All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a

Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)
Also removed duplicate permission (from domain) in untrusted_app
Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf

Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.
Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

host C: sepolicy-analyze <= external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c: In function 'usage':
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: error: 'for' loop initial declarations are only allowed in C99 mode
external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: note: use option -std=c99 or -std=gnu99 to compile your code
make: *** [out/host/linux-x86/obj/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1
Change-Id: I9222e447b032d051c251c9718e2b8d5ffb9e9c35

Commit: 9287e0dd272b85b475e33bcbd7d868517a0f98f9 removed the registration
of EntropyMixer with servicemanager, so it no longer needs a context.
Bug: 18106000
Cherry-pick of commit: 7cfef98ce7
Change-Id: I9aeb35e7ffde75090f4234ea193514fb883b1425

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See 5568772e81
for details.
Allow system_server to set ro.build.fingerprint
Addresses the following denial/error:
avc: denied { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
init: sys_prop: permission denied uid:1000 name:ro.build.fingerprint
Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29

This seems to not really be used, especially considering
that the init.rc does not have a oneshot service for it, and it's
not using the build_policy() and other things to even make it
configurable.
Change-Id: I964f94b30103917ed39cf5d003564de456b169a5

init.rc files can potentially chown/chmod any character device, so
allow it for everything except for kmem (prohibited by neverallow).
While we could whitelist each of the device types, doing so would also
require device-specific changes for the device-specific types and
may be difficult to maintain.
Resolves (permissive) denials such as:
avc: denied { read } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { open } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { setattr } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { read } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
avc: denied { open } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
avc: denied { read } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file
avc: denied { open } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file
avc: denied { setattr } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file
Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

tilapia's OTA code for updating the radio image needs to
create files on rootfs and create a character device in /dev.
Add an exception for recovery to the various neverallow rules
blocking this behavior.
(cherrypick, with modifications, from 0055ea904a)
Bug: 18281224
Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e

Change-Id I52fd5fbe30a7f52f1143f176915ce55fb6a33f87 was only intended
for lollipop, not for master.
This reverts commit 2aa727e3f0.
Change-Id: If2101939eb50cd6bbcde118b91c003d1f30d811c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

wpa should never trust any data coming from the sdcard. Add a
compile time assertion to make sure no rules are ever added
allowing this access.
Change-Id: I5f50a8242aa30f6cc0cfd89d82b2b153625105f6

Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.
Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.
Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.
Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88

They need to see when it changes so they know when netd bounces.
(cherrypicked from commit 71e9a7c471)
Bug: 18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a

Also, divide each sepolicy-analyze function into its own component for simplified
command-line parsing and potentially eventual modularization.
Bug: 18005561
Change-Id: I45fa07d776cf1bec7d60dba0c03ee05142b86c19

Resolves (permissive) denials on upgrades from 4.4.
Change-Id: Ia9eed4938a7235c23bb65de7ad65e6e7c325dfd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Switch the kernel and init domains from unconfined_domain()
to permissive_or_unconfined() so that we can start collecting
and addressing denials in -userdebug/-eng builds.
Also begin to address denials for kernel and init seen after
making this switch.
I intentionally did not allow the following denials on hammerhead:
avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
These occur when init.rc does:
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
because the prior command to mount the cgroup failed:
mount cgroup none /sys/fs/cgroup/memory memory
I think this is because that cgroup is not enabled in the
kernel configuration. If the cgroup mount succeeded,
then this would have been a write to a cgroup:file and
would have been allowed already.
Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

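The init chr_file commit and the hammerhead kernel/init commit above both paste raw `avc: denied` lines and then decide, by hand, which of them deserve an allow rule. As an added example (not code from the sepolicy project or from any of these commits), the following Python script parses such lines, groups them by source domain, target type and object class, and emits candidate `allow` rules for review, flagging the groups that were only ever seen with `permissive=1` (logged, not enforced). The sample input is copied from the denial lines quoted in those two commit messages; the function and constant names are my own.

```python
import re
from collections import defaultdict

# Sample input: avc denial lines copied from the two commit messages above
# (init chr_file denials and the hammerhead cgroup denials). Constructed for
# this demo only; feed real lines from dmesg/logcat in practice.
SAMPLE_DENIALS = """\
avc: denied { read } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { open } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { setattr } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { read } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
avc: denied { open } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict for one avc denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        "name": fields.get("name"),
    }


def type_of(context):
    """Extract the type field from a u:r:TYPE:s0 / u:object_r:TYPE:s0 context."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source domain, target type, class).

    Each group records the union of denied permissions, the object names seen,
    and whether *every* denial in the group was logged in permissive mode.
    """
    groups = {}
    for line in text.splitlines():
        d = parse_denial(line)
        if not d or not (d["scontext"] and d["tcontext"] and d["tclass"]):
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        g = groups.setdefault(key, {"perms": set(), "names": set(), "permissive": True})
        g["perms"] |= d["perms"]
        if d["name"]:
            g["names"].add(d["name"])
        g["permissive"] = g["permissive"] and d["permissive"]
    return groups


def candidate_rules(groups):
    """Render each group as an allow rule in .te syntax (audit2allow style)."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_DENIALS)
    for rule, (key, g) in zip(candidate_rules(groups), sorted(groups.items())):
        mode = "permissive only" if g["permissive"] else "ENFORCED"
        print(f"{rule:60}  # {mode}; names={sorted(g['names'])}")
```

As with audit2allow, the printed rules are a starting point for review, not something to paste into policy: each commit above shows the judgement step that a script cannot make, such as refusing to allow the `init_tmpfs:file` group because the real cause was a failed cgroup mount, or preferring a broad `chr_file` rule over per-device whitelisting for maintainability.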
* zygote needs to be able to symlink from dalvik cache to system
to avoid having to copy boot.oat
(when the boot.oat file was built with --compile-pic)
* dex2oat needs to be able to read the symlink in the dalvik cache
(the one that zygote creates)
Bug: 18035729
Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62

Currently, recovery is allowed write access to the following three
file labels:
* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directories and files)
system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.
The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.
The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.
Allow unlabeled symbolic link modifications.
(cherrypicked from commit 683ac49d9d)
Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c

Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.
This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700
Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d

Aside from the keystore daemon itself, only init needs any access
to keystore_data_file (in order to create and potentially restorecon
/data/misc/keystore). The exceptions for the kernel and recovery domains
are unnecessary; no allow rule permits this access in current policy.
Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This domain was originally intended to be a place to hold rules for
all init.*.rc shell scripts. However, it's now recommended that every
init service have its own SELinux domain, and the use of init_shell
is to be avoided.
Delete init_shell. No policy is using it anymore, and it's causing
confusion for people implementing device specific SELinux policy.
Bug: 18062250
Change-Id: I7c90851784b233443642ea69722f3281fd457621