Commit graph

35 commits

Author SHA1 Message Date
Mark Salyzyn
140a019aed dumpstate: storage statistics
Deal with a few audit failures

Bug: 24200279
Change-Id: Ifb8e936738ef9c8576842576315cca2825310d3a
2015-12-11 12:50:57 -08:00
Felipe Leme
83fd8a54f5 Increase communication surface between dumpstate and Shell:
- Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-04 14:08:28 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Stephen Smalley
a3c97a7660 Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 12:46:07 -04:00
Nick Kralevich
979adffd45 eliminate some anr_data_file permissions.
Init is now responsible for creating /data/anr, so it's
unnecessary to grant system_server and dumpstate permissions
to relabel this directory. Remove the excess permissions.

Leave system_data_file relabelfrom, since it's possible we're
still using it somewhere.

See commits:
  https://android-review.googlesource.com/161650
  https://android-review.googlesource.com/161477
  https://android-review.googlesource.com/161638

Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
2015-08-12 17:01:57 -07:00
dcashman
eab26faa60 Remove service_manager_local_audit_domain.
service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
2015-06-08 11:21:54 -07:00
Andres Morales
e207986ea0 SELinux permissions for gatekeeper TEE proxy
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-06 16:46:58 -07:00
Nick Kralevich
c24d90cb59 dumpstate: allow df on /storage/emulated
dumpstate runs "df" on all mounted filesystems. Allow dumpstate
to access /storage/emulated so df works.

Addresses the following denial:

  avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir

Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8
2015-04-06 15:24:51 -07:00
Kazuki Nakayama
9103c9751c Allow dumpstate to read symlink under dalvik-cache
This fixes the following policy violation:
avc: denied { read } pid=30295 comm="app_process"
tcontext=u:object_r:dalvikcache_data_file:s0
scontext=u:r:dumpstate:s0 tclass=lnk_file
permissive=0 ppid=26813 pcomm="dumpstate"
pgid=26813 pgcomm="dumpstate"

See 0e32726 in app.te for a symmetrical
change.

Change-Id: Iecbccd5fd0046ec193f08b26f9db618dee7a80c1
2015-03-31 10:04:31 +02:00
dcashman
23f336156d Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:38:07 -08:00
Nick Kralevich
5cf3994d8a Revert /proc/net related changes
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc82
and commit 99940d1af5

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:35:17 -08:00
Christopher Ferris
5ec38c49e3 Dumpstate runs the same from shell as service.
Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-02-04 14:19:26 -08:00
Christopher Ferris
b51c4dd39a Allow debuggerd to redirect requests.
On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.

Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.

Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
2015-01-20 15:15:27 -08:00
Nick Kralevich
99940d1af5 remove /proc/net read access from domain.te
SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
2015-01-14 22:18:24 +00:00
dcashman
4a89cdfa89 Make system_server_service an attribute.
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2015-01-14 13:54:26 -08:00
dcashman
0780f30c80 Allow dumpstate and shell to list services.
Addresses the following denials:
avc:  denied  { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
avc:  denied  { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Bug: 18864737
Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-30 15:26:29 -08:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Stephen Smalley
cbc5279a43 More MLS trusted subject/object annotations.
dumpstate and lmkd need to act on apps running at any level.

Various file types need to be writable by apps running at any
level.

Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-15 19:22:23 +00:00
Christopher Ferris
e7d136738f Allow dumpstate to read /system/bin executables.
On 64 bit systems, it's necessary to read the /system/bin executables
elf header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.

Bug: 17487122

(cherry picked from commit 04f3d79077)

Change-Id: Ib7835ffac1811a5aef54a250689287c1666720ef
2014-09-13 16:24:01 -07:00
Stephen Smalley
77a236c909 Allow dumpstate to dump backtraces of certain native processes.
The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.

Resolves denials such as:
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
 avc:  denied  { dump_backtrace } for  scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd

Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-08-01 10:18:31 -04:00
Christopher Ferris
b2eaa28d11 Allow dumpstate to read /data/tombstones.
Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7
2014-07-22 19:11:41 -07:00
Riley Spahn
603bc20509 Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 09:24:13 -07:00
Sreeram Ramachandran
d2d172a33e Allow dumpstate to read the list of routing tables.
Change-Id: I55475c08c5e43bcf61af916210e680c47480ac32
2014-07-08 15:46:52 -07:00
Nick Kralevich
c0d14767e6 dumpstate: transition into vdc domain
dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.

Addresses the following denial:

  <4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0

Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe
2014-06-25 14:18:51 -07:00
Nick Kralevich
a8281adf99 dumpstate: allow pstore access
Dumpstate reads from /sys/fs/pstore/console-ramoops when generating
a bug report. Allow it.

Addresses the following denials:
  <12>[ 2187.362750] type=1400 audit(1402346777.139:9): avc: denied { search } for pid=4155 comm="dumpstate" name="/" dev="pstore" ino=9954 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
  <12>[ 2187.363025] type=1400 audit(1402346777.139:10): avc: denied { getattr } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1
  <12>[ 2187.363185] type=1400 audit(1402346777.139:11): avc: denied { read } for pid=4155 comm="dumpstate" name="console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1
  <12>[ 2187.363321] type=1400 audit(1402346777.139:12): avc: denied { open } for pid=4155 comm="dumpstate" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9955 scontext=u:r:dumpstate:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=1

Change-Id: Ia20b7a03ed8e0c61b023eea93415a50af82e1bbf
2014-06-09 13:46:38 -07:00
Nick Kralevich
b2ed044f8d dumpstate: allow gpu_device access
dumpstate calls screencap to take a screenshot. screencap
requires the ability to access the gpu device. Allow it.

Bug: 15514427
Change-Id: Iad8451b6108786653146de471f6be2d26b0e3297
2014-06-09 12:52:01 -07:00
Nick Kralevich
a1cd65b810 Make dumpstate domain enforcing.
Change-Id: I74bf300c1b80e94e5acf9ba00ab443dfabad7408
2014-06-09 05:48:31 +00:00
Stephen Smalley
02dac03a8c Drop relabelto_domain() macro and its associated definitions.
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 18:30:22 +00:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Mark Salyzyn
8ed750e973 sepolicy: Add write_logd, read_logd & control_logd
- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2014-02-04 07:56:50 -08:00
Stephen Smalley
208deb3357 Allow dumpstate to run am and shell.
See http://code.google.com/p/android/issues/detail?id=65339

Further denials were observed in testing and allowed as well.

Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-29 14:57:08 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Stephen Smalley
a5066135ee Fix denials triggered by adb shell screencap.
Change-Id: Ief925f1f49a6579d5a7a1035f3732834238fa590
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-07 13:25:25 -05:00
Nick Kralevich
bfa3cd51e4 Allow dumpstate to write shell files
Allow the bugreport service to create files in
/data/data/com.android.shell/files/bugreports/bugreport .

Addresses the following denials:

<5>[31778.629368] type=1400 audit(1388876199.162:230): avc:  denied  { write } for  pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[31778.629493] type=1400 audit(1388876199.162:231): avc:  denied  { add_name } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[31778.629622] type=1400 audit(1388876199.162:232): avc:  denied  { create } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[31778.629779] type=1400 audit(1388876199.162:233): avc:  denied  { write open } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[31778.629977] type=1400 audit(1388876199.162:234): avc:  denied  { getattr } for  pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4
2014-01-05 19:20:10 -08:00
Nick Kralevich
09e6abd91b initial dumpstate domain
Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-16 15:29:09 -08:00