Input config should be under /odm when it's "device-specific",
instead of /vendor (for "SoC-specific").
However, not all device have /odm partition so having the fallback
symlink: /odm -> /vendor/odm is important
Bug: 112880217
Test: build
Change-Id: I294e2b172d06d58a42c51c128e448c7644f854dc
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for
mmap") added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation). The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific
files for which we need to ensure that every access is revalidated,
particularly useful for scenarios where we expect the file to be
relabeled at runtime in order to reflect state changes (e.g.
cross-domain solution, assured pipeline without data copying).
system/sepolicy commit 4397f08288 added
the map permission to common file macros, to ensure that file access
would continue working even in the presence of a newer kernel. However,
that change did not affect socket access.
Certain socket classes, such as AF_NETLINK and AF_PACKET, also support
mmap operations. This change adds the map permission to rw_socket_perms,
to ensure continued support for newer kernels.
This technically allows mmap even in cases where the socket family
doesn't support it (such as TCP and UDP sockets), but granting it
is harmless in those cases.
In particular, this fixes a bug in clatd, where the following error
would occur:
10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied
Test: policy compiles
Bug: 117791876
Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
Add a service in mediaswcodec to load updated codecs,
and restrict it to userdebug/eng. Reuse existing
mediaextractor_update_service since the codec update
service is identical, this avoids adding a new one
for now as we may not need the service anymore
after switching to APEX.
Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
Policy w.r.t to apps:
- cgroup access from untrusted apps and priv app is neverallow'ed.
- other apps (e.g. vendor apps) need to explicitly declare appropriate
access rules to cgroups.
Policy w.r.t native domains:
- libcutils exports API to /dev/{cpuset, stune}/*. This API is used
abundantly in native vendor code. So we are not going to limit non-app
access to cgroup.
Bug: 110043362
Bug: 117666318
Test: m selinux_policy, boot device
Change-Id: I83aee21ca3e8941725c70706769ea9dbdc76b9c5
This does not actually grant any permissions but just adds the
necessary boilerplate for a new service.
Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
This is needed to find the file on the raw block device, so it can be
securely deleted.
Addresses the following denials:
type=1400 audit(0.0:492): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/10/current/encrypted_key" dev="dm-3" ino=9984 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:517): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/11/current/secdiscardable" dev="dm-3" ino=9581 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
type=1400 audit(0.0:694): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/0/current/keymaster_key_blob" dev="dm-3" ino=9903 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
Test: policy compiles and device boots
Change-Id: I1adf21b7fa92b1f92ce76532f4d9337a4d58a2e5
same_process_hal_file is exempted from many Treble neverallows. We want
to know which processes access this type to eventually constrain access
to it.
Bug: 37211678
Test: m selinux_policy
Change-Id: I61c0df21250eb1b1ae2d9c5fa9c801a828539813
We add this type with the intent to expose /system/bin/tcpdump to
vendor on userdebug devices only.
Bug: 111243627
Test: device boots /system/bin/tcpdump correctly labeled as
tcpdump_exec, can browse internet, turn wifi on/off
Change-Id: Icb35e84c87120d198fbb2b44edfa5edf6021d0f0
By convention, auditallow statements are typically put into
userdebug_or_eng blocks, to ensure we don't accidentally ship
unnecessary audit rules. Let's do the same here.
Test: policy compiles.
Change-Id: Ib3eac94284eea3c1ae2f3dacddcb2eaeca95230e
Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.
Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.
Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
Set up a new service for sw media codec services.
Bug: 111407413
Test: cts-tradefed run cts-dev --module CtsMediaTestCases --compatibility:module-arg CtsMediaTestCases:include-annotation:android.platform.test.annotations.RequiresDevice
Change-Id: Ia1c6a9ef3f0c1d84b2be8756eb1853ffa0597f8e
The auditallow added in 7a4af30b3 has not triggered. This is safe to
remove.
Test: device boots and no obvious problems.
Test: No audit messages seen since May 2018 on go/sedenials
Bug: 9496886
Bug: 68016944
Change-Id: I3861b462467e1fc31e67a263ad06716a4111dcb8
apex_service is already in the list of services dumpstate cannot find;
this ensures that the dontaudit list is the same. We hide the denial
caused by df reading one of its directories.
dumpstate can already call all binder services, so we enable it to
call bufferhubd.
Bug: 116711254
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxHostTest#testNoBugreportDenials
Change-Id: Ie5acc84326fa504199221df825549479f3cf50e1