The install_recovery script creates a new recovery image based
off of the boot image plus a patch on /system. We need to allow
read access to the boot image to allow the patching to succeed,
otherwise OTAs are broken.
Addresses the following denial:
type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
TODO: Add device specific labels for the boot image.
Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
When encrypting a device, or when an encrypted device boots,
a tmpfs is mounted in place of /data, so that a pseudo filesystem
exists to start system_server and related components. SELinux labels
need to be applied to that tmpfs /data so the system boots
properly.
Allow init to relabel a tmpfs /data.
Addresses the following denial:
[ 6.294896] type=1400 audit(29413651.850:4): avc: denied { relabelfrom } for pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
Steps to reproduce:
1) Go into Settings > Security > Encrypt Phone
2) Encrypt phone
3) See denial
4) reboot phone
5) See denial on boot
Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
Updating properties from ueventd may lead to deadlocks with init in rare
cases, which makes these changes unnecessary after all.
This reverts commit 47cd53a558.
Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da
STEPS TO REPRODUCE:
1. Connect the device to Mac.
2. Switch to AFT.
3. Now AFT on Mac will show the device contents.
4. Now drag and drop the file to device and observe.
EXPECTED RESULTS:
Should able to copy.
OBSERVED RESULTS:
Showing can not copy file and on clicking ok,
It shows device storage can not connect and close the AFT.
Addresses the following denial:
W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd
12310 12530 E MtpRequestPacket: Malformed MTP request packet
ps -Z entry:
u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media
Bug: 15835289
Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
capable(CAP_IPC_LOCK), and then checks to see the requested amount is
under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
does not need CAP_IPC_LOCK, so we suppress any denials we see
from clatd asking for this capability.
See https://android-review.googlesource.com/127940
Suppresses the following denial:
type=1400 audit(1424916750.163:7): avc: denied { ipc_lock } for pid=3458 comm="clatd" capability=14 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
Change-Id: Ica108f66010dfc6a5431efa0b4e58f6a784672d1
Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).
Needed by changes from
I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d
Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
Vold opens ASEC containsers on the sdcard, or OBB files from app's
home directories, both of which are supplied by vold. We need to
allow kernel threads to access those file descriptors.
Addresses the following denial:
loop0 : type=1400 audit(0.0:28): avc: denied { use } for path="/mnt/secure/asec/smdl1159865753.tmp.asec" dev="mmcblk1" ino=19 scontext=u:r:kernel:s0 tcontext=u:r:vold:s0 tclass=fd permissive=0
Bug: 19516891
Change-Id: I5a3607b48f5e0e504e4b3fcaec19152c3784f49d
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.
Addresses the following denials (and many more):
avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
This reverts commit 0f0324cc82
and commit 99940d1af5
Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
The recovery partition has been assigned a recovery_block_device
type for the AOSP devices, so install_recovery should not need
rw access to the generic block_device type. Remove it.
Change-Id: I31621a8157998102859a6e9eb76d405caf6d5f0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
SELinux policy booleans are prohibited in AOSP, so we can drop the
support for the sebool= input selector.
Change-Id: I5ae31247b2f68d90f6ae4c8830458f22c4ffc854
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Presently it ignores duplicate keys in seapp_contexts entries, e.g.
if you were to specify:
user=system seinfo=platform user=bluetooth domain=system_app type=system_app_data_file
checkseapp would ignore the duplicate and libselinux would end up using
the last value defined for the key in each line.
Change-Id: I18cadb0c1bf5a907e6fc6513df65aafed91d76fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a compile time assertion that no SELinux rule exists which
allows mounting on top of symbolic links, fifo files, or socket
files. Remove the capability from unconfined domains.
Change-Id: I6d7cc95cd17e2e5f165fa5948563800ed206bb71
The README jumped directly into using the BOARD_SEPOLICY_*
variables for device-specific policy; add a short introduction
describing what external/sepolicy contains and noting where to put
device-specific policy.
Change-Id: I3c800df93d70074384da993a689a5a0771ecb314
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart
Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Exempt unnamed pipes from the MLS constraints so that they can
be used for cross-user communications when passed over binder or
local socket IPC.
Addresses denials such as:
avc: denied { read } for path="pipe:[59071]" dev="pipefs" ino=59071 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fifo_file
Bug: 19087939
Change-Id: I77d494c4a38bf473fec05b728eaf253484deeaf8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On dm-verity errors, we catch uevents in ueventd and set the value
for a matching verity.* property. Allow ueventd to actually change
property values.
Needed by changes from
Ibb82953594d234f81ad21c40f524190b88e4ac8f
Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc
Presently it only detects complete duplicates if you specify -s (strict),
which is not used in the external/sepolicy Makefile, and it allows
overriding earlier entries that have the same input selectors (e.g.
user=, seinfo=) with different values for the output selectors (e.g.
domain=, type=). Thus, a device/<vendor>/<board>/sepolicy/seapp_contexts
file can override the external/sepolicy definitions, and even a single
seapp_contexts file can contain duplicated or conflicting definitions.
Make it always check strictly, and prohibit either duplicates on the
input selectors (i.e. overrides) or complete duplicates (redundant).
Change-Id: Id1e38133cbe31b796253101cfe3b111d1826bc8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
14d5619a1a added a neverallow
rule for System V IPC calls. Since this was still allowed
for unconfined domains, this broke user builds.
Remove System V IPC stuff from unconfined and fix the build.
Change-Id: Iea66a9f97a90f8db496f6fa34b5e9642ee926fe6
Android doesn't want to support System V IPC classes.
Ensure that it isn't supported by adding a neverallow rule
(compile time assertion).
Change-Id: I278d45960ee557917584f9137323b4cabfe140a9
This was observed when attempting to change volume for a bluetooth device
supporting AVRCP volume control.
Addresses the following denials:
avc: denied { find } for service=media.audio_flinger scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
avc: denied { find } for service=media.audio_policy scontext=u:r:bluetooth:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
Bug: 19341236
Change-Id: If7f2ff1ea9fc694bad700cf59f400f2d2df8c2dd
Commit a833763ba0 enabled per-user
isolation, which requires that any files / processes which cross
user boundaries be marked with the mlstrustedsubject attribute.
system_app_data_file, used for storing a user's profile photos,
is not marked as such. As a result, users are unable to add profile
photos.
Addresses the following denial:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82184 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_app_data_file:s0 tclass=file
Steps to reproduce:
1.Flash & Factory the Deb device with tip-of-tree build
2.Go to 'Settings-Users'
3.Under users&profiles,click on Owner to add profile photo.
4.Select 'Choose photo from Gallery' and select a photo.
5.Then click the 'Done' button.
6.Device showed the message as 'Unable to save the photo edits'.
OBSERVED RESULTS:
Unable to add user's profile photo id. This issue is coming for all
users(Restricted user,second user)also.
EXPECTED RESULTS:
Device should allow to add profile photo id.
Bug: 19170844
Change-Id: If657dc09dd391e63ca85320f9cc1728580e51a15
We allow chmod/chown of files / directories by init, but don't allow
init to search into subdirectories. Feels wrong.
Addresses the following denial:
avc: denied { search } for pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
which results from the following init.rc statement:
# pstore/ramoops previous console log
mount pstore pstore /sys/fs/pstore
chown system log /sys/fs/pstore/console-ramoops
chmod 0440 /sys/fs/pstore/console-ramoops
chown system log /sys/fs/pstore/pmsg-ramoops-0
chmod 0440 /sys/fs/pstore/pmsg-ramoops-0
Bug: 19050686
Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
The shell domain is already allowed to list and find all service_manager
objects, so extra auditing is pointless.
Bug: 18106000
Change-Id: I8dbf674fa7ea7b05e48e5bbc352b0c9593f2b627
Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.
Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
Address the following denial:
SELinux E avc: denied { find } for service=drm.drmManager scontext=u:r:radio:s0 tcontext=u:object_r:drmserver_service:s0
which occurs when a non-default SMS app sends an MMS. The message would be
stored into system automatically in MMS service (from phone process and phone
UID). The storing of the message involves the creation of
android.drm.DrmManagerClient instance.
Change-Id: Ic4e493f183c9ce7f7ac3f74f6ea062893ea67608
Add an SELinux neverallow rule (compile time assertion) that only
authorized SELinux domains are writing to files in /data/dalvik-cache.
Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache
* init
* zygote
* installd
* dex2oat
For zygote, installd, and dex2oat, these accesses make sense.
For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.
This change was motivated by the discussion
in https://android-review.googlesource.com/127582
Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.
The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.
Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd
system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.
This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.
Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.
Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.
This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.
Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.
Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571
Messenger can't send MMSes on the master branch. When Messenger sends
an MMS, it stores the message data in local file and publishes it
via a content provider. The URI is passed to the MMS API. The
MmsServiceBroker in system process gets the call and grant URI
permission to phone UID. The MmsService in phone process (and sharing
the phone UID) needs to read the URI to get message data to send.
Addresses the following denial:
type=1400 audit(0.0:32): avc: denied { read } for path="/data/data/com.google.android.apps.messaging/cache/rawmms/5394791820000274558.dat" dev="mmcblk0p28" ino=83180 scontext=u:r:radio:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
Change-Id: I2b694ff6c516714d3524e0613bae0f6773ed2e95
