Commit graph

40 commits

Author SHA1 Message Date
Marco Nelissen
c3ba2e5130 selinux rules for codec process
Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
2016-02-09 14:13:13 -08:00
Marco Nelissen
710d0a715f Trim media related nfc permissions
Change-Id: I5863c56a53419d2327ab62a7189034711cda7fcc
2016-02-05 21:31:50 -08:00
Marco Nelissen
b1bf83fd79 Revert "selinux rules for codec process"
This reverts commit 2afb217b68.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
2016-01-28 13:51:28 -08:00
Chien-Yu Chen
e0378303b5 selinux: Update policies for cameraserver
Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
2016-01-27 11:29:11 -08:00
Marco Nelissen
2afb217b68 selinux rules for codec process
Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
2016-01-22 14:43:14 -08:00
Marco Nelissen
b03831fe58 Add rules for running audio services in audioserver
audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
2015-12-07 17:33:20 -08:00
Jeff Vander Stoep
d20a46ef17 Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd
am: b476b95488

* commit 'b476b954882a48bf2c27da0227209c197dcfb666':
  Create attribute for moving perms out of domain
2015-11-04 00:07:02 +00:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Marco Nelissen
0f754edf7b Update selinux policies for mediaextractor process
Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
2015-10-27 12:58:04 -07:00
William Roberts
625a3526f1 Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 00:02:59 +00:00
dcashman
bd7f5803f9 Enforce more specific service access.
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 09:45:54 -07:00
dcashman
03a6f64f95 Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
2015-04-08 20:26:50 +00:00
dcashman
3cc6fc5ffb Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
2015-04-07 12:43:47 -07:00
dcashman
d4c78f4b3f Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
2015-04-07 16:59:38 +00:00
dcashman
4cdea7fc40 Assign app_api_service attribute to services.
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
2015-04-06 13:20:41 -07:00
dcashman
b075338d0e Assign app_api_service attribute to services.
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
2015-04-03 14:29:40 -07:00
dcashman
d12993f084 Add system_api_service and app_api_service attributes.
System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 11:20:00 -07:00
Johan Redestig
386a0f09dd nfc: allow sending bugreports via nfc
Same change as 9819a6 but for nfc.

Nfc can receive bugreport data for beaming to another device.
This comes across as an open file descriptor. Allow nfc access
to bugreports.

Addresses the following denial:

  avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2015-03-30-04-49-57.txt" dev="mmcblk0p27" ino=82334 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file op_res=-13 ppid=435 pcomm="main" tgid=23475 tgcomm="m.android.shell"

Change-Id: I3efefcdb46444a1a6520803cb5e68bbdf29d3ad6
2015-04-02 11:24:31 +02:00
dcashman
8af4e9cb00 Record observed service accesses.
Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
2015-04-01 14:30:46 -07:00
dcashman
23f336156d Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:38:07 -08:00
dcashman
7818711ab9 Allow nfc nfc and radio service access.
Address the following denials:
SELinux : avc:  denied  { find } for service=phone scontext=u:r:nfc:s0 tcontext=u:object_r:radio_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=nfc scontext=u:r:nfc:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18929632

Change-Id: I54c3d194f9401eb5dc6f2114ebddea241c433f71
2015-01-15 14:00:47 -08:00
dcashman
4a89cdfa89 Make system_server_service an attribute.
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2015-01-14 13:54:26 -08:00
dcashman
3fbeb180db Allow find access to drmserver_service from nfc and
platform_app.

Address the following denials:
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manage
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

Bug: 18831075
Change-Id: I2c162f58f4adae9f6c544f9d9c6a9300877b4f36
2014-12-22 17:32:44 -08:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Martijn Coenen
9ac7df2280 Allow NFC to read/write nfc. system properties.
(cherry pick of commit 05383ebfb4)

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97
2014-09-26 13:57:02 -07:00
Riley Spahn
603bc20509 Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 09:24:13 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
85708ec4f9 Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00
Nick Kralevich
629c98c211 Fix NFC image transfer
Image transfer over NFC is broken.

  STEPS TO REPRODUCE:
  -----------------------------------------
  1. Launch Gallery and open any picture
  2. Keep two devices close each other
  3. Tap on 'Touch to Beam' option on sender device and observe receiver device

  OBSERVED RESULTS:
  'Beam did not complete' message showing in Notification window.

  EXPECTED RESULTS:
  Beam should complete successfully and able to share picture through Beam

  ADDITIONAL INFORMATION :
  Device : Hammerhead
  Reproducibility : 3/3

Addresses the following denials:

<5>[ 3030.955024] type=1400 audit(1391625834.066:72): avc:  denied  { call } for  pid=311 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:nfc:s0 tclass=binder
<5>[ 3049.606559] type=1400 audit(1391625852.716:74): avc:  denied  { write } for  pid=26850 comm="id.nfc:handover" name="0" dev="fuse" ino=3086221568 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.606802] type=1400 audit(1391625852.716:75): avc:  denied  { add_name } for  pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.607068] type=1400 audit(1391625852.716:76): avc:  denied  { create } for  pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610602] type=1400 audit(1391625852.716:77): avc:  denied  { remove_name } for  pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610870] type=1400 audit(1391625852.716:78): avc:  denied  { rename } for  pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Bug: 12891504
Change-Id: I10dc964db9249f53a2b4d8fe871ad9a036c423a2
2014-02-05 20:29:33 +00:00
Nick Kralevich
2e7a301fad Address bug report denials.
Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.

Two bugs here:

1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.

2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.

Addresses the following denials:

<5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
2014-01-21 12:34:38 -08:00
Stephen Smalley
56a1a7e9f4 Make nfc enforcing.
Change-Id: Ibb350951c9ec06feeb620358d3a207cedf8934c0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 10:25:43 -05:00
Stephen Smalley
5637099a25 Confine all app domains, but make them permissive for now.
As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 13:12:55 -04:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
William Roberts
f6f87105d4 Remove all denials caused by rild on tuna devices.
Tested on a maguro variant.
2012-06-07 11:52:51 -04:00
Stephen Smalley
f7948230ef Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton. 2012-03-19 15:58:11 -04:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00