We were incorrectly reporting overlapping rules as duplicates.
Only report cases where an attribute-based rule is a superset
of type-based rule. Also omit self rules as they are often due
to expansion of domain self rules by checkpolicy.
Change-Id: I27f33cdf9467be5fdb6ce148aa0006d407291833
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Some device-specific policies are improperly creating a security
domain for logwrapper, rather than removing the logwrapper
lines from init.device.rc. Don't allow that. Explicitly add an entry
for /system/bin/logwrapper to force it to a system_file. Attempting
to override this will result in the following compile time error:
obj/ETC/file_contexts_intermediates/file_contexts: Multiple different
specifications for /system/bin/logwrapper
(u:object_r:logwrapper_exec:s0 and u:object_r:system_file:s0).
Bug: 15616899
Change-Id: Ia55394247a9fa16e00434d61091fff9d9d4ff125
Add missing services to service_contexts that we did not include
in earlier patch that added SELinux checks in service_manager.
Change-Id: I889d999bf0b745bfcb75a3553b207777dc5700b7
The following commits added support for runtime resource overlays.
New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591
During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.
This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.
Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py
Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
Several device-specific policy changes with the same Change-Id
also add this attribute to device-specific types.
Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time. The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).
Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow. This ensures that the no write to /system
restriction cannot be bypassed via context= mount.
Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's a bug to have a type with both the file_type and fs_type
attribute. A type should be declared with either file_type,
or fs_type, but not both.
Create a neverallow rule which detects this situation. This works
because we have the following allow rule:
allow fs_type self:filesystem associate;
If a type is a file_type and an fs_type, the associate allow rule
will conflict with this neverallow rule.
Not sure if this is the cleanest way to accomplish this, but it
seems to work.
Change-Id: Ida387b1df260efca15de38ae7a66ed25e353acaa
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
8670305177 wasn't complete. I thought
getattr on the directory wasn't needed but I was wrong. Not sure
how I missed this.
Addresses the following denial:
<4>[ 40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir
Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
This is no longer required now that clatd has switched from IPv6
forwarding to sockets.
Bug: 15340961
Change-Id: Id7d503b842882d30e6cb860ed0af69ad4ea3e62c
run-as won't communicate with shell via pipes. Allow it.
nnk@nnk:~$ adb shell "cat /dev/zero | run-as com.google.foo sh -c 'cat'"
/system/bin/sh: cat: <stdout>: Broken pipe
<4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file
read is definitely needed. Not sure about write, but adding it just
in case.
Change-Id: Ifdf838b0df79a5f1e9559af57c2d1fdb8c41a201
Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.
Add read/write capabilities back to app domains, since apps need to
read/write profiling data.
Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.
Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
Addresses denials such as:
avc: denied { read write } for comm="dnsmasq" path="socket:[1054090]" dev="sockfs" ino=1054090 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=udp_socket
This may not be needed (need to check netd to see if it should be closing
all of these sockets before exec'ing other programs), but should be harmless.
Change-Id: I77c7af5e050e039fd48322914eeabbcb8a716040
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh. So they originally
shared a common set of rules. Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc. Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc). The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command. And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.
Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te. init_shell was an unconfined_domain(),
so it loses nothing from this change. Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.
Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.
Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file
Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8
Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi Kandoi<kandoiruchi@google.com>
single quotes make the m4 parser think it's at the end of
a block, and generates the following compile time warning:
external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720:
Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
dumpstate calls screencap to take a screenshot. screencap
requires the ability to access the gpu device. Allow it.
Bug: 15514427
Change-Id: Iad8451b6108786653146de471f6be2d26b0e3297
Right now usbfs doesn't have any labels, generating the
following kernel warnings:
<7>[ 3.009582] SELinux: initialized (dev usbfs, type usbfs), not configured for labeling
and the occasional SELinux unlabeled auditallow logs:
<4>[ 285.579254] type=1400 audit(1402010345.094:16): avc: granted { search } for pid=371 comm="qcks" name="/" dev="usbfs" ino=15794 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[ 285.632354] type=1400 audit(1402010345.154:18): avc: granted { search } for pid=371 comm="qcks" name="001" dev="usbfs" ino=15796 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
Make sure usbfs is assigned via genfscon
Change-Id: I7191f2584014ba55a3c3a98e7efd0350dc958782
Domains which want to access /data/local/tmp must do so by
creating their own SELinux domain.
Bug: 15164984
Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
Modeled after http://oss.tresys.com/pipermail/refpolicy/2013-January/006283.html
Addresses the following kernel error message:
<6>[ 3.855423] SELinux: Permission attach_queue in class tun_socket not defined in policy.
<6>[ 3.862482] SELinux: the above unknown classes and permissions will be denied
<7>[ 3.869668] SELinux: Completing initialization.
Change-Id: Iad87fcd5348d121a808dbe7ae3c63f8c90fc09fc
