Commit graph

134 commits

Author SHA1 Message Date
Calin Juravle
837bc42f5f Add SElinux policies to allow foreign dex usage tracking.
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile guide compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check wheter or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
2016-03-01 15:50:08 +00:00
Nick Kralevich
ba12da9572 Allow bluetooth access to the tun device.
Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347eee6)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497
2016-02-29 10:05:08 -08:00
dcashman
971aeeda21 Label /proc/meminfo.
Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

Bug: 22032619
Chromium Bug: 586021

Change-Id: I584345c84d870c313da69ec97a0b1e54c0eb9ee1
2016-02-23 17:18:17 -08:00
Calin Juravle
89625c9a64 Update permissions for the dedicated profile folders
Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995
2016-02-19 13:40:33 +00:00
Jeff Tinker
0d5bac13e1 Add mediadrm service
Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
2016-02-12 19:38:22 -08:00
dcashman
a8a1faae7b Auditallow untrusted_app procfs access.
Access to proc is being removed but there are still some consumers.  Add
an auditallow to identify them and adjust labels appropriately before
removal.

Change-Id: I853b79bf0f22a71ea5c6c48641422c2daf247df5
2016-02-10 17:05:23 -08:00
Marco Nelissen
d21987702e Merge "selinux rules for codec process" into nyc-dev 2016-02-10 05:46:34 +00:00
Marco Nelissen
c3ba2e5130 selinux rules for codec process
Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
2016-02-09 14:13:13 -08:00
William Roberts
db664c9ed3 untrusted_app: confine filesystem creation to sandbox
untrusted_apps could be allowed to create/unlink files in world
accessible /data locations. These applications could create
files in a way that would need cap dac_override to remove from
the system when they are uninstalled and/or leave orphaned
data behind.

Keep untrusted_app file creation to sandbox, sdcard and media
locations.

Signed-off-by: William Roberts <william.c.roberts@intel.com>

(cherry picked from commit bd0768cc93)

Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887
2016-02-09 13:40:51 -08:00
Marco Nelissen
b1bf83fd79 Revert "selinux rules for codec process"
This reverts commit 2afb217b68.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
2016-01-28 13:51:28 -08:00
Chien-Yu Chen
e0378303b5 selinux: Update policies for cameraserver
Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
2016-01-27 11:29:11 -08:00
Marco Nelissen
87a79cf9dd Merge "selinux rules for codec process" 2016-01-27 17:46:47 +00:00
dcashman
e458f9abd4 Restore untrusted_app proc_net access. am: 5833e3f5ca
am: a321dde852

* commit 'a321dde852731f320e24f93347f39278bcf0b58b':
  Restore untrusted_app proc_net access.
2016-01-27 01:26:57 +00:00
dcashman
5833e3f5ca Restore untrusted_app proc_net access.
Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4
2016-01-26 16:56:24 -08:00
dcashman
ee25c98428 Remove domain_deprecated from untrusted_app. am: cbf7ba18db
am: b768bd4642

* commit 'b768bd4642afb99f5ffaad46833e47c785667e3e':
  Remove domain_deprecated from untrusted_app.
2016-01-23 01:04:30 +00:00
dcashman
0503a40570 Temporarily allow untrusted_app to read proc files. am: 2193f766bc
am: d7ff314ada

* commit 'd7ff314adabc5646e77b844335408201811412d9':
  Temporarily allow untrusted_app to read proc files.
2016-01-23 01:04:27 +00:00
dcashman
cbf7ba18db Remove domain_deprecated from untrusted_app.
Bug: 22032619
Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
2016-01-22 15:51:41 -08:00
dcashman
2193f766bc Temporarily allow untrusted_app to read proc files.
Address the following denial:
01-22 09:15:53.998  5325  5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c
2016-01-22 15:49:42 -08:00
Marco Nelissen
2afb217b68 selinux rules for codec process
Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
2016-01-22 14:43:14 -08:00
Jeff Vander Stoep
02863a7ca7 grant appdomain rw perms to tun_device am: 2b935cd78d
am: 43412f6514

* commit '43412f6514a97572622e009e13f76a61c9d5f987':
  grant appdomain rw perms to tun_device
2016-01-08 23:37:31 +00:00
Jeff Vander Stoep
2b935cd78d grant appdomain rw perms to tun_device
Previously granted to only untrusted_app, allow all apps except
isolated_app read write permissions to tun_device.

avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file

Bug: 26462997
Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7
2016-01-08 15:02:33 -08:00
Johan Redestig
39e29b6f29 Neverallow isolated and untrusted apps to write system properties am: 0d8e9adf49
am: fc3b0dd350

* commit 'fc3b0dd350598fb8a9219b296f15ec241fbcdbb2':
  Neverallow isolated and untrusted apps to write system properties
2016-01-08 19:49:15 +00:00
Johan Redestig
0d8e9adf49 Neverallow isolated and untrusted apps to write system properties
and as a consequence open up for other appdomains (e.g. platform_app)
to write system properties.

Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7
2016-01-08 11:41:50 -08:00
Jeffrey Vander Stoep
ef0b7b1ae5 Merge "app: expand socket ioctl restrictions to all apps" 2016-01-06 18:51:00 +00:00
Jeff Vander Stoep
bb1ece494f app: expand socket ioctl restrictions to all apps
Exempt bluetooth which has net_admin capability.

Allow Droidguard to access the MAC address - droidguard runs in
priv_app domain.

Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1
2016-01-06 10:22:05 -08:00
Jeff Vander Stoep
4eb8d39db6 untrusted_app: remove mtp_device perms am: 956ca4c504
am: e139b40f0c

* commit 'e139b40f0c339654bdfa92f04f11fc6ed326b2fa':
  untrusted_app: remove mtp_device perms
2016-01-06 17:15:09 +00:00
Jeff Vander Stoep
956ca4c504 untrusted_app: remove mtp_device perms
No longer necessary after android.process.media moved to the
priv_app domain. Verified no new denials via audit2allow rule.

Bug: 25085347
Change-Id: I2d9498d5d92e79ddabd002b4a5c6f918e1eb9bcc
2016-01-06 17:05:28 +00:00
Jeff Vander Stoep
a8d89c3102 expand scope of priv_sock_ioctls neverallows
From self to domain

Change-Id: I97aeea67a6b66bc307715a050cf7699e5be9715e
2016-01-05 09:36:12 -08:00
Felipe Leme
e97bd887ca Creates a new permission for /cache/recovery am: 549ccf77e3
am: b16fc899d7

* commit 'b16fc899d718f91935932fb9b15de0a0b82835c8':
  Creates a new permission for /cache/recovery
2016-01-04 23:55:14 +00:00
Felipe Leme
549ccf77e3 Creates a new permission for /cache/recovery
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2016-01-04 23:11:28 +00:00
Nick Kralevich
06d10f6062 neverallow debugfs access am: 96b1c9ca6f
am: 0abe8cdbe0

* commit '0abe8cdbe0343edf547dfa4e71b6f09b4afa6f2a':
  neverallow debugfs access
2015-12-18 18:41:27 +00:00
Nick Kralevich
96b1c9ca6f neverallow debugfs access
Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.

Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.

Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
2015-12-17 16:46:08 -08:00
Andy Hung
e02e6c03a5 Merge "Add rules for running audio services in audioserver" 2015-12-11 20:10:34 +00:00
Jeff Vander Stoep
3a0ce49b86 Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-11 18:07:17 +00:00
Jeffrey Vander Stoep
4f9107df8f Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 12:14:50 -08:00
Jeffrey Vander Stoep
5ca5696e8b Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 18:19:04 +00:00
Jeffrey Vander Stoep
e0bc1627c4 Merge "Migrate to upstream policy version 30" am: 9a3d490edd am: 862e4ab15f
am: af56999ec2

* commit 'af56999ec2eef1b21b50b10c0292367b55ff15c2':
  Migrate to upstream policy version 30
2015-12-08 07:29:30 -08:00
Jeffrey Vander Stoep
862e4ab15f Merge "Migrate to upstream policy version 30"
am: 9a3d490edd

* commit '9a3d490edd843e544084c487422aa54f39080876':
  Migrate to upstream policy version 30
2015-12-08 07:22:25 -08:00
Jeff Vander Stoep
2ea23a6e1a Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-08 07:18:41 -08:00
Marco Nelissen
b03831fe58 Add rules for running audio services in audioserver
audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
2015-12-07 17:33:20 -08:00
Jeffrey Vander Stoep
e759543568 Merge "Further restrict access to tun_device" am: 98c3f9971f am: cd47828c12
am: 1484b0c369

* commit '1484b0c3690ec23729a160e5f3a1468a4816ab4d':
  Further restrict access to tun_device
2015-12-04 17:19:20 +00:00
Jeffrey Vander Stoep
cd47828c12 Merge "Further restrict access to tun_device"
am: 98c3f9971f

* commit '98c3f9971f4b551fd5578c63f77fa9111bed94ad':
  Further restrict access to tun_device
2015-12-04 01:38:37 +00:00
Jeff Vander Stoep
e555f4b971 Further restrict access to tun_device
Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
2015-12-03 15:56:04 -08:00
Jeff Vander Stoep
d20a46ef17 Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd
am: b476b95488

* commit 'b476b954882a48bf2c27da0227209c197dcfb666':
  Create attribute for moving perms out of domain
2015-11-04 00:07:02 +00:00
Jeff Vander Stoep
e2280fbcdd Create attribute for moving perms out of domain
am: d22987b4da

* commit 'd22987b4daf02a8dae5bb10119d9ec5ec9f637cf':
  Create attribute for moving perms out of domain
2015-11-03 23:56:50 +00:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Marco Nelissen
0f754edf7b Update selinux policies for mediaextractor process
Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
2015-10-27 12:58:04 -07:00
Jeff Vander Stoep
ad32785689 audit untrusted_app access to mtp_device am: 7b8f9f153e
am: 775dda1fb3

* commit '775dda1fb3641e3ea2be4124a9a77cb236648d6f':
  audit untrusted_app access to mtp_device
2015-10-23 18:12:32 +00:00
Jeff Vander Stoep
4b1c3de99a Temporarily downgrade to policy version number am: 0fc831c3b0
am: 312c2511f7

* commit '312c2511f7dfbebf110f1372db55d811bc1ad29f':
  Temporarily downgrade to policy version number
2015-10-23 18:12:28 +00:00
Jeff Vander Stoep
775dda1fb3 audit untrusted_app access to mtp_device
am: 7b8f9f153e

* commit '7b8f9f153edf7c8bbefe3d472c86419d8048e5dd':
  audit untrusted_app access to mtp_device
2015-10-23 18:05:09 +00:00