Commit graph

66 commits

Author SHA1 Message Date
dcashman
36f255ff52 Create sysfs_zram label.
Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 14:24:09 -08:00
Daichi Hirono
a20802ddb8 Add new rules for appfuse.
The new rules are used to allow to mount FUSE file system for priv-app.

Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52
2015-12-24 11:32:41 +09:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Nick Kralevich
7e86e19d58 remove "allow vold block_device:blk_file create_file_perms;"
vold hasn't use the generic "block_device" label since
commit 273d7ea4ca (Sept 2014), and
the auditallow statement in vold hasn't triggered since that time.

Remove the rule which allows vold access to the generic block_device
label, and remove the vold exception.

Thanks to jorgelo for reminding me about this.

Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
2015-10-06 16:05:27 -07:00
Nick Kralevich
b08688628c am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed."
* commit '7af012fc94a34dd42e72d32c246a47140ec2861a':
  Only allow toolbox exec where /system exec was already allowed.
2015-08-25 23:43:46 +00:00
Stephen Smalley
a3c97a7660 Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 12:46:07 -04:00
Jeff Sharkey
6b75d099e1 Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0

Bug: 21858077
Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
2015-06-25 22:26:30 -07:00
Nick Kralevich
31d88a704e Allow /dev/klog access, drop mknod and __null__ access
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972c1)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-23 16:47:49 +00:00
Jeff Sharkey
769b96f2e3 Allow vold to change priority when benchmarking.
avc: denied { sys_nice } for capability=23 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=0

Bug: 21711477
Change-Id: I78e7a6667e06a4b1a2b0c4d26ddae4797231e553
2015-06-11 13:00:30 -07:00
Jeff Sharkey
7617cd48b7 New "selinux.restorecon" control property.
This new property is used as a control verb for running a recursive
restorecon at the path contained in the property value.

Defines a new label and grants access to vold, which invokes it when
mounting private adopted volumes.

Bug: 21121357
Change-Id: I8ff12a146e54a505aa5b43a542578891563d647a
2015-06-09 13:39:04 -07:00
Nick Kralevich
e2651972c1 Allow /dev/klog access, drop mknod and __null__ access
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-08 10:29:11 -07:00
Paul Lawrence
35e50159ad DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
(cherry-picked from change f7163597f5)

This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-05-29 17:50:12 +00:00
Paul Lawrence
e2c0c9de7b DO NOT MERGE Securely encrypt the master key
(chery-picked from commit 13dec5fa5b)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-05-29 17:42:09 +00:00
Jeff Sharkey
c960596cc3 drop_caches label, vold scratch space on expanded.
Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.

Also let vold create new directories under it's private storage area
where the benchmarks will be carried out.  Mirror the definition of
the private storage area on expanded media.

avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
2015-05-14 20:55:33 -07:00
Paul Crowley
421dadbc9d Allow vold to create subdirectories within its private area.
AVC message we get without this change creating
/data/misc/vold/user_keys

05-12 08:57:54.839   189   189 W vold    : type=1400 audit(0.0:176):
avc: denied { create } for name="user_keys" scontext=u:r:vold:s0
tcontext=u:object_r:vold_data_file:s0 tclass=dir permissive=0

Bug: 19704432
Change-Id: I10fc90c64c7c10fa9811133a4289663ae8617607
2015-05-12 10:00:41 +01:00
William Roberts
2f5a6a96bd Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 10:32:06 -07:00
William Roberts
625a3526f1 Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 00:02:59 +00:00
Paul Lawrence
f7163597f5 New ext4enc kernel switching from xattrs to ioctl
This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-04-29 15:44:46 -07:00
Paul Lawrence
13dec5fa5b Securely encrypt the master key
Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:28:16 -07:00
Paul Lawrence
3ee85ca6aa Revert "Securely encrypt the master key"
This reverts commit 5287d9a8e5.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a
2015-04-28 19:16:22 +00:00
Paul Lawrence
5287d9a8e5 Securely encrypt the master key
This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1
2015-04-27 20:04:10 +00:00
Jeff Sharkey
90c64542a2 Allow vold to move FUSE backing files directly.
This enables an optimization of bypassing the FUSE overhead when
migrating emulated storage between volumes.

avc: denied { write } for path="/mnt/expand/6cba9b95-4fc8-4096-b51f-bdb2c007d059/media/obb/.nomedia" dev="dm-0" ino=387843 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I2bb9aaca50ed988ded6afec6d7fbe190903707e0
2015-04-24 15:24:15 -07:00
Jeff Sharkey
73d9c2a97b Initial policy for expanded storage.
Expanded storage supports a subset of the features of the internal
data partition.  Mirror that policy for consistency.  vold is also
granted enough permissions to prepare initial directories.

avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1

Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
2015-04-06 17:59:44 -07:00
Jeff Sharkey
84e1c61193 Different blkid and fsck execution domains.
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices.

When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.

Bug: 19993667
Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5
2015-04-01 14:41:24 -07:00
Jeff Sharkey
4423ecdb09 Directory for vold to store private data.
Creates new directory at /data/misc/vold for storing key material
on internal storage.  Only vold should have access to this label.

Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
2015-04-01 09:28:09 -07:00
Jeff Sharkey
5a5b364c54 Separate fsck domains to protect userdata.
Create new vold_fsck domain that only has access to vold_block
devices to prevent any access to internal userdata.

Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731
2015-03-31 08:13:20 -07:00
Jeff Sharkey
f063f461a9 Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works.  At a high level, vold is taking on a more active role in
managing devices that dynamically appear.

This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid.  It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.

For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.

Slightly relax system_server external storage rules to allow calls
like statfs().  Still neverallow open file descriptors, since they
can cause kernel to kill us.

Here are the relevant violations that this CL is designed to allow:

avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd

Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-30 17:07:42 -07:00
Paul Lawrence
38af1da107 Adding e4crypt support
Add selinux rules to allow file level encryption to work

Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-27 14:47:30 -07:00
Stephen Smalley
273d7ea4ca Label block devices created or accessed by vold with specific types.
Assign a more specific type than block_device to all
block devices created or accessed by vold.   Allow vold
to set the context on the device nodes it creates.

vold can create extra loop devices (/dev/block/loopN) and
block devices for volumes it manages (/dev/block/vold/M:N).

vold can read/write device mapper block devices (/dev/block/dm-N)
created for encrypted volumes.

vold can read/write metadata partitions used to store encryption metadata.
The metadata_block_device type should be assigned in device-specific
policy to the partition specified by the encryptable= mount option
for the userata entry in the fstab.<board> file.

This change does not remove the ability to create or read/write
generic block_device devices by vold, so it should not break anything.
It does add an auditallow statement on such accesses so that we can track
remaining cases where we need to label such device nodes so that we can
ultimately remove this access.

Change-Id: Id3bea28f5958086716cd3db055bea309b3b5fa5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-02 13:29:25 +00:00
Stephen Smalley
cedee697c3 Fix fsck-related denials with encrypted userdata.
Allow error reporting via the pty supplied by init.
Allow vold to invoke fsck for checking volumes.

Addresses denials such as:
avc:  denied  { ioctl } for  pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file

avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file

These denials show up if you have encrypted userdata.

Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-30 13:49:58 -04:00
Stephen Smalley
dd053a9b89 Define types for userdata and cache block devices.
Introduce separate types for the userdata and cache block
devices so that we can assign them and allow access to them
in device-specific policy without allowing access to any other
block device (e.g. system).  These types will only be used if
assigned to device node paths in the device-specific file_contexts
configuration.  Otherwise, this change will have no impact - the
userdata and cache block devices will continue to default to block_device
type.

To avoid breakage when these new types are assigned to the userdata
block device, allow access by vold and uncrypt, but auditallow
these accesses to confirm that these are required.

Change-Id: I99d24f06506f51ebf1d186d9c393b3cad60e98d7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-19 19:01:32 -07:00
Stephen Smalley
f85c1fc293 Allow installd, vold, system_server unlabeled access.
The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose.  vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so.  system_server tries to access all /data/data
subdirectories so permit it to do so.  installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 16:35:01 -04:00
Nick Kralevich
8599e34b95 Introduce wakelock_use()
Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.

Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.

Still TODO: fix device specific wakelock use.

Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
2014-05-23 15:44:40 -07:00
Stephen Smalley
02dac03a8c Drop relabelto_domain() macro and its associated definitions.
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 18:30:22 +00:00
Paul Lawrence
d7567118e9 Allow vold to access keymaster
Bug: 9467042
Change-Id: Ice72e6c3047d1439e6fa6997b5f47f807f34b28d
2014-04-14 12:50:18 -07:00
Robert Craig
4b3893f90b Replace ctl_default_prop access with explicit service property keys.
The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.

Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-25 13:36:50 -04:00
Paul Lawrence
01ba6834c1 Allow vold to call to healthd
vold needs to be able to check remaining battery to safely abort
certain operations

Bug: 11985952
Change-Id: I7dfe83f7d1029593882e0e5ad33f90fb29e5532b
2014-03-20 09:52:36 -07:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Robert Craig
48b18832c4 Introduce asec_public_file type.
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-11 17:08:10 +00:00
Nick Kralevich
3753c816b2 vold: allow wakelocks, fsck logs
When encrypting a device, vold tries to acquire a wake lock,
to prevent the device from sleeping. Add an allow rule.

After booting with a freshly encrypted device, fsck logs data to
/dev/fscklogs/log . Add an allow rule.

Addresses the following denials.

wake lock:

<5>[  372.401015] type=1400 audit(1387488823.195:6): avc:  denied  { read write } for  pid=143 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
<5>[  127.274556] type=1400 audit(1387494536.080:8): avc:  denied  { open } for  pid=140 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file

fsck logging:

<5>[   44.759122] type=1400 audit(1387489522.460:6): avc:  denied  { search } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.559964] type=1400 audit(1387495221.265:6): avc:  denied  { write } for  pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560081] type=1400 audit(1387495221.265:7): avc:  denied  { add_name } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir
<5>[   28.560244] type=1400 audit(1387495221.265:8): avc:  denied  { create } for  pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.560383] type=1400 audit(1387495221.265:9): avc:  denied  { write open } for  pid=132 comm="vold" name="log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file
<5>[   28.582520] type=1400 audit(1387495221.285:10): avc:  denied  { getattr } for  pid=132 comm="vold" path="/dev/fscklogs/log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file

Change-Id: I09fbe73c9d4955578c16fece4f3b84269eed78b5
2013-12-19 15:23:43 -08:00
Jeff Sharkey
4ab2983596 am 35e8dcc9: Merge "Let vold mount OBB files on external storage." into klp-dev
* commit '35e8dcc9ba40c6419f63d0a516c0995d3064f96e':
  Let vold mount OBB files on external storage.
2013-11-14 16:26:18 -08:00
Jeff Sharkey
80176dc445 Let vold mount OBB files on external storage.
Fixes this specific violation:

type=1400 audit(1384468728.202:16): avc:  denied { read write } for
pid=271 comm="vold" name="test1.obb" dev="fuse" ino=3100664872
scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_internal:s0
tclass=file

Bug: 11693888
Change-Id: I45d30ecabdf0bc8871f3dd67b5695ac909109d9a
2013-11-14 16:11:56 -08:00
Jeff Sharkey
1d5176cd91 am 2abfe7d4: Allow vold to invoke blkid, use external ASECs.
* commit '2abfe7d4f72b0265b1dec31e675650c77998f4d6':
  Allow vold to invoke blkid, use external ASECs.
2013-10-17 18:48:46 -07:00
Jeff Sharkey
2abfe7d4f7 Allow vold to invoke blkid, use external ASECs.
Bug: 11175082
Change-Id: Ic1bd15e8729583be199551ec6baeb4acaf46c210
2013-10-17 15:17:30 -07:00
Nick Kralevich
d045e564aa Partially revert 4fc702eccf.
It's questionable whether this change is actually needed,
and it only affects one user (who's /data partition was
created oddly).

Revert it for now (in master) to see if we get more reports
of this bug.

Bug: 11149726
Change-Id: I9b5408306b55653b2b9d43e68e7c771b72662649
2013-10-14 13:00:12 -07:00
Geremy Condra
4fc702eccf DO NOT MERGE Fix denials seen during device upgrade.
Fixes:
denied  { relabelto } for  pid=721 comm="PackageManager" name="vmdl-112554949.tmp" dev="mmcblk0p30" ino=712747 scontext=u:r:system:s0 tcontext=u:object_r:apk_private_tmp_file:s0 tclass=file
denied  { create } for  pid=240 comm="vold" name="smdl2tmp1.asec" scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 11149726
Change-Id: Iddc7592c757375a961f0d392c27622073c141b36
2013-10-09 18:36:29 -07:00
Geremy Condra
13a74a3aea Merge "Allow vold to start and stop processes via init" into klp-dev 2013-09-11 23:03:05 +00:00
Geremy Condra
7eb786bca2 Give vold the capability to kill.
Bug: 10706792
Change-Id: I85085ab7a6f0f3d12ba4d2b21b655bb64795495f
2013-09-11 10:19:10 -07:00
Ken Sumrall
4974855824 Allow vold to start and stop processes via init
This is needed for the new fuse wrapped sdcard support.

bug: 10330128

Change-Id: Ic5ebc769d376bf061d237616e56bcd562a63c6be
2013-09-10 17:06:58 -07:00
Alex Klyubin
b25fe91e25 Grant fsetid Linux capability to vold.
This fixes the issue where paid apps failed to install via Google
Play with "Package file has a bad manifest" error. The issue appears
to be caused by vold being prevented by SELinux policy from setting
the setgid bit on the ASEC container directory into which the APK is
decrypted. As a result, the APK is not readable to PackageParser.

Bug: 9736808
Change-Id: I07546a9f9caac3de8b720499bd1bf1604edea0fe
2013-07-08 15:48:36 -07:00