Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.
This reverts commit 9de62d6ffe.
Bug: 17471434
Bug: 18609318
Change-Id: I9adaa9d0e4cb6a592011336e442e9d414dbac470
On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.
Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.
Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
Grant shell read access to /proc taken away by
commit: 0d3f7ddc70
Addresses the following denials encountered when running ps or top.
Bug: 18799966
Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
Address observed audit logs of the form:
granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager
in order to record existing relationships with services.
Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
SELinux domains wanting read access to /proc/net need to
explicitly declare it.
TODO: fixup the ListeningPortsTest cts test so that it's not
broken.
Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.
Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
Used to record the Android log messages, then on reboot
provide a means to triage user-space actitivies leading
up to a panic. A companion to the pstore console logs.
Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
Commit 92dfa31f78 added "seinfo=platform"
to all fixed UID domains. However, that caused problems for shared_relro.
shared_relro runs like an isolated app, and doesn't have an seinfo field
associated with it.
This causes a crash when system_server attempts to start shared_relro.
W art : PreZygoteFork called when we already have a zygote space.
E SELinux : seapp_context_lookup: No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a
E SELinux : selinux_android_setcontext: Error setting context for app with uid 1037, seinfo (null): Success
E Zygote : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed
F art : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort
I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a
W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process
F art : art/runtime/runtime.cc:331] Runtime aborting...
F art : art/runtime/runtime.cc:331] Aborting thread:
F art : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native
F art : art/runtime/runtime.cc:331] | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800
F art : art/runtime/runtime.cc:331] | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80
F art : art/runtime/runtime.cc:331] | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100
F art : art/runtime/runtime.cc:331] | stack=0xbe39d000-0xbe39f000 stackSize=8MB
F art : art/runtime/runtime.cc:331] | held mutexes= "abort lock" "mutator lock"(shared held)
F art : art/runtime/runtime.cc:331] kernel: (couldn't read /proc/self/task/1176/stack)
F art : art/runtime/runtime.cc:331] native: (backtrace::Unwind failed for thread 1176)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91)
F art : art/runtime/runtime.cc:331] at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227)
removing seinfo=platform from shared_relro fixed this bug, but then
revealed two new SELinux denials:
E SELinux : avc: denied { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
E SELinux : avc: denied { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
Add the needed SELinux rule.
Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
The su domain is always permissive, and will always be permissive.
It never makes sense to show su related denials, as they just cause
a false sense of alarm.
Suppress service_manager related denials. For example:
SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
SELinux : avc: denied { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
While I'm here, suppress other recent additionsl to security_classes as
well (keystore_key, debuggerd, drmservice)
Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9
Commit 0d08d4721a added two auditallow
statements. The intented purpose of the auditallow statement was:
auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.
As currently written, the auditallow rules aren't actionable. It's not
a problem by itself for init to access a /dev file or chr_file.
Rather, we care about when other domains access such files.
Currently, this generates a number of (expected) audit statements on
boot, which causes unnecessary confusion and makes people believe
that something is broken.
Remove the unactionable auditallow statements.
Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426
uncrypt needs to be able to read OTA files in GMS core's home
directory, which is protected with MLS. Mark uncrypt as an
mlstrustedsubject so that it can read the files.
Addresses the following denial (and probably others):
uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
Remove the auditallow line for uncrypt. Per dd053a9b89,
the auditallow line was added to confirm that uncrypt was actually
accessing the userdata block device. The access to the userdata block
device is definitely occurring, and auditing it doesn't add any value.
Remove the auditing.
Eliminates the following unnecessary audit lines:
avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
Tighten up userdata block access to write-only. uncrypt never reads
directly from the block device.
Testing:
1) Create the file /cache/recovery/command with a line like:
--update_package=/data/data/com.google.android.gms/foo.zip
2) Create the file /data/data/com.google.android.gms/foo.zip
(contents not important)
3) Run "setprop ctl.start pre-recovery"
Expected: No SELinux denials.
Actual: SELinux denials
Bug: 18875451
Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d
Addresses the following denials:
avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
On the Nexus 9, init.rc creates the /vendor -> /system/vendor
symlink, then a bit later removes the symlink, creates a
proper directory, and mounts /vendor on the directory.
The current permissive SELinux policy doesn't allow init to
remove the /vendor symlink, which eventually causes the following
errors:
avc: denied { unlink } for pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered
There was an attempt to reorder some of these operations so
we didn't have to create / delete the symlink, but it
doesn't seem to have gone well.
f67d6bd3c0
Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
Commit dc0ab516f11d8e2c413315e733e25a41ba468e4f changed the libsepol
structures on which sepolicy-analyze relies so that it could be compiled
as a C++ library. Reflect this change in sepolicy-analyze.
Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
Shell domain needs to be able to access system_server_services, e.g.
when running the pm command. Addresses the following denials:
10-07 00:59:26.901 178 178 E SELinux : avc: denied { find } for service=user scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
10-07 00:59:26.903 178 178 E SELinux : avc: denied { find } for service=package scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
Change-Id: I4cc2f31809a2615ba781e2ecfe2ca7d6f5226b73
It's beneficial to be able to overide this in a device makefile
if you need to get the domains into an unconfined state to keep
the logs from filling up on kernel entries without having to add
rules into device specific policy.
Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
needed to get to the swap device.
Addresses the following denial:
avc: denied { search } for pid=149 comm="mkswap" name="block" dev="tmpfs" ino=9947 scontext=u:r:toolbox:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
Change-Id: I0c897540f1c7950738622a013121a050a1f32b2f
Bluetooth can receive bugreport data for beaming to another device.
This comes across as an open file descriptor. Allow bluetooth access
to bugreports.
Addresses the following denial:
avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2014-12-19-15-35-32.txt" dev="dm-0" ino=662738 scontext=u:r:bluetooth:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
Change-Id: I7be2ce2e0e48323c1e8f932be17b434b89daf085
All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)
Also removed duplicate permission (from domain) in untrusted_app
Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
