Commit graph

27 commits

Author SHA1 Message Date
Jeff Sharkey
7617cd48b7 New "selinux.restorecon" control property.
This new property is used as a control verb for running a recursive
restorecon at the path contained in the property value.

Defines a new label and grants access to vold, which invokes it when
mounting private adopted volumes.

Bug: 21121357
Change-Id: I8ff12a146e54a505aa5b43a542578891563d647a
2015-06-09 13:39:04 -07:00
Jeff Vander Stoep
8b015f9df4 Create context for ctl.console
(cherry picked from commit c2e31a7782)

Change-Id: I92218709fa8cdb71c0369aca8fdd7922df45f7d0
2015-04-24 14:47:31 -07:00
Jeffrey Vander Stoep
eb9536488c Revert "Create context for ctl.console"
This reverts commit bbd56b71ce.

Change-Id: I3e295f785aa62de3a04b2f201be97dd7ef0c207f
2015-04-24 21:05:46 +00:00
Jeff Vander Stoep
bbd56b71ce Create context for ctl.console
Change-Id: I9ba4952230ec1b811b8ec6cd19c0286ee791bf08
2015-04-24 20:32:46 +00:00
Nick Kralevich
caefbd71c5 allow adbd to set sys.usb.ffs.ready
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Sami Tolvanen
9f0682dc50 Revert "Allow ueventd to set verity.* properties"
Updating properties from ueventd may lead to deadlocks with init in rare
cases, which makes these changes unnecessary after all.

This reverts commit 47cd53a558.

Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da
2015-02-27 22:18:01 +00:00
Sami Tolvanen
47cd53a558 Allow ueventd to set verity.* properties
On dm-verity errors, we catch uevents in ueventd and set the value
for a matching verity.* property. Allow ueventd to actually change
property values.

Needed by changes from
  Ibb82953594d234f81ad21c40f524190b88e4ac8f

Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc
2015-02-18 13:56:06 +00:00
Nick Kralevich
c48971f69f allow system_server to set ro.build.fingerprint
Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See 5568772e81
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
2014-11-18 22:44:31 +00:00
Stephen Smalley
54e9bc4514 Dependencies for new goldfish service domains.
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service.  A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them.  A neverallow rule prevents us from allowing
qemu-props to set default_prop.

We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat.  We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).

Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-27 17:19:39 -07:00
Martijn Coenen
9ac7df2280 Allow NFC to read/write nfc. system properties.
(cherry pick of commit 05383ebfb4)

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97
2014-09-26 13:57:02 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Paul Jensen
97a2cfdf66 Allow Bluetooth app to initiate DHCP service on bt-pan interface.
bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
2014-06-19 02:49:37 +00:00
Mark Salyzyn
9e7bbf61de selinux: logd Development settings
- logd Development Settings failed to access persist.logd.size

Change-Id: I0732b44fcbffbf3c187bcb23df2db807fa3e8fde
2014-06-12 13:08:13 -07:00
Stephen Smalley
3235f61aa8 Restrict /data/security and setprop selinux.reload_policy access.
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).

init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it.  init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.

Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.

This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.

Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.

Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 18:30:11 +00:00
Stephen Smalley
3a099879fb Label ril.cdma with radio_prop.
Resolves denials such as:
avc:  denied  { set } for property=ril.cdma.inecmmode scontext=u:r:radio:s0 tcontext=u:object_r:rild_prop:s0 tclass=property_service

This makes ril.cdma consistent with net.cdma.

We may ultimately need to coalesce rild_prop and radio_prop; they
were an attempt to distinguish what can be set by rild from what can be
set by com.android.phone, but the init property service DAC checking
permits any of them to be set by anything with the radio AID.  We
presently allow rild to set either type, but radio can only set radio_prop.

Change-Id: Ia3852db187e52427e18075e24b2beab19dd59c1f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 09:12:08 -04:00
Robert Craig
4b3893f90b Replace ctl_default_prop access with explicit service property keys.
The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.

Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-25 13:36:50 -04:00
Stephen Smalley
1c0c010261 Allow system_app to start bugreport and to create /data/anr/traces.txt.
Resolves denials such as:

avc:  denied  { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service

avc:  denied  { write } for  pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { add_name } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { create } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-11 12:12:14 +00:00
Stephen Smalley
16a66529e4 Generalize rmnet entry for radio properties.
Our policy also has this entry:
net.rmnet_usb0.         u:object_r:radio_prop:s0

Rather than trying to enumerate all possible variants, just reduce
the existing rmnet0 entry to rmnet so that it matches all properties
with that prefix.

Change-Id: Ic2090ea55282fb219eab54c96fd52da96bb18917
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 13:14:04 -05:00
Nick Kralevich
116a20fdb6 debuggerd: Allow "debug.db.uid" usage
Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
2014-02-18 15:00:40 -08:00
Nick Kralevich
dd1ec6d557 Give system_server / system_app ability to write some properties
Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[  131.700473] avc:  denied  { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[  131.700625] init: sys_prop: permission denied uid:1000  name:debug.force_rtl
<4>[  132.630062] avc:  denied  { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[  132.630184] init: sys_prop: permission denied uid:1000  name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
2013-11-01 10:45:03 -07:00
Nick Kralevich
7914a47f05 Enable SELinux on vold
This change enables SELinux security enforcement on vold.

For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d and
50e37b93ac, with the following
additional changes:

1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.

2) Addition of the powerctl property, which vold contacts to
tell init to reboot.

3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.

4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.

Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature.  I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.

Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-28 20:41:16 -07:00
Alex Klyubin
3123b1eef7 SELinux policy for Bluetooth properties.
Properties under bluetooth. and persist.service.bdroid. are
considered Bluetooth-related properties.

Change-Id: Iee937d9a1184c2494deec46f9ed7090c643acda7
2013-05-06 10:18:27 -07:00
William Roberts
9e70c8bf68 Move policy files
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.

Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
2013-03-22 10:42:10 -07:00
William Roberts
e2ad318e45 Label persist audio properties
label all persist.audio.* properties
and allow mediaserver access to them.

Change-Id: If5755d9783dce298e66a25bcb7f17ff17bd83ea7
2012-11-28 12:15:02 -08:00
Bob Craig
92495b38d5 Add persist.mac_enforcing_mode context 2012-06-28 10:51:25 -04:00
Stephen Smalley
730957aef3 Rework the radio vs rild property split.
Only label properties with the ril. prefix with rild_prop.
Allow rild and system (and radio) to set radio_prop.
Only rild can set rild_prop presently.
2012-04-04 16:01:19 -04:00
Stephen Smalley
124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00