Commit graph

6265 commits

Author SHA1 Message Date
Daniel Rosenberg
cf8719e7ba Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev 2016-03-22 00:46:48 +00:00
Felipe Leme
92aefee483 Add rules to allow dumpstate to run systrace.
Cherry picked from 610f461ecf (AOSP).

BUG: 27419521
Change-Id: I63108468d75be3ef7f9761107a3df8997f207d07
2016-03-19 00:54:46 +00:00
Nick Kralevich
abead06f60 allow priv_app self:process ptrace
The changes to ptrace in
https://android-review.googlesource.com/#/c/175786/ (removing it from
app.te and only adding it to isolated_app and untrusted_app) broke
WebView crash handling in cases where privileged apps (like gmscore) use
WebView.

The only way to fix this would be to allow priv_app to self-ptrace as
well. :/

Bug: 27697529
Change-Id: Ib9a3810dddc9f4213b6260133cbae23f669ae8dc
2016-03-16 12:59:46 -07:00
Peng Xu
1c50994e1b Create SELinux label for contexthub_service
SELinux label is created for contexthub_service system service.

ContextHub service manages all available context hubs and serves to fulfil communication between apps
and underlying context hub hardware.

Change-Id: I8470fedd9c79a00012e1cdb9b548a1b632ba7de6
2016-03-15 15:44:49 -07:00
dcashman
027ec20696 Mark batteryproperties service as app_api_service.
Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries.  Mark it as an app_api_service so
that all applications may use this API.  Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties.  As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff4b)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
2016-03-14 16:09:42 -07:00
Polina Bondarenko
d79d753ac2 Merge "Renamed hardwareproperties to hardware_properties" into nyc-dev 2016-03-14 17:41:58 +00:00
Daniel Cashman
9404522aeb Merge "Create sysfs_hwrandom type." into nyc-dev 2016-03-14 17:14:26 +00:00
dcashman
85c0f8affa Create sysfs_hwrandom type.
HwRngTest needs access to the hwrandom sysfs files, but untrusted_app
does not have access to sysfs.  Give these files their own label and
allow the needed read access.

Bug: 27263241
Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
2016-03-11 15:44:44 -08:00
Daniel Cashman
5b77283384 Merge "Allow domains to getattr proc lnk_file." into nyc-dev 2016-03-10 22:46:13 +00:00
Josh Gao
5d2fe0e20b Merge "Allow debuggerd to send SIGKILL." into nyc-dev 2016-03-10 22:32:34 +00:00
Nick Kralevich
ff27450644 system_server: clean up duplicate permissions
Remove permissions which are already covered by other permissions.

Found by running:

  sepolicy-analyze path/to/sepolicy dups

No functional change.

Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71
2016-03-10 14:26:09 -08:00
dcashman
74ae21b31a Allow domains to getattr proc lnk_file.
Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
but not completely.  Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.

Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
2016-03-10 14:17:44 -08:00
Josh Gao
fd841ad302 Allow debuggerd to send SIGKILL.
Bug: http://b/27367422
Change-Id: I936c16281e06214b35f8d245da8f619dc92ff15f
(cherry picked from commit 48141c3675)
2016-03-10 13:58:40 -08:00
Oleksandr Peletskyi
33fe4784c3 Modified security policy to allow user to get their own icon.
BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d
2016-03-10 14:11:36 +01:00
Jeffrey Vander Stoep
012763fcbc Merge "priv_app: allow access to mediadrmserver_service" into nyc-dev 2016-03-09 18:52:41 +00:00
Jeff Vander Stoep
7aed1b253f priv_app: allow access to mediadrmserver_service
Addresses:
avc:  denied  { find } for service=media.drm pid=6030 uid=10012
scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:mediadrmserver_service:s0 tclass=service_manager

Bug: 27553530
Change-Id: I060de7ee1f66c7a545076b7de8363bebaac61f2c
2016-03-09 10:21:39 -08:00
Makoto Onuki
671127790c Merge "Allow "shortcut manager" icons to be returned to apps" into nyc-dev 2016-03-09 17:37:32 +00:00
Polina Bondarenko
447fd30d21 Renamed hardwareproperties to hardware_properties
Bug: 27531271
Change-Id: I3c5eee86d09696373ab155f93ba6c85da224cb51
2016-03-09 18:13:11 +01:00
Torne (Richard Coles)
e6d67390cc Allow isolated_app to talk to webviewupdate_service.
It's okay for isolated apps to connect to the webview update service to
find out which APK is WebView. This enables isolated renderer processes
to load their code from the WebView APK.

Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f
2016-03-09 14:36:56 +00:00
Makoto Onuki
085c16914c Allow "shortcut manager" icons to be returned to apps
... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b
2016-03-08 17:09:27 -08:00
Calin Juravle
d6c9947f60 Merge "Give vold setattr/getattr permissions to foreign dex files domain." into nyc-dev 2016-03-08 00:15:32 +00:00
Calin Juravle
cfb36df7c7 Give vold setattr/getattr permissions to foreign dex files domain.
Vold needs to be able to query if the directory exists and
eventually to fix permissions and the owner.

Typical error:
W vold    : type=1400 audit(0.0:485): avc: denied { getattr } for path="/data/misc/profiles/cur/11/foreign-dex" dev="dm-2" ino=343857 scontext=u:r:vold:s0 tcontext=u:object_r:user_profile_foreign_dex_data_file:s0 tclass=dir permissive=0


Bug: 27517932
Change-Id: Iff10c864634baa97cc814916ee7495b262e0c7eb
2016-03-07 23:38:00 +00:00
Makoto Onuki
def5d16e3c Merge "Add new system service "shortcut"." into nyc-dev 2016-03-07 23:08:43 +00:00
dcashman
16cbb57fb8 Allow appdomain to dump info to dumpstate.
Bug: 27511071
Change-Id: I99ea21638a4df8ad1f815d91bb970e1f8f143030
2016-03-07 14:22:34 -08:00
Ruben Brunk
c03ac3c43e Merge "Allow applications to read cgroup objects." into nyc-dev 2016-03-07 22:02:05 +00:00
Ruben Brunk
31a2de9bff Allow applications to read cgroup objects.
- Required to query cpusets information.

Bug: 22855417
Bug: 27381794
Bug: 27498731

Change-Id: I6d192aad2135d99a6c9cdaf97696b0822bd21897
2016-03-07 21:52:00 +00:00
Daniel Rosenberg
47fb4b9fc4 sepolicy: Add policy for sdcardfs and configfs
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
2016-03-07 11:57:08 -08:00
Nick Kralevich
b7c5a67b73 allow binderservice domains to write to a fifo file
Bug: 27511071
Change-Id: I737aa9daac6c78846fe375300c3338e401d733ac
2016-03-07 11:24:38 -08:00
Nick Kralevich
6e4bcbe6da DO NOT MERGE: untrusted_app: drop /proc auditallow
It's unlikely we'll get /proc locked down for the N release, so
delete the auditallow to avoid spamming the logs. Mark this
commit as DO NOT MERGE so we can continue to make progress on this
for future Android releases.

Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc
2016-03-07 09:00:34 -08:00
Jeff Sharkey
0cbedfdfbf Merge "Cached ringtone files should be mlstrustedobject." into nyc-dev 2016-03-06 01:30:43 +00:00
Jeff Sharkey
2f829dcd55 Cached ringtone files should be mlstrustedobject.
Both appdomain and priv_app can set the default ringtones, so the
cache files need to be mlstrustedobject.

avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Bug: 27366059
Change-Id: Ib362f58b180a62bd46800083d6c538426f955b10
2016-03-05 16:59:29 -07:00
Alex Deymo
a52b561859 New postinstall domain and rules to run post-install program.
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.

This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.

Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.

Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.

(cherry picked from commit 6cb2c893b1)

Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef
2016-03-04 15:49:15 -08:00
Stephen Smalley
423fd19d91 Update netlink socket classes.
Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes").  This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary.  Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes.  For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 01d95c23ab)

Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
2016-03-03 13:37:40 -08:00
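Two commits above describe policy hygiene work that is easy to automate: the system_server cleanup that found rules "already covered by other permissions" with `sepolicy-analyze path/to/sepolicy dups`, and the netlink change, where every allow rule written on `:netlink_socket` may need duplicating onto the finer classes. The script below is an added example illustrating both ideas on a policy fragment; it is not sepolicy-analyze, audit2allow, or any AOSP tool, and it resolves only one level of attributes. The `SAMPLE_TE` text is constructed for the demo, and `NEW_NETLINK_CLASSES` is the list assumed from the cited kernel commit (confirm it against the classmap of your kernel tree).

```python
"""Toy .te checks for two commits on this page: rules already covered by
another rule through an attribute (what `sepolicy-analyze ... dups` hunts
for) and :netlink_socket rules that need duplicating onto the finer classes.
Added example only; not sepolicy-analyze, not AOSP code."""
import re
from collections import defaultdict

# Constructed policy fragment (not from the AOSP tree); type and attribute
# names echo the commits above, the rule set is invented for the demo.
SAMPLE_TE = """\
attribute domain;
attribute appdomain;
type system_server, domain;
type untrusted_app, domain, appdomain;
type netd, domain;
type proc, fs_type;
allow domain proc:lnk_file getattr;
allow system_server proc:lnk_file getattr;
allow system_server proc:lnk_file { read getattr };
allow untrusted_app proc:dir search;
allow netd self:netlink_socket { create bind read write nlmsg_read };
"""

# Classes split out of netlink_socket by the Linux 4.2 kernel commit the
# page cites (assumed list; confirm against classmap.h of your kernel tree).
NEW_NETLINK_CLASSES = (
    "netlink_iscsi_socket", "netlink_fib_lookup_socket",
    "netlink_connector_socket", "netlink_netfilter_socket",
    "netlink_generic_socket", "netlink_scsitransport_socket",
    "netlink_rdma_socket", "netlink_crypto_socket",
)

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")
TYPE_RE = re.compile(r"^type\s+(\w+)\s*,\s*([^;]+);$")


def parse_policy(text):
    """Return (rules, attrs): allow rules as dicts, and type -> attribute set."""
    rules, attrs = [], defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            attrs[m.group(1)].update(a.strip() for a in m.group(2).split(","))
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append({"line": lineno, "src": src, "tgt": tgt, "cls": cls,
                          "perms": frozenset(perms.strip("{} ").split())})
    return rules, dict(attrs)


def _matches(name, pattern, attrs):
    # `pattern` stands for `name` if identical, or if it is an attribute
    # that `name` was declared with.  (One level only; real policy also has
    # nested attributes and typeattribute statements.)
    return name == pattern or pattern in attrs.get(name, ())


def find_covered(rules, attrs):
    """Pairs (redundant, covering): every permission of `redundant` on the
    same class is already granted by `covering`, directly or via attribute."""
    found = []
    for r in rules:
        for c in rules:
            if c is r or c["cls"] != r["cls"]:
                continue
            if (_matches(r["src"], c["src"], attrs)
                    and _matches(r["tgt"], c["tgt"], attrs)
                    and r["perms"] <= c["perms"]):
                found.append((r, c))
                break
    return found


def rewrite_netlink(rule, classes=NEW_NETLINK_CLASSES):
    """Duplicate a :netlink_socket rule onto the finer 4.2+ classes.  The
    original rule stays in place for older kernels, as the commit says.
    nlmsg_* permissions are dropped: assumed to exist only on classes with
    their own message vectors (e.g. netlink_route_socket); review by hand."""
    if rule["cls"] != "netlink_socket":
        return []
    perms = " ".join(sorted(p for p in rule["perms"] if not p.startswith("nlmsg_")))
    return [f"allow {rule['src']} {rule['tgt']}:{cls} {{ {perms} }};" for cls in classes]


if __name__ == "__main__":
    rules, attrs = parse_policy(SAMPLE_TE)
    for r, c in find_covered(rules, attrs):
        print(f"line {r['line']} is covered by line {c['line']}")
    for r in rules:
        for new in rewrite_netlink(r):
            print(new)
```

On the sample, the only hit is the `system_server proc:lnk_file getattr` rule, which is redundant once `domain` already gets `getattr` on `proc:lnk_file`; the rule that also asks for `read` is not flagged because `domain` does not grant it. The netlink rewrite is deliberately conservative: it copies only the common socket permissions and leaves the `nlmsg_*` decisions to a human, since granting them blindly across eight classes is exactly the kind of over-broad rule the dups cleanup exists to catch.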
Tao Bao
acf4e09999 Merge "Add /dev/socket/uncrypt." into nyc-dev 2016-03-03 19:52:46 +00:00
Andreas Gampe
ff755159f4 Merge "Sepolicy: Give Otapreopt right to write A/B artifacts in /data" into nyc-dev 2016-03-03 17:19:16 +00:00
Andreas Gampe
c83614b632 Sepolicy: Give Otapreopt right to write A/B artifacts in /data
For apps installed in /data (vs the system image), Otapreopt puts
A/B artifacts alongside the regular oat location with a "b" suffix.

Give Otapreopt the right to create and write such files.

Bug: 25612095
Change-Id: Idf3f0959816f49407036cea9b8e684b26c510e80
2016-03-02 18:37:30 -08:00
Nick Kralevich
b6480a5e3b Merge "delete obsolete aliases" into nyc-dev 2016-03-02 23:35:58 +00:00
Tao Bao
c285cad1a6 Add /dev/socket/uncrypt.
system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicate
via /dev/socket/uncrypt to allow things like factory reset to keep
working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
2016-03-02 10:51:13 -08:00
Fyodor Kupolov
79bb5d8f00 Merge "Add NetworkTimeUpdateService" into nyc-dev 2016-03-02 18:18:37 +00:00
Nick Kralevich
c321186e1e delete obsolete aliases
no longer used nor desired.

Change-Id: Iac447fb2291371caa4a8ec255db114d9f7ccdddb
2016-03-02 10:10:21 -08:00
Lorenzo Colitti
5f376c1fed Allow netd to check permissions.
Bug: 27239233
Change-Id: I82e3451542f08de67ad950223be90e37a2d3e899
2016-03-02 23:07:12 +09:00
Lorenzo Colitti
9119f12ee3 Revert "Revert "netd: restrict netd binder access to system_server""
This reverts commit b5594c2781.

Bug: 27239233
Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2
2016-03-02 22:59:09 +09:00
Lorenzo Colitti
f723f5f986 Merge "Revert "netd: restrict netd binder access to system_server"" into nyc-dev 2016-03-02 12:45:59 +00:00
Lorenzo Colitti
b5594c2781 Revert "netd: restrict netd binder access to system_server"
This reverts commit 544579597e.

Change-Id: Idfa0254e66f9517cc26af3c37441b47cbb984bca
2016-03-02 07:53:54 +00:00
Jeff Sharkey
8c09b65d8f Allow Phone to write cached ringtones.
avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0

Bug: 27366059
Change-Id: I120a69ac4f58c64db6f169ae4f9942ce357b0b1f
2016-03-01 18:02:03 -07:00
Makoto Onuki
7508224f61 Add new system service "shortcut".
Bug 27325877

Change-Id: Idf2f9ae816e1f3d822a6286a4cf738c14e29a45e
2016-03-01 15:12:11 -08:00
Calin Juravle
837bc42f5f Add SElinux policies to allow foreign dex usage tracking.
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile-guided compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check whether or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
2016-03-01 15:50:08 +00:00
Nick Kralevich
ba12da9572 Allow bluetooth access to the tun device.
Bluetooth uses the tun device for tethering. Allow access.

  STEPS TO REPRODUCE:
  0. Have two devices to test on, say Device A and Device B
  1. On Device A, Go to settings ->Bluetooth .
  2. Turn on the Bluetooth .
  3. Pair it with device B
  4. Tap on the paired device

  OBSERVED RESULTS:
  -Bluetooth share crash is observed with "Bluetooth share has stopped"
  error message
  -Unable to use Bluetooth tethering due to this issue

  EXPECTED RESULTS:
  No crash and Bluetooth devices should be able to connect for tethering

Addresses the following denial:

com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open }
for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs"
ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0
tclass=chr_file permissive=0

Bug: 27372573

(cherry picked from commit 9a1347eee6)

Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497
2016-02-29 10:05:08 -08:00
Marco Nelissen
50bcd14846 Merge "mediacodec: grant access to surfaceflinger" into nyc-dev 2016-02-28 17:14:56 +00:00
Marco Nelissen
6c53b23da8 mediacodec: grant access to surfaceflinger
avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:mediacodec:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 26990688
Change-Id: Ie7c5f6d879c286375eb52ef4c6b84726aa4f1ba2
2016-02-27 21:27:07 -08:00
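Several commits on this page paste the avc denial they fix: the priv_app `find` on `mediadrmserver_service`, the vold `getattr` on the foreign-dex profile directory, the priv_app `write` to the ringtone cache, the bluetooth `open` on `/dev/tun`, and the mediacodec `find` on `surfaceflinger_service`. The parser below is an added example, not audit2allow or any AOSP tool: it turns such lines into the allow rule they ask for, decodes the hex-encoded `comm=` field the kernel emits when the process name contains spaces, and flags the MLS situation the two ringtone commits ran into, where the subject carries categories (`s0:c512,c768`) and a plain allow rule is not enough until the target is `mlstrustedobject`. The sample lines are copied from the commit messages above (wrapped lines joined); `FILE_CLASSES` and the `mls_hint` heuristic are this example's own assumptions.

```python
"""Turn avc denial lines into allow rules and spot the MLS trap.
Added example; not audit2allow, not AOSP code."""
import re

# Denials copied from the commit messages on this page, wrapped lines joined.
SAMPLE_AUDIT = """\
avc:  denied  { find } for service=media.drm pid=6030 uid=10012 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:mediadrmserver_service:s0 tclass=service_manager
W vold    : type=1400 audit(0.0:485): avc: denied { getattr } for path="/data/misc/profiles/cur/11/foreign-dex" dev="dm-2" ino=343857 scontext=u:r:vold:s0 tcontext=u:object_r:user_profile_foreign_dex_data_file:s0 tclass=dir permissive=0
avc: denied { write } for path="/data/system_de/0/ringtones/ringtone_cache" dev="mmcblk0p44" ino=1602501 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:ringtone_file:s0 tclass=file permissive=0
com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0
avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:mediacodec:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
"""

DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for the heuristic below: file-like classes are the ones where
# Android's MLS constraints bite on top of the allow rule.
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}


def split_context(ctx):
    """u:r:priv_app:s0:c512,c768 -> ('priv_app', 's0:c512,c768')."""
    _user, _role, type_, level = ctx.split(":", 3)
    return type_, level


def decode_comm(value):
    """The kernel hex-encodes comm when it contains spaces or odd bytes."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode("ascii")
        except UnicodeDecodeError:
            return value
    return value


def parse_denial(line):
    """Return a dict for one avc denial, or None if the line is not one."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    stype, slevel = split_context(fields["scontext"])
    ttype, tlevel = split_context(fields["tcontext"])
    if "comm" in fields:
        fields["comm"] = decode_comm(fields["comm"])
    return {"perms": sorted(m.group("perms").split()), "fields": fields,
            "stype": stype, "slevel": slevel, "ttype": ttype, "tlevel": tlevel,
            "tclass": fields["tclass"]}


def allow_rule(d):
    """The allow rule that would silence this denial (review before adding)."""
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"


def mls_hint(d):
    """Heuristic: a category-carrying subject touching an object at a
    different level can still be refused by the MLS constraints after the
    allow rule lands; the ringtone commits above fixed exactly this by
    marking the target type mlstrustedobject."""
    if d["tclass"] in FILE_CLASSES and d["slevel"] != d["tlevel"]:
        return (f"levels differ ({d['slevel']} vs {d['tlevel']}): consider "
                f"mlstrustedobject on {d['ttype']} or mlstrustedsubject on {d['stype']}")
    return None


def process(log):
    """Parse every denial in `log` into (rule, decoded comm, MLS hint)."""
    out = []
    for line in log.splitlines():
        d = parse_denial(line)
        if d:
            out.append({"rule": allow_rule(d), "comm": d["fields"].get("comm"),
                        "mls_hint": mls_hint(d)})
    return out


if __name__ == "__main__":
    for item in process(SAMPLE_AUDIT):
        print(item["rule"], f"(comm={item['comm']})" if item["comm"] else "")
        if item["mls_hint"]:
            print("  MLS:", item["mls_hint"])
```

The generated rules are a starting point, not policy: the page's own commits show that the right fix is often narrower (a new type such as `sysfs_hwrandom` or `batteryproperties_service`) or different in kind (`mlstrustedobject`), and only the ringtone line on this page trips the MLS hint. The `comm` decoding turns `425420536572766963652043616C6C` from the bluetooth denial into `BT Service Call`, which makes the offending thread much easier to find.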