audit logs indicate that "append" is still used, but not write.
From ToT master:
avc: granted { append } for comm="tombstoned" scontext=u:r:tombstoned:s0
tcontext=u:object_r:anr_data_file:s0 tclass=file
Bug: 32064548
Test: build
Change-Id: Id05853a8ae38b84deed4d8bcca5a72c64ce7fd7e
Not needed for modern Android versions. These rules are really, really
old.
Test: "adb bugreport" continues to work
Test: Generating a bugreport via key combo continues to work.
Change-Id: Ibc1157fb36abd7fc701db3819474f25210a3cb5f
When /system/bin/crash_dump is executed from the su domain, do not
perform a domain transition. This allows processes run from that domain
to crash normally without SELinux interfering.
Bug: 114136122
Test: cferris: "This change works for me. I ran the crasher executable on
/data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp).
All of them show that crash_dump can read the executables."
Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to profman in cases where it could already access files.
Bug: 112990132
Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
DropboxManager may pass FDs to any app with the READ_LOGS
permission which is available to all apps as a development
permission.
Test: atest CtsIncidentHostTestCases
Fixes: 111856304
Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
llkd needs the ptrace capabilities and dac override to monitor for
live lock conditions on the stack dumps.
Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
This scripts checks for common problems with SELinux policy,
including:
- Declared types that are not assigned to any files
- Files that don't exist on a running device
- Rules defined in the wrong file
- Using the wrong version of _file_perms/_dir_perms
These are heuristics, mainly because it does not fully parse regular
expressions and because policy might still be needed even if the
relevant file does not exist on a single device. But it hopefully is
a start at helping cleanup policy.
Bug: 30003114
Bug: 70702017
Test: Run script on core and device-specific policy.
Test: Verify that most of its results are correct.
Change-Id: I1ded4e9b18816841198dcbf72da65f046441d626
Shell access to existing input devices is an abuse vector.
The shell user can inject events that look like they originate
from the touchscreen etc.
Everyone should have already moved to UiAutomation#injectInputEvent
if they are running instrumentation tests (i.e. CTS), Monkey for
their stress tests, and the input command (adb shell input ...) for
injecting swipes and things.
Remove the write ability for shell users, and add a neverallow assertion
(which is also a CTS test) to prevent regressions.
Bug: 30861057
Test: auditallow statement added in
f617a404c2 hasn't triggered.
Test: ran getevent, saw correct output, played with device
Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
Test to see if anyone is writing to /dev/input from the shell.
Bug: 30861057
Test: device boots and no avc granted messages.
Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f
Bug: 110887137
Test: Flash new system policy onto a device with vendor policy that uses
untrusted_app_visible_* attributes, and check that old and new attributes
are applied to exactly same types.
Change-Id: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
Merged-In: Ibee0ec645878fcc8c93cd0fbd169a8d45129d79e
(cherry picked from commit 7abca51d19)
commit 9b2e0cbeea added a new
self:global_capability_class_set macro that covers both self:capability
and self:cap_userns. Apply the new macro to various self:capability
references that have cropped up since then.
Bug: 112307595
Test: policy diff shows new rules are all cap_userns
Change-Id: I3eb38ef07532a8e693fd549dfdbc4a6df5329609
Bug: 78793464
Test: fastboot getvar partition-size:super
'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.
Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea
Attempting to reduce the number of different spellings we have for
"product services" partition in the codebase.
Bug: 112431447
Test: m
Change-Id: I1499c60e3d6c6c9fbe2e3f30f097f83b1e837c1c
Merged-In: I1499c60e3d6c6c9fbe2e3f30f097f83b1e837c1c
mediaserver is receiving a file passed as a file descriptor. Just read
and map is enough, and open should not be allowed for mediaserver.
Bug: 78436043
Error out if m4 generates a warning. This will help detect and prevent
malformed macros.
See 855084960f for motivation.
Test: policy compiles
Test: Policy doesn't compile if 855084960f
is reverted.
Change-Id: Iee6b6273bc2a24b1220861fd662573e76001defc
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
Quotes and backticks are sensitive characters and should never show up
in a comment. Fix comment to avoid the use of a single quote. Also fixes
a bug where certain rules were not getting included in the compiled
policy.
Fixes the following build warnings:
[ 3% 3564/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/plat_pub_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[ 3% 3578/114975] build out/target/product/taimen/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[ 3% 3579/114975] build out/target/product/taimen/obj/ETC/vendor_sepolicy.cil_intermediates/vendor_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[ 3% 3607/114975] build out/target/product/taimen/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
[ 3% 3677/114975] build out/target/product/taimen/obj/ETC/built_plat_sepolicy_intermediates/base_plat_policy.conf
m4:system/sepolicy/public/te_macros:404: Warning: excess arguments to builtin `define' ignored
Test: policy compiles and no warnings.
Change-Id: Ie32d8b536955b40888b79e3a93851d2ae297f8ee
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.
Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
Replace more complicated logic that determines that persistent
properties are now valid with a simple check of
ro.persistent_properties.ready.
Test: manual
Bug: 109821005
Change-Id: I8c63beb294377ea9ce6eb6336b83f529deedd830
