Commit graph

1761 commits

Author SHA1 Message Date
Nick Kralevich
df3d1f86fa am dcfcdbdf: Merge "Don't allow ptrace on keystore"
* commit 'dcfcdbdf49cb81c1133d4c421d138ac0ec073c68':
  Don't allow ptrace on keystore
2014-05-20 16:04:15 +00:00
Nick Kralevich
7fb77b8125 am 77c00a68: Merge "Suppress installd auditallow"
* commit '77c00a68fe1115cafa79dc0fcf7ab9adb98e37f0':
  Suppress installd auditallow
2014-05-20 16:04:14 +00:00
Nick Kralevich
dcfcdbdf49 Merge "Don't allow ptrace on keystore" 2014-05-20 15:59:48 +00:00
Nick Kralevich
77c00a68fe Merge "Suppress installd auditallow" 2014-05-20 15:59:25 +00:00
Nick Kralevich
056dc80716 am fa34d471: unconfined: remove linux_immutable
* commit 'fa34d47185d6431394ffdfbc85d435653e54256a':
  unconfined: remove linux_immutable
2014-05-20 15:55:42 +00:00
Nick Kralevich
fa34d47185 unconfined: remove linux_immutable
As far as I know, this is never used. Get rid of it.

Change-Id: Iee0fb4e3f3952a0c4cc28d0aa96ca6c462ba5211
2014-05-19 22:54:07 -07:00
Nick Kralevich
8aa754c9be Don't allow ptrace on keystore
keystore may hold sensitive information in its memory. Don't
allow anyone to ptrace keystore.

Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f
2014-05-19 21:49:50 -07:00
Nick Kralevich
7a186b3fa8 Suppress installd auditallow
installd is expected to be handling unlabeled apps. Don't
emit an audit rule when it occurs.

Change-Id: Ia173914ff4d1b8368a18f326494eda8173d30192
2014-05-19 16:33:51 -07:00
Nick Kralevich
90901631c7 am 5ce079b9: Bring back the unlabeled allowall rules
* commit '5ce079b9165c18a5bd27b853e82478de8d9e0a7b':
  Bring back the unlabeled allowall rules
2014-05-19 14:27:14 +00:00
Nick Kralevich
5ce079b916 Bring back the unlabeled allowall rules
On an upgrade from 4.2 to tip-of-tree master, there are still a
number of files which aren't properly labeled. Restore the
unlabeled compat rules until we can get everything properly
labeled. It's not ideal, but it works around the immediate
problem.

After applying https://android-review.googlesource.com/94966 ,
I'm still seeing the following denials.

<4>[   12.040639] type=1400 audit(1400289656.430:4): avc:  denied  { read } for  pid=143 comm="installd" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[  168.289170] type=1400 audit(1400289812.680:5): avc:  denied  { getattr } for  pid=1079 comm="system_server" path="/data/data/com.android.backupconfirm" dev=mmcblk0p9 ino=112676 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.088406] type=1400 audit(1400289813.480:6): avc:  denied  { read } for  pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.088790] type=1400 audit(1400289813.480:7): avc:  denied  { open } for  pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.089205] type=1400 audit(1400289813.480:8): avc:  denied  { write } for  pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.089615] type=1400 audit(1400289813.480:9): avc:  denied  { remove_name } for  pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.090024] type=1400 audit(1400289813.480:10): avc:  denied  { unlink } for  pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[  169.090350] type=1400 audit(1400289813.480:11): avc:  denied  { rmdir } for  pid=143 comm="installd" name="com.android.renderscript.cache" dev=mmcblk0p9 ino=112902 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  171.875822] type=1400 audit(1400289816.260:12): avc:  denied  { unlink } for  pid=143 comm="installd" name="8882B60ADE91B9E4.toc" dev=mmcblk0p9 ino=112903 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  180.615263] type=1400 audit(1400289825.000:13): avc:  denied  { rename } for  pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  180.615578] type=1400 audit(1400289825.000:14): avc:  denied  { setattr } for  pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  393.934310] type=1400 audit(1400290038.320:15): avc:  denied  { read } for  pid=2410 comm="d.process.acore" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[  399.370936] type=1400 audit(1400290043.760:16): avc:  denied  { read } for  pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  399.371792] type=1400 audit(1400290043.760:17): avc:  denied  { getattr } for  pid=2998 comm="SharedPreferenc" path="/data/data/com.google.android.backuptransport/shared_prefs/BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  399.372219] type=1400 audit(1400290043.760:18): avc:  denied  { open } for  pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
2014-05-17 08:42:16 -07:00
Elliott Hughes
676679b1e6 am 7d755eb2: Merge "Allow readlink(2) of /proc from debuggerd."
* commit '7d755eb290494655dc477ff5a5b7bb8958c5ce8c':
  Allow readlink(2) of /proc from debuggerd.
2014-05-17 02:48:16 +00:00
Elliott Hughes
7d755eb290 Merge "Allow readlink(2) of /proc from debuggerd." 2014-05-17 02:45:43 +00:00
Elliott Hughes
38138c245a Allow readlink(2) of /proc from debuggerd.
Bug: 15021938
Change-Id: Id815640302efde3ae089da33ff8e2cb7daee8bfd
2014-05-16 19:14:13 -07:00
Stephen Smalley
115eeaa336 am ef28e767: Make the surfaceflinger domain enforcing.
* commit 'ef28e767036baac3228cdb5060a36a9ff27468d6':
  Make the surfaceflinger domain enforcing.
2014-05-16 18:31:59 +00:00
Stephen Smalley
ef28e76703 Make the surfaceflinger domain enforcing.
Change-Id: Id6d9a7cabc2fe9c18de10c6e9bc0080cdcd7033d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-16 18:27:24 +00:00
dcashman
fe7aba6519 am 2d9e22f9: Merge "Remove duplicate neverallow rule."
* commit '2d9e22f9fb8629e3d5b501cc0390a7bf67b3013a':
  Remove duplicate neverallow rule.
2014-05-16 04:40:13 +00:00
dcashman
2d9e22f9fb Merge "Remove duplicate neverallow rule." 2014-05-16 04:38:37 +00:00
Nick Kralevich
92de005ca3 am cba45592: Merge "Drop unused rules for raw I/O and mknod."
* commit 'cba45592eadd54979729a997e60888ff038d063a':
  Drop unused rules for raw I/O and mknod.
2014-05-15 22:33:38 +00:00
Nick Kralevich
cba45592ea Merge "Drop unused rules for raw I/O and mknod." 2014-05-15 22:30:28 +00:00
Mark Salyzyn
04cb83fc50 am 21e6b4d9: Merge "Allow Developer settings to change runtime size of logd"
* commit '21e6b4d928d94fe2a1dea5de8ea08096e2f2baeb':
  Allow Developer settings to change runtime size of logd
2014-05-15 18:33:01 +00:00
Mark Salyzyn
21e6b4d928 Merge "Allow Developer settings to change runtime size of logd" 2014-05-15 18:12:09 +00:00
Nick Kralevich
e9f696172d am 2d9c025d: Merge "Remove graphics_device access."
* commit '2d9c025ddebeefe1132c651a8d0a15fd4d9ed3bc':
  Remove graphics_device access.
2014-05-15 13:03:07 +00:00
Nick Kralevich
2d9c025dde Merge "Remove graphics_device access." 2014-05-15 13:00:55 +00:00
Narayan Kamath
8914380d6f am 5c655876: app_process is now a symlink.
* commit '5c655876780f017c472997d7ae2c6a36d5752f09':
  app_process is now a symlink.
2014-05-15 09:41:36 +00:00
Narayan Kamath
5c65587678 app_process is now a symlink.
app_process is now a symlink to app_process32 or
app_process64, so we have to update the selinux
rules to explicitly refer to them.

See change 5a7ee9ad63d for context.

Change-Id: I7f7a107d79a8f7a3c193f97809e1e737540258f1
2014-05-15 10:17:53 +01:00
Nick Kralevich
e64e8b7f3b am 1f065398: Merge "Remove zygote write access to system_data_file."
* commit '1f065398fc75941f8927887f0da09ecdfa95fb71':
  Remove zygote write access to system_data_file.
2014-05-14 22:34:49 +00:00
Nick Kralevich
1f065398fc Merge "Remove zygote write access to system_data_file." 2014-05-14 22:30:52 +00:00
Nick Kralevich
c0a26d7996 am df2547b9: Merge "Drop unused rules for raw I/O, mknod, and block device access."
* commit 'df2547b9b5be0de3806a1426c98efb16b9e3c154':
  Drop unused rules for raw I/O, mknod, and block device access.
2014-05-14 21:37:48 +00:00
Nick Kralevich
df2547b9b5 Merge "Drop unused rules for raw I/O, mknod, and block device access." 2014-05-14 21:35:47 +00:00
dcashman
71db411043 Remove duplicate neverallow rule.
Commit: 7ffb997207 added protection against low
memory mapping for all domains, a superset of appdomain.  Remove the same,
redundant neverallow rule from appdomain.

Change-Id: Ia41c02763f6b5a260c56d10adfbab649d9f3f97c
2014-05-14 13:11:43 -07:00
Sreeram Ramachandran
9134b7c237 am 7e5b6d0c: Merge "Introduce fwmarkd: a service to set the fwmark of sockets."
* commit '7e5b6d0ca3a492bb907b71f4657c845b0a75163d':
  Introduce fwmarkd: a service to set the fwmark of sockets.
2014-05-14 19:48:12 +00:00
Nick Kralevich
22fd0f9bbc am 12dbd8f7: Merge "Neverallow low memory mappings."
* commit '12dbd8f701dee14be3f702937a7293a30f04b3cf':
  Neverallow low memory mappings.
2014-05-14 19:48:09 +00:00
Sreeram Ramachandran
7e5b6d0ca3 Merge "Introduce fwmarkd: a service to set the fwmark of sockets." 2014-05-14 19:42:09 +00:00
Nick Kralevich
12dbd8f701 Merge "Neverallow low memory mappings." 2014-05-14 19:24:57 +00:00
Stephen Smalley
a16a59e2c7 Remove graphics_device access.
Neither mediaserver nor system_server appear to require
direct access to graphics_device, i.e. the framebuffer
device.  Drop it.

Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 18:47:49 +00:00
Stephen Smalley
7813b36beb am 782e084d: Allow system_server to read tombstones.
* commit '782e084dc249ec96a4659c523ffc6a53ee46abb1':
  Allow system_server to read tombstones.
2014-05-14 18:39:37 +00:00
Stephen Smalley
782e084dc2 Allow system_server to read tombstones.
Address denials such as:
 avc:  denied  { read } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { open } for  name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
 avc:  denied  { getattr } for  path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { read } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
 avc:  denied  { open } for  name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 14:30:43 -04:00
Sreeram Ramachandran
56ecf4bdf8 Introduce fwmarkd: a service to set the fwmark of sockets.
(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-14 11:23:28 -07:00
Stephen Smalley
7ffb997207 Neverallow low memory mappings.
This just adds a neverallow rule to ensure we never
add an allow rule permitting such mappings.

Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 14:05:49 -04:00
Stephen Smalley
c2c91bba59 Drop unused rules for raw I/O and mknod.
We added these rules to the recovery domain when we removed them
from unconfined to ensure that we did not break anything. But we
have seen no uses of these rules by the recovery domain.  Tested
wiping userdata and cache from the recovery and performing an
adb sideload of an ota zip file.

Change-Id: I261cb1124130f73e98b87f3e5a31d6d7f521ff11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 13:14:54 -04:00
Nick Kralevich
d34d744b2f am 45206a38: Merge "Allow installd to unlink /data/media files and search /data/app-asec."
* commit '45206a388c580070bbd021f2b167bd8b3e3376f6':
  Allow installd to unlink /data/media files and search /data/app-asec.
2014-05-14 13:35:44 +00:00
Stephen Smalley
cdae7debe6 Drop unused rules for raw I/O, mknod, and block device access.
We added these rules to the kernel domain when we removed them
from unconfined to ensure that we did not break anything.  But
we have seen no uses of these rules, and this matches our expectation
that any actual operations that require these permissions occur
after switching to the init domain.

Change-Id: I6f3556a26b0f6f4e6effcb874bfc9498e7dfaa47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 09:31:06 -04:00
Nick Kralevich
45206a388c Merge "Allow installd to unlink /data/media files and search /data/app-asec." 2014-05-14 13:30:28 +00:00
Nick Kralevich
4d9e380ea4 am 4bdd13e4: untrusted_app: neverallow debugfs
* commit '4bdd13e4c3632587c72b487a16d6c71a7a30714f':
  untrusted_app: neverallow debugfs
2014-05-14 13:27:31 +00:00
Stephen Smalley
df48bd2ca8 Remove zygote write access to system_data_file.
These rules seem to be a legacy of old Android or perhaps old policy
before we began splitting types on /data.  I have not been able to
trigger the auditallow rules on AOSP master.  Reduce the rules to
only read access to system data.  If we need write access to some
specific directory under /data, we should introduce a type for it.

Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 08:58:06 -04:00
Stephen Smalley
d30060a0cb Allow installd to unlink /data/media files and search /data/app-asec.
Address recent installd denials resulting from the recent
tightening of installd access to /data file types, including:
 avc:  denied  { unlink } for  name="._playmusicid" dev="mmcblk0p30" ino=1038393 scontext=u:r:installd:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
 avc:  denied  { search } for  pid=195 comm="installd" name="app-asec" dev="mmcblk0p28" ino=578225 scontext=u:r:installd:s0 tcontext=u:object_r:asec_image_file:s0 tclass=dir

Change-Id: I957738139678699949da9ad09d3bddb91605f8cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 08:29:00 -04:00
Nick Kralevich
4bdd13e4c3 untrusted_app: neverallow debugfs
Too many leaky files in that directory. It's a security best practice
to not mount this filesystem, however, we need it mounted for
tracing support. Even though it's mounted, make sure the files aren't
readable.

Bug: 11635985
Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd
2014-05-13 14:45:00 -07:00
Nick Kralevich
2680a8c4ea am f78fb4e0: Merge "Make ppp domain enforcing."
* commit 'f78fb4e0c8ae49bb73e691a37de00f2d5b66f9e1':
  Make ppp domain enforcing.
2014-05-13 21:19:43 +00:00
Nick Kralevich
132e56b941 am e3519d6c: Merge "Label /data/.layout_version with its own type."
* commit 'e3519d6c2a39e1abae38109d07fc23f9b0fcaf1d':
  Label /data/.layout_version with its own type.
2014-05-13 21:19:42 +00:00
Nick Kralevich
f78fb4e0c8 Merge "Make ppp domain enforcing." 2014-05-13 21:17:32 +00:00