Commit graph

1136 commits

Author SHA1 Message Date
Nick Kralevich
ae49e7a369 Merge "Confine tee, but leave it permissive for now." 2013-11-14 19:29:27 +00:00
Nick Kralevich
c6a3f60cbe am 678420e0: am 6ce3d60c: Merge "Confine rild, but leave it permissive for now."
* commit '678420e023c6f143fb99cfed031397e732960410':
  Confine rild, but leave it permissive for now.
2013-11-14 08:50:01 -08:00
Stephen Smalley
87d0deb3ab am 67a53232: am b1cb3205: Confine wpa_supplicant, but leave it permissive for now.
* commit '67a53232cec967ca53e6f7284fd582a5bdd3eb69':
  Confine wpa_supplicant, but leave it permissive for now.
2013-11-14 08:50:00 -08:00
Nick Kralevich
678420e023 am 6ce3d60c: Merge "Confine rild, but leave it permissive for now."
* commit '6ce3d60ca39dd37f0de4bcd81620b3611cd28e14':
  Confine rild, but leave it permissive for now.
2013-11-14 08:46:49 -08:00
Stephen Smalley
67a53232ce am b1cb3205: Confine wpa_supplicant, but leave it permissive for now.
* commit 'b1cb3205cad978399fa7c9dcafed607fe5d07de6':
  Confine wpa_supplicant, but leave it permissive for now.
2013-11-14 08:46:49 -08:00
Nick Kralevich
6ce3d60ca3 Merge "Confine rild, but leave it permissive for now." 2013-11-14 16:44:24 +00:00
Stephen Smalley
dcbab907ea Confine rild, but leave it permissive for now.
Change-Id: I6df9981b2af0150c6379a0ebdbe0a8597c994f4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:32:22 -05:00
Stephen Smalley
72a4745919 Confine tee, but leave it permissive for now.
Change-Id: Id69b1fe80746429a550448b9168ac7e86c38aa9f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:31:44 -05:00
Stephen Smalley
b1cb3205ca Confine wpa_supplicant, but leave it permissive for now.
Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:30:55 -05:00
Nick Kralevich
0e11233dc1 am 360d4120: netd: allow tcp_socket name_connect
* commit '360d4120ecc3afba68852ee57b528334dfcaa859':
  netd: allow tcp_socket name_connect
2013-11-13 12:18:15 -08:00
Nick Kralevich
b9d93b0138 am ace68b1e: am 91ebcf33: netd: allow tcp_socket name_connect
* commit 'ace68b1e06a2f5c433f4f7dd191e71411e86541f':
  netd: allow tcp_socket name_connect
2013-11-13 12:11:27 -08:00
Nick Kralevich
ace68b1e06 am 91ebcf33: netd: allow tcp_socket name_connect
* commit '91ebcf33326418ed9603e618ad193550646c3b04':
  netd: allow tcp_socket name_connect
2013-11-13 12:08:17 -08:00
Nick Kralevich
360d4120ec netd: allow tcp_socket name_connect
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.

Fixes the following denial:

<5>[   82.120746] type=1400 audit(1830030.349:5): avc:  denied  { name_connect } for  pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631

(cherry picked from commit 91ebcf3332)

Change-Id: I62bba8777a5c8af1c0143e7ca2d915129ef38798
2013-11-13 11:51:46 -08:00
Nick Kralevich
91ebcf3332 netd: allow tcp_socket name_connect
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.

Fixes the following denial:

<5>[   82.120746] type=1400 audit(1830030.349:5): avc:  denied  { name_connect } for  pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631

Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
2013-11-13 11:32:13 -08:00
Nick Kralevich
d8c9d74d96 am 59078a94: netd: allow tcp connections.
* commit '59078a940d72aef9f9e3f1e15f828cc44a101e3b':
  netd: allow tcp connections.
2013-11-13 10:08:30 -08:00
Nick Kralevich
59078a940d netd: allow tcp connections.
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.

Addresses the following denial:

[ 1831.586826] type=1400 audit(1384129166.563:173): avc:  denied  { create } for  pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631

(cherry picked from commit 36a5d109e6)

Change-Id: Id2e383e1c74a26ef7e56499a33bf2b06b869c12b
2013-11-13 09:56:21 -08:00
Nick Kralevich
e6da07b738 am b391269f: am 36a5d109: netd: allow tcp connections.
* commit 'b391269f972e3138e1c1640144c6bc9614fe9509':
  netd: allow tcp connections.
2013-11-13 09:54:12 -08:00
Nick Kralevich
b391269f97 am 36a5d109: netd: allow tcp connections.
* commit '36a5d109e6953c63d2a865eab4c4d021aa52250b':
  netd: allow tcp connections.
2013-11-13 09:50:23 -08:00
Nick Kralevich
36a5d109e6 netd: allow tcp connections.
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.

Addresses the following denial:

[ 1831.586826] type=1400 audit(1384129166.563:173): avc:  denied  { create } for  pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Change-Id: Ia542a9df3e466a8d409955bab6a23a524ff3d07b
Bug: 11097631
2013-11-13 06:29:29 -08:00
Stephen Smalley
49146335f4 am 868a9e26: am 8510d31e: Rename camera_calibration_file and audio_firmware_file.
* commit '868a9e26cfe2931ae419056b348b479b9ae92f3a':
  Rename camera_calibration_file and audio_firmware_file.
2013-11-12 14:58:51 -08:00
Stephen Smalley
868a9e26cf am 8510d31e: Rename camera_calibration_file and audio_firmware_file.
* commit '8510d31ed3b5d53c2232b7aac5f65b32d38753d0':
  Rename camera_calibration_file and audio_firmware_file.
2013-11-12 14:55:33 -08:00
Stephen Smalley
8510d31ed3 Rename camera_calibration_file and audio_firmware_file.
Use more general type names for the contents of /data/misc/camera and
/data/misc/audio.  These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy.  So we may as well switch
AOSP to these names.

Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.

Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names
to the new ones.  Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.

Option #2 is implemented by this change.

Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-12 17:01:44 -05:00
Nick Kralevich
fb2ca12e25 am bc4484b2: am bc1388d3: Merge "Make kernel / init enforcing"
* commit 'bc4484b2c29b7cc1598b6d09328888e5fe696913':
  Make kernel / init enforcing
2013-11-12 09:35:55 -08:00
Nick Kralevich
c9562376ba am 14f95109: am 56f39193: Merge "Confine debuggerd, but leave it permissive for now."
* commit '14f95109b702996c2ca8dc9dd2556a6e9947eaa4':
  Confine debuggerd, but leave it permissive for now.
2013-11-12 09:35:55 -08:00
Nick Kralevich
bc4484b2c2 am bc1388d3: Merge "Make kernel / init enforcing"
* commit 'bc1388d34cae1cdd71284b38066a287f969a4b52':
  Make kernel / init enforcing
2013-11-12 09:32:52 -08:00
Nick Kralevich
14f95109b7 am 56f39193: Merge "Confine debuggerd, but leave it permissive for now."
* commit '56f391930142d02c66852e5cd4ebf7d83b65f80d':
  Confine debuggerd, but leave it permissive for now.
2013-11-12 09:32:52 -08:00
Nick Kralevich
bc1388d34c Merge "Make kernel / init enforcing" 2013-11-12 17:30:01 +00:00
Nick Kralevich
56f3919301 Merge "Confine debuggerd, but leave it permissive for now." 2013-11-12 17:28:21 +00:00
Stephen Smalley
4ca16a5740 am a9ccd7dc: am af47ebb6: Label /dev/fscklogs and allow system_server access to it.
* commit 'a9ccd7dce97460656adc355c3896852314b6d62e':
  Label /dev/fscklogs and allow system_server access to it.
2013-11-11 11:58:33 -08:00
Stephen Smalley
a9ccd7dce9 am af47ebb6: Label /dev/fscklogs and allow system_server access to it.
* commit 'af47ebb67aa64d699615693bf4603ec173417175':
  Label /dev/fscklogs and allow system_server access to it.
2013-11-11 11:56:04 -08:00
Stephen Smalley
af47ebb67a Label /dev/fscklogs and allow system_server access to it.
Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc:  denied  { getattr } for  pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc:  denied  { open } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc:  denied  { write } for  pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { remove_name } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc:  denied  { unlink } for  pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-11 11:52:24 -08:00
Nick Kralevich
47f8bbad00 am c1468d45: am 00739e3d: Make the ueventd domain enforcing.
* commit 'c1468d454e73d5c0de2e567fb60a2c984c8d00c0':
  Make the ueventd domain enforcing.
2013-11-11 08:48:01 -08:00
Nick Kralevich
c1468d454e am 00739e3d: Make the ueventd domain enforcing.
* commit '00739e3d14f2f1ea9240037283c3edd836d2aa2f':
  Make the ueventd domain enforcing.
2013-11-11 08:40:13 -08:00
Nick Kralevich
b1d81645b3 Make kernel / init enforcing
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.

Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
2013-11-08 15:44:30 -08:00
Nick Kralevich
00739e3d14 Make the ueventd domain enforcing.
All (known) denials have been addressed.

Change-Id: Ic12ed190a2efb7f20be589137a27b95d03dde25a
2013-11-08 08:34:46 -08:00
Stephen Smalley
72d25ce196 am b53788de: am a7716718: Label /data/misc/media and allow mediaserver access to it.
* commit 'b53788de984f05bff63c1a617cea4e1fbab9cfbb':
  Label /data/misc/media and allow mediaserver access to it.
2013-11-07 16:29:39 -08:00
Stephen Smalley
b53788de98 am a7716718: Label /data/misc/media and allow mediaserver access to it.
* commit 'a771671877d306804dbbf5a8e6baa03c877f890d':
  Label /data/misc/media and allow mediaserver access to it.
2013-11-07 16:27:03 -08:00
Stephen Smalley
a771671877 Label /data/misc/media and allow mediaserver access to it.
Otherwise we get denials like these on 4.4:

type=1400 audit(1383590170.360:29): avc:  denied  { write } for  pid=61 comm="mediaserver" name="media" dev="mtdblock1" ino=6416 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { add_name } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { create } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590170.360:29): avc:  denied  { write open } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { write } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { open } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-07 16:22:50 -08:00
Geremy Condra
9443965cfb am eac6e590: am ddf98fa8: Neverallow access to the kmem device from userspace.
* commit 'eac6e59020eee640e08fdbf055ed2b78e6c5095e':
  Neverallow access to the kmem device from userspace.
2013-11-07 16:22:44 -08:00
Geremy Condra
eac6e59020 am ddf98fa8: Neverallow access to the kmem device from userspace.
* commit 'ddf98fa8cf11000f91329945abc23ee791adfe69':
  Neverallow access to the kmem device from userspace.
2013-11-07 16:20:39 -08:00
Geremy Condra
ddf98fa8cf Neverallow access to the kmem device from userspace.
Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
2013-11-07 16:17:32 -08:00
Nick Kralevich
45536dfda1 am 7bc576d5: am 0ea4ac8a: Merge "Move goldfish-specific rules to their own directory."
* commit '7bc576d5d37c079a0cb922a1d76eb419cafecc55':
  Move goldfish-specific rules to their own directory.
2013-11-07 15:21:04 -08:00
Nick Kralevich
7bc576d5d3 am 0ea4ac8a: Merge "Move goldfish-specific rules to their own directory."
* commit '0ea4ac8a12efa2f847625917f35b5cbedec3853a':
  Move goldfish-specific rules to their own directory.
2013-11-07 15:18:36 -08:00
Nick Kralevich
0ea4ac8a12 Merge "Move goldfish-specific rules to their own directory." 2013-11-07 23:16:50 +00:00
Nick Kralevich
4cafcfd294 am 289fe68b: am 842a1111: Merge "Confine healthd, but leave it permissive for now."
* commit '289fe68b3ecbc05395d78bfe77fb15bc9512a571':
  Confine healthd, but leave it permissive for now.
2013-11-07 14:21:04 -08:00
Nick Kralevich
289fe68b3e am 842a1111: Merge "Confine healthd, but leave it permissive for now."
* commit '842a1111c0544f7f855b0cdc4cceee8a370af759':
  Confine healthd, but leave it permissive for now.
2013-11-07 14:18:39 -08:00
Nick Kralevich
842a1111c0 Merge "Confine healthd, but leave it permissive for now." 2013-11-07 22:15:35 +00:00
Nick Kralevich
d9a21dbcfe am 6b754790: am fec3c5ad: Merge "Make the keystore domain enforcing."
* commit '6b754790b56cbe3617ea1f715d3f3236d7b7ad78':
  Make the keystore domain enforcing.
2013-11-07 13:42:54 -08:00
Nick Kralevich
6b754790b5 am fec3c5ad: Merge "Make the keystore domain enforcing."
* commit 'fec3c5ad80cb5323ab7b6b808faca032c3973fc5':
  Make the keystore domain enforcing.
2013-11-07 13:40:21 -08:00
Nick Kralevich
fec3c5ad80 Merge "Make the keystore domain enforcing." 2013-11-07 21:37:09 +00:00