If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:
sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0
Allow the operation.
Steps to reproduce:
1) adb shell into the device and su to root
2) run "kill -9 [PID OF SDCARD]"
Expected:
sdcard daemon successfully restarts without error message.
Actual:
SELinux denial above, plus attempts to mount a new filesystem
on top of the existing filesystem.
(cherry-picked from commit abfd427a32)
Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
Permits the system server to change keystore passwords for users other
than primary.
Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.
Bug: 17288791
Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.
Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"
Expected:
APK installs successfully.
Actual:
APK fails to install. Error message:
Vold E Failed to write superblock (I/O error)
loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
PackageHelper E Failed to create secure container smdl1645334795.tmp
DefContainer E Failed to create container smdl1645334795.tmp
Bug: 17158723
(cherry picked from commit 4c6b13508d)
Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.
Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"
Expected:
APK installs successfully.
Actual:
APK fails to install. Error message:
Vold E Failed to write superblock (I/O error)
loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
PackageHelper E Failed to create secure container smdl1645334795.tmp
DefContainer E Failed to create container smdl1645334795.tmp
Bug: 17158723
Change-Id: I4aa86e372cc55348f6b8becfa17bd4da583925d4
Remove the CTS specific rule which allows appdomain processes
to view /proc entries for the rest of the system. With this change,
an SELinux domain will only be able to view its own /proc
entries, e.g. untrusted_app can only view /proc entries for other
untrusted_app, system_app can only view /proc entries for other
system_apps, etc.
/proc contains sensitive information, and we want to avoid
leaking this information between app security domains.
Bug: 17254920
Change-Id: I59da37dde00107a5ab123df3b79a84afa855339f
Add a neverallow rule (compile time assertion) that no SELinux domain
other than init can set default_prop. default_prop is assigned to a
property when no more specific label exists for that property.
This ensures that all properties are labeled properly, and that
no-one (other than init) gets access to unknown properties.
Change-Id: If279960f23737e263d4d1b5face7b5c49cda7ae7
Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder operations for
init.
This change expands on commit a730e50bd9,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.
Change-Id: I12547a75cf68517d54784873846bdadcb60c5112
Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash. Full read permissions may not be necessary:
W/debuggerd( 185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir
Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
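The denials quoted in the sdcard, loop0 and debuggerd messages above are exactly the input that audit2allow turns into allow rules, and the default_prop and init-binder messages describe the neverallow assertions that reject an over-broad result at policy build time. The Python below is an added example, not code from these commits or from the Android policy tooling: it parses constructed copies of the three quoted denials into allow rules, then checks a list of proposed rules against two neverallow lines written from the commit descriptions (the exact wording in the real policy is not taken from this page). The ATTRIBUTES map, the two extra "blind audit2allow" rules and the small allow/neverallow grammar it accepts are assumptions for illustration; the real policy language also has macros, conditionals and attribute declarations that this checker does not handle.

```python
import re
from typing import NamedTuple

# Constructed copies of the three AVC denials quoted in the commit messages above.
DENIALS = [
    "sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for "
    "scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0",
    "loop0 W type=1400 audit(0.0:3123): avc: denied { read } for "
    'path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 '
    "scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0",
    "W/debuggerd( 185): type=1400 audit(0.0:97): avc: denied { search } for "
    'name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 '
    "tcontext=u:object_r:shared_relro_file:s0 tclass=dir",
]

# Assumed attribute membership (real policy declares this with typeattribute).
ATTRIBUTES = {
    "domain": {"init", "kernel", "sdcardd", "debuggerd", "system_server", "untrusted_app"},
}

# Compile-time assertions written from the commit descriptions above (illustrative).
NEVERALLOWS = [
    "neverallow { domain -init } default_prop:property_service set;",
    "neverallow init binder:binder *;",
]

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)
SET = r"(\{[^}]*\}|\S+)"          # a single type/perm or a brace-delimited set
RULE_RE = re.compile(r"^(allow|neverallow)\s+" + SET + r"\s+" + SET
                     + r":(\S+)\s+" + SET + r";$")


class Rule(NamedTuple):
    kind: str
    src: frozenset    # source types; "*" means any
    tgt: frozenset    # target types; "*" means any
    cls: str          # object class; "*" means any
    perms: frozenset  # permissions; "*" means any


def type_of(context: str) -> str:
    """u:r:sdcardd:s0 -> sdcardd (user:role:type:sensitivity)."""
    return context.split(":")[2]


def expand_set(expr: str, attributes=ATTRIBUTES) -> frozenset:
    """Expand a type set such as 'init', '{ domain -init }' or '*'."""
    tokens = expr.strip("{} ").split()
    if tokens == ["*"]:
        return frozenset({"*"})
    result = set()
    for tok in tokens:
        if tok.startswith("-"):
            result -= attributes.get(tok[1:], {tok[1:]})
        else:
            result |= attributes.get(tok, {tok})
    return frozenset(result)


def denial_to_allow(line: str) -> str:
    """Turn one AVC denial into the allow rule audit2allow would propose."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    perms = sorted(m["perms"].split())
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {type_of(m['src'])} {type_of(m['tgt'])}:{m['cls']} {perm_text};"


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("cannot parse rule: " + text)
    kind, src, tgt, cls, perms = m.groups()
    return Rule(kind, expand_set(src), expand_set(tgt), cls,
                frozenset(perms.strip("{} ").split()))


def _overlaps(allowed: frozenset, forbidden: frozenset) -> bool:
    return "*" in forbidden or bool(allowed & forbidden)


def violates(allow: Rule, never: Rule) -> bool:
    """True if the allow rule grants anything the neverallow forbids."""
    return (_overlaps(allow.src, never.src)
            and _overlaps(allow.tgt, never.tgt)
            and never.cls in ("*", allow.cls)
            and _overlaps(allow.perms, never.perms))


def check_policy(allow_texts, never_texts=NEVERALLOWS):
    """Return (allow, neverallow) pairs that would fail the policy build."""
    nevers = [parse_rule(n) for n in never_texts]
    found = []
    for a_text in allow_texts:
        a = parse_rule(a_text)
        for n_text, n in zip(never_texts, nevers):
            if violates(a, n):
                found.append((a_text, n_text))
    return found


if __name__ == "__main__":
    proposed = [denial_to_allow(d) for d in DENIALS]
    # Two rules a blind audit2allow run might also emit (constructed for the demo).
    proposed += ["allow untrusted_app default_prop:property_service set;",
                 "allow init binder:binder transfer;"]
    for rule in proposed:
        print(rule)
    for a, n in check_policy(proposed):
        print(f"REJECT {a}  <-- {n}")
```

The three rules derived from the page's denials pass both assertions, while the two constructed extras are rejected: the default_prop one because untrusted_app falls inside `{ domain -init }`, and the binder one because `*` in the neverallow covers `transfer` even though the earlier assertion only named `call`. Note that `allow init default_prop:property_service set;` is not flagged, since init is exactly the domain the assertion carves out.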
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission. Required for:
https://android-review.googlesource.com/#/c/101800/
Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>