Commit graph

13 commits

Author SHA1 Message Date
Jeff Vander Stoep
be0616baf0 domain: grant write perms to cgroups
Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
2016-01-27 03:00:50 +00:00
dcashman
fcea726390 Allow domains to stat filesystems.
Address the following denials:
01-21 12:44:53.704  4595  4595 W ndroid.calendar: type=1400 audit(0.0:21): avc: denied { getattr } for name="/" dev="dm-0" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
01-21 12:45:23.177  5544  5544 W roid.music:main: type=1400 audit(0.0:46): avc: denied { getattr } for name="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=filesystem permissive=0
7618 W .android.chrome: type=1400 audit(0.0:413): avc: denied { getattr } for path="/" dev="rootfs" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0

01-21 12:44:53.709  4595  4595 D AndroidRuntime: Shutting down VM
01-21 12:44:53.727  4595  4595 E AndroidRuntime: FATAL EXCEPTION: main
01-21 12:44:53.727  4595  4595 E AndroidRuntime: Process: com.google.android.calendar, PID: 4595
01-21 12:44:53.727  4595  4595 E AndroidRuntime: java.lang.RuntimeException: Unable to get provider com.google.android.syncadapters.calendar.timely.TimelyProvider: java.lang.IllegalArgumentException: Invalid path: /data
01-21 12:44:53.727  4595  4595 E AndroidRuntime: 	at android.app.ActivityThread.installProvider(ActivityThread.java:5550)
...

Change-Id: I0e9d65438d031e19c9abc5dca8969ed4356437a0
2016-01-21 15:18:39 -08:00
Nick Kralevich
d5464736fb domain_deprecated.te: drop cache_recovery_file access
auditallow says not needed.

Change-Id: If44f64aeb5d0be78fd166d1b3eee298c5f7c860d
2016-01-16 08:15:52 -08:00
Nick Kralevich
dc37ea7393 Remove cache_recovery_file symlink read
auditallow shows no hits.

Change-Id: I5ae33d34cd4bfa48f4384926fcafd84bec60e899
2016-01-07 12:56:54 -08:00
Nick Kralevich
829a749351 domain_deprecated.te: Exclude recovery from auditallow for /cache/recovery
Recovery uses /cache/recovery. Exclude it from auditallow coverage.

Addresses the following SELinux log spam:

  avc:  granted  { search } for  pid=323 comm="recovery" name="recovery" dev="mmcblk0p38" ino=12 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir
  avc:  granted  { read } for  pid=323 comm="recovery" name="block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file
  avc:  granted  { getattr } for  pid=323 comm="recovery" path="/cache/recovery/block.map" dev="mmcblk0p38" ino=26 scontext=u:r:recovery:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=file

Change-Id: Ib6c7b44ac23fccaf2ea506429fb760ee85e87c76
2016-01-06 09:37:13 -08:00
Felipe Leme
549ccf77e3 Creates a new permission for /cache/recovery
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2016-01-04 23:11:28 +00:00
Nick Kralevich
f8f937a16f undeprecate /proc/cpuinfo, more shell permissions
Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba. Restore access to everyone.

Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.

Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.

Commit 4e2d22451f restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Cleanup the redundant entry.

Addresses the following denials:

  avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
  avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
  avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
  avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0

Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
2015-12-22 16:48:47 -08:00
Nick Kralevich
fe12b61642 label /sys/kernel/debug/tracing and remove debugfs write
Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
2015-12-14 13:57:26 -08:00
Nick Kralevich
4e2d22451f Restore sysfs_devices_system_cpu to domain.te
Lots of processes access CPU information. This seems to be triggered
by libraries loaded into every Android process. Allow the access.

Addresses the following denials:

adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1

Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35
2015-12-10 11:10:20 -08:00
Nick Kralevich
44826cb5e4 Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-07 17:04:49 -08:00
Nick Kralevich
8ca19368da Remove domain_deprecated from adbd and shell
The extra permissions are not needed. Delete them.

This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc refernces this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.

Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-27 19:18:17 -08:00
Jeff Vander Stoep
6e3506e1ba remove overly permissive rules from domain
Move to domain_deprecated

Bug: 25433265
Change-Id: Ib21876e450d8146ef9363d6430f6c7f00ab0c7f3
2015-11-09 08:44:13 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00