Don't allow processes to list out the contents of the directory
/dev/__properties__. This is an implementation specific detail that
shouldn't be visible to processes.
Test: Device boots and no problems reading individual properties.
Test: ls -la /dev/__properties__ fails
Change-Id: I4df6a829b0d22e30fb2c38030c690fc4a356f6a3

This leaves only the existence of system_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from system_app_current
attribute (as expected).
Bug: 31364497
Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96

This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from isolated_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3

This leaves the existence of priv_app domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from priv_app_current
attribute (as expected) except for
allow priv_app_current update_engine_current:binder transfer;
which is caused by public update_engine.te rules and will go
away once update_engine rules go private.
Bug: 31364497
Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391

This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from untrusted_domain_current
attribute (as expected).
Bug: 31364497
Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
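
The four commits above verify a public/private policy split with sesearch, expecting no change except the disappearance of allow rules on a retired `*_current` attribute. This added example (not part of the Android sepolicy project) diffs two sesearch rule listings and reports only the changes that the retired attribute does not explain; the sample rule lines are constructed, not taken from the real policy.

```python
import re

# Constructed sesearch --allow style output, before and after a split.
# These are illustrative rules, not rules from the real Android policy.
BEFORE = """\
allow system_app system_app_current:process setpgid;
allow system_app_current system_data_file:dir { open read search };
allow system_app system_server:binder { call transfer };
"""
AFTER = """\
allow system_app system_app_current:process setpgid;
allow system_app system_server:binder { call transfer };
"""

# One sesearch line: "<kind> <source> <target>:<class> <perm|{ perms }>;"
RULE_RE = re.compile(
    r'^\s*(allow|auditallow|dontaudit|neverallow)\s+'
    r'(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?);\s*$'
)


def parse_rules(text):
    """Expand each rule line into one (kind, src, tgt, cls, perm) tuple per permission."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip headers, blanks or unparseable lines
        kind, src, tgt, cls, perms = m.groups()
        for perm in perms.strip('{}').split():
            rules.add((kind, src, tgt, cls, perm))
    return rules


def policy_diff(before, after):
    """Return (removed, added) sets of single-permission rules."""
    b, a = parse_rules(before), parse_rules(after)
    return b - a, a - b


def unexpected_changes(before, after, retired_attr):
    """Filter out removals whose source or target is the retired attribute;
    anything left (or any added rule) is a change the split did not intend."""
    removed, added = policy_diff(before, after)
    unexplained = {r for r in removed if retired_attr not in (r[1], r[2])}
    return unexplained, added
```

An empty result from `unexpected_changes` is the "no change except the expected disappearance" condition the commit messages describe; a non-empty one lists rules to look at before merging.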

Commit fee49159e introduced the net_radio_prop and system_radio_prop
properties, and added allow rules for backwards compatibility. In
addition, auditallow rules were added to see if the allow rules were
necessary.
The auditallow rules for radio net_radio_prop are triggering, so it's
clear these properties are being set by the radio process. Drop the
auditallow statement.
Test: policy compiles.
Change-Id: I7fa6df18ed4dd4cb8e0c9098373cc28134615330

Simulate platform and non-platform split by compiling two different
file_contexts files and loading them together on-device. Leave the existing
file_contexts.bin in place until we're ready to build images based on the new
files.
Bug: 31363362
Test: Builds and boots without additional denials.
Change-Id: I7248f876e2230cee3b3cbf386422063da1e3dde0

Bring back file_contexts.bin.
Change-Id: Ifec2c363579151080fdec48e8bc46bbbc8c97674
Signed-off-by: Sandeep Patil <sspatil@google.com>

/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.
Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:
1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive
While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.
Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49

Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.
Test: "setprop asdf asdf" from the unprivileged adb shell user
generated an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1

We allow domains to manually transition to logpersist for userdebug
or eng debug logging permissions that would be counter to monitoring
limits on a released user build.
Test: compile
Bug: 30566487
Change-Id: I03a81c75cbd2b44617e4b27c4c083a26a0e0fa87

6e4508e625 inadvertently removed access
to ro.serialno and ro.boot.serialno from ADB shell. This is needed for
CTS. This commit thus reinstates the access.
Test: adb shell getprop ro.serialno
Bug: 33700679
Change-Id: I62de44b1631c03fcd64ceabaf33bbaeb869c2851

This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote except for
system_app and bluetooth.
The reason is that some of these properties may leak persistent
identifiers not resettable by the user.
Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472

ro.runtime.firstboot system property is only used internally by
system_server to distinguish the first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track an individual
device. Thus apps should not have access to this property.
Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c

SELinux policy compiler complained about a quote inside the
recovery_only section of recovery.te. This section's contents are
inside quotes and thus can't contain quotes.
Test: mmm system/sepolicy produces no warnings
Bug: 33700679
Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8

Bring the context hub service advertised name into compliance with
the other Android services. This changes the name from
"contexthub_service" to "context".
Test: GTS tests pass.
Change-Id: I8490d60f89bdb97813e328b9ddf08270470fda76

This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.
The reason for the restriction is that the serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.
Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7

Audio HAL server needs to set SCHED_FIFO scheduling policy
for its threads that communicate with FastMixer threads of
AudioFlinger that use the same scheduler.
Bug: 30222631
Change-Id: I405a69d097a6bfed455e3483365b27c4004e1063

Enabling/disabling sepolicy based on ENABLE_TREBLE is not granular
enough (ref: b/32978887 #4).
Bug: 32978887
Test: compiles, doesn't cause any additional denials on device. Nothing
depends on these things I'm removing.
Change-Id: I10acbde16e5e2093f2c9205ed79cd20caed7f44d

Generate a compile time error if someone unexpectedly tries to
transition into logpersist or logd domain.
Test: compile
Bug: 30566487
Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d

- transition to logpersist from init
- sort some overlapping negative references
- intention is to allow logpersist to be used by vendor
userdebug logging
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 30566487
Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c

auditallow (added in commit 758e6b3678)
has been in place for about 2 weeks now, and no hits. Remove
execute_no_trans.
The net effect of this change is that priv_apps won't be able to exec()
a file from their home directory, but dlopen() and friends will still
work.
Test: Compiles and boots successfully.
Test: No auditallow messages received via SELinux denial collection.
Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145