Add an SELinux neverallow rule (compile time assertion) that only
authorized SELinux domains are writing to files in /data/dalvik-cache.
Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache
* init
* zygote
* installd
* dex2oat
For zygote, installd, and dex2oat, these accesses make sense.
For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.
This change was motivated by the discussion
in https://android-review.googlesource.com/127582
Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.
The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.
Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd
system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.
This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.
Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.
Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.
This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.
Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.
(cherry picked from commit d31936f89c)
Bug: 19198997
Change-Id: Icfed1ee66f082df1117b090341f62981f01bc849
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.
Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.
This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.
Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.
Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571
Messenger can't send MMSes on the master branch. When Messenger sends
an MMS, it stores the message data in local file and publishes it
via a content provider. The URI is passed to the MMS API. The
MmsServiceBroker in system process gets the call and grant URI
permission to phone UID. The MmsService in phone process (and sharing
the phone UID) needs to read the URI to get message data to send.
Addresses the following denial:
type=1400 audit(0.0:32): avc: denied { read } for path="/data/data/com.google.android.apps.messaging/cache/rawmms/5394791820000274558.dat" dev="mmcblk0p28" ino=83180 scontext=u:r:radio:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
Change-Id: I2b694ff6c516714d3524e0613bae0f6773ed2e95
external/sepolicy commit 99940d1af5
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.
Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.
external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.
By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.
For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.
Addresses the following denials:
avc: denied { read } for pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf
system_app tries to access files in /data/data (lnk_files).
But due to permission issue it is not able to access the
link files.
Change-Id: I2959d899f5e3ab9caa219d684541d36587a6c059
Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.
This reverts commit 9de62d6ffe.
Bug: 17471434
Bug: 18609318
Change-Id: I9adaa9d0e4cb6a592011336e442e9d414dbac470
On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.
Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.
Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
Grant shell read access to /proc taken away by
commit: 0d3f7ddc70
Addresses the following denials encountered when running ps or top.
Bug: 18799966
Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.
This reverts commit 9de62d6ffe.
Bug: 17471434
Bug: 18609318
Change-Id: I3086cb8a8d7142b1eadce622f7e87a4c3426b6bf
