Better refine the rules surrounding the recovery SELinux
domain, and get rid of dmesg log spam.
Recovery is still in permissive_or_unconfined(), so no expected
change in behavior.
Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
As of sepolicy commit a16a59e2c7
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.
Merge them into one type to avoid a proliferation of SELinux
types.
Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95
https://android-review.googlesource.com/#/c/95900/ added
allow rules for unlabeled access as needed to all confined
domains. Therefore we can remove it from domain. The only
other domain that truly needs unlabeled access is init, which
presently inherits it from unconfineddomain.
Also prevent rules that would permit any confined domain from
creating new unlabeled files on the system.
Change-Id: I31c6478b42fbf60e3b7893b9578b6ad50170def6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).
Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0
As of system/core commit 225459a5da21e9397ca49b0d9af7d5fe3462706b,
adbd no longer talks to vold. Remove the obsolete rule.
Bug: 12504045
Change-Id: I0a4f621afd8e5f8ab83219e7b0ff096c992d365f
NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.
Addresses the following error / denial:
06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app
Expected:
App runs
Actual:
App crashes with error above.
Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
Rewrote the process policy in external/sepolicy/unconfined.te
from a blacklist to a whitelist to be more easily understood.
There were previously 11 disallowed permissions and now there are
19 allowed permissions.
Change-Id: Ida4dc881c5fedc56980324774f40e09a9b8a830a
Switch from using unconfined_domain() to permissive_or_unconfined().
For user builds, or builds with FORCE_PERMISSIVE_TO_UNCONFINED=true,
this is a no-op. For userdebug / eng builds, this will allow us to
collect denials from /proc/last_kmsg.
Change-Id: I41e1a206b2a3b0eee34539bfebfc5deee9e18a42
The selinux_version file is used to perform policy
versioning checks by libselinux and SELinuxMMAC. When
loading policy a check is first performed to determine
if the policy out in /data/security/current should be
used to override the base policy shipped with the device.
The selinux_version file is used to make that choice. The
contents of the file simply contains the BUILD_FINGERPRINT
that the policy was built against. A simple string comparison
is then performed by libselinux and SELinuxMMAC.
Change-Id: I69d9d071743cfd46bb247c98f94a193396f8ebbd
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).
init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it. init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.
Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.
This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.
Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.
Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Create a separate recovery policy and only include the
recovery domain allow rules in it.
Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These permissions are already allowed indirectly via unconfineddomain
and via domain, but ultimately we plan to remove them from those two
attributes. Explicitly allow the ones we expect to be required,
matching the complement of the auditallow rules in domain.te.
Change-Id: I43edca89d59c159b97d49932239f8952a848031c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://android-review.googlesource.com/#/c/95900/ added further
unlabeled rules for installd and added explicit unlabeled rules for
vold and system_server. Exclude these permissions from the auditallow
rules on unlabeled so that we only see the ones that would be denied if
we were to remove the allow domain rules here.
Change-Id: I2b9349ad6606bcb6a74a7e67343a8a9e5d70174c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
