Some devices still have pre-built binaries with text relocations
on them. As a result, it's premature to assert a neverallow rule
for files in /system
Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b
system_server no longer has universal service_manager_type permissions and so no
longer needs the auditallow rules therewith associated.
Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices.
When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.
Bug: 19993667
Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5
Executing dumpsys meminfo over the console shell requires that output go to the
console_device. meminfo passes a fd to each applicaiton thread so that it can
do this in IApplicationThread.dumpMemInfo(). Allow use of this fd.
Addresses the following denial:
type=1400 audit(1426793987.944:4224): avc: denied { read write } for pid=1809 comm="Binder_4" path="/dev/console" dev="tmpfs" ino=5684 scontext=u:r:platform_app:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file
Bug: 17135173
Change-Id: Id5340a1fb3c8dbf41bda427720c4a0047bc557fc
Add rules to let sgdisk read/write to pts when forked from vold.
avc: denied { read write } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:sgdisk:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
Also add rule to let it kick kernel to reload partition tables after
we finish editing them. Without this capability, it leaves this
message and violation:
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.
avc: denied { sys_admin } for capability=21 scontext=u:r:sgdisk:s0 tcontext=u:r:sgdisk:s0 tclass=capability permissive=0
Change-Id: If26a40f9fd3b1ab2c50156ae8bdb128676521b57
Creates new directory at /data/misc/vold for storing key material
on internal storage. Only vold should have access to this label.
Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
As suggested in the comments on
https://android-review.googlesource.com/#/c/141560/
drop BOARD_SEPOLICY_UNION and simplify the build_policy logic.
Union all files found under BOARD_SEPOLICY_DIRS.
Unlike BOARD_SEPOLICY_REPLACE/IGNORE, on which we trigger an error
to catch any lingering uses and force updating of the BoardConfig.mk
files, we only warn on uses of BOARD_SEPOLICY_UNION to avoid
breaking the build until all device BoardConfig*.mk files have been
updated, and since they should be harmless - the files will be unioned
regardless.
Change-Id: I4214893c999c23631f5456cb1b8edd59771ef13b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is for the new addAuthToken keystore method from
I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to
authorize keymaster operations. The tokens are HMAC'd and so shouldn't
be fakeable but this is still limited to system_server only.
Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
Create new vold_fsck domain that only has access to vold_block
devices to prevent any access to internal userdata.
Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731
Add wakelock_use to slideshow.te to fix the following denial:
avc: denied { block_suspend } for pid=137 comm="slideshow" capability=36 scontext=u:r:slideshow:s0 tcontext=u:r:slideshow:s0 tclass=capability2 permissive=0
Change-Id: If84f167cd235e8196eadf3fb85cc725a5ea464e6
This fixes the following policy violation:
avc: denied { read } pid=30295 comm="app_process"
tcontext=u:object_r:dalvikcache_data_file:s0
scontext=u:r:dumpstate:s0 tclass=lnk_file
permissive=0 ppid=26813 pcomm="dumpstate"
pgid=26813 pgcomm="dumpstate"
See 0e32726 in app.te for a symmetrical
change.
Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1
The deprecated/deleted usbfs kernel driver gets really unhappy when
SELinux denies it access to directories. On flo (3.4.0 kernel), this
comes across as an SELinux denial followed by a kernel panic.
Steps to reproduce:
1. plug in a USB device.
2. notice nothing happens.
3. unplug the USB device
4. plug it in again, watch for restart.
Expected:
USB device works
Actual:
[329180.030242] Host mode: Set DC level as 0x68 for flo.
[329180.030395] msm_hsusb_host msm_hsusb_host: Qualcomm On-Chip EHCI Host Controller
[329180.030639] Unable to create devices usbfs file
[329180.030944] type=1400 audit(1425327845.292:12): avc: denied { search } for pid=24033 comm="kworker/0:1" name="/" dev="usbfs" ino=291099 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=dir
[329180.060394] msm_hsusb_host msm_hsusb_host: new USB bus registered, assigned bus number 1
[329180.091583] msm_hsusb_host msm_hsusb_host: irq 132, io mem 0x12500000
[deleted]
[329180.120178] hub 1-0:1.0: USB hub found
[329180.120452] hub 1-0:1.0: 1 port detected
[329180.123199] Unable to handle kernel NULL pointer dereference at virtual address 00000070
[329180.123443] pgd = c0004000
[329180.123809] [00000070] *pgd=00000000
[329180.124206] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[329180.124481] CPU: 0 Tainted: G W (3.4.0-g2e8a935 #1)
[329180.124908] PC is at mutex_lock+0xc/0x48
[329180.125122] LR is at fs_create_file+0x4c/0x128
[329180.125518] pc : [<c0916708>] lr : [<c0440ec4>] psr: a0000013
[deleted]
[329180.281005] [<c0916708>] (mutex_lock+0xc/0x48) from [<c0440ec4>] (fs_create_file+0x4c/0x128)
[329180.281280] [<c0440ec4>] (fs_create_file+0x4c/0x128) from [<c04410c8>] (usbfs_notify+0x84/0x2a8)
[329180.281738] [<c04410c8>] (usbfs_notify+0x84/0x2a8) from [<c009c3b8>] (notifier_call_chain+0x38/0x68)
[329180.282257] [<c009c3b8>] (notifier_call_chain+0x38/0x68) from [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58)
[329180.282745] [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) from [<c009c628>] (blocking_notifier_call_chain+0x14/0x18)
[329180.283264] [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) from [<c043ef8c>] (generic_probe+0x74/0x84)
[329180.283752] [<c043ef8c>] (generic_probe+0x74/0x84) from [<c04387c4>] (usb_probe_device+0x58/0x68)
[329180.284240] [<c04387c4>] (usb_probe_device+0x58/0x68) from [<c03adc78>] (driver_probe_device+0x148/0x360)
[329180.284576] [<c03adc78>] (driver_probe_device+0x148/0x360) from [<c03ac76c>] (bus_for_each_drv+0x4c/0x84)
[329180.285034] [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) from [<c03adfc8>] (device_attach+0x74/0xa0)
[329180.285522] [<c03adfc8>] (device_attach+0x74/0xa0) from [<c03ac94c>] (bus_probe_device+0x28/0x98)
[329180.286041] [<c03ac94c>] (bus_probe_device+0x28/0x98) from [<c03ab014>] (device_add+0x444/0x5e4)
[329180.286529] [<c03ab014>] (device_add+0x444/0x5e4) from [<c042f180>] (usb_new_device+0x248/0x2e4)
[329180.286804] [<c042f180>] (usb_new_device+0x248/0x2e4) from [<c043472c>] (usb_add_hcd+0x420/0x64c)
[329180.287292] [<c043472c>] (usb_add_hcd+0x420/0x64c) from [<c044600c>] (msm_otg_sm_work+0xe74/0x1774)
[329180.287811] [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) from [<c0091d8c>] (process_one_work+0x280/0x488)
[329180.288299] [<c0091d8c>] (process_one_work+0x280/0x488) from [<c00921a8>] (worker_thread+0x214/0x3b4)
[329180.288787] [<c00921a8>] (worker_thread+0x214/0x3b4) from [<c0096b14>] (kthread+0x84/0x90)
[329180.289276] [<c0096b14>] (kthread+0x84/0x90) from [<c000f3c8>] (kernel_thread_exit+0x0/0x8)
Allow the usbfs operation.
Bug: 19568950
Change-Id: Iffdc7bd93ebde8bb75c57a324b996e1775a0fd1e
Modify create_file_perms and create_dir_perms so it doesn't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and isn't something we want to support by
default.
Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.
Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.
SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.
Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.
Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0
Add a compile time assertion that capabilities other than setuid
and setgid are never granted to run-as.
This is a compile time assertion only. No new capabilities are granted
or removed.
Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220
Add a compile time assertion that gpsd never has capabilities other
than block_suspend.
Bug: 19908228
Change-Id: Iaaf83191902ed04fe9df52c1ed44248fb1ce732d
Android has long enforced that code can't compile with text
relocations present. Add a compile time assertion to prevent
regressions.
Change-Id: Iab35267ce640c1fad9dc82b90d22e70e861321b7
Make sure we're not running fsck on block devices where it
doesn't make any sense. In particular, we should not be running
fsck on /system since it's mounted read-only, and any modification
to that block device will screw up verified boot.
Change-Id: Ic8dd4b0519b423bb5ceb814daeebef06a8f065b4
/odm has the same permissions as /system/... for devices with a
separate odm partition
Bug: 19609718
Change-Id: I6dd83d43c5fd8682248e79d11b0ca676030eadf0
Commit a191398812 added a new
SELinux label to /system/xbin/procrank, which had the effect of
preventing dumpstate from executing procrank. Allow dumpstate
to execute procrank.
Bug: 18342188
Change-Id: If5b781db0d3af34912f3c803b7fa73d53120f3ba
/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.
Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7
This is causing more harm than good. We'll just make these all link
libc++ again and work out the CTS issues if they still exist.
Bug: 19778891
This reverts commit 3812cf58cb.
Change-Id: Iaea8f6acb147da4275633a760ccb32951db7f8b6
This is causing more harm than good. We'll just make these all link
libc++ again (another revert) and work out the CTS issues if they still
exist.
Bug: 19778891
This reverts commit a5113a1500.
Change-Id: I35a4c93dae4abb66e3525451d5ce01e33a540895
Address sanitizer requires using libc++ (apparently). We removed
libc++ from these projects since they were C and the SDK/CTS was not
able to find libc++.
If we're interested in continuing to use ASAN on these tools
(probably), we should turn libc++ back on once we're sure CTS won't
die.
Bug: 19778891
Change-Id: I3c1913171a15396ead73277ec1186fead730f66d
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory
Also indicate that none of the sepolicy tools need c++ std lib.
Bug: 19617220
Change-Id: I713b3cbd1220655413d399c7cd2b0b50459a5485
