Commit graph

81 commits

Author SHA1 Message Date
Jeff Vander Stoep
a7915ceb9d adbd: allow reading apk_data_file
(cherry picked from commit d743ddeab5)

avc: denied { search } for comm=73657276696365203139 name="app" dev="sda35" ino=770049 scontext=u:r:adbd:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0

Bug: 30000600
Change-Id: I86958ebcca815ee1779f85fb425592493f40101a
2016-07-20 13:48:39 -07:00
David Sehr
a5d0792508 SELinux policy for /data/misc/profman
Bug: 28748264
Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
2016-05-31 17:36:41 -07:00
Nick Kralevich
e3151bd1e8 Restore /mnt/sdcard symlink read access
Allow adbd and app domains to read the symlink at /mnt/sdcard.
This symlink was supposed to have been removed in the Gingerbread
time frame, but lives on.

Read access for this symlink was removed from adbd and the shell user in
8ca19368da, and from untrusted_app in
cbf7ba18db.

Addresses the following denials:

  avc: denied { read } for name="sdcard" dev="tmpfs" ino=9486 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
  avc: denied { read } for pid=4161 comm=73657276696365203137 name="sdcard" dev="tmpfs" ino=5114 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 25801877
Bug: 28108983
Change-Id: Ia31cd8b53c9c3a5b7d11be42c2fde170f96affb0
2016-04-12 20:46:42 -07:00
Daniel Rosenberg
d25d57a3cd Allow access to media_rw_data_file for now.
With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: adbd, kernel, mediaserver, and shell

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27915475
Bug: 27937873

Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
2016-03-31 20:56:44 +00:00
Daniel Rosenberg
bb90999e9a Allow shell and adbd access to media_rw_data_file for now.
With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27925072
Change-Id: I3ad37c0f12836249c83042bdc1111b6360f22b3c
2016-03-30 18:59:13 -07:00
Rubin Xu
cdf60cc67e Merge "SELinux rule for ro.device_owner and persist.logd.security" am: 65d364b91a
am: 06322b1ec4

* commit '06322b1ec491428feb143c150daa95d68f921de2':
  SELinux rule for ro.device_owner and persist.logd.security
2016-01-19 16:05:51 +00:00
Rubin Xu
0c8286fe74 SELinux rule for ro.device_owner and persist.logd.security
They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will be available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePolicyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
2016-01-19 15:27:03 +00:00
Nick Kralevich
693791c0f7 Merge "adbd.te: remove allow adbd toolbox_exec:file rx_file_perms" am: eed6bbdc43
am: 3920e7af95

* commit '3920e7af954aad40e58ac4f644b6b763a355a880':
  adbd.te: remove allow adbd toolbox_exec:file rx_file_perms
2016-01-15 15:31:45 +00:00
Nick Kralevich
155e710830 adbd.te: remove allow adbd toolbox_exec:file rx_file_perms
auditallow says never used.

Change-Id: I6a3f82740bfecf483e0ccbb528b7218af36d37b8
2016-01-14 21:14:30 -08:00
Daniel Cashman
14c4486600 Merge "Allow adbd to pull sepolicy from device." am: 7a46e73cb6
am: 2e40b7471c

* commit '2e40b7471c176cb876fe55ba8924080ccc0fb4e6':
  Allow adbd to pull sepolicy from device.
2016-01-13 20:22:59 +00:00
dcashman
0fb0ab4107 Allow adbd to pull sepolicy from device.
Address the following denial when running CTS:
avc: denied { search } for comm=73657276696365203136 name="/" dev="selinuxfs" ino=1 scontext=u:r:adbd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir permissive=0

Bug: 26290097
Change-Id: Icf51061a65a5fda15f7e7ef78200a62ffbd1ca9b
2016-01-12 16:50:45 -08:00
Nick Kralevich
146f9101c8 Change /dev/ion from read-only to read-write am: 71fd337f04 am: 637af04edd
am: def6593d07

* commit 'def6593d07a01d7fb1d31b26cb70356b9b239dd2':
  Change /dev/ion from read-only to read-write
2015-12-08 09:38:03 -08:00
Nick Kralevich
71fd337f04 Change /dev/ion from read-only to read-write
Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.

Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
2015-12-08 09:05:12 -08:00
Nick Kralevich
1a45a9051e adbd: allow ddms screen capture to work again am: 5e8402df43 am: 8e5436460b
am: 1d3cebc7f3

* commit '1d3cebc7f3e8597a458de038806d42ef967053b6':
  adbd: allow ddms screen capture to work again
2015-12-08 04:53:50 +00:00
Nick Kralevich
3a5e3376eb adbd: allow "adb pull /sdcard/" am: b899f4fc33 am: e9d43070e4
am: 80c34f6aef

* commit '80c34f6aefe344eb514d66ba377de1d4971d56c5':
  adbd: allow "adb pull /sdcard/"
2015-12-08 00:03:53 +00:00
Nick Kralevich
5e8402df43 adbd: allow ddms screen capture to work again
The removal of domain_deprecated broke ddms screen capturing
functionality.

Steps to reproduce:

1) Run "ddms"
2) Select your device
3) Go to the Device > Screen Capture menu
4) Attempt to take a screenshot

Addresses the following denials:

  avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26023462
Change-Id: Ie77c65900de56756d5c9b99dcda1e20664151ed2
2015-12-07 15:48:57 -08:00
Nick Kralevich
b899f4fc33 adbd: allow "adb pull /sdcard/"
The removal of domain_deprecated broke the ability for adbd to
pull files from /sdcard. Re-allow it.

Addresses the following denials:

  avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
  avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0

Change-Id: I70257933f554abd008932c7f122dd0151f464b05
2015-12-07 14:55:23 -08:00
Nick Kralevich
ab26b4892c Remove domain_deprecated from adbd and shell am: 8ca19368da am: 78d03007ae
am: 06f9497794

* commit '06f94977949d858e4743c2856daf7e85c9a72650':
  Remove domain_deprecated from adbd and shell
2015-11-30 15:04:39 +00:00
Nick Kralevich
8ca19368da Remove domain_deprecated from adbd and shell
The extra permissions are not needed. Delete them.

This change also adds read permission for /data/misc/zoneinfo
back to all domains. libc references this directory for timezone
related files, and it feels dangerous and of little value to
try to restrict access. In particular, this causes problems when the
shell user attempts to run "ls -la" to show file time stamps in
the correct timezone.

Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-27 19:18:17 -08:00
Jeff Vander Stoep
ae72bf241d Populate autoplay_app with minimal set of permissions
Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50
2015-11-25 09:41:05 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
David Pursell
5e6930e945 am 05056457: adb: add adbd -> shell signal permissions.
* commit '05056457d4b11ff0f1686c63004ba2e2dc81bfbc':
  adb: add adbd -> shell signal permissions.
2015-09-15 20:05:03 +00:00
David Pursell
05056457d4 adb: add adbd -> shell signal permissions.
adbd needs to kill spawned subprocesses if the client terminates
the connection. SIGHUP will be used for this purpose, which
requires the process:signal permission.

Bug: http://b/23825725
Change-Id: I36d19e14809350dd6791a8a44f01b2169effbfd4
2015-09-15 10:25:13 -07:00
Nick Kralevich
b08688628c am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed."
* commit '7af012fc94a34dd42e72d32c246a47140ec2861a':
  Only allow toolbox exec where /system exec was already allowed.
2015-08-25 23:43:46 +00:00
Stephen Smalley
a3c97a7660 Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 12:46:07 -04:00
Nick Kralevich
b4807fe1a8 am 82966219: Merge "Replace unix_socket_connect() and explicit property sets with macro"
* commit '82966219e6962502fbda5a1c911cde06776ccf35':
  Replace unix_socket_connect() and explicit property sets with macro
2015-05-07 16:15:51 +00:00
William Roberts
625a3526f1 Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macro:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 00:02:59 +00:00
Nick Kralevich
2d425de9f4 am b1b5e662: am caefbd71: allow adbd to set sys.usb.ffs.ready
* commit 'b1b5e662ffbbaf2fe473c336954ef9d4a835f5f6':
  allow adbd to set sys.usb.ffs.ready
2015-04-24 03:46:32 +00:00
Nick Kralevich
caefbd71c5 allow adbd to set sys.usb.ffs.ready
Needed for https://android-review.googlesource.com/147730

Change-Id: Iceb87f210e4c5d0f39426cc6c96a216a4644eaa9
2015-04-23 19:45:21 -07:00
Jeff Sharkey
346a468b93 am bf75239c: am 4f4a4754: Merge "Apps need more than just search."
* commit 'bf75239cdb3d55c0979fcbc29182aca10e2c1d04':
  Apps need more than just search.
2015-04-03 17:39:55 +00:00
Jeff Sharkey
3bdc0abc68 Apps need more than just search.
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=3129 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=0

Change-Id: I802321331e9bd7ae41d3af7ace39364240db6d84
2015-04-03 09:54:33 -07:00
Jeff Sharkey
c63d824426 am 2768f1cb: am 93fd6f0a: Consistent external storage policy.
* commit '2768f1cb723089a1b281d3fee39503d37bb9154f':
  Consistent external storage policy.
2015-04-03 14:52:53 +00:00
Jeff Sharkey
93fd6f0a4e Consistent external storage policy.
Apps, shell and adbd should all have identical access to external
storage.  Also document where we have files and/or symlinks.

Bug: 20055945
Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
2015-04-02 18:20:22 -07:00
Nick Kralevich
dee73f90e6 am 106ca81b: am 2714e41a: am b4876619: Merge "bootchart: add policy rules for bootchart"
* commit '106ca81bcb070dad96b2ae29bae6b7e6320a9533':
  bootchart: add policy rules for bootchart
2015-02-24 17:33:10 +00:00
Nick Kralevich
2714e41a3c am b4876619: Merge "bootchart: add policy rules for bootchart"
* commit 'b487661946ad632e34412ffccf55d43723ded572':
  bootchart: add policy rules for bootchart
2015-02-24 17:22:51 +00:00
Yongqin Liu
cc38e6d1a4 bootchart: add policy rules for bootchart
Allow bootchart to create dirs and files at init, and also allow
the user to create the stop and start files under the
/data/bootchart directory to start and stop bootchart.

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2015-02-24 01:02:20 +08:00
dcashman
880938af90 am 49e7e0c2: am d8800a10: am cd82557d: Restrict service_manager find and list access.
* commit '49e7e0c24846468fe6ed408ef00b8182058fb30f':
  Restrict service_manager find and list access.
2014-12-16 23:50:11 +00:00
dcashman
49e7e0c248 am d8800a10: am cd82557d: Restrict service_manager find and list access.
* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
  Restrict service_manager find and list access.
2014-12-16 23:01:31 +00:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Nick Kralevich
cb71b82565 am c4ed15a8: am 2c38b3b8: DO NOT MERGE: allow access to labeled executables in /system
* commit 'c4ed15a88692ef47d249eb159beb83ec9b054f6a':
  DO NOT MERGE: allow access to labeled executables in /system
2014-10-23 15:58:56 +00:00
Nick Kralevich
2c38b3b809 DO NOT MERGE: allow access to labeled executables in /system
Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.

Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.

This allows "adb pull /system" to work without generating
SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604
2014-10-21 22:39:42 -07:00
Nick Kralevich
973877dbc1 Allow adbd to write to /data/adb
adbd writes debugging information to /data/adb
when persist.adb.trace_mask is set. Allow it.

Bug: https://code.google.com/p/android/issues/detail?id=72895
Change-Id: Ia5af09045e9f72a95325b429c30a5ae78e104bdc
2014-10-21 16:15:52 +00:00
dcashman
3e6da1472f Enable selinux read_policy for adb pull.
Remove permission from appdomain.

(cherry picked from commit 309cc668f9)

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
2014-09-26 14:33:42 -07:00
dcashman
309cc668f9 Enable selinux read_policy for adb pull.
Remove permission from appdomain.

Bug: 16866291

Change-Id: I37936fed33c337e1ab2816258c2aff52700af116
2014-09-09 14:28:25 -07:00
Stephen Smalley
45731c70ef Annotate MLS trusted subjects and objects.
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file.  Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-08 16:06:40 -04:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
14aa7c0608 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea347)

Change-Id: I25354db2add3135335c80be2c2d350e526137572
2014-07-17 16:30:26 -07:00
Riley Spahn
88157ea347 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
2014-07-17 21:33:33 +00:00
Ed Heyl
7563a6f1fb reconcile aosp (a7c04dcd74) after branching. Please do not merge.
Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7
2014-07-14 23:31:01 -07:00
Nick Kralevich
a7c04dcd74 Remove domain:process from unconfined
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-10 13:54:20 -07:00