This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.
Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.
Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
system_app is for apps that run in the system UID, e.g. Settings.
system is for the system_server.
Split them into separate files and note their purpose in the comment
header of each file.
Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove sys_nice capability from domains; this does not appear to be necessary
and should not be possible in particular for app domains. If we encounter
specific instances where it should be granted, we can add it back on a
per-domain basis. Allow it explicitly for the system_server. Unconfined
domains get it via unconfined_domain() and the rules in unconfined.te.
Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* commit '28029a8d2e5e888cec713e9ea1eaacbf1739754b':
Do not permit appdomain to create/write to download_file.
Remove duplicated rules between appdomain and isolated_app.
* commit 'd1f448d4a53f87ae416aeb84ecf21bb703cc4c80':
Do not permit appdomain to create/write to download_file.
Remove duplicated rules between appdomain and isolated_app.
3.4 goldfish kernel supports sysfs labeling so we no longer need this.
Change-Id: I77514a8f3102ac8be957c57d95e7de7d5901f69d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Otherwise we have different security contexts but the same DAC
permissions:
-rw-rw-rw- root root u:object_r:sysfs_writable:s0 process_name
-rw-rw-rw- root root u:object_r:sysfs:s0 state
-rw-rw-rw- root root u:object_r:sysfs:s0 symbol
This change fixes denials such as:
type=1400 msg=audit(1379096020.770:144): avc: denied { write } for pid=85 comm="SurfaceFlinger" name="symbol" dev="sysfs" ino=47 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
Change-Id: I261c7751da3778ee9241ec6b5476e8d9f96ba5ed
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The comment says that apps can read downloaded files, but the
file_type_auto_trans() macro expands to permit create/write access.
Also we don't need a type transition when staying in the same type
as the parent directory so we only truly need allow rules here.
Hence, we remove file_type_auto_trans() altogether, and add an allow
rule for search access to the directory. If create/write access is
truly required, then we can just change the allow rules to use
rw_dir_perms and create_file_perms.
Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.
Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Apps attempting to write to /dev/random or /dev/urandom currently
succeed, but a policy violation is logged. These two Linux RNG
devices are meant to be written to by arbitrary apps. Thus, there's
no reason to deny this capability.
Bug: 10679705
Change-Id: Ife401f1dd2182889471eef7e90fcc92e96f9c4d6
This enables installd to uninstall or clear data of installed apps
whose data directory contains unusual file types, such as FIFO.
Bug: 10680357
(cherry picked from commit 839af9edb5)
Change-Id: I5715f7d6d3214896ad0456d614b052cf5fb79eef
