To write bytes to appfuse file from priv_app, we need to specify
mlstrustedobject.
The CL fixes the following denial.
type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
BUG=23093747
(cherry picked from commit 4d19f98c72)
Change-Id: I9901033bb3349d5def0bd7128db45a1169856dc1
Similar to profman, dex2oat does more checks on profiles now.
It needs to be able to do stat to test for existence and non-emptiness.
03-28 10:41:06.667 8611 8611 W dex2oat : type=1400 audit(0.0:129):
avc: denied { getattr } for
path="/data/misc/profiles/ref/com.google.android.apps.magazines/primary.prof"
dev="dm-0" ino=636928 scontext=u:r:dex2oat:s0
tcontext=u:object_r:user_profile_data_file:s0 tclass=file permissive=0
Bug: 27860201
Change-Id: I3a7cb396596ae28a375ea98224ada29f093f475e
We do a bit more checks in the runtime for the profiles and call
stat on the files to see if they exist and are not empty.
SELinux error
[ 297.842210] type=1400 audit(1459106986.097:7): avc: denied { getattr
} for pid=4504 comm="profman"
path="/data/misc/profiles/cur/0/com.google.android.youtube/primary.prof"
dev="dm-1" ino=636936 scontext=u:r:profman:s0
tcontext=u:object_r:user_profile_data_file:s0:c512,c768 tclass=file
permissive=0
Bug: 27860201
Change-Id: Ic97882e6057a4b5c3a16089b9b99b64bc1a3cd98
There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.
Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
(cherry picked from commit f2d07904f7)
/dev/uio uio_device is already declared. Accessing uio through /sys
is also common.
Bug: 26990688
Change-Id: I3db941161dae31d3b87f265708abbcd9171a2c1f
(cherry picked from commit 16fe52c90c)
One time executables. recovery_refresh can be used at any time to
ensure recovery logs in pmsg are re-placed at the end of the FIFO.
recovery_persist takes the recovery logs in pmsg and drops them
into /data/misc/recovery/ directory.
Bug: 27176738
Change-Id: Ife3cf323930fb7a6a5d1704667961f9d42bfc5ac
sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.
Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d
See https://groups.google.com/d/msg/android-ndk/BbEOA9pnR-I/HgLkGy5qAgAJ
Addresses the following denial:
avc: denied { lock } for path="/data/data/com.mypackage/files/somefilename" dev="mmcblk0p28" ino=114736 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0
While I'm here, also add lock to w_file_perms.
Change-Id: I2568a228099c4e112e4a8b80da3bfcf2e35eb0ea
The changes to ptrace in
https://android-review.googlesource.com/#/c/175786/ (removing it from
app.te and only adding it to isolated_app and untrusted_app) broke
WebView crash handling in cases where privileged apps (like gmscore) use
WebView.
The only way to fix this would be to allow priv_app to self-ptrace as
well. :/
Bug: 27697529
Change-Id: Ib9a3810dddc9f4213b6260133cbae23f669ae8dc
SELinux label is created for contexthub_service system service.
ContextHub service manages all available context hubs and serves to fulfil communication between apps
and underlying context hub hardware.
Change-Id: I8470fedd9c79a00012e1cdb9b548a1b632ba7de6
Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries. Mark it as an app_api_service so
that all applications may use this API. Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties. As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.
(cherry-picked from commit: 9ed71eff4b)
Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs. Give these files their own label and
allow the needed read access.
Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
Remove permissions which are already covered by other permissions.
Found by running:
sepolicy-analyze path/to/sepolicy dups
No functional change.
Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71
Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
however, not completely. Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.
Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
It's okay for isolated apps to connect to the webview update service to
find out which APK is WebView. This enables isolated renderer processes
to load their code from the WebView APK.
Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f
... and client apps to read them.
A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png
System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps
Client apps will:
- Receive file descriptors and read from them.
Bug: 27548047
Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b
Vold needs to be able to query if the directory exists and
eventually to fix permissions and the owner.
Typical error:
W vold : type=1400 audit(0.0:485): avc: denied { getattr }
for path="/data/misc/profiles/cur/11/foreign-dex" dev="dm-2"
ino=343857 scontext=u:r:vold:s0
tcontext=u:object_r:user_profile_foreign_dex_data_file:s0 tclass=dir
permissive=0
Bug: 27517932
Change-Id: Iff10c864634baa97cc814916ee7495b262e0c7eb
It's unlikely we'll get /proc locked down for the N release, so
delete the auditallow to avoid spamming the logs. Mark this
commit as DO NOT MERGE so we can continue to make progress on this
for future Android releases.
Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc
Both appdomain and priv_app can set the default ringtones, so the
cache files need to be mlstrustedobject.
avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
Bug: 27366059
Change-Id: Ib362f58b180a62bd46800083d6c538426f955b10
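Several of the commits above start from an AVC denial line and end in a targeted policy change. As an added example (not code from the AOSP sepolicy project), the following Python parses such denial lines, strips the MLS level and categories from the contexts, and groups the permissions into candidate allow rules in the style of audit2allow; it assumes one denial per line, so wrapped log lines like the dex2oat and profman ones must be joined first. The sample input is constructed from the single-line denials quoted in this log.

```python
import re
from collections import defaultdict

# Core of an SELinux AVC denial: the permission set in braces, then key=value pairs.
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type of a context such as u:r:priv_app:s0:c512,c768 (here: priv_app)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not a denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": sorted(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was only logged, not blocked
        "enforced": fields.get("permissive") == "0",
        "path": fields.get("path") or fields.get("name"),
    }

def to_allow_rules(lines):
    """Group denials by (source, target, class) and emit sorted candidate allow rules."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

# Constructed sample: single-line denials copied from the commit messages above.
SAMPLE = [
    'type=1400 audit(0.0:77): avc: denied { write } for name="10" dev="fuse" ino=10 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0',
    'avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1',
    'avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1',
    'avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1',
    'avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1',
    'avc: denied { lock } for path="/data/data/com.mypackage/files/somefilename" dev="mmcblk0p28" ino=114736 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0',
    'avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for rule in to_allow_rules(SAMPLE):
        print(rule)
```

The generated rules are a starting point for review, not a fix: as the commits above show, the right change is often a narrower construct (a new type such as sysfs_thermal, or mlstrustedobject on the target) rather than the literal allow rule, and the MLS categories the parser strips are exactly what the priv_app denials hinge on.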
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
(cherry picked from commit 6cb2c893b1)
Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef