As suggested in https://android-review.googlesource.com/95966 , remove
various syslog_* from unconfined. SELinux domains which want to use
syslog_* can declare it themselves.
Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
Allow the shell user to see the dmesg output. This data is already
available via "adb bugreport", but isn't easy to access.
Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177
Denials generated from the su domain aren't meaningful security
warnings, and just serve to confuse people. Don't log them.
Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e
System UID apps want to be able to create/write to system-owned
/data directories outside of their own /data/data package directory,
such as /data/system/cache and /data/misc/keychain. Restore access
(which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when
system_app_data_file was introduced for the /data/data package
directories of system UID apps), but audit writes to system_data_file
so we can look at introducing separate types for these directories in
the future and ultimately remove access to the rest of the system-owned
data.
Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 removed
these permissions from domain.te and added them to specific domains
as required. Remove the permissions from unconfineddomain as well
so that they are only allowed where explicitly allowed. The earlier
change already added the necessary permissions to init, kernel,
and recovery so we do not need to add them here.
Change-Id: Ifeb5438532a7525e64328e1c54b436e9b6f7fd3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Define a domain and appropriate access rules for shared RELRO files
(used for loading the WebView native library). Any app is permitted to
read the files as they are public data, but only the shared_relro
process is permitted to create/update them.
Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e
Add a compile time assertion that most SELinux domains don't
execute code from outside of the system partition.
Exceptions are listed in the neverallow rule.
Change-Id: I8166e29a269adca11661df3c6cda4448a42ca30d
Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.
Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.
Still TODO: fix device specific wakelock use.
Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
zygote_secondary talks over a different socket named
/dev/socket/zygote_secondary. Make sure it's properly labeled.
See https://android-review.googlesource.com/89604
Addresses the following denial:
<12>[ 48.442004] type=1400 audit(1400801842.179:5): avc: denied { write } for pid=1082 comm="main" name="zygote_secondary" dev="tmpfs" ino=9953 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
Bug: 13647418
Change-Id: I1ff5f1d614295a5870bb8a3992ad9167e1656c92
On userdebug / eng builds, Android supports the concept of app wrapping.
You can run an app wrapped by another process. This is traditionally used
to run valgrind on apps, looking for memory leaks and other problems.
App wrapping is enabled by running the following command:
adb shell setprop wrap.com.android.foo "TMPDIR=/data/data/com.android.foo logwrapper valgrind"
Valgrind attempts to mmap exec /system/bin/app_process, which is being denied
by SELinux. Allow app_process exec.
Addresses the following denial:
<4>[ 82.643790] type=1400 audit(16301075.079:26): avc: denied { execute } for pid=1519 comm="memcheck-arm-li" path="/system/bin/app_process32" dev="mmcblk0p25" ino=61 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
Bug: 15146424
Change-Id: I65394938c53da9252ea57856d9f2de465bb30c25
CTS test luni/src/test/java/libcore/java/nio/BufferTest.java function
testDevZeroMapRW() requires us to be able to open /dev/zero in read-write
mode. Allow it.
Change-Id: I2be266875b1d190188376fd84c0996039d3c1524
