Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.
Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is causing the version of Chrome in Android's tree to crash. The
version of Chrome in Android's tree does not have the following patch:
https://codereview.chromium.org/630123003
Until Chrome updates the version in Android's tree, we need to revert.
Works around the following denials:
audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
This reverts commit 669a977303.
Bug: 18006219
Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.
Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.
This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allow partners to create SELinux
rules allowing the access if they desire.
(cherrypick from commit 480374e4d0)
Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.
Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.
This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allow partners to create SELinux
rules allowing the access if they desire.
Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.
TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.
Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.
Change-Id: I3c096607a74fd0f360d41f3e6f06535ca00c58ec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Apps should be able to read the contents of mounted OBBs.
Steps to reproduce:
1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
2) Attempt to run the app.
Expected:
App runs successfully.
Actual:
App crashes. See denials below.
This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3
Addresses the following denials:
avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
(cherrypick of commit 62083414a4)
Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
Apps should be able to read the contents of mounted OBBs.
Steps to reproduce:
1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
2) Attempt to run the app.
Expected:
App runs successfully.
Actual:
App crashes. See denials below.
This can also be reproduced by running the newly introduced CTS
test in I2018b63b0236ce6b5aee4094e40473315b1948c3
Addresses the following denials:
avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0
Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa
During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:
adb shell cat /factory/ssn
adb shell cat /factory/bt/bd_addr.conf
adb shell cat /factory/wifi/mac.txt
adb shell cat /factory/60isn
read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.
No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.
Bug: 17600278
(cherry picked from commit 200a9f0e20)
Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7
During factory provisioning, some manufacturers may need to pull files
from /factory (label efs_file and bluetooth_efs_file) to collect
device specific identifiers such as the mac address, using commands
similar to the following:
adb shell cat /factory/ssn
adb shell cat /factory/bt/bd_addr.conf
adb shell cat /factory/wifi/mac.txt
adb shell cat /factory/60isn
read-only access to these files is currently disallowed by a
neverallow rule. Relax the rules to allow read-only access to the
shell user if desired.
No new SELinux rules are added or deleted by this change. This is
only a relaxation in what's allowed for vendor specific policy.
Bug: 17600278
Change-Id: I13f33f996c077918dce70a5cff31a87eac436678
Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.
Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.
Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.
No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.
Bug: 17525863
(cherry picked from commit 642b80427e)
Change-Id: I35f3dc8b1ead9f427645a13fb202e760d1e68e64
Netlink uevent sockets are used by the kernel to inform userspace
when certain events occur, for example, when new hardware is added
or removed. This allows userspace to take some action based on those
messages.
Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets.
Certain device specific app domains, such as system_app, may have a
need to receive messages from this socket type.
Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app.
These sockets have been the source of rooting attacks in Android
in the past, and it doesn't make sense to expose this to untrusted_apps.
No new SELinux rules are introduced by this change. This is an
adjustment of compile time assertions only.
Bug: 17525863
Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.
Bug: 17288791
Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
Remove the CTS specific rule which allows appdomain processes
to view /proc entries for the rest of the system. With this change,
an SELinux domain will only be able to view it's own /proc
entries, e.g. untrusted_app can only view /proc entries for other
untrusted_app, system_app can only view /proc entries for other
system_apps, etc.
/proc contains sensitive information, and we want to avoid
leaking this information between app security domains.
Bug: 17254920
Change-Id: I59da37dde00107a5ab123df3b79a84afa855339f
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.
Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 21ada26dae)
Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently, dex2oat runs in the installd sandbox, and has
all the SELinux capabilities that installd does. That's too
excessive.
dex2oat handles untrusted user data, so we want to put it in
it's own tighter sandbox.
Bug: 15358102
Change-Id: I08083b84b9769e24d6dad6dbd12401987cb006be
Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.
The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.
Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.
Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.
Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.
Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f
Remove the auditallow statements from app.te and
binderservicedomain.te which were causing log spam.
Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.
Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
sdcard_internal is assigned to fuse mounts while sdcard_external
is assigned to vfat mounts by genfs_contexts. Originally we
allowed access to both via the sdcard_type attribute, and access
via both means was required. IIUC however, in 4.4 and later,
SDcard access should always occur via the fuse mount and we can
drop access to sdcard_external.
I think we can do the same for all domains except sdcardd. However,
I cannot test this as the Nexus devices do not have external SDcard
support.
Also wondering if we should rename sdcard_internal type to fuse
and sdcard_external type to vfat to more clearly represent their
meaning, since one accesses the external SDcard via the fuse mount now.
Change-Id: Ie44221e9eea90e627a48df5398c456b86293f724
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The following commits added support for runtime resource overlays.
New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591
During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.
This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.
Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py
Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.
Add read/write capabilities back to app domains, since apps need to
read/write profiling data.
Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.
Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh. So they originally
shared a common set of rules. Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc. Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc). The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command. And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.
Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te. init_shell was an unconfined_domain(),
so it loses nothing from this change. Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.
Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As of sepolicy commit a16a59e2c7
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.
Merge them into one type to avoid a proliferation of SELinux
types.
Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95
This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).
Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0
NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.
Addresses the following error / denial:
06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app
Expected:
App runs
Actual:
App crashes with error above.
Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).
init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it. init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.
Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.
This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.
Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.
Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
