The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.
Fixes the following denial:
<5>[ 82.120746] type=1400 audit(1830030.349:5): avc: denied { name_connect } for pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631
Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.
Addresses the following denial:
[ 1831.586826] type=1400 audit(1384129166.563:173): avc: denied { create } for pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Change-Id: Ia542a9df3e466a8d409955bab6a23a524ff3d07b
Bug: 11097631
Use more general type names for the contents of /data/misc/camera and
/data/misc/audio. These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy. So we may as well switch
AOSP to these names.
Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.
Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names.
to the new ones. Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.
Option #2 is implemented by this change.
Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.
Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
This is causing runtime restarts on flo/deb when uninstalling
some APKs. Revert while I investigate it.
11-04 21:52:41.487 687 704 I ActivityManager: Force stopping com.android.development appid=10078 user=-1: uninstall pkg
11-04 21:52:41.487 687 712 W PackageManager: Couldn't delete native library directory /data/app-lib/com.android.development
11-04 21:52:41.557 687 712 W dalvikvm: threadid=20: thread exiting with uncaught exception (group=0x959dfae8)
11-04 21:52:41.557 687 712 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: PackageManager
11-04 21:52:41.557 687 712 E AndroidRuntime: java.lang.NullPointerException
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.security.KeyStore.clearUid(KeyStore.java:327)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.removeKeystoreDataIfNeeded(PackageManagerService.java:9787)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.removePackageDataLI(PackageManagerService.java:9384)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deleteInstalledPackageLI(PackageManagerService.java:9503)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deletePackageLI(PackageManagerService.java:9612)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deletePackageX(PackageManagerService.java:9239)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.access$4100(PackageManagerService.java:178)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService$7.run(PackageManagerService.java:9173)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:733)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Looper.loop(Looper.java:136)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:61)
11-04 21:52:41.567 687 712 I Process : Sending signal. PID: 687 SIG: 9
and
[ 7.324554] type=1400 audit(1383601030.823:5): avc: denied { read write } for pid=192 comm="keystore" name="qseecom" dev="tmpfs" ino=7521 scontext=u:r:keystore:s0 tcontext=u:object_r:device:s0 tclass=chr_file
This reverts commit 709d71836d.
Bug: 11518274
Recommend using concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This will allow
sepolicy to exist in the vendor directory.
Change-Id: If982217fcb3645d9c6b37a341755b5b65f26fc5f
