Commit graph

37 commits

Author SHA1 Message Date
Nick Kralevich
d065f0483c Resync lmp-dev-plus-aosp with master
A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf69632724
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c
2014-07-25 15:19:47 -07:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
4a24475b9d Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

(cherry picked from commit 603bc20509)

Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
2014-07-18 12:24:36 -07:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Nick Kralevich
be66069765 Remove -unconfineddomain from neverallow rules
Many of the neverallow rules have -unconfineddomain. This was
intended to allow us to support permissive_or_unconfined(), and
ensure that all domains were enforcing at least a minimal set of
rules.

Now that all the app domains are in enforcing / confined, there's
no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f
2014-07-04 10:12:13 -07:00
Sharvil Nanavati
77eb35263f Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.
Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e
2014-07-01 11:58:30 -07:00
Sérgio Faria
536ddba898 Allow setopt on bluetooth's unix_stream_socket.
This is extremely useful as it allows timeouts on the socket.
Since ioctl is allowed, setopt shouldn't be a problem.

Resolves denials, in 3rd party apps, such as:

avc:  denied  { setopt } for  pid=18107 comm="AudioRouter-6"
scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0
tclass=unix_stream_socket

Change-Id: I6f38d7b86983c517575b735f43b62a2ed811e81c
Signed-off-by: Sérgio Faria <sergio91pt@gmail.com>
2014-06-30 15:15:12 +00:00
Paul Jensen
97a2cfdf66 Allow Bluetooth app to initiate DHCP service on bt-pan interface.
bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
2014-06-19 02:49:37 +00:00
Stephen Smalley
eab85946a5 Allow bluetooth users ioctl access to bluetooth unix stream socket.
Resolves denials such as:
avc:  denied  { ioctl } for  pid=6390 comm="m.wimmcompanion" path="socket:[472596]" dev="sockfs" ino=472596 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Idd4fa219fe8674c6e1c40211b3c105d6276cfc5a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-11 08:43:23 -04:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
2737ceff23 Allow stat/read of /data/media files by app domains.
Resolves denials such as:
avc:  denied  { read } for  pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

avc:  denied  { getattr } for  pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-04 19:07:19 +00:00
Stephen Smalley
495e9d12b9 Allow getopt / getattr to bluetooth unix_stream_socket.
Resolve denials such as:

avc:  denied  { getattr } for  pid=16226 comm="Thread-2096" path="socket:[414657]" dev="sockfs" ino=414657 scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=5890 comm="FinalizerDaemon" scontext=u:r:untrusted_app:s0 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

Change-Id: Iea7790aa4f8e24f3ec0d2c029933a3902333472e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-04 13:34:54 -05:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Stephen Smalley
85708ec4f9 Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00
Nick Kralevich
997680a3b7 bluetooth: allow media_rw_data_file
Allow bluetooth to handle media_rw_data_file file descriptors
sent to it from other processes. Without this, bluetooth
picture / video sharing is broken.

Steps to reproduce:
1. Take few pictures
2. launch gallery and choose a picture/video and click on share and choose
   available BT device and share

Other info from bug report:

- Bluetooth process queries media content provider for a file descriptor,
  with an Uri like "content://media/external/images/media/69"
- Media server resolves the uri to a file on the filesystem, in the case of
  Gallery at "/storage/emulated/0/DCIM/Camera/IMG_20140128_141656.jpg"
- Media server returns the FD over binder to bluetooth
- Bluetooth is unable to read the file backed by the file descriptor.

Fixes Denial:

<5>[  821.040286] type=1400 audit(1390952161.805:11): avc:  denied  { read } for  pid=1348 comm="Binder_3" path="/data/media/0/DCIM/Camera/IMG_20140128_141656.jpg" dev="mmcblk0p23" ino=236246 scontext=u:r:bluetooth:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Bug: 12457805
Change-Id: I1423d06a98416ae4ab19508f0d005a6353acadc4
2014-01-28 16:14:52 -08:00
Stephen Smalley
d14e9deaa4 Make bluetooth enforcing (again).
Previous bluetooth denials should be addressed by
I14b0530387edce1097387223f0def9b59e4292e0.

Change-Id: I5c6b44a142a7e545230b89df9c4500ce2fab4ab6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-18 15:12:12 +00:00
Stephen Smalley
09f6a99b66 Allow mediaserver to connect to bluetooth.
Re-purpose the existing bluetooth_socket type, originally
for /dev/socket/bluetooth used by bluetoothd in the old
bluetooth stack, for sockets created by bluedroid under
/data/misc/bluedroid, and allow mediaserver to connect
to such sockets.  This is required for playing audio
on paired BT devices.

Based on b/12417855.

Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-16 18:35:28 +00:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Nick Kralevich
85396e93df Revert "Make bluetooth enforcing."
The following CTS tests are failing on nakasig-userdebug

Failing tests
android.bluetooth.cts.BasicAdapterTest#test_enableDisable
android.bluetooth.cts.BasicAdapterTest#test_getAddress
android.bluetooth.cts.BasicAdapterTest#test_getBondedDevices
android.bluetooth.cts.BasicAdapterTest#test_getName
android.bluetooth.cts.BasicAdapterTest#test_listenUsingRfcommWithServiceRecord

Logs
=====
junit.framework.AssertionFailedError: expected:<11> but was:<10>
at android.bluetooth.cts.BasicAdapterTest.enable(BasicAdapterTest.java:278)
at android.bluetooth.cts.BasicAdapterTest.test_enableDisable(BasicAdapterTest.java:128)
at java.lang.reflect.Method.invokeNative(Native Method)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:191)
at android.test.AndroidTestRunner.runTest(AndroidTestRunner.java:176)
at android.test.InstrumentationTestRunner.onStart(InstrumentationTestRunner.java:554)
at android.app.Instrumentation$InstrumentationThread.run(Instrumentation.java:1701)

Reverting this change until we get a proper fix in place.

SELinux bluetooth denials:

nnk@nnk:~$ grep "avc: " Redirecting.txt | grep bluetooth
<5>[  831.249360] type=1400 audit(1389206307.416:215): avc:  denied  { write } for  pid=14216 comm="BluetoothAdapte" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[  834.329536] type=1400 audit(1389206310.496:217): avc:  denied  { write } for  pid=14218 comm="BTIF" name="state" dev=sysfs ino=4279 scontext=u:r:bluetooth:s0 tcontext=u:object_r:sysfs:s0 tclass=file

This reverts commit 2eba9c5fa2.

Bug: 12475767
Change-Id: Id4989f6b371fa02986299114db70279e151ad64a
2014-01-10 09:31:50 -08:00
Stephen Smalley
2eba9c5fa2 Make bluetooth enforcing.
Change-Id: I6243819e7c9d71c561e77014b49456e9afc11153
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 10:25:42 -05:00
Stephen Smalley
b3c48b66bc Change the type on /dev/uinput to match /dev/uhid.
/dev/uinput is accessed in the same way as /dev/uhid,
and unlike /dev/input/*.  bluetooth requires access to
the former and not to the latter, while shell requires access
to the latter and not the former.  This is also consistent
with their DAC group ownerships (net_bt_stack for /dev/uinput
and /dev/uhid vs input for /dev/input/*).

Change-Id: I0059d832a7fe036ed888c91e1fb96f3e6e0bd2d4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-31 08:24:49 -07:00
Nick Kralevich
5b38c47b7e Allow bluetooth to write to bluetooth properties
Some bluetooth implementations write to bluetooth.* properties.
It seems reasonable to allow this for all bluetooth implementations.

This addresses the following denial (seen on mako):

<4>[  132.182755] avc:  denied  { set } for property=bluetooth.hciattach scontext=u:r:bluetooth:s0 tcontext=u:object_r:bluetooth_prop:s0 tclass=property_service

Change-Id: I6d92c0ff108838dd1107c5fb3c436699ef824814
2013-10-29 12:45:10 -07:00
Stephen Smalley
d7fd22e601 Confine bluetooth app.
Remove unconfined_domain() from the bluetooth app domain,
restore the rules from our policy, and move the neverallow
rule for bluetooth capabilities to bluetooth.te.
Make the bluetooth domain permissive again until it has
received sufficient testing.

Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-22 12:58:06 -04:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
Alex Klyubin
3123b1eef7 SELinux policy for Bluetooth properties.
Properties under bluetooth. and persist.service.bdroid. are
considered Bluetooth-related properties.

Change-Id: Iee937d9a1184c2494deec46f9ed7090c643acda7
2013-05-06 10:18:27 -07:00
Robert Craig
350d2ae9c9 am 65d4f44c: Various policy updates.
* commit '65d4f44c1fd999d9cf9c4ef4dc65deb71bafcd8e':
  Various policy updates.
2013-03-27 13:37:13 -07:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
Stephen Smalley
ddda5adca2 am f766c4d9: Allow bluetooth users to use socket provided by bluetooth app.
* commit 'f766c4d9ee8e0d95755a8b54622b424a224830d1':
  Allow bluetooth users to use socket provided by bluetooth app.
2013-03-22 14:20:24 -07:00
Jeff Sharkey
036baf6ae9 Remove uhid_device to fix build.
Change-Id: Ifec28b8ae2f21e1765194bd698fc0b7f479a96d7
2013-03-22 14:02:54 -07:00
Jeff Sharkey
04d7c71c2c Remove tun_device to fix build.
Change-Id: I3d5e6a2fefc7b975baf849d1fd7a628e86a27222
2013-03-22 13:56:21 -07:00
Stephen Smalley
f766c4d9ee Allow bluetooth users to use socket provided by bluetooth app.
Change-Id: Ia061aa3b19229b96f643ca0285a7fa5fa06fd780
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-22 15:06:57 -04:00
rpcraig
ff7e5305b8 Create policy for PAN connections.
Policy to allow bluetooth tethering.

Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-22 15:05:44 -04:00
Stephen Smalley
346cae2781 bluetooth app requires net_admin for enabling bluetooth.
Change-Id: I571731169036a3203d0145af67f45b3d9eb6366b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-21 21:01:57 +00:00
Stephen Smalley
61c80d5ec8 Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-19 09:55:10 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00