This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).
Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.
BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.
media.log moves to audioserver.
TBD: Pare down permissions.
Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
- Add a new 'dumpstate' context for system properties. This context
will be used to share state between dumpstate and Shell. For example,
as dumpstate progresses, it will update a system property, which Shell
will use to display the progress in the UI as a system
notification. The user could also rename the bugreport file, in which
case Shell would use another system property to communicate such
change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
notification can be used to stop dumpstate.
BUG: 25794470
Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.
Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules. This is no
longer needed.
Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
dumpstate runs "df" on all mounted filesystems. Allow dumpstate
to access /storage/emulated so df works.
Addresses the following denial:
avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8
This fixes the following policy violation:
avc: denied { read } pid=30295 comm="app_process"
tcontext=u:object_r:dalvikcache_data_file:s0
scontext=u:r:dumpstate:s0 tclass=lnk_file
permissive=0 ppid=26813 pcomm="dumpstate"
pgid=26813 pgcomm="dumpstate"
See 0e32726 in app.te for a symmetrical
change.
Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.
Addresses the following denials (and many more):
avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
This reverts commit 0f0324cc82
and commit 99940d1af5
Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
Without this change, any SELinux warnings you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.
Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the ELF data for executables. Instead, the permissions are granted
to debuggerd.
Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.
Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
SELinux domains wanting read access to /proc/net need to
explicitly declare it.
TODO: fixup the ListeningPortsTest cts test so that it's not
broken.
Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.
Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
Addresses the following denials:
avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
dumpstate and lmkd need to act on apps running at any level.
Various file types need to be writable by apps running at any
level.
Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On 64 bit systems, it's necessary to read the /system/bin executables'
ELF header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.
Bug: 17487122
(cherry picked from commit 04f3d79077)
Change-Id: Ib7835ffac1811a5aef54a250689287c1666720ef
The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.
Resolves denials such as:
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd
Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.
Addresses the following denial:
<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0
Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe
dumpstate calls screencap to take a screenshot. screencap
requires the ability to access the gpu device. Allow it.
Bug: 15514427
Change-Id: Iad8451b6108786653146de471f6be2d26b0e3297
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- Add write_logd, read_logd and control_logd macros along
with contexts for user space logd.
- Specify the above on a domain-wide or service-by-service basis.
- Add logd rules.
- Deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
deal with fd inheritance. ToDo: investigate means to allow
references to close, and reopen in context of application
or call setsockcreatecon() to label them in child context.
Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
See http://code.google.com/p/android/issues/detail?id=65339
Further denials were observed in testing and allowed as well.
Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.
Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.
This will ensure that all SELinux domains have at least a
minimal level of protection.
Unconditionally enable this flag for all user builds.
Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.
Dumpstate is triggered by running "adb bugreport".
Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
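
Several of the commit messages above quote `avc: denied` records as the justification for a rule. The following added example (not part of the sepolicy repository or of any commit listed here) parses such records and merges them into candidate `allow` rules for review; the function names `parse_denial` and `candidate_rules` are hypothetical, and the sample input is constructed from denial lines quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines copied from the commit messages above.
SAMPLE = """\
avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    try:
        # A context is user:role:type:level[:categories]; the type is field 3.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], set(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated or line-wrapped record

def candidate_rules(log, domain=None):
    """Merge denials into allow rules, optionally for one source domain."""
    merged = defaultdict(set)
    for line in log.splitlines():
        rec = parse_denial(line)
        if rec and domain in (None, rec[0]):
            merged[rec[:3]] |= rec[3]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {s} {t}:{c} {perm};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE, domain="dumpstate")))
```

The output is a review aid rather than a policy: the vdc commit above answered its `execute` denial with a domain transition into vdc instead of a direct allow rule.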