The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.
Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.
Longer term, we need to move GMS core into it's own domain, but that's
a longer term change.
Addresses the following denial:
W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
(cherrypick from commit e2547c3bff)
Bug: 18504118
Bug: 18340553
Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
With the move to block based OTAs, we're never going to fix
this bug. Remove the auditallow statement to avoid SELinux log
spam.
Bug: 15575013
Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
Right now, the system_server has the CAP_SYS_MODULE capability. This allows the
system server to install kernel modules. Effectively, system_server is one
kernel module load away from full root access.
Most devices don't need this capability. Remove this capability from
the core SELinux policy. For devices which require this capability,
they can add it to their device-specific SELinux policy without making
any framework code changes.
In particular, most Nexus devices ship with monolithic kernels, so this
capability isn't needed on those devices.
Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
isolated apps should only be able to access 2 services.
Remove access permissions for services inappropriately added,
and add a neverallow rule to prevent regressions.
Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
Allow init to
1. Access device mapper to set up dm-verity devices
avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0
2. Access the metadata partition to load and store dm-verity state
avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0
3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered
by dm-verity
avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0
These can be reproduced using the following steps:
1. Add fs_mgr flag verify to the system partition in fstab
2. Add a device specific init.rc handler for the init action that
calls the built-in command verity_load_state.
Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
This reverts commit 27042f6da1.
Managed profiles are represented by new android users which have the ability to
communicate across profiles as governed by an IntentFilter provisioned by the
DevicePolicyManager. This communication includes reading and writing content
URIs, which is currently obstructed by the mls separation between an owning user
and its managed profile.
Bug: 19444116
Bug: 19525465
Bug: 19540297
Bug: 19592525
Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference
Address the following denial:
avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
As of https://android-review.googlesource.com/127858 ,
open(O_RDONLY) is no longer used for chmod. It's no
longer necessary to allow init to read the SELinux policy.
Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
The install_recovery script creates a new recovery image based
off of the boot image plus a patch on /system. We need to allow
read access to the boot image to allow the patching to succeed,
otherwise OTAs are broken.
Addresses the following denial:
type=1400 audit(9109404.519:6): avc: denied { read } for pid=341 comm="applypatch" name="mmcblk0p37" dev="tmpfs" ino=9186 scontext=u:r:install_recovery:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
TODO: Add device specific labels for the boot image.
Bug: 19534538
Change-Id: Ic811ec03e235df3b1bfca9b0a65e23307cd968aa
Addresses the following denial encountered when sharing photos between personal
and managed profiles:
Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
When encrypting a device, or when an encrypted device boots,
a tmpfs is mounted in place of /data, so that a pseudo filesystem
exists to start system_server and related components. SELinux labels
need to be applied to that tmpfs /data so the system boots
properly.
Allow init to relabel a tmpfs /data.
Addresses the following denial:
[ 6.294896] type=1400 audit(29413651.850:4): avc: denied { relabelfrom } for pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
Steps to reproduce:
1) Go into Settings > Security > Encrypt Phone
2) Encrypt phone
3) See denial
4) reboot phone
5) See denial on boot
Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
Updating properties from ueventd may lead to deadlocks with init in rare
cases, which makes these changes unnecessary after all.
This reverts commit 47cd53a558.
Change-Id: I87bdd66f0ec025eb3a9ea17574a67e908f3de6da
STEPS TO REPRODUCE:
1. Connect the device to Mac.
2. Switch to AFT.
3. Now AFT on Mac will show the device contents.
4. Now drag and drop the file to device and observe.
EXPECTED RESULTS:
Should able to copy.
OBSERVED RESULTS:
Showing can not copy file and on clicking ok,
It shows device storage can not connect and close the AFT.
Addresses the following denial:
W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd
12310 12530 E MtpRequestPacket: Malformed MTP request packet
ps -Z entry:
u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media
Bug: 15835289
Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
capable(CAP_IPC_LOCK), and then checks to see the requested amount is
under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
does not need CAP_IPC_LOCK, so we suppress any denials we see
from clatd asking for this capability.
See https://android-review.googlesource.com/127940
Suppresses the following denial:
type=1400 audit(1424916750.163:7): avc: denied { ipc_lock } for pid=3458 comm="clatd" capability=14 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
Change-Id: Ica108f66010dfc6a5431efa0b4e58f6a784672d1
Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).
Needed by changes from
I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d
Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
