Use more general type names for the contents of /data/misc/camera and
/data/misc/audio. These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy. So we may as well switch
AOSP to these names.
Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.
Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names.
to the new ones. Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.
Option #2 is implemented by this change.
Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*. bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former. This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).
Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Every device has a CPU. This is not device specific.
Allow every domain to read these files/directories.
For unknown reasons, these files are accessed by A LOT
of processes.
Allow ueventd to write to these files. This addresses
the following denials seen on mako:
<5>[ 4.935602] type=1400 audit(1383167737.512:4): avc: denied { read } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.935785] type=1400 audit(1383167737.512:5): avc: denied { open } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.935937] type=1400 audit(1383167737.512:6): avc: denied { search } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
<5>[ 4.936120] type=1400 audit(1383167737.512:7): avc: denied { write } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
<5>[ 4.936303] type=1400 audit(1383167737.512:8): avc: denied { open } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file
Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936
/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.
Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
The /adb_keys entry will only take effect if a restorecon is
applied by init.rc on a kernel that includes the rootfs labeling
support, but does no harm otherwise.
The /data/misc/adb labeling ensures correct labeling of the adb_keys
file created if the device has ro.adb.secure=1 set.
Allow adbd to read the file.
Change-Id: I97b3d86a69681330bba549491a2fb39df6cf20ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change-Id I027f76cff6df90e9909711cb81fbd17db95233c1 added a
/data/local/tmp/selinux entry at the same time domains were made
permissive. I do not know why, and do not see how this is used.
So remove it.
Change-Id: I3218cc18de9781bc65ae403f2cf4c234847ef5f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These device nodes were specific to crespo / Nexus S and
if ever needed again, should be re-introduced in the per-device
sepolicy, not here.
Change-Id: I8366de83967974122c33937f470d586d49c34652
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The type was already defined and used in type transitions for cases
where the gps socket is created at runtime by gpsd, but on some devices
it is created by init based on an init.<board>.rc socket entry and therefore
needs a file_contexts entry.
Before:
$ ls -Z /dev/socket/gps
srw-rw---- gps system u:object_r:device:s0 gps
After:
$ ls -Z /dev/socket/gps
srw-rw---- gps system u:object_r:gps_socket:s0 gps
Change-Id: I8eef08d80e965fc4f3e9dd09d4fa446aaed82624
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Otherwise it gets left in the general device type, and we get denials such
as:
type=1400 msg=audit(1379617262.940:102): avc: denied { write } for pid=579 comm="mDnsConnector" name="mdns" dev="tmpfs" ino=3213 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=sock_file
This of course only shows up if using a confined system_server.
Change-Id: I2456dd7aa4d72e6fd15b55c251245186eb54a80a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Otherwise we have different security contexts but the same DAC
permissions:
-rw-rw-rw- root root u:object_r:sysfs_writable:s0 process_name
-rw-rw-rw- root root u:object_r:sysfs:s0 state
-rw-rw-rw- root root u:object_r:sysfs:s0 symbol
This change fixes denials such as:
type=1400 msg=audit(1379096020.770:144): avc: denied { write } for pid=85 comm="SurfaceFlinger" name="symbol" dev="sysfs" ino=47 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I261c7751da3778ee9241ec6b5476e8d9f96ba5ed
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/sys was getting labeled as a rootfs file, but according to
genfs_contexts, it's really a sysfs file. This conflict is causing
problems when patch f29c533c49ab1c90eae612b1c454f2c6879a6658 from
system/core is applied.
Change-Id: I3f34c9ee68bedb171ebebfcd356e924c987b58ff
This change does several things:
1) Restore domain.te to the version present at
cd516a3266 . This is the version
currently being distributed in AOSP.
2) Add "allow domain properties_device:file r_file_perms;" to
domain.te, to allow all domains to read /dev/__properties__ .
This change was missing from AOSP.
3) Restore netd.te to the version present at
80c9ba5267 . This is the version
currently being distributed in AOSP.
4) Remove anything involving module loading from netd.te. CTS
enforces that Android kernels can't have module loading enabled.
5) Add several new capabilities, plus data file rules, to
netd.te, since netd needs to write to files owned by wifi.
6) Add a new unconfined domain called dnsmasq.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the dnsmasq.te domain.
7) Add a new unconfined domain called hostapd.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the hostapd.te domain.
The net effect of these changes is to re-enable SELinux protections
for netd. The policy is FAR from perfect, and allows a lot of wiggle
room, but we can improve it over time.
Testing: as much as possible, I've exercised networking related
functionality, including turning on and off wifi, entering airplane
mode, and enabling tethering and portable wifi hotspots. It's quite
possible I've missed something, and if we experience problems, I
can roll back this change.
Bug: 9618347
Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.
Change-Id: I729d224347a003eaca29299d216a53c99cc3197c
- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
for a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.
Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c
/data/app-private is used when making an
app purchase or forward locking. Provide a
new label for the directory as well as the
tmp files that appear under it.
Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Assortment of policy changes include:
* Bluetooth domain to talk to init and procfs.
* New device node domains.
* Allow zygote to talk to its executable.
* Update system domain access to new device node domains.
* Create a post-process sepolicy with dontaudits removed.
* Allow rild to use the tty device.
Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
iio: Industrial I/O subsystem
usb_accessory: accessory protocol for usb
Allow system access in both cases.
Change-Id: I02db9775ec2ddaaeda40fae6d5e56e320957b09c
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
* commit '9c0f2df1832f82bd2867d2e2fa18dde31b05e63e':
Various minor policy fixes based on CTS.
Split internal and external sdcards
Give sdcard sys_admin capability.
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.
Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
/vendor has the same permissions as /system/vendor for devices
that have a separate vendor partition.
Bug: 8341435
Change-Id: If0c78b31f8a6e8e5680f1d076c323d1628fb07b2
Initial policy for software watchdog daemon
which is started by init.
Change-Id: I042a5b1698bf53ce2e50ea06851c374e5123ee2c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Also labels /dev/mpu and /dev/mpuirq as gps device.
mpu is motion processing unit and is resposible for
gyroscope functionality.
Change-Id: If7f1a5752c550b72fac681566e1052f09e139ff0
