Update shell.te to reflect the fact that hwbinder_user permission is for
lshal, not dumpsys.
Bug: 33382892
Test: pass
Change-Id: I1d298261cea82177436a662afbaa767f00117b16
Don't audit directory writes to sysfs since they cannot succeed
and therefore cannot be a security issue
Bug: 35303861
Test: Make sure denial is no longer shown
Change-Id: I1f31d35aa01e28e3eb7371b1a75fc4090ea40464
On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.
See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103
The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.
The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.
Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc.
This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.
Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
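Added example, not code from any of these commits: a small Python emulation of the pruned restorecon walk the message above describes. `partial_match` approximates the partial-regex test used to decide whether a directory is worth descending into (the path is a prefix of some string the anchored file_contexts regex could match), and `restorecon_dirs` walks a constructed debugfs tree with the broad regex and with a constructed stand-in for the refined per-file list; both TREE and NARROW are illustrative, not the real listing or the real file_contexts entries.

```python
try:
    from re import _parser as sre_parse   # Python 3.11+
except ImportError:
    import sre_parse                      # older Pythons

def partial_match(pattern, subject):
    """Is `subject` equal to, or a prefix of, a string matching ^pattern$?
    Supports what file_contexts entries use: literals, '.', groups, ?, *."""
    def walk(items, i):
        if i == len(subject):        # subject used up while still matching
            return True              # -> partial (or full) match
        if not items:                # pattern used up with subject left over
            return False             # -> the implicit '$' anchor fails
        (op, arg), rest = items[0], items[1:]
        if op.name == "LITERAL":
            return subject[i] == chr(arg) and walk(rest, i + 1)
        if op.name == "ANY":
            return subject[i] != "\n" and walk(rest, i + 1)
        if op.name == "SUBPATTERN":
            return walk(list(arg[3]) + rest, i)
        if op.name in ("MAX_REPEAT", "MIN_REPEAT"):
            lo, hi, sub = arg
            again = [(op, (max(lo - 1, 0), hi - 1, sub))] if hi > 1 else []
            # consume one more copy of the group, or stop once lo is satisfied
            return ((hi > 0 and walk(list(sub) + again + rest, i))
                    or (lo == 0 and walk(rest, i)))
        raise ValueError("unsupported regex construct: " + op.name)
    return walk(list(sre_parse.parse(pattern)), 0)

def restorecon_dirs(tree, specs, path="/sys/kernel"):
    """Walk a {name: subtree-or-None} tree like the pruned restorecon: descend
    into a directory only if some spec partially matches it. Returns dirs visited."""
    visited = [path]
    for name, sub in tree.items():
        child = path + "/" + name
        if sub is not None and any(partial_match(p, child) for p in specs):
            visited += restorecon_dirs(sub, specs, child)
    return visited

# Constructed debugfs subtree (not a real listing): tracing/ holds two control
# files plus a 40-directory events/ tree; dri/ is an unrelated debugfs dir.
TREE = {"debug": {"dri": {"0": {"state": None}}, "tracing": {
    "trace_clock": None, "tracing_on": None,
    "events": {s: {"%s_%d" % (s, n): {"enable": None} for n in range(10)}
               for s in ("sched", "irq", "power", "block")}}}}
BROAD = ["/sys/kernel(/debug)?/tracing/(.*)?"]
NARROW = ["/sys/kernel(/debug)?/tracing/trace_clock",                 # constructed
          "/sys/kernel(/debug)?/tracing/tracing_on",                  # stand-ins for
          "/sys/kernel(/debug)?/tracing/events/sched/sched_0/enable"]  # the real list
```

With BROAD every directory under tracing/ is visited (48 here); with NARROW only the six directories on the way to the listed files are, and unrelated debugfs directories are pruned in both cases.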
Use the default filesystem label from genfs_contexts for the directory
/sys/kernel/debug/tracing and /sys/kernel/tracing, instead of explicitly
attempting to relabel it.
There are three cases we need to consider:
1) Old-style tracing functionality is on debugfs
2) tracing functionality is on tracefs, but mounted under debugfs
3) tracefs is mounted at /sys/kernel/tracing
For #1, the label on /sys/kernel/debug/tracing will be debugfs, and all
processes are allowed debugfs:dir search, so having the label be debugfs
instead of debugfs_tracing will not result in any permission change.
For #2, the label on /sys/kernel/debug/tracing will be debugfs_tracing,
which is the same as it is today. The empty directory
/sys/kernel/tracing will retain the sysfs label, avoiding the denial
below.
For #3, /sys/kernel/debug/tracing won't exist, and /sys/kernel/tracing
will have the debugfs_tracing label, where processes are allowed search
access.
Addresses the following denial:
avc: denied { associate } for pid=1 comm="init" name="tracing"
dev="sysfs" ino=95 scontext=u:object_r:debugfs_tracing:s0
tcontext=u:object_r:sysfs:s0 tclass=filesystem permissive=0
Bug: 31856701
Bug: 35197529
Test: no denials on boot
Change-Id: I7233ea92c6987b8edfce9c2f1d77eb25c7df820f
There is only a single systemapi at the moment that is callable, and it is
protected by a signature/preinstalled permission.
(cherry picked from commit I778864afc9d02f8b2bfcf6b92a9f975ee87c4724)
Bug: 35059826,33297721
Test: manually on a marlin
Change-Id: I3789ce8238f5a52ead8f466dfa3045fbcef1958e
Make the policy smaller and less noisy on user builds by suppressing
auditallow rules.
Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Iddf6f12f8ce8838e84b09b2f9f3f0c8b700543f5
auditallows have been in place for a while, and no obvious denials.
Remove domain_deprecated from init.te
While I'm here, clean up the formatting of the lines in
domain_deprecated.te.
Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056
Move net.dns* from net_radio_prop to the newly created label
net_dns_prop. This allows finer grain control over this specific
property.
Prior to this change, this property was readable to all SELinux domains,
and writable by the following SELinux domains:
* system_server
* system_app (apps which run as UID=system)
* netmgrd
* radio
This change:
1) Removes read access to this property from everyone EXCEPT untrusted_app
and system_server.
2) Limits write access to system_server.
In particular, this change removes read access to priv_apps. Any
priv_app which ships with the system should not be reading this
property.
Bug: 34115651
Test: Device boots, wifi turns on, no problems browsing the internet
Change-Id: I8a32e98c4f573d634485c4feac91baa35d021d38
Init has access to a number of character devices inherited via
domain.te. Exclude those character devices from the auditallow
logging.
In addition, init has access to a number of character devices explicitly
listed in init.te. Exclude those from auditallow logging too.
Addresses various auditallow spam, including:
avc: granted { read open } for comm="init" path="/dev/urandom"
dev="tmpfs" ino=1197 scontext=u:r:init:s0
tcontext=u:object_r:random_device:s0 tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/ptmx" dev="tmpfs"
ino=1294 scontext=u:r:init:s0 tcontext=u:object_r:ptmx_device:s0
tclass=chr_file
avc: granted { read } for comm="init" name="keychord" dev="tmpfs"
ino=1326 scontext=u:r:init:s0 tcontext=u:object_r:keychord_device:s0
tclass=chr_file
avc: granted { read open } for comm="init" path="/dev/keychord"
dev="tmpfs" ino=1326 scontext=u:r:init:s0
tcontext=u:object_r:keychord_device:s0 tclass=chr_file
and others not covered above.
Bug: 35197529
Bug: 33347297
Test: policy compiles and no auditallow denials.
Change-Id: Id869404a16c81c779943e9967eb32da226b6047e
This leaves only the existence of binderservicedomain attribute as
public API. All other rules are implementation details of this
attribute's policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with *_current targets
referenced in binderservicedomain.te.
Bug: 31364497
Change-Id: Ic830bcc5ffb6d624e0b3aec831071061cccc513c
This leaves only the existence of blkid and blkid_untrusted domains as
public API. All other rules are implementation details of these
domains' policy and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with blkid_current and
blkid_untrusted_current (as expected).
Bug: 31364497
Change-Id: I0dda2feeb64608b204006eecd8a7c9b9c7bb2b81
This leaves only the existence of system_server domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
system_server_current except those created by other domains'
allow rules referencing system_server domain from public and
vendor policies.
Bug: 31364497
Change-Id: Ifd76fa83c046b9327883eb6f0bbcd2113f2dd1a4
atrace and its atrace_exec now exist only in private policy.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with atrace_current
which is expected now that atrace cannot be referenced from
public or vendor policy.
Bug: 31364497
Change-Id: Ib726bcf73073083420c7c065cbd39dcddd7cabe3
This leaves only the existence of audioserver domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with audioserver_current
except those created by other domains' allow rules referencing
audioserver domain from public and vendor policies.
Bug: 31364497
Change-Id: I6662394d8318781de6e3b0c125435b66581363af
This leaves only the existence of surfaceflinger domain as public API.
All other rules are implementation details of this domain's policy
and are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with
surfaceflinger_current except those created by other domains'
allow rules referencing surfaceflinger domain from public and
vendor policies.
Bug: 31364497
Change-Id: I177751afad82ec27a5b6d2440cf0672cb5b9dfb8
This leaves only the existence of adbd domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules to do with adbd_current except
those created by other domains' allow rules referencing adbd
domain from public and vendor policies.
Bug: 31364497
Change-Id: Icdce8b89f67c70c6c4c116471aaa412e55028cd8