Historically we pushed all system_server SD card interactions through
DefaultContainerService to avoid holding open FDs, but it's safe to
measure disk usage for internal emulated storage when looking
directly at /data/media, since there is no risk of unsafe ejection.
These rule changes give us just enough access to measure statistics.
avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1
avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
Test: builds, boots, and access allowed
Bug: 33298975
Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.
Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
Vold shouldn't have this selinux permission, so this will be left in for
a few weeks to keep track of if removing it would be an issue to any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow
Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
Sdcardfs now supports bind mounts and remounts
instead of needing several separate mounts
bug: 30954918
Test: Enable Sdcardfs, verify mounts
Change-Id: Id94713752a08ceeb6aea7d3c29a29d3293a9b0c8
commit 221938cbee
introduces a fix that uses braces around a single item.
This is not within the normal style of no brace around
a single item. Drop the braces.
Change-Id: Ibeee1e682c0face97f18d5e5177be13834485676
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As of system/core commit a742d1027784a54c535cff69b375a9f560893155, this
functionality is no longer used.
Test: device boots and no obvious problems.
Change-Id: Ia3ad8add92f1cdaaff36f4935be8b03458fed7f2
No denials showing up in collected audit logs.
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508
auditallow has been in place since Apr 2016
(f84b798151) and no SELinux denials have
been generated / collected. Remove unused functionality.
Test: Device boots with no problems.
Test: no SELinux denials of this type collected.
Bug: 28035297
Change-Id: I52414832abb5780a1645a4df723c6f0c758eb5e6
recovery (update_binary) may need to set up cpufreq during an update.
avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0
Bug: 32463933
Test: Build a recovery image and apply an OTA package that writes to
/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5
Lock in the gains we've made so far in restricting access to generically
labeled /proc files. There's more we can do here, but let's avoid
inadvertent regressions.
Test: policy compiles. Only compile time assertions added.
Bug: 26813932
Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
/data/bugreports is moving to /bugreports
Bug: 27262109
Bug: 27204904
Bug: 32799236
Test: new symlink is in /bugreports and is labeled correctly
Change-Id: Ib6a492fba8388bf43debad28cfc851679f8c6151
Description stolen from
42a9699a9f
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
The service running the boot control HAL needs the permissions
provided by the boot_control_hal attribute. update_engine and
update_verifier still also need these permissions in order
to successfully call the new HAL in pass-through mode, but also
need permission to call the new service.
Bug: 31864052
Test: Built and confirmed no permission denials.
Change-Id: I2a6fdd5cf79b9e461d7cc14bd5b7abd6481ed911
Signed-off-by: Connor O'Brien <connoro@google.com>
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from
/data.
Bug: 32970029
Test: On HiKey and Marlin:
Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial.
Test: Apply this CL, no SELinux denials.
Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
