avc: granted { use } for pid=3067 comm="SoundPoolThread"
scontext=u:r:drmserver:s0 tcontext=u:r:system_server:s0 tclass=fd
Test: builds/boots on Angler. Adds permissions for all "granted" avc
messages observed in three months of log auditing.
Bug: 28760354
Change-Id: I51f13d7c7d40f479b1241dfcd5d925d28f74926b

Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.
Bug: 28760354
Change-Id: I76c2752f806b83a6c21fcb17b6f445368936f61b

No "granted" messages for the removed permissions observed in three
months of log audits.
Bug: 28760354
Change-Id: I46b6b79b3a13108020114f3c3555adeac021b0a9

No "granted" messages for the removed permissions observed in three
months of log audits.
Bug: 28760354
Change-Id: I6bd9525b663a2bdad4f5b2d4a85d3dd46d5fd106

untrusted_app lost the ability to read files labeled as sysfs to prevent
information leakage, but this is trivially bypassable by spawning an
isolated app, since this was not taken away from isolated app.
Privileges should not be gained by launching an isolated app, and this
one directly defeats that hardening. Remove this access.
Bug: 28722489
Change-Id: I61d3678eca515351c9dbe4444ee39d0c89db7a3e

Allow /proc/meminfo to be read by bootanim. Not sure why
it's needed, but harmless enough.
Modify domain_deprecated so it doesn't use r_dir_file().
/proc/meminfo is neither a symlink nor a directory, so it doesn't
make sense to create allow rules for those classes of objects.
Addresses the following denial:
avc: denied { read } for comm="BootAnimation" name="meminfo" dev="proc"
ino=4026536593 scontext=u:r:bootanim:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0
This denial is only showing up on flounder, flounder_lte, or
dragon devices. I'm not sure why.
Change-Id: I0f808bcae47fc2fda512cd147c3b44593835cac5

Was moved to domain_deprecated. Move back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).
Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.
BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba. Restore access to everyone.
Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.
Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.
Commit 4e2d22451f restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Clean up the redundant entry.
Addresses the following denials:
avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec

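The denials and "granted" messages quoted in these commit messages are SELinux AVC audit records, and the workflow the commits describe (grant what the denials show is needed, put doubtful rules under auditallow, drop them if no "granted" message appears over a period of log auditing) is easy to script. The Python below is an added example, not code from AOSP or from these commits: it parses AVC lines, unions the permissions per source type, target type and class, renders candidate allow rules in sepolicy syntax, and triages a list of auditallow'd rules into "observed in use" and "never fired". The sample AVC lines are the ones quoted in the commits above (the two-line drmserver message joined back together); the auditallow candidate list and the helper names are constructed for the example.

```python
import re
from collections import defaultdict

# Core fields of an SELinux AVC record as printed by the Android kernel:
#   avc: denied { read } for ... scontext=... tcontext=... tclass=... permissive=0
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# AVC lines quoted in the commit messages on this page (drmserver line re-joined).
SAMPLE_AVC_LINES = [
    'avc: granted { use } for pid=3067 comm="SoundPoolThread" scontext=u:r:drmserver:s0 '
    'tcontext=u:r:system_server:s0 tclass=fd',
    'avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 '
    'scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0',
    'avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 '
    'tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0',
    'avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" '
    'ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0',
    'avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 '
    'tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0',
    'Aug 01 12:00:00 kernel: unrelated log line that is not an AVC record',
]

# Constructed list of rules assumed to be under auditallow: (src, tgt, class, perm).
AUDITALLOW_CANDIDATES = [
    ('drmserver', 'system_server', 'fd', 'use'),       # fires in the sample above
    ('bootanim', 'proc_cpuinfo', 'file', 'read'),      # never fires in the sample above
]


def parse_avc(line):
    """Parse one AVC line into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Optional key=value / key="value" pairs between "for" and "scontext=".
    fields = dict(re.findall(r'(\w+)="?([^"\s]+)"?', m.group('fields')))
    return {
        'decision': m.group('decision'),
        'perms': set(m.group('perms').split()),
        'scontext': m.group('scontext'),
        'tcontext': m.group('tcontext'),
        'tclass': m.group('tclass'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'path': fields.get('path'),
        'dev': fields.get('dev'),
    }


def type_of(context):
    """Return the type component of a context such as u:r:shell:s0 -> shell."""
    return context.split(':')[2]


def summarize(lines):
    """Union permissions per (decision, source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['decision'], type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        groups[key] |= rec['perms']
    return dict(groups)


def to_rules(groups):
    """Render denied groups as candidate allow rules (sepolicy syntax) and granted
    groups as comments noting that an auditallow'd permission is actually used."""
    rules = []
    for (decision, src, tgt, cls), perms in sorted(groups.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        if decision == 'denied':
            rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
        else:
            rules.append(f'# auditallow hit: {src} {tgt}:{cls} {perm_str} is in use; keep the allow rule')
    return rules


def triage_auditallow(candidates, lines):
    """Split auditallow'd rules into those seen in a 'granted' record (keep) and
    those that never fired during the audit period (candidates for removal)."""
    seen = summarize(lines)
    keep, remove = [], []
    for src, tgt, cls, perm in candidates:
        if perm in seen.get(('granted', src, tgt, cls), set()):
            keep.append((src, tgt, cls, perm))
        else:
            remove.append((src, tgt, cls, perm))
    return keep, remove


if __name__ == '__main__':
    for rule in to_rules(summarize(SAMPLE_AVC_LINES)):
        print(rule)
    keep, remove = triage_auditallow(AUDITALLOW_CANDIDATES, SAMPLE_AVC_LINES)
    print('keep:', keep)
    print('remove:', remove)
```

The rules this emits are starting points for review, not policy to apply blindly: a denial tells you a process asked for access, not that the access is appropriate, and the "removed permission" commits on this page show the other half of the loop, where an auditallow that stays silent for months is the evidence for tightening rather than loosening.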
Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.
Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.
Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3

Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.
Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.
This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d

The extra permissions are not needed. Delete them.
This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc references this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.
Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c