All uses were removed by I1c925d7facf19b3953b5deb85d992415344c4c9f;
this is just a dead definition.
(cherry-pick of commit: a0c9d207b1)
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change-Id: I2e17e522a78120c3658d81035e202aab861a3b22
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.
(cherry-pick of 1b4b3b918b)
Change-Id: Iea6e1271fb054ea7f44860724e04143875867d78
As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.
Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider. The actual
access control is still managed by POSIX permissions on that
directory.
avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
Keystore is going through an API cleanup to make names more clear and
remove unclear methods.
(cherry-picked from commit cbc8f79655)
Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
user_changed will be used for state change methods around android user
creation/deletion.
(cherry-picked from commit 520bb816b8)
Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.
Also let vold create new directories under it's private storage area
where the benchmarks will be carried out. Mirror the definition of
the private storage area on expanded media.
avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
Addresses the following error when running CTS on master:
junit.framework.AssertionFailedError: The following errors were encountered when validating the SELinuxneverallow rule:
neverallow { appdomain -bluetooth } self:capability *;
/tmp/SELinuxHostTest5593810182495331783.tmp: error while loading shared libraries: libc++.so: cannot open shared object file: No such file or directory
Also indicate that none of the sepolicy tools need c++ std lib.
(cherry-pick of 28acbeab18)
Bug: 19566396
Change-Id: Ieb380d05ae896a8146b80f94fe3b3211178705bb
Programs routinely scan through /system, looking at the files there.
Don't generate an SELinux denial when it happens.
Bug: 21120228
Change-Id: I85367406e7ffbb3e24ddab6f97448704df990603
Files on the /oem partition are weird. The /oem partition is an ext4
partition, built in the Android tree using the "oem_image" build target
added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since
it's an ext4 image, it requires SELinux labels to be defined at build
time. However, the partition is mounted using context=u:object_r:oemfs:s0,
which ignores the labels on the filesystem.
Assign all the files on the /oem image to be oemfs, which is consistent
with how they'll be mounted when /oem is mounted.
Other options would be to use an "unlabeled" label, or try to fix the
build system to not require SELinux labels for /oem images.
(cherrypicked from commit 2025fd1476)
Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service
The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.
To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)
This macro handles steps 1, 2 and 3.
No difference in sediff is expected.
(cherrypicked from commit 625a3526f1)
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
MAC address access is no longer allowed via the java API. Deny access
from native code.
Bug: 17787238
Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
The Settings app contains a SystemPropPoker class which notifies every service
on the system that a property has changed.
Address the following denial:
avc: denied { list } for service=NULL scontext=u:r:system_app:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
Cherry-pick of Change-Id: I81926e8833c1abcb17a4d49687fc89619b416d6c
Bug: 20762975
Change-Id: I665a460f30a1ef57b513da9166aad60097dd4886
As an optimization, installd is now moving previously-installed
applications between attached storage volumes. This is effectively
copying to the new location, then deleting the old location.
Since OAT files can now live under /data/app directories, we also
need the ability to relabel those files.
avc: denied { create } for name="base.apk" scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { write } for path="/data/app/com.example.playground-2/base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { setattr } for name="base.apk" dev="mmcblk0p16" ino=40570 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelfrom } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1
avc: denied { relabelto } for name="base.odex" dev="mmcblk0p16" ino=40574 scontext=u:r:installd:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file permissive=1
(Cherry-pick of 8f821db783)
Bug: 19993667, 20275578
Change-Id: I52bb29ed9f57b3216657eb757d78b06eeaf53458
Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.
Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.
Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
deviceidle service should be accessible to all non third-party apps.
Cherry-pick of commit: 7c1dced7d5
Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.
(cherry picked from commit effcac7d7e)
Bug: 20526234
Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
This enables an optimization of bypassing the FUSE overhead when
migrating emulated storage between volumes.
avc: denied { write } for path="/mnt/expand/6cba9b95-4fc8-4096-b51f-bdb2c007d059/media/obb/.nomedia" dev="dm-0" ino=387843 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1
Bug: 19993667
Change-Id: I2bb9aaca50ed988ded6afec6d7fbe190903707e0
