Commit graph

4080 commits

Author SHA1 Message Date
Paul Lawrence
f7163597f5 New ext4enc kernel switching from xattrs to ioctl
This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-04-29 15:44:46 -07:00
dcashman
7c1dced7d5 Make deviceidle accessible as system_api_service.
deviceidle service should be accessible to all non third-party apps.

Change-Id: Ia410fe0027f212009cc2abeaabc64c7c87841daa
2015-04-29 10:30:10 -07:00
Alex Klyubin
0bc92cea13 Merge "Expand access to gatekeeperd." 2015-04-29 16:30:27 +00:00
Alex Klyubin
effcac7d7e Expand access to gatekeeperd.
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
2015-04-29 09:22:11 -07:00
Paul Lawrence
13dec5fa5b Securely encrypt the master key
Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:28:16 -07:00
Paul Lawrence
3ee85ca6aa Revert "Securely encrypt the master key"
This reverts commit 5287d9a8e5.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a
2015-04-28 19:16:22 +00:00
Paul Lawrence
5287d9a8e5 Securely encrypt the master key
This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1
2015-04-27 20:04:10 +00:00
Nick Kralevich
e05487acc3 init.te: Don't allow mounting on top of /proc
Don't allow init to mount on top of /proc. See
https://android-review.googlesource.com/148295 for details.

Change-Id: I65f66b39f3a5bfb72facb9f716f4537ac2237af1
2015-04-25 15:54:11 -07:00
Jeff Sharkey
90c64542a2 Allow vold to move FUSE backing files directly.
This enables an optimization of bypassing the FUSE overhead when
migrating emulated storage between volumes.

avc: denied { write } for path="/mnt/expand/6cba9b95-4fc8-4096-b51f-bdb2c007d059/media/obb/.nomedia" dev="dm-0" ino=387843 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I2bb9aaca50ed988ded6afec6d7fbe190903707e0
2015-04-24 15:24:15 -07:00
Jeff Vander Stoep
c2e31a7782 Create context for ctl.console
Change-Id: I1c9fa4da442aa47ae4b7341eab6f788f0329d2d2
2015-04-24 14:39:16 -07:00
Jeffrey Vander Stoep
eb9536488c Revert "Create context for ctl.console"
This reverts commit bbd56b71ce.

Change-Id: I3e295f785aa62de3a04b2f201be97dd7ef0c207f
2015-04-24 21:05:46 +00:00
Jeff Vander Stoep
bbd56b71ce Create context for ctl.console
Change-Id: I9ba4952230ec1b811b8ec6cd19c0286ee791bf08
2015-04-24 20:32:46 +00:00
Elliott Hughes
5aac86dc06 Revert "Revert "SELinux policy changes for re-execing init.""
This reverts commit c450759e8e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 12:28:12 -07:00
Nick Kralevich
6d97d9b818 Merge "Revert "SELinux policy changes for re-execing init."" 2015-04-24 17:00:12 +00:00
Nick Kralevich
c450759e8e Revert "SELinux policy changes for re-execing init."
shamu isn't booting.

This reverts commit 46e832f562.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
2015-04-24 16:59:43 +00:00
Elliott Hughes
ecd577313e Merge "SELinux policy changes for re-execing init." 2015-04-24 03:10:15 +00:00
Nick Kralevich
caefbd71c5 allow adbd to set sys.usb.ffs.ready
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Elliott Hughes
46e832f562 SELinux policy changes for re-execing init.
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
2015-04-23 17:12:18 -07:00
Nick Kralevich
934cf6eaf0 Merge "gatekeeperd: use more specific label for /data file" 2015-04-20 15:24:00 +00:00
Jeff Sharkey
e98cda25e1 Grant apps write access to returned vfat FDs.
Users can pick files from vfat devices through the Storage Access
Framework, which are returned through ParcelFileDescriptors.  Grant
apps write access to those files.  (Direct access to the files on
disk is still controlled through normal filesystem permissions.)

avc: denied { write } for pid=3235 comm="Binder_1" path=2F6D6E742F6D656469615F72772F373243322D303446392F6D656F772F6D79206469722F706963322E706E67 dev="sdb1" ino=87 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I24b4d8826f0a35825b2abc63d1cfe851e1c1bfe9
2015-04-18 14:34:52 -07:00
Jeff Sharkey
c9036fb1c1 Grant platform apps access to /mnt/media_rw.
Raw physical storage devices are mounted by vold under /mnt/media_rw
and then wrapped in a FUSE daemon that presents them under /storage.

Normal apps only have access through /storage, but platform apps
(such as ExternalStorageProvider) often bypass the FUSE daemon for
performance reasons.

avc: denied { search } for pid=6411 comm="Binder_1" name="media_rw" dev="tmpfs" ino=6666 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { write } for pid=3701 comm="Binder_2" name="PANO_20131016_162457.jpg" dev="sda1" ino=127 scontext=u:r:platform_app:s0:c522,c768 tcontext=u:object_r:vfat:s0 tclass=file

Bug: 19993667
Change-Id: I66df236eade3ca25a10749dd43d173ff4628cfad
2015-04-18 14:14:15 -07:00
Nick Kralevich
367757d2ef gatekeeperd: use more specific label for /data file
Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
2015-04-17 17:56:31 -07:00
Andres Morales
6db824a7d9 Merge "New rules for SID access" 2015-04-17 23:16:46 +00:00
Andres Morales
b348f8f55d New rules for SID access
Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e
2015-04-17 10:41:09 -07:00
Nick Kralevich
490a7a8abf Merge "neverallow shell file_type:file link" 2015-04-16 16:09:29 +00:00
Nick Kralevich
e0c8da253c neverallow shell file_type:file link
Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 08:43:10 -07:00
Nick Kralevich
85416e06a5 su.te: add filesystem dontaudit rule
Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e
2015-04-16 08:38:46 -07:00
dcashman
e96c3abe2e Add neverallow for mounting on proc
Change-Id: Ie19ac00f2e96836667e8a5c18fafeaf6b6eadb25
2015-04-14 11:29:20 -07:00
Andres Morales
dd156fc377 Allow gatekeeperd to use keystore
needs to call addAuthToken

Change-Id: If519df61448f19dfafab254668c17eea6c161ea4
2015-04-13 12:26:02 -07:00
Neil Fuller
4127a4c890 Merge "Add rules for /system/bin/tzdatacheck" 2015-04-13 11:41:24 +00:00
Jeff Sharkey
5e5b0065e9 Merge "Allow sdcard daemon to run above expanded storage." 2015-04-12 18:00:25 +00:00
Jeff Sharkey
3acec6fa17 Allow sdcard daemon to run above expanded storage.
We have a /media directory on expanded storage that behaves just
like internal storage, and has a FUSE daemon running above it.

avc: denied { search } for name="expand" dev="tmpfs" ino=3130 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0

Bug: 19993667
Change-Id: I771ecb8f2808c48ccf4139ac9cfc2a48a2332fec
2015-04-11 22:21:50 -07:00
Nick Kralevich
fdc56c5ffe genfs_contexts: provide a label for binfmt_misc
Provide a default label for binfmt_misc. This is not used by the
core policy, although it may be used in device specific policy.

Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95
2015-04-10 17:42:49 -07:00
Jeff Sharkey
e32c7b2e68 Merge "Allow installd to move around private app data." 2015-04-10 21:00:43 +00:00
Nick Kralevich
50d506212e Revert "Exclude isolated_app from ptrace self."
Google Breakpad (crash reporter for Chrome) relies on ptrace
functionality. Without the ability to ptrace, the crash reporter
tool is broken.

Addresses the following denial:

  type=1400 audit(1428619926.939:1181): avc: denied { ptrace } for pid=10077 comm="CrRendererMain" scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:r:isolated_app:s0:c512,c768 tclass=process permissive=0

This reverts commit e9623d8fe6.

Bug: 20150694
Bug: https://code.google.com/p/chromium/issues/detail?id=475270
Change-Id: I1727c6a93f10ea6db877687a8f81ec789f9e501f
2015-04-10 11:11:10 -07:00
Nick Kralevich
9fc35a752c Merge "isolated_app: Do not allow access to the gpu_device." 2015-04-10 14:35:40 +00:00
Jeff Sharkey
8da7876bf9 Allow installd to move around private app data.
Add rules that allow installd to move private app data between
internal and expanded storage devices.  For now we'll be reusing
the "cp" binary using android_fork_execvp(), so grant access to
devpts.

avc: denied { read write } for name="14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:installd:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1

avc: denied { read } for name="com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { open } for path="/data/data/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="mmcblk0p16" ino=114672 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=1
avc: denied { create } for name="com.android.opengl.shaders_cache" scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1
avc: denied { read write open } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/user/0/com.example.playground/code_cache/com.android.opengl.shaders_cache" dev="dm-0" ino=64518 scontext=u:r:installd:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=1

Bug: 19993667
Change-Id: I5188e660c8b5e97eab8f0c74147499ec688f3f19
2015-04-09 21:16:25 -07:00
Nick Kralevich
f1b5c665ad isolated_app: Do not allow access to the gpu_device.
Bug: 17471434
Bug: 18609318
Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc
2015-04-09 14:31:16 -07:00
Nick Kralevich
2234f9ff57 gatekeeperd: neverallow non-system_server binder call
The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
2015-04-09 12:55:38 -07:00
dcashman
84f580ac9e Merge "Make persistent_data_block_service a system_api_service." 2015-04-09 18:46:18 +00:00
dcashman
5321279463 Make persistent_data_block_service a system_api_service.
Settings needs to be able to access it when opening developer options.

Address the following denial:
avc:  denied  { find } for service=persistent_data_block scontext=u:r:system_app:s0 tcontext=u:object_r:persistent_data_block_service:s0 tclass=service_manager

Bug: 20131472
Change-Id: I85e2334a92d5b8e23d0a75312c9b4b5bf6aadb0b
2015-04-09 11:45:32 -07:00
dcashman
dd31d68f46 Merge "Make backup service app_api_service." 2015-04-09 17:22:51 +00:00
dcashman
9378ceaf50 Make backup service app_api_service.
Backup service needs to be accessible to all apps to notify the system when
something changes which is being backed-up.

Bug: 18106000
Change-Id: I8f34cca64299960fa45afc8d09110123eb79338b
2015-04-09 10:13:15 -07:00
dcashman
7f2bb0c138 Merge "Enforce more specific service access." 2015-04-09 17:06:00 +00:00
Nick Kralevich
53c84ed4f0 isolated_app: allow app_data_file lock
Chrome's WebSQL implementation works by running sqlite in the
sandboxed renderer process, and sqlite expects to be able to
call flock() on the database file.

Bug: 20134929
Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54
2015-04-09 09:55:12 -07:00
dcashman
bd7f5803f9 Enforce more specific service access.
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 09:45:54 -07:00
Neil Fuller
e647578502 Add rules for /system/bin/tzdatacheck
Bug: 19941636
Change-Id: I7cc61e058424c856da88f11ff9b259f34cb39dc7
2015-04-09 09:29:12 +01:00
Andres Morales
186c82ff46 Merge "Allow gatekeeperd to check Android permissions" 2015-04-09 04:08:28 +00:00
Andres Morales
13abb1701b Allow gatekeeperd to check Android permissions
Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5
2015-04-09 04:06:36 +00:00
dcashman
03a6f64f95 Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
2015-04-08 20:26:50 +00:00