These are obsoleted by the restorecon_recursive /data/media call
added to the device init*.rc files, e.g.
see I4a191d32a46104a68f6644398c152b274c7937a6
for the hammerhead change.
If/when Ib8d9751a47c8e0238cf499fcec61898937945d9d is merged, this
will also be addressed for all devices by the restorecon_recursive /data
call added to the main init.rc file.
Change-Id: Idbe2006a66817d6bb284d138a7565dec24dc6745
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Our policy also has this entry:
net.rmnet_usb0. u:object_r:radio_prop:s0
Rather than trying to enumerate all possible variants, just reduce
the existing rmnet0 entry to rmnet so that it matches all properties
with that prefix.
Change-Id: Ic2090ea55282fb219eab54c96fd52da96bb18917
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If we are going to allow all domains to search and
stat the contents of /data/security, then we should
also allow them to read the /data/security/current symlink
created by SELinuxPolicyInstallReceiver to the directory
containing the current policy update.
Change-Id: Ida352ed7ae115723964d2723f1115a87af438013
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This should be obsoleted by the restorecon in
I30e4d2a1ae223a03eadee58a883c79932fff59fe .
Change-Id: Iaeacb1b720b4ac754c6b9baa114535adc1494df2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These same permissions are already allowed via net_domain() and
the rules in net.te.
Change-Id: I4681fb9993258b4ad668333ad7d7102e983b5c2b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Move the uncrypt domain into SELinux enforcing mode. This will
start enforcing SELinux rules; security policy violations will
return EPERM.
Bug: 13083922
Change-Id: I4805662d8b336e2bfd891237cc916c57179ebf12
init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell. It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc. We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.
shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.
su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.
Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The current inline documentation is not entirely accurate and caused
user confusion, e.g. see:
https://groups.google.com/d/msg/android-security-discuss/javBrPT8ius/C4EVEFUu4ZoJ
Try to clarify the meaning of untrusted_app, how app domains are
assigned, and how to move other system apps out of untrusted_app into
a different domain.
Change-Id: I98d344dd078fe9e2738b68636adaabda1f4b3c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets
and re-create it at times, so make sure that it remains labeled correctly
when re-created in this manner via a name-based type transition rule.
Do the same for hostapd as it also has permissions for creating/removing
this directory.
<5>[83921.800071] type=1400 audit(1392997522.105:26): avc: denied { rmdir } for pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir
We no longer need the type_transition for sock_file as it will inherit
the type from the parent directory which is set via restorecon_recursive
/data/misc/wifi/sockets or via type_transition, so drop it.
Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Per https://android-review.googlesource.com/82814 , uncrypt
needs to be able to read shell_data_files on userdebug / eng
builds. Allow it.
Bug: 13083922
Change-Id: I72299673bb5e36be79413227105b5cad006d504f
Add initial support for uncrypt, started via the
pre-recovery service in init.rc. On an encrypted device,
uncrypt reads an OTA zip file on /data, opens the underlying
block device, and writes the unencrypted blocks on top of the
encrypted blocks. This allows recovery, which can't normally
read encrypted partitions, to reconstruct the OTA image and apply
the update as normal.
Add an exception to the neverallow rule for sys_rawio. This is
needed to support writing to the raw block device.
Add an exception to the neverallow rule for unlabeled block devices.
The underlying block device for /data varies between devices
within the same family (for example, "flo" vs "deb"), and the existing
per-device file_context labeling isn't sufficient to cover these
differences. Until I can resolve this problem, allow access to any
block devices.
Bug: 13083922
Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.
After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.
Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.
Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/data/data subdirectories are labeled by installd at creation time
based on seapp_contexts, not based on file_contexts, so we do not
need the /data/data/.* entry, and the wallpaper file was moved from
under com.android.settings/files to /data/system/users/N long ago so we can
delete the old entry for it.
Change-Id: I32af6813ff284e8fe9fd4867df482a642c728755
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.
Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.
Only support reading user input on userdebug / eng builds.
Steps to reproduce with the "crasher" program:
adb root
adb shell setprop debug.db.uid 20000
mmm system/core/debuggerd
adb sync
adb shell crasher
Addresses the following denials:
<5>[ 580.637442] type=1400 audit(1392412124.612:149): avc: denied { read } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[ 580.637589] type=1400 audit(1392412124.612:150): avc: denied { open } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[ 580.637706] type=1400 audit(1392412124.612:151): avc: denied { read write } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[ 580.637823] type=1400 audit(1392412124.612:152): avc: denied { open } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[ 580.637958] type=1400 audit(1392412124.612:153): avc: denied { ioctl } for pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
Should resolve b/13060688 - emulator writes to /storage/sdcard failing.
Change-Id: I9f00d9dfcd1c4f84c2320628257beca71abf170b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
dhcpcd opens a raw ip socket in ipv6rs_open() to use ICMPv6. This
facility should be available for all devices which have a need to
use it.
Addresses the following denials:
<5>[ 42.699877] type=1400 audit(1392332560.306:8): avc: denied { create } for pid=983 comm="dhcpcd" scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[ 42.699993] type=1400 audit(1392332560.306:9): avc: denied { setopt } for pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[ 42.732208] type=1400 audit(1392332560.338:10): avc: denied { write } for pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
Bug: 12473306
Change-Id: Iee57a0cb4c2d2085a24d4b5fb23a5488f0fd3e03
Start enforcing SELinux rules for lmkd. Security policy
violations will return an error instead of being allowed.
Change-Id: I2bad2c2094d93ebbcb8ccc4b7f3369419004a3f0
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.
Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module. It can be added back where appropriate in device
policy if using a modular kernel. No neverallow since it is device
specific.
Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
