Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.
Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.
Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.
Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
An auditallow has been in place since commit
cb835a2852 but nothing has been triggered.
Remove the rule.
Bug: 25768265
Change-Id: Ia9f35c41feabc9ccf5eb5c6dae09c68dc4f465ff
The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are suppose to be generated when running
under "su".
Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.
Addresses the following denials:
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1
Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69
Per https://android-review.googlesource.com/185392 , ctl.* properties
are not represented as files in the filesystem. So there's no need
to grant read access to them, since it's pointless.
Remove core_property_type from these properties, which has the net
effect of removing read access to these non-existent files.
Change-Id: Ic1ca574668a3511c335a7036a2bb7993ff02c1e3
Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.
Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.
Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.
Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.
Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
The removal of domain_deprecated from the shell user in
https://android-review.googlesource.com/184260 removed /proc/net access.
Restore it.
Bug: 26075092
Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.
Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.
This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
The removal of domain_deprecated broke the ability for adbd to
pull files from /sdcard. Re-allow it.
Addresses the following denials:
avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0
Change-Id: I70257933f554abd008932c7f122dd0151f464b05
- Add a new 'dumpstate' context for system properties. This context
will be used to share state between dumpstate and Shell. For example,
as dumpstate progresses, it will update a system property, which Shell
will use to display the progress in the UI as a system
notification. The user could also rename the bugreport file, in which
case Shell would use another system property to communicate such
change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
notification can be used to stop dumpstate.
BUG: 25794470
Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
Certain tests depend on the ability to examine directories
in /system. Allow it to the shell user.
Addresses the following denials:
avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
Bug: 26020967
Bug: 26023420
Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14
Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.
Strengthen the neverallow on opening tun_device to include all Apps.
Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label. This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.
This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__. Future
commits will restrict the access.
Bug: 21852512
Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
Allows safetynet to scan the system partition which is made up of
files labeled system_file (already allowed) and/or files with the
exec_type attribute.
Bug: 25821333
Change-Id: I9c1c9c11bc568138aa115ba83238ce7475fbc5e4
Remove domain_deprecated from bootanim. This removes some unnecessarily
permissive rules.
As part of this, re-allow access to cgroups, proc and sysfs, removed as
a result of removing domain_deprecated.
Bug: 25433265
Change-Id: I58658712666c719c8f5a39fe2076c4f6d166616c