Commit graph

4099 commits

Author SHA1 Message Date
Stephen Smalley
c423b1aae8 Add neverallow checking to sepolicy-analyze.
See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.

Cherry-pick of commit: 59906bf893
with build-fix from commit: 74bbf703df
added manually.

Bug: 19191637

Change-Id: I1c18fa854b3c5f5e05d5dc42d9006c5fdacebdc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-05 07:42:30 +00:00
Christopher Ferris
8aaf546402 am 5ec38c49: Dumpstate runs the same from shell as service.
* commit '5ec38c49e3b61b8a3228b56278e85fc276eaec6b':
  Dumpstate runs the same from shell as service.
2015-02-05 02:30:42 +00:00
Christopher Ferris
5ec38c49e3 Dumpstate runs the same from shell as service.
Without this change, any selinux warnings you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-02-04 14:19:26 -08:00
dcashman
9d08bf2c75 am fc3204f6: am bba18381: Allow radio access to drmserver_service.
* commit 'fc3204f664fdc442d39670fa074264ea90ee0b1a':
  Allow radio access to drmserver_service.
2015-02-02 18:17:57 +00:00
dcashman
fc3204f664 am bba18381: Allow radio access to drmserver_service.
* commit 'bba18381039dbe45f6acce61d6be1ea7abb2fb06':
  Allow radio access to drmserver_service.
2015-02-02 18:11:00 +00:00
dcashman
bba1838103 Allow radio access to drmserver_service.
Address the following denial:
SELinux  E  avc:  denied  { find } for service=drm.drmManager scontext=u:r:radio:s0 tcontext=u:object_r:drmserver_service:s0

which occurs when a non-default SMS app sends an MMS. The message would be
stored into the system automatically by the MMS service (from the phone process and phone
UID). The storing of the message involves the creation of an
android.drm.DrmManagerClient instance.

Change-Id: Ic4e493f183c9ce7f7ac3f74f6ea062893ea67608
2015-02-02 09:25:57 -08:00
Nick Kralevich
2fa0b70e51 am 8fb5aad0: am 3c77d4d1: Add compile time checks for /data/dalvik-cache access
* commit '8fb5aad03d2fdf04f50611cbb480ae41b5717810':
  Add compile time checks for /data/dalvik-cache access
2015-01-30 21:22:21 +00:00
Nick Kralevich
8fb5aad03d am 3c77d4d1: Add compile time checks for /data/dalvik-cache access
* commit '3c77d4d1c113282315fbccf696298e04f99a20b4':
  Add compile time checks for /data/dalvik-cache access
2015-01-30 21:16:29 +00:00
Nick Kralevich
f4c0a09bd3 am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec
* commit '437f713936148eb0cf3eb277eab72b07a1d533ca':
  system_server: neverallow dex2oat exec
2015-01-30 21:16:13 +00:00
Nick Kralevich
437f713936 am 361cdaff: system_server: neverallow dex2oat exec
* commit '361cdaff3096fafc16bbe88b84d6f99f7944def7':
  system_server: neverallow dex2oat exec
2015-01-30 19:43:41 +00:00
Nick Kralevich
3c77d4d1c1 Add compile time checks for /data/dalvik-cache access
Add an SELinux neverallow rule (compile time assertion) that only
authorized SELinux domains are writing to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains
to perform writes to files in /data/dalvik-cache

  * init
  * zygote
  * installd
  * dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom
on /data/dalvik-cache files, and { create, write, setattr }
on /data/dalvik-cache directories. Currently init has full
write access, which can be reduced over time.

This change was motivated by the discussion
in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain.
This domain is only used by init, kernel, and fsck on user builds.
The kernel and fsck domains have no need to access files in
/data/dalvik-cache. Init has a need to relabel files, but
that rule is already granted in init.te.

The neverallow rule is intended to prevent regressions. Neverallow
rules are CTS tested, so regressions won't appear on our devices
or partner devices.

Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd
2015-01-30 11:27:35 -08:00
Nick Kralevich
361cdaff30 system_server: neverallow dex2oat exec
system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
2015-01-29 16:57:15 -08:00
Ruben Brunk
8e89c8e9d2 am 6cfd9d13: am db1320f5: Add security policy for ProcessInfoService.
* commit '6cfd9d13197c35bc2a76cba3bda47a1a5e51855a':
  Add security policy for ProcessInfoService.
2015-01-29 23:33:51 +00:00
Ruben Brunk
6cfd9d1319 am db1320f5: Add security policy for ProcessInfoService.
* commit 'db1320f550723616165d67faffd6197b8415dbf8':
  Add security policy for ProcessInfoService.
2015-01-29 23:26:33 +00:00
Nick Kralevich
a7cfd557f7 am bf626ce9: appdomain: relax netlink_socket neverallow rule
* commit 'bf626ce94452813e44433c40fb3d80f8b4b00ff5':
  appdomain: relax netlink_socket neverallow rule
2015-01-29 23:25:16 +00:00
Nick Kralevich
bf626ce944 appdomain: relax netlink_socket neverallow rule
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

(cherry picked from commit d31936f89c)

Bug: 19198997
Change-Id: Icfed1ee66f082df1117b090341f62981f01bc849
2015-01-29 15:02:54 -08:00
Ruben Brunk
db1320f550 Add security policy for ProcessInfoService.
Bug: 19186859

Change-Id: Ic08858f346d6b66e7bfc9da6faa2c6e38d9b2e82
2015-01-29 14:58:24 -08:00
Nick Kralevich
685cbf28d8 am ae5c3c1b: am d31936f8: appdomain: relax netlink_socket neverallow rule
* commit 'ae5c3c1ba66a62f464f4c1a48e4c66435d7b4f51':
  appdomain: relax netlink_socket neverallow rule
2015-01-29 19:31:08 +00:00
Nick Kralevich
ae5c3c1ba6 am d31936f8: appdomain: relax netlink_socket neverallow rule
* commit 'd31936f89c49bc5c54b84bd5095f3c417da14935':
  appdomain: relax netlink_socket neverallow rule
2015-01-29 19:24:45 +00:00
Nick Kralevich
d31936f89c appdomain: relax netlink_socket neverallow rule
Relax the neverallow netlink restrictions for app domains.
In particular, some non-AOSP app domains may use netlink sockets
to communicate with a kernel driver.

Continue to neverallow generic netlink sockets for untrusted_app.
The intention here is that only app domains which explicitly need
this functionality should be able to request it.

This change does not add or remove any SELinux rules. Rather, it
just changes SELinux compile time assertions, as well as allowing
this behavior in CTS.

Modify other neverallow rules to use "domain" instead of "self".
Apps shouldn't be able to handle netlink sockets, even those
created in other SELinux domains.

Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571
2015-01-28 17:46:30 -08:00
Nick Kralevich
a8b15ce837 am 54477ed7: am bfe4c8ba: radio.te: make radio mlstrustedsubject
* commit '54477ed781c2fb54b4305a262d750cbb3368acc7':
  radio.te: make radio mlstrustedsubject
2015-01-27 16:41:20 +00:00
Nick Kralevich
54477ed781 am bfe4c8ba: radio.te: make radio mlstrustedsubject
* commit 'bfe4c8ba89aebe0154aeaee6ce65215095fe0840':
  radio.te: make radio mlstrustedsubject
2015-01-27 16:35:31 +00:00
Nick Kralevich
bfe4c8ba89 radio.te: make radio mlstrustedsubject
Messenger can't send MMSes on the master branch. When Messenger sends
an MMS, it stores the message data in a local file and publishes it
via a content provider. The URI is passed to the MMS API. The
MmsServiceBroker in the system process gets the call and grants URI
permission to the phone UID. The MmsService in the phone process (sharing
the phone UID) needs to read the URI to get the message data to send.

Addresses the following denial:

  type=1400 audit(0.0:32): avc: denied { read } for path="/data/data/com.google.android.apps.messaging/cache/rawmms/5394791820000274558.dat" dev="mmcblk0p28" ino=83180 scontext=u:r:radio:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Change-Id: I2b694ff6c516714d3524e0613bae0f6773ed2e95
2015-01-26 15:25:03 -08:00
dcashman
adf283431e am f111d2fa: am 5fef2de3: Allow shell to find all services.
* commit 'f111d2fa4dc18fd7e97ca8925fbd6b1d6997dad7':
  Allow shell to find all services.
2015-01-24 00:27:08 +00:00
dcashman
f111d2fa4d am 5fef2de3: Allow shell to find all services.
* commit '5fef2de32079337d99f4515fa3a70cb2faed1305':
  Allow shell to find all services.
2015-01-24 00:19:42 +00:00
dcashman
5fef2de320 Allow shell to find all services.
dumpsys from shell results in many denials:
11-08 02:52:13.087   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.089   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.093   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.103   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.104   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.113   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.114   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.118   171   171 E SELinux : avc:  denied  { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
11-08 02:52:13.130   171   171 E SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.379   171   171 E SELinux : avc:  denied  { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
11-08 02:52:13.388   171   171 E SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
11-08 02:52:13.574   171   171 E SELinux : avc:  denied  { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
11-08 02:52:13.576   171   171 E SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.712   171   171 E SELinux : avc:  denied  { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
11-08 02:52:13.713   171   171 E SELinux : avc:  denied  { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Bug: 18799966
Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc
2015-01-23 16:06:13 -08:00
Nick Kralevich
8b50638c81 am 77e19521: am 0f0324cc: domain.te: allow /proc/net/psched access
* commit '77e195210f34747ef2955e13652eaa6fe8bcac77':
  domain.te: allow /proc/net/psched access
2015-01-22 20:55:39 +00:00
Nick Kralevich
77e195210f am 0f0324cc: domain.te: allow /proc/net/psched access
* commit '0f0324cc826afb9beefda802d496befe823a081e':
  domain.te: allow /proc/net/psched access
2015-01-22 20:47:12 +00:00
Nick Kralevich
0f0324cc82 domain.te: allow /proc/net/psched access
external/sepolicy commit 99940d1af5
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.

Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.

external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.

By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.

For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.

Addresses the following denials:

  avc: denied { read } for  pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf
2015-01-22 10:59:21 -08:00
Sharif Inamdar
3a1f6cceaf am d9966044: am 99b40521: Allow system_app to access /data/data link files
* commit 'd99660444d6ded85a0da7030423a71887e004414':
  Allow system_app to access /data/data link files
2015-01-22 00:14:18 +00:00
Nick Kralevich
e8d614b268 am 90b8471e: am 9dc5956f: Merge "Revert "isolated_app: Do not allow access to the gpu_device.""
* commit '90b8471e5a1eeb74032fdb192b0bc4b99196c3d4':
  Revert "isolated_app: Do not allow access to the gpu_device."
2015-01-22 00:14:18 +00:00
Christopher Ferris
e655777eb7 am a48dd6c1: am c21e9cc1: Merge "Allow debuggerd to redirect requests."
* commit 'a48dd6c107b4f3333fbfcf3dad271c943e708d0b':
  Allow debuggerd to redirect requests.
2015-01-22 00:13:28 +00:00
Sharif Inamdar
d99660444d am 99b40521: Allow system_app to access /data/data link files
* commit '99b40521266450dca66a5375e8134bb1d3d5fbe0':
  Allow system_app to access /data/data link files
2015-01-21 23:12:31 +00:00
Nick Kralevich
90b8471e5a am 9dc5956f: Merge "Revert "isolated_app: Do not allow access to the gpu_device.""
* commit '9dc5956f09ad98f1f49b0d538b48443c2eb158a2':
  Revert "isolated_app: Do not allow access to the gpu_device."
2015-01-21 23:12:30 +00:00
Sharif Inamdar
99b4052126 Allow system_app to access /data/data link files
system_app tries to access files in /data/data (lnk_files).
But due to a permission issue it is not able to access the
link files.

Change-Id: I2959d899f5e3ab9caa219d684541d36587a6c059
2015-01-21 23:08:20 +00:00
Nick Kralevich
9dc5956f09 Merge "Revert "isolated_app: Do not allow access to the gpu_device."" 2015-01-21 23:05:52 +00:00
Christopher Ferris
a48dd6c107 am c21e9cc1: Merge "Allow debuggerd to redirect requests."
* commit 'c21e9cc1fc6ef69cdca1829e7a78cb68badd631f':
  Allow debuggerd to redirect requests.
2015-01-21 22:58:12 +00:00
Christopher Ferris
c21e9cc1fc Merge "Allow debuggerd to redirect requests." 2015-01-21 18:39:29 +00:00
Nick Kralevich
2ada7f3c10 Revert "isolated_app: Do not allow access to the gpu_device."
Chrome team recommends reverting this patch and introducing
it into a future version of Android, to avoid potential
compatibility issues.

This reverts commit 9de62d6ffe.

Bug: 17471434
Bug: 18609318
Change-Id: I9adaa9d0e4cb6a592011336e442e9d414dbac470
2015-01-20 16:20:42 -08:00
Nick Kralevich
665c06e4c7 resolved conflicts for merge of 7ef348b1 to lmp-mr1-dev-plus-aosp
Change-Id: I0f1dd74fc8aee74c930cbfdd8d497cad7710d780
2015-01-20 15:51:53 -08:00
Christopher Ferris
b51c4dd39a Allow debuggerd to redirect requests.
On 64 bit systems, all requests will first go to the 64 bit debuggerd,
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permission problems where a Java process needs to be able to
read the ELF data for executables. Instead, the permissions are granted
to debuggerd.

Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.

Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
2015-01-20 15:15:27 -08:00
dcashman
854ad128c9 am a5119ee7: am 566e8fe2: Record service accesses.
* commit 'a5119ee7900d511278b12d04f436ed25110556cf':
  Record service accesses.
2015-01-20 15:47:20 +00:00
dcashman
a5119ee790 am 566e8fe2: Record service accesses.
* commit '566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63':
  Record service accesses.
2015-01-20 15:41:43 +00:00
dcashman
566e8fe258 Record service accesses.
Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
2015-01-16 17:27:25 -08:00
dcashman
5e5452c8e9 am 11daf6d6: am 7d1deec4: Record surfaceflinger power_service access.
* commit '11daf6d6a37fb4ec21a52dee32af8b47f6af246c':
  Record surfaceflinger power_service access.
2015-01-17 00:09:26 +00:00
dcashman
11daf6d6a3 am 7d1deec4: Record surfaceflinger power_service access.
* commit '7d1deec4c48a5c15a12249aa841ec5dabab6f814':
  Record surfaceflinger power_service access.
2015-01-17 00:03:44 +00:00
dcashman
7d1deec4c4 Record surfaceflinger power_service access.
Address the following log entry:
SELinux : avc:  granted  { find } for service=power scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:power_service:s0 tclass=service_manager

Change-Id: Id750ba9f99c622351fb3206ad007eae8a713adea
2015-01-16 15:52:01 -08:00
dcashman
6f25eefeeb am 3e7900ff: am d3205254: Merge "Allow shell to read /proc."
* commit '3e7900ff65a19d1e146885ad2f196ed3e4b7df6d':
  Allow shell to read /proc.
2015-01-16 23:22:06 +00:00
dcashman
3e7900ff65 am d3205254: Merge "Allow shell to read /proc."
* commit 'd3205254bbe4dcfe4c7451b40ed5711ccc6d1a18':
  Allow shell to read /proc.
2015-01-16 23:15:07 +00:00
dcashman
d3205254bb Merge "Allow shell to read /proc." 2015-01-16 23:09:51 +00:00