Commit graph

8 commits

Author SHA1 Message Date
Stephen Smalley
025b7df298 sepolicy: Clean up mls constraints.
Require equivalence for all write operations.  We were already
doing this for app_data_file as a result of restricting open
rather than read/write, so this makes the model consistent across
all objects and operations.  It also addresses the scenario where
we have mixed usage of levelFrom=all and levelFrom=user for
different apps on the same device where the dominated-by (domby)
relation may not be sufficiently restrictive.

Drop the System V IPC constraints since System V IPC is never allowed
by TE and thus these constraints are dead policy.

Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 17:07:39 -04:00
dcashman
60cfe79f18 Revert "Drop special handling of app_data_file in mls constraints."
This reverts commit 27042f6da1.

Managed profiles are represented by new android users which have the ability to
communicate across profiles as governed by an IntentFilter provisioned by the
DevicePolicyManager.  This communication includes reading and writing content
URIs, which is currently obstructed by the mls separation between an owning user
and its managed profile.

Bug: 19444116
Bug: 19525465
Bug: 19540297
Bug: 19592525
Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
2015-03-04 16:39:58 -08:00
dcashman
e8f95b363a Remove read access from mls constraints.
Addresses the following denial encountered when sharing photos between personal
and managed profiles:

Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0

Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
2015-02-27 16:03:00 -08:00
Stephen Smalley
7d1b6c8792 sepolicy: allow cross-user unnamed pipe access
Exempt unnamed pipes from the MLS constraints so that they can
be used for cross-user communications when passed over binder or
local socket IPC.

Addresses denials such as:
avc: denied { read } for path="pipe:[59071]" dev="pipefs" ino=59071 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fifo_file

Bug: 19087939

Change-Id: I77d494c4a38bf473fec05b728eaf253484deeaf8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-20 11:16:20 -08:00
Stephen Smalley
27042f6da1 Drop special handling of app_data_file in mls constraints.
This was a legacy of trying to support per-app level isolation
in a compatible manner by blocking direct open but permitting
read/write via passing of open files over Binder or local sockets.
It is no longer relevant and just confusing to anyone trying to use
the mls support for anything else.

Change-Id: I6d92a7cc20bd7d2fecd2c9357e470a30f10967a3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-12 09:31:32 -04:00
Stephen Smalley
e884872655 Add policy for run-as program.
Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-27 10:05:42 -08:00
Stephen Smalley
0e85c17e6e Rewrite MLS constraints to only constrain open for app_data_file, not read/write. 2012-03-19 10:32:24 -04:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00