Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.
Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.
This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label. This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.
This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__. Future
commits will restrict the access.
Bug: 21852512
Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).
Bug: 25612377
Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
1) Don't use the generic "system_data_file" for the files in /data/nativetest.
Rather, ensure it has it's own special label. This allows us to distinguish
these files from other files in SELinux policy.
2) Allow the shell user to execute files from /data/nativetest, on
userdebug or eng builds only.
3) Add a neverallow rule (compile time assertion + CTS test) that nobody
is allowed to execute these files on user builds, and only the shell user
is allowed to execute these files on userdebug/eng builds.
Bug: 25340994
Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
/proc/iomem is currently given the proc label but contains system information
which should not be available to all processes.
Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
logpersistd (nee logcatd) agent, restrict access to run only in
userdebug or eng
Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.
Also let vold create new directories under it's private storage area
where the benchmarks will be carried out. Mirror the definition of
the private storage area on expanded media.
avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
Added permission to SAP socket used to access the the RIL daemon
Change-Id: Ifbfb764f0b8731e81fb3157955aa4fda6120d846
Signed-off-by: Casper Bonde <c.bonde@samsung.com>
Provide a default label for binfmt_misc. This is not used by the
core policy, although it may be used in device specific policy.
Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95
On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:
% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing
which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.
Allow this behavior.
Addresses the following denial:
avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
Creates new directory at /data/misc/vold for storing key material
on internal storage. Only vold should have access to this label.
Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'
Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.
Addresses the following denials (and many more):
avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
This reverts commit 0f0324cc82
and commit 99940d1af5
Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart
Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Commit a833763ba0 enabled per-user
isolation, which requires that any files / processes which cross
user boundaries be marked with the mlstrustedsubject attribute.
system_app_data_file, used for storing a user's profile photos,
is not marked as such. As a result, users are unable to add profile
photos.
Addresses the following denial:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82184 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file
Steps to reproduce:
1.Flash & Factory the Deb device with tip-of-tree build
2.Go to 'Settings-Users'
3.Under users&profiles,click on Owner to add profile photo.
4.Select 'Choose photo from Gallery' and select a photo.
5.Then click the 'Done' button.
6.Device showed the message as 'Unable to save the photo edits'.
OBSERVED RESULTS:
Unable to add user's profile photo id. This issue is coming for all
users(Restricted user,second user)also.
EXPECTED RESULTS:
Device should allow to add profile photo id.
Bug: 19170844
Change-Id: If657dc09dd391e63ca85320f9cc1728580e51a15
external/sepolicy commit 99940d1af5
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.
Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.
external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.
By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.
For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.
Addresses the following denials:
avc: denied { read } for pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.
TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.
Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
Resolves denials such as:
avc: denied { write } for pid=1546 comm="Binder_1" name="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir
This is required to install a forward-locked app.
Change-Id: I2b37a56d087bff7baf82c738896d9563f0ab4fc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service. A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them. A neverallow rule prevents us from allowing
qemu-props to set default_prop.
We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat. We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).
Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.
To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.
This change:
1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.
Addresses the following denial:
avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 17671501
(cherry picked from commit 2de02877a3)
Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb
Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.
To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.
This change:
1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.
Addresses the following denial:
avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file
Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20
dumpstate and lmkd need to act on apps running at any level.
Various file types need to be writable by apps running at any
level.
Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file. Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.
This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.
Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 21ada26dae)
Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>