480374e4d082238a71773f29483c5d24ad8b3f6d
17-Oct-2014
Nick Kralevich <nnk@google.com>

Fix compile time / CTS gps_data_files neverallow assertion

Currently, zygote spawned apps are prohibited from modifying GPS data files. If someone tries to allow GPS access to any app domain, it generates a compile time / CTS exception.

Relax the rules slightly for system_app. These apps run with UID=system, and shouldn't be banned from handling gps data files.

This change doesn't add or remove any SELinux rules. Rather, it just relaxes a compile time assertion, allowing partners to create SELinux rules allowing the access if they desire.

Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93

/external/sepolicy/app.te

51bfecf49d50982f64aba1fa73bbbdd2e40a444f
13-Oct-2014
Robin Lee <rgl@google.com>

Pull keychain-data policy out of system-data

Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547

/external/sepolicy/app.te

49fd9567d933acedeedc6d2927951ec07ef65723
26-Sep-2014
Martijn Coenen <maco@google.com>

Merge "Allow NFC to read/write nfc. system properties." into lmp-dev

05383ebfb439bed8436912ed28db550e8842b343
26-Sep-2014
Martijn Coenen <maco@google.com>

Allow NFC to read/write nfc. system properties.

Bug: 17298769
Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97

/external/sepolicy/app.te

62083414a4cc2b9fd7eb22c3bc4ffa4d9285d4be
25-Sep-2014
Nick Kralevich <nnk@google.com>

allow apps to read the contents of mounted OBBs

Apps should be able to read the contents of mounted OBBs.

Steps to reproduce:
1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur)
2) Attempt to run the app.

Expected: App runs successfully.
Actual: App crashes. See denials below.

This can also be reproduced by running the newly introduced CTS test in I2018b63b0236ce6b5aee4094e40473315b1948c3

Addresses the following denials:
avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file
avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0

Bug: 17633509
Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa

/external/sepolicy/app.te

a8b651bfba433ab91b565fea5276ceb7743ad15a
23-Sep-2014
Nick Kralevich <nnk@google.com>

relax appdomain efs_file neverallow rules [DO NOT MERGE]

During factory provisioning, some manufacturers may need to pull files from /factory (label efs_file and bluetooth_efs_file) to collect device specific identifiers such as the mac address, using commands similar to the following:

adb shell cat /factory/ssn
adb shell cat /factory/bt/bd_addr.conf
adb shell cat /factory/wifi/mac.txt
adb shell cat /factory/60isn

Read-only access to these files is currently disallowed by a neverallow rule. Relax the rules to allow read-only access to the shell user if desired.

No new SELinux rules are added or deleted by this change. This is only a relaxation in what's allowed for vendor specific policy.

Bug: 17600278
(cherry picked from commit 200a9f0e20337b48824cf621a017e2852245e5ca)
Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7

/external/sepolicy/app.te

36fb1f1bf3fa29a639e4c9d793b36cbbceae2ec7
22-Sep-2014
Nick Kralevich <nnk@google.com>

relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets

Netlink uevent sockets are used by the kernel to inform userspace when certain events occur, for example, when new hardware is added or removed. This allows userspace to take some action based on those messages.

Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets. Certain device specific app domains, such as system_app, may have a need to receive messages from this socket type.

Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app. These sockets have been the source of rooting attacks in Android in the past, and it doesn't make sense to expose this to untrusted_apps.

No new SELinux rules are introduced by this change. This is an adjustment of compile time assertions only.

Bug: 17525863
(cherry picked from commit 642b80427ec2e95eb13cf03a74d814f240813e71)
Change-Id: I35f3dc8b1ead9f427645a13fb202e760d1e68e64

/external/sepolicy/app.te

309cc668f9da5a3e4df7ecd44f3618864e4cf7eb
09-Sep-2014
dcashman <dcashman@google.com>

Enable selinux read_policy for adb pull.

Remove permission from appdomain.

Bug: 16866291
Change-Id: I37936fed33c337e1ab2816258c2aff52700af116

/external/sepolicy/app.te

bcdff890304e694c09bf0a4a90fb76a82434fa57
01-Sep-2014
Mark Salyzyn <salyzyn@google.com>

logd: permit app access to clear logs

I/auditd(19949): type=1400 audit(0.0:71): avc: denied { write } for comm="logcat" name="logd" dev="tmpfs" ino=5924 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file

(cherry picked from 60f0be84c0cf3a895c6b95ee8387b71e1b0c6d83)

Bug: 17323719
Change-Id: Id8399195196ffad884eef98030d544c68ed0596f

/external/sepolicy/app.te

67d58acb9b8d28dddeb9670e9801962b6fd7dcfd
28-Aug-2014
dcashman <dcashman@google.com>

Merge "Add permissive domains check to sepolicy-analyze." into lmp-dev

c30dd63f56ba5035eeb604b0b9b48f36ef5e8937
26-Mar-2014
dcashman <dcashman@google.com>

Add permissive domains check to sepolicy-analyze.

Also enable global reading of kernel policy file. Motivation for this is to allow read access to the kernel version of the binary selinux policy.

Bug: 17288791
Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99

/external/sepolicy/app.te

711895db2897bc5d001899eb5e0f931c79a1ad3f
27-Aug-2014
dcashman <dcashman@google.com>

Allow appdomain read perms on apk_data_files.

Address:
type=1400 audit(0.0:103): avc: denied { read } for name="arm" dev="mmcblk0p28" ino=195471 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 16204150
Change-Id: I8bf0172b26b780c110c0d95c691785143acd7dd2

/external/sepolicy/app.te

d990a78f8ef398488d6c0ce0a2d18b3d3a5183c4
29-Jul-2014
Stephen Smalley <sds@tycho.nsa.gov>

Fix neverallow rules to eliminate CTS SELinuxTest warnings.

Fix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest.

For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid.

For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 21ada26daea538397029396099dce865267bae2f)
Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e

/external/sepolicy/app.te

8ee37b4f1c58e1dcd00b198a9bbfeafb4221fdc9
15-Jul-2014
Ed Heyl <edheyl@google.com>

reconcile aosp (c103da877b72aae80616dbc192982aaf75dfe888) after branching. Please do not merge.

Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4

/external/sepolicy/app.te

e9c90bddcea8d3d466fbc34361a7feea3eea4ad3
15-Jul-2014
Ed Heyl <edheyl@google.com>

reconcile aosp (4da3bb1481e4e894a7dee3f3b9ec8cef6f6b1aed) after branching. Please do not merge.

Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e

/external/sepolicy/app.te

be66069765b019257ed3bf1ca1285e643360a998
04-Jul-2014
Nick Kralevich <nnk@google.com>

Remove -unconfineddomain from neverallow rules

Many of the neverallow rules have -unconfineddomain. This was intended to allow us to support permissive_or_unconfined(), and ensure that all domains were enforcing at least a minimal set of rules.

Now that all the app domains are in enforcing / confined, there's no need to allow for these exceptions. Remove them.

Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f

/external/sepolicy/app.te

77eb35263f40607e36fdcd85d95050a4ecedb6b8
29-Jun-2014
Sharvil Nanavati <sharvil@google.com>

Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms.

Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e

/external/sepolicy/app.te

22e0c414a50feed2f0475ab0d75301dce3488873
01-Jul-2014
Riley Spahn <rileyspahn@google.com>

Remove auditallow statements causing log spam.

Remove the auditallow statements from app.te and binderservicedomain.te which were causing log spam.

Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb

/external/sepolicy/app.te

1196d2a5763c9a99be99ba81a4a29d938a83cc06
17-Jun-2014
Riley Spahn <rileyspahn@google.com>

Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc

/external/sepolicy/app.te

cf610692252b4df30b42f2bce3de464ac1804f97
20-Jun-2014
Stephen Smalley <sds@tycho.nsa.gov>

Only allow app domains to access SDcard via fuse mount.

sdcard_internal is assigned to fuse mounts while sdcard_external is assigned to vfat mounts by genfs_contexts. Originally we allowed access to both via the sdcard_type attribute, and access via both means was required. IIUC however, in 4.4 and later, SDcard access should always occur via the fuse mount and we can drop access to sdcard_external. I think we can do the same for all domains except sdcardd. However, I cannot test this as the Nexus devices do not have external SDcard support.

Also wondering if we should rename sdcard_internal type to fuse and sdcard_external type to vfat to more clearly represent their meaning, since one accesses the external SDcard via the fuse mount now.

Change-Id: Ie44221e9eea90e627a48df5398c456b86293f724
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

fad4d5fb00ddb1f61c22c003429e10f10b046d0d
16-Jun-2014
Nick Kralevich <nnk@google.com>

Fix SELinux policies to allow resource overlays.

The following commits added support for runtime resource overlays.

New command line tool 'idmap'
  * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
  * 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
  * ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that everything is working after this change. I haven't independently verified the functionality.

Test cases are available for this by running:
  * python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40

/external/sepolicy/app.te

867030517724036b64fcaf39deaba1b27f3ca77e
11-Jun-2014
Nick Kralevich <nnk@google.com>

Remove world-read access to /data/dalvik-cache/profiles

Remove /data/dalvik-cache/profiles from domain. Profiling information leaks data about how people interact with apps, so we don't want the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to read/write profiling data.

Remove restorecon specific rules. The directory is now created by init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3

/external/sepolicy/app.te

42fb824ca9f3e46b4419f05083f2694ac67a8229
11-Jun-2014
Stephen Smalley <sds@tycho.nsa.gov>

Refactor the shell domains.

Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

84ed890aebce5235018b846fac734b47833ee364
04-Jun-2014
Nick Kralevich <nnk@google.com>

Merge adf_device into graphics_device

As of sepolicy commit a16a59e2c7f1e2f09bf7b750101973a974c972e8 (https://android-review.googlesource.com/94580), adf_device and graphics_device have the exact same security properties. Merge them into one type to avoid a proliferation of SELinux types.

Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95

/external/sepolicy/app.te

6f6c425563f4faa4e1e12bf430c32d0b81a78f64
31-May-2014
Christopher Tate <ctate@android.com>

Adjust rules around /data/app entities

This is to accommodate migration to (and ongoing support of) a new installed-app file topology, in which APK files are placed in /data/app/$PACKAGE-rev/, there is a canonical-path symlink /data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native libraries exist not under a top-level /data/app-lib/$PACKAGE-rev hard directory, but rather under /data/app/$PACKAGE/lib (when referenced by canonical path).

Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0

/external/sepolicy/app.te

78706f9ef6d917fe2ec85ecb6b0f47fbc5efde57
02-Jun-2014
Nick Kralevich <nnk@google.com>

add execmod to various app domains

NDK r8c and below induced text relocations into every NDK compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203). For compatibility, we need to support shared libraries with text relocations in them.

Addresses the following error / denial:
06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
<4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected: App runs
Actual: App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663

/external/sepolicy/app.te

3235f61aa859af1d1c3d060eb55cf1929bc6914f
30-May-2014
Stephen Smalley <sds@tycho.nsa.gov>

Restrict /data/security and setprop selinux.reload_policy access.

Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received.

Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise.

Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete.

Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

685e2f9d9c0d3f64e9eabb789adb0b34f5f11836
28-May-2014
Nick Kralevich <nnk@google.com>

remove syslog_* from unconfined

As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves.

Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4

/external/sepolicy/app.te

f821b5a7977102a417b32f358bf87d1e0cdeb06d
28-May-2014
Nick Kralevich <nnk@google.com>

allow shell dmesg

Allow the shell user to see the dmesg output. This data is already available via "adb bugreport", but isn't easy to access.

Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177

/external/sepolicy/app.te

9786af2bcaaf0ba25c0a50c81c748a05793ec847
23-May-2014
Torne (Richard Coles) <torne@google.com>

Define SELinux policy for RELRO sharing support.

Define a domain and appropriate access rules for shared RELRO files (used for loading the WebView native library). Any app is permitted to read the files as they are public data, but only the shared_relro process is permitted to create/update them.

Bug: 13005501
Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e

/external/sepolicy/app.te

4fce0ef97c2a4cb6e0ce2adf17c012c8be6252bf
23-May-2014
Nick Kralevich <nnk@google.com>

Fix use of valgrind via app wrapping

On userdebug / eng builds, Android supports the concept of app wrapping. You can run an app wrapped by another process. This is traditionally used to run valgrind on apps, looking for memory leaks and other problems.

App wrapping is enabled by running the following command:

adb shell setprop wrap.com.android.foo "TMPDIR=/data/data/com.android.foo logwrapper valgrind"

Valgrind attempts to mmap exec /system/bin/app_process, which is being denied by SELinux. Allow app_process exec.

Addresses the following denial:
<4>[ 82.643790] type=1400 audit(16301075.079:26): avc: denied { execute } for pid=1519 comm="memcheck-arm-li" path="/system/bin/app_process32" dev="mmcblk0p25" ino=61 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

Bug: 15146424
Change-Id: I65394938c53da9252ea57856d9f2de465bb30c25

/external/sepolicy/app.te

71db4110434d18adfaf87fd788f8dfd1d5709899
14-May-2014
dcashman <dcashman@google.com>

Remove duplicate neverallow rule.

Commit: 7ffb9972076bfbd2abab1df6b4d759d14d55af96 added protection against low memory mapping for all domains, a superset of appdomain. Remove the same, redundant neverallow rule from appdomain.

Change-Id: Ia41c02763f6b5a260c56d10adfbab649d9f3f97c

/external/sepolicy/app.te

681a687a6032e060742cf57b8e1f9d122fd5afca
08-May-2014
Stephen Smalley <sds@tycho.nsa.gov>

Drop appdomain unlabeled file execute.

Should no longer be required due to restorecon_recursive of /data by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to restorecon_recursive of /data/data by installd (covers /data/data directories).

Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

7004789de39c1e712169ac6d4c98bdbe43dcce6e
07-May-2014
Greg Hackmann <ghackmann@google.com>

Add policies for Atomic Display Framework

ADF is a modern replacement for fbdev. ADF's device nodes (/dev/adf[X]), interface nodes (/dev/adf-interface[X].[Y]), and overlay engine nodes (/dev/adf-overlay-engine[X].[Y]) are collectively used in similar contexts as fbdev nodes.

Vendor HW composers (via SurfaceFlinger) and healthd will need to send R/W ioctls to these nodes to prepare and update the display. Ordinary apps should not talk to ADF directly.

Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>

/external/sepolicy/app.te

91a4f8d4fdab7df8474c2ffaa996c879166d8a4c
07-May-2014
Stephen Smalley <sds@tycho.nsa.gov>

Label app data directories for system UID apps with a different type.

We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories.

This resolves the following denial when cropping or taking a user photo for secondary users:
avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

1545b6061518bac473cf93af576cbea12a992298
05-May-2014
Nick Kralevich <nnk@google.com>

allow untrusted_app to write to MMS files

Commit 3fbc536dfd5afbce5ef45f18d0afb3516089ed88 allowed untrusted app to read radio data files passed via binder, but didn't allow write access. Write access is needed when sending MMS messages.

Steps to reproduce:
1) have some photos on the device
2) Launch messaging app
3) Attach a MMS (Picture, capture video, capture picture, audio recording etc..)
4) Send

EXPECTED RESULTS:
No crash

OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state

Additional details:
05-05 10:14:01.196 2457 2457 W Binder_3: type=1400 audit(0.0:20): avc: denied { write } for path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
05-05 10:14:01.203 27809 28219 E PduPersister: at java.lang.Thread.run(Thread.java:818)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at android.content.ContentUris.parseId(ContentUris.java:85)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
05-05 10:14:01.221 27809 28219 E AndroidRuntime: at java.lang.Thread.run(Thread.java:818)
05-05 10:14:01.222 659 5253 W ActivityManager: Force finishing activity com.android.mms/.ui.ComposeMessageActivity

Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9

/external/sepolicy/app.te

6736bac21870bdc8bb6098ddffdb70103f7bc2a3
24-Apr-2014
Jeff Sharkey <jsharkey@android.com>

Define types for an OEM-provided filesystem.

Bug: 13340779
Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587

/external/sepolicy/app.te

2562843425bb5f13e42b8605a1568308c6faff71
18-Apr-2014
Stephen Smalley <sds@tycho.nsa.gov>

Audit accesses on unlabeled files.

To see whether we can safely remove these allow rules on unlabeled files since we now have restorecon_recursive /data in init.rc to fully relabel legacy userdata partitions, audit all accesses on such files.

Exclude the init domain since it performs the restorecon_recursive /data and therefore will read unlabeled directories, stat unlabeled files, and relabel unlabeled directories and files on upgrade. init may also create/write unlabeled files in /data prior to the restorecon_recursive /data being called.

Exclude the kernel domain for search on unlabeled:dir as this happens during cgroup filesystem initialization in the kernel as a side effect of populating the cgroup directory during the superblock initialization before SELinux has set the label on the root directory.

Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

19c509034ee309c60c958637841c151d3c273421
09-Apr-2014
Stephen Smalley <sds@tycho.nsa.gov>

Define a type for /data/dalvik-cache/profiles.

I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles subdirectory to /data/dalvik-cache with files that must be app-writable. As a result, we have denials such as:
W/Profiler( 3328): type=1400 audit(0.0:199): avc: denied { write } for name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null)
W/auditd ( 286): type=1307 audit(0.0:199): cwd="/"
W/auditd ( 286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0

We do not want to allow untrusted app domains to write to the existing type on other /data/dalvik-cache files as that could be used for code injection into another app domain, the zygote or the system_server. So define a new type for this subdirectory. The restorecon_recursive /data in init.rc will fix the labeling on devices that already have a profiles directory created. For correct labeling on first creation, we also need a separate change to installd under the same change id.

Bug: 13927667
Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

9ba844fea12a0b08770e870d63f3d3c375c7c9b5
04-Apr-2014
Stephen Smalley <sds@tycho.nsa.gov>

Coalesce shared_app, media_app, release_app into untrusted_app.

This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set.

As there is now only a single platform app domain, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS.

Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml.

Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

/external/sepolicy/app.te

3fbc536dfd5afbce5ef45f18d0afb3516089ed88 |
|
27-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow reading of radio data files passed over binder. Addresses denials such as: avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file This does not allow write denials such as: avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file Need to understand whether write access is in fact required. Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
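The commit messages in this log paste raw `avc: denied { ... }` records and then decide, by hand, which of them become allow rules and which (like the radio_data_file write above) stay denied. The script below is an added example, not code from the sepolicy project: it parses such records, collapses them by (source type, target type, class) the way audit2allow does, and refuses to propose a rule that a neverallow assertion would reject. The NEVERALLOW table and the APPDOMAIN membership set are constructed illustrations (the real assertions live in the policy's .te files), and the last SAMPLE_LOG record is constructed to exercise the neverallow path; the other three records are copied from commit messages on this page.

```python
"""Triage SELinux AVC denials into candidate allow rules, minus neverallow conflicts.

Added example, not code from the sepolicy project. Parses "avc: denied" records,
groups them by (source type, target type, class) and checks each group against a
small, constructed neverallow table before proposing an allow rule.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One denial starts at "avc: denied" and runs until the next one; the dmesg /
# auditd prefix of the following record becomes harmless trailing text.
DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: frozenset
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    path: str


def parse_denials(text):
    """Return a Denial for every 'avc: denied' record found in text."""
    denials = []
    for chunk in re.split(r"(?=avc:\s+denied)", text):
        m = DENIAL_RE.match(chunk)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        denials.append(Denial(
            perms=frozenset(m.group(1).split()),
            scontext=fields.get("scontext", ""),
            tcontext=fields.get("tcontext", ""),
            tclass=fields.get("tclass", ""),
            comm=fields.get("comm", ""),
            path=fields.get("path") or fields.get("name", ""),
        ))
    return denials


def type_of(context):
    """u:r:untrusted_app:s0:c39,c256 -> untrusted_app (the type is the third field)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


# Constructed, illustrative neverallow table: (source, target, class). The real
# assertions live in domain.te / app.te and are far more complete. "appdomain"
# stands for the attribute carried by the (assumed) app domains listed here.
APPDOMAIN = {"untrusted_app", "platform_app", "system_app", "isolated_app",
             "shared_app", "media_app", "release_app", "bluetooth", "nfc", "radio"}
NEVERALLOW = [
    ("*", "kmem_device", "chr_file"),      # no userspace access to the kmem device
    ("appdomain", "device", "chr_file"),   # generic device nodes must be relabeled
]


def hits_neverallow(src, tgt, tclass):
    """True if an allow rule for (src, tgt, tclass) would violate NEVERALLOW."""
    for nsrc, ntgt, ncls in NEVERALLOW:
        src_ok = nsrc == "*" or nsrc == src or (nsrc == "appdomain" and src in APPDOMAIN)
        if src_ok and ntgt == tgt and ncls == tclass:
            return True
    return False


def triage(text):
    """Group denials and split them into proposable rules and neverallow conflicts."""
    grouped = defaultdict(set)
    for d in parse_denials(text):
        grouped[(type_of(d.scontext), type_of(d.tcontext), d.tclass)] |= d.perms
    candidates, blocked = [], []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        if hits_neverallow(src, tgt, cls):
            blocked.append(f"{src} {tgt}:{cls} {{ {plist} }}")
        else:
            candidates.append(f"allow {src} {tgt}:{cls} {{ {plist} }};")
    return candidates, blocked


# Sample input: the first three records are copied from commit messages in this
# log; the last one is constructed to exercise the neverallow check.
SAMPLE_LOG = """\
avc: denied { read } for pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
avc: denied { getattr } for pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file
avc: denied { read write } for pid=4242 comm="constructed" path="/dev/kmem" dev="tmpfs" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
"""

if __name__ == "__main__":
    rules, conflicts = triage(SAMPLE_LOG)
    print("\n".join(rules))
    for c in conflicts:
        print(f"# REFUSED (neverallow): {c}")
```

The grouped output is the starting point for review, not a rule to paste in: as the commit above shows, each proposed permission still has to be judged on whether the access is actually required (read and getattr were granted there, write was held back pending investigation).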
f9c3257fbaa16dbbffe3493b103d0b16ada1c0b5 |
|
12-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Get rid of separate download_file type. This appears to have been created to allow untrusted_app to access DownloadProvider cache files without needing to allow open access to platform_app_data_file. Now that platform_app_data_file is gone, there is no benefit to having this type. Retain a typealias for download_file to app_data_file until restorecon /data/data support is in place to provide compatibility. This change depends on: https://android-review.googlesource.com/#/c/87801/ Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
dc88dca115791053d00354785be37a38259b3781 |
|
12-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Get rid of separate platform_app_data_file type. The original concept was to allow separation between /data/data/<pkgdir> files of "platform" apps (signed by one of the four build keys) and untrusted apps. But we had to allow read/write to support passing of open files via Binder or local socket for compatibility, and it seems that direct open by pathname is in fact used in Android as well, only passing the pathname via Binder or local socket. So there is no real benefit to keeping it as a separate type. Retain a type alias for platform_app_data_file to app_data_file until restorecon /data/data support is in place to provide compatibility. Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
853ffaad323b3e5db14d3f2e4fbe7fa96160ede4 |
|
06-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Deduplicate neverallow rules on selinuxfs operations. We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te. Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
b0db712bf048dc634363b658a647b1f1897d8433 |
|
06-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Clean up, unify, and deduplicate app domain rules. Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files. Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as: avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket Change-Id: I770d7d51d498b15447219083739153265d951fe5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
3dad7b611a448fa43a678ff760c23a00f387947e |
|
05-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Address system_server denials. Label /proc/sysrq-trigger and allow access. Label /dev/socket/mtpd and allow access. Resolves denials such as: avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
2737ceff233a32be67ebc6e3dba6e80b8df6df0a |
|
04-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow stat/read of /data/media files by app domains. Resolves denials such as: avc: denied { read } for pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file avc: denied { getattr } for pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
28afdd9234236d0b3c510f28255aa14625d11457 |
|
26-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Deduplicate binder_call rules. A number of binder_call rules are duplicated by other rules written in terms of attributes/sets (e.g. appdomain, binderservicedomain). Get rid of the duplicates. Also use binder_use() in racoon.te rather than manually writing the base rule for communicating with the servicemanager. Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
2c347e0a3676bb50cac796ca94eb6ab53c08fc87 |
|
25-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop obsolete keystore_socket type and rules. Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched the keystore to using binder instead of a socket, so this socket type and rules have been unused for a while. The type was only ever assigned to a /dev/socket socket file (tmpfs) so there is no issue with removing the type (no persistent files will have this xattr value). Change-Id: Id584233c58f6276774c3432ea76878aca28d6280 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
85708ec4f91fd70b215dc69e00b80e0e7a7d4686 |
|
24-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Resolve overlapping rules between app.te and net.te. There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain. Resolve this overlap by: 1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket. 2) Adding net_domain() calls to all existing app domains that do not already have it. 3) Deleting the redundant socket rules from app.te. Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access. Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions. Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
0b218ec5fc7a1bce349dc319de6c5c904d9368e6 |
|
06-Feb-2014 |
Dave Platt <dplatt@google.com> |
Finish fixing Zygote descriptor leakage problem In order to prevent Zygote descriptors from leaking into the child environment, they should be closed by the forked-off child process before the child switches to the application UID. These changes close the descriptors via dup2(), substituting a descriptor open to /dev/null in their place; this allows the Zygote Java code to close the FileDescriptor objects cleanly. This is a multi-project change: dalvik, art, libcore, frameworks/base, and external/sepolicy are affected. The CLs need to be approved together, lest the build break or the software fail to boot. Bug: 12114500 Change-Id: Ie45ddf6d661a1ea8570cd49dfea76421f2cadf72
/external/sepolicy/app.te
|
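The commit above replaces close() with dup2() of a /dev/null descriptor so that the Zygote's privileged descriptors cannot reach the child while the fd numbers stay valid for the Java-side FileDescriptor objects. The following is an added example of that technique in Python, not code from the Zygote, dalvik, art or sepolicy projects: a pipe stands in for the privileged socket, and the check functions verify that after neutralization the descriptor numbers are still open but refer to the /dev/null device node rather than the original resource.

```python
"""Neutralize inherited descriptors before dropping privilege.

Added example, not code from the Zygote or sepolicy projects. Mirrors the
approach described in the commit above: dup2() a /dev/null descriptor over each
privileged fd instead of close(), so the fd numbers remain valid (a later
close() on them is clean) while nothing the child inherits still points at the
parent's privileged resources. A pipe stands in for the zygote sockets.
"""
import os
import stat


def neutralize_fds(fds):
    """Point every fd in `fds` at /dev/null and return the fds that were changed.

    Unlike close(), the fd number stays open afterwards: a read() returns EOF
    and a write() succeeds silently, so code that still holds the number cannot
    reach the original file or socket. This must run before the child changes
    to the application UID, while the process still owns the descriptors.
    """
    changed = []
    devnull = os.open(os.devnull, os.O_RDWR)
    try:
        for fd in fds:
            if fd == devnull:       # never clobber the descriptor we are copying from
                continue
            os.dup2(devnull, fd)    # atomically replaces fd's open file description
            changed.append(fd)
    finally:
        os.close(devnull)           # the duplicates keep /dev/null open on their own
    return changed


def points_at_devnull(fd):
    """True if fd now refers to the /dev/null character device."""
    st = os.fstat(fd)
    null = os.stat(os.devnull)
    return stat.S_ISCHR(st.st_mode) and st.st_rdev == null.st_rdev


def self_check():
    """Open a fresh pipe, neutralize both ends and report whether they now hit /dev/null."""
    r, w = os.pipe()
    try:
        return neutralize_fds([r, w]) == [r, w] and points_at_devnull(r) and points_at_devnull(w)
    finally:
        os.close(r)                 # fds are still valid numbers, so close() works
        os.close(w)


def demo():
    """Simulate a parent-side pipe holding data that must not leak to the child."""
    r, w = os.pipe()
    os.write(w, b"secret")          # constructed stand-in for privileged traffic
    neutralize_fds([r, w])
    leaked = os.read(r, 16)         # the neutralized fd yields EOF, not the data
    os.close(r)
    os.close(w)
    return leaked


if __name__ == "__main__":
    print("leaked bytes:", demo())
    print("self check:", self_check())
```

The order matters for the same reason the commit gives: dup2() is done in the forked child before the UID switch, so the descriptor table the application code eventually sees never contained a usable reference to the parent's sockets, and no later step has to special-case them.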
8ed750e9731e6e3a21785e91e9b1cf7390c16738 |
|
13-Nov-2013 |
Mark Salyzyn <salyzyn@google.com> |
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
/external/sepolicy/app.te
|
a637b2f21eda997f6d1bcb8f2600a5ee3195785d |
|
30-Jan-2014 |
William Roberts <wroberts@tresys.com> |
assert: Do not allow access to generic device:chr_file Rather, enforce that a relabel should be done. This tightens an existing assertion. Change-Id: I0500e3dc483e6bf97e5b017043e358bcbdc69904
/external/sepolicy/app.te
|
fc4c6b798a0c8ff38b4b943209ba1653a0276dfa |
|
23-Jan-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Allow all appdomains to grab file attributes of wallpaper_file. When setting a static wallpaper on multiple devices the following denials were encountered. avc: denied { getattr } for pid=1775 comm="llpaper_chooser" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:shared_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=799 comm="ndroid.systemui" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:platform_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=1909 comm=4173796E635461736B202332 path="/data/system/users/0/wallpaper" dev="mmcblk0p28" ino=586422 scontext=u:r:release_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file platform_app access is from the SystemUI app whereas the other denials are from the Launcher that is used on the particular device. For instance, Launcher2 triggers the shared_app denial whereas release_app (used by Launcher3) triggers the other denial. Because of this, add the rule to all appdomains. The static wallpaper is still set without this change. Just add the rule to avoid the noise in the logs. Change-Id: Ida84d1695d52379d67b87318403f629fd07109a4 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/external/sepolicy/app.te
|
2e7a301fad5b6065e2d364170a80bc58bc41aab0 |
|
11-Jan-2014 |
Nick Kralevich <nnk@google.com> |
Address bug report denials. Triggering a bug report via Settings > Developer Options > Take bug report generates a number of denials. Two bugs here: 1) According to the "allowed" list in frameworks/native/cmds/servicemanager/service_manager.c , media apps, nfc, radio, and apps with system/root UIDs can register as a binder service. However, they were not placed into the binder_service domain. Fix them. 2) The bugreport mechanism queries all the services and java programs and asks them to write to a shell owned file. Grant the corresponding SELinux capability. Addresses the following denials: <5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
/external/sepolicy/app.te
|
09f6a99b667c63cb4084583df10b13cde9b1e78a |
|
13-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow mediaserver to connect to bluetooth. Re-purpose the existing bluetooth_socket type, originally for /dev/socket/bluetooth used by bluetoothd in the old bluetooth stack, for sockets created by bluedroid under /data/misc/bluedroid, and allow mediaserver to connect to such sockets. This is required for playing audio on paired BT devices. Based on b/12417855. Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
df8af76f2678e3ea63e83701ac4b5afec24adf9f |
|
13-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add an exception for bluetooth to the sysfs neverallow rule. This is required for the grouper sepolicy, where we must allow bluetooth domain to write to the base sysfs type due to a kernel bug. Change-Id: I14b0530387edce1097387223f0def9b59e4292e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
959fdaaa25d7dbfad8a1900dfe9575f873cea649 |
|
09-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove unlabeled execute access from domain, add to appdomain. Otherwise all domains can create/write files that are executable by all other domains. If I understand correctly, this should only be necessary for app domains executing content from legacy unlabeled userdata partitions on existing devices and zygote and system_server mappings of dalvikcache files, so only allow it for those domains. If required for others, add it to the individual domain .te file, not for all domains. Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
396015c3952bcbd5678dc20d5e5e4407cf6a4d4a |
|
07-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove ping domain. ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1 |
|
23-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only allow PROT_EXEC for ashmem where required. tmpfs_domain() macro defines a per-domain type and allows access for tmpfs-backed files, including ashmem regions. execute-related permissions crept into it, thereby allowing write + execute to ashmem regions for most domains. Move the execute permission out of tmpfs_domain() to app_domain() and specific domains as required. Drop execmod for now; we are not seeing it. Similarly, execute permission for /dev/ashmem crept into binder_use() as it was common to many binder using domains. Move it out of binder_use() to app_domain() and specific domains as required. Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
ad7df7bb76ce00cdef711ad1f96a9a7243981f4e |
|
20-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove execmem permission from domain, add to appdomain. execmem permission controls the ability to make an anonymous mapping executable or to make a private file mapping writable and executable. Remove this permission from domain (i.e. all domains) by default, and add it explicitly to app domains. It is already allowed in other specific .te files as required. There may be additional cases in device-specific policy where it is required for proprietary binaries. Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
527316a21b80c2a70d8ed23351299a4dce0c77bf |
|
23-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow use of art as the Android runtime. system_server and app domains need to map dalvik-cache files with PROT_EXEC. type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains. type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
594693705f0d5768db3c3212037da5fd5d5653be |
|
16-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Add rules to permit CTS security-related tests to run. Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
61dc35072090f2735af2b39572e39eadb30573eb |
|
17-Dec-2013 |
Nick Kralevich <nnk@google.com> |
app.te: allow getopt/getattr on zygote socket The closure of /dev/socket/zygote occurs in the zygote child process, after Zygote has dropped privileges and changed SELinux domains. In Google's internal tree, socket closures are following a different path, which is causing getopt/getattr to be used on the file descriptor. This is generating a large number of denials. Allow the operations for now. getopt/getattr are fairly harmless. Long term, we shouldn't be performing these operations on the zygote socket. Addresses the following denials: 18.352783 type=1400 audit(1386374111.043:7): avc: denied { getattr } for pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 18.353088 type=1400 audit(1386374111.043:8): avc: denied { getopt } for pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 18.833251 type=1400 audit(1386374111.524:9): avc: denied { getattr } for pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 18.833557 type=1400 audit(1386374111.524:10): avc: denied { getopt } for pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.042419 type=1400 audit(1386374111.734:11): avc: denied { getattr } for pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.042724 type=1400 audit(1386374111.734:12): avc: denied { getopt } for pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.182830 type=1400 audit(1386374111.874:14): avc: denied { getattr } for pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.183105 type=1400 audit(1386374111.874:15): avc: denied { getopt } for pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.235473 type=1400 audit(1386374111.924:16): avc: denied { getattr } for pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket Bug: 12061011 Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9
/external/sepolicy/app.te
|
09e6abd91b3aaaa11a44d032e095360c64a97b3a |
|
14-Dec-2013 |
Nick Kralevich <nnk@google.com> |
initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
/external/sepolicy/app.te
|
3ba9012535d8412d94db4ae9a5ce928b806e26d8 |
|
12-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move gpu_device type and rules to core policy. Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
cf6b350a32ea65fa359981bd42ca0324547e2784 |
|
11-Dec-2013 |
Nick Kralevich <nnk@google.com> |
Allow apps to execute ping Addresses the following denials: <5>[ 170.166218] type=1400 audit(1386789488.029:57): avc: denied { getattr } for pid=4352 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file <5>[ 170.166356] type=1400 audit(1386789488.029:58): avc: denied { execute } for pid=4352 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file <5>[ 170.166841] type=1400 audit(1386789488.029:59): avc: denied { read open } for pid=4389 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file <5>[ 170.166962] type=1400 audit(1386789488.029:60): avc: denied { execute_no_trans } for pid=4389 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file Change-Id: Ic175ef7392897a3941c36db67dfa59ded35204b5
/external/sepolicy/app.te
|
65317124a0bb7db4829f78e74c7bfe18e27f1c43 |
|
11-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow untrusted apps to execute binaries from their sandbox directories. Various third party apps come with their own binaries that they write out to their sandbox directories and then execute, e.g.: audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file While this is not ideal from a security POV, it seems necessary to support for compatibility with Android today. Split out the execute-related permissions to a separate allow rule as it only makes sense for regular files (class file) not other kinds of files (e.g. fifos, sockets, symlinks), and use the rx_file_perms macro. Move the rule to untrusted_app only so that we do not permit system apps to execute files written by untrusted apps. Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
48759ca2054fa742724cd81debed51208b69e758 |
|
29-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
82fc3b524164588388aa3595bd2158020d93d28a |
|
06-Dec-2013 |
Nick Kralevich <nnk@google.com> |
Allow app-app communication via pipes Allow apps to communicate with each other via pipes. In particular, this fixes a bug where printing from Chrome wasn't working. STEPS TO REPRODUCE: 1. Launch Chrome 2. From menu tap print and observe OR 1. Launch Drive, Select any file (*.txt, *.doc. *.pdf.........) 2. Select print Addresses the following denials: <5>[ 122.352797] type=1400 audit(1386363998.374:18): avc: denied { write } for pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file <5>[ 123.248363] type=1400 audit(1386363999.264:19): avc: denied { getattr } for pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file <5>[ 123.248620] type=1400 audit(1386363999.264:20): avc: denied { write } for pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file Bug: 12032455 Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c
/external/sepolicy/app.te
|
ddf98fa8cf11000f91329945abc23ee791adfe69 |
|
31-Oct-2013 |
Geremy Condra <gcondra@google.com> |
Neverallow access to the kmem device from userspace. Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
/external/sepolicy/app.te
|
73c5ea722c7ee328f0d10179601afd9d5a054b94 |
|
26-Oct-2013 |
Nick Kralevich <nnk@google.com> |
fix typo Change-Id: Ieda312d5607dd17af0bb70045fbaba8ddec38c94
/external/sepolicy/app.te
|
d7fd22e601293ffae0de2166b226adbae1f7e33e |
|
22-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Confine bluetooth app. Remove unconfined_domain() from the bluetooth app domain, restore the rules from our policy, and move the neverallow rule for bluetooth capabilities to bluetooth.te. Make the bluetooth domain permissive again until it has received sufficient testing. Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
0b8c20e7ddce7cf791447f15be540ee2d0a6bfb2 |
|
09-Oct-2013 |
Nick Kralevich <nnk@google.com> |
Allow apps to use the USB Accessory functionality Apps may need to access the USB Accessory interface, which involves reads / writes / etc to /dev/usb_accessory and /dev/bus/usb/* See http://developer.android.com/guide/topics/connectivity/usb/accessory.html for more information. This addresses the following denials: [ 80.075727] type=1400 audit(1379351306.384:9): avc: denied { read write } for pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file [ 86.204387] type=1400 audit(1379304688.579:10): avc: denied { getattr } for pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file [ 2773.581032] type=1400 audit(1379307375.959:22): avc: denied { read write } for pid=761 comm="Binder_A" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file [ 2773.590843] type=1400 audit(1379307375.969:23): avc: denied { getattr } for pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file [ 2773.591111] type=1400 audit(1379307375.969:24): avc: denied { ioctl } for pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file Bug: 10780497 Change-Id: I9663222f7a75dcbf3c42788a5b8eac45e69e00bb
/external/sepolicy/app.te
|
57085446eb49777189123a994884f76b8491ed26 |
|
30-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Except the shell domain from the transition neverallow rule. Shell domain can transition to other domains for runas, ping, etc. Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
2a273ad2c50b255985a71e92898ac9224a9d2bd7 |
|
27-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Expand the set of neverallow rules applied to app domains. This change synchronizes the AOSP set of neverallow rules for app domains with our own. However, as we exclude unconfineddomain from each neverallow rule, it causes no breakage in the AOSP policy. As app domains are confined, you will need to either adjust the app domain or the neverallow rule according to your preference. But our policy builds with all of these applied with all app domains confined. Change-Id: I00163d46a6ca3a87e3d742d90866300f889a0b11 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
1fdee11df2552e29da0c48e3432f26f7a93e3bff |
|
14-Sep-2013 |
Alex Klyubin <klyubin@google.com> |
1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
/external/sepolicy/app.te
|
a62d5c667984435fd9ba3bf1eb11d4fdaa3849c1 |
|
10-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop obsolete comments about SEAndroidManager. Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
17454cf805748a8792608a44bbfddb00fb918841 |
|
11-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not permit appdomain to create/write to download_file. The comment says that apps can read downloaded files, but the file_type_auto_trans() macro expands to permit create/write access. Also we don't need a type transition when staying in the same type as the parent directory so we only truly need allow rules here. Hence, we remove file_type_auto_trans() altogether, and add an allow rule for search access to the directory. If create/write access is truly required, then we can just change the allow rules to use rw_dir_perms and create_file_perms. Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
5b00f223495ccb87cc8069d819bee6be9b3b99d6 |
|
11-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove duplicated rules between appdomain and isolated_app. r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te; delete it from isolated_app.te. binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it. Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
a24a991dd59fe03cdc681aadcb6bbca1ffac9b7b |
|
12-Sep-2013 |
Nick Kralevich <nnk@google.com> |
Allow apps to execute app_data_files
Fixes the following denial:
<5>[28362.335293] type=1400 audit(1378991198.292:24): avc: denied { execute } for pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12
/external/sepolicy/app.te
|
81560733a47633036133ce548bf638bc3d91f5cf |
|
30-Aug-2013 |
Geremy Condra <gcondra@google.com> |
Fix denials encountered while getting bugreports. Bug: 10498304 Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74
/external/sepolicy/app.te
|
2637198f92d5d9c65262e42d78123d216889d546 |
|
16-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Only init should be able to load a security policy Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
/external/sepolicy/app.te
|
6634a1080e6617854d0b29bc65bb1c852ad3d5b6 |
|
13-Jul-2013 |
Nick Kralevich <nnk@google.com> |
untrusted_app.te / isolated_app.te / app.te first pass
This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below.
* Allow communication with netd/dnsproxyd, to allow netd to handle dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming the DAC allows access.
In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added.
This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode.
Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
/external/sepolicy/app.te
|
748fdef626d1dda2a0a727ea35d85d04363f5307 |
|
13-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
/external/sepolicy/app.te
|
0c9708b2af4ea345277a47ae7bc1ce890e90d2bc |
|
10-Jul-2013 |
Nick Kralevich <nnk@google.com> |
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertently introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
/external/sepolicy/app.te
|
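The AVC denials quoted in the USB accessory and app_data_file entries above, and the neverallow assertions described in this and the preceding entries ("only init should be able to load a security policy", the relabelto neverallow domain), are the two halves of the workflow a policy author runs through: turn denials into the minimal allow rules, then make sure none of them contradicts a neverallow before the build (or CTS) rejects it. The following is an added example written for this page in Python; it is not code from the AOSP sepolicy project. It parses raw audit lines into coalesced allow rules the way audit2allow does, then checks each generated rule against neverallow assertions. The attribute membership table, the two neverallow entries (paraphrases of the load_policy and relabelto assertions the commits mention, not the project's exact policy text, and the relabeltodomain membership is assumed) and the last two denial lines are constructed for illustration; the first four denial lines are the ones quoted on this page.

```python
import re
from collections import defaultdict

# Kernel audit format of the denials quoted in this log. Context levels may
# carry MLS categories (s0:c512,c768), hence \S+ rather than a literal s0.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=u:\w+:(?P<src>[^:\s]+):\S+ "
    r"tcontext=u:\w+:(?P<tgt>[^:\s]+):\S+ "
    r"tclass=(?P<cls>\w+)"
)

# First four lines: denials quoted in the commit messages on this page.
# Last two lines: CONSTRUCTED for this example to trip the neverallow check.
SAMPLE_DENIALS = """\
[ 80.075727] type=1400 audit(1379351306.384:9): avc: denied { read write } for pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[ 86.204387] type=1400 audit(1379304688.579:10): avc: denied { getattr } for pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file
[ 2773.591111] type=1400 audit(1379307375.969:24): avc: denied { ioctl } for pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file
<5>[28362.335293] type=1400 audit(1378991198.292:24): avc: denied { execute } for pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
[ 99.000001] type=1400 audit(1379400000.000:30): avc: denied { load_policy } for pid=4242 comm="evil" scontext=u:r:untrusted_app:s0 tcontext=u:r:kernel:s0 tclass=security
[ 99.000002] type=1400 audit(1379400000.001:31): avc: denied { relabelto } for pid=4242 comm="evil" name="foo" dev="mmcblk0p23" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
"""

# Attribute membership, CONSTRUCTED for the example. In the real policy this
# comes from the type/typeattribute statements spread across the .te files.
ATTRIBUTES = {
    "domain": {"init", "kernel", "system_server", "untrusted_app",
               "platform_app", "isolated_app", "shell"},
    "appdomain": {"untrusted_app", "platform_app", "isolated_app", "shell"},
    "relabeltodomain": {"init"},  # assumed membership, not the project's list
}

# Paraphrases of the two assertions the commits describe ("only init loads
# policy", "only relabeltodomain may relabelto"); not the project's exact
# text. Fields: source set expression, target set expression, class, perms.
NEVERALLOWS = [
    ("{ domain -init }", "kernel", "security", {"load_policy"}),
    ("{ domain -relabeltodomain }", "*", "*", {"relabelto"}),
]


def expand_set(expr, attributes=ATTRIBUTES):
    """Expand a policy set expression such as '{ domain -init }' or 'kernel'
    into concrete type names. '*' returns None, meaning "matches anything"."""
    if expr == "*":
        return None
    result = set()
    for tok in expr.strip("{} ").split():
        if tok.startswith("-"):
            result -= attributes.get(tok[1:], {tok[1:]})
        else:
            result |= attributes.get(tok, {tok})
    return result


def parse_denials(log):
    """Coalesce permissions per (source, target, class) across all AVC lines,
    so repeated denials against one object collapse into a single rule."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (m.group("src"), m.group("tgt"), m.group("cls"))
            rules[key] |= set(m.group("perms").split())
    return dict(rules)


def format_rule(src, tgt, cls, perms):
    """Render one allow rule in .te syntax, with braces only for several perms."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


def generate_rules(log):
    """audit2allow-style output: one allow rule per (source, target, class)."""
    return [format_rule(*key, perms) for key, perms in sorted(parse_denials(log).items())]


def neverallow_violations(rules, neverallows=NEVERALLOWS, attributes=ATTRIBUTES):
    """Return (key, forbidden_perms, neverallow) for each generated rule that
    grants something a neverallow forbids. The policy compiler rejects such a
    build, so catching it here saves a failed build or CTS run."""
    hits = []
    for (src, tgt, cls), perms in rules.items():
        for na in neverallows:
            na_src, na_tgt, na_cls, na_perms = na
            srcs = expand_set(na_src, attributes)
            tgts = expand_set(na_tgt, attributes)
            if srcs is not None and src not in srcs:
                continue
            if tgts is not None and tgt not in tgts:
                continue
            if na_cls != "*" and cls != na_cls:
                continue
            bad = perms & na_perms
            if bad:
                hits.append(((src, tgt, cls), bad, na))
    return hits


if __name__ == "__main__":
    parsed = parse_denials(SAMPLE_DENIALS)
    for rule in generate_rules(SAMPLE_DENIALS):
        print(rule)
    for key, bad, na in neverallow_violations(parsed):
        print("REJECTED by neverallow", na[:3], "->", format_rule(*key, bad))
```

Run stand-alone, the script prints five coalesced allow rules (the two usbaccessory_device denials merge into one `{ getattr read write }` rule) and flags the two constructed denials as rules that a neverallow forbids. The point of checking before committing is the one the log keeps making: an allow rule that collides with a neverallow does not silently weaken the policy, it fails the build, so the fix is either to drop the rule or to move the requesting type out of the asserted set, as the system_app and shell exceptions above do.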
77d4731e9d30c8971e076e2469d6957619019921 |
|
18-May-2013 |
repo sync <gcondra@google.com> |
Make all domains unconfined. This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
/external/sepolicy/app.te
|
50e37b93ac97631dcac6961285b92af5026557af |
|
15-May-2013 |
repo sync <gcondra@google.com> |
Move domains into per-domain permissive mode. Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
/external/sepolicy/app.te
|
11153ef34928ab9d13658606695cba192aa03e21 |
|
08-May-2013 |
repo sync <gcondra@google.com> |
Add rules for asec containers. Change-Id: I91f6965dafad54e98e2f7deda956e86acf7d0c96
/external/sepolicy/app.te
|
bfb26e7b0761121039dea36ad34b6c5054babcfa |
|
04-Apr-2013 |
Geremy Condra <gcondra@google.com> |
Add downloaded file policy. Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366
/external/sepolicy/app.te
|
ffd8c441a5903772af1705ddea5756d117bc9ec9 |
|
03-Apr-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Add new domains for private apps. /data/app-private is used when making an app purchase or forward locking. Provide a new label for the directory as well as the tmp files that appear under it. Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/external/sepolicy/app.te
|
62508bf498af44ea7d54bf85b4a8c1202cd26c8e |
|
04-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow apps to execute the shell or system commands unconditionally. Change-Id: I54af993bd478d6b8d0462d43950bb1a991131c82 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
0677cb2ebda66adfabced3390f6c8b40eb06bc33 |
|
04-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow fstat of platform app /data/data files. Change-Id: I8d46a809c08cd21b0d6c3173998035ab3cc79ada Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
b5f6977a28ae7c8474fe23cefe26f3556a533207 |
|
04-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Coalesce rules for allowing execution of shared objects by app domains. Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
9de4c6920220880e236ef1648ebd900c69727d43 |
|
04-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Strip unnecessary trailing semicolon on macro calls. Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
81fe5f7c0f47d48faa820ad5f8d3f4f44637a486 |
|
04-Apr-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow all domains to read the log devices. Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver. Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
4387956f2607f9836e13267c10c5a5d0929eeb4c |
|
28-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Add the ability to stat files under /cache for media_app. This feels like a hidden bug- it shouldn't be trying to stat everything under /cache anyways- but allowing for now. Change-Id: Ib5ddfbb408c9f0b6c6218c78a678fcdb09360ccd
/external/sepolicy/app.te
|
2ae799e44e6603c4b5edc941ce41df9eaa7785ae |
|
28-Mar-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop separate domain for browser. Change-Id: Ib37b392cb6f6d3fb80852b9a2a6547ab86cd9bff Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
0ecb0f886660da5ddfd6945e4b993048727caac8 |
|
28-Mar-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Eliminate most of the app policy booleans. Just allow them unconditionally for compatibility. Change-Id: I85b56532c6389bdfa25731042b98d8f254bd80ee Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
e69552ba2d76174d443d1b8457295e4d72f2a986 |
|
26-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Revert "Revert "Various minor policy fixes based on CTS."" This reverts commit ba84bf1dec64d745b6efc516799b2c722a672cd9 Hidden dependency resolved. Change-Id: I9f0844f643abfda8405db2c722a36c847882c392
/external/sepolicy/app.te
|
18b5f87ea18baaf7356a1f1729dc2737be3c141e |
|
07-Jan-2013 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
racoon policy. Initial policy for racoon (IKE key management). Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil> Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479
/external/sepolicy/app.te
|
ba84bf1dec64d745b6efc516799b2c722a672cd9 |
|
22-Mar-2013 |
Geremy Condra <gcondra@google.com> |
Revert "Various minor policy fixes based on CTS." This reverts commit 8a814a7604afd20f12c9ff3dcdae7d10e9b75f84 Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
/external/sepolicy/app.te
|
8a814a7604afd20f12c9ff3dcdae7d10e9b75f84 |
|
12-Mar-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Various minor policy fixes based on CTS. Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
c195ec31485766d065d3e3101268d5ce727ff4c0 |
|
07-Mar-2013 |
William Roberts <w.roberts@sta.samsung.com> |
Split internal and external sdcards
Two new types are introduced:
- sdcard_internal
- sdcard_external
The existing type sdcard is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards.
Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
/external/sepolicy/app.te
|
9ce99e3908fcd81430bc9612e5d86819939b6db2 |
|
16-Nov-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Update binder-related policy. The binder_transfer_binder hook was changed in the kernel, obsoleting the receive permission and changing the target of the transfer permission. Update the binder-related policy to match the revised permission checking. Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
c8106f12c09dfffebebcff6b435d4974e6b2a9d7 |
|
11-Jan-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only allow read/write not open on platform_app_data_file. Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
1c8464e1365950538e9e4647a4f220910f79ab1e |
|
04-Dec-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
App data backup security policy.
Policy covers:
* backup_data_file type for labeling all files/dirs under /data dealing with backup mechanism.
* cache_backup_file type for labeling all files/dirs under /cache dealing with backup mechanism. This also covers the use of LocalTransport for local archive and restore testing.
* the use of 'adb shell bmgr' to initiate backup mechanism from shell.
* the use of 'adb backup/restore' to archive and restore the device's data.
Change-Id: I700a92d8addb9bb91474bc07ca4bb71eb4fc840e
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/external/sepolicy/app.te
|
4c266ba1bc71b8aeb09deb1574550f44807ac0e3 |
|
03-Dec-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Change security policy so all apps can read /dev/xt_qtaguid. Generic init.rc allows any process to use socket tagging. Adjust app policy to ensure that any app can read from the misc device. Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/external/sepolicy/app.te
|
7672eac5fb0d0ce3bcb52f11b125b25ac597ea3f |
|
22-Oct-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Add SELinux policy for asec containers.
Creates 2 new types:
- asec_apk_file : files found under /mnt/asec when the asec images are mounted
- asec_image_file : the actual encrypted apks under /data/app-asec
Change-Id: I963472add1980ac068d3a6d36a24f27233022832
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/external/sepolicy/app.te
|
f26d813033b6e2b669efc7e030a705fd0fa6d0ca |
|
26-Sep-2012 |
Joshua Brindle <jbrindle@tresys.com> |
allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access
- allow all apps to connect to the keystore over unix socket
- dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files
- mtp connects to dnsproxyd when a pptp vpn connection is established
- allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device
- WifiWatchDog uses packet_socket when wifi comes up
- apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction
- for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject
Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
/external/sepolicy/app.te
|
061f254def394fdc4784fe6c446bdd779cfec768 |
|
20-Sep-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define security labeling for isolated processes. Used when an app service is declared with android:isolatedProcess="true". Place such processes in a separate domain, and further isolate them from each other via categories. Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/app.te
|
abd977a79ec0a1f90cf236339e080775491b9919 |
|
10-Aug-2012 |
rpcraig <rpcraig@tycho.ncsc.mil> |
Additions for grouper/JB
/external/sepolicy/app.te
|
901cc36664399f5803c64bd5a26932807d6749aa |
|
30-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
Untrusted_app gets route information
/external/sepolicy/app.te
|
d28714c6f9169b4a3ac6e8ada9b3ffdd1a225480 |
|
30-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce app_read_logs boolean.
/external/sepolicy/app.te
|
3261feef9794db542516097faba62c58492c13bb |
|
30-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
untrusted_app reads logs when android_cts enabled
/external/sepolicy/app.te
|
1f0f77fcdf95fefb5ac7737f33a891e0bff42455 |
|
28-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
Allow CTS Test apps to access to system_data_file
/external/sepolicy/app.te
|
59e9680825b6d07c2ce42a0bd70fa420b8d90acd |
|
28-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
socket permissions to untrusted_app
/external/sepolicy/app.te
|
2b47c3fc351977b801d1c154bb7a8def2e784948 |
|
27-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
allocate perms to platformappdomain over system_data_file
/external/sepolicy/app.te
|
7585fc64003a2caf56643e80fbc9984903cf3d2d |
|
27-Jul-2012 |
Haiqing Jiang <hqjiang1988@gmail.com> |
Platform app domain sdcard accesses
/external/sepolicy/app.te
|
b9760aa0d59aafe5c36ee4522fb36d51a9c147df |
|
27-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps. Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps. Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps. Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps. Specify this new type for the platform app entries in seapp_contexts. Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.
/external/sepolicy/app.te
|
4c06d273bc3d278e7061bf93cfa97fdf2a4e8ee3 |
|
19-Jul-2012 |
hqjiang <hqjiang1988@gmail.com> |
Target the denials/policies over qtaguid file and device:
1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc";
2. Label /dev/xt_qtaguid with "qtaguid_device";
3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device;
4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device;
5. Allow system read/[write] to qtaguid_proc and qtaguid_device.
Actually, some of the policies related to qtaguid have been there already, but we refine existing ones and add new ones.
/external/sepolicy/app.te
|
1c7351652c69bc571b8edfa4a8874b58c73568aa |
|
12-Jul-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Address various denials introduced by JB/4.1.
/external/sepolicy/app.te
|
96bf5059621cd3903e1a402b2c90dbb652aedf90 |
|
11-Jul-2012 |
Michal Mašek <michal.masek@circletech.net> |
Fix the app_ndk policy boolean allow rule.
/external/sepolicy/app.te
|
03d2803c542cbae539dba785153e58d81c503bf3 |
|
25-Jun-2012 |
William Roberts <bill.c.roberts@gmail.com> |
media app should have rw access to sdcard dir and files.
/external/sepolicy/app.te
|
f3b587cab01a7a54a5a2c3296844083d90fc6641 |
|
21-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Rewrite app domains and seapp_contexts to leverage new seinfo tags.
/external/sepolicy/app.te
|
e4682a63ab87f79130b4f914b79be0867e0d669d |
|
27-Jun-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow apps to write to /proc/net/xt_qtaguid/ctrl.
/external/sepolicy/app.te
|
a883c3863739d5ada3509517af148a9499401600 |
|
04-Apr-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow apps to write to anr_data_file for /data/anr/traces.txt.
/external/sepolicy/app.te
|
f6cbbe255bc57a241f35c35629705e8f63bdd77a |
|
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce a separate wallpaper_file type for the wallpaper file.
/external/sepolicy/app.te
|
59d28035a1e0779a81cde104ea9afffd2bb1a77f |
|
19-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files.
/external/sepolicy/app.te
|
c83d0087e457787fc0441d959a20d56fc5200048 |
|
07-Mar-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Policy changes to support running the latest CTS.
/external/sepolicy/app.te
|
c94e2392f6d92064e3aa32fff2c5a70116c7398a |
|
06-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
Further policy for Motorola Xoom.
/external/sepolicy/app.te
|
2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 |
|
04-Jan-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
SE Android policy.
/external/sepolicy/app.te
|