Now that we have assigned specific types to userdata and cache
block devices, we can remove the ability of fsck to run on other
block devices.
Change-Id: I8cfb3dc0e4ebe6b73346ff291ecb11397bb0c2d0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The Nexus 9 uses f2fs for /data. Make sure to properly label
/system/bin/fsck.f2fs so that the appropriate domain transition occurs.
Add support for getattr on devpts, required for fsck.f2fs.
Addresses the following denials:
avc: denied { execute_no_trans } for pid=172 comm="init" path="/system/bin/fsck.f2fs" dev="dm-0" ino=272 scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
avc: denied { getattr } for pid=170 comm="fsck.f2fs" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
Change-Id: I34b3f91374d1eb3fb4ba76abce14ff67db259f96
This is causing the version of Chrome in Android's tree to crash. The
version of Chrome in Android's tree does not have the following patch:
https://codereview.chromium.org/630123003
Until Chrome updates the version in Android's tree, we need to revert.
Works around the following denials:
audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
This reverts commit 669a977303.
Bug: 18006219
Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.
Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.
This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allowing partners to create SELinux
rules allowing the access if they desire.
(cherrypick from commit 480374e4d0)
Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
Currently, zygote spawned apps are prohibited from modifying GPS
data files. If someone tries to allow GPS access to any app domain,
it generates a compile time / CTS exception.
Relax the rules slightly for system_app. These apps run with UID=system,
and shouldn't be banned from handling gps data files.
This change doesn't add or remove any SELinux rules. Rather, it just
relaxes a compile time assertion, allowing partners to create SELinux
rules allowing the access if they desire.
Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.
TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.
Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
See NEVERALLOW CHECKING in tools/README for documentation.
Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
for libsepol to support reporting all neverallow failures.
Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
mediaserver and drmserver both have permission to read oemfs
related files. However, there are no search permissions on the
directory, so the files would be unreachable.
Grant search permissions on the oemfs directory, so that the files
within that directory can be read.
Bug: 17954291
Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db
Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.
Change-Id: I3c096607a74fd0f360d41f3e6f06535ca00c58ec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
isolated_app performs no direct network socket communication, so
we can remove net_domain() from it.
Change-Id: I112aa4140fd577a5ea28f7a3d62567ebabcdb48d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Assign a more specific type than block_device to all
block devices created or accessed by vold. Allow vold
to set the context on the device nodes it creates.
vold can create extra loop devices (/dev/block/loopN) and
block devices for volumes it manages (/dev/block/vold/M:N).
vold can read/write device mapper block devices (/dev/block/dm-N)
created for encrypted volumes.
vold can read/write metadata partitions used to store encryption metadata.
The metadata_block_device type should be assigned in device-specific
policy to the partition specified by the encryptable= mount option
for the userdata entry in the fstab.<board> file.
This change does not remove the ability to create or read/write
generic block_device devices by vold, so it should not break anything.
It does add an auditallow statement on such accesses so that we can track
remaining cases where we need to label such device nodes so that we can
ultimately remove this access.
Change-Id: Id3bea28f5958086716cd3db055bea309b3b5fa5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Define a specific block device type for system so that we can
prevent raw writes to the system partition by anything other than
recovery.
Define a specific block device type for recovery so that we
can prevent raw writes to the recovery partition by anything
other than install_recovery or recovery.
These types must be assigned to specific block device nodes
via device-specific policy. This change merely defines the types,
adds allow rules so that nothing will break when the types are assigned,
and adds neverallow rules to prevent adding further allow rules
on these types.
This change does not remove access to the generic block_device type
from any domain so nothing should break even on devices without these
type assignments.
Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In commit ad891591e6, we allowed
isolated processes to execute files from /data/data/APPNAME.
I'm pretty sure all the necessary linker changes have been made
so that this functionality isn't required anymore. Remove the
allow rule.
This is essentially a revert of ad891591e6.
Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816
Allow error reporting via the pty supplied by init.
Allow vold to invoke fsck for checking volumes.
Addresses denials such as:
avc: denied { ioctl } for pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file
These denials show up if you have encrypted userdata.
Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
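As an added example that is not part of these commits or of the AOSP policy tools, the script below triages avc denial lines in the format quoted above into candidate allow rules and flags any that a neverallow of the kind the system/recovery block device commit describes would reject. The sample lines, the simplified NEVERALLOW table and the shell-on-system_block_device denial are constructed for illustration.

```python
import re

# Constructed sample lines in the avc format quoted in the commit messages;
# the third one is hypothetical and does not come from the commit log.
SAMPLE_DENIALS = [
    'avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 '
    'scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file',
    'avc: denied { getattr } for pid=170 comm="fsck.f2fs" path="/dev/pts/0" dev="devpts" ino=3 '
    'scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1',
    'avc: denied { write open } for pid=900 comm="sh" path="/dev/block/mmcblk0p20" dev="tmpfs" '
    'ino=55 scontext=u:r:shell:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file',
]

# Simplified model (an assumption, not the real policy syntax) of the neverallow
# rules described in the commits: (exempt domains, target type, class, forbidden perms)
NEVERALLOW = [
    ({"recovery"}, "system_block_device", "blk_file", {"write"}),
    ({"recovery", "install_recovery"}, "recovery_block_device", "blk_file", {"write"}),
]

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \}.*?scontext=u:r:(?P<src>[^:\s]+):'
    r'.*?tcontext=u:object_r:(?P<tgt>[^:\s]+):.*?tclass=(?P<cls>\S+)'
)

def parse_denial(line):
    """Return (source domain, target type, object class, set of perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m["src"], m["tgt"], m["cls"], set(m["perms"].split())

def neverallow_conflict(src, tgt, cls, perms):
    """True if an allow rule granting this access would violate a neverallow."""
    for exempt, n_tgt, n_cls, n_perms in NEVERALLOW:
        if tgt == n_tgt and cls == n_cls and src not in exempt and perms & n_perms:
            return True
    return False

def propose_rules(lines):
    """Turn denials into candidate allow rules, separating those a neverallow forbids."""
    ok, blocked = [], []
    for line in lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        rule = "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        (blocked if neverallow_conflict(src, tgt, cls, perms) else ok).append(rule)
    return ok, blocked

if __name__ == "__main__":
    ok, blocked = propose_rules(SAMPLE_DENIALS)
    print("\n".join(ok))
    print("rejected by neverallow:", blocked)
```

A rule landing in the blocked list is the signal that the access needs a more specific type or domain rather than a new allow rule, which is exactly the direction the block device commits take.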
Resolves denials such as:
avc: denied { write } for pid=1546 comm="Binder_1" name="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir
This is required to install a forward-locked app.
Change-Id: I2b37a56d087bff7baf82c738896d9563f0ab4fc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>