Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
wificond would like to be able to set WiFi related properties
without access to the rest of the system properties. Today,
this only involves marking the driver as loaded or unloaded.
avc: denied { write } for name="property_service" dev="tmpfs" ino=10100
scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0
tclass=sock_file permissive=0
Bug: 29579539
Test: No avc denials related to system properties across
various WiFi events.
Change-Id: I6d9f1de3fbef04cb7750cc3753634f9e02fdb71f
(cherry picked from commit 1ebfdd6a14)
These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.
The /proc/interrupts and /proc/stat files were covered in this paper:
https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/
The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.
Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.
Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
With v4.8+ kernels, CAP_WAKE_ALARM is needed to set
alarmtimers via timerfd (this change is likely to be
backported to stable as well).
However, with selinux enabled, we also need to allow
the capability on the system_server so this enables it.
Change-Id: I7cd64d587906f3fbc8a129d48a4db07373c74c7e
Signed-off-by: John Stultz <john.stultz@linaro.org>
Commit: b144ebab48 added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them. Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).
Address denials such as:
type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0
Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.
The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps
Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
The system_server needs to clear these markers along with other app
data that it's responsible for clearing.
bug: 28510916
Change-Id: If9ba8b5b372cccefffd03ffddc51acac8e0b4649
am: 50c2909f23
* commit '50c2909f23df270f75d23e16de2bb9e5363b54dd':
Sepolicy: Allow debuggerd to dump backtraces of Bluetooth
Sepolicy: Refactor long lines for debuggerd backtraces
Change-Id: I0d3f68a422a4d8b14148343983f1d6a8a85ac268
Allow to dump traces of the Bluetooth process during ANR
and system-server watchdog dumps.
Bug: 28658141
Change-Id: Ie78bcb25e94e1ed96ccd75f7a35ecb04e7cb2b82
Add pinner service to system_service services.
Add CAP_IPC_LOCK permissions to system_server in order to allow
system_server to pin more memory than the lockedmem ulimit.
bug 28251566
Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984
am: 39cfed0b23
* commit '39cfed0b23c542cf4b95e0e2835c1886914f88ce':
Allow the system to rename wallpaper files
Change-Id: I4404f9f9d9ffb78af3c50beefd1b1f220662d181
When using domain_trans(init, foo_exec, foo), don't add the
following rule:
allow foo init:process sigchld;
This is already allowed for all domains in domain.te:
# Allow reaping by init.
allow domain init:process sigchld;
So adding it over and over again is redundant and bloats the
policy. More specifically, when I run:
sepolicy-analyze out/target/product/bullhead/root/sepolicy dups
this change reduces the number of duplicate policy statements
from 461 to 389.
Change-Id: I8632e5649a54f63eb1f79ea6405c4b3f515f544c
Give mount & chroot permissions to otapreopt_chroot related to
postinstall.
Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.
Allow postinstall files to call the system server.
Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7
am: fbb6d2de1c
* commit 'fbb6d2de1cf4d4ce6e86c353b963824b1b98d43b':
allow system server to set log.tag.WifiHAL
limit shell's access to log.* properties
Change-Id: I135fcb73d8cec20966e01c7a19f4a7e6b1002aad
am: d9b0a34
* commit 'd9b0a34ad4c0797e7e648c0dfa4ce0866f6d62fe':
Allow system_server to hard link its own files
Change-Id: I8417d52812e847b01fa40d720659567aba25f27b
Specifically, backup of wallpaper imagery needs to use hard links to
achieve "real file" access to the large imagery files without rewriting
the contents all the time just to stage for backup. They can't be
symlinks because the underlying backup mechanisms refuse to act on
symbolic links for other security reasons.
Bug 25727875
Change-Id: Ic48fba3f94c92a4b16ced27a23646296acf8f3a5
On eng and userdebug builds (only), allow system server
to change the value of log.tag.WifiHAL. WifiStateMachine
will set this property to 'D' by default. If/when a user
enables "Developer options -> Enable Wi-Fi Verbose Logging",
WifiStateMachine changes log.tag.WifiHAL to 'V'.
BUG=27857554
TEST=manual (see below)
Test detail
1. on user build:
$ adb shell setprop log.tag.WifiHAL V
$ adb shell getprop log.tag.WifiHAL
<blank line>
$ adb bugreport | grep log.tag.WifiHAL
<11>[ 141.918517] init: avc: denied { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0
<11>[ 141.918566] init: sys_prop: permission denied uid:2000 name:log.tag.WifiHAL
2. on userdebug build:
$ adb shell getprop log.tag.WifiHAL
$ <blank line>
$ adb shell setprop log.tag.WifiHAL V
$ adb shell getprop log.tag.WifiHAL
V
3. on userdebug build with modified WifiStateMachine:
$ adb shell getprop log.tag.WifiHAL
D
Change-Id: I9cdd52a2b47a3dd1065262ea8c329130b7b044db
Add a neverallow rule (CTS test + compile time assertion) blocking
system_server from executing files outside of a few select file
types.
In general, it's dangerous to fork()/exec() from within a multi-threaded
program. See
https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
This change helps discourage the introduction of new execs.
Bug: 28035297
Change-Id: Idac824308183fa2cef75f17159dae14447290e5b
We've seen evidence that the logcat binary can end up wedged, which
means we can eventually starve system_server for FDs. To mitigate
this, wrap logcat using the timeout utility to kill and clean up if
it takes too long to exit.
avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee
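Worked example, added here and not part of any of the commits above: a small Python parser for the avc denial lines quoted in these messages (plain `avc:` lines, `type=1400 audit(...)` framing and the init `property_service` form), merging them into audit2allow-style candidate rules keyed by source domain, target type and class. Hits seen only with `permissive=1` are flagged, because they were logged but never enforced and so say nothing about what the device actually blocked. The sample lines are the page's own, with whitespace normalised; `parse_denial` and `candidate_rules` are names chosen for this example.

```python
import re
from collections import defaultdict

# Sample input: the denial lines quoted in the commit messages above (whitespace
# normalised). A practitioner would feed dmesg / logcat output here instead.
SAMPLE_DENIALS = [
    'avc: denied { write } for name="property_service" dev="tmpfs" ino=10100 scontext=u:r:wificond:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0',
    'type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0',
    '<11>[ 141.918517] init: avc: denied { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0',
    'avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1',
    'avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1',
    'avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1',
]

DENIAL_RE = re.compile(r'avc: +denied +\{ *(?P<perms>[^}]+?) *\} +for +(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_denial(line):
    """Parse one avc denial line; returns None for lines that are not denials."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in f for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # Security contexts look like u:r:TYPE:s0; the type is the third field.
    src, tgt = (f[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return {'perms': set(m.group('perms').split()), 'source': src, 'target': tgt,
            'tclass': f['tclass'], 'permissive': f.get('permissive') == '1',
            'fields': f}

def candidate_rules(lines):
    """Merge denials into allow statements keyed by (source, target, class).
    A rule whose every hit carried permissive=1 is flagged: nothing was
    actually blocked, so the need for it is untested."""
    merged = defaultdict(lambda: {'perms': set(), 'enforced': False})
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue  # unrelated log line, e.g. "init: sys_prop: permission denied"
        entry = merged[(d['source'], d['target'], d['tclass'])]
        entry['perms'] |= d['perms']
        entry['enforced'] |= not d['permissive']
    rules = []
    for (src, tgt, cls), e in sorted(merged.items()):
        perms = sorted(e['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        flag = '' if e['enforced'] else '  # only seen in permissive mode'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};{flag}')
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_DENIALS)))
```

The output is a starting point for policy review, not a rule set to paste in: as the commits above show, the right answer is often a narrower type, a macro, or a neverallow rather than the literal allow.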