ping in Android no longer requires any additional privileges beyond
the caller. Drop the ping domain and executable file type entirely.
Also add net_domain() to shell domain so that it can create and
use network sockets.
Change-Id: If51734abe572aecf8f510f1a55782159222e5a67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
There are continued complaints about not being able to generate
bug reports and surfaceflinger crashes. Move surfaceflinger
out of enforcing until I can resolve this.
Here are some denials I'm seeing. I'm not sure what binder service is
running in the shell domain... Need to do more digging.
nnk@nnk:~/Downloads$ grep "avc: " screenshot_runtime_restart.txt | grep surfaceflinger
<5>[ 5.182699] type=1400 audit(1389111729.860:9): avc: denied { search } for pid=186 comm="surfaceflinger" name="tmp" dev="mmcblk0p28" ino=627090 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[ 744.988702] type=1400 audit(1389112469.578:188): avc: denied { call } for pid=596 comm="Binder_3" scontext=u:r:surfaceflinger:s0 tcontext=u:r:shell:s0 tclass=binder
This reverts commit a11c56e124.
Bug: 12416329
Change-Id: I7b72608c760c4087f73047ad751a5bd069fa2ec7
Causing adbd to run at 100% cpu utilization when the following
sequence of commands are run:
1) Run the command "adb shell ping -c 1 -w 5 www.google.com" for 5 times
2) Run "adb shell top -m 5"
The following denial occurs:
<5>[ 20.647559] type=1400 audit(1389054327.861:21): avc: denied { sigchld } for pid=1989 comm="adbd" scontext=u:r:ping:s0 tcontext=u:r:adbd:s0 tclass=process
Reverting for now.
This reverts commit 1b556c3270.
Bug: 12251052
Change-Id: I1b9920624f49b0aed2226c41a45005aff228d9e8
When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.
Addresses the following denials:
<5> type=1400 audit(1389047451.385:23): avc: denied { call } for pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc: denied { write } for pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be
init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.
Add a neverallow rule to prevent the reintroduction of
this bug.
Change-Id: I78d35e675fd142d880f15329471778c18972bf50
tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions. execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains. Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.
Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.
Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable. Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.
Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
system_server and app domains need to map dalvik-cache files with PROT_EXEC.
type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.
type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file
Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Will likely want to split into adbd_user.te vs adbd.te before
going enforcing to support adb root and adb remount on non-user builds.
Possibly take all common rules to an adbdcommon.te.
Change-Id: I63040c7f5f0fca10b3df682572c51c05e74738a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This showed up at some point in the past during our own
internal CTS testing but it seems wrong based on the DAC
permissions and a potential way to inject code into apps
from the shell. Drop it for now and see if it shows up again.
This predates userdebug/eng vs user shell split so possibly
it only happens in the userdebug/eng case.
Change-Id: If8b1e7817f8efecbf68a0ba5fd06328a23a6c6db
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow the shell user to set debug.* properties.
This allows systrace to work on Android.
Allow the shell user to set sys.powerctl, to allow reboots
to work.
Addresses the following denials:
<4>[ 2141.449722] avc: denied { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.450820] avc: denied { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.506703] avc: denied { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.507591] avc: denied { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
Bug: 12231073
Change-Id: Iaba1db06ba287c7d5d10ce287833c57238e03bb6
I'm only seeing this denial on one device (manta), but it feels like
it should be part of the generic policy. I don't understand
why it's happening on only one device.
Addresses the following denial:
14.711671 type=1400 audit(1387474628.570:6): avc: denied { block_suspend } for pid=533 comm="InputReader" capability=36 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2
Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47
bluetooth, nfc, radio and shell are not explicitly declared
in installd.te. This prevents applications in those group
from upgrading by "adb install -r".
You can reproduce the issue by following step:
1. adb pull /system/priv-app/Shell.apk
2. adb install -r Shell.apk
3. install failed with the error log blow
[Error in logcat]
E/installd( 338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/com.android.shell-1': Permission denied
E/installd( 338): couldn't symlink directory '/data/data/com.android.shell/lib' -> '/data/app-lib/Shell': Permission denied
[Error in dmesg]
<5>[ 112.053301] type=1400 audit(1387412796.071:10): avc: denied { create } for pid=337 comm="installd" name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=lnk_file
This operation fails only if the app belongs to any of the
groups specified in the commit title.
Change-Id: I7572df9fb6e471fad34f61137f0eeeda4c82659d
Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g. console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.
Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/data/media presently is left in system_data_file, which requires
anything that wants to write to it to be able to write to system_data_file.
Introduce a new type for /data/media, media_rw_data_file (to match
the media_rw UID assigned to it and distinguish it from /data/misc/media
which has media UID and media_data_file type), and allow access to it.
We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted
to signature|system. We should not have to allow it to untrusted_app.
Set up type transitions in sdcardd to automatically label any directories
or files it creates with the new type.
Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In 61dc350720, I forgot to allow
system_server to run getopt/getattr on the zygote socket.
Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6
The closure of /dev/socket/zygote occurs in the zygote child
process, after Zygote has dropped privileges and changed
SELinux domains. In Google's internal tree, socket closures
are following a different path, which is causing getopt/getattr
to be used on the file descriptor. This is generating a large
number of denials.
Allow the operations for now. getopt/getattr are fairly harmless.
Long term, we shouldn't be performing these operations on the
zygote socket.
Addresses the following denials:
18.352783 type=1400 audit(1386374111.043:7): avc: denied { getattr } for pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.353088 type=1400 audit(1386374111.043:8): avc: denied { getopt } for pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833251 type=1400 audit(1386374111.524:9): avc: denied { getattr } for pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
18.833557 type=1400 audit(1386374111.524:10): avc: denied { getopt } for pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042419 type=1400 audit(1386374111.734:11): avc: denied { getattr } for pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.042724 type=1400 audit(1386374111.734:12): avc: denied { getopt } for pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.182830 type=1400 audit(1386374111.874:14): avc: denied { getattr } for pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.183105 type=1400 audit(1386374111.874:15): avc: denied { getopt } for pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
19.235473 type=1400 audit(1386374111.924:16): avc: denied { getattr } for pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
Bug: 12061011
Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9
Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.
Dumpstate is triggered by running "adb bugreport"
Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
