android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.
Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.
(cherry picked from commit 89765083f7)
Bug: 22846070
Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.
Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
neverallow access to untrusted_app and isolated app
Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.
Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
Allow the non-privileged adb shell user to run strace. Without
this patch, the command "strace /system/bin/ls" fails with the
following error:
shell@android:/ $ strace /system/bin/ls
strace: ptrace(PTRACE_TRACEME, ...): Permission denied
+++ exited with 1 +++
Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee
Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originally added for GMS core, Finsky, and
Play store.
Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be
23cde8776b removed JIT capabilities
from system_server for user and userdebug builds. Remove the capability
from eng builds to be consistent across build types.
Add a neverallow rule (compile time assertion + CTS test) to verify
this doesn't regress on our devices or partner devices.
Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b
Occasionally, files get labeled with the domain type rather
than the executable file type. This can work if the author
uses domain_auto_trans() versus init_daemon_domain(). This
will cause a lot of issues and is typically not what the
author intended.
Another case where exec on a domain type might occur is if
someone attempts to execute a /proc/pid file; this also
does not make sense.
To prevent this, we add a neverallow.
Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
To prevent assigning non-property types to properties, introduce
a neverallow to prevent non-property_type types from being set.
Change-Id: Iba9b5988fe0b6fca4a79ca1d467ec50539479fd5
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Address the following denial:
SELinux E avc: denied { find } for service=drm.drmManager scontext=u:r:bluetooth:s0 tcontext=u:object_r:drmserver_service:s0
This denial is triggered by Bluetooth when MmsFileProvider.java is
using the PduPersister which in turn is using DRM.
Change-Id: I4c077635f8afa39e6bc5e10178c3a7ae3cb6a9ea
Simplify SELinux policy by deleting the procrank SELinux domain.
procrank only exists on userdebug/eng builds, and anyone wanting
to run procrank can just su to root.
Bug: 18342188
Change-Id: I71adc86a137c21f170d983e320ab55be79457c16
Third party vpn apps must receive an open tun fd from the framework
for device traffic.
neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.
Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.
Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the neverallow for writing to partitions
labeled as system_block_device.
Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.
Bug: 23186405
Test: Manually tested with Brillo build.
Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
vold hasn't used the generic "block_device" label since
commit 273d7ea4ca (Sept 2014), and
the auditallow statement in vold hasn't triggered since that time.
Remove the rule which allows vold access to the generic block_device
label, and remove the vold exception.
Thanks to jorgelo for reminding me about this.
Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: Ib9dcbf21d0a28700d500cf0ea4e412b009758d5d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When property_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
property_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: Ia86eb0480c9493ceab36fed779b2fe6ab85d2b3d
Signed-off-by: William Roberts <william.c.roberts@intel.com>
In kernel 3.18 the following error message is seen,
since audit_read was added to capability2 in classmap.h.
So add the audit_read permission to capability2.
SELinux: Permission audit_read in class capability2 not defined in policy.
SELinux: the above unknown classes and permissions will be denied
The kernel change from AOSP is:
3a101b8de0%5E%21/security/selinux/include/classmap.h
Change-Id: I236fbb8ac575c5cb8df097014da6395e20378175
Signed-off-by: Woojung Min <wmin@nvidia.com>
When service_contexts fails to build, the file is deleted
leaving only the error message for debugging. Build
service_contexts and general variant as a temporary
intermediate before running checkfc.
Change-Id: Ib9c9247d36e6a6406b4df84d10e982921c07d492
Signed-off-by: William Roberts <william.c.roberts@intel.com>