Commit graph

29 commits

Author SHA1 Message Date
Jeff Vander Stoep
2ccd99a53a whitelist test failure that bypassed presubmit
avc: denied { read } for comm="batterystats-wo" name="show_stat" dev="sysfs"
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 77816522
Test: build
Change-Id: I50a9bfe1a9e4df9c84cf4b2b4aedbb8f82ac94cd
2018-04-09 14:15:28 -07:00
Jeff Vander Stoep
558cdf1e99 priv_app: remove more logspam
avc: denied { read } for name="ext4" dev="sysfs" ino=32709
scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0
tclass=dir permissive=0 b/72749888
avc: denied { read } for name="state" dev="sysfs" ino=51318
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:sysfs_android_usb:s0 tclass=file permissive=0
b/72749888

Bug: 72749888
Test: build/boot taimen-userdebug. No more logspam
Change-Id: Ic43d1c8b71e1e5e0e6f9af1e03816c4084120e7e
2018-04-04 14:43:48 -07:00
Jeff Vander Stoep
cc0304cfc2 crashdump: cleanup logs
Suppress WAI denials from crashdump.

Test: build/flash Taimen. Verify no new denials.
Bug: 68319037
Change-Id: If39d057cb020def7afe89fd95e049e45cce2ae16
2018-03-26 13:07:36 -07:00
TreeHugger Robot
763770f611 Merge "Track platform_app SELinux denial." into pi-dev
2018-03-07 19:22:54 +00:00
Joel Galenson
f3f93eaf1d Clean up bug_map.
Remove a fixed bug from bug_map.

Bug: 62140539
Test: Built policy.
Change-Id: I2ce9e48de92975b6e37ca4a3a4c53f9478b006ef
2018-03-07 08:35:41 -08:00
Joel Galenson
2995e996b9 Track platform_app SELinux denial.
This should fix presubmit tests.

Bug: 74331887
Test: Built policy.
Change-Id: Ie9ef75a7f9eaebf1103e3d2f3b4521e9abaf2fe7
2018-03-07 08:26:08 -08:00
Jeff Vander Stoep
9e33565cf0 system_server: grant read access to vendor/framework
avc: denied { getattr } for path="/vendor/framework"
scontext=u:r:system_server:s0 tcontext=u:object_r:vendor_framework_file:s0
tclass=dir

Bug: 68826235
Test: boot Taimen, verify denials no longer occur.
Change-Id: Id4b311fd423342c8d6399c3b724417aff9d1cd88
2018-02-28 17:59:22 +00:00
Joel Galenson
40c112c859 Clean up bug_map.
Remove a fixed bug from bug_map.

Bug: 73068008
Test: Built policy.
Change-Id: Id0072788953cb6b939a11caace0158da7799f540
2018-02-27 14:17:48 -08:00
Joel Galenson
f7ec413844 Dontaudit denials caused by race with labeling.
These denials seem to be caused by a race with the process that labels
the files. While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
2018-02-14 17:07:13 -08:00
Joel Galenson
116f75062f Track crash_dump selinux denial.
This should fix presubmit tests.

Bug: 68319037
Test: Built policy.
Change-Id: I0c3bc08c9b114e7a3737cdb3005fb59b2df47d55
2018-02-12 10:09:43 -08:00
Joel Galenson
fc804cc179 Track untrusted_app SELinux denial.
This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: Ib17d2a5e1635ff661d39d14169652f88b7a6e4f5
2018-02-09 15:23:30 -08:00
Joel Galenson
387729fed5 Track system_server SELinux denial.
This should fix presubmit tests.

Bug: 73128755
Test: Built policy.
Change-Id: Ie389de04360090594e627e629a59a60092dda6ca
2018-02-08 14:32:14 -08:00
Joel Galenson
5d6077bc47 Track priv_app SELinux denial.
This should fix presubmit tests.

Bug: 73068008
Test: Built policy.
Change-Id: Ib27fbad2803eb86ff12526f0ae42eb35917ce59b
2018-02-07 09:47:41 -08:00
Joel Galenson
c883689b07 Track priv_app SELinux denial.
This should fix presubmit tests.

Bug: 72749888
Test: Built policy.
Change-Id: Ie55127f1b570832c03878d1c697262239ac14003
2018-02-02 09:31:34 -08:00
Joel Galenson
0eee7ed32c Track priv_app SELinux denial.
This should fix presubmit tests.

Bug: 72811052
Test: Built policy.
Change-Id: Ifcfe71c717a3b1e59cd1810c7f9be588d48c99a5
2018-02-01 09:38:57 -08:00
Joel Galenson
2218696a3d Track priv_app SELinux denial.
This should fix presubmit tests.

Bug: 72749888
Test: Built policy.
Change-Id: I588bba52d26bcc7d93ebb16e28458d9125f73108
2018-01-31 12:22:30 -08:00
Joel Galenson
26ccebd74a Clean up bug_map.
Remove bugs that have been fixed, re-map duped bugs, and alphabetize
the list.

Test: Booted Walleye and Sailfish, tested wifi and camera, and
observed no new denials.

Change-Id: I94627d532ea13f623fe29cf259dd404bfd850c13
2018-01-30 15:01:54 -08:00
Joel Galenson
07efe37c5f Track usbd SELinux denial.
This should fix presubmit tests.

Bug: 72472544
Test: Built policy.
Change-Id: I01f0fe3dc759db66005e26d15395893d494c4bb7
2018-01-29 10:39:34 -08:00
Joel Galenson
56345fdecd Track untrusted_app SELinux denial.
This should fix presubmit tests.

Bug: 72550646
Test: Built policy.
Change-Id: I51345468b7e74771bfa2958efc45a2a839c50283
2018-01-28 08:40:55 -08:00
Joel Galenson
6e705357c3 Track crash_dump selinux denial.
This should fix presubmit tests.

Bug: 72507494
Test: Built policy.
Change-Id: I56944d92232c7a715f0c88c13e24f65316805c39
2018-01-25 14:14:24 -08:00
Joel Galenson
b050dccdd8 Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
2018-01-25 10:07:19 -08:00
Joel Galenson
7b1e9a5f1c Track idmap selinux denial.
This should fix presubmit tests.

Bug: 72444813
Test: Built policy.
Change-Id: I5b8661b34c9417cd95cb0d6b688443dcbe0d1c0b
2018-01-24 17:49:20 -08:00
Jeff Vander Stoep
1e1a3f7c58 Annotate denials
There is a race condition between when /data is mounted
and when processes attempt to access it. Attempting to access
/data before it's mounted causes an selinux denial. Attribute
these denials to a bug.

07-04 23:48:53.646   503   503 I auditd  : type=1400 audit(0.0:7): avc:
denied { search } for comm="surfaceflinger" name="/" dev="sda35" ino=2
scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
07-15 17:41:18.100   582   582 I auditd  : type=1400 audit(0.0:4): avc:
denied { search } for comm="BootAnimation" name="/" dev="sda35" ino=2
scontext=u:r:bootanim:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
permissive=0

Bug: 68864350
Test: build
Change-Id: I07f751d54b854bdc72f3e5166442a5e21b3a9bf5
2018-01-16 19:47:36 -08:00
Jeff Vander Stoep
7986777913 statsd: annotate boot denials
Point logspam to its owner.

Bug: 71537285
Test: build
Change-Id: I9db561ee6f2857214b7945b312e6d303630724ea
2018-01-10 08:36:51 -08:00
Jeff Vander Stoep
53950b6595 Fix bug map entry
Tclass was omitted for two entries.

Bug: 69928154
Bug: 69366875
Test: build
Change-Id: Ie12c240b84e365110516bcd786b98dc37295fdb9
2017-11-29 14:48:41 -08:00
Jeff Vander Stoep
378763f218 Remove tracking bugs that have been resolved
Bug: 69175449
Bug: 69197466
Test: build
Change-Id: I11e46b65449cb6f451ecab8d4dff9adc162fe115
2017-11-20 22:14:32 -08:00
Jeff Vander Stoep
41401f475a Add tracking bugs to crash_dump denials
avc: denied { search } for name="com.sf.activity" dev="sda35"
ino=1444147 scontext=u:r:crash_dump:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
avc: denied { search } for comm="crash_dump64"
name="com.android.bluetooth" dev="sda13" ino=1442292
scontext=u:r:crash_dump:s0 tcontext=u:object_r:bluetooth_data_file:s0
tclass=dir
avc: denied { search } for comm="crash_dump64" name="overlay" dev="dm-1"
ino=938 scontext=u:r:crash_dump:s0
tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0

Bug: 68705274
Bug: 68319037
Test: build
Change-Id: I44075ac6bf6447d863373c97ba10eadf59d2d22f
2017-11-14 22:11:15 +00:00
Jeff Vander Stoep
29666d125f Add tracking bugs to denials
These denials should not be allowed. Adding a bug number to the
denial properly attributes them to a bug.

Bug: 69197466
avc: denied { fsetid } for comm="update_engine" capability=4
scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0
tclass=capability

Bug: 62140539
avc: denied { open }
path="/data/system_de/0/spblob/17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file
avc: denied { unlink } for name="17a358cf8dff62ea.weaver"
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 69175449
avc: denied { read } for name="pipe-max-size" dev="proc"
scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build
Change-Id: I62dc26a9076ab90ea4d4ce1f22e9b195f33ade16
2017-11-13 08:08:17 -08:00
Jeff Vander Stoep
e82c8ab786 Track priv_app firstboot_prop denial
This denial should not be allowed. Add bug information to the denial
to give context.

Bug: 63801215
Test: build
Change-Id: I3dc5ce6a5aa1c6bf74c6fd13cab082c7f263c4e8
2017-10-13 13:02:36 -07:00