Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.
To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.
This change:
1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.
Addresses the following denial:
avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 17671501
(cherry picked from commit 2de02877a3)
Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb
Apps should be able to read the contents of mounted OBBs.
Steps to reproduce:
1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
2) Attempt to run the app.
Expected:
App runs successfully.
Actual:
App crashes. See denials below.
This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3
Addresses the following denials:
avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:
adb shell cat /factory/ssn
adb shell cat /factory/bt/bd_addr.conf
adb shell cat /factory/wifi/mac.txt
adb shell cat /factory/60isn
Read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.
No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.
Bug: 17600278
(cherry picked from commit 200a9f0e20)
Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.
Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.
Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.
No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.
Bug: 17525863
(cherry picked from commit 642b80427e)
Change-Id: I35f3dc8b1ead9f427645a13fb202e760d1e68e64
On 64-bit systems, it's necessary to read the /system/bin executable's
ELF header to determine if it's a 32-bit or 64-bit executable in order
to contact the correct debuggerd service.
Bug: 17487122
Change-Id: Ica78aa54e5abbb051924166c6808b79b516274fe
- Changing package from android.telecomm to android.telecom
- Changing package from com.android.telecomm to
com.android.server.telecomm.
- Renaming TelecommManager to TelecomManager.
Bug: 17364651
Change-Id: I70e9ecdab7482327f25387ecc6223f46e9cbe10e
When vold mounts an OBB on behalf of another application, the kernel
spins up the "loop0" thread to perform the mount operation. Grant
the kernel thread the ability to read app data files, so the mount
operation can succeed.
Steps to reproduce:
1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java
Expected:
1) All tests pass
Actual:
Test failure, with the following error message:
loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
Vold : Image mount failed (I/O error)
MountService: Couldn't mount OBB file: -1
StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21
TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest)
TestRunner: ----- begin exception -----
TestRunner: junit.framework.AssertionFailedError: OBB should be mounted
TestRunner: at junit.framework.Assert.fail(Assert.java:50)
TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20)
TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235)
Bug: 17428116
Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:
sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0
Allow the operation.
Steps to reproduce:
1) adb shell into the device and su to root
2) run "kill -9 [PID OF SDCARD]"
Expected:
sdcard daemon successfully restarts without error message.
Actual:
SELinux denial above, plus attempts to mount a new filesystem
on top of the existing filesystem.
Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
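The avc denial lines quoted in these messages are the raw input a policy author works from. As an added example (not code from any of these commits), the Python below parses such lines and collapses them into candidate allow rules the way audit2allow does, using the OBB and sdcard denials quoted above as sample input; the field regexes and the split on the third context component are assumptions about the logcat format.

```python
import re
from collections import defaultdict

# Constructed sample input: the OBB and sdcard denials quoted in the commit
# messages above, as they appear in logcat / dmesg.
SAMPLE_DENIALS = [
    'avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file',
    'avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file',
    'avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file',
    'avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0',
    'sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0',
]

# Assumed log shape: "avc: denied { perm ... } for key=value key="quoted value" ..."
DENIAL_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Parse one avc denial; None if the line is not a denial with contexts."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # u:r:untrusted_app:s0 -> untrusted_app ; u:object_r:vfat:s0 -> vfat
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'source': source,
        'target': target,
        'tclass': tclass,
        'path': fields.get('path') or fields.get('name'),
        'enforcing': fields.get('permissive') != '1',  # permissive=0 or absent
    }


def allow_rules(lines):
    """Collapse denials into candidate allow rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            grouped[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]
```

The generated rules are a starting point, not the fix: the commits above often chose a narrower change (a new type such as proc_cpuinfo, or a single permission like filesystem unmount) over the literal rule a denial suggests.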
Permits the system server to change keystore passwords for users other
than primary.
Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
Also enable global reading of the kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.
Bug: 17288791
Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.
Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"
Expected:
APK installs successfully.
Actual:
APK fails to install. Error message:
Vold E Failed to write superblock (I/O error)
loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
PackageHelper E Failed to create secure container smdl1645334795.tmp
DefContainer E Failed to create container smdl1645334795.tmp
Bug: 17158723
(cherry picked from commit 4c6b13508d)
Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash. Full read permissions may not be necessary:
W/debuggerd( 185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir
Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission. Required for:
https://android-review.googlesource.com/#/c/101800/
Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow. This verifier runs as
a priv-app, which is in the untrusted_app domain. Allow untrusted_app
read-access to these files.
Bug: 16515815
Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 21ada26dae)
Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
Looks like system server doesn't let you start a service without
whitelisting anymore.
Bug: 16628456
Change-Id: I0f6df8fd2afa24f4a1758a90cb5f8e451e0edb6a
This reverts commit 10370f5ff4.
The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.
Bug: 16317188
Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.
Maybe indirectly fixes the following SELinux denial:
sdcard : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs. Include exceptions for
appdomain and recovery as required by current policy.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 4644ac4836)
Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further, so these logs
will not be useful.
Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
(cherry picked from commit 603bc20509)
Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.
(cherry picked from commit 88157ea347)
Change-Id: I25354db2add3135335c80be2c2d350e526137572
Add com.android.net.IProxyService as a system_server_service
to service_contexts.
Bug: 16369427
(cherry picked from commit 26d6371c5a)
Change-Id: I3e58681971683bdc7f26a1d130c8bcf8ffcb89e2
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.
For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.
Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.
(cherry picked from commit 8a5b28d259)
Change-Id: I39baaf62058986d35ad43de708aaa3daf93b2df4