- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'
Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
Implement the booleans test in sepolicy-analyze so
that we can move the no-booleans check from the
SELinuxTest to the SELinuxHostTest along with the
other policy checks.
Change-Id: I95d7ad34da10c354470f43734d34a6ec631a7b4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.
This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.
Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
Add neverallow rules to ensure that zygote commands are only taken from
system_server.
Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7
Bug: 19624279
Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
Allow system server to handle already open app unix_stream_sockets.
This is needed to support system_server receiving a socket
created using socketpair(AF_UNIX, SOCK_STREAM) and
socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
functionality.
Addresses the following denial:
type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0
Bug: 19648474
Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
Ensure that AT_SECURE=1 is set when installd executes dex2oat.
LD_PRELOAD is no longer set by init, and installd couldn't see
LD_PRELOAD anyway due to https://android-review.googlesource.com/129971 .
Drop it.
Continuation of commit b00a037992
Change-Id: Icaf08768b3354c6a99dd0f77fef547a706cc96e9
The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.
Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.
Longer term, we need to move GMS core into it's own domain, but that's
a longer term change.
Addresses the following denial:
W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
(cherrypick from commit e2547c3bff)
Bug: 18504118
Bug: 18340553
Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
With the move to block based OTAs, we're never going to fix
this bug. Remove the auditallow statement to avoid SELinux log
spam.
Bug: 15575013
Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
Right now, the system_server has the CAP_SYS_MODULE capability. This allows the
system server to install kernel modules. Effectively, system_server is one
kernel module load away from full root access.
Most devices don't need this capability. Remove this capability from
the core SELinux policy. For devices which require this capability,
they can add it to their device-specific SELinux policy without making
any framework code changes.
In particular, most Nexus devices ship with monolithic kernels, so this
capability isn't needed on those devices.
Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
isolated apps should only be able to access 2 services.
Remove access permissions for services inappropriately added,
and add a neverallow rule to prevent regressions.
Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
Allow init to
1. Access device mapper to set up dm-verity devices
avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0
2. Access the metadata partition to load and store dm-verity state
avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0
3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered
by dm-verity
avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0
These can be reproduced using the following steps:
1. Add fs_mgr flag verify to the system partition in fstab
2. Add a device specific init.rc handler for the init action that
calls the built-in command verity_load_state.
Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
This reverts commit 27042f6da1.
Managed profiles are represented by new android users which have the ability to
communicate across profiles as governed by an IntentFilter provisioned by the
DevicePolicyManager. This communication includes reading and writing content
URIs, which is currently obstructed by the mls separation between an owning user
and its managed profile.
Bug: 19444116
Bug: 19525465
Bug: 19540297
Bug: 19592525
Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference
Address the following denial:
avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
As of https://android-review.googlesource.com/127858 ,
open(O_RDONLY) is no longer used for chmod. It's no
longer necessary to allow init to read the SELinux policy.
Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
The install_recovery script creates a new recovery image based
off of the boot image plus a patch on /system. We need to allow
read access to the boot image to allow the patching to succeed,
otherwise OTAs are broken.
Addresses the following denial:
type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
TODO: Add device specific labels for the boot image.
Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
Addresses the following denial encountered when sharing photos between personal
and managed profiles:
Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5