Commit graph

101 commits

Author SHA1 Message Date
Nick Kralevich
c48971f69f allow system_server to set ro.build.fingerprint
Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See 5568772e81
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

  avc:  denied  { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
  init: sys_prop: permission denied uid:1000  name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
2014-11-18 22:44:31 +00:00
Nick Kralevich
4d9648e3e4 am b519949d: system_server: assert app data files never opened directly
* commit 'b519949df150ebe4fc9bf3db52542bb5d9238d4e':
  system_server: assert app data files never opened directly
2014-10-28 04:31:29 +00:00
Nick Kralevich
b519949df1 system_server: assert app data files never opened directly
Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.

This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700

Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d
2014-10-23 10:33:54 -07:00
Robin Lee
5871d1bc18 resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp
Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
2014-10-15 23:11:59 +01:00
Robin Lee
51bfecf49d Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-15 18:02:03 +00:00
Nick Kralevich
7fe94a1c79 am 2380d05f: allow system_server oemfs read access
* commit '2380d05f9791b6789b81e28ca8841df1b8b62c6d':
  allow system_server oemfs read access
2014-10-10 23:09:21 +00:00
Nick Kralevich
2380d05f97 allow system_server oemfs read access
Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d
2014-10-10 22:59:16 +00:00
dcashman
f37ce3f3e2 Add support for factory reset protection.
Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300a5)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
2014-09-19 18:58:02 -07:00
Robin Lee
72acd6bbbe Allow system reset_uid, sync_uid, password_uid
Permits the system server to change keystore passwords for users other
than primary.

(cherrypicked from commit de08be8aa0)

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
2014-09-11 11:21:56 -07:00
dcashman
43b8bc53ab resolved conflicts for merge of 47bd7300 to lmp-dev-plus-aosp
Change-Id: I9631fb1774893d2eeccd7f1f5a867cb5dd98d53d
2014-09-09 13:56:05 -07:00
dcashman
47bd7300a5 Add support for factory reset protection.
Address the following denials:
<12>[  417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[  417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
2014-09-08 14:27:45 -07:00
Robin Lee
f9ea564a9e am de08be8a: Allow system reset_uid, sync_uid, password_uid
* commit 'de08be8aa006c313e5025ba5f032abf786a39f71':
  Allow system reset_uid, sync_uid, password_uid
2014-08-29 23:55:15 +00:00
Robin Lee
de08be8aa0 Allow system reset_uid, sync_uid, password_uid
Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
2014-08-29 23:48:07 +01:00
Brian Carlstrom
bd6d1f385b am 09eae908: Remove system_server create access from /data/dalvik-cache
* commit '09eae90890d4a2545358b8ba104e1f2a46df1408':
  Remove system_server create access from /data/dalvik-cache
2014-08-29 11:39:57 +00:00
Brian Carlstrom
09eae90890 Remove system_server create access from /data/dalvik-cache
Bug: 16875245

(cherry picked from commit 372d0df796)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
2014-08-28 21:36:27 -07:00
Brian Carlstrom
372d0df796 Remove system_server create access from /data/dalvik-cache
Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
2014-08-28 21:15:38 -07:00
Sreeram Ramachandran
4a518b8bbf am 997461bd: Allow system_server to talk to netlink directly.
* commit '997461bda5aaedeabf48021e3291293e48501ef7':
  Allow system_server to talk to netlink directly.
2014-07-29 00:56:13 +00:00
Sreeram Ramachandran
997461bda5 Allow system_server to talk to netlink directly.
This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
2014-07-28 15:13:34 -07:00
Nick Kralevich
d065f0483c Resync lmp-dev-plus-aosp with master
A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf69632724
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c
2014-07-25 15:19:47 -07:00
Narayan Kamath
7d62aceef4 am aa8e657e: Revert "fix system_server dex2oat exec"
* commit 'aa8e657ef09d70d8ea5657b624022925d92f4711':
  Revert "fix system_server dex2oat exec"
2014-07-25 16:45:35 +00:00
Narayan Kamath
aa8e657ef0 Revert "fix system_server dex2oat exec"
This reverts commit 10370f5ff4.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
2014-07-25 15:37:27 +01:00
Stephen Smalley
9d24d52e97 am ba992496: Define debuggerd class, permissions, and rules.
* commit 'ba992496f01e40a10d9749bb25b6498138e607fb':
  Define debuggerd class, permissions, and rules.
2014-07-24 20:26:34 +00:00
Stephen Smalley
ba992496f0 Define debuggerd class, permissions, and rules.
Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-24 15:33:44 -04:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
d26357641d Remove auditallow from system_server.
system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7ca)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
2014-07-16 09:52:13 -07:00
Riley Spahn
5a25fbf7ca Remove auditallow from system_server.
system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

Change-Id: I27a05761c14def3a86b0749cdb895190bdcf9d71
2014-07-16 16:44:10 +00:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Nick Kralevich
10370f5ff4 fix system_server dex2oat exec
Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
2014-07-15 16:10:16 +00:00
Ed Heyl
81839dfb24 reconcile aosp (3a8c5dc05f) after branching. Please do not merge.
Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
2014-07-14 23:31:31 -07:00
Nick Kralevich
8395bb4ad0 fix system_server dex2oat exec
Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
2014-07-14 16:25:44 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Todd Poynor
3a8c5dc05f Allow oemfs search for system_server and bootanim
Address denials in devices that use /oem

Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403
2014-07-11 01:47:52 +00:00
Colin Cross
5d60f04e5d sepolicy: allow system server to remove cgroups
Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
2014-07-09 17:02:10 -07:00
Andres Morales
d8447fdfe1 Typedef+rules for SysSer to access persistent block device
Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
2014-07-09 16:08:16 -07:00
Jeff Sharkey
be092af039 Rules to allow installing package directories.
Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
    dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
    tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
2014-07-07 15:41:14 -07:00
Nick Kralevich
d00eff47fe system_server: bring back sdcard_type neverallow rule
We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba
2014-07-04 11:45:49 -07:00
Riley Spahn
596bcc7687 Remove keystore auditallow statements from system.
Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
2014-07-01 18:25:02 +00:00
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Nick Kralevich
8c6552acfb Allow system_server to read all /proc files
system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

  W/ProcessCpuTracker(12159): Skipping unknown process pid 1
  W/ProcessCpuTracker(12159): Skipping unknown process pid 2
  W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512
2014-06-25 09:32:08 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Paul Jensen
97a2cfdf66 Allow Bluetooth app to initiate DHCP service on bt-pan interface.
bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
2014-06-19 02:49:37 +00:00
Nick Kralevich
04e730b635 system_server: allow open /dev/snd and read files
system_server needs to open /dev/snd and access files
within that directory. Allow it.

system_server needs to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.

Addresses the following denial:

  system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir

and likely others

Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
2014-06-18 17:09:55 -07:00
Stephen Smalley
00b180dfb8 Eliminate some duplicated rules.
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-17 15:30:37 -04:00
Nick Kralevich
fad4d5fb00 Fix SELinux policies to allow resource overlays.
The following commits added support for runtime resource overlays.

  New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
  Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
  Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
2014-06-16 14:20:08 -07:00
Nick Kralevich
a76d9ddf6b system_server profile access
Still not fixed. *sigh*

Addresses the following denial:

<4>[   40.515398] type=1400 audit(15842931.469:9): avc: denied { read } for pid=814 comm="system_server" name="profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: I705a4cc9c508200ace46780c18b7112b62f27994
2014-06-13 21:29:56 -07:00
Nick Kralevich
96d9af4235 allow system_server getattr on /data/dalvik-cache/profiles
8670305177 wasn't complete. I thought
getattr on the directory wasn't needed but I was wrong. Not sure
how I missed this.

Addresses the following denial:

  <4>[   40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
2014-06-13 09:05:26 -07:00
Nick Kralevich
8670305177 Remove world-read access to /data/dalvik-cache/profiles
Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to
read/write profiling data.

Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
2014-06-12 14:56:05 -07:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Ruchi Kandoi
13d5886363 system_server: Adds permission to system_server to write sysfs file
Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.

Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8

Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2014-06-10 23:43:33 +00:00
Stephen Smalley
6bb672e6b3 Make the system_server domain enforcing.
Change-Id: I1ea20044bd6789dde002da7fc9613cfbf1ee2d23
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-09 02:45:53 +00:00