Give /data itself a different label to its contents, to ensure that
only init creates files and directories there.
Bug: 139190159
Test: aosp boots, logs look good
Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe
When fsverity_init tries to access files in /system or /product
partition AFTER adb remount, SELinux denial is generated:
avc: denied { sys_admin } for capability=21
scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0
tclass=capability permissive=0
This is due to some internal access to an xattr inside overlayfs, but it
should not report this.
Before the message can be surpressed, dontaudit it to keep the log clean.
Test: no more error log
Bug: 132323675
Change-Id: I323c9330ee6e6b897d1a4e1e74f6e7e0ef1eaa89
Commit dddbaaf1e8 ("update sepolicy
for fs notification hooks") updated global macros, and added
watch, watch_mount, watch_sb, watch_with_perm, and watch_reads
to r_file_perms and r_dir_perms.
In retrospect, the commit was overly permissive and some of the
permissions shouldn't be granted by default. In particular:
1) watch_with_perm: This is only used with fanotify and requires
CAP_SYS_ADMIN. fanotify has limited use cases, including virus scanning
and hierarchical storage management. Granting this by default makes it
harder to audit and understand this powerful capability. In particular,
anti-virus file like monitoring is something which inherently conflicts
with Android app privacy guarantees and would need to be carefully
reviewed.
2) watch_mount & watch_sb: Setting a watch on a mount (FAN_MARK_MOUNT)
or superblock (FAN_MARK_FILESYSTEM) should be extremely unusual.
Granting this by default makes it harder to audit and understand.
Both "watch" and "watch_reads" are retained for now.
References:
* https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ac5656d8a4cdd93cd2c74355ed12e5617817e0e7
* dddbaaf1e8
Test: compiles
Change-Id: Ib74e7119853eb991e0e9828645c7f9e076b919c4
The only distinction that matters for security is if a service is
served by vendor or not AND which process is allowed to talk to which.
coredomain is allowed to talk to vintf_service OR vendor_service, it's
just that for a non-@VintfStability service user-defined APIs (as
opposed to pingBinder/dump) are restricted.
Bug: 136027762
Test: N/A
Change-Id: If3b047d65ed65e9ee7f9dc69a21b7e23813a7789
These attributes are intended to be used w/ services using the system
copy of libbinder (for vendor, this is libbinder_ndk).
Switching vndservicemanager users using the libbinder copy of vendor to
be able to use the system copy of libbinder for registration is an open
problem.
Bug: 136027762
Test: N/A
Change-Id: I1d70380edcb39ca8ef2cb98c25617701b67ba7e1
Since this was an example service providing no real functionality and
accidentally got installed on a device.
Bug: 140115084
Test: install on test device and see that it runs
Change-Id: I553da8e1f4da7d6a9f0c3e7d4a3561f0b22321dc
Commit I35d35016680379e3a9363408704ee890a78a9748 is not yet in AOSP
and is causing a merge conflict with my change aosp/1105757.
Move the lines causing the conflict elsewhere.
Bug: 1105489
Test: treehugger
Cherrypicked-From: 1da93c9f32
Merged-In: I35dca026e40c9e2f89b831395db3958e399bfbb7
Change-Id: I35dca026e40c9e2f89b831395db3958e399bfbb7
Since non-full-Treble devices aren't guaranteed to have coredomain
applied to all system processes, this is breaking some downstream
non-Treble devices.
Bug: 140076135
Test: N/A
Change-Id: I2942506cb0cfd8096c631281389a16aa48b4da08
On cuttlefish devices, the resource loading code apparently maps the file rather
than just reading it.
Denial log:
viewcompiler: type=1400 audit(0.0:308): avc: denied { map } for
path="/data/app/android.startop.test-Z2JxVhtKPw2wx4o-nmo5NA==/base.apk"
dev="vdb" ino=139269 scontext=u:r:viewcompiler:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=android.startop.test
Bug: 139018973
Change-Id: I4bbbc44abc3c4315137f76a0be737236cf10f4ef
am: c7b1be7d4c -s ours
am skip reason: change_id I257c8cc3dba657d98f19eb61b36aae147afea393 with SHA1 d181bc2c16 is in history
Change-Id: Ie7e72803cf068c8035c379ecbc2ab969d6a52848
