Commit graph

3180 commits

Author SHA1 Message Date
Nick Kralevich
7adc8cfee3 Allow adbd to write to /data/adb
adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895

(cherry picked from commit 973877dbc1)

Change-Id: Ida2e0257c97941ab33ccdab59eb2cde95dca344f
2014-11-05 10:18:31 -08:00
Nick Kralevich
2d1650f407 allow system_server to set kernel scheduling priority
Addresses the following denial:

  avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855
2014-10-24 14:25:49 -07:00
Nick Kralevich
683ac49d9d recovery: allow changing unlabeled symbolic links
Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
2014-10-23 12:12:58 -07:00
Nick Kralevich
2c38b3b809 DO NOT MERGE: allow access to labeled executables in /system
Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.

Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.

This allows "adb pull /system" to work without generating
SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604
2014-10-21 22:39:42 -07:00
Nick Kralevich
480374e4d0 Fix compile time / CTS gps_data_files neverallow assertion
Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.

Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.

This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allowing partners to create SELinux
rules allowing the access if they desire.

Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
2014-10-16 22:31:39 +00:00
Robin Lee
51bfecf49d Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-15 18:02:03 +00:00
Nick Kralevich
ebfd9f8719 allow oemfs:dir search
mediaserver and drmserver both have permission to read oemfs
related files. However, there are no search permissions on the
directory, so the files would be unreachable.

Grant search permissions on the oemfs directory, so that the files
within that directory can be read.

Bug: 17954291
Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db
2014-10-10 16:11:03 -07:00
Nick Kralevich
2380d05f97 allow system_server oemfs read access
Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d
2014-10-10 22:59:16 +00:00
Mike Lockwood
0a52df5020 Give bootanimation access to /dev/snd files so it can use tinyalsa
Bug: 17674304

Change-Id: Ide32833809bca8d3ed8ddc898748e25d7a692319
2014-10-02 16:26:59 -07:00
Nick Kralevich
f2c011892d zygote: allow replacing /proc/cpuinfo
Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501

(cherry picked from commit 2de02877a3)

Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb
2014-09-26 13:06:22 -07:00
Martijn Coenen
49fd9567d9 Merge "Allow NFC to read/write nfc. system properties." into lmp-dev
2014-09-26 19:14:20 +00:00
Martijn Coenen
05383ebfb4 Allow NFC to read/write nfc. system properties.
Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97
2014-09-25 15:36:03 -07:00
Nick Kralevich
62083414a4 allow apps to read the contents of mounted OBBs
Apps should be able to read the contents of mounted OBBs.

Steps to reproduce:

  1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
  2) Attempt to run the app.

Expected:
  App runs successfully.

Actual:
  App crashes. See denials below.

This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3

Addresses the following denials:

  avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
  avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0

Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
2014-09-24 15:18:08 -07:00
Nick Kralevich
a8b651bfba relax appdomain efs_file neverallow rules [DO NOT MERGE]
During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:

  adb shell cat /factory/ssn
  adb shell cat /factory/bt/bd_addr.conf
  adb shell cat /factory/wifi/mac.txt
  adb shell cat /factory/60isn

Read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.

No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278

(cherry picked from commit 200a9f0e20)

Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
2014-09-23 02:14:30 +00:00
Vineeta Srivastava
b4fcaeea34 sepolicy for oem customization
Added read permissions for bootanimation

Bug: 16635599
Change-Id: Ib5d0ba5a6d1144ff831f4f0eda092879f853c376
2014-09-22 21:17:39 +00:00
Nick Kralevich
36fb1f1bf3 relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets
Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.

Bug: 17525863

(cherry picked from commit 642b80427e)

Change-Id: I35f3dc8b1ead9f427645a13fb202e760d1e68e64
2014-09-22 09:25:48 -07:00
dcashman
1619b73d04 Generate selinux_policy.xml as part of CTS build.
Bug: 16563899
Bug: 14251916

(cherry picked from commit 704741a5c2)

Change-Id: I4ba64e2d28f789498852ecfd34aa767d5861d86e
2014-09-20 14:20:56 -07:00
Vineeta Srivastava
0a20b57f88 Added sepolicy for oem customization.
Bug: 16635599

Change-Id: I69f9089dde1fe68762a38f4d97ddee2c20aaaa9d
2014-09-16 12:11:42 -07:00
Christopher Ferris
313e40564a Merge "Allow dumpstate to read /system/bin executables." into lmp-dev
2014-09-13 22:31:44 +00:00
Christopher Ferris
04f3d79077 Allow dumpstate to read /system/bin executables.
On 64 bit systems, it's necessary to read the /system/bin executables
elf header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.

Bug: 17487122
Change-Id: Ica78aa54e5abbb051924166c6808b79b516274fe
2014-09-12 22:39:39 -07:00
Tyler Gunn
69cdca91e7 Renaming Telecomm to Telecom.
- Changing package from android.telecomm to android.telecom
- Changing package from com.android.telecomm to
com.android.server.telecomm.
- Renaming TelecommManager to TelecomManager.

Bug: 17364651
Change-Id: I70e9ecdab7482327f25387ecc6223f46e9cbe10e
2014-09-10 15:17:57 -07:00
dcashman
0406189c5c Merge "Enable selinux read_policy for adb pull." into lmp-dev
2014-09-09 21:46:13 +00:00
dcashman
309cc668f9 Enable selinux read_policy for adb pull.
Remove permission from appdomain.

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
2014-09-09 14:28:25 -07:00
Nick Kralevich
b0a99513b2 Allow kernel thread to read app data files
When vold mounts an OBB on behalf of another application, the kernel
spins up the "loop0" thread to perform the mount operation. Grant
the kernel thread the ability to read app data files, so the mount
operation can succeed.

Steps to reproduce:

  1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java

Expected:

  1) All tests pass

Actual:

  Test failure, with the following error message:

  loop0   : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
  Vold    : Image mount failed (I/O error)
  MountService: Couldn't mount OBB file: -1
  StorageManager: Received message.  path=/data/data/com.android.cts.stub/files/test1.obb, state=21
  TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest)
  TestRunner: ----- begin exception -----
  TestRunner: junit.framework.AssertionFailedError: OBB should be mounted
  TestRunner:    at junit.framework.Assert.fail(Assert.java:50)
  TestRunner:    at junit.framework.Assert.assertTrue(Assert.java:20)
  TestRunner:    at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235)

Bug: 17428116
Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 14:12:18 -07:00
dcashman
47bd7300a5 Add support for factory reset protection.
Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
2014-09-08 14:27:45 -07:00
Nick Kralevich
abfd427a32 sdcardd: grant unmount
If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:

  sdcard  : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0

Allow the operation.

Steps to reproduce:

  1) adb shell into the device and su to root
  2) run "kill -9 [PID OF SDCARD]"

Expected:

  sdcard daemon successfully restarts without error message.

Actual:

  SELinux denial above, plus attempts to mount a new filesystem
  on top of the existing filesystem.

Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
2014-09-04 11:04:23 -07:00
Mark Salyzyn
bcdff89030 logd: permit app access to clear logs
I/auditd(19949): type=1400 audit(0.0:71): avc:  denied  { write } for  comm="logcat" name="logd" dev="tmpfs" ino=5924 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file

(cherry picked from 60f0be84c0)

Bug: 17323719
Change-Id: Id8399195196ffad884eef98030d544c68ed0596f
2014-09-01 18:39:26 +00:00
Robin Lee
de08be8aa0 Allow system reset_uid, sync_uid, password_uid
Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
2014-08-29 23:48:07 +01:00
Brian Carlstrom
372d0df796 Remove system_server create access from /data/dalvik-cache
Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
2014-08-28 21:15:38 -07:00
dcashman
67d58acb9b Merge "Add permissive domains check to sepolicy-analyze." into lmp-dev
2014-08-27 23:56:55 +00:00
dcashman
c30dd63f56 Add permissive domains check to sepolicy-analyze.
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Bug: 17288791

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
2014-08-27 14:54:48 -07:00
Nick Kralevich
28b26bcf42 support kernel writes to external SDcards
The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.

Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"

Expected:

  APK installs successfully.

Actual:

  APK fails to install. Error message:

    Vold  E  Failed to write superblock (I/O error)
    loop0  W  type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
    PackageHelper  E  Failed to create secure container smdl1645334795.tmp
    DefContainer  E  Failed to create container smdl1645334795.tmp

Bug: 17158723

(cherry picked from commit 4c6b13508d)

Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
2014-08-27 12:38:27 -07:00
dcashman
711895db28 Allow appdomain read perms on apk_data_files.
Address:
type=1400 audit(0.0:103): avc: denied { read } for name="arm" dev="mmcblk0p28" ino=195471 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 16204150
Change-Id: I8bf0172b26b780c110c0d95c691785143acd7dd2
2014-08-27 10:22:02 -07:00
dcashman
85f255b8e6 DO NOT MERGE. Allow debuggerd read access to shared_relro files.
Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash.  Full read permissions may not be necessary:

W/debuggerd(  185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir

Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
2014-08-19 13:51:41 -07:00
Stephen Smalley
9a725b284e Allow init to restorecon sysfs files.
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission. Required for:
https://android-review.googlesource.com/#/c/101800/

Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-08-15 14:34:39 -07:00
dcashman
4ddc6eb39e Merge "DO NOT MERGE. Allow untrusted_app access to temporary apk files." into lmp-dev
2014-08-06 23:49:20 +00:00
dcashman
1c1eb869f0 DO NOT MERGE. Allow untrusted_app access to temporary apk files.
Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
2014-08-07 09:51:36 -07:00
Alex Light
feedd3c621 Make system use patchoat to relocate during runtime.
Add patchoat selinux rules.

Bug: 15358152

(cherry picked from commit fbc8ec2eac)

Change-Id: Ic84a370548393be62db740092e8393b662bcf345
2014-08-06 13:48:58 -07:00
Stephen Smalley
d990a78f8e Fix neverallow rules to eliminate CTS SELinuxTest warnings.
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.

For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains).  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.

For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context.  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 21ada26dae)

Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
2014-07-30 08:58:44 -07:00
Ye Wen
770910bb82 Implement broker pattern for imms (3/3)
b/16324360

Change-Id: I4adacdb1d87badfaa109da200aae91869b9786a8
2014-07-29 16:32:28 -07:00
Sreeram Ramachandran
997461bda5 Allow system_server to talk to netlink directly.
This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
2014-07-28 15:13:34 -07:00
Vinit Deshpande
fab00f7487 Add rttmanager in sepolicy's whitelist
Looks like system server doesn't let you start a service without
whitelisting anymore.

Bug: 16628456

Change-Id: I0f6df8fd2afa24f4a1758a90cb5f8e451e0edb6a
2014-07-28 13:38:17 -07:00
Narayan Kamath
aa8e657ef0 Revert "fix system_server dex2oat exec"
This reverts commit 10370f5ff4.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
2014-07-25 15:37:27 +01:00
Nick Kralevich
792d8650d3 Allow sdcardd to read /data/.layout_version
As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.

Maybe indirectly fixes the following SELinux denial:

  sdcard  : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
2014-07-24 17:07:27 -07:00
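Several of the commit messages on this page (62083414a4, b0a99513b2, 47bd7300a5, bcdff89030 and 792d8650d3 among them) paste raw avc: denied lines in three different shapes: the bare audit record, the dmesg-prefixed record, and the logcat-prefixed record. As an added example, not code from the sepolicy repository or from any of these commits, the Python below parses all three shapes, merges denials into candidate allow rules the way audit2allow does, and flags rules whose source domain is untrusted_app for manual review, mirroring the distinction the messages draw between system_app and untrusted_app. The sample lines and the REVIEW_DOMAINS set are constructed for the example, modelled on the denials quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the denials quoted in the commit messages:
# plain audit form, dmesg-prefixed form, logcat-prefixed form, and one unrelated
# log line that must be ignored.
SAMPLE_DENIALS = """
avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
I/auditd(19949): type=1400 audit(0.0:71): avc:  denied  { write } for  comm="logcat" name="logd" dev="tmpfs" ino=5924 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file
avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
Vold    : Image mount failed (I/O error)
"""

# The audit record proper starts at "avc:"; anything before it (dmesg timestamp,
# logcat tag, "type=1400 audit(...)") is a transport prefix and is skipped.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed set of source domains the commit messages deliberately keep narrow
# (untrusted_app is kept out of NETLINK_KOBJECT_UEVENT and efs_file access): a
# candidate rule for one of these is flagged for review, not proposed as a fix.
REVIEW_DOMAINS = {"untrusted_app"}


def parse_denial(line):
    """Return a dict describing one avc denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        # u:r:zygote:s0 -> zygote, u:object_r:proc:s0 -> proc: the type is the third field
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1 means logged but allowed; absent or 0 means the access was blocked
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }

def suggest_rules(lines):
    """Merge denials sharing (source, target, class) into one allow rule each,
    audit2allow-style, in a stable sorted order so successive runs can be diffed."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def triage(lines):
    """Pair each candidate rule with a needs-review flag derived from its source domain."""
    return [(rule, rule.split()[1] in REVIEW_DOMAINS) for rule in suggest_rules(lines)]
```

Run against SAMPLE_DENIALS, triage() yields four candidate rules, the two untrusted_app rules carrying the review flag; a real denial log from `adb logcat` or `dmesg` can be fed in line by line the same way.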
Christopher Ferris
12b8f79d38 Allow dumpstate to read /data/tombstones.
Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7
2014-07-23 19:16:36 -07:00
dcashman
af4a3db073 Merge "DO NOT MERGE. Update readme to reflect addition of SEPOLICY_IGNORE." into lmp-dev
2014-07-22 22:02:49 +00:00
dcashman
ea44c79701 DO NOT MERGE. Update readme to reflect addition of SEPOLICY_IGNORE.
Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee
2014-07-22 15:31:20 -07:00
Ye Wen
9f49e9f9e1 Merge "Move MmsService into phone process (2/2)" into lmp-dev
2014-07-18 22:16:50 +00:00
Ye Wen
eb8d86c0c8 Move MmsService into phone process (2/2)
b/16324360

Change-Id: If79f293a547deef570a80a5569ff8eb973ce29be
2014-07-21 14:22:39 -07:00
Stephen Smalley
9d2703a53b Prohibit execute to fs_type other than rootfs for most domains.
Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 4644ac4836)

Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621
2014-07-21 10:07:31 -07:00