Commit graph

5520 commits

Author SHA1 Message Date
James Hawkins
2e8d71c3be bootstat: Fix the SELinux policy after removing domain_deprecated.
* Allow reading /proc.

type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

* Define domain for the /system/bin/bootstat file.

init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.

Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804
2016-01-26 18:52:58 +00:00
Jeff Vander Stoep
2fdeab3789 app: connect to adbd
Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496
2016-01-25 15:20:05 -08:00
Jeff Vander Stoep
45517a7547 domain: allow dir search in selinuxfs
Domain is already allowed to stat selinuxfs, it also needs
dir search.

Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07
2016-01-25 18:18:36 +00:00
Jeffrey Vander Stoep
c1b0ffcfdc Merge "watchdog: remove domain_deprecated" 2016-01-25 17:09:46 +00:00
Jeff Vander Stoep
1eeaa47eac watchdog: remove domain_deprecated
Change-Id: I60d66da98a8da9cd7a9d0130862242e09b7dccf1
2016-01-25 08:12:21 -08:00
Nick Kralevich
5c8854abef app.te: grant /system dir/file/symlink read
Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.

Addresses the following denials:
  RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
    /system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
    --library-path=/system/vendor/lib64 --library-path=/system/lib64
    -lRSDriver -lm -lc
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
    -o
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
  ld.mc   : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  ld.mc   : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  RenderScript: Child process "/system/bin/ld.mc" terminated with status 256

Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3
2016-01-23 08:41:47 -08:00
dcashman
cbf7ba18db Remove domain_deprecated from untrusted_app.
Bug: 22032619
Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
2016-01-22 15:51:41 -08:00
dcashman
2193f766bc Temporarily allow untrusted_app to read proc files.
Address the following denial:
01-22 09:15:53.998  5325  5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c
2016-01-22 15:49:42 -08:00
James Hawkins
447041a940 Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat." 2016-01-22 18:05:25 +00:00
dcashman
8666bf25cf Allow access to /dev/ion and proc_net dir.
Address the following:
01-21 13:35:41.147  5896  5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152  5896  5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152  5896  5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152  5896  5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667  7572  7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671  7498  7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671  7498  7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38
2016-01-22 09:29:00 -08:00
James Hawkins
39c198ac6f bootstat: Implement the SELinux policy to allow reading/writing to
/data/misc/bootstat.

BUG: 21724738
Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e
2016-01-22 08:08:37 -08:00
Jeffrey Vander Stoep
e1224de04d Merge "Allow domains to stat filesystems." 2016-01-22 00:27:50 +00:00
Jeff Vander Stoep
67d9932c67 vold launched e2fsck must run in fsck domain
Bug: 22821100
Change-Id: I549abfd31f7286ad50be3adeadaf559816c0ee38
2016-01-21 23:33:32 +00:00
Jeffrey Vander Stoep
792622c383 Merge "fsck: allow e2fsck to stat swap_block_device" 2016-01-21 23:26:27 +00:00
dcashman
fcea726390 Allow domains to stat filesystems.
Address the following denials:
01-21 12:44:53.704  4595  4595 W ndroid.calendar: type=1400 audit(0.0:21): avc: denied { getattr } for name="/" dev="dm-0" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
01-21 12:45:23.177  5544  5544 W roid.music:main: type=1400 audit(0.0:46): avc: denied { getattr } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0
7618 W .android.chrome: type=1400 audit(0.0:413): avc: denied { getattr } for path="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0

01-21 12:44:53.709  4595  4595 D AndroidRuntime: Shutting down VM
01-21 12:44:53.727  4595  4595 E AndroidRuntime: FATAL EXCEPTION: main
01-21 12:44:53.727  4595  4595 E AndroidRuntime: Process: com.google.android.calendar, PID: 4595
01-21 12:44:53.727  4595  4595 E AndroidRuntime: java.lang.RuntimeException: Unable to get provider com.google.android.syncadapters.calendar.timely.TimelyProvider: java.lang.IllegalArgumentException: Invalid path: /data
01-21 12:44:53.727  4595  4595 E AndroidRuntime: 	at android.app.ActivityThread.installProvider(ActivityThread.java:5550)
...

Change-Id: I0e9d65438d031e19c9abc5dca8969ed4356437a0
2016-01-21 15:18:39 -08:00
Jeff Vander Stoep
d644f26066 fsck: allow e2fsck to stat swap_block_device
In libext2fs ext2fs_check_mount_point() calls is_swap_device() to
verify that a device is swap before setting the EXT2_MF_SWAP mount
flag.

Addresses:
avc: denied { getattr } for path="/dev/block/zram0" dev="tmpfs" ino=9951
scontext=u:r:fsck:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file

Bug: 22821100
Change-Id: Ic7a1b6f83b34a40bf4bd35a1564300c58ca27089
2016-01-21 14:43:36 -08:00
Jeffrey Vander Stoep
352e63546f Merge "vold: allow execute cp and rm" 2016-01-21 20:07:53 +00:00
Jeff Vander Stoep
d1f8f731ea vold: allow execute cp and rm
Used in system/vold/MoveTask.cpp

Addresses:
avc: denied { execute } for name="toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Change-Id: I2eb6288aaed510ae5be0f3605088ace6b865ef83
2016-01-21 11:02:02 -08:00
Jeffrey Vander Stoep
db634aa0ac Merge "system_app: remove perms to write to system_data_file" 2016-01-21 18:50:39 +00:00
Jeff Vander Stoep
540ea534e0 gpsd: remove domain_deprecated
Only used in AOSP by flounder. No denials when running Google Maps.

Change-Id: I9902c263016b4d38f1b3ed0be0bc7c4cd17ee471
2016-01-20 16:37:56 -08:00
Jeff Vander Stoep
024dc1ce3c system_app: remove perms to write to system_data_file
Strengthen neverallow rule to enforce that no apps may write to
system_data_file - the default label for /data/

Change-Id: I886e4340f300551754c9e33e9c1764fb730b6b14
2016-01-20 14:36:45 -08:00
Jeffrey Vander Stoep
589ffaf617 Merge "camera_device: remove typealias" 2016-01-19 21:27:57 +00:00
Rubin Xu
65d364b91a Merge "SELinux rule for ro.device_owner and persist.logd.security" 2016-01-19 16:00:02 +00:00
Rubin Xu
0c8286fe74 SELinux rule for ro.device_owner and persist.logd.security
They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will be available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePolicyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
2016-01-19 15:27:03 +00:00
Nick Kralevich
8632b9e4cd Merge "domain_deprecated.te: drop cache_recovery_file access" 2016-01-16 20:50:14 +00:00
Nick Kralevich
4cd2f53018 Merge "priv_app.te: drop auditallows on cache_recovery_file" 2016-01-16 20:25:35 +00:00
Nick Kralevich
527d29a80d Merge "kernel.te: drop allow kernel untrusted_app:fd use;" 2016-01-16 20:25:01 +00:00
Nick Kralevich
2309ef8f85 vold.te: drop allow vold toolbox_exec:file rx_file_perms;
auditallow says not needed.

Change-Id: Iafa048377e159ca3c7cc1f31653002c41ef9ef2b
2016-01-16 09:30:08 -08:00
Nick Kralevich
d5464736fb domain_deprecated.te: drop cache_recovery_file access
auditallow says not needed.

Change-Id: If44f64aeb5d0be78fd166d1b3eee298c5f7c860d
2016-01-16 08:15:52 -08:00
Nick Kralevich
b8d794a1e0 priv_app.te: drop auditallows on cache_recovery_file
This is actually used. Addresses the following SELinux audit logs:

  avc: granted { create } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { add_name } for comm="Thread-157" name="uncrypt_file" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { write } for comm="Thread-157" path="/cache/recovery/command" dev="mmcblk0p38" ino=23 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file
  avc: granted { setattr } for comm="Thread-157" name="uncrypt_file" dev="mmcblk0p38" ino=22 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_recovery_file:s0:c512,c768 tclass=file

Change-Id: Idab00ebc8eacd7d8bb793b9342249227f91986a1
2016-01-16 08:02:21 -08:00
Nick Kralevich
52e9d04761 kernel.te: drop allow kernel untrusted_app:fd use;
auditallow says it's not used.

Bug: 25331459
Change-Id: Ic414efcd0a3be6d744ab66382c20f0ea4c9ea116
2016-01-16 07:44:14 -08:00
Jeffrey Vander Stoep
c15e1036d4 Merge "camera_device: remove type and add typealias" 2016-01-15 17:47:55 +00:00
Jeffrey Vander Stoep
87a73f199a Merge changes from topic 'fc_sort-2'
* changes:
  fc_sort: initial commit
  checkfc: do not die on 0 length fc's
2016-01-15 16:49:55 +00:00
Nick Kralevich
eed6bbdc43 Merge "adbd.te: remove allow adbd toolbox_exec:file rx_file_perms" 2016-01-15 15:26:59 +00:00
Nick Kralevich
bc301caa76 Merge "ppp.te: Remove allow ppp toolbox_exec:file rx_file_perms;" 2016-01-15 15:26:48 +00:00
Nick Kralevich
24739a6a50 Merge "netd.te: Remove allow netd toolbox_exec:file rx_file_perms;" 2016-01-15 15:26:35 +00:00
Nick Kralevich
2c1094058c racoon.te: Remove allow racoon toolbox_exec:file rx_file_perms;
auditallow says never used.

Change-Id: I789f32bd7d2bbfc583a12bf8a05662e812f09a38
2016-01-14 21:30:32 -08:00
Nick Kralevich
3351122ec8 netd.te: Remove allow netd toolbox_exec:file rx_file_perms;
no SELinux denials from auditallow

Change-Id: Ied61f7f97b148b1c10d0f71e9ab30c136a123738
2016-01-14 21:26:42 -08:00
Nick Kralevich
815d3c56e3 ppp.te: Remove allow ppp toolbox_exec:file rx_file_perms;
auditallow says no denials.

Change-Id: Ib4e38f5393d3f3ba67277017abc848f5e7c04efd
2016-01-14 21:20:05 -08:00
Nick Kralevich
155e710830 adbd.te: remove allow adbd toolbox_exec:file rx_file_perms
auditallow says never used.

Change-Id: I6a3f82740bfecf483e0ccbb528b7218af36d37b8
2016-01-14 21:14:30 -08:00
William Roberts
49693f1b4d fc_sort: initial commit
Ordering matters in fc files; the last match wins. In builds where
many BOARD_SEPOLICY_DIRS are set, the order of that list becomes
increasingly important in order to maintain a cohesive built
file_contexts.

To correct this, we sort the device specific file_contexts entries
with the upstream fc_sort tool.

Change-Id: I3775eae11bfa5905cad0d02a0bf26c76ac03437c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
William Roberts
922b4e9522 checkfc: do not die on 0 length fc's
Checkfc was treating 0 size fc files as a fatal error.
An empty fc file should be treated as "nothing to check"
so long as the -e option is passed.

We add this option, so we don't allow empty file_context
files to pass CTS checking.

Change-Id: Ibca6bd948a13389e10c605d613acc48c5504443e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 17:39:07 -08:00
Jeffrey Vander Stoep
5de7574a59 Merge "Revert "fc_sort: initial commit"" 2016-01-14 23:30:56 +00:00
Jeffrey Vander Stoep
b1fb7e4037 Revert "fc_sort: initial commit"
Breaks builds with no device specific policy.

Bug: 26568553
This reverts commit 29d146887e.

Change-Id: If9254d4ad3f104a96325beedebc05dd22664084a
2016-01-14 23:28:51 +00:00
William Roberts
c68a277f5e fc_sort: add NOTICE file
Change-Id: I0e63f90cafc5b1ca9cc112e852e172046b16a17e
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-01-14 10:45:45 -08:00
Jeffrey Vander Stoep
2dea4525f3 Merge "fc_sort: initial commit" 2016-01-14 18:31:25 +00:00
Nick Kralevich
c29b2fc423 drop dhcp auditallow
toolbox_exec is executed by dhcpcd-run-hooks.

Addresses the following auditallow log spam:

  avc: granted { read open } for comm="dhcpcd-run-hook" path="/system/bin/toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { read } for comm="setprop" name="toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { execute } for comm="dhcpcd-run-hook" name="toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { execute_no_trans } for comm="dhcpcd-run-hook" path="/system/bin/toybox" dev="dm-0" ino=650 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file
  avc: granted { read execute } for comm="setprop" path="/system/bin/toybox" dev="dm-0" ino=639 scontext=u:r:dhcp:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file

Change-Id: Ib83c291961a5573397830032a67a2f6861ae2e71
2016-01-13 16:37:20 -08:00
Daniel Cashman
2fb38fc87e Merge "Allow shell to read sysfs dirs." 2016-01-13 19:17:59 +00:00
dcashman
20fb78662b Allow shell to read sysfs dirs.
Bug: 26219114
Change-Id: I300899d610258704eb2d45488700eadb7a686606
2016-01-13 09:02:36 -08:00
Daniel Cashman
7a46e73cb6 Merge "Allow adbd to pull sepolicy from device." 2016-01-13 01:12:04 +00:00