Commit graph

68 commits

Author SHA1 Message Date
Jeff Vander Stoep
e555f4b971 Further restrict access to tun_device
Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
2015-12-03 15:56:04 -08:00
Nick Kralevich
85dcd53b74 Move bluetoothdomain rules into their own file.
Don't mix bluetooth rules with bluetoothdomain. The bluetoothdomain
rules are used by several other SELinux domains, not just bluetooth,
and keeping them in the same file is confusing.

Change-Id: I487251ab1c1392467a39c7a87328cdaf802fc1f8
2015-11-18 09:19:17 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Jeffrey Vander Stoep
b62298375d am 1d2eaf92: Merge "Allow bluetooth to find the drmservice"
* commit '1d2eaf92c3dfd187fa7fff687ebfe49389fe46cb':
  Allow bluetooth to find the drmservice
2015-10-15 17:11:29 +00:00
Johan Redestig
32e5e31a63 Allow bluetooth to find the drmservice
Address the following denial:
  SELinux  E  avc:  denied  { find } for service=drm.drmManager scontext=u:r:bluetooth:s0 tcontext=u:object_r:drmserver_service:s0

This denial is triggered by Bluetooth when MmsFileProvider.java is
using the PduPersister which in turn is using DRM.

Change-Id: I4c077635f8afa39e6bc5e10178c3a7ae3cb6a9ea
2015-10-08 17:18:00 +00:00
Jeff Vander Stoep
694e2bfbaf am de53051a: Do not allow untrusted_app to open tun_device
* commit 'de53051a8282ec59fdd21667850997bc4096f8d2':
  Do not allow untrusted_app to open tun_device
2015-10-07 21:04:24 +00:00
Jeff Vander Stoep
de53051a82 Do not allow untrusted_app to open tun_device
Third party vpn apps must receive open tun fd from the framework
for device traffic.

neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.

Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
2015-10-07 20:40:24 +00:00
Sharvil Nanavati
bea8a99c91 DO NOT MERGE Grant Bluetooth the ability to acquire wake locks.
Bug: 23375670
Change-Id: I0454c580b465a2f0edc928cf0effb71733866f03
2015-08-31 23:28:15 -07:00
William Roberts
2f5a6a96bd Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 10:32:06 -07:00
Nick Kralevich
b4807fe1a8 am 82966219: Merge "Replace unix_socket_connect() and explicit property sets with macro"
* commit '82966219e6962502fbda5a1c911cde06776ccf35':
  Replace unix_socket_connect() and explicit property sets with macro
2015-05-07 16:15:51 +00:00
William Roberts
625a3526f1 Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 00:02:59 +00:00
Vinit Deshpande
721f3e3650 am fcdd354..fcdd354 from mirror-m-wireless-internal-release
fcdd354 Add permission for Bluetooth Sim Access Profile

Change-Id: I9b40b17be0c9bf08ca48ad34d3718d421ec6466e
2015-04-14 16:07:12 -07:00
Casper Bonde
fcdd354653 Add permission for Bluetooth Sim Access Profile
Added permission to SAP socket used to access the the RIL daemon

Change-Id: Ifbfb764f0b8731e81fb3157955aa4fda6120d846
Signed-off-by: Casper Bonde <c.bonde@samsung.com>
2015-04-12 22:18:31 -07:00
dcashman
bd7f5803f9 Enforce more specific service access.
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 09:45:54 -07:00
dcashman
03a6f64f95 Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
2015-04-08 20:26:50 +00:00
dcashman
91b7c67d16 Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
2015-04-07 15:48:58 -07:00
dcashman
3cc6fc5ffb Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
2015-04-07 12:43:47 -07:00
dcashman
d4c78f4b3f Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
2015-04-07 16:59:38 +00:00
dcashman
4cdea7fc40 Assign app_api_service attribute to services.
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
2015-04-06 13:20:41 -07:00
dcashman
b075338d0e Assign app_api_service attribute to services.
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
2015-04-03 14:29:40 -07:00
dcashman
d12993f084 Add system_api_service and app_api_service attributes.
System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 11:20:00 -07:00
dcashman
8af4e9cb00 Record observed service accesses.
Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
2015-04-01 14:30:46 -07:00
dcashman
bb3cef4488 Record observed bluetooth service access.
Bug: 18106000
Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
2015-03-06 11:13:29 -08:00
dcashman
6a2451b580 Allow platform_app access to keystore.
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc:  denied  { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
2015-03-02 11:31:26 -08:00
dcashman
41d961a728 Allow bluetooth surfaceflinger access.
Address the following denial:
02-12 07:51:42.702: E/SELinux(158): avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:bluetooth:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

which occurs when the remote service starts up.
02-12 07:51:42.702: E/ServiceManager(158): find_service('SurfaceFlinger') uid=1002 - PERMISSION DENIED
02-12 07:51:42.702: I/ServiceManager(2827): Waiting for service SurfaceFlinger...
02-12 07:51:42.959: E/ActivityManager(469): ANR in com.google.android.remote.tv.services
02-12 07:51:42.959: E/ActivityManager(469): PID: 2827
02-12 07:51:42.959: E/ActivityManager(469): Reason: executing service com.google.android.tv.remote/.RemoteService

Bug: 19268019
Change-Id: I2d415c2ea2f70cf71851147253cf6e1906fd0940
2015-02-12 09:50:20 -08:00
dcashman
895a4f2cf7 Allow bluetooth mediaserver_service access.
This was observed when attempting to change volume for a bluetooth device
supporting AVRCP volume control.

Addresses the following denials:
avc:  denied  { find } for service=media.audio_flinger scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
avc:  denied  { find } for service=media.audio_policy scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Bug: 19341236
Change-Id: If7f2ff1ea9fc694bad700cf59f400f2d2df8c2dd
2015-02-11 13:25:57 -08:00
dcashman
0e30164b17 Allow bluetooth access to keystore service.
Address the following denial:
SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:bluetooth:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Encountered when remote service attempts access:
02-04 00:15:19.174 E/AndroidRuntime(10847): FATAL EXCEPTION: main
02-04 00:15:19.174 E/AndroidRuntime(10847): Process: com.google.android.remote.tv.services, PID: 10847
02-04 00:15:19.174 E/AndroidRuntime(10847): java.lang.RuntimeException: Unable to create service com.google.android.tv.remote.RemoteService: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.exist(java.lang.String, int)' on a null object reference
02-04 00:15:19.174 E/AndroidRuntime(10847):         at android.app.ActivityThread.handleCreateService(ActivityThread.java:2801)

Bug: 19268019
Change-Id: I86f85cb19c5540bf041c82ec9a8088aacae67792
2015-02-09 14:45:46 -08:00
dcashman
4a89cdfa89 Make system_server_service an attribute.
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2015-01-14 13:54:26 -08:00
Nick Kralevich
9819a6cba3 bluetooth: allow sending bugreports via bluetooth
Bluetooth can receive bugreport data for beaming to another device.
This comes across as an open file descriptor. Allow bluetooth access
to bugreports.

Addresses the following denial:

  avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2014-12-19-15-35-32.txt" dev="dm-0" ino=662738 scontext=u:r:bluetooth:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

Change-Id: I7be2ce2e0e48323c1e8f932be17b434b89daf085
2014-12-19 16:43:41 -08:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
4a24475b9d Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc20509)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
2014-07-18 12:24:36 -07:00
Riley Spahn
603bc20509 Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 09:24:13 -07:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Nick Kralevich
be66069765 Remove -unconfineddomain from neverallow rules
Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f
2014-07-04 10:12:13 -07:00
Sharvil Nanavati
77eb35263f Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.
Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e
2014-07-01 11:58:30 -07:00
Sérgio Faria
536ddba898 Allow setopt on bluetooth's unix_stream_socket.
This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.

Resolves denials, in 3rd party apps, such as:

avc:  denied  { setopt } for  pid=18107 comm="AudioRouter-6"
scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0
tclass=unix_stream_socket

Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>
2014-06-30 15:15:12 +00:00
Paul Jensen
97a2cfdf66 Allow Bluetooth app to initiate DHCP service on bt-pan interface.
bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
2014-06-19 02:49:37 +00:00
Stephen Smalley
eab85946a5 Allow bluetooth users ioctl access to bluetooth unix stream socket.
Resolves denials such as:
avc:  denied  { ioctl } for  pid=6390 comm="m.wimmcompanion" path="socket:[472596]" dev="sockfs" ino=472596 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Idd4fa219fe8674c6e1c40211b3c105d6276cfc5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-11 08:43:23 -04:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
2737ceff23 Allow stat/read of /data/media files by app domains.
Resolves denials such as:
avc:  denied  { read } for  pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

avc:  denied  { getattr } for  pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-04 19:07:19 +00:00
Stephen Smalley
495e9d12b9 Allow getopt / getattr to bluetooth unix_stream_socket.
Resolve denials such as:

avc:  denied  { getattr } for  pid=16226 comm="Thread-2096" path="socket:[414657]" dev="sockfs" ino=414657 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=5890 comm="FinalizerDaemon" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Iea7790aa4f8e24f3ec0d2c029933a3902333472e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-04 13:34:54 -05:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Stephen Smalley
85708ec4f9 Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00
Nick Kralevich
997680a3b7 bluetooth: allow media_rw_data_file
Allow bluetooth to handle media_rw_data_file file descriptors
sent to it from other processes. Without this, bluetooth
picture / video sharing is broken.

Steps to reproduce:
1. Take few pictures
2. launch gallery and choose a picture/video and click on share and choose
   available BT device and share

Other info from bug report:

- Bluetooth process queries media content provider for a file descriptor,
  with an Uri like "content://media/external/images/media/69"
- Media server resolves the uri to a file on the filesystem, in the case of
  Gallery at "/storage/emulated/0/DCIM/Camera/IMG_20140128_141656.jpg"
- Media server returns the FD over binder to bluetooth
- Bluetooth is unable to read the file backed by the file descriptor.

Fixes Denial:

<5>[  821.040286] type=1400 audit(1390952161.805:11): avc:  denied  { read } for  pid=1348 comm="Binder_3" path="/data/media/0/DCIM/Camera/IMG_20140128_141656.jpg" dev="mmcblk0p23" ino=236246 scontext=u:r:bluetooth:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Bug: 12457805
Change-Id: I1423d06a98416ae4ab19508f0d005a6353acadc4
2014-01-28 16:14:52 -08:00
Stephen Smalley
d14e9deaa4 Make bluetooth enforcing (again).
Previous bluetooth denials should be addressed by
I14b0530387edce1097387223f0def9b59e4292e0.

Change-Id: I5c6b44a142a7e545230b89df9c4500ce2fab4ab6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-18 15:12:12 +00:00
Stephen Smalley
09f6a99b66 Allow mediaserver to connect to bluetooth.
Re-purpose the existing bluetooth_socket type, originally
for /dev/socket/bluetooth used by bluetoothd in the old
bluetooth stack, for sockets created by bluedroid under
/data/misc/bluedroid, and allow mediaserver to connect
to such sockets.  This is required for playing audio
on paired BT devices.

Based on b/12417855.

Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-16 18:35:28 +00:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Nick Kralevich
85396e93df Revert "Make bluetooth enforcing."
The following CTS tests are failing on nakasig-userdebug

Failing tests
android.bluetooth.cts.BasicAdapterTest#test_enableDisable
android.bluetooth.cts.BasicAdapterTest#test_getAddress
android.bluetooth.cts.BasicAdapterTest#test_getBondedDevices
android.bluetooth.cts.BasicAdapterTest#test_getName
android.bluetooth.cts.BasicAdapterTest#test_listenUsingRfcommWithServiceRecord

Logs
=====
junit.framework.AssertionFailedError: expected:<11> but was:<10>
at android.bluetooth.cts.BasicAdapterTest.enable(BasicAdapterTest.java:278)
at android.bluetooth.cts.BasicAdapterTest.test_enableDisable(BasicAdapterTest.java:128)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:191)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:176)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:554)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1701)

Reverting this change until we get a proper fix in place.

SELinux bluetooth denials:

nnk@nnk:~$ grep "avc: " Redirecting.txt | grep bluetooth
<5>[  831.249360] type=1400 audit(1389206307.416:215): avc:  denied  { write } for  pid=14216 comm="BluetoothAdapte" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  834.329536] type=1400 audit(1389206310.496:217): avc:  denied  { write } for  pid=14218 comm="BTIF" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file

This reverts commit 2eba9c5fa2.

Bug: 12475767
Change-Id: Id4989f6b371fa02986299114db70279e151ad64a
2014-01-10 09:31:50 -08:00