Remove from unpriv_socket_ioctls but grant each user of unpriv_socket_ioctls
use of unpriv_tty_ioctls
Bug: 26990688
Change-Id: I998e09091de5a7234ad0049758d5dad0b35722f7

RecoverySystemService is separated from PowerManagerService as a
dedicated system service to handle recovery related requests (such as
invoking uncrypt to uncrypt an OTA package on /data or to set up /
clear the bootloader control block (i.e. /misc), etc.).
The matching CL in frameworks/base is in:
Change-Id: Ic606fcf5b31c54ce54f0ab12c1768fef0fa64560.
Bug: 26830925
Change-Id: Iee0583c458f784bfa422d0f7af5d1f2681d9609e
(cherry picked from commit 65b5fde912)

Give dex2oat/patchoat link rights in /data/ota to produce a patched
image.
Give zygote rights to relabel links. Also give the zygote rights to
unlink, which is required when relabeling fails (to clean up the
dalvik-cache).
Bug: 25612095
Change-Id: I28bfb9cbeabe93b1f68ada9bcaf29f4f60028c2f

This is needed to kill sockets using the new SOCK_DESTROY
operation instead of using SIOCKILLADDR.
Bug: 26976388
(cherry picked from commit b38e279094)
Change-Id: Id80c6278f19f9fd20fe8d4fca72f84bff9249ed8

Part of media security hardening
This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.
bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2

Access to proc is being removed but there are still some consumers. Add
an auditallow to identify them and adjust labels appropriately before
removal.
Change-Id: I853b79bf0f22a71ea5c6c48641422c2daf247df5

Large numbers of denials have been collected. Remove from logging until
further action is taken to address existing denials and remove sysfs
access from additional appdomains.
(cherry-pick from commit: 0b80f4dc8a)
Change-Id: I11b9b159702fb2d50d4352f9cd8b68503d07222a

Remove the .data=NULL assignments that were pushing the
static keymap mapping horizontal.
(cherry picked from commit 29adea51ed)
Change-Id: I2e6e78930ac8d1d8b9bd61d9dedb59f4859ea13c
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Data type tracking is no longer needed now that per
key validation routines are supported.
(cherry picked from commit c92dae9807)
Change-Id: I2f1d0d5b1713e0477996479b0f279a58f43f15c7
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Input validation was hard-coded into a validation routine
that would check against type and key names in a scattered,
order dependent conditional code block.
This makes it harder than it should be to add new key value
pairs and types into checkseapp.
To correct this, we add a validation callback into the
static mapping. If the validation callback is set, the
existing validation routine will call this for input
validation. On failure, a validation specific error message
is returned to be displayed.
(cherry picked from commit 696a66ba20)
Change-Id: I92cf1cdf4ddbcfae19168b621f47169a3cf551ac
Signed-off-by: William Roberts <william.c.roberts@intel.com>

Change the final error message to be consistent with the others.
From:
Error: reading /home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts, line 82, name domain, value system_server
To:
Error: Reading file: "/home/wcrobert/workspace/aosp/external/sepolicy/seapp_contexts" line: 82 name: "domain" value: "system_server"
(cherry picked from commit efebf97e23)
Change-Id: Idf791d28fbba95fbeed8b9ccec9a296eea33afb9
Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit 25528cf4a5)
Change-Id: Ic4dc59650ca849b950cb145fedafdf4fc250f009
Signed-off-by: William Roberts <william.c.roberts@intel.com>

update_engine needs to access bootctrl_block_device to get and set the slot to boot.
avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
Also track the name change of the native binder service.
avc: denied { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
Bug: 27106053
Change-Id: Idbfef18578489db33fead0721e8f26d63db5ce09
(cherry picked from commit 3ec34ceb43)

The zygote is responsible for moving ART A/B OTA artifacts over to
the regular dalvik-cache.
Bug: 25612095
Change-Id: I838d9ec6ee5a0f0af5f379a4696abda69cea51ca

untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.
Keep untrusted_app file creation to sandbox, sdcard and media
locations.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
(cherry picked from commit bd0768cc93)
Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.
Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3
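The update_engine and untrusted_app commits above both start from raw `avc: denied` lines and turn them into policy decisions. The following is an added example, not code from the sepolicy project, that parses those quoted denial lines audit2allow-style: it merges permissions per (source type, target type, class) into a candidate allow rule and flags targets whose type is a catch-all (the `GENERIC_TARGET_TYPES` set is an assumed heuristic list), since a denial against `default_android_service` was resolved in the commit by labelling the service, not by widening the rule.

```python
import re
from collections import OrderedDict

# Constructed sample input: the four avc lines quoted in the commit messages above.
SAMPLE_DENIALS = [
    'avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file',
    'avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file',
    'avc: denied { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager',
    'avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0',
]

DENIAL_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed heuristic list: a denial whose target carries one of these catch-all
# types usually means the object still needs its own label, not a broader rule.
GENERIC_TARGET_TYPES = {"default_android_service", "unlabeled", "device"}


def context_type(ctx):
    """u:r:update_engine:s0 -> update_engine (third colon-separated field; MLS suffix ignored)."""
    return ctx.split(":")[2]


def parse_denial(line):
    """Return a dict for one avc denial line, or None if the line is not a denial."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # A missing permissive= field is assumed to mean the domain was enforcing.
        "enforcing": fields.get("permissive", "0") == "0",
        "fields": fields,
    }


def candidate_rules(lines):
    """Merge denials per (source, target, class) into allow rules, in first-seen order.
    Returns (rule_text, needs_label_review) pairs."""
    merged = OrderedDict()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue  # skip non-avc log lines
        merged.setdefault((d["source"], d["target"], d["tclass"]), set()).update(d["perms"])
    return [("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))),
             tgt in GENERIC_TARGET_TYPES)
            for (src, tgt, cls), perms in merged.items()]
```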