It seems likely that there is no reason to keep around a number of
devices that are configured to be included into the pixel kernels. Init
and ueventd should be the only processes with r/w access to these
devices, so auditallow rules have been added to ensure that they aren't
actually used.
/dev/keychord was given its own type since it's one of the few character
devices that's actually legitimately used and would cause log spam in
the auditallow otherwise.
Bug: 33347297
Test: The phone boots without any apparent log spam.
Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
This leaves only the existence of ephemeral_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private. There are a few rules, defined by other domains'
files remaining in the public policy until the rules from these
domains also move to the private policy:
allow ephemeral_app_current appdomain:binder transfer;
allow ephemeral_app_current audioserver_current:binder transfer;
allow ephemeral_app_current drmserver_current:binder transfer;
allow ephemeral_app_current dumpstate_current:binder transfer;
allow ephemeral_app_current mediaserver_current:binder transfer;
allow ephemeral_app_current surfaceflinger_current:binder transfer;
allow ephemeral_app_current system_server_current:binder transfer;
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from platform_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I98687181434a98a141469ef676c461fcd1db2d4e
This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from platform_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da
No relevant collected denials.
Test: device boots and no obvious problems.
Test: no collected denials.
Bug: 28760354
Change-Id: Idcf939b3cbdb1dec835d59150181047d062e6c48
Allow storaged to read /proc/[pid]/io
Grant binder access to storaged
Add storaged service
Grant storaged_exec access to dumpstate
Grant storaged binder_call to dumpstate
Bug: 32221677
Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
No denials collected.
Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec
No audits have been recorded for these rules. Remove them.
Originally added for backwards compatibility in
549ccf77e3 as part of the split
between cache_file and cache_recovery_file.
Bug: 25351711
Test: No audit records recorded
Change-Id: I5133028b5fcc99a731aabea90305171dee0edf47
Don't allow processes to list out the contents of the directory
/dev/__properties__. This is an implementation specific detail that
shouldn't be visible to processes.
Test: Device boots and no problems reading individual properties.
Test: ls -la /dev/__properties__ fails
Change-Id: I4df6a829b0d22e30fb2c38030c690fc4a356f6a3
This leaves only the existence of system_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from system_app_current
attribute (as expected).
Bug: 31364497
Change-Id: Ifc7d350ed9749a32b0c38a78ac5f41c819dbdb96
This leaves only the existence of isolated_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from isolated_app_current
attribute (as expected).
Bug: 31364497
Change-Id: I499a648e515628932b7bcd188ecbfbe4a247f2f3
This leaves the existence of priv_app domain as public API. All other
rules are implementation details of this domain's policy and are thus
now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from priv_app_current
attribute (as expected) except for
allow priv_app_current update_engine_current:binder transfer;
which is caused by public update_engine.te rules and will go
away once update_engine rules go private.
Bug: 31364497
Change-Id: Iea583127fbf0a19c37dd42bf1ef2ae0454793391
This leaves only the existence of untrusted_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.
Test: No change to policy according to sesearch, except for
disappearance of all allow rules from untrusted_domain_current
attribute (as expected).
Bug: 31364497
Change-Id: Ief71fa16cfc38437cbe5c58100bba48b9a497c92
Commit fee49159e introduced the net_radio_prop and system_radio_prop
properties, and added allow rules for backwards compatibility. In
addition, auditallow rules were added to see if the allow rules were
necessary.
The auditallow rules for radio net_radio_prop are triggering, so it's
clear these properties are being set by the radio process. Drop the
auditallow statement.
Test: policy compiles.
Change-Id: I7fa6df18ed4dd4cb8e0c9098373cc28134615330
/proc/tty/drivers is read by applications to figure out if they are
running in an emulated environment. Specifically, they look for the
string "goldfish" within that file.
Arguably this is not an Android API, and really shouldn't be exposed to
applications, but:
1) A largish number of applications break if they can't read this file;
2) The information here isn't particularly sensitive
While we could spend a bunch of time trying to get applications fixed,
there are bigger fish to fry. It's not worth the battle.
Test: "ls -laZ /proc/tty/drivers" is labeled properly.
Bug: 33214085
Bug: 33814662
Bug: 33791054
Bug: 33211769
Bug: 26813932
Change-Id: Icc05bdc1c917547a6dca7d76636a1009369bde49
Allow init to send userspace generated SELinux denials to the kernel
audit subsystem.
Test: "setprop asdf asdf" from the unprivileged adb shell user
generated an SELinux denial processed by logd.
Bug: 27878170
Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1
We allow domains to manually transition to logpersist for userdebug
or eng debug logging permissions that would be counter to monitoring
limits on a released user build.
Test: compile
Bug: 30566487
Change-Id: I03a81c75cbd2b44617e4b27c4c083a26a0e0fa87
6e4508e625 inadvertently removed access
to ro.serialno and ro.boot.serialno from ADB shell. This is needed for
CTS. This commit thus reinstates the access.
Test: adb shell getprop ro.serialno
Bug: 33700679
Change-Id: I62de44b1631c03fcd64ceabaf33bbaeb869c2851
This removes access to Bluetooth system properties from arbitrary
SELinux domains. Access remains granted to init, bluetooth, and
system_app domains. neverallow rules / CTS enforce that access is not
granted to Zygote and processes spawned from Zygote expcept for
system_app and bluetooth.
The reason is that some of these properties may leak persistent
identifiers not resettable by the user.
Test: Bluetooth pairing and data transfer works
Bug: 33700679
Change-Id: Icdcb3927a423c4011a62942340a498cc1b302472
ro.runtime.firstboot system property is only used internally by
system_server to distinguish between first start after boot from
consecutive starts (for example, this happens when full-disk
encryption is enabled). The value of the property is a
millisecond-precise timestamp which can help track individual
device. Thus apps should not have access to this property.
Test: Device boots fine, reading ro.runtime.firstboot from an app results in an error and SELinux denial.
Bug: 33700679
Change-Id: I4c3c26a35c5dd840bced3a3e53d071f45317f63c
SELinux policy compiler complained about a quote inside the
recovery_only section of recovery.te. This section's contents are
inside quotes and thus can't contain quotes.
Test: mmm system/sepolicy produces no warnings
Bug: 33700679
Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8
