Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.
Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.
Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.
Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba

The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.
Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf

Remove the auditallow statements from app.te and
binderservicedomain.te which were causing log spam.
Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb

Map imms to system_app_service in service_contexts and add
the system_app_service type and allow system_app to add the
system_app_service.
Bug: 16005467
Change-Id: I06ca75e2602f083297ed44960767df2e78991140

Remove the allow rule for default services in
binderservicedomain.te so we will need to whitelist any
services to be registered.
Change-Id: Ibca98b96a3c3a2cbb3722dd33b5eb52cb98cb531

This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.
Resolves denials, in 3rd party apps, such as:
avc: denied { setopt } for pid=18107 comm="AudioRouter-6" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>

Chrome renderer processes dlopen() a shared library from
gmscore. Open and read on app data file is already allowed,
but execute isn't, so the dlopen() fails. This is a regression
from K, where the dlopen succeeded.
Longer term, there are questions about whether this is appropriate
behavior for an isolated app. For now, allow the behavior.
See the discussion in b/15902433 for details.
Addresses the following denial:
I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678

Adding services to service_contexts for the
pending commits Icf5997dd6a6ba5e1de675cf5f4334c78c2c037f1
and Ibe79be30b80c18ec45ff69db7527c7a4adf0ee08.
Change-Id: Ie898866d1ab3abba6211943e87bcec77ba568567

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.
Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc

dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.
Addresses the following denial:
<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0
Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe

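The avc denials quoted in the bluetooth, Chrome renderer and dumpstate messages above all share one layout, so they can be triaged mechanically. What follows is an added example, not code from the Android sepolicy project: a small Python script that parses an avc line into source type, target type, object class and permissions, and emits the allow rule that would silence it in the style of audit2allow. Because the dumpstate change above resolves an execute-on-file denial with a domain transition rather than a plain allow, the script also flags execute-on-file denials for manual review. The sample input is the three denials quoted on this page; the function names (parse_avc, suggested_rule, needs_review, triage) are this example's own and not project APIs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three denials quoted in the commit messages on this
# page, copied as-is (the bluetooth one joined back onto a single line).
SAMPLE_DENIALS = [
    'avc: denied { setopt } for pid=18107 comm="AudioRouter-6" '
    'scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket',
    'I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for '
    'comm="CrRendererMain" path="/data/data/com.google.android.gms/files/'
    'libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 '
    'scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file',
    '<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } '
    'for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 '
    'scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one avc denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        # permissive=1 means the access was logged but not blocked.
        'permissive': fields.get('permissive') == '1',
    }


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type:level security context."""
    return ctx.split(':')[2]


def suggested_rule(rec: Dict[str, object]) -> str:
    """Build the allow rule that would grant exactly the denied access (audit2allow style)."""
    src = context_type(rec['scontext'])
    tgt = context_type(rec['tcontext'])
    if tgt == src:
        tgt = 'self'
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {src} {tgt}:{rec['tclass']} {perm_str};"


def needs_review(rec: Dict[str, object]) -> bool:
    """Flag denials that grant code execution on a file: a plain allow is often the
    wrong fix there (the dumpstate case above uses a domain transition instead)."""
    return rec['tclass'] == 'file' and 'execute' in rec['perms']


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every avc line and attach the suggested rule and review flag."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rec['rule'] = suggested_rule(rec)
        rec['review'] = needs_review(rec)
        out.append(rec)
    return out


if __name__ == '__main__':
    for rec in triage(SAMPLE_DENIALS):
        mark = '  # REVIEW: execute on file' if rec['review'] else ''
        print(f"{rec['comm']:>16}: {rec['rule']}{mark}")
```

Run stand-alone it prints one candidate rule per denial; the two execute-on-file cases are marked for review. The generated rule is a starting point for reading the existing policy, not something to paste in, because a neverallow rule elsewhere (such as the ones the first message above tightens) may forbid the access outright.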
system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.
Allow it.
Addresses the following errors which have been showing up
in logcat:
W/ProcessCpuTracker(12159): Skipping unknown process pid 1
W/ProcessCpuTracker(12159): Skipping unknown process pid 2
W/ProcessCpuTracker(12159): Skipping unknown process pid 3
Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.
Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.
Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.
In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.
Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.
Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a

execmod is checked on attempts to make executable a file mapping
that has been modified. Typically this indicates a text relocation
attempt. As we do not ever allow this for any confined domain to
system_file or exec_type, we should not need it for unconfineddomain
either.
Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>