Jeff Sharkey
72f4c61979
Allow installd to delete files via sdcardfs.
...
When installd clears cached files on external storage, the sdcardfs
kernel filesystem needs to be kept in the loop to release any cached
dentries that it's holding onto. (Otherwise the underlying disk
space isn't actually released.)
installd can already delete the underlying files directly (via the
media_rw_data_file rules), so this technically isn't expanding its
capabilities.
avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1
Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2
2017-05-05 16:10:06 -06:00
Nick Kralevich
4a580ccabb
Fix lock logspam and remove domain_deprecated rule
...
Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.
Addresses the following logspam similar to:
avc: granted { lock } for comm="iptables"
path="/system/etc/xtables.lock" dev="sda22" ino=3745
scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file
avc: granted { lock } for comm="dex2oat"
path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file
Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
2017-04-04 18:37:28 -07:00
Roshan Pius
2a9595ede2
sepolicy: Make wpa_supplicant a HIDL service
...
Note: The existing rules allowing socket communication will be removed
once we migrate over to HIDL completely.
Bug: 34603782
Test: Able to connect to wifi networks.
Test: Will be sending for full wifi integration tests
(go/wifi-test-request)
Change-Id: I9ee238fd0017ec330f6eb67ef9049211f7bd4615
2017-02-24 17:10:59 +00:00
Nick Kralevich
596dd09fed
domain_deprecated.te: remove auditallow statements on user builds
...
Make the policy smaller and less noisy on user builds by suppressing
auditallow rules.
Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Iddf6f12f8ce8838e84b09b2f9f3f0c8b700543f5
2017-02-10 12:58:41 -08:00
Nick Kralevich
b59c201604
init.te: remove domain_deprecated
...
auditallows have been in place for a while, and no obvious denials.
Remove domain_deprecated from init.te
While I'm here, clean up the formatting of the lines in
domain_deprecated.te.
Bug: 28760354
Test: policy compiles and device boots. No obvious problems.
Change-Id: Ia12e77c3e25990957abf15744e083eed9ffbb056
2017-02-10 12:06:46 -08:00
Jeff Vander Stoep
a1b4560088
Remove logspam
...
Grant observed uses of permissions being audited in domain_deprecated.
fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir
sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file
update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir
vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424
2017-02-10 12:06:38 -08:00
Nick Kralevich
5ee3151a8e
exclude init from apk_data_file getattr
...
Addresses the following auditallow spam:
avc: granted { getattr } for comm="init"
path="/data/app/com.sling-1/lib/x86/libavcodec-56.so" dev="mmcblk0p11"
ino=32607 scontext=u:r:init:s0 tcontext=u:object_r:apk_data_file:s0
tclass=file
Test: policy compiles.
Change-Id: I81775f8de93f0b4334279e9f5e19d27e6171616f
2017-02-10 02:33:25 -08:00
Josh Gao
cb3eb4eef9
Introduce crash_dump debugging helper.
...
Replace the global debuggerd with a per-process debugging helper that
gets exec'ed by the process that crashed.
Bug: http://b/30705528
Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>`
Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2017-01-18 15:03:24 -08:00
Nick Kralevich
164af1039d
priv_app.te: remove domain_deprecated
...
No denials collected.
Bug: 28760354
Test: no denials collected.
Test: device boots and no obvious problems
Change-Id: I7fc053ecae2db3bb2ca7c298634453e930713bec
2017-01-06 16:32:01 -08:00
Nick Kralevich
dd649da84b
domain_deprecated.te: remove /proc/net access
...
Remove /proc/net access to domain_deprecated. Add it to domains where it
was missing before.
Other than these domains, SELinux denial monitoring hasn't picked up any
denials related to /proc/net
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
2016-11-30 15:23:26 -08:00
Nick Kralevich
49e3588429
Add directory read permissions to certain domains.
...
Addresses the following denials and auditallows:
avc: denied { read } for pid=561 comm="hwservicemanage" name="hw"
dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0"
ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0
avc: granted { read open } for pid=735 comm="fingerprintd"
path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0
tcontext=u:object_r:system_file:s0 tclass=dir
Test: no denials on boot
Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f
2016-11-28 17:03:41 +00:00
Nick Kralevich
06da58b9ab
Delete more from domain_deprecated.te
...
No unexpected usages.
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I43226fd0b8103afb1b25b1eb21445c04bc79954e
2016-11-25 17:14:45 -08:00
Nick Kralevich
f2de07529b
domain_deprecated.te: delete stale permissions
...
auditallows have been in place for quite a while now, and nothing has
triggered. Let's do some cleanup!
Bug: 28760354
Test: device boots and no new denials
Test: SELinux denials collection has seen no instances of these
permissions
Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f
2016-11-20 08:34:02 -08:00
Nick Kralevich
68f233648e
installd: r_dir_file(installd, system_file)
...
Allow installd to read through files, directories, and symlinks
on /system. This is needed to support installd using files in
/system/app and /system/priv-app
Addresses the following auditallow spam:
avc: granted { getattr } for comm="installd"
path="/system/app/Bluetooth/lib/arm/libbluetooth_jni.so"
dev="mmcblk0p41" ino=19 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { getattr } for comm="installd"
path="/system/priv-app/MtpDocumentsProvider/lib/arm64/libappfuse_jni.so"
dev="dm-0" ino=2305 scontext=u:r:installd:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file
avc: granted { read open } for comm="installd"
path="/system/priv-app/TelephonyProvider" dev="mmcblk0p43" ino=1839
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
avc: granted { read } for comm="installd" name="Velvet" dev="mmcblk0p43"
ino=1841 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/priv-app/GoogleOneTimeInitializer" dev="mmcblk0p43"
ino=1778 scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0
tclass=dir
avc: granted { read open } for comm="installd"
path="/system/app/PlayAutoInstallConfig" dev="mmcblk0p43" ino=112
scontext=u:r:installd:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: policy compiles
Change-Id: I5d14ea2cd7d281f949d0651b9723d5b7fae2e1f2
2016-11-07 16:18:38 -08:00
Nick Kralevich
2c8ea36ad8
Get rid of more auditallow spam
...
Addresses the following audit messages:
[ 7.984957] type=1400 audit(33873666.610:40): avc: granted { getattr
} for pid=1 comm="init" name="system@framework@boot-ext.art" dev="dm-2"
ino=106324 scontext=u:r:init:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
[ 65.528068] type=1400 audit(1477751916.508:96): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.530425] type=1400 audit(1477751916.508:97): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.530487] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.530800] type=1400 audit(1477751916.508:98): avc: granted { open }
for pid=6330 comm="main" path="/dev/cpuctl/tasks" dev="cgroup" ino=12429
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.530842] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531138] type=1400 audit(1477751916.508:99): avc: granted { search
} for pid=6330 comm="main" name="/" dev="cgroup" ino=12428
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.531176] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir
[ 65.531465] type=1400 audit(1477751916.508:100): avc: granted {
search } for pid=6330 comm="main" name="bg_non_interactive" dev="cgroup"
ino=12444 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0
tclass=dir
[ 65.531502] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.531789] type=1400 audit(1477751916.508:101): avc: granted { open
} for pid=6330 comm="main" path="/dev/cpuctl/bg_non_interactive/tasks"
dev="cgroup" ino=12445 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cgroup:s0 tclass=file
[ 65.531827] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
[ 65.713056] type=1400 audit(1477751916.508:102): avc: granted {
search } for pid=6330 comm="main" name="/" dev="cgroup" ino=12459
scontext=u:r:dumpstate:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
Bug: 32246161
Test: policy compiles
Test: dumpstate no longer generates the audit messages above.
Change-Id: Id5afe2ebeb24f8a7407aac1a0a09806b1521b0e4
2016-10-29 08:15:08 -07:00
Nick Kralevich
79a08e13bd
Get rid of auditallow spam.
...
Fixes the following SELinux messages when running adb bugreport:
avc: granted { read } for name="libart.so" dev="dm-0" ino=1886
scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { getattr } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read execute } for path="/system/lib64/libart.so"
dev="dm-0" ino=1886 scontext=u:r:dumpstate:s0
tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { read } for path="/system/lib64/libart.so" dev="dm-0"
ino=1886 scontext=u:r:dumpstate:s0 tcontext=u:object_r:libart_file:s0
tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { getattr } for path="/data/dalvik-cache/arm64" dev="dm-2"
ino=106290 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { getattr } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { search } for name="arm64" dev="dm-2" ino=106290
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
avc: granted { read } for name="system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { read open } for
path="/data/dalvik-cache/arm64/system@framework@boot.art" dev="dm-2"
ino=106318 scontext=u:r:dumpstate:s0
tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
avc: granted { search } for name="dalvik-cache" dev="dm-2" ino=106289
scontext=u:r:dumpstate:s0 tcontext=u:object_r:dalvikcache_data_file:s0
tclass=dir
[ 169.349480] type=1400 audit(1477679159.734:129): avc: granted { read
} for pid=6413 comm="main" name="ipv6_route" dev="proc" ino=4026535947
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350030] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350361] type=1400 audit(1477679159.734:130): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350399] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.350963] type=1400 audit(1477679159.734:131): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/ipv6_route"
dev="proc" ino=4026535947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351002] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351330] type=1400 audit(1477679159.734:132): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351366] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351861] type=1400 audit(1477679159.734:133): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.351910] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353105] type=1400 audit(1477679159.734:134): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353186] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353594] type=1400 audit(1477679159.734:135): avc: granted { read
} for pid=6413 comm="main" name="if_inet6" dev="proc" ino=4026535946
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.353636] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.354230] type=1400 audit(1477679159.734:136): avc: granted { read
open } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.354437] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
[ 169.395359] type=1400 audit(1477679159.734:137): avc: granted {
getattr } for pid=6413 comm="main" path="/proc/6413/net/if_inet6"
dev="proc" ino=4026535946 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_net:s0 tclass=file
Test: policy compiles
Test: adb bugreport runs without auditallow messages above.
Bug: 32246161
Change-Id: Ie0ab2ed3c6babc1f93d3b8ae47c92dd905ebc93a
2016-10-28 11:46:00 -07:00
dcashman
cc39f63773
Split general policy into public and private components.
...
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00