app_process is now a symlink to app_process32 or
app_process64, so we have to update the selinux
rules to explicitly refer to them.
See change 5a7ee9ad63d for context.
Change-Id: I7f7a107d79a8f7a3c193f97809e1e737540258f1

Commit: 7ffb997207 added protection against low
memory mapping for all domains, a superset of appdomain. Remove the same,
redundant neverallow rule from appdomain.
Change-Id: Ia41c02763f6b5a260c56d10adfbab649d9f3f97c

Neither mediaserver nor system_server appears to require
direct access to graphics_device, i.e. the framebuffer
device. Drop it.
Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This just adds a neverallow rule to ensure we never
add an allow rule permitting such mappings.
Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We added these rules to the recovery domain when we removed them
from unconfined to ensure that we did not break anything. But we
have seen no uses of these rules by the recovery domain. Tested
wiping userdata and cache from the recovery and performing an
adb sideload of an ota zip file.
Change-Id: I261cb1124130f73e98b87f3e5a31d6d7f521ff11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We added these rules to the kernel domain when we removed them
from unconfined to ensure that we did not break anything. But
we have seen no uses of these rules, and this matches our expectation
that any actual operations that require these permissions occur
after switching to the init domain.
Change-Id: I6f3556a26b0f6f4e6effcb874bfc9498e7dfaa47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

These rules seem to be a legacy of old Android or perhaps old policy
before we began splitting types on /data. I have not been able to
trigger the auditallow rules on AOSP master. Reduce the rules to
only read access to system data. If we need write access to some
specific directory under /data, we should introduce a type for it.
Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Too many leaky files in that directory. It's a security best practice
not to mount this filesystem; however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.
Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd

Drop rules on data_file_type attribute and replace with rules
on specific types under /data.
Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

I didn't fix unpublished denials before switching this into enforcing. Need to revert.
This reverts commit ae50551142.
Bug: 14844424
Change-Id: I01408b77a67ad43a8fb20be213d3ffbace658616

Kernel userspace helpers may be spawned running in the kernel
SELinux domain. Those userspace helpers shouldn't be able to turn
SELinux off.
This change revisits the discussion in
https://android-review.googlesource.com/#/c/71184/
At the time, we were debating whether or not to have an allow rule,
or a dontaudit rule. Both have the same effect, as at the time we
switch to enforcing mode, the kernel is in permissive and the operation
will be allowed.
Change-Id: If335a5cf619125806c700780fcf91f8602083824

Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.
Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

installd creates /data/.layout_version. Introduce a separate type
for this file (and any other file created by installd under a directory
labeled system_data_file) so that we can allow create/write access by
installd without allowing it to any system data files created by other
processes. This prevents installd from overwriting other system data
files, and ensures that any files it creates will require explicit
rules in order to access.
Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
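
The pattern behind this commit and the zygote auditallow commit above, written out as an added SELinux policy sketch; this is illustrative policy, not the actual AOSP sepolicy or the text of these commits. The type name installd_data_file is a hypothetical placeholder, and the domains installd and zygote, the type system_data_file and the attributes file_type and data_file_type are assumed to be declared elsewhere in the policy.

```selinux
# Added example, not AOSP policy. installd_data_file is a HYPOTHETICAL
# type name; installd, zygote, system_data_file, file_type and
# data_file_type are assumed to be declared in the surrounding policy.

# 1. A dedicated type for files installd creates inside directories
#    labeled system_data_file (e.g. /data/.layout_version).
type installd_data_file, file_type, data_file_type;

# 2. Files installd creates under a system_data_file directory are
#    labeled installd_data_file instead of inheriting the parent's type.
type_transition installd system_data_file:file installd_data_file;

# 3. installd may add entries to the directory and fully manage files
#    of its own type, but gets no write access to system_data_file files.
allow installd system_data_file:dir { search getattr open read write add_name remove_name };
allow installd installd_data_file:file { create open read write append getattr setattr unlink };

# 4. Any other domain that needs installd_data_file must be granted it
#    explicitly; with no rule here the default is deny.

# 5. Lock in the intent: a later allow rule granting installd create or
#    write on system_data_file files fails the policy build.
neverallow installd system_data_file:file { create write append };

# 6. zygote still holds legacy create/write on system data. auditallow
#    logs only accesses that ARE permitted, so every real use shows up in
#    the audit log and can be moved to its own type; once the log stays
#    quiet, the allow rules below can be reduced to read-only.
allow zygote system_data_file:dir { search getattr open read write add_name remove_name create };
allow zygote system_data_file:file { create open read write append getattr };
auditallow zygote system_data_file:{ dir file } { create write append };
```

If the zygote auditallow fires during testing, the logged path tells you which file needs its own type, exactly as was done for installd here.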