Commit graph

5426 commits

Author SHA1 Message Date
Nick Kralevich
fe12b61642 label /sys/kernel/debug/tracing and remove debugfs write
Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.

Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.

Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
2015-12-14 13:57:26 -08:00
Mark Salyzyn
a9bf995425 Merge "dumpstate: storage statistics" 2015-12-14 19:58:27 +00:00
Nick Kralevich
79ecefd01e Merge "bluetoothdomain.te: drop allow bluetoothdomain self:socket create_socket_perms;" 2015-12-14 18:19:59 +00:00
Nick Kralevich
d6765a99f3 Merge "Ensure newlines are added between context config files" 2015-12-13 22:38:33 +00:00
Richard Haines
c8801fec63 Ensure newlines are added between context config files
When multiple file_contexts, service_contexts and property_contexts
are processed by the m4(1) macro processor, they will fail if one
or more of the intermediate files' final line is not terminated by
a newline. This patch adds an intervening file only containing a
newline.

Change-Id: Ie66b32fe477d08c69e6d6eb1725f658adc384ce4
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2015-12-13 12:01:53 +00:00
Nick Kralevich
d0113ae0ae bluetoothdomain.te: drop allow bluetoothdomain self:socket create_socket_perms;
An auditallow has been in place since commit
cb835a2852 but nothing has been triggered.
Remove the rule.

Bug: 25768265
Change-Id: Ia9f35c41feabc9ccf5eb5c6dae09c68dc4f465ff
2015-12-11 16:57:45 -08:00
Nick Kralevich
a1f903dab2 bluetoothdomain.te: drop bluetooth unix_stream_socket auditallow
Yes, it's being used.

  type=1400 audit(0.0:19391): avc: granted { read write } for comm="Binder_4" path="socket:[1354209]" dev="sockfs" ino=1354209 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19392): avc: granted { read } for comm="pandora.android" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19393): avc: granted { read } for comm="TransportReader" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19398): avc: granted { shutdown } for comm="AppLinkBluetoot" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:19400): avc: granted { getopt } for comm="AppLinkBluetoot" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:12517): avc: granted { write } for comm="MultiQueueWrite" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
  type=1400 audit(0.0:12563): avc: granted { read } for comm="WearableReader" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket

and a lot more...

Bug: 25767747
Change-Id: I15f89be1f44eef471e432e6d9f9ecb60a43801f8
2015-12-11 16:44:23 -08:00
Mark Salyzyn
140a019aed dumpstate: storage statistics
Deal with a few audit failures

Bug: 24200279
Change-Id: Ifb8e936738ef9c8576842576315cca2825310d3a
2015-12-11 12:50:57 -08:00
Nick Kralevich
1638208fd8 su.te: dontaudit su property_type:file
The "su" domain is in globally permissive mode on userdebug/eng
builds. No SELinux denials are supposed to be generated when running
under "su".

Get rid of useless SELinux denials coming from su trying to stat
files in /dev/__properties__. For example: "ls -la /dev/__properties__"
as root.

Addresses the following denials:

  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:wc_transport_prop:s0" dev="tmpfs" ino=10597 scontext=u:r:su:s0 tcontext=u:object_r:wc_transport_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qseecomtee_prop:s0" dev="tmpfs" ino=10596 scontext=u:r:su:s0 tcontext=u:object_r:qseecomtee_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:radio_atfwd_prop:s0" dev="tmpfs" ino=10595 scontext=u:r:su:s0 tcontext=u:object_r:radio_atfwd_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:qcom_ims_prop:s0" dev="tmpfs" ino=10594 scontext=u:r:su:s0 tcontext=u:object_r:qcom_ims_prop:s0 tclass=file permissive=1
  avc: denied { getattr } for pid=14692 comm="ls" path="/dev/__properties__/u:object_r:contexthub_prop:s0" dev="tmpfs" ino=10593 scontext=u:r:su:s0 tcontext=u:object_r:contexthub_prop:s0 tclass=file permissive=1

Change-Id: Ief051a107f48c3ba596a31d01cd90fb0f3442a69
2015-12-10 13:07:27 -08:00
Nick Kralevich
4e2d22451f Restore sysfs_devices_system_cpu to domain.te
Lots of processes access CPU information. This seems to be triggered
by libraries loaded into every Android process. Allow the access.

Addresses the following denials:

adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:6): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1

Change-Id: Ie7bfae53bdf670028db724d2720447ead42bad35
2015-12-10 11:10:20 -08:00
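The denial lines quoted in 4e2d22451f and the auditallow grants quoted in a1f903dab2 are the raw material behind most of the policy changes in this log. As an added example, not code from the AOSP sepolicy project, this Python helper parses such avc lines and folds them into the candidate allow rule a set of denials would need and the auditallow rule that produced each grant, so a reviewer can see the policy cost of a denial set before granting it; the sample lines are copied from the commit messages above.

```python
import re
from collections import defaultdict

# Sample avc lines copied from the commit messages in this log (kernel audit format).
SAMPLE_AUDIT = """
adbd    : type=1400 audit(0.0:3): avc: denied { search } for name="cpu" dev="sysfs" ino=32 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir permissive=1
adbd    : type=1400 audit(0.0:4): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
adbd    : type=1400 audit(0.0:5): avc: denied { open } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:adbd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=1
type=1400 audit(0.0:19391): avc: granted { read write } for comm="Binder_4" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
type=1400 audit(0.0:12517): avc: granted { write } for comm="MultiQueueWrite" scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket
"""

# verdict, permission set, and the three fields a policy rule is keyed on
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """u:r:adbd:s0 -> adbd ; u:object_r:sysfs_devices_system_cpu:s0 -> sysfs_devices_system_cpu.
    MLS categories (s0:c512,c768) are dropped: rules are written on types, not levels."""
    return context.split(':')[2]


def parse_avc(text):
    """Yield (verdict, source_type, target_type, tclass, perms) for every avc line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (m['verdict'], type_of(m['scontext']), type_of(m['tcontext']),
                   m['tclass'], set(m['perms'].split()))


def aggregate(text):
    """Merge permissions per (verdict, source, target, class), as audit2allow does."""
    merged = defaultdict(set)
    for verdict, src, tgt, tclass, perms in parse_avc(text):
        merged[(verdict, src, tgt, tclass)] |= perms
    return dict(merged)


def to_rules(text):
    """Denied tuples become the allow rule that would silence them; granted tuples
    become the auditallow rule that logged them (evidence the permission is in use)."""
    rules = []
    for (verdict, src, tgt, tclass), perms in sorted(aggregate(text).items()):
        kind = 'allow' if verdict == 'denied' else 'auditallow'
        joined = ' '.join(sorted(perms))
        body = joined if len(perms) == 1 else '{ ' + joined + ' }'
        rules.append(f'{kind} {src} {tgt}:{tclass} {body};')
    return rules


if __name__ == '__main__':
    for rule in to_rules(SAMPLE_AUDIT):
        print(rule)
```

The allow rules are candidates to review against the neverallow constraints in the policy, not something to paste in blindly; an auditallow rule reappearing as a granted line is exactly the signal the bluetooth commit above used to decide a permission must stay.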
Nick Kralevich
f01453ad45 Remove core_property_type from ctl_* properties
Per https://android-review.googlesource.com/185392 , ctl.* properties
are not represented as files in the filesystem. So there's no need
to grant read access to them, since it's pointless.

Remove core_property_type from these properties, which has the net
effect of removing read access to these non-existent files.

Change-Id: Ic1ca574668a3511c335a7036a2bb7993ff02c1e3
2015-12-09 08:47:02 -08:00
Nick Kralevich
5a570a4b6b Remove property read access for non-core properties
Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.

Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.

Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
2015-12-08 14:47:04 -08:00
Jeffrey Vander Stoep
5ca5696e8b Revert "Migrate to upstream policy version 30"
This reverts commit 2ea23a6e1a.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
2015-12-08 18:19:04 +00:00
Tao Bao
7a0b8efe97 Merge "Allow update_verifier to access bootctrl_block_device."
am: e8b176ed44

* commit 'e8b176ed44484f680ebb4c3e1474833e7d35ff78':
  Allow update_verifier to access bootctrl_block_device.
2015-12-08 17:59:50 +00:00
Tao Bao
e8b176ed44 Merge "Allow update_verifier to access bootctrl_block_device." 2015-12-08 17:53:59 +00:00
Nick Kralevich
637af04edd Change /dev/ion from read-only to read-write
am: 71fd337f04

* commit '71fd337f040216cf24a09765589dd9a4dfbb4d4d':
  Change /dev/ion from read-only to read-write
2015-12-08 09:31:35 -08:00
Nick Kralevich
71fd337f04 Change /dev/ion from read-only to read-write
Even though /dev/ion can allocate memory when opened in read-only mode,
some processes seem to unnecessarily open it in read-write mode.
This doesn't seem to be harmful, and was originally allowed in
domain_deprecated. Re-allow it.

Bug: 25965160
Change-Id: Icaf948be89a8f2805e9b6a22633fa05b69988e4f
2015-12-08 09:05:12 -08:00
Jeffrey Vander Stoep
862e4ab15f Merge "Migrate to upstream policy version 30"
am: 9a3d490edd

* commit '9a3d490edd843e544084c487422aa54f39080876':
  Migrate to upstream policy version 30
2015-12-08 07:22:25 -08:00
Nick Kralevich
ce890bf8d5 shell.te: Restore /proc/net access
am: 99c78bf2fd

* commit '99c78bf2fdde7e765fc667043b0afaa49c9098e5':
  shell.te: Restore /proc/net access
2015-12-08 07:22:21 -08:00
Jeffrey Vander Stoep
9a3d490edd Merge "Migrate to upstream policy version 30" 2015-12-08 15:21:39 +00:00
Jeff Vander Stoep
2ea23a6e1a Migrate to upstream policy version 30
Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow
priv_sock_perms to disallow access to MAC address and ESSID.

Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
2015-12-08 07:18:41 -08:00
Nick Kralevich
99c78bf2fd shell.te: Restore /proc/net access
The removal of domain_deprecated from the shell user in
https://android-review.googlesource.com/184260 removed /proc/net access.
Restore it.

Bug: 26075092
Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593
2015-12-08 07:07:42 -08:00
Tao Bao
8eaf25856e Allow update_verifier to access bootctrl_block_device.
Bug: 26039641
Change-Id: Ifd96b105f054b67f881529db3fe94718cab4a0f4
2015-12-07 22:31:15 -08:00
Nick Kralevich
7fe25900b4 Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
am: 44826cb5e4

* commit '44826cb5e4b20e0f7b7bfa72f64767e5fcc4f253':
  Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
2015-12-08 04:48:01 +00:00
Nick Kralevich
44826cb5e4 Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-07 17:04:49 -08:00
Nick Kralevich
8e5436460b adbd: allow ddms screen capture to work again
am: 5e8402df43

* commit '5e8402df4322182bb4a5c8e61a13d916e4b34afe':
  adbd: allow ddms screen capture to work again
2015-12-08 00:11:19 +00:00
Nick Kralevich
5e8402df43 adbd: allow ddms screen capture to work again
The removal of domain_deprecated broke ddms screen capturing
functionality.

Steps to reproduce:

1) Run "ddms"
2) Select your device
3) Go to the Device > Screen Capture menu
4) Attempt to take a screenshot

Addresses the following denials:

  avc: denied { read } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { open } for pid=2728 comm="screencap" name="ion" dev="tmpfs" ino=7255 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { ioctl } for pid=2728 comm="screencap" path="/dev/ion" dev="tmpfs" ino=7255 ioctlcmd=4905 scontext=u:r:adbd:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  avc: denied { read } for pid=5261 comm="screencap" name="egl" dev="dm-1" ino=210 scontext=u:r:adbd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26023462
Change-Id: Ie77c65900de56756d5c9b99dcda1e20664151ed2
2015-12-07 15:48:57 -08:00
Nick Kralevich
e9d43070e4 adbd: allow "adb pull /sdcard/"
am: b899f4fc33

* commit 'b899f4fc33e93ad6ec3d81c39e17eae5ea2fef4f':
  adbd: allow "adb pull /sdcard/"
2015-12-07 23:20:33 +00:00
Nick Kralevich
b899f4fc33 adbd: allow "adb pull /sdcard/"
The removal of domain_deprecated broke the ability for adbd to
pull files from /sdcard. Re-allow it.

Addresses the following denials:

  avc: denied { search } for pid=2753 comm=73657276696365203530 name="/" dev="tmpfs" ino=6242 scontext=u:r:adbd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
  avc: denied { getattr } for pid=2755 comm=73657276696365203431 path="/sdcard" dev="rootfs" ino=5472 scontext=u:r:adbd:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=0

Change-Id: I70257933f554abd008932c7f122dd0151f464b05
2015-12-07 14:55:23 -08:00
Felipe Leme
8cf8a9d01c Increase communication surface between dumpstate and Shell:
am: 83fd8a54f5

* commit '83fd8a54f54033837f168bbd61012fa5373a4e4c':
  Increase communication surface between dumpstate and Shell:
2015-12-04 14:28:26 -08:00
Felipe Leme
83fd8a54f5 Increase communication surface between dumpstate and Shell:
- Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-04 14:08:28 -08:00
Jeffrey Vander Stoep
0676757d17 Merge "rild: Remove toolbox_exec perms"
am: f6a0b144ae

* commit 'f6a0b144aecee7376ea5e661981354256fc8f375':
  rild: Remove toolbox_exec perms
2015-12-04 21:11:00 +00:00
Jeffrey Vander Stoep
f6a0b144ae Merge "rild: Remove toolbox_exec perms" 2015-12-04 21:05:24 +00:00
Nick Kralevich
298a38ed3d shell.te: Allow read access to system_file
am: 29b9532a9e

* commit '29b9532a9e775184ae47025d3c6aa2c719806483':
  shell.te: Allow read access to system_file
2015-12-04 17:13:33 +00:00
Nick Kralevich
29b9532a9e shell.te: Allow read access to system_file
Certain tests depend on the ability to examine directories
in /system. Allow it to the shell user.

Addresses the following denials:

  avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

Bug: 26020967
Bug: 26023420
Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14
2015-12-04 09:05:02 -08:00
Jeff Vander Stoep
e811c49fce rild: Remove toolbox_exec perms
Confirmed via audit logs that it is not required.

Change-Id: I01d4b7ec15d4c852a9f28daf0b40ab4bce930125
2015-12-04 08:36:55 -08:00
Jeffrey Vander Stoep
cd47828c12 Merge "Further restrict access to tun_device"
am: 98c3f9971f

* commit '98c3f9971f4b551fd5578c63f77fa9111bed94ad':
  Further restrict access to tun_device
2015-12-04 01:38:37 +00:00
Jeffrey Vander Stoep
98c3f9971f Merge "Further restrict access to tun_device" 2015-12-04 01:32:54 +00:00
Jeff Vander Stoep
e555f4b971 Further restrict access to tun_device
Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.

Strengthen the neverallow on opening tun_device to include all Apps.

Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
2015-12-03 15:56:04 -08:00
Tom Cherry
c28d909159 Merge "Support fine grain read access control for properties"
am: 6fa6bdb6ee

* commit '6fa6bdb6ee70994da64baff0499687d6a565d773':
  Support fine grain read access control for properties
2015-12-03 22:58:52 +00:00
Tom Cherry
6fa6bdb6ee Merge "Support fine grain read access control for properties" 2015-12-03 22:55:32 +00:00
Tom Cherry
949d7cbc29 Support fine grain read access control for properties
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
2015-12-03 14:06:10 -08:00
Nick Kralevich
d483d2f3d4 shell.te: allow pulling the currently running SELinux policy
am: ad22e86740

* commit 'ad22e86740132ba0541506edebb7a6c1da70017b':
  shell.te: allow pulling the currently running SELinux policy
2015-12-03 21:56:21 +00:00
Nick Kralevich
ad22e86740 shell.te: allow pulling the currently running SELinux policy
Allow pulling the currently running SELinux policy for CTS.

Change-Id: I82ec03724a8e5773b3b693c4f39cc7b5c3ae4516
2015-12-03 13:28:14 -08:00
Jeffrey Vander Stoep
d95780ac93 Merge "Allow priv_apps to stat files on the system partition"
am: 1d58b2fdea

* commit '1d58b2fdea644f2ac02e8c1552754ea7c4b576e4':
  Allow priv_apps to stat files on the system partition
2015-12-03 21:25:31 +00:00
Jeffrey Vander Stoep
1d58b2fdea Merge "Allow priv_apps to stat files on the system partition" 2015-12-03 21:20:18 +00:00
Jeff Vander Stoep
2b56e4844e Allow priv_apps to stat files on the system partition
Allows safetynet to scan the system partition which is made up of
files labeled system_file (already allowed) and/or files with the
exec_type attribute.

Bug: 25821333
Change-Id: I9c1c9c11bc568138aa115ba83238ce7475fbc5e4
2015-12-03 13:00:07 -08:00
Jeffrey Vander Stoep
d9c22bc4bc Merge "bootanim: Remove domain_deprecated"
am: a0757c4d54

* commit 'a0757c4d5487e08d7c8e4428dea1703ce77ca49d':
  bootanim: Remove domain_deprecated
2015-12-02 21:36:39 +00:00
Jeffrey Vander Stoep
a0757c4d54 Merge "bootanim: Remove domain_deprecated" 2015-12-02 21:33:04 +00:00
Jeff Vander Stoep
855ffe588e bootanim: Remove domain_deprecated
Remove domain_deprecated from bootanim. This removes some unnecessarily
permissive rules.

As part of this, re-allow access to cgroups, proc and sysfs, removed as
a result of removing domain_deprecated.

Bug: 25433265
Change-Id: I58658712666c719c8f5a39fe2076c4f6d166616c
2015-12-02 13:29:20 -08:00