This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.
Resolves denials in 3rd party apps, such as:
avc: denied { setopt } for pid=18107 comm="AudioRouter-6"
scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0
tclass=unix_stream_socket
Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>
Chrome renderer processes dlopen() a shared library from
gmscore. Open and read on app data file is already allowed,
but execute isn't, so the dlopen() fails. This is a regression
from K, where the dlopen succeeded.
Longer term, there are questions about whether this is appropriate
behavior for an isolated app. For now, allow the behavior.
See the discussion in b/15902433 for details.
Addresses the following denial:
I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678
Adding services to service_contexts for the
pending commits Icf5997dd6a6ba5e1de675cf5f4334c78c2c037f1
and Ibe79be30b80c18ec45ff69db7527c7a4adf0ee08.
Change-Id: Ie898866d1ab3abba6211943e87bcec77ba568567
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.
Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
dumpstate uses vdc to collect asec lists and do a vold dump.
Force a transition into the vdc domain when this occurs.
Addresses the following denial:
<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0
Change-Id: I4bd9f3ad83480f8c9f9843ffe136295c582f96fe
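The messages above quote avc denials in three shapes (a logcat line with an `I/auditd` prefix, a kernel-console line with a `<4>[ ... ]` prefix, and a bare `avc:` line). Below is an added example, not part of any of these commits or of the sepolicy project, that parses such lines and merges them into the literal allow rules they correspond to, the way audit2allow does; the sample lines are constructed copies of the denials quoted in the messages, and `parse_denial`/`denials_to_rules` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed copies of the denial formats quoted in the commit messages above.
SAMPLE_DENIALS = [
    'I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file',
    '<4>[ 1099.623572] type=1400 audit(1403716545.565:7): avc: denied { execute } for pid=6987 comm="dumpstate" name="vdc" dev="mmcblk0p8" ino=222 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vdc_exec:s0 tclass=file permissive=0',
    'avc: denied { setopt } for pid=18107 comm="AudioRouter-6" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket',
    'type=1400 audit(1403313679.642:12): avc: denied { read write } for pid=2259 comm="dumpsys" path="/dev/console" dev="tmpfs" ino=6188 scontext=u:r:system_server:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file permissive=0',
]

# The prefix before "avc:" varies by log source, so anchor on the avc record itself.
AVC_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} +for .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
    r'(?: +permissive=(?P<permissive>[01]))?'
)

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms, permissive) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # u:r:isolated_app:s0 -> isolated_app ; u:object_r:app_data_file:s0 -> app_data_file
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perms = tuple(m.group('perms').split())
    # permissive=1 means the access was logged but allowed; 0 (or absent) means enforced.
    permissive = m.group('permissive') == '1'
    return stype, ttype, m.group('tclass'), perms, permissive

def denials_to_rules(lines):
    """Merge denials per (source, target, class) and emit one allow rule each."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue  # not an avc record (e.g. a ProcessCpuTracker warning)
        stype, ttype, tclass, perms, _ = parsed
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {p};')
    return rules

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_DENIALS):
        print(rule)
```

The generated rules are only the literal translation of each denial; as the dumpstate message shows, the right policy change is sometimes a domain transition (dumpstate into vdc) rather than granting execute on vdc_exec directly.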
system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.
Allow it.
Addresses the following errors which have been showing up
in logcat:
W/ProcessCpuTracker(12159): Skipping unknown process pid 1
W/ProcessCpuTracker(12159): Skipping unknown process pid 2
W/ProcessCpuTracker(12159): Skipping unknown process pid 3
Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.
Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.
Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.
In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.
Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.
Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
execmod is checked on attempts to make executable a file mapping
that has been modified. Typically this indicates a text relocation
attempt. As we do not ever allow this for any confined domain to
system_file or exec_type, we should not need it for unconfineddomain
either.
Change-Id: I8fdc858f836ae0d2aa56da2abd7797fba9c258b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.
Addresses denials such as:
avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.
Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Trying to run dumpsys from the serial console generates the
following errors:
shell@device:/ # dumpsys power
[ 3244.099015] binder: 2259:2259 transaction failed 29201, size 28-8
[ 3244.099291] type=1400 audit(1403313679.642:12): avc: denied { read write } for pid=2259 comm="dumpsys" path="/dev/console" dev="tmpfs" ino=6188 scontext=u:r:system_server:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file permissive=0
Error dumping service info: (Unknown error -2147483646) power
and the operation fails. Allow binderservicedomains to perform
writes to /dev/console.
Bug: 15779131
Change-Id: Iff55ab09c3a4d40e12d49ff2308bf147f9cb6937
The init.rc one-shot services "defaultcrypto" and "encrypt" call
out to the /system/bin/vdc command line to ask vold to perform
encryption operations. Create a new domain for these one-shot
services. Allow the vdc domain to talk to vold.
Change-Id: I73dc2ee4cc265bc16056b27307c254254940fd9f