The kernel driver has been deprecated by the new userspace
driver. Don't continue to allow access to the old driver.
Maintain the labeling on /dev/log/* for now, just in case.
Bug: 13505761
Change-Id: Ibf8ef3af6274ede4262aada9222eaf63f63307b4
Enable labeling apps differently depending on whether they
are running for the primary user / owner or for a secondary user.
Change-Id: I37aa5b183a7a617cce68ccf14510c31dfee4e04d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
dumpstate and lmkd need to act on apps running at any level.
Various file types need to be writable by apps running at any
level.
Change-Id: Idf574d96ba961cc110a48d0a00d30807df6777ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On 64 bit systems, it's necessary to read the /system/bin executables
elf header to determine if it's a 32 bit or 64 bit executable to
contact the correct debuggerd service.
Bug: 17487122
(cherry picked from commit 04f3d79077)
Change-Id: Ib7835ffac1811a5aef54a250689287c1666720ef
Permits the system server to change keystore passwords for users other
than primary.
(cherrypicked from commit de08be8aa0)
Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file. Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.
This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.
Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If the sdcard daemon is restarted (crash or otherwise), one of the first
things it attempts to do is umount the previously mounted /mnt/shell/emulated
fuse filesystem, which is denied by SELinux with the following denial:
sdcard : type=1400 audit(0.0:6997): avc: denied { unmount } for scontext=u:r:sdcardd:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=0
Allow the operation.
Steps to reproduce:
1) adb shell into the device and su to root
2) run "kill -9 [PID OF SDCARD]
Expected:
sdcard daemon successfully restarts without error message.
Actual:
SELinux denial above, plus attempts to mount a new filesystem
on top of the existing filesystem.
(cherrypicked from commit abfd427a32)
Bug: 17383009
Change-Id: I386bfc98e2b5b32b1d11408f7cfbd6e3c1af68f4
The kernel, when it creates a loop block device, starts a new
kernel thread "loop0" (drivers/block/loop.c). This kernel thread,
which performs writes on behalf of other processes, needs read/write
privileges to the sdcard. Allow it.
Steps to reproduce:
0) Get device with external, removable sdcard
1) Run: "adb install -s foo.apk"
Expected:
APK installs successfully.
Actual:
APK fails to install. Error message:
Vold E Failed to write superblock (I/O error)
loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0
PackageHelper E Failed to create secure container smdl1645334795.tmp
DefContainer E Failed to create container smdl1645334795.tmp
Bug: 17158723
Change-Id: I4aa86e372cc55348f6b8becfa17bd4da583925d4
Remove the CTS specific rule which allows appdomain processes
to view /proc entries for the rest of the system. With this change,
an SELinux domain will only be able to view it's own /proc
entries, e.g. untrusted_app can only view /proc entries for other
untrusted_app, system_app can only view /proc entries for other
system_apps, etc.
/proc contains sensitive information, and we want to avoid
leaking this information between app security domains.
Bug: 17254920
Change-Id: I59da37dde00107a5ab123df3b79a84afa855339f
Add a neverallow rule (compile time assertion) that no SELinux domain
other than init can set default_prop. default_prop is assigned to a
property when no more specific label exists for that property.
This ensures that all properties are labeled properly, and that
no-one (other than init) gets access to unknown properties.
Change-Id: If279960f23737e263d4d1b5face7b5c49cda7ae7
Also enable global reading of kernel policy file. Motivation for this is to
allow read access to the kernel version of the binary selinux policy.
Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99
Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder opertions for
init.
This change expands on commit a730e50bd9,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.
Change-Id: I12547a75cf68517d54784873846bdadcb60c5112
Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash. Full read permissions may not be necessary:
W/debuggerd( 185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir
Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
Before actual installation, apks are put in a staging area where they are
scanned by a verifier before completing the install flow. This verifier runs as
a priv-app, which is in the untrusted_app domain. Allow untrusted_app
read-access to these files.
Bug: 16515815
Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
The list of processes comes from frameworks/native/cmds/dumpstate/utils.c.
dumpstate calls dump_backtrace_to_file() for each such process, which
asks debuggerd to dump the backtrace.
Resolves denials such as:
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:surfaceflinger:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:drmserver:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:mediaserver:s0 tclass=debuggerd
avc: denied { dump_backtrace } for scontext=u:r:dumpstate:s0 tcontext=u:r:sdcardd:s0 tclass=debuggerd
Change-Id: Idbfb0fef0aac138073b7217b7dbad826a1193098
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.
For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains). Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.
For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context. Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.
Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As described in the system/core commit with the same Change-Id,
there's a race condition between installd and sdcard when it
comes to accessing /data/media. Resolve the race by checking
/data/.layout_version to make sure the filesystem has been upgraded.
Maybe indirectly fixes the following SELinux denial:
sdcard : type=1400 audit(0.0:3): avc: denied { write } for name="media" dev="mmcblk0p17" ino=102753 scontext=u:r:sdcardd:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
(cherrypicked from commit 792d8650d3)
Bug: 16329437
Change-Id: I5e164f08009c1036469f8734ec07cbae9c5e262b
Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.
Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.
Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.
Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs. Include exceptions for
appdomain and recovery as required by current policy.
Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.
Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission. Required for:
https://android-review.googlesource.com/#/c/101800/
Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.
For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.
Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.
Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
