Commit graph

4108 commits

Author SHA1 Message Date
dcashman
1b4b3b918b Expand rtc_device label to match all rtc class drivers.
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.

Change-Id: I50d15aa62e87509e940acd168474433803b2115d
2015-05-21 10:35:57 -07:00
dcashman
c7594898db Label /dev/rtc0 as rtc_device.
Grant access to system_server, as it is used by AlarmManagerService.

Change-Id: I4f099fe30ba206db07d636dd454d43d3df9d3015
2015-05-18 14:01:37 -07:00
Nick Kralevich
72aeb0126a Merge "neverallow cache_file and derivatives execute" 2015-05-18 16:53:16 +00:00
Jeffrey Vander Stoep
a7621f808e Merge "make unix_socket_connect() for property service a warning" 2015-05-15 21:23:32 +00:00
William Roberts
6c30016136 neverallow cache_file and derivatives execute
Change-Id: I45002cfd05e4e184bfc66039b3ae9a4af057adb1
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-15 18:39:56 +00:00
Chad Brubaker
cbc8f79655 Rename keystore methods and delete unused permissions
Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-14 13:49:24 -07:00
William Roberts
1b4e69a734 make unix_socket_connect() for property service a warning
Encourage the use of set_prop macro by making existing
unix_socket_connect(domain, property, init) calls
warn at compile time. When encountering one of these macros,
m4 will emit a deprecated message as follows:

m4: external/sepolicy/adbd.te: 97: deprecated: unix_socket_connect(adbd, property, init) Please use set_prop(adbd, <property name>) instead.

Change-Id: I997fed75d2683933e08db8b9efeecea71523c7c3
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-14 13:03:12 -07:00
Than McIntosh
e5916eb67b Merge "Tweak perfprofd sepolicy to include ipc_lock self capability." 2015-05-14 19:58:06 +00:00
Than McIntosh
728fe3d491 Tweak perfprofd sepolicy to include ipc_lock self capability.
Bug: http://b/19483574
Change-Id: Id39a5aaf531d2a75a22647bdafb34a6ef18201c8
2015-05-14 15:47:36 -04:00
William Roberts
d1fa4d3d92 neverallow transitions to shell
Only a few daemons need transition to shell. Prevent
misuse and over-privileging of shell domain.

Change-Id: Ib1a5611e356d7a66c2e008232c565035e3fc4956
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-13 19:37:36 -07:00
William Roberts
529a8634e1 neverallow "write ops" on system_data_file from "others"
Only a few system level components should be creating and writing
these files, force a type transition for shared files.

Change-Id: Ieb8aa8a36859c9873ac8063bc5999e9468ca7533
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-13 11:51:33 -07:00
Chad Brubaker
520bb816b8 Add keystore user_changed permission
user_changed will be used for state change methods around android user
creation/deletion.

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
2015-05-12 13:24:43 -07:00
dcashman
b8943b1581 Merge "Fix sepolicy-analyze libc++.so loading issue w/CTS." 2015-05-12 18:10:13 +00:00
dcashman
28acbeab18 Fix sepolicy-analyze libc++.so loading issue w/CTS.
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory

Also indicate that none of the sepolicy tools need c++ std lib.

(cherry-pick of 0cdb0517be696c0dc6882d289eedd45bf2da918c now made possible by
addition of commit: 28b72eddd54cb1287dd7daae853e8e4b78fa17eb)

Bug: 19617220
Change-Id: I2c5b7ab1ddeb0e02cbaad2b7d5430a0974524a89
2015-05-12 11:06:44 -07:00
Paul Crowley
421dadbc9d Allow vold to create subdirectories within its private area.
AVC message we get without this change creating
/data/misc/vold/user_keys

05-12 08:57:54.839   189   189 W vold    : type=1400 audit(0.0:176):
avc: denied { create } for name="user_keys" scontext=u:r:vold:s0
tcontext=u:object_r:vold_data_file:s0 tclass=dir permissive=0

Bug: 19704432
Change-Id: I10fc90c64c7c10fa9811133a4289663ae8617607
2015-05-12 10:00:41 +01:00
Nick Kralevich
540be83b82 Merge "Label /oem files" 2015-05-07 20:49:01 +00:00
Nick Kralevich
82966219e6 Merge "Replace unix_socket_connect() and explicit property sets with macro" 2015-05-07 00:06:23 +00:00
William Roberts
625a3526f1 Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 00:02:59 +00:00
Nick Kralevich
2025fd1476 Label /oem files
Files on the /oem partition are weird. The /oem partition is an ext4
partition, built in the Android tree using the "oem_image" build target
added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since
it's an ext4 image, it requires SELinux labels to be defined at build
time. However, the partition is mounted using context=u:object_r:oemfs:s0,
which ignores the labels on the filesystem.

Assign all the files on the /oem image to be oemfs, which is consistent
with how they'll be mounted when /oem is mounted.

Other options would be to use an "unlabeled" label, or try to fix the
build system to not require SELinux labels for /oem images.

Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
2015-05-06 16:33:56 -07:00
Nick Kralevich
1212235ff4 Don't label simpleperf system_file
The default label for files on /system is already system_file. No
need to explicitly specify it.

Change-Id: If0c92a0da4119a0d8f83b4a3e05101cfcdb9a82d
2015-05-06 15:19:52 -07:00
Nick Kralevich
cfd49516f9 Merge "Update sepolicy to add label for /data/misc/perfprofd." 2015-05-06 21:57:07 +00:00
Dehao Chen
7d66f783c2 Update sepolicy to add label for /data/misc/perfprofd.
Bug: 19483574
Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64
2015-05-06 14:45:44 -07:00
Nick Kralevich
e550e79c76 kernel: allow rebooting, and writing to /dev/__kmsg__
Addresses the following denials:

  avc:  denied  { write } for  pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0
  avc:  denied  { write } for  pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0
  avc:  denied  { sys_boot } for  pid=1 comm="init" capability=22  scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0

Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-05 17:40:07 -07:00
Than McIntosh
ccc8608cc6 Merge "New sepolicy for perfprofd, simpleperf." 2015-05-05 13:38:29 +00:00
dcashman
6780dfeeab Allow system_app to list all services.
The Settings app contains a SystemPropPoker class which notifies every service
on the system that a property has changed.

Address the following denial:
avc:  denied  { list } for service=NULL scontext=u:r:system_app:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Bug: 20762975
Change-Id: I81926e8833c1abcb17a4d49687fc89619b416d6c
2015-05-04 15:06:26 -07:00
Than McIntosh
0fdd364e89 New sepolicy for perfprofd, simpleperf.
Bug: http://b/19483574

Change-Id: I594f04004cccd2cbfadbd0f9d1bbb9815a2ea59d
2015-05-04 13:49:15 -04:00
Stephen Smalley
4a12d9630a Ensure that domain and appdomain attributes are assigned.
Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.

Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-01 10:13:07 -04:00
Jeff Sharkey
8f821db783 Allow installd to move APKs.
As an optimization, installd is now moving previously-installed
applications between attached storage volumes.  This is effectively
copying to the new location, then deleting the old location.

Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.

avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1

Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458
2015-04-30 16:08:35 -07:00
Paul Lawrence
f7163597f5 New ext4enc kernel switching from xattrs to ioctl
This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-04-29 15:44:46 -07:00
dcashman
7c1dced7d5 Make deviceidle accessible as system_api_service.
deviceidle service should be accessible to all non third-party apps.

Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa
2015-04-29 10:30:10 -07:00
Alex Klyubin
0bc92cea13 Merge "Expand access to gatekeeperd." 2015-04-29 16:30:27 +00:00
Alex Klyubin
effcac7d7e Expand access to gatekeeperd.
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
2015-04-29 09:22:11 -07:00
Paul Lawrence
13dec5fa5b Securely encrypt the master key
Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:28:16 -07:00
Paul Lawrence
3ee85ca6aa Revert "Securely encrypt the master key"
This reverts commit 5287d9a8e5.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a
2015-04-28 19:16:22 +00:00
Paul Lawrence
5287d9a8e5 Securely encrypt the master key
This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1
2015-04-27 20:04:10 +00:00
Nick Kralevich
e05487acc3 init.te: Don't allow mounting on top of /proc
Don't allow init to mount on top of /proc. See
https://android-review.googlesource.com/148295 for details.

Change-Id: I65f66b39f3a5bfb72facb9f716f4537ac2237af1
2015-04-25 15:54:11 -07:00
Jeff Sharkey
90c64542a2 Allow vold to move FUSE backing files directly.
This enables an optimization of bypassing the FUSE overhead when
migrating emulated storage between volumes.

avc: denied { write } for path="/mnt/expand/6cba9b95-4fc8-4096-b51f-bdb2c007d059/media/obb/.nomedia" dev="dm-0" ino=387843 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I2bb9aaca50ed988ded6afec6d7fbe190903707e0
2015-04-24 15:24:15 -07:00
Jeff Vander Stoep
c2e31a7782 Create context for ctl.console
Change-Id: I1c9fa4da442aa47ae4b7341eab6f788f0329d2d2
2015-04-24 14:39:16 -07:00
Jeffrey Vander Stoep
eb9536488c Revert "Create context for ctl.console"
This reverts commit bbd56b71ce.

Change-Id: I3e295f785aa62de3a04b2f201be97dd7ef0c207f
2015-04-24 21:05:46 +00:00
Jeff Vander Stoep
bbd56b71ce Create context for ctl.console
Change-Id: I9ba4952230ec1b811b8ec6cd19c0286ee791bf08
2015-04-24 20:32:46 +00:00
Elliott Hughes
5aac86dc06 Revert "Revert "SELinux policy changes for re-execing init.""
This reverts commit c450759e8e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 12:28:12 -07:00
Nick Kralevich
6d97d9b818 Merge "Revert "SELinux policy changes for re-execing init."" 2015-04-24 17:00:12 +00:00
Nick Kralevich
c450759e8e Revert "SELinux policy changes for re-execing init."
shamu isn't booting.

This reverts commit 46e832f562.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
2015-04-24 16:59:43 +00:00
Elliott Hughes
ecd577313e Merge "SELinux policy changes for re-execing init." 2015-04-24 03:10:15 +00:00
Nick Kralevich
caefbd71c5 allow adbd to set sys.usb.ffs.ready
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Elliott Hughes
46e832f562 SELinux policy changes for re-execing init.
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
2015-04-23 17:12:18 -07:00
Nick Kralevich
934cf6eaf0 Merge "gatekeeperd: use more specific label for /data file" 2015-04-20 15:24:00 +00:00
Jeff Sharkey
e98cda25e1 Grant apps write access to returned vfat FDs.
Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors.  Grant
apps write access to those files.  (Direct access to the files on
disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9
2015-04-18 14:34:52 -07:00
Jeff Sharkey
c9036fb1c1 Grant platform apps access to /mnt/media_rw.
Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.

Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
2015-04-18 14:14:15 -07:00
Nick Kralevich
367757d2ef gatekeeperd: use more specific label for /data file
Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
2015-04-17 17:56:31 -07:00