The current neverallow rule (compile time assertion)
neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.
However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.
Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.
Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:
* all app processes
* dumpstate
* system_server
* mediaserver
* surfaceflinger
Removing binder_service revokes this implicit access.
Add explicit access for system_server to make binder calls to
gatekeeperd.
Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.
Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
Settings needs to be able to access it when opening developer options.
Address the following denial:
avc: denied { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager
Bug: 20131472
Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b
Backup service needs to be accessible to all apps to notify the system when
something changes which is being backed-up.
Bug: 18106000
Change-Id: I8f34cca64299960fa45afc8d09110123eb79338b
Chrome's WebSQL implementation works by running sqlite in the
sandboxed renderer process, and sqlite expects to be able to
call flock() on the database file.
Bug: 20134929
Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
Commit 85ce2c706e removed hard link
support from create_file_perms, but system_server requires hard
link support for split APKs. Allow it.
Addresses the following denial:
audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
Steps to reproduce:
1) Find the directory "hellogoogle3.splitapk"
2) adb install-multiple -r hellogoogle3_incremental.apk
3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk
Expected:
2nd APK installs successfully.
Actual:
2nd APK fails to install.
Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7
On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:
% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing
which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.
Allow this behavior.
Addresses the following denial:
avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
Move the following services from tmp_system_server_service to appropriate
attributes:
jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats
Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
Required for PackageManagerService to perform restorecon recursively on a
staging dir.
Addresses the following denial:
avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
Bug: 19550105
Bug: 20087446
Change-Id: I0f6ebb79745091ecb4d6d3dbe92f65606b7469da
dumpstate runs "df" on all mounted filesystems. Allow dumpstate
to access /storage/emulated so df works.
Addresses the following denial:
avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.
Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.
Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
System services differ in designed access level. Add attributes reflecting this
distinction and label services appropriately. Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute. Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.
Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
Apps, shell and adbd should all have identical access to external
storage. Also document where we have files and/or symlinks.
Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
For the reasons explained in the pre-existing code, we don't want
to grant fsetid to netd, nor do we want denial messages to be
generated.
Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
Same change as 9819a6 but for nfc.
Nfc can receive bugreport data for beaming to another device.
This comes across as an open file descriptor. Allow nfc access
to bugreports.
Addresses the following denial:
avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2015-03-30-04-49-57.txt" dev="mmcblk0p27" ino=82334 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file op_res=-13 ppid=435 pcomm="main" tgid=23475 tgcomm="m.android.shell"
Change-Id: I3efefcdb46444a1a6520803cb5e68bbdf29d3ad6
Some devices still have pre-built binaries with text relocations
on them. As a result, it's premature to assert a neverallow rule
for files in /system
Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b
system_server no longer has universal service_manager_type permissions and so no
longer needs the auditallow rules therewith associated.
Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477
vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices.
When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.
Bug: 19993667
Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5
Executing dumpsys meminfo over the console shell requires that output go to the
console_device. meminfo passes a fd to each applicaiton thread so that it can
do this in IApplicationThread.dumpMemInfo(). Allow use of this fd.
Addresses the following denial:
type=1400 audit(1426793987.944:4224): avc: denied { read write } for pid=1809 comm="Binder_4" path="/dev/console" dev="tmpfs" ino=5684 scontext=u:r:platform_app:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file
Bug: 17135173
Change-Id: Id5340a1fb3c8dbf41bda427720c4a0047bc557fc
Add rules to let sgdisk read/write to pts when forked from vold.
avc: denied { read write } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:sgdisk:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
Also add rule to let it kick kernel to reload partition tables after
we finish editing them. Without this capability, it leaves this
message and violation:
Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.
avc: denied { sys_admin } for capability=21 scontext=u:r:sgdisk:s0 tcontext=u:r:sgdisk:s0 tclass=capability permissive=0
Change-Id: If26a40f9fd3b1ab2c50156ae8bdb128676521b57
Creates new directory at /data/misc/vold for storing key material
on internal storage. Only vold should have access to this label.
Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
