Stephen Smalley
945fb56766
Confine hostapd, but leave it permissive for now.
...
Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-18 11:25:10 -08:00
Jeff Sharkey
4ab2983596
am 35e8dcc9: Merge "Let vold mount OBB files on external storage." into klp-dev
...
* commit '35e8dcc9ba40c6419f63d0a516c0995d3064f96e':
Let vold mount OBB files on external storage.
2013-11-14 16:26:18 -08:00
Jeff Sharkey
35e8dcc9ba
Merge "Let vold mount OBB files on external storage." into klp-dev
2013-11-15 00:19:25 +00:00
Jeff Sharkey
80176dc445
Let vold mount OBB files on external storage.
...
Fixes this specific violation:
type=1400 audit(1384468728.202:16): avc: denied { read write } for
pid=271 comm="vold" name="test1.obb" dev="fuse" ino=3100664872
scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_internal:s0
tclass=file
Bug: 11693888
Change-Id: I45d30ecabdf0bc8871f3dd67b5695ac909109d9a
2013-11-14 16:11:56 -08:00
Nick Kralevich
e0068ecce3
am 24fb24f7: am ae49e7a3: Merge "Confine tee, but leave it permissive for now."
...
* commit '24fb24f7ea1bf74bc1234394b81955e0aab6943f':
Confine tee, but leave it permissive for now.
2013-11-14 11:37:53 -08:00
Nick Kralevich
24fb24f7ea
am ae49e7a3: Merge "Confine tee, but leave it permissive for now."
...
* commit 'ae49e7a3691137b5276254074b2c282bcdfee523':
Confine tee, but leave it permissive for now.
2013-11-14 11:34:11 -08:00
Nick Kralevich
ae49e7a369
Merge "Confine tee, but leave it permissive for now."
2013-11-14 19:29:27 +00:00
Nick Kralevich
c6a3f60cbe
am 678420e0: am 6ce3d60c: Merge "Confine rild, but leave it permissive for now."
...
* commit '678420e023c6f143fb99cfed031397e732960410':
Confine rild, but leave it permissive for now.
2013-11-14 08:50:01 -08:00
Stephen Smalley
87d0deb3ab
am 67a53232: am b1cb3205: Confine wpa_supplicant, but leave it permissive for now.
...
* commit '67a53232cec967ca53e6f7284fd582a5bdd3eb69':
Confine wpa_supplicant, but leave it permissive for now.
2013-11-14 08:50:00 -08:00
Nick Kralevich
678420e023
am 6ce3d60c: Merge "Confine rild, but leave it permissive for now."
...
* commit '6ce3d60ca39dd37f0de4bcd81620b3611cd28e14':
Confine rild, but leave it permissive for now.
2013-11-14 08:46:49 -08:00
Stephen Smalley
67a53232ce
am b1cb3205: Confine wpa_supplicant, but leave it permissive for now.
...
* commit 'b1cb3205cad978399fa7c9dcafed607fe5d07de6':
Confine wpa_supplicant, but leave it permissive for now.
2013-11-14 08:46:49 -08:00
Nick Kralevich
6ce3d60ca3
Merge "Confine rild, but leave it permissive for now."
2013-11-14 16:44:24 +00:00
Stephen Smalley
dcbab907ea
Confine rild, but leave it permissive for now.
...
Change-Id: I6df9981b2af0150c6379a0ebdbe0a8597c994f4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:32:22 -05:00
Stephen Smalley
72a4745919
Confine tee, but leave it permissive for now.
...
Change-Id: Id69b1fe80746429a550448b9168ac7e86c38aa9f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:31:44 -05:00
Stephen Smalley
b1cb3205ca
Confine wpa_supplicant, but leave it permissive for now.
...
Change-Id: Iaa4ed5428d1c49cb4cff3a39c48800cb108f2ac3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:30:55 -05:00
Nick Kralevich
0e11233dc1
am 360d4120: netd: allow tcp_socket name_connect
...
* commit '360d4120ecc3afba68852ee57b528334dfcaa859':
netd: allow tcp_socket name_connect
2013-11-13 12:18:15 -08:00
Nick Kralevich
b9d93b0138
am ace68b1e: am 91ebcf33: netd: allow tcp_socket name_connect
...
* commit 'ace68b1e06a2f5c433f4f7dd191e71411e86541f':
netd: allow tcp_socket name_connect
2013-11-13 12:11:27 -08:00
Nick Kralevich
ace68b1e06
am 91ebcf33: netd: allow tcp_socket name_connect
...
* commit '91ebcf33326418ed9603e618ad193550646c3b04':
netd: allow tcp_socket name_connect
2013-11-13 12:08:17 -08:00
Nick Kralevich
360d4120ec
netd: allow tcp_socket name_connect
...
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.
Fixes the following denial:
<5>[ 82.120746] type=1400 audit(1830030.349:5): avc: denied { name_connect } for pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631
(cherry picked from commit 91ebcf3332)
Change-Id: I62bba8777a5c8af1c0143e7ca2d915129ef38798
2013-11-13 11:51:46 -08:00
Nick Kralevich
91ebcf3332
netd: allow tcp_socket name_connect
...
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.
Fixes the following denial:
<5>[ 82.120746] type=1400 audit(1830030.349:5): avc: denied { name_connect } for pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631
Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
2013-11-13 11:32:13 -08:00
Nick Kralevich
d8c9d74d96
am 59078a94: netd: allow tcp connections.
...
* commit '59078a940d72aef9f9e3f1e15f828cc44a101e3b':
netd: allow tcp connections.
2013-11-13 10:08:30 -08:00
Nick Kralevich
59078a940d
netd: allow tcp connections.
...
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.
Addresses the following denial:
[ 1831.586826] type=1400 audit(1384129166.563:173): avc: denied { create } for pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631
(cherry picked from commit 36a5d109e6)
Change-Id: Id2e383e1c74a26ef7e56499a33bf2b06b869c12b
2013-11-13 09:56:21 -08:00
Nick Kralevich
e6da07b738
am b391269f: am 36a5d109: netd: allow tcp connections.
...
* commit 'b391269f972e3138e1c1640144c6bc9614fe9509':
netd: allow tcp connections.
2013-11-13 09:54:12 -08:00
Nick Kralevich
b391269f97
am 36a5d109: netd: allow tcp connections.
...
* commit '36a5d109e6953c63d2a865eab4c4d021aa52250b':
netd: allow tcp connections.
2013-11-13 09:50:23 -08:00
Nick Kralevich
36a5d109e6
netd: allow tcp connections.
...
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.
Addresses the following denial:
[ 1831.586826] type=1400 audit(1384129166.563:173): avc: denied { create } for pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket
Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Change-Id: Ia542a9df3e466a8d409955bab6a23a524ff3d07b
Bug: 11097631
2013-11-13 06:29:29 -08:00
Stephen Smalley
49146335f4
am 868a9e26: am 8510d31e: Rename camera_calibration_file and audio_firmware_file.
...
* commit '868a9e26cfe2931ae419056b348b479b9ae92f3a':
Rename camera_calibration_file and audio_firmware_file.
2013-11-12 14:58:51 -08:00
Stephen Smalley
868a9e26cf
am 8510d31e: Rename camera_calibration_file and audio_firmware_file.
...
* commit '8510d31ed3b5d53c2232b7aac5f65b32d38753d0':
Rename camera_calibration_file and audio_firmware_file.
2013-11-12 14:55:33 -08:00
Stephen Smalley
8510d31ed3
Rename camera_calibration_file and audio_firmware_file.
...
Use more general type names for the contents of /data/misc/camera and
/data/misc/audio. These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy. So we may as well switch
AOSP to these names.
Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.
Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names
to the new ones. Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.
Option #2 is implemented by this change.
Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-12 17:01:44 -05:00
Nick Kralevich
fb2ca12e25
am bc4484b2: am bc1388d3: Merge "Make kernel / init enforcing"
...
* commit 'bc4484b2c29b7cc1598b6d09328888e5fe696913':
Make kernel / init enforcing
2013-11-12 09:35:55 -08:00
Nick Kralevich
c9562376ba
am 14f95109: am 56f39193: Merge "Confine debuggerd, but leave it permissive for now."
...
* commit '14f95109b702996c2ca8dc9dd2556a6e9947eaa4':
Confine debuggerd, but leave it permissive for now.
2013-11-12 09:35:55 -08:00
Nick Kralevich
bc4484b2c2
am bc1388d3: Merge "Make kernel / init enforcing"
...
* commit 'bc1388d34cae1cdd71284b38066a287f969a4b52':
Make kernel / init enforcing
2013-11-12 09:32:52 -08:00
Nick Kralevich
14f95109b7
am 56f39193: Merge "Confine debuggerd, but leave it permissive for now."
...
* commit '56f391930142d02c66852e5cd4ebf7d83b65f80d':
Confine debuggerd, but leave it permissive for now.
2013-11-12 09:32:52 -08:00
Nick Kralevich
bc1388d34c
Merge "Make kernel / init enforcing"
2013-11-12 17:30:01 +00:00
Nick Kralevich
56f3919301
Merge "Confine debuggerd, but leave it permissive for now."
2013-11-12 17:28:21 +00:00
Stephen Smalley
4ca16a5740
am a9ccd7dc: am af47ebb6: Label /dev/fscklogs and allow system_server access to it.
...
* commit 'a9ccd7dce97460656adc355c3896852314b6d62e':
Label /dev/fscklogs and allow system_server access to it.
2013-11-11 11:58:33 -08:00
Stephen Smalley
a9ccd7dce9
am af47ebb6: Label /dev/fscklogs and allow system_server access to it.
...
* commit 'af47ebb67aa64d699615693bf4603ec173417175':
Label /dev/fscklogs and allow system_server access to it.
2013-11-11 11:56:04 -08:00
Stephen Smalley
af47ebb67a
Label /dev/fscklogs and allow system_server access to it.
...
Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-11 11:52:24 -08:00
Nick Kralevich
47f8bbad00
am c1468d45: am 00739e3d: Make the ueventd domain enforcing.
...
* commit 'c1468d454e73d5c0de2e567fb60a2c984c8d00c0':
Make the ueventd domain enforcing.
2013-11-11 08:48:01 -08:00
Nick Kralevich
c1468d454e
am 00739e3d: Make the ueventd domain enforcing.
...
* commit '00739e3d14f2f1ea9240037283c3edd836d2aa2f':
Make the ueventd domain enforcing.
2013-11-11 08:40:13 -08:00
Nick Kralevich
b1d81645b3
Make kernel / init enforcing
...
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.
Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
2013-11-08 15:44:30 -08:00
Nick Kralevich
00739e3d14
Make the ueventd domain enforcing.
...
All (known) denials have been addressed.
Change-Id: Ic12ed190a2efb7f20be589137a27b95d03dde25a
2013-11-08 08:34:46 -08:00
Stephen Smalley
72d25ce196
am b53788de: am a7716718: Label /data/misc/media and allow mediaserver access to it.
...
* commit 'b53788de984f05bff63c1a617cea4e1fbab9cfbb':
Label /data/misc/media and allow mediaserver access to it.
2013-11-07 16:29:39 -08:00
Stephen Smalley
b53788de98
am a7716718: Label /data/misc/media and allow mediaserver access to it.
...
* commit 'a771671877d306804dbbf5a8e6baa03c877f890d':
Label /data/misc/media and allow mediaserver access to it.
2013-11-07 16:27:03 -08:00
Stephen Smalley
a771671877
Label /data/misc/media and allow mediaserver access to it.
...
Otherwise we get denials like these on 4.4:
type=1400 audit(1383590170.360:29): avc: denied { write } for pid=61 comm="mediaserver" name="media" dev="mtdblock1" ino=6416 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc: denied { add_name } for pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc: denied { create } for pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590170.360:29): avc: denied { write open } for pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc: denied { write } for pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc: denied { open } for pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Change-Id: Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-07 16:22:50 -08:00
Geremy Condra
9443965cfb
am eac6e590: am ddf98fa8: Neverallow access to the kmem device from userspace.
...
* commit 'eac6e59020eee640e08fdbf055ed2b78e6c5095e':
Neverallow access to the kmem device from userspace.
2013-11-07 16:22:44 -08:00
Geremy Condra
eac6e59020
am ddf98fa8: Neverallow access to the kmem device from userspace.
...
* commit 'ddf98fa8cf11000f91329945abc23ee791adfe69':
Neverallow access to the kmem device from userspace.
2013-11-07 16:20:39 -08:00
Geremy Condra
ddf98fa8cf
Neverallow access to the kmem device from userspace.
...
Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
2013-11-07 16:17:32 -08:00
Nick Kralevich
45536dfda1
am 7bc576d5: am 0ea4ac8a: Merge "Move goldfish-specific rules to their own directory."
...
* commit '7bc576d5d37c079a0cb922a1d76eb419cafecc55':
Move goldfish-specific rules to their own directory.
2013-11-07 15:21:04 -08:00
Nick Kralevich
7bc576d5d3
am 0ea4ac8a: Merge "Move goldfish-specific rules to their own directory."
...
* commit '0ea4ac8a12efa2f847625917f35b5cbedec3853a':
Move goldfish-specific rules to their own directory.
2013-11-07 15:18:36 -08:00
Nick Kralevich
0ea4ac8a12
Merge "Move goldfish-specific rules to their own directory."
2013-11-07 23:16:50 +00:00