Commit graph

55 commits

Author SHA1 Message Date
William Roberts
2f5a6a96bd Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 10:32:06 -07:00
Nick Kralevich
2d425de9f4 am b1b5e662: am caefbd71: allow adbd to set sys.usb.ffs.ready
* commit 'b1b5e662ffbbaf2fe473c336954ef9d4a835f5f6':
  allow adbd to set sys.usb.ffs.ready
2015-04-24 03:46:32 +00:00
Nick Kralevich
caefbd71c5 allow adbd to set sys.usb.ffs.ready
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Jeff Sharkey
346a468b93 am bf75239c: am 4f4a4754: Merge "Apps need more than just search."
* commit 'bf75239cdb3d55c0979fcbc29182aca10e2c1d04':
  Apps need more than just search.
2015-04-03 17:39:55 +00:00
Jeff Sharkey
3bdc0abc68 Apps need more than just search.
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=3129 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=0

Change-Id: I802321331e9bd7ae41d3af7ace39364240db6d84
2015-04-03 09:54:33 -07:00
Jeff Sharkey
c63d824426 am 2768f1cb: am 93fd6f0a: Consistent external storage policy.
* commit '2768f1cb723089a1b281d3fee39503d37bb9154f':
  Consistent external storage policy.
2015-04-03 14:52:53 +00:00
Jeff Sharkey
93fd6f0a4e Consistent external storage policy.
Apps, shell and adbd should all have identical access to external
storage.  Also document where we have files and/or symlinks.

Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
2015-04-02 18:20:22 -07:00
Nick Kralevich
dee73f90e6 am 106ca81b: am 2714e41a: am b4876619: Merge "bootchart: add policy rules for bootchart"
* commit '106ca81bcb070dad96b2ae29bae6b7e6320a9533':
  bootchart: add policy rules for bootchart
2015-02-24 17:33:10 +00:00
Nick Kralevich
2714e41a3c am b4876619: Merge "bootchart: add policy rules for bootchart"
* commit 'b487661946ad632e34412ffccf55d43723ded572':
  bootchart: add policy rules for bootchart
2015-02-24 17:22:51 +00:00
Yongqin Liu
cc38e6d1a4 bootchart: add policy rules for bootchart
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2015-02-24 01:02:20 +08:00
dcashman
880938af90 am 49e7e0c2: am d8800a10: am cd82557d: Restrict service_manager find and list access.
* commit '49e7e0c24846468fe6ed408ef00b8182058fb30f':
  Restrict service_manager find and list access.
2014-12-16 23:50:11 +00:00
dcashman
49e7e0c248 am d8800a10: am cd82557d: Restrict service_manager find and list access.
* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
  Restrict service_manager find and list access.
2014-12-16 23:01:31 +00:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Nick Kralevich
cb71b82565 am c4ed15a8: am 2c38b3b8: DO NOT MERGE: allow access to labeled executables in /system
* commit 'c4ed15a88692ef47d249eb159beb83ec9b054f6a':
  DO NOT MERGE: allow access to labeled executables in /system
2014-10-23 15:58:56 +00:00
Nick Kralevich
2c38b3b809 DO NOT MERGE: allow access to labeled executables in /system
Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.

Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.

This allows "adb pull /system" to work without generating
SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604
2014-10-21 22:39:42 -07:00
Nick Kralevich
973877dbc1 Allow adbd to write to /data/adb
adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895
Change-Id: Ia5af09045e9f72a95325b429c30a5ae78e104bdc
2014-10-21 16:15:52 +00:00
dcashman
3e6da1472f Enable selinux read_policy for adb pull.
Remove permission from appdomain.

(cherry picked from commit 309cc668f9)

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
2014-09-26 14:33:42 -07:00
dcashman
309cc668f9 Enable selinux read_policy for adb pull.
Remove permission from appdomain.

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
2014-09-09 14:28:25 -07:00
Stephen Smalley
45731c70ef Annotate MLS trusted subjects and objects.
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file.  Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-08 16:06:40 -04:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
14aa7c0608 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea347)

Change-Id: I25354db2add3135335c80be2c2d350e526137572
2014-07-17 16:30:26 -07:00
Riley Spahn
88157ea347 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
2014-07-17 21:33:33 +00:00
Ed Heyl
7563a6f1fb reconcile aosp (a7c04dcd74) after branching. Please do not merge.
Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7
2014-07-14 23:31:01 -07:00
Nick Kralevich
a7c04dcd74 Remove domain:process from unconfined
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-10 13:54:20 -07:00
Nick Kralevich
98b7ab5396 allow adb push to create directories.
Addresses the following denial:

  type=1400 audit(0.0:24): avc: denied { create } for comm="adbd" name="md5sum" scontext=u:r:adbd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir

Change-Id: Ibb1708af85b2235cbad2794993cfeef896f8db4a
2014-06-08 13:47:33 -07:00
Nick Kralevich
4fd4a2054d Allow adbd / shell /data/anr access
The shell user needs to be able to run commands like
"cat /data/anr/traces.txt". Allow it.

We also need to be able to pull the file via adb.
"adb pull /data/anr/traces.txt". Allow it.

Addresses the following denials:

<4>[   20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
<4>[   27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Bug: 15450720
Change-Id: I767102a7182895112838559b0ade1cd7c14459ab
2014-06-05 13:31:31 -07:00
Nick Kralevich
24b5622528 Remove obsolete vdc rule.
As of system/core commit 225459a5da21e9397ca49b0d9af7d5fe3462706b,
adbd no longer talks to vold. Remove the obsolete rule.

Bug: 12504045
Change-Id: I0a4f621afd8e5f8ab83219e7b0ff096c992d365f
2014-06-02 21:11:23 -07:00
Stephen Smalley
356f4be679 Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 13:14:22 -04:00
Nick Kralevich
77cc05502f Label /dev/usb-ffs/adb functionfs
Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.

Once labeled, this addresses the following denials:

<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file

Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
2014-04-15 15:12:45 -07:00
dcashman
ddde8c2933 Allow adbd access to gpu_device.
Addresses denials seen when attempting to take a screencaputre from ddms:
<5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Bug: 13188914
Change-Id: I758e4f87ab024035604d47eebae7f89f21ea1e3e
2014-03-12 10:33:25 -07:00
Stephen Smalley
0296b9434f Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 21:26:08 +00:00
Stephen Smalley
35102f584b Drop rules for /data/misc/adb legacy type.
This should be obsoleted by the restorecon in
I30e4d2a1ae223a03eadee58a883c79932fff59fe .

Change-Id: Iaeacb1b720b4ac754c6b9baa114535adc1494df2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 11:29:11 -05:00
Nick Kralevich
f95636651c Move adbd into enforcing (all build types)
adbd was only in enforcing for user builds. Commit
Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6 allows us to move
it into enforcing for everyone. Do it.

Change-Id: Ie1a3e5361c891d2c9366e11f35699e3146cc3d88
2014-01-27 11:09:31 -08:00
Nick Kralevich
7d0f955ef0 Support running adbd in the su domain.
When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.

This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.

Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
2014-01-23 09:22:43 -08:00
Nick Kralevich
570e5f4353 Move adbd into enforcing on user devices
Change-Id: Ic5aae78d575dba50d0a4bb78747da3ba4b81fb7b
2014-01-13 08:59:13 -08:00
Nick Kralevich
40ce0bb81b allow adbd setpcap
adbd uses setpcap to drop capabilities from the bounding
set on user builds. See system/core commit
080427e4e2b1b72718b660e16b6cf38b3a3c4e3f

Change-Id: I6aec8d321b8210ea50a56aeee9bc94738514beab
2014-01-11 14:11:45 -08:00
Stephen Smalley
81e74b1cdf Confine adbd but leave it permissive for now.
Will likely want to split into adbd_user.te vs adbd.te before
going enforcing to support adb root and adb remount on non-user builds.
Possibly take all common rules to an adbdcommon.te.

Change-Id: I63040c7f5f0fca10b3df682572c51c05e74738a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-02 15:46:39 -05:00
Stephen Smalley
48759ca205 Support run-as and ndk-gdb functionality.
Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 15:00:44 -05:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
Stephen Smalley
55540755bc Label adb keys file and allow access to it.
The /adb_keys entry will only take effect if a restorecon is
applied by init.rc on a kernel that includes the rootfs labeling
support, but does no harm otherwise.

The /data/misc/adb labeling ensures correct labeling of the adb_keys
file created if the device has ro.adb.secure=1 set.

Allow adbd to read the file.

Change-Id: I97b3d86a69681330bba549491a2fb39df6cf20ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-01 09:08:28 -04:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
Alex Klyubin
3b9fd5ffcd SELinux policy: let adbd drop Linux capabilities.
Change-Id: Id41891b89c7b067919cbda06ab97d5eff2ad044f
2013-05-10 00:30:23 +00:00
repo sync
9504a50740 Allow ADB to interact extensively with system_data_files.
Long term this should be scoped down.

Change-Id: I261f05568566cca38bc5c43fbfa7ff1c816e5846
2013-04-30 18:18:31 -07:00
Nick Kralevich
1e25b98074 Revert "Add the sysrq_file special file and give ADB write access."
This rule doesn't work, as /proc/sysrq-trigger isn't properly labeled.
Revert this change for now.

This reverts commit bb2591e56f.
2013-04-25 14:46:36 -07:00
Geremy Condra
bb2591e56f Add the sysrq_file special file and give ADB write access.
Change-Id: Ief2d412dddf4cefdf43a26538c4be060df4cc787
2013-04-05 13:13:52 -07:00
Stephen Smalley
81fe5f7c0f Allow all domains to read the log devices.
Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-05 13:07:16 -07:00
Geremy Condra
2c831009a5 Fix various SELinux denials.
Change-Id: I73a2b841ab3399b7528b8084a5c4736e6ecea48a
2013-04-03 12:00:41 -07:00
Geremy Condra
e69552ba2d Revert "Revert "Various minor policy fixes based on CTS.""
This reverts commit ba84bf1dec

Hidden dependency resolved.

Change-Id: I9f0844f643abfda8405db2c722a36c847882c392
2013-03-27 20:34:51 +00:00
Geremy Condra
ba84bf1dec Revert "Various minor policy fixes based on CTS."
This reverts commit 8a814a7604

Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
2013-03-22 21:41:37 +00:00
Stephen Smalley
8a814a7604 Various minor policy fixes based on CTS.
Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-22 15:27:02 -04:00