Commit graph

121 commits

Author SHA1 Message Date
Sreeram Ramachandran
65edb75d53 Allow netd to create data files in /data/misc/net/.
This will be used to populate rt_tables (a mapping from routing table numbers to
table names) that's read by the iproute2 utilities.

Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-08 19:06:28 +00:00
Nick Kralevich
fad4d5fb00 Fix SELinux policies to allow resource overlays.
The following commits added support for runtime resource overlays.

  New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
  Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
  Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
2014-06-16 14:20:08 -07:00
Stephen Smalley
d2503ba864 Define contextmount_type attribute and add it to oemfs.
Several device-specific policy changes with the same Change-Id
also add this attribute to device-specific types.

Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 17:46:21 +00:00
Nick Kralevich
48212742b2 Don't allow types which are both file_type and fs_type
It's a bug to have a type with both the file_type and fs_type
attribute. A type should be declared with either file_type,
or fs_type, but not both.

Create a neverallow rule which detects this situation. This works
because we have the following allow rule:

  allow fs_type self:filesystem associate;

If a type is a file_type and an fs_type, the associate allow rule
will conflict with this neverallow rule.

Not sure if this is the cleanest way to accomplish this, but it
seems to work.

Change-Id: Ida387b1df260efca15de38ae7a66ed25e353acaa
2014-06-16 08:36:05 -07:00
Nick Kralevich
5a5fb85f1e label usbfs
Right now usbfs doesn't have any labels, generating the
following kernel warnings:

<7>[    3.009582] SELinux: initialized (dev usbfs, type usbfs), not configured for labeling

and the occasional SELinux unlabeled auditallow logs:

<4>[  285.579254] type=1400 audit(1402010345.094:16): avc: granted { search } for pid=371 comm="qcks" name="/" dev="usbfs" ino=15794 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  285.632354] type=1400 audit(1402010345.154:18): avc: granted { search } for pid=371 comm="qcks" name="001" dev="usbfs" ino=15796 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir

Make sure usbfs is assigned via genfscon

Change-Id: I7191f2584014ba55a3c3a98e7efd0350dc958782
2014-06-09 08:36:14 -07:00
Stephen Smalley
ad0d0fc722 Protect /data/property.
/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:43:37 +00:00
Torne (Richard Coles)
9786af2bca Define SELinux policy for RELRO sharing support.
Define a domain and appropriate access rules for shared RELRO files
(used for loading the WebView native library). Any app is permitted to
read the files as they are public data, but only the shared_relro
process is permitted to create/update them.

Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e
2014-05-27 14:17:50 +01:00
Sreeram Ramachandran
56ecf4bdf8 Introduce fwmarkd: a service to set the fwmark of sockets.
(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-14 11:23:28 -07:00
Stephen Smalley
baf49bd541 Label /data/.layout_version with its own type.
installd creates /data/.layout_version.  Introduce a separate type
for this file (and any other file created by installd under a directory
labeled system_data_file) so that we can allow create/write access by
installd without allowing it to any system data files created by other
processes.  This prevents installd from overwriting other system data
files, and ensure that any files it creates will require explicit
rules in order to access.

Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-12 11:31:09 -04:00
Stephen Smalley
9add1f039b Add sysfs_type attribute to sysfs, coalesce ueventd rules.
As per the discussion in:
https://android-review.googlesource.com/#/c/92903/

Add sysfs_type attribute to sysfs type so that it is included
in rules on sysfs_type, allow setattr to all sysfs_type for ueventd
for chown/chmod, and get rid of redundant rules.

Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-08 13:18:52 -04:00
Stephen Smalley
91a4f8d4fd Label app data directories for system UID apps with a different type.
We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 18:04:51 +00:00
Jeff Sharkey
6736bac218 Define types for an OEM-provided filesystem.
Bug: 13340779
Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587
2014-04-25 17:07:20 -07:00
Nick Kralevich
77cc05502f Label /dev/usb-ffs/adb functionfs
Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.

Once labeled, this addresses the following denials:

<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file

Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
2014-04-15 15:12:45 -07:00
jaejyn.shin
318e0c9cef pstore file system labeling
pstore(persistent store) have been applied since kernel 3.5
We need to label the pstore-fs in order to use Android with kernel 3.5 or upper version.
My kernel version is 3.10 and I got the below denial log when I ran the "df" command on the adb shell.

type=1400 msg=audit(1388540540.220:18): avc: denied { getattr } for pid=7296 comm="df" name="/" dev="pstore" ino=7703 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem

And the below log is also shown during booting

type=1400 msg=audit(1388539193.750:4): avc: denied { mount } for pid=2844 comm="mount" name="/" dev="pstore" ino=11393 scontext=u:r:init_shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem

Change-Id: Iaba543d44565c4f20a77a95b9573a628bbd3fd34
2014-04-10 04:51:46 +00:00
Stephen Smalley
19c509034e Define a type for /data/dalvik-cache/profiles.
I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles
subdirectory to /data/dalvik-cache with files that must be
app-writable.  As a result, we have denials such as:
W/Profiler( 3328): type=1400 audit(0.0:199): avc:  denied  { write } for  name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null)
W/auditd  (  286): type=1307 audit(0.0:199):  cwd="/"
W/auditd  (  286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0

We do not want to allow untrusted app domains to write to the
existing type on other /data/dalvik-cache files as that could be used
for code injection into another app domain, the zygote or the system_server.
So define a new type for this subdirectory.  The restorecon_recursive /data
in init.rc will fix the labeling on devices that already have a profiles
directory created.  For correct labeling on first creation, we also need
a separate change to installd under the same change id.

Bug: 13927667
Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-09 19:08:04 +00:00
Stephen Smalley
f9c3257fba Get rid of separate download_file type.
This appears to have been created to allow untrusted_app to
access DownloadProvider cache files without needing to allow
open access to platform_app_data_file.  Now that platform_app_data_file
is gone, there is no benefit to having this type.

Retain a typealias for download_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

This change depends on:
https://android-review.googlesource.com/#/c/87801/

Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-14 12:17:06 +00:00
Stephen Smalley
dc88dca115 Get rid of separate platform_app_data_file type.
The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-13 13:02:06 +00:00
Stephen Smalley
3dad7b611a Address system_server denials.
Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { call } for  pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc:  denied  { write } for  pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc:  denied  { write } for  pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc:  denied  { ptrace } for  pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc:  denied  { sigkill } for  pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc:  denied  { write } for  pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc:  denied  { read write } for  pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc:  denied  { setopt } for  pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc:  denied  { getattr } for  pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { unlink } for  pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc:  denied  { getattr } for  pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { getopt } for  pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { read write } for  pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc:  denied  { write } for  pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-05 12:22:19 -05:00
Stephen Smalley
0296b9434f Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 21:26:08 +00:00
Stephen Smalley
2c347e0a36 Drop obsolete keystore_socket type and rules.
Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while.  The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 19:07:03 +00:00
Stephen Smalley
96ff4c053a Add a domain for mdnsd and allow connecting to it.
Change-Id: I0a06fa32a46e515671b4e9a6f68e1a3f8b2c21a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 16:23:12 +00:00
Nick Kralevich
5467fce636 initial lmkd policy.
* Allow writes to /proc/PID/oom_score_adj
* Allow writes to /sys/module/lowmemorykiller/*

Addresses the following denials:
<5>[    3.825371] type=1400 audit(9781555.430:5): avc:  denied  { write } for  pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[   48.874747] type=1400 audit(9781600.639:16): avc:  denied  { search } for  pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[   48.874889] type=1400 audit(9781600.639:17): avc:  denied  { dac_override } for  pid=176 comm="lmkd" capability=1  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
<5>[   48.874982] type=1400 audit(9781600.639:18): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[   48.875075] type=1400 audit(9781600.639:19): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[   49.409231] type=1400 audit(9781601.169:20): avc:  denied  { write } for  pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  209.081990] type=1400 audit(9781760.839:24): avc:  denied  { search } for  pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir
<5>[  209.082240] type=1400 audit(9781760.839:25): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[  209.082498] type=1400 audit(9781760.839:26): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[  209.119673] type=1400 audit(9781760.879:27): avc:  denied  { search } for  pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir
<5>[  209.119937] type=1400 audit(9781760.879:28): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[  209.120105] type=1400 audit(9781760.879:29): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[  209.235597] type=1400 audit(9781760.999:30): avc:  denied  { search } for  pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[  209.235798] type=1400 audit(9781760.999:31): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  209.236006] type=1400 audit(9781760.999:32): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  214.297283] type=1400 audit(9781766.059:64): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[  214.297415] type=1400 audit(9781766.059:65): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[  214.355060] type=1400 audit(9781766.119:66): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[  214.355236] type=1400 audit(9781766.119:67): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[  214.516920] type=1400 audit(9781766.279:68): avc:  denied  { search } for  pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir
<5>[  214.678861] type=1400 audit(9781766.439:69): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[  214.678992] type=1400 audit(9781766.439:70): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[  214.708284] type=1400 audit(9781766.469:71): avc:  denied  { search } for  pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[  214.708435] type=1400 audit(9781766.469:72): avc:  denied  { write } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[  214.708648] type=1400 audit(9781766.469:73): avc:  denied  { open } for  pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file

Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4
2014-02-13 13:48:33 -08:00
Robert Craig
48b18832c4 Introduce asec_public_file type.
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-11 17:08:10 +00:00
Mark Salyzyn
8ed750e973 sepolicy: Add write_logd, read_logd & control_logd
- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2014-02-04 07:56:50 -08:00
Robert Craig
0cbf06fde4 Drop the typealias for camera_calibration_file.
This was originally used for the /data/fdAlbum
file. Device specific policy properly labels the
file as camera_data_file either during its
initial creation (type_transition rule) or with
a single restorecon call in the respective init.*.rc
file.

Change-Id: Ie953dcf4c40883db09cfb4ffec2a42e8ccd6344c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-30 14:01:44 -05:00
Robert Craig
529fcbe065 Create proc_net type for /proc/sys/net entries.
/proc/sys/net could use its own type to help distinguish
among some of the proc access rules. Fix dhcp and netd
because of this.

Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-07 14:03:32 -05:00
Stephen Smalley
e13fabd75a Label /data/media with its own type and allow access.
/data/media presently is left in system_data_file, which requires
anything that wants to write to it to be able to write to system_data_file.
Introduce a new type for /data/media, media_rw_data_file (to match
the media_rw UID assigned to it and distinguish it from /data/misc/media
which has media UID and media_data_file type), and allow access to it.

We allow this for all platform app domains as WRITE_MEDIA_STORAGE permission is granted
to signature|system.  We should not have to allow it to untrusted_app.

Set up type transitions in sdcardd to automatically label any directories
or files it creates with the new type.

Change-Id: I5c7e6245b854a9213099e40a41d9583755d37d42
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-17 16:11:23 -05:00
Nick Kralevich
09e6abd91b initial dumpstate domain
Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-16 15:29:09 -08:00
Nick Kralevich
7466f9b693 Label /data/misc/zoneinfo
And allow any SELinux domain to read these timezone
related files.

Addresses the following denial:
<5>[    4.746399] type=1400 audit(3430294.470:7): avc:  denied  { open } for  pid=197 comm="time_daemon" name="tzdata" dev="mmcblk0p28" ino=618992 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Iff32465e62729d7aad8c79607848d89ce0aede86
2013-12-13 15:57:23 -08:00
Nick Kralevich
6a32eec74d alphabetize /data/misc entries.
Alphabetize the entries for the /data/misc subdirectories.

Change-Id: I3690085cbb99c225545545668dedd66341a14edb
2013-12-13 15:57:23 -08:00
Nick Kralevich
2b392fccf3 Move lmkd into it's own domain.
lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd.  ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
2013-12-06 08:16:39 -08:00
Stephen Smalley
7adb999e70 Restrict the ability to set usermodehelpers and proc security settings.
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 09:44:38 -05:00
Stephen Smalley
8510d31ed3 Rename camera_calibration_file and audio_firmware_file.
Use more general type names for the contents of /data/misc/camera and
/data/misc/audio.  These were the names used in our policy until 4.3
was released, at which point we switched to be consistent with AOSP.
However, the Galaxy S4 4.2.2 image, Galaxy S4 4.3 image, and
Galaxy Note 3 4.3 image all shipped with policies using _data_file names
because they were based on our older policy.  So we may as well switch
AOSP to these names.

Not sure if in fact these could be all coalesced to the new media_data_file
type for /data/misc/media introduced by
Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343.

Options to fix already existing devices, which would only apply
to Nexus devices with 4.3 or 4.4 at this point:
1) Add restorecon_recursive /data/misc/audio /data/misc/camera to either
the system/core init.rc or to the device-specific init.*.rc files.
-or-
2) Add a typealias declaration in the policy to remap the old type names.
to the new ones.  Then existing types on persistent storage will be
remapped internally to the new ones.
-or-
3) Some sort of relabeld.

Option #2 is implemented by this change.

Change-Id: Id36203f5bb66b5200efc1205630b5b260ef97496
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-12 17:01:44 -05:00
Stephen Smalley
a771671877 Label /data/misc/media and allow mediaserver access to it.
Otherwise we get denials like these on 4.4:

type=1400 audit(1383590170.360:29): avc:  denied  { write } for  pid=61 comm="mediaserver" name="media" dev="mtdblock1" ino=6416 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { add_name } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc:  denied  { create } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590170.360:29): avc:  denied  { write open } for  pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { write } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc:  denied  { open } for  pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-07 16:22:50 -08:00
Stephen Smalley
a7c8ea864e Move audio_firmware_file and /data/misc/audio entry to core sepolicy.
Change-Id:  Ib8c96ab9e19d34e8e34a4c859528345763be4906
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-06 13:00:52 -05:00
Nick Kralevich
c4a3b51062 sysfs_devices_system_cpu should be a sysfs_type
Otherwise the following denials occur on mako:

<5>[    2.494246] type=1400 audit(1382544550.200:4): avc:  denied  { associate } for  pid=1 comm="init" name="time_in_state" dev="sysfs" ino=17444 scontext=u:object_r:sy
sfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.494735] type=1400 audit(1382544550.200:5): avc:  denied  { associate } for  pid=1 comm="init" name="total_trans" dev="sysfs" ino=17443 scontext=u:object_r:sysf
s_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.495162] type=1400 audit(1382544550.200:6): avc:  denied  { associate } for  pid=1 comm="init" name="stats" dev="sysfs" ino=17442 scontext=u:object_r:sysfs_devi
ces_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.495620] type=1400 audit(1382544550.200:7): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_governor" dev="sysfs" ino=17435 scontext=u:object_r
:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496047] type=1400 audit(1382544550.200:8): avc:  denied  { associate } for  pid=1 comm="init" name="cpuinfo_transition_latency" dev="sysfs" ino=17429 scontext=
u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496505] type=1400 audit(1382544550.200:9): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_available_frequencies" dev="sysfs" ino=17439 sconte
xt=u:object_r:sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem
<5>[    2.496963] type=1400 audit(1382544550.200:10): avc:  denied  { associate } for  pid=1 comm="init" name="scaling_driver" dev="sysfs" ino=17436 scontext=u:object_r:
sysfs_devices_system_cpu:s0 tcontext=u:object_r:sysfs:s0 tclass=filesystem

Change-Id: I584a1cf61cb871a38be4d3b308cef03e64cfda8e
2013-10-23 10:42:58 -07:00
William Roberts
ec7d39ba16 Introduce controls on wake lock interface
Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1
2013-10-03 15:17:32 -07:00
Stephen Smalley
55540755bc Label adb keys file and allow access to it.
The /adb_keys entry will only take effect if a restorecon is
applied by init.rc on a kernel that includes the rootfs labeling
support, but does no harm otherwise.

The /data/misc/adb labeling ensures correct labeling of the adb_keys
file created if the device has ro.adb.secure=1 set.

Allow adbd to read the file.

Change-Id: I97b3d86a69681330bba549491a2fb39df6cf20ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-01 09:08:28 -04:00
Stephen Smalley
45ba665cfc Label and allow access to /data/system/ndebugsocket.
Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 16:09:27 -04:00
Stephen Smalley
7aba0bc425 Allow file types to be associated with the rootfs.
This is now possible due to the kernel change to support
setting security contexts on rootfs inodes.

Change-Id: I2a9aac1508eceabb92c3ae8eb5c63a16b28dda6f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-20 10:42:31 -07:00
Stephen Smalley
4caf8c997a Label /dev/socket/mdns with its own type.
Otherwise it gets left in the general device type, and we get denials such
as:
type=1400 msg=audit(1379617262.940:102): avc:  denied  { write } for  pid=579 comm="mDnsConnector" name="mdns" dev="tmpfs" ino=3213 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=sock_file

This of course only shows up if using a confined system_server.

Change-Id: I2456dd7aa4d72e6fd15b55c251245186eb54a80a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-19 15:09:38 -04:00
Stephen Smalley
a770f55b18 Remove dbusd policy; dbusd is no more.
Change-Id: I9652284bd34d07bd47e2e7df66fcbe5db185ab3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 16:16:25 -07:00
Stephen Smalley
1d435de685 Remove bluetoothd policy; bluetoothd is no more.
Change-Id: I153b0aa8a747d6c79839d06fc04b3923eacfa213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 16:15:25 -07:00
William Luh
aca2f5ebd2 Stop breaking build by defining sysfs_devices_system_cpu.
Change-Id: Ie96d573be971b2dcc3d60614794ba9ca13b31471
2013-04-25 16:32:57 -07:00
Nick Kralevich
1e25b98074 Revert "Add the sysrq_file special file and give ADB write access."
This rule doesn't work, as /proc/sysrq-trigger isn't properly labeled.
Revert this change for now.

This reverts commit bb2591e56f.
2013-04-25 14:46:36 -07:00
Geremy Condra
bb2591e56f Add the sysrq_file special file and give ADB write access.
Change-Id: Ief2d412dddf4cefdf43a26538c4be060df4cc787
2013-04-05 13:13:52 -07:00
Geremy Condra
bfb26e7b07 Add downloaded file policy.
Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366
2013-04-05 13:13:44 -07:00
Robert Craig
ffd8c441a5 Add new domains for private apps.
/data/app-private is used when making an
app purchase or forward locking. Provide a
new label for the directory as well as the
tmp files that appear under it.

Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-04-05 13:10:57 -07:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
Robert Craig
18b5f87ea1 racoon policy.
Initial policy for racoon (IKE key management).

Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479
2013-03-22 17:09:26 -07:00
William Roberts
c195ec3148 Split internal and external sdcards
Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-22 15:26:39 -04:00
William Roberts
9e70c8bf68 Move policy files
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.

Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
2013-03-22 10:42:10 -07:00
rpcraig
1c8464e136 App data backup security policy.
Policy covers:

 * backup_data_file type for labeling all
   files/dirs under /data dealing with
   backup mechanism.

 * cache_backup_file type for labeling all
   files/dirs under /cache dealing with
   backup mechanism. This also covers the
   the use of LocalTransport for local archive
   and restore testing.

 * the use of 'adb shell bmgr' to initiate
   backup mechanism from shell.

 * the use of 'adb backup/restore' to archive
   and restore the device's data.

Change-Id: I700a92d8addb9bb91474bc07ca4bb71eb4fc840e
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-19 22:22:10 +00:00
Stephen Smalley
e884872655 Add policy for run-as program.
Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-27 10:05:42 -08:00
Stephen Smalley
61c80d5ec8 Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-19 09:55:10 -05:00
rpcraig
7672eac5fb Add SELinux policy for asec containers.
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec
                  when the asec images are mounted
- asec_image_file : the actual encrypted apks under
                    /data/app-asec

Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2012-10-22 14:14:11 -04:00
William Roberts
c27d30a6ad Correct spelling mistake
Change-Id: If4deccfe740c8de6b88929a0d0439667c3ea340d
2012-09-06 19:38:39 -07:00
rpcraig
e7e65d474f New asec container labeling.
This patchset covers the /mnt/asec variety only.
2012-07-30 14:20:40 -04:00
Stephen Smalley
b9760aa0d5 Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps.
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder.  Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.

Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
2012-07-27 11:07:09 -04:00
hqjiang
4c06d273bc Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device.
Actually, some of policies related to qtaguid have been there already, but
we refind existing ones and add new ones.
2012-07-19 16:11:24 -04:00
hqjiang
20d6963ac2 allow camera calibration 2012-07-19 16:09:58 -04:00
hqjiang
81039ab556 Corrected denials for LocationManager when accessing gps over uart. 2012-07-12 09:27:40 -04:00
Stephen Smalley
e4682a63ab Allow apps to write to /proc/net/xt_qtaguid/ctrl. 2012-06-27 08:54:53 -04:00
Stephen Smalley
6c39ee00e1 Make wallpaper_file a mlstrustedobject to permit writes from any app level. 2012-06-27 08:50:27 -04:00
William Roberts
7fa2f9e0f5 Policy for hci_attach service. 2012-05-31 09:40:12 -04:00
Stephen Smalley
a883c38637 Allow apps to write to anr_data_file for /data/anr/traces.txt. 2012-04-04 16:00:11 -04:00
Stephen Smalley
f7948230ef Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton. 2012-03-19 15:58:11 -04:00
Stephen Smalley
f6cbbe255b Introduce a separate wallpaper_file type for the wallpaper file. 2012-03-19 10:29:36 -04:00
Stephen Smalley
59d28035a1 Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files. 2012-03-19 10:24:52 -04:00
Stephen Smalley
c83d0087e4 Policy changes to support running the latest CTS. 2012-03-07 14:59:01 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00