On dm-verity errors, we catch uevents in ueventd and set the value
for a matching verity.* property. Allow ueventd to actually change
property values.
Needed by changes from
Ibb82953594d234f81ad21c40f524190b88e4ac8f
Change-Id: I79bc90733edf8a45b27e64795f4adfbb3bc028dc
Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See 5568772e81
for details.
Allow system_server to set ro.build.fingerprint
Addresses the following denial/error:
avc: denied { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
init: sys_prop: permission denied uid:1000 name:ro.build.fingerprint
Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service. A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them. A neverallow rule prevents us from allowing
qemu-props to set default_prop.
We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat. We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).
Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.
Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.
Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).
init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it. init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.
Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.
This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.
Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.
Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Resolves denials such as:
avc: denied { set } for property=ril.cdma.inecmmode scontext=u:r:radio:s0 tcontext=u:object_r:rild_prop:s0 tclass=property_service
This makes ril.cdma consistent with net.cdma.
We may ultimately need to coalesce rild_prop and radio_prop; they
were an attempt to distinguish what can be set by rild from what can be
set by com.android.phone, but the init property service DAC checking
permits any of them to be set by anything with the radio AID. We
presently allow rild to set either type, but radio can only set radio_prop.
Change-Id: Ia3852db187e52427e18075e24b2beab19dd59c1f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.
Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Our policy also has this entry:
net.rmnet_usb0. u:object_r:radio_prop:s0
Rather than trying to enumerate all possible variants, just reduce
the existing rmnet0 entry to rmnet so that it matches all properties
with that prefix.
Change-Id: Ic2090ea55282fb219eab54c96fd52da96bb18917
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.
Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.
Only support reading user input on userdebug / eng builds.
Steps to reproduce with the "crasher" program:
adb root
adb shell setprop debug.db.uid 20000
mmm system/core/debuggerd
adb sync
adb shell crasher
Addresses the following denials:
<5>[ 580.637442] type=1400 audit(1392412124.612:149): avc: denied { read } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[ 580.637589] type=1400 audit(1392412124.612:150): avc: denied { open } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[ 580.637706] type=1400 audit(1392412124.612:151): avc: denied { read write } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[ 580.637823] type=1400 audit(1392412124.612:152): avc: denied { open } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[ 580.637958] type=1400 audit(1392412124.612:153): avc: denied { ioctl } for pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d and
50e37b93ac, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
Properties under bluetooth. and persist.service.bdroid. are
considered Bluetooth-related properties.
Change-Id: Iee937d9a1184c2494deec46f9ed7090c643acda7
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.
Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.