tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
7070 commits 1 branch 0 tags 50 MiB
Commit graph

67 commits

Author SHA1 Message Date
Daichi Hirono
4c7044e0b1 Allow apps to search appfuse mount point and open a file on appfuse mount point. 
Bug: 29970149
Test: None
Change-Id: I59f49f3bf20d93effde5e1a9a3c1ed64fbecb7a8
 2016-11-15 10:22:19 +09:00
Treehugger Robot
41301ab74b Merge "Allow ephemeral apps network connections" 2016-11-14 21:53:15 +00:00
Connor O'Brien
353244451f Merge "Allow update_verifier to use boot HIDL HAL" 2016-11-14 21:53:07 +00:00
Chad Brubaker
4abf491a9e Allow ephemeral apps network connections 
Test: Verify that HTTP and HTTPS connections from ephemeral apps do not
cause denials.
Change-Id: I0ce25602906e63ec55d5b5869445f2aec10900cb
 2016-11-14 12:24:51 -08:00
Chia-I Wu
fb08872a40 Add sepolicy for hwcomposer HAL 
Allow SurfaceFlinger to call into IComposer, and vice versa for
IComposerCallback.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

binder_call(..., surfaceflinger) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1

allow ... gpu_device:chr_file rw_file_perms for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... graphics_device ... for
avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1

allow bootanim ...:fd use for
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1

Bug: 32021609
Test: make bootimage
Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588
 2016-11-14 01:10:02 +00:00
Chia-I Wu
dd958e5a21 Add sepolicy for gralloc-alloc HAL 
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
 2016-11-14 01:09:51 +00:00
Chad Brubaker
6f090f6911 Label ephemeral APKs and handle their install/uninstall 
Fixes: 32061937
Test: install/uninstall and verified no denials
Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
 2016-11-12 00:27:28 +00:00
Nick Kralevich
ee751c33c5 property.te: delete security_prop 
This property is never used.

Test: policy compiles
Change-Id: I43ace92950e1221754db28548031fbbfc0437d7a
 2016-11-11 12:31:19 -08:00
Treehugger Robot
7da34af860 Merge "property.te: sort entries" 2016-11-11 17:20:33 +00:00
Robert Sesek
dc43f7cd84 Add the "webview_zygote" domain. 
The webview_zygote is a new unprivileged zygote and has its own sockets for
listening to fork requests. However the webview_zygote does not run as root
(though it does require certain capabilities) and only allows dyntransition to
the isolated_app domain.

Test: m
Test: angler boots

Bug: 21643067
Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
 2016-11-11 10:13:17 -05:00
Nick Kralevich
26c6d726dd property.te: sort entries 
Sort the entries in property.te. This will make it slightly easier to
read, and avoids merge conflicts by discouraging the common practice of
adding entries to the bottom of this file.

Test: policy compiles.
Change-Id: I87ae96b33156dba73fb7eafc0f9a2a961b689853
 2016-11-11 02:44:51 -08:00
Jason Monk
0e1cbf568a Add persist.vendor.overlay. to properties 
Allow the system_server to change. Allow the zygote to read it as well.

Test: Have system_server set a property
Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
 2016-11-10 17:35:39 -05:00
Connor O'Brien
b24e69dca8 Allow update_verifier to use boot HIDL HAL 
Test: Flashed device and verified no update_verifier permission denials
Change-Id: I5de063c202aefef399645b153f68ff7909989eba
Signed-off-by: Connor O'Brien <connoro@google.com>
 2016-11-09 11:16:16 -08:00
Nick Kralevich
58305da980 Revert "Restore system_server ioctl socket access." 
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.

A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.

This reverts commit ec3285cde0.

(cherrypicked from commit 863ce3e7c7)

Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
 2016-11-08 12:40:44 -08:00
Nick Kralevich
364fd19782 profman/debuggerd: allow libart_file:file r_file_perms 
Addresses the following auditallow spam:

avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
 2016-11-08 09:28:28 -08:00
Polina Bondarenko
9785f2addd sepolicy: Add policy for thermal HIDL service 
Bug: 32022261
Test: manual
Change-Id: I664a3b5c37f6a3a36e4e5beb91b384a9599c83f8
 2016-11-08 13:34:31 +01:00
Nick Kralevich
68f233648e installd: r_dir_file(installd, system_file) 
Allow installd to read through files, directories, and symlinks
on /system. This is needed to support installd using files in
/system/app and /system/priv-app

Addresses the following auditallow spam:

avc: granted { getattr } for comm="installd"
path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so"
dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

avc: granted { getattr } for comm="installd"
path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so"
dev="dm-0" ino=2305 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

avc: granted { read open } for comm="installd"
path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir

avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43"
ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir

avc: granted { read open } for comm="installd"
path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43"
ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir

avc: granted { read open } for comm="installd"
path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
 2016-11-07 16:18:38 -08:00
Treehugger Robot
b0c375d46d Merge "wpa.te: Add binder permission back" 2016-11-07 23:28:35 +00:00
Roshan Pius
cec44a61ba wpa.te: Add binder permission back 
Adding back the binder permission to access keystore from
wpa_supplicant. This was removed by mistake in the previous patch
(commit#: 6caeac) to add hwbinder permissions.

Denials in logs:
11-03 14:37:54.831  9011  9011 I auditd  : type=1400 audit(0.0:1490):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:54.831  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1490): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.838  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:55.834  9011  9011 I auditd  : type=1400 audit(0.0:1491):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:55.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1491): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.838  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:56.834  9011  9011 I auditd  : type=1400 audit(0.0:1492):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:56.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1492): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.839  9011  9011 I ServiceManager: Waiting for service
android.security.keystore...
11-03 14:37:57.834  9011  9011 I auditd  : type=1400 audit(0.0:1493):
avc: denied { call } for comm="wpa_supplicant" scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0
11-03 14:37:57.834  9011  9011 W wpa_supplicant: type=1400
audit(0.0:1493): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:servicemanager:s0 tclass=binder permissive=0

Bug: 32655747
Test: Compiles. Will send for integration testing.
Change-Id: Ic57a5bf0e6ea15770efc0d09f68d04b2db9ec1b8
 2016-11-07 12:51:07 -08:00
Etan Cohen
0182a87dab Merge "[NAN-AWARE] Remove NAN service" 2016-11-06 21:56:05 +00:00
Etan Cohen
8da9cd640b Merge "[NAN-AWARE] Add Aware service" 2016-11-05 04:00:40 +00:00
Etan Cohen
43b96aaf12 [NAN-AWARE] Remove NAN service 
Finish NAN -> Aware rename process. Removes old NAN service.

Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: I2f0d9595efea2494b56074752194e7a6e66070f2
 2016-11-04 13:38:14 -07:00
Etan Cohen
44527cb970 [NAN-AWARE] Add Aware service 
Add Aware service - new name for NAN. But do not remove NAN
yet. Enables smooth transition.

Bug: 32263750
Test: device boots and all Wi-Fi unit-tests pass
Change-Id: Ieb9f1ebf1d2f31ee27f228562b4601023da5282d
 2016-11-04 13:37:17 -07:00
dcashman
ec3285cde0 Restore system_server ioctl socket access. 
Bug: 32290392
Test: Builds.
Change-Id: I46e8af202b41131cfc9bb280f04a214859c9b0de
 2016-11-03 19:36:11 -07:00
Ruchi Kandoi
0a924a6e1a hal_memtrack: Add sepolicy for memtrack service. 
Bug: 31180823
Test: reduced sepolicy errors
Change-Id: Ibfba2efa903adec340e37abec2afb3b94a262678
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
 2016-11-03 13:05:48 -07:00
Ruchi Kandoi
3c30c4e2db hal_power: Add sepolicy for power service. 
Bug: 31177288
Test: reduced sepolicy errors
Change-Id: I29556276ee14c341ac8f472875e6b69f903851ff
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
 2016-11-03 13:01:48 -07:00
Steven Moreland
1ec710c8ff Sepolicy for light hal. 
Bug: 32022100
Test: end to end
Change-Id: I5dd9b64c98a5c549fdaf9e47d5a92fa6963370c7
 2016-11-01 21:30:51 +00:00
Dianne Hackborn
11877133ba Allow new settings system service. 
Test: N/A
Change-Id: Ib3c85118bf752152f5ca75ec13371073fc2873cc
 2016-11-01 21:16:56 +00:00
Treehugger Robot
ae9d3c0c31 Merge "Added permissions for the dumpstate service." 2016-11-01 21:13:31 +00:00
Treehugger Robot
02c8383521 Merge "init: Allow SETPCAP for dropping bounding set." 2016-11-01 20:23:14 +00:00
Jorge Lucangeli Obes
847bfa4ab2 init: Allow SETPCAP for dropping bounding set. 
This is required for https://android-review.googlesource.com/#/c/295748
so that init can drop the capability bounding set for services.

Bug: 32438163
Test: With 295748 and a test service using ambient capabilities.
Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
 2016-11-01 14:32:13 -04:00
Felipe Leme
b5f5931e8c Added permissions for the dumpstate service. 
- Allow dumpstate to create the dumpservice service.
- Allow System Server and Shell to find that service.
- Don't allow anyone else to create that service.
- Don't allow anyone else to find that service.

BUG: 31636879
Test: manual verification
Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
 2016-11-01 10:43:25 -07:00
Treehugger Robot
184851a212 Merge "system_server: allow appendable file descriptors" 2016-10-31 15:45:38 +00:00
Treehugger Robot
82b9182ef3 Merge "Get rid of more auditallow spam" 2016-10-31 15:43:42 +00:00
Nick Kralevich
02cfce49ae kernel.te: tighten entrypoint / execute_no_trans neverallow 
The kernel domain exists solely on boot, and is used by kernel threads.
Because of the way the system starts, there is never an entrypoint for
that domain, not even a file on rootfs. So tighten up the neverallow
restriction.

Remove an obsolete comment. The *.rc files no longer have a setcon
statement, and the transition from the kernel domain to init occurs
because init re-execs itself. The statement no longer applies.

Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
 2016-10-30 18:46:44 -07:00
Nick Kralevich
8044129f42 system_server: allow appendable file descriptors 
system_server is currently allowed write (but not open) access to
various app file descriptor types, to allow it to perform write
operations on file descriptors passed to it from Android processes.
However, system_server was not allowed to handle file descriptors
open only for append operations.

Write operations are a superset of that allowed by appendable
operations, so it makes no sense to deny system_server the use of
appendable file descriptors. Allow it for app data types, as well as a
few other types (for robustness).

Addresses the following denial generated when adb bugreport is run:

  type=1400 audit(0.0:12): avc: denied { append } for
  path="/data/user_de/0/com.android.shell/files/bugreports/bugreport-MASTER-2016-10-29-08-13-50-dumpstate_log-6214.txt"
  dev="dm-2" ino=384984 scontext=u:r:system_server:s0
  tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Bug: 32246161
Test: policy compiles
Test: No more append denials when running adb shell am bug-report --progress
Change-Id: Ia4e81cb0b3c3580fa9130952eedaed9cab3e8487
 2016-10-29 08:20:56 -07:00
Nick Kralevich
2c8ea36ad8 Get rid of more auditallow spam 
Addresses the following audit messages:

[    7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr
} for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2"
ino=106324 scontext=u:r:init:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

[   65.528068] type=1400 audit(1477751916.508:96): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.530425] type=1400 audit(1477751916.508:97): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.530487] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file

[   65.530800] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file

[   65.530842] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.531138] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.531176] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir

[   65.531465] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir

[   65.531502] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file

[   65.531789] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file

[   65.531827] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

[   65.713056] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir

Bug: 32246161
Test: policy compiles
Test: dumpstate no longer generates the audit messages above.
Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
 2016-10-29 08:15:08 -07:00
Treehugger Robot
ece327292c Merge changes I5bbbcad3,Ifa4630ed 
* changes:
  wifi_hal: Rename to 'hal_wifi'
  wpa: Add permissions for hwbinder
 2016-10-28 23:36:21 +00:00
Nick Kralevich
79a08e13bd Get rid of auditallow spam. 
Fixes the following SELinux messages when running adb bugreport:

avc: granted { read } for name="libart.so" dev="dm-0" ino=1886
scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read execute } for path="/system/lib64/libart.so"
dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2"
ino=106290 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { getattr } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

avc: granted { read } for name="system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { read open } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir

[  169.349480] type=1400 audit(1477679159.734:129): avc: granted { read
} for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350030] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350361] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350399] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.350963] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351002] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351330] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351366] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351861] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.351910] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353105] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353186] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353594] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

[  169.353636] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354230] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.354437] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

[  169.395359] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file

Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
 2016-10-28 11:46:00 -07:00
Roshan Pius
8224596a32 wifi_hal: Rename to 'hal_wifi' 
Renaming the wifi HIDL implementation to 'hal_wifi' from 'wifi_hal_legacy'
to conform with HIDL style guide.

Denials:
01-01 21:55:23.896  2865  2865 I android.hardware.wifi@1.0-service:
wifi_hal_legacy is starting up...
01-01 21:55:23.898  2865  2865 W android.hardware.wifi@1.0-service:
/odm/lib64/hw/ does not exit.
01-01 21:55:23.899  2865  2865 F android.hardware.wifi@1.0-service:
service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL
01-01 21:55:23.899  2865  2865 F libc    : Fatal signal 6 (SIGABRT),
code -6 in tid 2865 (android.hardwar)
01-01 21:55:23.901   377   377 W         : debuggerd: handling request:
pid=2865 uid=2000 gid=2000 tid=2865
01-01 21:55:23.907  2867  2867 E         : debuggerd: Unable to connect
to activity manager (connect failed: Connection refused)
01-01 21:55:23.908  2867  2867 F DEBUG   : *** *** *** *** *** *** ***
*** *** *** *** *** *** *** *** ***
01-01 21:55:23.908  2867  2867 F DEBUG   : Build fingerprint:
'Android/aosp_angler/angler:7.0/NYC/rpius10031052:userdebug/test-keys'
01-01 21:55:23.908  2867  2867 F DEBUG   : Revision: '0'
01-01 21:55:23.908  2867  2867 F DEBUG   : ABI: 'arm64'
01-01 21:55:23.908  2867  2867 F DEBUG   : pid: 2865, tid: 2865, name:
android.hardwar  >>> /system/bin/hw/android.hardware.wifi@1.0-service
<<<
01-01 21:55:23.909  2867  2867 F DEBUG   : signal 6 (SIGABRT), code -6
(SI_TKILL), fault addr --------
01-01 21:55:23.910  2867  2867 F DEBUG   : Abort message:
'service.cpp:59] Check failed: service->registerAsService("wifi") ==
android::NO_ERROR (service->registerAsService("wifi")=-2147483646,
android::NO_ERROR=0) Failed to register wifi HAL'

Bug: 31821133
Test: Compiled and ensured that the selinux denials are no longer
present in logs.
Change-Id: I5bbbcad307e9bb9e59fff87e2926751b3aecc813
 2016-10-28 09:00:31 -07:00
Treehugger Robot
e112faeaa8 Merge "domain: neverallow on setfcap" 2016-10-27 23:45:58 +00:00
William Roberts
c3f1da99b2 domain: neverallow on setfcap 
Filesystem capabilities should only be set by the build tools
or by recovery during an update. Place a neverallow ensuring
this property.

Change-Id: I136c5cc16dff0c0faa3799d0ab5e29b43454a610
Signed-off-by: William Roberts <william.c.roberts@intel.com>
 2016-10-27 12:45:47 -07:00
Roshan Pius
6caeac7b47 wpa: Add permissions for hwbinder 
Modify permissions for wpa_supplicant to use hwbinder (for HIDL),
instead of binder.

Denials:
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:10): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0
01-15 14:31:58.573   541   541 W wpa_supplicant: type=1400
audit(0.0:11): avc: denied { call } for scontext=u:r:wpa:s0
tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=0

BUG: 31365276
Test: Compiled and ensured that the selinux denials are no longer
present in logs.

Change-Id: Ifa4630edea6ec5a916b3940f9a03ef9dc6fc9af2
 2016-10-26 14:52:12 -07:00
Treehugger Robot
70591fedf5 Merge "Rename macros for (non)binderized HALs" 2016-10-26 18:48:30 +00:00
Jeff Vander Stoep
f579ef15a8 Rename macros for (non)binderized HALs 
Test: builds
Bug: 32243668
Change-Id: I1ad4b53003462e932cf80b6972db1520dc66d735
 2016-10-26 10:04:18 -07:00
Jeff Vander Stoep
27ae545a78 clean up hal types 
Bug: 32123421
Test: build Hikey
Change-Id: Iaf02626f3f3a94104c0f9d746c3cf5f20751a27d
 2016-10-26 09:50:04 -07:00
Connor O'Brien
2370fc775c sepolicy for boot_control HAL service 
Bug: 31864052
Test: Logging confirms service runs on boot
Merged-In: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Change-Id: I41e9e5c45d2d42886cdf7ff6d364e9e6e3df1ff4
Signed-off-by: Connor O'Brien <connoro@google.com>
 2016-10-25 13:33:48 -07:00
Treehugger Robot
367d90b6a4 Merge "Add macros for treble and non-treble only policy" 2016-10-25 20:06:02 +00:00
Treehugger Robot
626edc7555 Merge "isolated_app: no sdcard access" 2016-10-21 20:29:01 +00:00
Mikhail Naganov
2ff6b4da73 Update SELinux policy for audiohal 
Change-Id: Iaa9907ed516c947175a59bf49938c0ee03b4f6d1
 2016-10-21 09:53:15 -07:00