Usage:
sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy
Displays duplicate allow rules, i.e. pairs of allow rules that grant
the same permissions where one allow rule is written directly in terms
of individual types and the other is written in terms of attributes
associated with those same types. The rule with individual types is
a candidate for removal. The rule with individual types may be directly
represented in the source policy or may be a result of expansion of
a type negation (e.g. domain -foo -bar is expanded to individual allow
rules by the policy compiler). Domains with unconfineddomain will
typically have such duplicate rules as a natural side effect and can
be ignored.
Also add a tools/README with a description of all of the tools.
Change-Id: I07838dbd22c5cc8a4a65b57003ccae38129050f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.
Fixes the following denial:
<5>[ 82.120746] type=1400 audit(1830030.349:5): avc: denied { name_connect } for pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631
Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.
Addresses the following denial:
[ 1831.586826] type=1400 audit(1384129166.563:173): avc: denied { create } for pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Change-Id: Ia542a9df3e466a8d409955bab6a23a524ff3d07b
Bug: 11097631
Use more general type names for the contents of /data/misc/camera and
/data/misc/audio. These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy. So we may as well switch
AOSP to these names.
Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.
Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names.
to the new ones. Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.
Option #2 is implemented by this change.
Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.
Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
This is causing runtime restarts on flo/deb when uninstalling
some APKs. Revert while I investigate it.
11-04 21:52:41.487 687 704 I ActivityManager: Force stopping com.android.development appid=10078 user=-1: uninstall pkg
11-04 21:52:41.487 687 712 W PackageManager: Couldn't delete native library directory /data/app-lib/com.android.development
11-04 21:52:41.557 687 712 W dalvikvm: threadid=20: thread exiting with uncaught exception (group=0x959dfae8)
11-04 21:52:41.557 687 712 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: PackageManager
11-04 21:52:41.557 687 712 E AndroidRuntime: java.lang.NullPointerException
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.security.KeyStore.clearUid(KeyStore.java:327)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.removeKeystoreDataIfNeeded(PackageManagerService.java:9787)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.removePackageDataLI(PackageManagerService.java:9384)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deleteInstalledPackageLI(PackageManagerService.java:9503)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deletePackageLI(PackageManagerService.java:9612)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deletePackageX(PackageManagerService.java:9239)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.access$4100(PackageManagerService.java:178)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService$7.run(PackageManagerService.java:9173)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:733)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Looper.loop(Looper.java:136)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:61)
11-04 21:52:41.567 687 712 I Process : Sending signal. PID: 687 SIG: 9
and
[ 7.324554] type=1400 audit(1383601030.823:5): avc: denied { read write } for pid=192 comm="keystore" name="qseecom" dev="tmpfs" ino=7521 scontext=u:r:keystore:s0 tcontext=u:object_r:device:s0 tclass=chr_file
This reverts commit 709d71836d.
Bug: 11518274
Recommend using concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This will allow
sepolicy to exist in the vendor directory.
Change-Id: If982217fcb3645d9c6b37a341755b5b65f26fc5f
Otherwise we break "adb root && adb shell svc power reboot",
which has the side effect of killing all of our test automation
(oops).
Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631
Temporarily revert -Wall -Werror on checkseapp.
This is causing a compiler error on darwin SDK builds.
cc1: warnings being treated as errors
external/sepolicy/tools/check_seapp.c: In function 'rule_map_free':
external/sepolicy/tools/check_seapp.c:439: warning: unused parameter 's'
make: *** [out/host/darwin-x86/obj/EXECUTABLES/checkseapp_intermediates/check_seapp.o] Error 1
Change-Id: I9776777a751f16d5ca0d90e731482c31dac813f9
And also remove the unnecessary references to libselinux for
sepolicy-check, as it has no dependencies on libselinux.
Also enable -Wall -Werror on building all of these tools and
fix up all such errors.
Usage:
$ sepolicy-analyze -e -P out/target/product/<device>/root/sepolicy
or
$ sepolicy-analyze -d -P out/target/product/<device>/root/sepolicy
The first form will display all type pairs that are "equivalent", i.e.
they are identical with respect to allow rules, including indirect allow
rules via attributes and default-enabled conditional rules (i.e. default
boolean values yield a true conditional expression).
Equivalent types are candidates for being coalesced into a single type.
However, there may be legitimate reasons for them to remain separate,
for example:
- the types may differ in a respect not included in the current
analysis, such as default-disabled conditional rules, audit-related
rules (auditallow or dontaudit), default type transitions, or
constraints (e.g. mls), or
- the current policy may be overly permissive with respect to one or the
other of the types and thus the correct action may be to tighten access
to one or the other rather than coalescing them together, or
- the domains that would in fact have different accesses to the types
may not yet be defined or may be unconfined in the policy you are
analyzing (e.g. in AOSP policy).
The second form will display type pairs that differ and the first
difference found between the two types. This output can be long.
We have plans to explore further enhancements to this tool, including
support for identifying isomorphic types. That will be required to
identify similar domains since all domains differ in at least their
entrypoint type and in their tmpfs type and thus will never show up as
equivalent even if they are in all other respects identical to each other.
Change-Id: If0ee00188469d2a1e165fdd52f235c705d22cd4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*. bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former. This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).
Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
