installd has been deleting files on the primary (emulated) storage
device for awhile now, but it was lacking the ability to delete files
on secondary (physical) storage devices.
Even though we're always going through an sdcardfs layer, the
kernel checks our access against the label of the real underlying
files.
Instead of tediously listing each possible storage label, using
"sdcard_type" is more descriptive and future-proof as new
filesystems are added.
avc: denied { read open } for path="/mnt/media_rw/1B82-12F6/Android/data/com.android.cts.writeexternalstorageapp" dev="loop9p1" ino=1224 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { write search } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { remove_name } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
avc: denied { unlink } for name="probe" dev="loop9p1" ino=1232 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=1
avc: denied { rmdir } for name="cache" dev="loop9p1" ino=1225 scontext=u:r:installd:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=1
Bug: 113277754
Test: atest android.appsecurity.cts.StorageHostTest
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Test: atest --test-mapping frameworks/base/services/core/java/com/android/server/pm/
Change-Id: Id79d8f31627c0bfb490b4280c3b0120d0ef699bf
It doesn't make sense to write neverallow assertions where an attribute
negation exists allowing the operation. When such a negation exists,
domains can "opt-out" of the neverallow assertion by declaring their
use of the attribute. Such trivially bypassable assertions provide
no security nor architectural guarantees.
"netdomain" is such an attribute. This attribute is used by processes to
indicate that they communicate with the network, for example, using
TCP/UDP sockets. Vendor code is freely allowed to use network
communication by declaring their use of the attribute.
Because the attribute is usable to any vendor domain, the "no socket
connections to netd" restriction is pointless and provides a false sense
of security. Any process can opt-out of these restrictions by just
declaring their use of networking functionality. This also results in
ineffective policy bloat, making it difficult to reason about the policy
and make changes.
Delete the ineffective, misleading neverallow assertion.
Test: compiles
Change-Id: Ia72d9660a337ef811e56c9227af29b17d043b99f
Clatd is effectively an internal implementation detail of netd.
It exists as a separate daemon only because this gives us a better
security boundary. Netd is it's only launcher (via fork/exec) and
killer.
Generated via:
{ echo; cat public/clatd.te; echo; } >> private/clatd.te
rm -f public/clatd.te
plus a minor edit to put coredomain after clatd type declaration
and required changes to move netd's clatd use out of public into private.
Test: build and install on non-aosp test device, atest, check for selinux clat denials
Change-Id: I80f110b75828f3657986e64650ef9e0f9877a07c
am: 622992fd49 -s ours
am skip reason: change_id I4339f19af999d43e07995ddb77478a2384bbe209 with SHA1 db3fde05b5 is in history
Change-Id: Ia1b175f2c19e5e3f3e104f85777c081ebc093a54
ART generically locks profile files, and this avoids
special casing the ART code for read-only partitions.
An example on how ART does it:
https://android-review.googlesource.com/c/platform/art/+/958222/3/runtime/jit/jit.cc#731
Bug: 119800099
Test: system server locking a system file, no denial
(cherry picked from commit db3fde05b5)
Change-Id: I5623f5d548dd1226e5788e369333922a27f14021
Merged-In: I4339f19af999d43e07995ddb77478a2384bbe209
These denials are intermittent and unnecessary. Hide them while we
investigate how to properly fix the issue.
Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
(cherry picked from commit 654ceeb93f)
am: 7c40e0bb6e -s ours
am skip reason: change_id I1ebd82e6730d62d1966da3c4634ecd78ce703543 with SHA1 487fcb87c0 is in history
Change-Id: I4c57a1b329f9ae1a2e66369658861baf379046b2
am: 24dd16b650 -s ours
am skip reason: change_id Id927ee73469d3e90f5111bd5e31ed760a58c8ebe with SHA1 3e41b297d2 is in history
Change-Id: I14bc89d2151b790278dd6e877312b8edfc05aac4
am: 63067284f1 -s ours
am skip reason: change_id I3bd1b2262dc6dcb099403d24611db66aac9aecb0 with SHA1 ae68bf23b6 is in history
Change-Id: I177f0150b4d4ba19841a19fee6d8f15a49cd7fc3
am: 5a56156bcc -s ours
am skip reason: change_id I5af4d01e17f2d37335f523a49c7b1f81886edfa2 with SHA1 210cdc6fa4 is in history
Change-Id: I97fb79ff555ecffdef5f8e88e4022e076083f7f8
bpf programs/maps are now loaded by the bpfloader, not netd
Test: built/installed on crosshatch which uses eBPF - no avc denials
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I1ebd82e6730d62d1966da3c4634ecd78ce703543
Merged-In: I1ebd82e6730d62d1966da3c4634ecd78ce703543
(cherry picked from commit 487fcb87c0)
No longer needed, since this is now done by netd.
In a separate commit so it can potentially not be backported to Q
if we so desire.
Test: build/installed on crosshatch with netd/clatd changes,
and observed functioning ipv4 on ipv6 only network with no
avc denials
Bug: 65674744
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
Merged-In: Id927ee73469d3e90f5111bd5e31ed760a58c8ebe
(cherry picked from commit 3e41b297d2)
am: 9bb7844efa -s ours
am skip reason: change_id Ieab51aeb67ebb85b6c778410ba96963612277ae4 with SHA1 afa10f7223 is in history
Change-Id: Ie31a3810a21ee64be15310e62ecbec3da2f3abb8
This is presumably libc isatty detection on stdin/out/err.
Either way - allowing it is harmless.
This fixes:
type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0
Test: built and observed no more avc denials on crosshatch
Bug: 77868789
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
Merged-In: Ieab51aeb67ebb85b6c778410ba96963612277ae4
(cherry picked from commit afa10f7223)
Media component update service is removed, so selinux
permissions for it are no longer needed.
Bug: 123250010
Test: boot, play video
Change-Id: I0fec6839f5caf53d16399cb72dcdd6df327efc95
These denials are intermittent and unnecessary. Hide them while we
investigate how to properly fix the issue.
Bug: 131096543
Bug: 132093726
Test: Build
Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2
