Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs. Include exceptions for
appdomain and recovery as required by current policy.
Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.
Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.
For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.
Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.
Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
Define the service context for "webviewupdate", a new service that will
run in the system server.
Bug: 13005501
Change-Id: I841437c59b362fda88d130be2f2871aef87d9231
system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.
Change-Id: I27a05761c14def3a86b0749cdb895190bdcf9d71
1) Remove explicit allow statements. Since su is in permissive,
there's no need to ever specify allow statements for su.
2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.
3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:
type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0
which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.
Bug: 16261280
Bug: 16298582
Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.
dex2oat handles untrusted user data, so we want to put it in
its own tighter sandbox.
Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.
Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
Support opening the ffs-based interface for adbd in recovery. (Copied
from adbd.te.)
Bug: 16183878
Change-Id: Ib80e5b910d9ad4252cb80e7ce2f85e478cd94816
ueventd is allowed to change files and directories in /sys,
but not symbolic links. This is, at a minimum, causing the
following denial:
type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file
Allow ueventd to modify labeling / attributes of symlinks.
Change-Id: If641a218e07ef479d1283f3171b2743f3956386d
The new Nexus 5 tee implementation requires raw block I/O
for anti-rollback protection.
Bug: 15777869
Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396
Defines new device type persistent_data_block_device
This block device will allow storage of data that
will live across factory resets.
Gives rw and search access to SystemServer.
Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.
The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.
Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.
Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This will be used to populate rt_tables (a mapping from routing table numbers to
table names) that's read by the iproute2 utilities.
Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
adb sideload depends on the ability to access the fuse
directory. Flipping recovery into enforcing started triggering
the following denial:
type=1400 audit(17964905.699:7): avc: denied { search } for pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59
Create a new domain for the one-shot init service flash_recovery.
This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.
Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8
Earlier changes had extended the rules, but some additional changes
are needed.
avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
tcontext=u:object_r:apk_data_file:s0 tclass=dir
Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.
Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
Error while expanding policy
make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1
Change-Id: Iddf2cb8d0de2ab445e54a727f01be0b992b45ba5
The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.
Addresses the following denials:
avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
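As an added example that is not part of these commits, a small audit2allow-style parser for the AVC denials quoted in the messages above: it shows how the scontext/tcontext/tclass fields map onto the allow rules being discussed and merges permissions that share a (source, target, class) triple. The denial lines are copied from this page and embedded as constructed sample input.

```python
import re

# Constructed sample: the AVC denials quoted in the commit messages above,
# in the variants they appear in (with/without the type=1400 audit prefix,
# quoted or bare dev=, with or without pid=/comm=).
SAMPLE_DENIALS = [
    'type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0',
    'type=1400 audit(0.0:5): avc: denied { getattr } for comm="ueventd" path="/sys/devices/tegradc.0/driver" dev=sysfs ino=3386 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_tegradc:s0 tclass=lnk_file',
    'type=1400 audit(17964905.699:7): avc: denied { search } for pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir',
    'avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file',
    'avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file',
]

AVC_RE = re.compile(r'avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial into source/target types, object class and the
    denied permissions; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:sensitivity; the type is what allow rules name.
    return {
        'perms': m.group('perms').split(),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'permissive': fields.get('permissive') == '1',
    }

def suggest_allow_rules(lines):
    """Collapse denials into audit2allow-style allow rules, merging permissions
    per (source, target, class). Each rule is a candidate to review, not policy
    to paste: an unlabeled target, for instance, can trip the neverallow rules
    in domain.te, as the build error quoted earlier on this page shows."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec['source'], rec['target'], rec['tclass'])
            merged.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ ' + body + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules
```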
Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.
Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156
Currently, ueventd only modifies the SELinux label on a file
if the entry exists in /ueventd.rc. Add policy support to enable
an independent restorecon_recursive whenever a uevent message occurs.
Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac