Drop rules on data_file_type attribute and replace with
rules on specific types, coalescing with existing rules
where appropriate. Reorganize the rules and try to
annotate the reason for the different rules.
Change-Id: I2d07e7c276a9c29677f67db0ebecfc537c084965
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

91a4f8d4fd created system_app_data_file,
and assigned all system_apps to use this file type. For testing purposes,
our automated testing infrastructure sideloads shared system UID apks.
Installd does not have permission to create the lib symlink, so the
installation fails.
Allow installd to create this symlink.
repro:
adb install AppLaunch.apk
276 KB/s (8414 bytes in 0.029s)
pkg: /data/local/tmp/AppLaunch.apk
Failure [INSTALL_FAILED_INTERNAL_ERROR]
logcat:
05-08 23:16:36.336 605 637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490
05-08 23:16:36.338 605 637 W asset : Installing empty resources in to table 0x5e89a368
05-08 23:16:36.359 193 193 W installd: type=1400 audit(0.0:29): avc: denied { create } for name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file
05-08 23:16:36.363 193 193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied
05-08 23:16:36.364 605 637 W PackageManager: Failed linking native library dir (user=0)
05-08 23:16:36.364 605 637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk
Bug: 14659632
Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3

Only keystore itself should be reading / writing its files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.
Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf

As per the discussion in:
https://android-review.googlesource.com/#/c/92903/
Add sysfs_type attribute to sysfs type so that it is included
in rules on sysfs_type, allow setattr to all sysfs_type for ueventd
for chown/chmod, and get rid of redundant rules.
Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Should no longer be required due to restorecon_recursive of /data
by init.rc (covers everything outside of /data/data) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).
Move the neverallow rule on relabelto to the neverallow section.
We could potentially drop this altogether, along with the relabelto_domain
macro and its callers, since its motivation was to provide some
safeguard in spite of allowing relabelfrom to unlabeled files for
all domains and this change removes relabelfrom.
unconfined still retains rw access to unlabeled, as do specific domains
that are explicitly allowed it.
Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Should no longer be required due to restorecon_recursive of /data
by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).
Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ADF is a modern replacement for fbdev.
ADF's device nodes (/dev/adf[X]), interface nodes
(/dev/adf-interface[X].[Y]), and overlay engine nodes
(/dev/adf-overlay-engine[X].[Y]) are collectively used in similar
contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and
healthd will need to send R/W ioctls to these nodes to prepare and
update the display.
Ordinary apps should not talk to ADF directly.
Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>

Not sure what denial originally motivated adding this
access, but drop it and see if it resurfaces. platform_app
is still permissive_or_unconfined() so this should not break
anything.
Change-Id: Ia4418080e3477346fa48d23b4bb5d53396ed5593
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

See if we can remove these allow rules by auditing any granting
of these permissions. These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.
Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files. However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.
This resolves the following denial when cropping or taking a user photo
for secondary users:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise it is treated as a regex and matches any character.
Change-Id: I9e23f01b0e104d3ef57993fd1a3d9a5b13201910
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Commit 3fbc536dfd allowed untrusted
app to read radio data files passed via binder, but didn't allow
write access. Write access is needed when sending MMS messages.
Steps to reproduce:
1) Have some photos on the device
2) Launch the messaging app
3) Attach an MMS (picture, capture video, capture picture, audio recording, etc.)
4) Send
EXPECTED RESULTS:
No crash
OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state
Additional details:
05-05 10:14:01.196 2457 2457 W Binder_3: type=1400 audit(0.0:20): avc: denied { write } for path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
05-05 10:14:01.203 27809 28219 E PduPersister: at java.lang.Thread.run(Thread.java:818)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at android.content.ContentUris.parseId(ContentUris.java:85)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at java.lang.Thread.run(Thread.java:818)
05-05 10:14:01.222 659 5253 W ActivityManager: Force finishing activity com.android.mms/.ui.ComposeMessageActivity
Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9

specifycapabilities is no longer specified by the zygote userspace manager.
It was removed in commit: 42a4bb5730266f80585e67262c73505d0bfffbf8. Remove
this permission from policy.
Change-Id: I866a25b590a375a68de6eec9af1b3ef779889985

Allow the zygote to create instruction set specific
directories under /data/dalvik-cache and to change their owner
to the system UID.
These subdirectories are required in order to support
instruction set specific dex caches on devices that support
multiple instruction sets. We can't ask init to create these
directories for us, because init doesn't have any knowledge
about the list of runtime instruction sets the device supports.
The owner needs to be system because the package manager (running
in the system_server) is allowed to manipulate files under this
directory.
(cherry picked from commit 032e5b0ae1)
Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361

Developers should be able to use systrace with user builds.
This requires read access to /sys/kernel/debug/tracing/trace,
otherwise the following error occurs:
$ atrace
capturing trace... done
TRACE:
error opening /sys/kernel/debug/tracing/trace: Permission denied (13)
with the following SELinux denial:
<4>[ 79.830542] type=1400 audit(11940551.039:8): avc: denied { read } for pid=1156 comm="atrace" name="trace" dev="debugfs" ino=3024 scontext=u:r:shell:s0 tcontext=u:object_r:debugfs:s0 tclass=file
At least on the kernel I've tested this on, debugfs doesn't support
setting SELinux file labels. Grant read access to all of debugfs to
work around this limitation.
Bug: 13904660
Change-Id: Ib58e98972c5012e9b34fec9e0a6094641638cd9a
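The denial records quoted in the commit messages above arrive in three prefix styles: logcat lines carrying "type=1400 audit(...)", bare "avc: denied" lines, and kernel-log lines with a "<4>[ ... ]" prefix. The following Python script is an added example; it is not part of any commit on this page or of the Android sepolicy project. It parses such lines into their fields and groups them by source type, target type and object class, which is the view a policy reviewer wants before deciding, as these commits do, whether a new allow rule is warranted or whether the file simply carries the wrong label. The sample lines are copied from the messages above plus one non-AVC installd line to show that noise is skipped; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial lines quoted on this page, in the three
# prefix styles seen here (logcat, bare avc, kernel log), plus one non-AVC line.
SAMPLE_LINES = [
    '05-08 23:16:36.359 193 193 W installd: type=1400 audit(0.0:29): avc: denied { create } for name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file',
    "05-08 23:16:36.363 193 193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied",
    'avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file',
    'avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file',
    '<4>[ 79.830542] type=1400 audit(11940551.039:8): avc: denied { read } for pid=1156 comm="atrace" name="trace" dev="debugfs" ino=3024 scontext=u:r:shell:s0 tcontext=u:object_r:debugfs:s0 tclass=file',
]

# The AVC record proper: "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (paths, names) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_context(ctx):
    """Split an SELinux context 'user:role:type[:level]' into its parts."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return {
        'user': parts[0],
        'role': parts[1],
        'type': parts[2],
        'level': parts[3] if len(parts) == 4 else None,
    }


def parse_denial(line):
    """Return a dict describing one 'avc: denied' record, or None when the
    line is not an AVC denial (ordinary log noise, or a record missing the
    fields every denial must carry)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group('rest')):
        fields[key] = bare if bare else quoted
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            return None
    return {
        'perms': m.group('perms').split(),
        'scontext': parse_context(fields.pop('scontext')),
        'tcontext': parse_context(fields.pop('tcontext')),
        'tclass': fields.pop('tclass'),
        'fields': fields,  # whatever else was present: name, path, dev, ino, pid, comm
    }


def parse_lines(lines):
    """Parse every line, dropping the ones that are not AVC denials."""
    return [d for d in (parse_denial(line) for line in lines) if d is not None]


def summarize(denials):
    """Group denials by (source type, target type, class), collecting the union
    of denied permissions and a count.  Several distinct files under one type
    collapse into one row, which is what a policy decision is made on."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0})
    for d in denials:
        key = (d['scontext']['type'], d['tcontext']['type'], d['tclass'])
        groups[key]['perms'].update(d['perms'])
        groups[key]['count'] += 1
    return {k: {'perms': sorted(v['perms']), 'count': v['count']}
            for k, v in groups.items()}


def format_summary(summary):
    """Render the grouped view one row per (source, target, class) triple."""
    rows = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        rows.append('%-15s -> %-22s %-9s { %s }  x%d' % (
            stype, ttype, tclass, ' '.join(info['perms']), info['count']))
    return '\n'.join(rows)


if __name__ == '__main__':
    print(format_summary(summarize(parse_lines(SAMPLE_LINES))))
```

Run against a real logcat or dmesg capture, the grouped rows make the two distinct situations on this page easy to tell apart: a repeated (untrusted_app, system_data_file, file) row with only write denied points at a labeling problem of the kind the system_app_data_file commit fixed, while a single (installd, system_app_data_file, lnk_file) create row is a missing rule for a legitimate operation.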