Commit graph

3153 commits

Author SHA1 Message Date
Robin Lee
de08be8aa0 Allow system reset_uid, sync_uid, password_uid
Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
2014-08-29 23:48:07 +01:00
Brian Carlstrom
372d0df796 Remove system_server create access from /data/dalvik-cache
Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
2014-08-28 21:15:38 -07:00
dcashman
67d58acb9b Merge "Add permissive domains check to sepolicy-analyze." into lmp-dev
2014-08-27 23:56:55 +00:00
dcashman
c30dd63f56 Add permissive domains check to sepolicy-analyze.
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.

Bug: 17288791

Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
2014-08-27 14:54:48 -07:00
Nick Kralevich
28b26bcf42 support kernel writes to external SDcards
The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.

Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"

Expected:

  APK installs successfully.

Actual:

  APK fails to install. Error message:

    Vold  E  Failed to write superblock (I/O error)
    loop0  W  type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
    PackageHelper  E  Failed to create secure container smdl1645334795.tmp
    DefContainer  E  Failed to create container smdl1645334795.tmp

Bug: 17158723

(cherry picked from commit 4c6b13508d)

Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
2014-08-27 12:38:27 -07:00
dcashman
711895db28 Allow appdomain read perms on apk_data_files.
Address:
type=1400 audit(0.0:103): avc: denied { read } for name="arm" dev="mmcblk0p28" ino=195471 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 16204150
Change-Id: I8bf0172b26b780c110c0d95c691785143acd7dd2
2014-08-27 10:22:02 -07:00
dcashman
85f255b8e6 DO NOT MERGE. Allow debuggerd read access to shared_relro files.
Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash.  Full read permissions may not be necessary:

W/debuggerd(  185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir

Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
2014-08-19 13:51:41 -07:00
Stephen Smalley
9a725b284e Allow init to restorecon sysfs files.
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission. Required for:
https://android-review.googlesource.com/#/c/101800/

Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-08-15 14:34:39 -07:00
dcashman
4ddc6eb39e Merge "DO NOT MERGE. Allow untrusted_app access to temporary apk files." into lmp-dev
2014-08-06 23:49:20 +00:00
dcashman
1c1eb869f0 DO NOT MERGE. Allow untrusted_app access to temporary apk files.
Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow.  This verifier runs as
a priv-app, which is in the untrusted_app domain.  Allow untrusted_app
read-access to these files.

Bug: 16515815

Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
2014-08-07 09:51:36 -07:00
Alex Light
feedd3c621 Make system use patchoat to relocate during runtime.
Add patchoat selinux rules.

Bug: 15358152

(cherry picked from commit fbc8ec2eac)

Change-Id: Ic84a370548393be62db740092e8393b662bcf345
2014-08-06 13:48:58 -07:00
Stephen Smalley
d990a78f8e Fix neverallow rules to eliminate CTS SELinuxTest warnings.
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.

For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains).  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.

For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context.  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 21ada26dae)

Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e
2014-07-30 08:58:44 -07:00
Ye Wen
770910bb82 Implement broker pattern for imms (3/3)
b/16324360

Change-Id: I4adacdb1d87badfaa109da200aae91869b9786a8
2014-07-29 16:32:28 -07:00
Sreeram Ramachandran
997461bda5 Allow system_server to talk to netlink directly.
This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
2014-07-28 15:13:34 -07:00
Vinit Deshpande
fab00f7487 Add rttmanager in sepolicy's whitelist
Looks like system server doesn't let you start a service without
whitelisting anymore.

Bug: 16628456

Change-Id: I0f6df8fd2afa24f4a1758a90cb5f8e451e0edb6a
2014-07-28 13:38:17 -07:00
Narayan Kamath
aa8e657ef0 Revert "fix system_server dex2oat exec"
This reverts commit 10370f5ff4.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
2014-07-25 15:37:27 +01:00
Nick Kralevich
792d8650d3 Allow sdcardd to read /data/.layout_version
As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.

Maybe indirectly fixes the following SELinux denial:

  sdcard  : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir

Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
2014-07-24 17:07:27 -07:00
Christopher Ferris
12b8f79d38 Allow dumpstate to read /data/tombstones.
Change-Id: Iad32cfb4d5b69176fc551b8339d84956415a4fe7
2014-07-23 19:16:36 -07:00
dcashman
af4a3db073 Merge "DO NOT MERGE. Update readme to reflect addition of SEPOLICY_IGNORE." into lmp-dev
2014-07-22 22:02:49 +00:00
dcashman
ea44c79701 DO NOT MERGE. Update readme to reflect addition of SEPOLICY_IGNORE.
Change-Id: I427c0f4828d45f2c43206c09cb37e3eb30455dee
2014-07-22 15:31:20 -07:00
Ye Wen
9f49e9f9e1 Merge "Move MmsService into phone process (2/2)" into lmp-dev
2014-07-18 22:16:50 +00:00
Ye Wen
eb8d86c0c8 Move MmsService into phone process (2/2)
b/16324360

Change-Id: If79f293a547deef570a80a5569ff8eb973ce29be
2014-07-21 14:22:39 -07:00
Stephen Smalley
9d2703a53b Prohibit execute to fs_type other than rootfs for most domains.
Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs.  Include exceptions for
appdomain and recovery as required by current policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 4644ac4836)

Change-Id: I5e2609a128d1bf982a7a5c3fa3140d1e9346c621
2014-07-21 10:07:31 -07:00
Colin Cross
3cfc7ea89f sepolicy: allow charger to read /sys/fs/pstore/console-ramoops
Addresses the denial in charger mode:
[   17.993733] type=1400 audit(1405412231.119:4): avc:  denied  { search } for  pid=123 comm="charger" name="/" dev="pstore" ino=10287 scontext=u:r:healthd:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=0

(cherry picked from commit bb96bffc37)

Change-Id: I2dde6adc3ff99df99409d4da3ef32c3987228801
2014-07-21 09:53:12 -07:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
4a24475b9d Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc20509)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
2014-07-18 12:24:36 -07:00
Riley Spahn
14aa7c0608 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea347)

Change-Id: I25354db2add3135335c80be2c2d350e526137572
2014-07-17 16:30:26 -07:00
Riley Spahn
ac47ee26c5 Add com.android.net.IProxyService to service_contexts.
Add com.android.net.IProxyService as a system_server_service
to service_contexts.

Bug: 16369427

(cherry picked from commit 26d6371c5a)

Change-Id: I3e58681971683bdc7f26a1d130c8bcf8ffcb89e2
2014-07-17 09:05:49 -07:00
Nick Kralevich
57f1b89db6 lmkd: avoid locking libsigchain into memory
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

(cherry picked from commit 8a5b28d259)

Change-Id: I39baaf62058986d35ad43de708aaa3daf93b2df4
2014-07-17 08:58:37 -07:00
Michael Wright
08ac1247d9 Merge "Add MediaProjectionManagerService to service list DO NOT MERGE" into lmp-dev
2014-07-17 02:40:09 +00:00
Michael Wright
0ccfd5da80 Add MediaProjectionManagerService to service list DO NOT MERGE
Change-Id: I66a88b5dafc295e6daa9f4c0225aa593c97fe187
2014-07-16 16:28:29 -07:00
Nick Kralevich
e4aa75db61 dex2oat: fix forward-locked upgrades with unlabeled asecs
dex2oat fails when upgrading unlabeled asec containers.

Steps to reproduce:

1) Install a forward locked app on Android 4.1
  adb install -l foo.apk
2) Upgrade to tip-of-tree

Addresses the following denial:

  <4>[  379.886665] type=1400 audit(1405549869.210:4): avc: denied { read } for pid=2389 comm="dex2oat" path="/mnt/asec/jackpal.androidterm-1/pkg.apk" dev=dm-0 ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

(cherry picked from commit 270be6e86a)

Change-Id: I58dc6ebe61a5b5840434077a55f1afbeed602137
2014-07-16 16:04:40 -07:00
Nick Kralevich
555c3c5a5c lmkd: allow lmkd to lock itself in memory
addresses the following denial:

  type=1400 audit(1.871:3): avc:  denied  { ipc_lock } for  pid=1406 comm="lmkd" capability=14  scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability

Bug: 16236289

(cherry picked from commit 6a1405d745)

Change-Id: I560f1e52eac9360d10d81fc8a9f60eba907a8466
2014-07-16 12:58:26 -07:00
Torne (Richard Coles)
64940d884e Add "webviewupdate" system server service.
Define the service context for "webviewupdate", a new service that will
run in the system server.

Bug: 13005501
Change-Id: I841437c59b362fda88d130be2f2871aef87d9231
2014-07-16 11:21:27 -07:00
Nick Kralevich
94b2ba9463 dex2oat: fix forward locked apps
dex2oat can't access file descriptors associated with asec_apk_files.
This breaks installing forward locked apps, and generates the following
denial:

  type=1400 audit(0.0:18): avc: denied { read } for path="/mnt/asec/com.example.android.simplejni-1/pkg.apk" dev="dm-0" ino=12 scontext=u:r:dex2oat:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file

Steps to reproduce:

  $ adb install -r -l SimpleJNI.apk

Expected:

  app installs

Actual:

  app fails to install.

Bug: 16328233

(cherry picked from commit 5259c5e616)

Change-Id: I1969b9ae8d2187f4860587f7ff42d16139657b5b
2014-07-16 09:53:40 -07:00
Riley Spahn
d26357641d Remove auditallow from system_server.
system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7ca)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
2014-07-16 09:52:13 -07:00
Riley Spahn
354d6caeaf Remove radio_service from untrusted_app auditallow.
Change untrusted_app to not auditallow radio_service find requests
to cut down on log spam.

(cherry picked from commit af8d7ca9e9)

Change-Id: Ibfcc1abe927b6114af5a3a82188bf9f1e009d7f7
2014-07-15 22:40:06 -07:00
Colin Cross
2203fda5e7 lmkd: allow removing cgroups and setting self to SCHED_FIFO
Addresses the following selinux denials:
type=1400 audit(1405383429.107:22): avc: denied { remove_name } for pid=137 comm="lmkd" name="uid_10060" dev="cgroup" ino=18368 scontext=u:r:lmkd:s0 tcontext=u:object_r:cgroup:s0 tclass=dir permissive=0
type=1400 audit(1405383794.109:6): avc: denied { sys_nice } for pid=1619 comm="lmkd" capability=23 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability permissive=0

(cherry picked from commit 5329731802)

Change-Id: I7b6e5a396bf345c4768defd7b39af2435631a35b
2014-07-15 20:41:15 -07:00
Nick Kralevich
caf347b515 Tweak rules for su domain.
1) Remove explicit allow statements. Since su is in permissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45bdd)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d
2014-07-15 10:45:46 -07:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Nick Kralevich
10370f5ff4 fix system_server dex2oat exec
Addresses the following denial:

  W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
2014-07-15 16:10:16 +00:00
Ed Heyl
8ee37b4f1c reconcile aosp (c103da877b) after branching. Please do not merge.
Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
2014-07-14 23:32:08 -07:00
Ed Heyl
81839dfb24 reconcile aosp (3a8c5dc05f) after branching. Please do not merge.
Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
2014-07-14 23:31:31 -07:00
Ed Heyl
7563a6f1fb reconcile aosp (a7c04dcd74) after branching. Please do not merge.
Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7
2014-07-14 23:31:01 -07:00
Ed Heyl
e9c90bddce reconcile aosp (4da3bb1481) after branching. Please do not merge.
Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e
2014-07-14 23:29:21 -07:00
Nick Kralevich
2aa727e3f0 DO NOT MERGE: Flip FORCE_PERMISSIVE_TO_UNCONFINED to true
Force any experimental SELinux domains (ones tagged with
"permissive_or_unconfined") into unconfined. This flag is
intended to be flipped when we're preparing a release,
to eliminate inconsistencies between user and userdebug devices,
and to ensure that we're enforcing a minimal set of rules for all
SELinux domains.

Without this change, our user builds will behave differently than
userdebug builds, complicating testing.

Change-Id: I52fd5fbe30a7f52f1143f176915ce55fb6a33f87
2014-07-14 09:15:08 -07:00
Sreeram Ramachandran
0ff90f1ac9 am 2f91ce55: am e4409728: am 65edb75d: Allow netd to create data files in /data/misc/net/.
* commit '2f91ce5519d46e38a609e3aed0c507af072507ec':
2014-07-11 17:56:33 +00:00
Nick Kralevich
deb52ba4d6 am 1c7463ac: am d27aeb21: am e9d97b74: recovery: allow read access to fuse filesystem
* commit '1c7463aca155e397855e2863dd85a4b90965cc3a':
2014-07-11 17:56:32 +00:00
Nick Kralevich
69aaf4a9c5 am ddfaf822: am d86b0a81: am 9f6af083: New domain "install_recovery"
* commit 'ddfaf822e9786100a7bb9a399bea906f0ed7b7c8':
2014-07-11 17:33:00 +00:00
Jeff Sharkey
611922e7e1 am 554a8a3d: am e900e573: am 77e85289: Merge "Rules to allow installing package directories."
* commit '554a8a3d2928faf3117bc77bff4214d63ba504c3':
2014-07-11 17:32:59 +00:00