Commit graph

106 commits

Author SHA1 Message Date
Elliott Hughes
b70abb6e05 Merge "Fix init's restorecon of /dev/kmsg."
am: c0937b6ebd

Change-Id: I06890bb6755d084f37bf6fb6564e4e1abeac8c06
2016-08-12 00:30:43 +00:00
Elliott Hughes
bbf7d257b1 Fix init's restorecon of /dev/kmsg.
Bug: http://b/30699558
Change-Id: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69
Merged-In: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69
2016-08-11 15:19:23 -07:00
dcashman
5e6aa65f62 resolve merge conflicts of 5423db6 to stage-aosp-master
Change-Id: I16706423534069f69bd0305ac500a9cd74db55a6
2016-08-05 15:01:15 -07:00
Daniel Micay
5423db6eb3 restrict access to timing information in /proc
These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.

The /proc/interrupts and /proc/stat files were covered in this paper:

https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/

The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.

Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.

Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-08-05 13:57:25 -04:00
Daniel Rosenberg
c15090b315 sepolicy: Add policy for sdcardfs and configfs
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
2016-07-22 13:34:23 -07:00
Yongqin Liu
47b12481cd Merge \"init.te: allow writting to /proc/sys/vm/overcommit_memory\"
am: 87f2ca2d43

Change-Id: Ia0ebfddad770c09ded5fecd2273f78d560507e9f
2016-07-11 19:17:46 +00:00
Yongqin Liu
b34480dcbd init.te: allow writting to /proc/sys/vm/overcommit_memory
Since there is "write /proc/sys/vm/overcommit_memory 1" line in init.rc

Change-Id: I5899d2802e7fa56b438a06d4cadb4eb6827bfe16
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2016-07-08 07:49:04 +08:00
Christian Poetzsch
6b2d897822 sepolicy: add support for new tracefs am: 4dafa72ac9
am: 0b26e99b68

* commit '0b26e99b6870dc6ae5b9bc146b83c9537f9a5dc1':
  sepolicy: add support for new tracefs

Change-Id: I9189f98cb7cff87c412c7b3e09030c723b70abd7
2016-05-13 14:55:24 +00:00
Christian Poetzsch
4dafa72ac9 sepolicy: add support for new tracefs
Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799

Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2016-05-13 12:38:15 +00:00
Jeff Vander Stoep
d984c445bb allow init to read symlinks in sys am: 912f3c10b3
am: 86e46d22fd

* commit '86e46d22fd102d12946c4b704723a434f0eaa451':
  allow init to read symlinks in sys

Change-Id: I699cf59b024877f767237104a330f30ad25c7be2
2016-05-10 20:30:23 +00:00
Jeff Vander Stoep
912f3c10b3 allow init to read symlinks in sys
avc: denied { read } for name="device" dev="sysfs" ino=36099 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_rmtfs:s0 tclass=lnk_file

init is already allowed to read directories, this is an obvious omission.

Change-Id: I5131a84bb67e73aaed235c3cbab95c365eaaa2f0
2016-05-10 11:30:53 -07:00
Yabin Cui
466fd7fac8 Merge "Allow init and vold writing misc block device." into nyc-dev
am: 541e9d5

* commit '541e9d50d1ee071895b5e33c519018e5ce3635a1':
  Allow init and vold writing misc block device.

Change-Id: Ifcf032d5afd8b576246ba5c8e00c039bbf6e8059
2016-04-09 01:09:28 +00:00
Yabin Cui
c1a23d0497 Allow init and vold writing misc block device.
Bug: 27176738
Change-Id: Ib52bb94973d20591dd440cea42aadfa53d476848
2016-04-07 11:13:28 -07:00
William Roberts
8519b61ddd init: keep init out of system_app sandboxes am: 536b333
am: fc4e3c5

* commit 'fc4e3c55dd6e7777e1be28eeb7fcbceffa43f6ae':
  init: keep init out of system_app sandboxes

Change-Id: I1304edf2873669810fec9b2d334615a91d97e0ec
2016-04-05 21:42:21 +00:00
William Roberts
536b33349c init: keep init out of system_app sandboxes
Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-04-05 16:44:40 +00:00
Nick Kralevich
39dbe762ce Merge "init: avoid lengthy allow rules" am: d25611d
am: 61a47b0

* commit '61a47b0aec351c3336c76197e9d0de81585bfb78':
  init: avoid lengthy allow rules

Change-Id: Idcab728745e6efcfbe49a5ee0493aec519e1e154
2016-04-05 00:09:49 +00:00
Nick Kralevich
8a8770cdac refine /data/misc/logd rules
(cherry pick from commit 6937aa93ac)

Followup to 121f5bfd80.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
Bug: 27965066
2016-04-01 12:45:19 -07:00
William Roberts
cf0d7f66e5 init: avoid lengthy allow rules
Some of the init allow rules were well passed 100 characters and
were difficult to read. Format them to use the one-per-line
set subtraction format as seen in other locations within sepolicy.

Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-30 09:40:46 -07:00
Nick Kralevich
060c980600 refine /data/misc/logd rules
am: 6937aa9

* commit '6937aa93ac0a36f19cb13b81a282dedcad324be5':
  refine /data/misc/logd rules
2016-03-28 17:28:38 +00:00
Nick Kralevich
6937aa93ac refine /data/misc/logd rules
Followup to 121f5bfd80.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
2016-03-28 09:21:00 -07:00
Mark Salyzyn
ab33c46905 init: logpersist access on debug
(cherry pick from commit 121f5bfd80)

03-25 09:31:22.996     1     1 W init    : type=1400 audit(0.0:8): \
  avc: denied { getattr } for path="/data/misc/logd/logcat.052" \
  dev="dm-2" ino=124778 scontext=u:r:init:s0 \
  tcontext=u:object_r:misc_logd_file:s0 tclass=file permissive=0
. . .

Introduced a new macro not_userdebug_nor_eng()

Change-Id: I9c3a952c265cac096342493598fff7d41604ca45
2016-03-25 14:40:40 -07:00
Mark Salyzyn
7d5f4f156a Merge "init: logpersist access on debug"
am: 0144eed

* commit '0144eedba57cc078112f95ca66d827f98ecf4a5b':
  init: logpersist access on debug
2016-03-25 21:21:17 +00:00
Mark Salyzyn
121f5bfd80 init: logpersist access on debug
03-25 09:31:22.996     1     1 W init    : type=1400 audit(0.0:8): \
  avc: denied { getattr } for path="/data/misc/logd/logcat.052" \
  dev="dm-2" ino=124778 scontext=u:r:init:s0 \
  tcontext=u:object_r:misc_logd_file:s0 tclass=file permissive=0
. . .

Introduced a new macro not_userdebug_nor_eng()

Change-Id: I9c3a952c265cac096342493598fff7d41604ca45
2016-03-25 13:05:07 -07:00
Daniel Rosenberg
bc2f0e50f2 Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
am: cf8719e

* commit 'cf8719e7bad53d6c38b2825b736c27c3f37dbf4e':
  sepolicy: Add policy for sdcardfs and configfs
2016-03-22 00:51:44 +00:00
Daniel Rosenberg
cf8719e7ba Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev 2016-03-22 00:46:48 +00:00
Janis Danisevskis
1c983327cf Leftovers of SELinux policy reload mechanism
Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6
2016-03-11 17:48:19 +00:00
Daniel Rosenberg
47fb4b9fc4 sepolicy: Add policy for sdcardfs and configfs
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
2016-03-07 11:57:08 -08:00
Alex Deymo
a52b561859 New postinstall domain and rules to run post-install program.
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

(cherry picked from commit 6cb2c893b1)

Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef
2016-03-04 15:49:15 -08:00
Alex Deymo
6cb2c893b1 New postinstall domain and rules to run post-install program.
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namelly, slot "B"), update_engine needs to
temporarly mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-02 15:33:12 -08:00
Sylvain Chouleur
9a28f90d6a init: allow to access console-ramoops with newer kernels
Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability a process accessing
console-ramoops file.

sepolicy must be adapted to this new requirement.

Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 16:42:31 +01:00
Bertrand SIMONNET
34e4da5fa9 Allows init to send signals.
This will allow init to terminate services cleanly (SIGTERM, wait,
SIGKILL) when needed.

Bug: 26216447
Test: manual: init is able to send a SIGTERM signal without denials.

Change-Id: Id2471ca08c0b011be64a36956628e965bc999bc6
2016-01-07 15:15:29 -08:00
dcashman
36f255ff52 Create sysfs_zram label.
Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 14:24:09 -08:00
Nick Kralevich
5beeb81e65 init.te: allow writing to /sys/kernel/debug/tracing/tracing_on
Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc

Also allow shell getattr access to the tracing file. That way
"ls -la" returns something meaningful.

Bug: 26217098
Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
2015-12-16 12:53:55 -08:00
Nick Kralevich
44826cb5e4 Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-07 17:04:49 -08:00
Tom Cherry
949d7cbc29 Support fine grain read access control for properties
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
2015-12-03 14:06:10 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Jeff Vander Stoep
483fd26735 Enforce no persistent logging on user builds
For userdebug and eng builds enforce that:

 - only logd and shell domains may access logd files

 - logd is only allowed to write to /data/misc/logd

Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
2015-09-21 17:04:00 -07:00
Nick Kralevich
4abd409af0 Relax neverallow rule for loading an updated SELinux policy.
Revert the neverallow change portion of
356df32778, in case others need to
do dynamic policy updates.

(cherrypicked from commit e827a8ab27)

Bug: 22885422
Bug: 8949824
Change-Id: If0745e7f83523377fd19082cfc6b33ef47ca0647
2015-08-24 15:24:56 -07:00
Nick Kralevich
6d0e9c8f4e init.te: delete kernel load policy support
Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

(cherrypicked from commit e827a8ab27)

Bug: 22885422
Bug: 8949824
Change-Id: I802cb61fd18a452a2bb71c02fe57cfce5b7e9dc8
2015-08-24 15:24:33 -07:00
Nick Kralevich
be98d9cff3 Add /data/local/tmp neverallow rules
Add a neverallow rule (compile time assertion) for /data/local/tmp
access. /data/local/tmp is intended entirely for the shell user, and
it's dangerous for other SELinux domains to access it. See, for example,
this commit from 2012:

  f3ef1271f2

Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe
2015-08-22 14:47:00 -07:00
Daniel Rosenberg
e244f2d355 Allow init to mount filesystems on properly labeled folders
Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
2015-07-27 15:37:25 -07:00
Nick Kralevich
f2c4e1283e neverallow service_manager / service_manager_type
Init never uses / add service manager services. It doesn't make
sense to allow these rules to init. Adding a rule of this type
is typically caused by a process inappropriately running in init's
SELinux domain, and the warning message:

  Warning!  Service %s needs a SELinux domain defined; please fix!

is ignored.

In addition, add neverallow rules to domain.te which prevent
nonsense SELinux service_manager rules from being added.

Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
2015-07-14 13:06:12 -07:00
Mark Salyzyn
0d22c6cec6 logd: logpersistd
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 13:56:01 -07:00
Paul Lawrence
f7163597f5 New ext4enc kernel switching from xattrs to ioctl
This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-04-29 15:44:46 -07:00
Paul Lawrence
13dec5fa5b Securely encrypt the master key
Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:28:16 -07:00
Paul Lawrence
3ee85ca6aa Revert "Securely encrypt the master key"
This reverts commit 5287d9a8e5.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a
2015-04-28 19:16:22 +00:00
Paul Lawrence
5287d9a8e5 Securely encrypt the master key
This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1
2015-04-27 20:04:10 +00:00
Nick Kralevich
e05487acc3 init.te: Don't allow mounting on top of /proc
Don't allow init to mount on top of /proc. See
https://android-review.googlesource.com/148295 for details.

Change-Id: I65f66b39f3a5bfb72facb9f716f4537ac2237af1
2015-04-25 15:54:11 -07:00
Elliott Hughes
5aac86dc06 Revert "Revert "SELinux policy changes for re-execing init.""
This reverts commit c450759e8e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 12:28:12 -07:00
Nick Kralevich
c450759e8e Revert "SELinux policy changes for re-execing init."
shamu isn't booting.

This reverts commit 46e832f562.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
2015-04-24 16:59:43 +00:00