Mark Salyzyn
d143560445
persist.mmc.* only set in init
Bug: 26976972
Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118
2016-02-04 11:03:10 -08:00
Daichi Hirono
4c42a0dcc0
Merge "Fix SELinux warning when passing fuse FD from system server."
2016-02-04 03:34:01 +00:00
Daichi Hirono
59e3d7b42d
Fix SELinux warning when passing fuse FD from system server.
Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.
> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0
Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd
2016-02-03 18:15:33 +09:00
Jeffrey Vander Stoep
84fbd53a1b
Merge "init: allow to access console-ramoops with newer kernels"
2016-02-01 19:15:15 +00:00
Jeffrey Vander Stoep
3d8391e759
Merge "mediaserver: grant perms from domain_deprecated"
2016-01-28 15:35:17 +00:00
Jeffrey Vander Stoep
61e9386030
Merge "logd: grant perms from domain_deprecated"
2016-01-28 15:34:28 +00:00
Jeffrey Vander Stoep
e48ab7848d
Merge "kernel: grant perms from domain_deprecated"
2016-01-28 15:34:06 +00:00
Jeff Vander Stoep
72e78bfcac
mediaserver: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7
2016-01-27 19:33:42 -08:00
Jeff Vander Stoep
2f3979a778
logd: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02
2016-01-27 19:25:52 -08:00
Jeff Vander Stoep
bc2b76b06b
kernel: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
2016-01-27 19:18:01 -08:00
dcashman
0e591bd256
Allow apps to check attrs of /cache
Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0
Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6
2016-01-27 15:49:11 -08:00
Jeffrey Vander Stoep
1cf93217fa
Merge "vold: grant perms from domain_deprecated"
2016-01-27 23:44:48 +00:00
Jeffrey Vander Stoep
f33507dfc5
Merge "healthd: grant perms from domain_deprecated"
2016-01-27 20:47:31 +00:00
Daniel Cashman
fea9ad7c29
Merge "remove access_kmsg macro, because it to be more explicit."
2016-01-27 20:46:44 +00:00
Jeffrey Vander Stoep
eecaa0b5f9
Merge "zygote: grant perms from domain_deprecated"
2016-01-27 20:35:12 +00:00
Jeff Vander Stoep
9306072c97
vold: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
2016-01-27 12:24:26 -08:00
Jeff Vander Stoep
12401b8d18
healthd: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e
2016-01-27 11:20:52 -08:00
Jeff Vander Stoep
cee6a0e748
zygote: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
2016-01-27 10:55:03 -08:00
dcashman
db559a348e
Allow sdcardd tmpfs read access.
Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
vold: EmulatedVolume calls sdcard to mount on /storage/emulated.
Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee
2016-01-27 10:42:54 -08:00
Jeffrey Vander Stoep
98f60e5c74
Merge "Revert "zygote: grant perms from domain_deprecated""
2016-01-27 18:39:42 +00:00
Jeffrey Vander Stoep
b898360e27
Revert "zygote: grant perms from domain_deprecated"
This reverts commit e52fff83a1.
Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
2016-01-27 18:39:28 +00:00
Jeffrey Vander Stoep
4115beae63
Merge "zygote: grant perms from domain_deprecated"
2016-01-27 18:08:01 +00:00
Jeff Vander Stoep
e52fff83a1
zygote: grant perms from domain_deprecated
In preparation of removing permissions from domain_deprecated.
Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
Change-Id: I5b505ad386a445113bc0a1bb35d4f88f7761c048
2016-01-27 09:57:25 -08:00
Sylvain Chouleur
9a28f90d6a
init: allow to access console-ramoops with newer kernels
Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability for a process accessing
console-ramoops file.
sepolicy must be adapted to this new requirement.
Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 16:42:31 +01:00
Narayan Kamath
c4121add28
Merge "Revert "Remove domain_deprecated from sdcard domains""
2016-01-27 15:39:28 +00:00
Narayan Kamath
f4d7eef731
Revert "Remove domain_deprecated from sdcard domains"
This reverts commit 0c7bc58e91.
bug: 26807309
Change-Id: I8a7b0e56a0d6f723508d0fddceffdff76eb0459a
2016-01-27 15:39:05 +00:00
Jeff Vander Stoep
be0616baf0
domain: grant write perms to cgroups
Was moved to domain_deprecated. Move back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
2016-01-27 03:00:50 +00:00
dcashman
5833e3f5ca
Restore untrusted_app proc_net access.
Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4
2016-01-26 16:56:24 -08:00
SimHyunYong
001b10bdff
remove access_kmsg macro, because it to be more explicit.
This macro does not give us anything to it.
Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
2016-01-27 08:56:30 +09:00
SimHyunYong
093ea6fb9a
Using r_dir_file macro in domain.te
r_dir_file(domain, self)
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;
te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f
2016-01-27 07:54:47 +09:00
Jeffrey Vander Stoep
cdae042a07
Merge "Remove domain_deprecated from sdcard domains"
2016-01-26 22:44:14 +00:00
James Hawkins
ae29dea8b7
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated."
2016-01-26 21:26:37 +00:00
James Hawkins
2e8d71c3be
bootstat: Fix the SELinux policy after removing domain_deprecated.
* Allow reading /proc.
type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0
* Define domain for the /system/bin/bootstat file.
init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.
Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804
2016-01-26 18:52:58 +00:00
SimHyunYong
7171232c02
Delete policy it is already included in binder_call macros.
define(`binder_call', `
allow $1 $2:binder { call transfer };
allow $2 $1:binder transfer;
allow $1 $2:fd use;
')
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
it is already include these policy.. so I can delete these policy!
allow surfaceflinger appdomain:fd use;
allow surfaceflinger bootanim:fd use;
2016-01-26 16:33:44 +09:00
Jeffrey Vander Stoep
0220b345b3
Merge "Delete duplicated policy, it is already include in app.te."
2016-01-26 06:17:32 +00:00
Tao Bao
6899e0a38b
Merge "Allow update_engine to use Binder IPC."
2016-01-26 04:33:51 +00:00
SimHyunYong
5ba9af2390
Delete duplicated policy, it is already include in app.te.
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
2016-01-26 11:13:29 +09:00
Tao Bao
dce317cf43
Allow update_engine to use Binder IPC.
Register service with servicemanager and name the context.
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
Also allow priv_app to communicate with update_engine.
avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder
Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c
2016-01-25 16:42:38 -08:00
dcashman
b037a6c94b
Add adbd socket perms to system_server.
Commit 2fdeab3789 added ability to debug
over adbd for zygote-spawned apps, required by removal of domain_deprecated
from untrusted_app. This functionality is a core debuggable component
of the android runtime, so it is needed by system_server as well.
Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a
2016-01-25 16:09:01 -08:00
Jeff Vander Stoep
2fdeab3789
app: connect to adbd
Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.
Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496
2016-01-25 15:20:05 -08:00
Jeff Vander Stoep
45517a7547
domain: allow dir search in selinuxfs
Domain is already allowed to stat selinuxfs, it also needs
dir search.
Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir
Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07
2016-01-25 18:18:36 +00:00
Jeffrey Vander Stoep
c1b0ffcfdc
Merge "watchdog: remove domain_deprecated"
2016-01-25 17:09:46 +00:00
Jeff Vander Stoep
1eeaa47eac
watchdog: remove domain_deprecated
Change-Id: I60d66da98a8da9cd7a9d0130862242e09b7dccf1
2016-01-25 08:12:21 -08:00
Nick Kralevich
5c8854abef
app.te: grant /system dir/file/symlink read
Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.
Addresses the following denials:
RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
/system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
--library-path=/system/vendor/lib64 --library-path=/system/lib64
-lRSDriver -lm -lc
/data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
-o
/data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
ld.mc : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
ld.mc : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
RenderScript: Child process "/system/bin/ld.mc" terminated with status 256
Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3
2016-01-23 08:41:47 -08:00
dcashman
cbf7ba18db
Remove domain_deprecated from untrusted_app.
Bug: 22032619
Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
2016-01-22 15:51:41 -08:00
dcashman
2193f766bc
Temporarily allow untrusted_app to read proc files.
Address the following denial:
01-22 09:15:53.998 5325 5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c
2016-01-22 15:49:42 -08:00
James Hawkins
447041a940
Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat."
2016-01-22 18:05:25 +00:00
dcashman
8666bf25cf
Allow access to /dev/ion and proc_net dir.
Address the following:
01-21 13:35:41.147 5896 5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152 5896 5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152 5896 5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152 5896 5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed
and
01-22 08:58:47.667 7572 7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671 7498 7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671 7498 7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13
Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38
2016-01-22 09:29:00 -08:00
James Hawkins
39c198ac6f
bootstat: Implement the SELinux policy to allow reading/writing to
/data/misc/bootstat.
BUG: 21724738
Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e
2016-01-22 08:08:37 -08:00
Jeffrey Vander Stoep
e1224de04d
Merge "Allow domains to stat filesystems."
2016-01-22 00:27:50 +00:00