Commit graph

3943 commits

Mark Salyzyn
61d665af16 logd: allow access to system files
- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'

Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
2015-03-11 23:00:37 +00:00
Nick Kralevich
5434a8a913 Merge "system_server: neverallow blk_file read/write" 2015-03-11 20:07:53 +00:00
Nick Kralevich
fbaf72ed8f Merge "sepolicy-analyze: Implement booleans test." 2015-03-11 20:07:31 +00:00
Stephen Smalley
a7b2c5f4ab sepolicy-analyze: Implement booleans test.
Implement the booleans test in sepolicy-analyze so
that we can move the no-booleans check from the
SELinuxTest to the SELinuxHostTest along with the
other policy checks.

Change-Id: I95d7ad34da10c354470f43734d34a6ec631a7b4e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-11 17:03:42 -04:00
Nick Kralevich
acc0842c4b system_server: neverallow blk_file read/write
With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly manipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
2015-03-11 12:48:02 -07:00
Nick Kralevich
c01f7fd1c1 system_server: remove appdomain:file write
system_server no longer writes to /proc/pid/oom_adj_score. This is
handled exclusively by lmkd now.

See the following commits:

Kernel 3.18:
* https://android-review.googlesource.com/139083
* https://android-review.googlesource.com/139082

Kernel 3.14:
* https://android-review.googlesource.com/139081
* https://android-review.googlesource.com/139080

Kernel 3.10:
* https://android-review.googlesource.com/139071
* https://android-review.googlesource.com/139671

Kernel 3.4:
* https://android-review.googlesource.com/139061
* https://android-review.googlesource.com/139060

Bug: 19636629
Change-Id: Ib79081365bcce4aa1190de037861a87b55c15db9
2015-03-11 13:21:01 +00:00
dcashman
6843a7932a am 8f81dcad: Only allow system_server to send commands to zygote.
* commit '8f81dcad5bb322a75bc61c8b42f8287e2afeaddc':
  Only allow system_server to send commands to zygote.
2015-03-09 20:55:41 +00:00
dcashman
8f81dcad5b Only allow system_server to send commands to zygote.
Add neverallow rules to ensure that zygote commands are only taken from
system_server.

Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279

Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
2015-03-09 11:26:56 -07:00
Nick Kralevich
b41eb698ee am 0560e75e: system_server: allow handling app generated unix_stream_sockets
* commit '0560e75e4f03e4637637de8512a4718fe7870df8':
  system_server: allow handling app generated unix_stream_sockets
2015-03-09 15:46:38 +00:00
Nick Kralevich
0560e75e4f system_server: allow handling app generated unix_stream_sockets
Allow system server to handle already open app unix_stream_sockets.
This is needed to support system_server receiving a socket
created using socketpair(AF_UNIX, SOCK_STREAM) and
socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
functionality.

Addresses the following denial:

  type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0

Bug: 19648474
Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
2015-03-08 23:55:28 -07:00
Nick Kralevich
7afcaafc3a am 0d0d5aa9: installd: drop noatsecure for dex2oat
* commit '0d0d5aa9cd48e3f3f8b115f7a6ffbdad5894ad2c':
  installd: drop noatsecure for dex2oat
2015-03-07 23:38:36 +00:00
Nick Kralevich
0d0d5aa9cd installd: drop noatsecure for dex2oat
Ensure that AT_SECURE=1 is set when installd executes dex2oat.

LD_PRELOAD is no longer set by init, and installd couldn't see
LD_PRELOAD anyway due to https://android-review.googlesource.com/129971 .
Drop it.

Continuation of commit b00a037992

Change-Id: Icaf08768b3354c6a99dd0f77fef547a706cc96e9
2015-03-07 15:03:26 -08:00
dcashman
4eb2bc7e18 am bb3cef44: Record observed bluetooth service access.
* commit 'bb3cef4488b86ea815bc9b35c528f62e47377f5d':
  Record observed bluetooth service access.
2015-03-07 17:56:38 +00:00
dcashman
bb3cef4488 Record observed bluetooth service access.
Bug: 18106000
Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
2015-03-06 11:13:29 -08:00
Nick Kralevich
a9f288b850 am 1aafc4c7: allow untrusted_app read /data/anr/traces.txt
* commit '1aafc4c7d34b30870ab985a8c33f9c87e16fd73c':
  allow untrusted_app read /data/anr/traces.txt
2015-03-06 16:32:46 +00:00
Nick Kralevich
1aafc4c7d3 allow untrusted_app read /data/anr/traces.txt
The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.

Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.

Longer term, we need to move GMS core into its own domain, but that's
a longer term change.

Addresses the following denial:

W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

(cherrypick from commit e2547c3bff)

Bug: 18504118
Bug: 18340553
Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
2015-03-05 17:00:58 -08:00
Nick Kralevich
bb21fe8a86 resolved conflicts for merge of 8be3e779 to stage-aosp-master
Change-Id: I3b402e3a0f55b236c48dc9f4be1973cbfc0af8a4
2015-03-05 16:53:03 -08:00
Nick Kralevich
8be3e77986 move untrusted_app statement to the correct file.
Change-Id: I5ae9606023ef7f3489f44e6657766e922160c470
2015-03-05 15:40:04 -08:00
Nick Kralevich
88d6766b99 am ee66ba8c: Merge "update isolated_app service_manager rules"
* commit 'ee66ba8c4062f6cd1ce481384d39d13e0281f8bc':
  update isolated_app service_manager rules
2015-03-05 23:17:13 +00:00
Nick Kralevich
303e139a5c am b76966d6: recovery: remove auditallow for exec_type:dir writes
* commit 'b76966d65d4e59cbb20b5a78bc583a9907a495da':
  recovery: remove auditallow for exec_type:dir writes
2015-03-05 23:13:44 +00:00
Nick Kralevich
ee66ba8c40 Merge "update isolated_app service_manager rules" 2015-03-05 23:12:44 +00:00
Nick Kralevich
b76966d65d recovery: remove auditallow for exec_type:dir writes
With the move to block based OTAs, we're never going to fix
this bug. Remove the auditallow statement to avoid SELinux log
spam.

Bug: 15575013
Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
2015-03-05 14:59:53 -08:00
Nick Kralevich
efb4bdb9f4 am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server
* commit '92b10ddb47caa4c80a626e6c70330439feb4aa30':
  Eliminate CAP_SYS_MODULE from system_server
2015-03-05 22:46:05 +00:00
Nick Kralevich
92b10ddb47 Eliminate CAP_SYS_MODULE from system_server
Right now, the system_server has the CAP_SYS_MODULE capability.  This allows the
system server to install kernel modules.  Effectively, system_server is one
kernel module load away from full root access.

Most devices don't need this capability. Remove this capability from
the core SELinux policy. For devices which require this capability,
they can add it to their device-specific SELinux policy without making
any framework code changes.

In particular, most Nexus devices ship with monolithic kernels, so this
capability isn't needed on those devices.

Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
2015-03-05 14:14:27 -08:00
Nick Kralevich
75f34dc392 update isolated_app service_manager rules
isolated apps should only be able to access 2 services.
Remove access permissions for services inappropriately added,
and add a neverallow rule to prevent regressions.

Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
2015-03-05 12:12:00 -08:00
Sami Tolvanen
9905c88361 am 723e31ef: Merge "Allow init to set up dm-verity"
* commit '723e31efe568bf3372205cb539436fb1ecef4e3f':
  Allow init to set up dm-verity
2015-03-05 04:29:50 +00:00
Sami Tolvanen
723e31efe5 Merge "Allow init to set up dm-verity" 2015-03-05 04:26:01 +00:00
Sami Tolvanen
35f537c7ef Allow init to set up dm-verity
Allow init to

 1. Access device mapper to set up dm-verity devices

    avc:  denied  { write } for  pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0

 2. Access the metadata partition to load and store dm-verity state

    avc:  denied  { write } for  pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0

 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered
    by dm-verity

    avc:  denied  { getattr } for  pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0

These can be reproduced using the following steps:

 1. Add fs_mgr flag verify to the system partition in fstab

 2. Add a device specific init.rc handler for the init action that
    calls the built-in command verity_load_state.

Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-05 01:46:47 +00:00
dcashman
e44a431d20 am 60cfe79f: Revert "Drop special handling of app_data_file in mls constraints."
* commit '60cfe79f1807c2dd1897cc026f342946ed92ee65':
  Revert "Drop special handling of app_data_file in mls constraints."
2015-03-05 01:13:47 +00:00
dcashman
60cfe79f18 Revert "Drop special handling of app_data_file in mls constraints."
This reverts commit 27042f6da1.

Managed profiles are represented by new android users which have the ability to
communicate across profiles as governed by an IntentFilter provisioned by the
DevicePolicyManager.  This communication includes reading and writing content
URIs, which is currently obstructed by the mls separation between an owning user
and its managed profile.

Bug: 19444116
Bug: 19525465
Bug: 19540297
Bug: 19592525
Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
2015-03-04 16:39:58 -08:00
dcashman
31a8511a79 am 23f33615: Record observed system_server servicemanager service requests.
* commit '23f336156daf61ba07c024af2fe96994605f46eb':
  Record observed system_server servicemanager service requests.
2015-03-03 19:50:02 +00:00
dcashman
23f336156d Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:38:07 -08:00
Nick Kralevich
77a16b43c7 am 3e113edf: neverallow ueventd to set properties
* commit '3e113edf0225bbe54a0f98353dd22de855ee2657':
  neverallow ueventd to set properties
2015-03-03 17:34:01 +00:00
Nick Kralevich
3e113edf02 neverallow ueventd to set properties
Add a compile time assertion that no SELinux rules exist which
allow ueventd to set properties, or even connect to the property
socket.

See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
for details.

Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
2015-03-02 20:10:48 -08:00
dcashman
66d02db0e8 am 19eecd2d: Merge "Allow platform_app access to keystore."
* commit '19eecd2dd7bd0f542e8ac7ed6ea576dc397f6639':
  Allow platform_app access to keystore.
2015-03-02 19:46:51 +00:00
dcashman
19eecd2dd7 Merge "Allow platform_app access to keystore." 2015-03-02 19:43:02 +00:00
dcashman
7bf1b89719 am e8df21b2: Merge "Remove read access from mls constraints."
* commit 'e8df21b20dfc70be413d788586c5f43961c23197':
  Remove read access from mls constraints.
2015-03-02 19:41:52 +00:00
dcashman
6a2451b580 Allow platform_app access to keystore.
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc:  denied  { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
2015-03-02 11:31:26 -08:00
dcashman
e8df21b20d Merge "Remove read access from mls constraints." 2015-03-02 18:43:43 +00:00
Nick Kralevich
29b74271ad am e4da594d: Merge "Delete unconfined domain"
* commit 'e4da594d9db3554621c9818ab2144f71ec9a8dac':
  Delete unconfined domain
2015-03-02 17:24:25 +00:00
Nick Kralevich
547aa01865 am 07e73489: init: drop read_policy permission
* commit '07e7348921816cf4f02006016c06d07156c2bd51':
  init: drop read_policy permission
2015-03-02 17:24:24 +00:00
Nick Kralevich
e4da594d9d Merge "Delete unconfined domain" 2015-03-02 17:18:24 +00:00
Nick Kralevich
f435a8e556 Delete unconfined domain
No longer used.  :-)

Change-Id: I687cc36404e8ad8b899b6e76b1de7ee8c5392e07
2015-02-28 11:27:35 -08:00
Nick Kralevich
07e7348921 init: drop read_policy permission
As of https://android-review.googlesource.com/127858 ,
open(O_RDONLY) is no longer used for chmod. It's no
longer necessary to allow init to read the SELinux policy.

Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
2015-02-28 03:55:15 -08:00
Stephen Smalley
0f671bb074 am ed532c06: init: remove permissive_or_unconfined()
* commit 'ed532c06d610cf992b8e86c0cbf812865747a53b':
  init: remove permissive_or_unconfined()
2015-02-28 03:20:48 +00:00
Stephen Smalley
ed532c06d6 init: remove permissive_or_unconfined()
Bug: 19050686
Change-Id: Ie41c3e4d5aaeb43577ba85a4768a5fdbdd665efb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-27 19:14:27 -08:00
Nick Kralevich
de41e919e6 am a8e073cd: Create boot_block_device and allow install_recovery read access
* commit 'a8e073cde0e7d39ebe5d97de497edf22713d3501':
  Create boot_block_device and allow install_recovery read access
2015-02-28 02:18:51 +00:00
Nick Kralevich
a8e073cde0 Create boot_block_device and allow install_recovery read access
The install_recovery script creates a new recovery image based
off of the boot image plus a patch on /system. We need to allow
read access to the boot image to allow the patching to succeed,
otherwise OTAs are broken.

Addresses the following denial:

  type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

TODO: Add device specific labels for the boot image.

Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
2015-02-27 17:39:09 -08:00
Nick Kralevich
ad9cb7e5b5 am 543faccc: allow init tmpfs:dir relabelfrom
* commit '543faccc62dd9a31fa12a641678de61a44ba7b70':
  allow init tmpfs:dir relabelfrom
2015-02-28 01:15:21 +00:00
dcashman
e8f95b363a Remove read access from mls constraints.
Addresses the following denial encountered when sharing photos between personal
and managed profiles:

Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0

Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
2015-02-27 16:03:00 -08:00