Commit graph

163 commits

Author SHA1 Message Date
Stephen Smalley
b335e3847f Run idmap in its own domain.
Run idmap in its own domain rather than leaving it in installd's domain.
This prevents misuse of installd's permissions by idmap.

zygote also needs to run idmap.  For now, just run it in zygote's
domain as it was previously since that is what is done for dex2oat
invocation by zygote.  zygote appears to run idmap with system uid
while installd runs it with app UIDs, so using different domains
seems appropriate.

Remove system_file execute_no_trans from both installd and zygote;
this should no longer be needed with explicit labels for dex2oat and
idmap.

Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-19 14:34:20 -04:00
Mark Salyzyn
0d22c6cec6 logd: logpersistd
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 13:56:01 -07:00
dcashman
1b4b3b918b Expand rtc_device label to match all rtc class drivers.
/dev/rtc0 is not the only possible rtc device node, make sure all are given the
rtc_device label.

Change-Id: I50d15aa62e87509e940acd168474433803b2115d
2015-05-21 10:35:57 -07:00
dcashman
c7594898db Label /dev/rtc0 as rtc_device.
Grant access to system_server, as it is used by AlarmManagerService.

Change-Id: I4f099fe30ba206db07d636dd454d43d3df9d3015
2015-05-18 14:01:37 -07:00
Nick Kralevich
2025fd1476 Label /oem files
Files on the /oem partition are weird. The /oem partition is an ext4
partition, built in the Android tree using the "oem_image" build target
added in build/ commit b8888432f0bc0706d5e00e971dde3ac2e986f2af. Since
it's an ext4 image, it requires SELinux labels to be defined at build
time. However, the partition is mounted using context=u:object_r:oemfs:s0,
which ignores the labels on the filesystem.

Assign all the files on the /oem image to be oemfs, which is consistent
with how they'll be mounted when /oem is mounted.

Other options would be to use an "unlabeled" label, or try to fix the
build system to not require SELinux labels for /oem images.

Bug: 20816563
Change-Id: Ibe8d9ff626eace8a2d5d02c3f06290105baa59fe
2015-05-06 16:33:56 -07:00
Nick Kralevich
1212235ff4 Don't label simpleperf system_file
The default label for files on /system is already system_file. No
need to explicitly specify it.

Change-Id: If0c92a0da4119a0d8f83b4a3e05101cfcdb9a82d
2015-05-06 15:19:52 -07:00
Dehao Chen
7d66f783c2 Update sepolicy to add label for /data/misc/perfprofd.
Bug: 19483574
Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64
2015-05-06 14:45:44 -07:00
Than McIntosh
0fdd364e89 New sepolicy for perfprofd, simpleperf.
Bug: http://b/19483574

Change-Id: I594f04004cccd2cbfadbd0f9d1bbb9815a2ea59d
2015-05-04 13:49:15 -04:00
Elliott Hughes
5aac86dc06 Revert "Revert "SELinux policy changes for re-execing init.""
This reverts commit c450759e8e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 12:28:12 -07:00
Nick Kralevich
c450759e8e Revert "SELinux policy changes for re-execing init."
shamu isn't booting.

This reverts commit 46e832f562.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
2015-04-24 16:59:43 +00:00
Elliott Hughes
46e832f562 SELinux policy changes for re-execing init.
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
2015-04-23 17:12:18 -07:00
Nick Kralevich
367757d2ef gatekeeperd: use more specific label for /data file
Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
2015-04-17 17:56:31 -07:00
Neil Fuller
e647578502 Add rules for /system/bin/tzdatacheck
Bug: 19941636
Change-Id: I7cc61e058424c856da88f11ff9b259f34cb39dc7
2015-04-09 09:29:12 +01:00
Nick Kralevich
8a06c07724 Allow system_server to collect app heapdumps (debug builds only)
On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

  % adb shell am set-watch-heap com.android.systemui 1048576
  % adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

  avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
2015-04-07 16:40:44 -07:00
Jeff Sharkey
73d9c2a97b Initial policy for expanded storage.
Expanded storage supports a subset of the features of the internal
data partition.  Mirror that policy for consistency.  vold is also
granted enough permissions to prepare initial directories.

avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1

Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
2015-04-06 17:59:44 -07:00
Andres Morales
e207986ea0 SELinux permissions for gatekeeper TEE proxy
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-06 16:46:58 -07:00
Fyodor Kupolov
b87a4b16d2 Support for storing OAT files in app directory
oat dir inside apk_tmp_file should be labeled as dalvikcache_data_file.

Bug: 19550105
Change-Id: Ie928b5f47bfc42167bf86fdf10d6913ef25d145d
2015-04-02 14:32:43 -07:00
Jeff Sharkey
4423ecdb09 Directory for vold to store private data.
Creates new directory at /data/misc/vold for storing key material
on internal storage.  Only vold should have access to this label.

Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
2015-04-01 09:28:09 -07:00
Jeff Sharkey
f063f461a9 Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works.  At a high level, vold is taking on a more active role in
managing devices that dynamically appear.

This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid.  It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.

For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.

Slightly relax system_server external storage rules to allow calls
like statfs().  Still neverallow open file descriptors, since they
can cause kernel to kill us.

Here are the relevant violations that this CL is designed to allow:

avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd

Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-30 17:07:42 -07:00
Paul Lawrence
38af1da107 Adding e4crypt support
Add selinux rules to allow file level encryption to work

Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-27 14:47:30 -07:00
Tom Cherry
d2522cb396 add /odm to file_contexts
/odm has the same permissions as /system/... for devices with a
separate odm partition

Bug: 19609718
Change-Id: I6dd83d43c5fd8682248e79d11b0ca676030eadf0
2015-03-19 12:29:32 -07:00
Nick Kralevich
a191398812 Add new "procrank" SELinux domain.
/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.

Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7
2015-03-19 09:35:31 -07:00
Mark Salyzyn
61d665af16 logd: allow access to system files
- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'

Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
2015-03-11 23:00:37 +00:00
Yongqin Liu
cc38e6d1a4 bootchart: add policy rules for bootchart
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2015-02-24 01:02:20 +08:00
Mark Salyzyn
34d32ea164 selinux: add pstore
Used to record the Android log messages, then on reboot
provide a means to triage user-space actitivies leading
up to a panic. A companion to the pstore console logs.

Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2015-01-14 12:34:20 -08:00
Elliott Hughes
367ef9684d toybox and toolbox should be considered equivalent.
When toolbox completely disappears, we can worry about whether we want
to rename this context.

Change-Id: I359b6b2b21bb9452352e700f6ac37c137200ac77
2014-12-17 16:03:01 -08:00
Nick Kralevich
22b4eb7083 am ca62a8b7: allow coredump functionality
* commit 'ca62a8b72be35de3781c1f8f16600cfeca874ef5':
  allow coredump functionality
2014-10-31 22:22:47 +00:00
Nick Kralevich
ca62a8b72b allow coredump functionality
(cherrypick of commit d7e004ebf9)

Change-Id: I7993698ac96f21db0039681275280dbd43ff61ba
2014-10-31 15:16:29 -07:00
Bill Yi
e269b48c69 Merge commit 'd0b1a44e5fba8284f1698d60aa25ed93221e8da5' into HEAD 2014-10-22 08:46:59 -07:00
Nick Kralevich
973877dbc1 Allow adbd to write to /data/adb
adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895
Change-Id: Ia5af09045e9f72a95325b429c30a5ae78e104bdc
2014-10-21 16:15:52 +00:00
Nick Kralevich
61027bc5ef am 57a17d14: add support for fsck.f2fs
* commit '57a17d143405c400bc03b134af5af10959c53d76':
  add support for fsck.f2fs
2014-10-20 18:52:04 +00:00
Nick Kralevich
57a17d1434 add support for fsck.f2fs
The Nexus 9 uses f2fs for /data. Make sure to properly label
/system/bin/fsck.f2fs so that the appropriate domain transition occurs.
Add support for getattr on devpts, required for fsck.f2fs.

Addresses the following denials:

  avc:  denied  { execute_no_trans } for  pid=172 comm="init" path="/system/bin/fsck.f2fs" dev="dm-0" ino=272 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
  avc:  denied  { getattr } for  pid=170 comm="fsck.f2fs" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1

Change-Id: I34b3f91374d1eb3fb4ba76abce14ff67db259f96
2014-10-20 10:42:19 -07:00
Nick Kralevich
5f12c83d04 am ad151a23: Merge "Label block devices created or accessed by vold with specific types."
* commit 'ad151a233a51a76f5d3c1a6289daa8a03025b8ab':
  Label block devices created or accessed by vold with specific types.
2014-10-18 23:09:11 +00:00
Robin Lee
5871d1bc18 resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp
Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
2014-10-15 23:11:59 +01:00
Robin Lee
51bfecf49d Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-15 18:02:03 +00:00
Stephen Smalley
273d7ea4ca Label block devices created or accessed by vold with specific types.
Assign a more specific type than block_device to all
block devices created or accessed by vold.   Allow vold
to set the context on the device nodes it creates.

vold can create extra loop devices (/dev/block/loopN) and
block devices for volumes it manages (/dev/block/vold/M:N).

vold can read/write device mapper block devices (/dev/block/dm-N)
created for encrypted volumes.

vold can read/write metadata partitions used to store encryption metadata.
The metadata_block_device type should be assigned in device-specific
policy to the partition specified by the encryptable= mount option
for the userata entry in the fstab.<board> file.

This change does not remove the ability to create or read/write
generic block_device devices by vold, so it should not break anything.
It does add an auditallow statement on such accesses so that we can track
remaining cases where we need to label such device nodes so that we can
ultimately remove this access.

Change-Id: Id3bea28f5958086716cd3db055bea309b3b5fa5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-02 13:29:25 +00:00
Stephen Smalley
8a0c25efb0 Do not allow init to execute anything without changing domains.
Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-28 03:23:27 +00:00
Stephen Smalley
54e9bc4514 Dependencies for new goldfish service domains.
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service.  A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them.  A neverallow rule prevents us from allowing
qemu-props to set default_prop.

We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat.  We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).

Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-27 17:19:39 -07:00
Alex Light
feedd3c621 Make system use patchoat to relocate during runtime.
Add patchoat selinux rules.

Bug: 15358152

(cherry picked from commit fbc8ec2eac)

Change-Id: Ic84a370548393be62db740092e8393b662bcf345
2014-08-06 13:48:58 -07:00
Alex Light
fbc8ec2eac Make system use patchoat to relocate during runtime.
Add patchoat selinux rules.

Bug: 15358152

Change-Id: Ibe92d8b55a24bbf718b0416a21b76e5df7a2de26
2014-08-05 10:22:09 -07:00
Ed Heyl
8ee37b4f1c reconcile aosp (c103da877b) after branching. Please do not merge.
Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
2014-07-14 23:32:08 -07:00
Nick Kralevich
75d63fcfd2 Put dex2oat in it's own sandbox
Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.

dex2oat handles untrusted user data, so we want to put it in
it's own tighter sandbox.

Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
2014-07-10 15:33:11 -07:00
Sreeram Ramachandran
65edb75d53 Allow netd to create data files in /data/misc/net/.
This will be used to populate rt_tables (a mapping from routing table numbers to
table names) that's read by the iproute2 utilities.

Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-08 19:06:28 +00:00
Nick Kralevich
9f6af083e8 New domain "install_recovery"
Create a new domain for the one-shot init service flash_recovery.

This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.

Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8
2014-07-08 16:22:14 +00:00
Jeff Sharkey
be092af039 Rules to allow installing package directories.
Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
2014-07-07 15:41:14 -07:00
Nick Kralevich
bf8a37b8eb Create vdc domain
The init.rc one-shot services "defaultcrypto" and "encrypt" call
out to the /system/bin/vdc command line to ask vold to perform
encryption operations. Create a new domain for these one-shot
services. Allow the vdc domain to talk to vold.

Change-Id: I73dc2ee4cc265bc16056b27307c254254940fd9f
2014-06-21 01:40:54 +00:00
Nick Kralevich
b4adc62a57 Force logwrapper to system_file
Some device-specific policies are improperly creating a security
domain for logwrapper, rather than removing the logwrapper
lines from init.device.rc. Don't allow that. Explicitly add an entry
for /system/bin/logwrapper to force it to a system_file. Attempting
to override this will result in the following compile time error:

  obj/ETC/file_contexts_intermediates/file_contexts: Multiple different
  specifications for /system/bin/logwrapper
  (u:object_r:logwrapper_exec:s0 and u:object_r:system_file:s0).

Bug: 15616899
Change-Id: Ia55394247a9fa16e00434d61091fff9d9d4ff125
2014-06-17 08:53:03 -07:00
Nick Kralevich
fad4d5fb00 Fix SELinux policies to allow resource overlays.
The following commits added support for runtime resource overlays.

  New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
  Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
  Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
2014-06-16 14:20:08 -07:00
Nick Kralevich
84ed890aeb Merge adf_device into graphics_device
As of sepolicy commit a16a59e2c7
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.

Merge them into one type to avoid a proliferation of SELinux
types.

Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95
2014-06-03 17:01:10 -07:00
Stephen Smalley
ad0d0fc722 Protect /data/property.
/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:43:37 +00:00