Commit graph

1036 commits

Author SHA1 Message Date
Nick Kralevich
ca9ba328ba Merge "Make ping enforcing." 2013-12-11 19:11:05 +00:00
Nick Kralevich
21a6a6b507 Merge "Allow system_app to set properties" 2013-12-11 17:08:56 +00:00
Nick Kralevich
b71be5cfbf Merge "Make the runas domain enforcing." 2013-12-11 17:01:42 +00:00
Nick Kralevich
3e78000e38 Allow system_app to set properties
Settings > Developer Options > Profile GPU Rendering was broken,
as it couldn't set a debug.* system property.

In addition, system_app wasn't allowed to access init's property_service socket.

Both fixed.

In addition, allow system_app to write to radio_prop.

Fixes the following denials:

<5>[  170.769658] type=1400 audit(1386722177.029:57): avc:  denied  { write } for  pid=4142 comm="ndroid.settings" name="property_service" dev="tmpfs" ino=7457 scontext=u:r:system_app:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<4>[  170.770064] avc:  denied  { set } for property=debug.hwui.overdraw scontext=u:r:system_app:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<3>[  170.770148] init: sys_prop: permission denied uid:1000  name:debug.hwui.overdraw

Bug: 12037026
Change-Id: I5e879ab339e68e9e4715266fc8a698ab6ad5756e
2013-12-11 08:56:10 -08:00
Stephen Smalley
65317124a0 Allow untrusted apps to execute binaries from their sandbox directories.
Various third party apps come with their own binaries that they write out to
their sandbox directories and then execute, e.g.:
audit(1386527439.462:190): avc:  denied  { execute_no_trans } for  pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file

While this is not ideal from a security POV, it seems necessary to support for
compatibility with Android today.

Split out the execute-related permissions to a separate allow rule as it
only makes sense for regular files (class file) not other kinds of files
(e.g. fifos, sockets, symlinks), and use the rx_file_perms macro.

Move the rule to untrusted_app only so that we do not permit system apps
to execute files written by untrusted apps.

Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-11 09:23:57 -05:00
Stephen Smalley
27daf189ef Make the runas domain enforcing.
Change-Id: I4b3dda1d08e8bfc523493f4b8d79a4cc3e7e7787
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-11 08:44:32 -05:00
Nick Kralevich
0bc17371f7 Merge "Support run-as and ndk-gdb functionality." 2013-12-10 00:00:04 +00:00
Stephen Smalley
e6a7b37d4c Restrict mapping low memory.
Label /proc/sys/vm/mmap_min_addr with proc_security to prevent
writing it by any domain other than init.  Also remove memprotect
mmap_zero permission from unconfineddomain so that it cannot pass
the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 13:19:49 -08:00
Stephen Smalley
48759ca205 Support run-as and ndk-gdb functionality.
Confine run-as (but leave permissive for now) and add
other allow rules required for the use of run-as and ndk-gdb
functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 15:00:44 -05:00
Stephen Smalley
95e0842e34 Restrict ptrace access by debuggerd and unconfineddomain.
Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 12:59:17 -05:00
Nick Kralevich
82fc3b5241 Allow app-app communication via pipes
Allow apps to communicate with each other via pipes.
In particular, this fixes a bug where printing from Chrome wasn't
working.

  STEPS TO REPRODUCE:
  1. Launch Chrome
  2. From menu tap print and observe
        OR
  1. Launch Drive, select any file (*.txt, *.doc, *.pdf, ...)
  2. Select print

Addresses the following denials:

<5>[  122.352797] type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248363] type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file
<5>[  123.248620] type=1400 audit(1386363999.264:20): avc:  denied  { write } for  pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file

Bug: 12032455
Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c
2013-12-06 13:31:16 -08:00
Nick Kralevich
49db26808f Merge "Make debuggerd enforcing." 2013-12-06 18:52:53 +00:00
Stephen Smalley
2c55c53972 am fea6e66f: Allow kernel domain, not init domain, to set SELinux enforcing mode.
* commit 'fea6e66fad0dd87e66d4df8255733b6840752316':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.
2013-12-06 09:07:55 -08:00
Stephen Smalley
fea6e66fad Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/

init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 12:02:01 -05:00
Nick Kralevich
a6c9cdfff2 am 9e8b8d9f: Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
* commit '9e8b8d9fdfcdb6b3e8af3349df186c2ab81a9733':
  Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
2013-12-06 08:54:57 -08:00
Nick Kralevich
9e8b8d9fdf Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
The build is broken. Reverting temporarily to fix breakage.

libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....


This reverts commit bf12e22514.

Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85
2013-12-06 16:52:30 +00:00
Stephen Smalley
6c8cbac334 am bf12e225: Allow kernel domain, not init domain, to set SELinux enforcing mode.
* commit 'bf12e2251422cc8470de21dd882872b7b6f960f6':
  Allow kernel domain, not init domain, to set SELinux enforcing mode.
2013-12-06 08:25:35 -08:00
Stephen Smalley
bf12e22514 Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/

init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 08:21:15 -08:00
Nick Kralevich
156b5db957 am 2b392fcc: Move lmkd into its own domain.
* commit '2b392fccf35c790bdc55bdce51a196f4953644ce':
  Move lmkd into its own domain.
2013-12-06 08:20:51 -08:00
Stephen Smalley
d5f77d7ab1 am 7adb999e: Restrict the ability to set usermodehelpers and proc security settings.
* commit '7adb999e701ee96356c506ffa93fce190791e8b7':
  Restrict the ability to set usermodehelpers and proc security settings.
2013-12-06 08:20:50 -08:00
Nick Kralevich
2b392fccf3 Move lmkd into its own domain.
lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd.  ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
2013-12-06 08:16:39 -08:00
Stephen Smalley
1b556c3270 Make ping enforcing.
Change-Id: Ib43bc4027e74660f653ec90335741acc792739da
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 10:25:43 -05:00
Stephen Smalley
a1618401f8 Make debuggerd enforcing.
Change-Id: If5b7206192cf93d9989b734304db0374429c04d5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 10:25:42 -05:00
Stephen Smalley
7adb999e70 Restrict the ability to set usermodehelpers and proc security settings.
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 09:44:38 -05:00
The Android Open Source Project
b96f677cf0 Merge commit '4ab298359613736281e10accaed3a6ffe1fe590a' into HEAD 2013-12-05 17:26:00 -08:00
Robert Craig
aa376831e8 Fix new rild denials.
Denials seen on hammerhead but seem
appropriate for general policy.

<5>[ 8.339347] type=1400 audit(3731546.390:17): avc: denied { ioctl } for pid=314 comm="rild" path="socket:[7996]" dev="sockfs" ino=7996 scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 8.339065] type=1400 audit(3731546.390:16): avc: denied { create } for pid=314 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 11.232121] type=1400 audit(3731549.289:22): avc: denied { read } for pid=620 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket

Change-Id: Ieaca5360afbb44d5da21c7c24bdd5e7c5758f0a2
2013-12-05 17:37:25 -05:00
Robert Craig
b2547644ef Drop tegra specific label from policy.
This label was originally used for Motorola
Xoom devices. nvmap is the tegra gpu memory
manager and the various nvhost drivers are
for tegra graphics related functionality,
i.e. display serial interface, image signal
processor, or media processing stuff.

Only grouper and tilapia presently need this
policy.

Change-Id: I2a7000f69abf3185724d88d428e8237e0ca436ec
2013-12-05 13:29:07 -08:00
Nick Kralevich
8824c552d6 Merge "Allow SELinuxPolicyInstallReceiver to work." 2013-12-05 20:07:49 +00:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Stephen Smalley
a49ba927e3 Allow SELinuxPolicyInstallReceiver to work.
Change-Id: I10006f43c142f07168e2ea0f4f5f7af68d03e504
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 14:22:17 -05:00
Nick Kralevich
51ce2f00c5 Merge "Make the isolated_app domain enforcing." 2013-12-02 17:11:34 +00:00
Stephen Smalley
081aed2133 Default to socket_device for anything under /dev/socket.
Otherwise sockets that have no specific entry match the /dev(/.*) entry
instead, leaving them in device type rather than socket_device type.
Every socket should get its own entry regardless, but this at least puts
it into a more specific type by default.

Change-Id: I97f7999af7f9f83484d3a51440dda791d3726f1a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 09:02:22 -05:00
Stephen Smalley
08ecc02821 Make the isolated_app domain enforcing.
Change-Id: I11be7d1713dd7cb35b8046503a09e42567e53d86
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 08:54:31 -05:00
Nick Kralevich
476855357b Allow write access to ashmem allocated regions
Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d
2013-11-27 13:36:48 -08:00
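The ashmem commit above and the earlier pipe commit ("Allow app-app communication via pipes") both quote avc denials in which the kernel hex-encodes a `comm=` or `path=` value that contains a space. The following script is an added example, not tooling from the sepolicy project: it parses constructed denial lines modelled on those two commits, decodes the hex fields, and collapses the denials into the allow rules that would cover them (a starting point only; the commits themselves chose attribute-level rules rather than per-type ones).

```python
import re
import binascii

# Constructed denial lines modelled on the commit messages above (not copied
# from a real device). The second line carries comm=4173796E635461736B202332,
# the kernel's hex encoding of a comm value that contains a space.
SAMPLE_DENIALS = [
    'type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="app" '
    'path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 '
    'scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file',
    'type=1400 audit(1386363998.374:18): avc:  denied  { write } for  pid=3786 '
    'comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 '
    'scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file',
    'type=1400 audit(1386363999.264:19): avc:  denied  { getattr } for  pid=2677 '
    'comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 '
    'scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file',
]

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
HEX_FIELDS = {"comm", "path", "name"}   # fields the kernel hex-encodes when unsafe

def decode_field(key, quoted, raw):
    """Quoted values are literal; unquoted comm/path/name values are hex-encoded."""
    if quoted is not None:
        return quoted
    if key in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return binascii.unhexlify(raw).decode("utf-8", "replace")
    return raw

def parse_denial(line):
    """Return the denial's fields plus a 'perms' set, or None for non-denial lines."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group(2)):
        fields[fm.group(1)] = decode_field(fm.group(1), fm.group(3), fm.group(4))
    fields["perms"] = frozenset(m.group(1).split())
    return fields

def domain_of(context):
    return context.split(":")[2]   # u:r:untrusted_app:s0 -> untrusted_app

def suggest_rules(lines):
    """Merge denials with the same (source, target, class) into one allow rule each."""
    merged = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        key = (domain_of(d["scontext"]), domain_of(d["tcontext"]), d["tclass"])
        merged[key] = merged.get(key, frozenset()) | d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]
```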
Stephen Smalley
2ffd52a472 am 043b9027: Confine watchdogd, but leave it permissive for now.
* commit '043b9027b3cc1c055e4ec5917f5d0d9bdc69005f':
  Confine watchdogd, but leave it permissive for now.
2013-11-22 17:22:09 -08:00
The Android Open Source Project
6af0cc2430 Merge commit '060f6fa67e1d9779d2d8357659ae530d65171faa' into HEAD 2013-11-22 10:35:15 -08:00
Stephen Smalley
043b9027b3 Confine watchdogd, but leave it permissive for now.
Change-Id: If2285e927cb886956b3314dd18384145a1ebeaa9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-21 10:55:56 -05:00
Nick Kralevich
7ef2b39f96 am 1ed3caf7: Merge "Add support for duplicate allow rule detection (-D / --dups)."
* commit '1ed3caf736d59f11d6c39edb3de2e0d0cd5ca71f':
  Add support for duplicate allow rule detection (-D / --dups).
2013-11-19 12:07:55 -08:00
Nick Kralevich
1ed3caf736 Merge "Add support for duplicate allow rule detection (-D / --dups)." 2013-11-19 20:04:20 +00:00
Stephen Smalley
bec54f42ed Add support for duplicate allow rule detection (-D / --dups).
Usage:
sepolicy-analyze -D -P out/target/product/<board>/root/sepolicy

Displays duplicate allow rules, i.e. pairs of allow rules that grant
the same permissions where one allow rule is written directly in terms
of individual types and the other is written in terms of attributes
associated with those same types.  The rule with individual types is
a candidate for removal.  The rule with individual types may be directly
represented in the source policy or may be a result of expansion of
a type negation (e.g. domain -foo -bar is expanded to individual allow
rules by the policy compiler).  Domains with unconfineddomain will
typically have such duplicate rules as a natural side effect and can
be ignored.

Also add a tools/README with a description of all of the tools.

Change-Id: I07838dbd22c5cc8a4a65b57003ccae38129050f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-18 16:11:36 -08:00
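The duplicate-rule check described in the commit above, as an added example that is not the sepolicy-analyze implementation (which works on a compiled binary policy): it parses a small constructed source-policy snippet, expands attributes to their member types, and flags a rule written against individual types whose access is already granted by an attribute-based rule. It generalizes slightly from the message by reporting a type-level rule whenever its permissions are fully covered, not only when they match exactly.

```python
import re
from collections import defaultdict

# Constructed sample policy (not from the Android sepolicy tree). The
# "netd" rule is redundant with the "domain" rule; the other two are not.
SAMPLE_POLICY = """
attribute domain;
type init, domain;
type netd, domain;
type foo, domain;
type proc_security;
type socket_device;
allow domain socket_device:dir { read search };
allow netd socket_device:dir { search };
allow init proc_security:file { write };
allow foo socket_device:sock_file { write };
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([\w\s,]+))?;")
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

def parse_policy(text):
    """Return (attribute -> member types, list of (src, tgt, class, perms))."""
    attrs = defaultdict(set)
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = TYPE_RE.match(line)
        if m:
            for attr in (m.group(2) or "").replace(",", " ").split():
                attrs[attr].add(m.group(1))
            continue
        m = ALLOW_RE.match(line)
        if m:
            perms = (m.group(4) or m.group(5)).split()
            rules.append((m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return attrs, rules

def expand(name, attrs):
    """An attribute expands to its member types; a plain type is itself."""
    return attrs[name] if name in attrs else {name}

def find_dups(attrs, rules):
    """Pairs (type_rule, attribute_rule) where the attribute rule already covers the type rule."""
    dups = []
    for r in rules:
        if r[0] in attrs or r[1] in attrs:
            continue                       # only type-level rules are removal candidates
        for g in rules:
            if g is r or (g[0] not in attrs and g[1] not in attrs):
                continue                   # the covering rule must use an attribute
            if (r[0] in expand(g[0], attrs) and r[1] in expand(g[1], attrs)
                    and r[2] == g[2] and r[3] <= g[3]):
                dups.append((r, g))
    return dups
```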
Nick Kralevich
65d4e8355b am 006260e5: Merge "Confine hostapd, but leave it permissive for now."
* commit '006260e528f4bcd6fa7db6e1acc5d38224eb401b':
  Confine hostapd, but leave it permissive for now.
2013-11-18 13:07:58 -08:00
Nick Kralevich
006260e528 Merge "Confine hostapd, but leave it permissive for now." 2013-11-18 21:05:05 +00:00
Nick Kralevich
2c8eef873e am 2b939e8c: Merge "Confine ping, but leave it permissive for now."
* commit '2b939e8cabab28db2d7e2015ecab59e1cbdbc442':
  Confine ping, but leave it permissive for now.
2013-11-18 12:03:31 -08:00
Nick Kralevich
2b939e8cab Merge "Confine ping, but leave it permissive for now." 2013-11-18 19:59:30 +00:00
Stephen Smalley
945fb56766 Confine hostapd, but leave it permissive for now.
Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-18 11:25:10 -08:00
Jeff Sharkey
4ab2983596 am 35e8dcc9: Merge "Let vold mount OBB files on external storage." into klp-dev
* commit '35e8dcc9ba40c6419f63d0a516c0995d3064f96e':
  Let vold mount OBB files on external storage.
2013-11-14 16:26:18 -08:00
Jeff Sharkey
35e8dcc9ba Merge "Let vold mount OBB files on external storage." into klp-dev 2013-11-15 00:19:25 +00:00
Jeff Sharkey
80176dc445 Let vold mount OBB files on external storage.
Fixes this specific violation:

type=1400 audit(1384468728.202:16): avc:  denied { read write } for
pid=271 comm="vold" name="test1.obb" dev="fuse" ino=3100664872
scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_internal:s0
tclass=file

Bug: 11693888
Change-Id: I45d30ecabdf0bc8871f3dd67b5695ac909109d9a
2013-11-14 16:11:56 -08:00
Nick Kralevich
e0068ecce3 am 24fb24f7: am ae49e7a3: Merge "Confine tee, but leave it permissive for now."
* commit '24fb24f7ea1bf74bc1234394b81955e0aab6943f':
  Confine tee, but leave it permissive for now.
2013-11-14 11:37:53 -08:00
Nick Kralevich
24fb24f7ea am ae49e7a3: Merge "Confine tee, but leave it permissive for now."
* commit 'ae49e7a3691137b5276254074b2c282bcdfee523':
  Confine tee, but leave it permissive for now.
2013-11-14 11:34:11 -08:00