Allow adbd and app domains to read the symlink at /mnt/sdcard.
This symlink was suppose to have been removed in the Gingerbread
time frame, but lives on.
Read access for this symlink was removed from adbd and the shell user in
8ca19368da, and from untrusted_app in
cbf7ba18db.
Addresses the following denials:
avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
Bug: 25801877
Bug: 28108983
Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0
With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell
Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.
Bug: 27915475
Bug: 27937873
Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.
Bug: 27925072
Change-Id: I3ad37c0f12836249c83042bdc1111b6360f22b3c
They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.
ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePoliyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.
Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.
Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
The removal of domain_deprecated broke the ability for adbd to
pull files from /sdcard. Re-allow it.
Addresses the following denials:
avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0
Change-Id: I70257933f554abd008932c7f122dd0151f464b05
The extra permissions are not needed. Delete them.
This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc refernces this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.
Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
adbd needs to kill spawned subprocesses if the client terminates
the connection. SIGHUP will be used for this purpose, which
requires the process:signal permission.
Bug: http://b/23825725
Change-Id: I36d19e14809350dd6791a8a44f01b2169effbfd4
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.
Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service
The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.
To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)
This macro handles steps 1, 2 and 3.
No difference in sediff is expected.
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
Apps, shell and adbd should all have identical access to external
storage. Also document where we have files and/or symlinks.
Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart
Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.
Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.
This allows "adb pull /system" to work without generating
SELinux denials.
Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file. Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.
This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.
Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.
Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.
(cherry picked from commit 88157ea347)
Change-Id: I25354db2add3135335c80be2c2d350e526137572
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.
Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.
Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d