Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.
To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.
Change-Id: Id79cc6f434c41179d5c0d0d739c4718918b0b1dc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
No longer necessary after android.process.media moved to the
priv_app domain. Verified no new denials via audit2allow rule.
Bug: 25085347
Change-Id: I2d9498d5d92e79ddabd002b4a5c6f918e1eb9bcc
Shell user needs to be able to get current device battery_level via
/sys/class/power_supply/battery/capacity. Create a global label and
corresponding policy for accessing this. Rely on each device to label
the appropriate sysfs entry.
Bug: 26219114
Change-Id: I2c5ef489a9db2fdf7bbd5afd04278214b814351c
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).
Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.
BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
Dependencies being built with newline files in between
were also including the list of files without the newlines,
thus make would have to process 3n-1 files instead of 2n-1
where n is the number of files to process.
Additionally the *_with_nl variables were not being cleared
out and polluting Make's global name-space.
Change-Id: I76ea1a3dfae994b32991730aea7e4308da52a583
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba. Restore access to everyone.
Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.
Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.
Commit 4e2d22451f restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.
Addresses the following denials:
avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.
Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.
Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
Both angler and bullhead violate these SELinux rules.
Bullhead: tee has access to these files
Angler: system_server has read/write access to these files.
Fixes the following compile time error:
libsepol.report_failure: neverallow on line 32 of external/sepolicy/fingerprintd.te (or line 6704 of policy.conf) violated by allow tee fingerprintd_data_file:file { ioctl read write create setattr lock append rename open };
libsepol.check_assertions: 1 neverallow failures occurred
Error while expanding policy
out/host/linux-x86/bin/checkpolicy: loading policy configuration from out/target/product/bullhead/obj/ETC/sepolicy_intermediates/policy.conf
This reverts commit 604a8cae62.
Change-Id: Iabb8f2e9de96f9082cd6a790d1af80cbc6a569b1
Only fingerprintd should be creating/reading/writing/etc from
/data/system/users/[0-9]+/fpdata(/.*)? . Add a neverallow rule
(compile time assertion + CTS test) to ensure no regressions.
Change-Id: I30261a4bd880f5c4f3d90d1686a6267f60bdd413
The target sectxfile_nl, which is an auto-generated newline file,
has dependencies on itself and the other files. The dependencies
should be on the other files and this newline file, not the other
way around. Ideally, the *_contexts recipes should have the
dependency recorded for their "contexts" files and the newline
file.
Additionally, recipe dependencies for building the *_contexts files
depended on the list of all the contexts files with the newline file
in that list, however an additional explicit addition of the newline
file was also added in. Remove this, since its in the full list of
files.
Change-Id: Iac658923f23a8d9263d392c44003b6bda4064646
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc
Also allow shell getattr access to the tracing file. That way
"ls -la" returns something meaningful.
Bug: 26217098
Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
The label for /sys/kernel/debug/tracing was changed from debugfs
to debugfs_tracing in commit https://android-review.googlesource.com/187692 .
Ensure we're using the correct label.
Change-Id: I6cab9d6b9f3d96b41db26642b67d880b1ca17a8b
Enable checkfc to check *_contexts against a set of valid attributes
which must be associated with all types in the contexts file that
is being checked.
Since it's imperative that checkfc knows which file its checking to
choose the proper attribute set, the -s option is introduced to
indicate the service_contexts file. The property_contexts file continues
to use the existing -p and file_contexts requires no specification, aka
it's the default.
Failure examples:
file_contexts:
Error: type "init" is not of set: "fs_type, dev_type, file_type"
service_contexts:
Error: type "init_exec" is not of set: "service_manager_type"
property_contexts:
Error: type "bluetooth_service" is not of set: "property_type"
Change-Id: I62077e4d0760858a9459e753e14dfd209868080f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.
Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.
Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.
Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
An auditallow has been in place since commit
cb835a2852 but nothing has been triggered.
Remove the rule.
Bug: 25768265
Change-Id: Ia9f35c41feabc9ccf5eb5c6dae09c68dc4f465ff
The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are suppose to be generated when running
under "su".
Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.
Addresses the following denials:
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1
Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69
Per https://android-review.googlesource.com/185392 , ctl.* properties
are not represented as files in the filesystem. So there's no need
to grant read access to them, since it's pointless.
Remove core_property_type from these properties, which has the net
effect of removing read access to these non-existent files.
Change-Id: Ic1ca574668a3511c335a7036a2bb7993ff02c1e3
Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.
Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.
Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.
Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.
Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
