Allow system_server to unlink sockets created
by the wpa supplicant. This will resolve the following
denial seen across mutliple devices.
avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file
Change-Id: If3a8b1f270dfcd3dc6838eb8ac72e3d5004cc36d
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions. execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains. Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.
Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.
Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
system_server and app domains need to map dalvik-cache files with PROT_EXEC.
type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.
type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file
Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
I'm only seeing this denial on one device (manta), but it feels like
it should be part of the generic policy. I don't understand
why it's happening on only one device.
Addresses the following denial:
14.711671 type=1400 audit(1387474628.570:6): avc: denied { block_suspend } for pid=533 comm="InputReader" capability=36 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2
Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47
In 61dc350720, I forgot to allow
system_server to run getopt/getattr on the zygote socket.
Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6
lmkd low memory killer daemon
The kernel low memory killer logic has been moved to a new daemon
called lmkd. ActivityManager communicates with this daemon over a
named socket.
This is just a placeholder policy, starting off in unconfined_domain.
Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
Otherwise we break "adb root && adb shell svc power reboot",
which has the side effect of killing all of our test automation
(oops).
Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.
The following domains were deliberately NOT changed:
1) kernel
2) init
In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.
When we're ready to tighten up the rules for these domains,
we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.
For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.
Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.
Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.
Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This CL completes the renaming of domain system to system_server by
removing the "system" typealias that was temporarily added to avoid
breaking the build while the rename CLs are landing.
Change-Id: I05d11571f0e3d639026fcb9341c3476d44c54fca
This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.
Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.
Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
