Commit graph

79 commits

Author SHA1 Message Date
dcashman
47bd7300a5 Add support for factory reset protection.
Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
2014-09-08 14:27:45 -07:00
Robin Lee
de08be8aa0 Allow system reset_uid, sync_uid, password_uid
Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
2014-08-29 23:48:07 +01:00
Brian Carlstrom
372d0df796 Remove system_server create access from /data/dalvik-cache
Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
2014-08-28 21:15:38 -07:00
Sreeram Ramachandran
997461bda5 Allow system_server to talk to netlink directly.
This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
2014-07-28 15:13:34 -07:00
Narayan Kamath
aa8e657ef0 Revert "fix system_server dex2oat exec"
This reverts commit 10370f5ff4.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
2014-07-25 15:37:27 +01:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
d26357641d Remove auditallow from system_server.
system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspsect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7ca)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
2014-07-16 09:52:13 -07:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Nick Kralevich
10370f5ff4 fix system_server dex2oat exec
Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
2014-07-15 16:10:16 +00:00
Ed Heyl
81839dfb24 reconcile aosp (3a8c5dc05f) after branching. Please do not merge.
Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
2014-07-14 23:31:31 -07:00
Colin Cross
5d60f04e5d sepolicy: allow system server to remove cgroups
Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
2014-07-09 17:02:10 -07:00
Andres Morales
d8447fdfe1 Typedef+rules for SysSer to access persistent block device
Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
2014-07-09 16:08:16 -07:00
Jeff Sharkey
be092af039 Rules to allow installing package directories.
Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
2014-07-07 15:41:14 -07:00
Nick Kralevich
d00eff47fe system_server: bring back sdcard_type neverallow rule
We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba
2014-07-04 11:45:49 -07:00
Riley Spahn
596bcc7687 Remove keystore auditallow statements from system.
Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
2014-07-01 18:25:02 +00:00
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Nick Kralevich
8c6552acfb Allow system_server to read all /proc files
system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

  W/ProcessCpuTracker(12159): Skipping unknown process pid 1
  W/ProcessCpuTracker(12159): Skipping unknown process pid 2
  W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512
2014-06-25 09:32:08 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Paul Jensen
97a2cfdf66 Allow Bluetooth app to initiate DHCP service on bt-pan interface.
bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
2014-06-19 02:49:37 +00:00
Nick Kralevich
04e730b635 system_server: allow open /dev/snd and read files
system_server needs to open /dev/snd and access files
within that directory. Allow it.

system_server need to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.

Addresses the following denial:

  system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir

and likely others

Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
2014-06-18 17:09:55 -07:00
Stephen Smalley
00b180dfb8 Eliminate some duplicated rules.
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-17 15:30:37 -04:00
Nick Kralevich
fad4d5fb00 Fix SELinux policies to allow resource overlays.
The following commits added support for runtime resource overlays.

  New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
  Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
  Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
2014-06-16 14:20:08 -07:00
Nick Kralevich
a76d9ddf6b system_server profile access
Still not fixed. *sigh*

Addresses the following denial:

<4>[   40.515398] type=1400 audit(15842931.469:9): avc: denied { read } for pid=814 comm="system_server" name="profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: I705a4cc9c508200ace46780c18b7112b62f27994
2014-06-13 21:29:56 -07:00
Nick Kralevich
96d9af4235 allow system_server getattr on /data/dalvik-cache/profiles
8670305177 wasn't complete. I thought
getattr on the directory wasn't needed but I was wrong. Not sure
how I missed this.

Addresses the following denial:

  <4>[   40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
2014-06-13 09:05:26 -07:00
Nick Kralevich
8670305177 Remove world-read access to /data/dalvik-cache/profiles
Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to
read/write profiling data.

Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
2014-06-12 14:56:05 -07:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Ruchi Kandoi
13d5886363 system_server: Adds permission to system_server to write sysfs file
Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.

Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8

Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi Kandoi<kandoiruchi@google.com>
2014-06-10 23:43:33 +00:00
Stephen Smalley
6bb672e6b3 Make the system_server domain enforcing.
Change-Id: I1ea20044bd6789dde002da7fc9613cfbf1ee2d23
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-09 02:45:53 +00:00
Stephen Smalley
2cc6d63d5d Allow system_server access to /data/media files passed via Binder.
Addresses denials such as:
 avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
 avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-04 13:36:48 -04:00
Stephen Smalley
f85c1fc293 Allow installd, vold, system_server unlabeled access.
The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose.  vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so.  system_server tries to access all /data/data
subdirectories so permit it to do so.  installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 16:35:01 -04:00
Nick Kralevich
8599e34b95 Introduce wakelock_use()
Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.

Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.

Still TODO: fix device specific wakelock use.

Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
2014-05-23 15:44:40 -07:00
Stephen Smalley
a16a59e2c7 Remove graphics_device access.
Neither mediaserver nor system_server appear to require
direct access to graphics_device, i.e. the framebuffer
device.  Drop it.

Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 18:47:49 +00:00
Stephen Smalley
782e084dc2 Allow system_server to read tombstones.
Address denials such as:
 avc:  denied  { read } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { open } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { getattr } for  path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { read } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { open } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 14:30:43 -04:00
Stephen Smalley
538edd3317 Restrict system_server to only the data file types needed.
Drop rules on data_file_type attribute and replace with rules
on specific types under /data.

Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-13 07:58:18 -04:00
Stephen Smalley
02dac03a8c Drop relabelto_domain() macro and its associated definitions.
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 18:30:22 +00:00
Nick Kralevich
cd905ec04e Protect keystore's files.
Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-09 10:14:56 -07:00
Stephen Smalley
53cde700cd Report graphics_device accesses by system_server or mediaserver.
See if we can remove these allow rules by auditing any granting
of these permissions.  These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.

Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 15:01:51 -04:00
Nick Kralevich
3f3d6ffb7e Allow system_server pstore access.
pstore contains /sys/fs/pstore/console-ramoops, which is the
replacement for /proc/last_kmsg. Both files are read by system_server
on startup. Allow access.

Addresses the following denials:

<12>[   53.836838] type=1400 audit(949060020.909:19): avc:  denied  { search } for  pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir
<12>[   53.856546] type=1400 audit(949060020.909:20): avc:  denied  { getattr } for  pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[   53.878425] type=1400 audit(949060020.909:21): avc:  denied  { read } for  pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[   53.898476] type=1400 audit(949060020.909:22): avc:  denied  { open } for  pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file

Change-Id: I7307da751961b242e68adb319da9c00192e77bbb
2014-04-15 14:24:39 -07:00
Stephen Smalley
e06e536388 Allow inputflinger to call system_server.
Resolves denials such as:
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { open } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { search } for  pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { call } for  pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-21 10:40:56 -04:00
Stephen Smalley
971b5d7c9f Allow system_server to set ctl.bugreport property.
Resolves denials such as:
avc:  denied  { set } for property=ctl.bugreport scontext=u:r:system_server:s0 tcontext=u:object_r:ctl_bugreport_prop:s0 tclass=property_service

Change-Id: I6c3085065157f418fc0cd4d01fa178eecfe334ad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-18 10:49:34 -04:00
Stephen Smalley
bafbf81330 Allow system_server to read from log daemon.
Addresses denials such as:
avc:  denied  { write } for  pid=1797 comm="logcat" name="logdr" dev="tmpfs" ino=7523 scontext=u:r:system_server:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file
avc:  denied  { connectto } for  pid=1797 comm="logcat" path="/dev/socket/logdr" scontext=u:r:system_server:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket

Change-Id: Idc4f48519ca3d81125102e8f15f68989500f5e9e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-14 08:37:16 -04:00
Stephen Smalley
6fe899a0d1 Silence /proc/pid denials.
system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-13 16:20:50 -04:00
Stephen Smalley
c18121811c Deduplicate and rationalize system_server /proc/pid access.
The system_server has duplicate/overlapping rules regarding
/proc/pid access as well as a lack of clarity on the reason
for the different rules.  Deduplicate the rules and clarify
the purpose of different sets of rules.

Replace the rules granting /proc/pid access for all domains with
specific rules only for domains that we know should be accessible
by the system_server, i.e. all apps (appdomain) and the set of
native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.

Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-06 14:33:54 -05:00
Nick Kralevich
d9d9d2f417 temp fix for build breakage.
libsepol.check_assertion_helper: neverallow on line 8857 violated by allow system_server sdcard_external:file { ioctl read write getattr lock append open };
Error while expanding policy
make: *** [out/target/product/manta/obj/ETC/sepolicy_intermediates/sepolicy] Error 1

Change-Id: I181707ed66bad3db56f9084b3d9ba161d13b34bd
2014-03-05 11:29:52 -08:00
Stephen Smalley
d331e00bd8 Do not allow system_server to access SDcard files.
As per:
https://android-review.googlesource.com/#/c/84130/3/system_server.te@240
it is unsafe to allow such access.

Add a neverallow rule to prohibit any rules on sdcard_type in the
future.

Change-Id: Ife714b65b07144eb6228a048a55ba82181595213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-05 13:18:16 -05:00
Stephen Smalley
3dad7b611a Address system_server denials.
Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-05 12:22:19 -05:00
Stephen Smalley
28afdd9234 Deduplicate binder_call rules.
A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-03 22:42:52 +00:00
Nick Kralevich
63b98b17e4 restore system_server zygote socket rules
1601132086 removed the getattr/getopt
support for system_server, which is needed to close the zygote socket.
See b/12061011 for details.

system_server still needs this rule, and it's expected to stay
permanently. Restore the rule and remove the comment about it eventually
being deleted.

Addresses the following denials:

<5>[   86.307639] type=1400 audit(1393376281.530:5): avc:  denied  { getattr } for  pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
<5>[   86.307945] type=1400 audit(1393376281.530:6): avc:  denied  { getopt } for  pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12114500
Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d
2014-02-28 21:35:53 +00:00
Stephen Smalley
37afd3f6c3 Remove system_server and zygote unlabeled execute access.
Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.

This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.

That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.

Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-27 08:55:48 -05:00
Stephen Smalley
0296b9434f Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 21:26:08 +00:00