Cross Reference: /external/sepolicy/app.te

History log of /external/sepolicy/app.te
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
480374e4d082238a71773f29483c5d24ad8b3f6d	17-Oct-2014	Nick Kralevich <nnk@google.com>	Fix compile time / CTS gps_data_files neverallow assertion Currently, zygote spawned apps are prohibited from modifying GPS data files. If someone tries to allow GPS access to any app domain, it generates a compile time / CTS exception. Relax the rules slightly for system_app. These apps run with UID=system, and shouldn't be banned from handling gps data files. This change doesn't add or remove any SELinux rules. Rather, it just relaxes a compile time assertion, allow partners to create SELinux rules allowing the access if they desire. Bug: 18021422 Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93 /external/sepolicy/app.te
51bfecf49d50982f64aba1fa73bbbdd2e40a444f	13-Oct-2014	Robin Lee <rgl@google.com>	Pull keychain-data policy out of system-data Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547 /external/sepolicy/app.te
49fd9567d933acedeedc6d2927951ec07ef65723	26-Sep-2014	Martijn Coenen <maco@google.com>	Merge "Allow NFC to read/write nfc. system properties." into lmp-dev
05383ebfb439bed8436912ed28db550e8842b343	26-Sep-2014	Martijn Coenen <maco@google.com>	Allow NFC to read/write nfc. system properties. Bug: 17298769 Change-Id: I1994ff9f9da9b13249099f6c9bcec88dcdc2bb97 /external/sepolicy/app.te
62083414a4cc2b9fd7eb22c3bc4ffa4d9285d4be	25-Sep-2014	Nick Kralevich <nnk@google.com>	allow apps to read the contents of mounted OBBs Apps should be able to read the contents of mounted OBBs. Steps to reproduce: 1) Install com.namcobandaigames.soulcaliburgp (SoulCalibur) 2) Attempt to run the app. Expected: App runs successfully. Actual: App crashes. See denials below. This can also be reproduced by running the newly introduced CTS test in I2018b63b0236ce6b5aee4094e40473315b1948c3 Addresses the following denials: avc: denied { read } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file avc: denied { open } for pid=4133 comm="roidJUnitRunner" name="test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file avc: denied { getattr } for pid=4133 comm="roidJUnitRunner" path="/mnt/obb/f73da56689d166b5389d49ad31ecbadb/test1.txt" dev="loop0" ino=23 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=file avc: denied { search } for name="/" dev="loop0" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:vfat:s0 tclass=dir permissive=0 Bug: 17633509 Change-Id: I49b722b24c1c7d9ab084ebee7c1e349d8d660ffa /external/sepolicy/app.te
a8b651bfba433ab91b565fea5276ceb7743ad15a	23-Sep-2014	Nick Kralevich <nnk@google.com>	relax appdomain efs_file neverallow rules [DO NOT MERGE] During factory provisioning, some manufacturers may need to pull files from /factory (label efs_file and bluetooth_efs_file) to collect device specific identifiers such as the mac address, using commands similar to the following: adb shell cat /factory/ssn adb shell cat /factory/bt/bd_addr.conf adb shell cat /factory/wifi/mac.txt adb shell cat /factory/60isn read-only access to these files is currently disallowed by a neverallow rule. Relax the rules to allow read-only access to the shell user if desired. No new SELinux rules are added or deleted by this change. This is only a relaxation in what's allowed for vendor specific policy. Bug: 17600278 (cherry picked from commit 200a9f0e20337b48824cf621a017e2852245e5ca) Change-Id: I2e277b1068a35cc06e0973df994ec3a49f2c26e7 /external/sepolicy/app.te
36fb1f1bf3fa29a639e4c9d793b36cbbceae2ec7	22-Sep-2014	Nick Kralevich <nnk@google.com>	relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets Netlink uevent sockets are used by the kernel to inform userspace when certain events occur, for example, when new hardware is added or removed. This allows userspace to take some action based on those messages. Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets. Certain device specific app domains, such as system_app, may have a need to receive messages from this socket type. Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app. These sockets have been the source of rooting attacks in Android in the past, and it doesn't make sense to expose this to untrusted_apps. No new SELinux rules are introduced by this change. This is an adjustment of compile time assertions only. Bug: 17525863 (cherry picked from commit 642b80427ec2e95eb13cf03a74d814f240813e71) Change-Id: I35f3dc8b1ead9f427645a13fb202e760d1e68e64 /external/sepolicy/app.te
309cc668f9da5a3e4df7ecd44f3618864e4cf7eb	09-Sep-2014	dcashman <dcashman@google.com>	Enable selinux read_policy for adb pull. Remove permission from appdomain. Bug: 16866291 Change-Id: I37936fed33c337e1ab2816258c2aff52700af116 /external/sepolicy/app.te
bcdff890304e694c09bf0a4a90fb76a82434fa57	01-Sep-2014	Mark Salyzyn <salyzyn@google.com>	logd: permit app access to clear logs I/auditd(19949): type=1400 audit(0.0:71): avc: denied { write } for comm="logcat" name="logd" dev="tmpfs" ino=5924 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:logd_socket:s0 tclass=sock_file (cherry picked from 60f0be84c0cf3a895c6b95ee8387b71e1b0c6d83) Bug: 17323719 Change-Id: Id8399195196ffad884eef98030d544c68ed0596f /external/sepolicy/app.te
67d58acb9b8d28dddeb9670e9801962b6fd7dcfd	28-Aug-2014	dcashman <dcashman@google.com>	Merge "Add permissive domains check to sepolicy-analyze." into lmp-dev
c30dd63f56ba5035eeb604b0b9b48f36ef5e8937	26-Mar-2014	dcashman <dcashman@google.com>	Add permissive domains check to sepolicy-analyze. Also enable global reading of kernel policy file. Motivation for this is to allow read access to the kernel version of the binary selinux policy. Bug: 17288791 Change-Id: I1eefb457cea1164a8aa9eeb7683b3d99ee56ca99 /external/sepolicy/app.te
711895db2897bc5d001899eb5e0f931c79a1ad3f	27-Aug-2014	dcashman <dcashman@google.com>	Allow appdomain read perms on apk_data_files. Address: type=1400 audit(0.0:103): avc: denied { read } for name="arm" dev="mmcblk0p28" ino=195471 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir Bug: 16204150 Change-Id: I8bf0172b26b780c110c0d95c691785143acd7dd2 /external/sepolicy/app.te
d990a78f8ef398488d6c0ce0a2d18b3d3a5183c4	29-Jul-2014	Stephen Smalley <sds@tycho.nsa.gov>	Fix neverallow rules to eliminate CTS SELinuxTest warnings. Fix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest. For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid. For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 21ada26daea538397029396099dce865267bae2f) Change-Id: I3346584da9b89f352864dcc30dde06d6bf42e98e /external/sepolicy/app.te
8ee37b4f1c58e1dcd00b198a9bbfeafb4221fdc9	15-Jul-2014	Ed Heyl <edheyl@google.com>	reconcile aosp (c103da877b72aae80616dbc192982aaf75dfe888) after branching. Please do not merge. Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4 /external/sepolicy/app.te
e9c90bddcea8d3d466fbc34361a7feea3eea4ad3	15-Jul-2014	Ed Heyl <edheyl@google.com>	reconcile aosp (4da3bb1481e4e894a7dee3f3b9ec8cef6f6b1aed) after branching. Please do not merge. Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e /external/sepolicy/app.te
be66069765b019257ed3bf1ca1285e643360a998	04-Jul-2014	Nick Kralevich <nnk@google.com>	Remove -unconfineddomain from neverallow rules Many of the neverallow rules have -unconfineddomain. This was intended to allow us to support permissive_or_unconfined(), and ensure that all domains were enforcing at least a minimal set of rules. Now that all the app domains are in enforcing / confined, there's no need to allow for these exceptions. Remove them. Change-Id: Ieb29872dad415269f7fc2fe5be5a3d536d292d4f /external/sepolicy/app.te
77eb35263f40607e36fdcd85d95050a4ecedb6b8	29-Jun-2014	Sharvil Nanavati <sharvil@google.com>	Grant Bluetooth CAP_WAKE_ALARM so it can use the POSIX timer API for wake alarms. Change-Id: Ic7b25e79116b90378e5e89a879d8e6b87e4f052e /external/sepolicy/app.te
22e0c414a50feed2f0475ab0d75301dce3488873	01-Jul-2014	Riley Spahn <rileyspahn@google.com>	Remove auditallow statements causing log spam. Remove the auditallow statements from app.te and binderservicedomain.te which were causing log spam. Change-Id: If1c33d1612866df9f338e6d8c19d73950ee028eb /external/sepolicy/app.te
1196d2a5763c9a99be99ba81a4a29d938a83cc06	17-Jun-2014	Riley Spahn <rileyspahn@google.com>	Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc /external/sepolicy/app.te
cf610692252b4df30b42f2bce3de464ac1804f97	20-Jun-2014	Stephen Smalley <sds@tycho.nsa.gov>	Only allow app domains to access SDcard via fuse mount. sdcard_internal is assigned to fuse mounts while sdcard_external is assigned to vfat mounts by genfs_contexts. Originally we allowed access to both via the sdcard_type attribute, and access via both means was required. IIUC however, in 4.4 and later, SDcard access should always occur via the fuse mount and we can drop access to sdcard_external. I think we can do the same for all domains except sdcardd. However, I cannot test this as the Nexus devices do not have external SDcard support. Also wondering if we should rename sdcard_internal type to fuse and sdcard_external type to vfat to more clearly represent their meaning, since one accesses the external SDcard via the fuse mount now. Change-Id: Ie44221e9eea90e627a48df5398c456b86293f724 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
fad4d5fb00ddb1f61c22c003429e10f10b046d0d	16-Jun-2014	Nick Kralevich <nnk@google.com>	Fix SELinux policies to allow resource overlays. The following commits added support for runtime resource overlays. New command line tool 'idmap' * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5 Runtime resource overlay, iteration 2 * 48d22323ce39f9aab003dce74456889b6414af55 Runtime resource overlay, iteration 2, test cases * ad6ed950dbfa152c193dd7e49c369d9e831f1591 During SELinux tightening, support for these runtime resource overlays was unknowingly broken. Fix it. This change has been tested by hackbod and she reports that everything is working after this change. I haven't independently verified the functionality. Test cases are available for this by running: * python frameworks/base/core/tests/overlaytests/testrunner.py Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40 /external/sepolicy/app.te
867030517724036b64fcaf39deaba1b27f3ca77e	11-Jun-2014	Nick Kralevich <nnk@google.com>	Remove world-read access to /data/dalvik-cache/profiles Remove /data/dalvik-cache/profiles from domain. Profiling information leaks data about how people interact with apps, so we don't want the data to be available in all SELinux domains. Add read/write capabilities back to app domains, since apps need to read/write profiling data. Remove restorecon specific rules. The directory is now created by init, not installd, so installd doesn't need to set the label. Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3 /external/sepolicy/app.te
42fb824ca9f3e46b4419f05083f2694ac67a8229	11-Jun-2014	Stephen Smalley <sds@tycho.nsa.gov>	Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
84ed890aebce5235018b846fac734b47833ee364	04-Jun-2014	Nick Kralevich <nnk@google.com>	Merge adf_device into graphics_device As of sepolicy commit a16a59e2c7f1e2f09bf7b750101973a974c972e8 (https://android-review.googlesource.com/94580), adf_device and graphics_device have the exact same security properties. Merge them into one type to avoid a proliferation of SELinux types. Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95 /external/sepolicy/app.te
6f6c425563f4faa4e1e12bf430c32d0b81a78f64	31-May-2014	Christopher Tate <ctate@android.com>	Adjust rules around /data/app entities This is to accomodate migration to (and ongoing support of) a new installed-app file topology, in which APK files are placed in /data/app/$PACKAGE-rev/, there is a canonical-path symlink /data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native libraries exist not under a top-level /data/app-lib/$PACKAGE-rev hard directory, but rather under /data/app/$PACKAGE/lib (when referenced by canonical path). Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0 /external/sepolicy/app.te
78706f9ef6d917fe2ec85ecb6b0f47fbc5efde57	02-Jun-2014	Nick Kralevich <nnk@google.com>	add execmod to various app domains NDK r8c and below induced text relocations into every NDK compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203). For compatibility, we need to support shared libraries with text relocations in them. Addresses the following error / denial: 06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix. <4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Steps to reproduce: 1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air) 2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd) 3) Attempt to run Play & Learn app Expected: App runs Actual: App crashes with error above. Bug: 15388851 Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663 /external/sepolicy/app.te
3235f61aa859af1d1c3d060eb55cf1929bc6914f	30-May-2014	Stephen Smalley <sds@tycho.nsa.gov>	Restrict /data/security and setprop selinux.reload_policy access. Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received. Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise. Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete. Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
685e2f9d9c0d3f64e9eabb789adb0b34f5f11836	28-May-2014	Nick Kralevich <nnk@google.com>	remove syslog_* from unconfined As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4 /external/sepolicy/app.te
f821b5a7977102a417b32f358bf87d1e0cdeb06d	28-May-2014	Nick Kralevich <nnk@google.com>	allow shell dmesg Allow the shell user to see the dmesg output. This data is already available via "adb bugreport", but isn't easy to access. Bug: 10020939 Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177 /external/sepolicy/app.te
9786af2bcaaf0ba25c0a50c81c748a05793ec847	23-May-2014	Torne (Richard Coles) <torne@google.com>	Define SELinux policy for RELRO sharing support. Define a domain and appropriate access rules for shared RELRO files (used for loading the WebView native library). Any app is permitted to read the files as they are public data, but only the shared_relro process is permitted to create/update them. Bug: 13005501 Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e /external/sepolicy/app.te
4fce0ef97c2a4cb6e0ce2adf17c012c8be6252bf	23-May-2014	Nick Kralevich <nnk@google.com>	Fix use of valgrind via app wrapping On userdebug / eng builds, Android supports the concept of app wrapping. You can run an app wrapped by another process. This is traditionally used to run valgrind on apps, looking for memory leaks and other problems. App wrapping is enabled by running the following command: adb shell setprop wrap.com.android.foo "TMPDIR=/data/data/com.android.foo logwrapper valgrind" Valgrind attempts to mmap exec /system/bin/app_process, which is being denied by SELinux. Allow app_process exec. Addresses the following denial: <4>[ 82.643790] type=1400 audit(16301075.079:26): avc: denied { execute } for pid=1519 comm="memcheck-arm-li" path="/system/bin/app_process32" dev="mmcblk0p25" ino=61 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file Bug: 15146424 Change-Id: I65394938c53da9252ea57856d9f2de465bb30c25 /external/sepolicy/app.te
71db4110434d18adfaf87fd788f8dfd1d5709899	14-May-2014	dcashman <dcashman@google.com>	Remove duplicate neverallow rule. Commit: 7ffb9972076bfbd2abab1df6b4d759d14d55af96 added protection against low memory mapping for all domains, a superset of appdomain. Remove the same, redundant neverallow rule from appdomain. Change-Id: Ia41c02763f6b5a260c56d10adfbab649d9f3f97c /external/sepolicy/app.te
681a687a6032e060742cf57b8e1f9d122fd5afca	08-May-2014	Stephen Smalley <sds@tycho.nsa.gov>	Drop appdomain unlabeled file execute. Should no longer be required due to restorecon_recursive of /data by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to restorecon_recursive of /data/data by installd (covers /data/data directories). Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
7004789de39c1e712169ac6d4c98bdbe43dcce6e	07-May-2014	Greg Hackmann <ghackmann@google.com>	Add policies for Atomic Display Framework ADF is a modern replacement for fbdev. ADF's device nodes (/dev/adf[X]), interface nodes (/dev/adf-interface[X].[Y]), and overlay engine nodes (/dev/adf-overlay-engine[X].[Y]) are collectively used in similar contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and healthd will need to send R/W ioctls to these nodes to prepare and update the display. Ordinary apps should not talk to ADF directly. Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343 Signed-off-by: Greg Hackmann <ghackmann@google.com> /external/sepolicy/app.te
91a4f8d4fdab7df8474c2ffaa996c879166d8a4c	07-May-2014	Stephen Smalley <sds@tycho.nsa.gov>	Label app data directories for system UID apps with a different type. We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories. This resolves the following denial when cropping or taking a user photo for secondary users: avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 14604553 Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
1545b6061518bac473cf93af576cbea12a992298	05-May-2014	Nick Kralevich <nnk@google.com>	allow untrusted_app to write to MMS files Commit 3fbc536dfd5afbce5ef45f18d0afb3516089ed88 allowed untrusted app to read radio data files passed via binder, but didn't allow write access. Write access is needed when sending MMS messages. Steps to reproduce: 1) have some photos on the device 2) Launch messaging app 3) Attach a MMS (Picture, capture video, capture picture, audio recording etc..) 4) Send EXPECTED RESULTS: No crash OBSERVED RESULTS: - Messaging crashes on sending MMS - messages are stuck in sending state Additional details: 05-05 10:14:01.196 2457 2457 W Binder_3: type=1400 audit(0.0:20): avc: denied { write } for path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file 05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!! 05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream. 05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4 05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966) 05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:674) 05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:650) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228) 05-05 10:14:01.203 27809 28219 E PduPersister: at java.lang.Thread.run(Thread.java:818) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS 05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809 05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at android.content.ContentUris.parseId(ContentUris.java:85) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at java.lang.Thread.run(Thread.java:818) 05-05 10:14:01.222 659 5253 W ActivityManager: Force finishing activity com.android.mms/.ui.ComposeMessageActivity Bug: 14562421 Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9 /external/sepolicy/app.te
6736bac21870bdc8bb6098ddffdb70103f7bc2a3	24-Apr-2014	Jeff Sharkey <jsharkey@android.com>	Define types for an OEM-provided filesystem. Bug: 13340779 Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587 /external/sepolicy/app.te
2562843425bb5f13e42b8605a1568308c6faff71	18-Apr-2014	Stephen Smalley <sds@tycho.nsa.gov>	Audit accesses on unlabeled files. To see whether we can safely remove these allow rules on unlabeled files since we now have restorecon_recursive /data in init.rc to fully relabel legacy userdata partitions, audit all accesses on such files. Exclude the init domain since it performs the restorecon_recursive /data and therefore will read unlabeled directories, stat unlabeled files, and relabel unlabeled directories and files on upgrade. init may also create/write unlabeled files in /data prior to the restorecon_recursive /data being called. Exclude the kernel domain for search on unlabeled:dir as this happens during cgroup filesystem initialization in the kernel as a side effect of populating the cgroup directory during the superblock initialization before SELinux has set the label on the root directory. Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
19c509034ee309c60c958637841c151d3c273421	09-Apr-2014	Stephen Smalley <sds@tycho.nsa.gov>	Define a type for /data/dalvik-cache/profiles. I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles subdirectory to /data/dalvik-cache with files that must be app-writable. As a result, we have denials such as: W/Profiler( 3328): type=1400 audit(0.0:199): avc: denied { write } for name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null) W/auditd ( 286): type=1307 audit(0.0:199): cwd="/" W/auditd ( 286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0 We do not want to allow untrusted app domains to write to the existing type on other /data/dalvik-cache files as that could be used for code injection into another app domain, the zygote or the system_server. So define a new type for this subdirectory. The restorecon_recursive /data in init.rc will fix the labeling on devices that already have a profiles directory created. For correct labeling on first creation, we also need a separate change to installd under the same change id. Bug: 13927667 Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
9ba844fea12a0b08770e870d63f3d3c375c7c9b5	04-Apr-2014	Stephen Smalley <sds@tycho.nsa.gov>	Coalesce shared_app, media_app, release_app into untrusted_app. This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set. As there is now only a single platform app domains, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS. Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml. Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
3fbc536dfd5afbce5ef45f18d0afb3516089ed88	27-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Allow reading of radio data files passed over binder. Addresses denials such as: avc: denied { read } for pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { getattr } for pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file avc: denied { read } for pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file This does not allow write denials such as: avc: denied { write } for pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file Need to understand whether write access is in fact required. Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
f9c3257fbaa16dbbffe3493b103d0b16ada1c0b5	12-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Get rid of separate download_file type. This appears to have been created to allow untrusted_app to access DownloadProvider cache files without needing to allow open access to platform_app_data_file. Now that platform_app_data_file is gone, there is no benefit to having this type. Retain a typealias for download_file to app_data_file until restorecon /data/data support is in place to provide compatibility. This change depends on: https://android-review.googlesource.com/#/c/87801/ Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
dc88dca115791053d00354785be37a38259b3781	12-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Get rid of separate platform_app_data_file type. The original concept was to allow separation between /data/data/<pkgdir> files of "platform" apps (signed by one of the four build keys) and untrusted apps. But we had to allow read/write to support passing of open files via Binder or local socket for compatibilty, and it seems that direct open by pathname is in fact used in Android as well, only passing the pathname via Binder or local socket. So there is no real benefit to keeping it as a separate type. Retain a type alias for platform_app_data_file to app_data_file until restorecon /data/data support is in place to provide compatibility. Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
853ffaad323b3e5db14d3f2e4fbe7fa96160ede4	06-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Deduplicate neverallow rules on selinuxfs operations. We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te. Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
b0db712bf048dc634363b658a647b1f1897d8433	06-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Clean up, unify, and deduplicate app domain rules. Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files. Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as: avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket Change-Id: I770d7d51d498b15447219083739153265d951fe5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
3dad7b611a448fa43a678ff760c23a00f387947e	05-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Address system_server denials. Label /proc/sysrq-trigger and allow access. Label /dev/socket/mtpd and allow access. Resolves denials such as: avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv er:s0 tclass=udp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s 0 tclass=tcp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
2737ceff233a32be67ebc6e3dba6e80b8df6df0a	04-Mar-2014	Stephen Smalley <sds@tycho.nsa.gov>	Allow stat/read of /data/media files by app domains. Resolves denials such as: avc: denied { read } for pid=23862 comm="Binder_4" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file avc: denied { getattr } for pid=26800 comm="ImageLoader" path="/data/media/0/DCIM/.thumbnails/1390499643135.jpg" dev="mmcblk0p28" ino=171695 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Change-Id: I8221359123ecc41ea28e4fcbce4912b42a6510f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
28afdd9234236d0b3c510f28255aa14625d11457	26-Feb-2014	Stephen Smalley <sds@tycho.nsa.gov>	Deduplicate binder_call rules. A number of binder_call rules are duplicated by other rules written in terms of attributes/sets (e.g. appdomain, binderservicedomain). Get rid of the duplicates. Also use binder_use() in racoon.te rather than manually writing the base rule for communicating with the servicemanager. Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
2c347e0a3676bb50cac796ca94eb6ab53c08fc87	25-Feb-2014	Stephen Smalley <sds@tycho.nsa.gov>	Drop obsolete keystore_socket type and rules. Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched the keystore to using binder instead of a socket, so this socket type and rules have been unused for a while. The type was only ever assigned to a /dev/socket socket file (tmpfs) so there is no issue with removing the type (no persistent files will have this xattr value). Change-Id: Id584233c58f6276774c3432ea76878aca28d6280 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
85708ec4f91fd70b215dc69e00b80e0e7a7d4686	24-Feb-2014	Stephen Smalley <sds@tycho.nsa.gov>	Resolve overlapping rules between app.te and net.te. There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain. Resolve this overlap by: 1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket. 2) Adding net_domain() calls to all existing app domains that do not already have it. 3) Deleting the redundant socket rules from app.te. Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access. Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions. Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
0b218ec5fc7a1bce349dc319de6c5c904d9368e6	06-Feb-2014	Dave Platt <dplatt@google.com>	Finish fixing Zygote descriptor leakage problem In order to prevent Zygote descriptors from leaking into the child environment, they should be closed by the forked-off child process before the child switches to the application UID. These changes close the descriptors via dup2(), substituting a descriptor open to /dev/null in their place; this allows the Zygote Java code to close the FileDescriptor objects cleanly. This is a multi-project change: dalvik, art, libcore, frameworks/base, and external/sepolicy are affected. The CLs need to be approved together, lest the build break or the software fail to boot. Bug: 12114500 Change-Id: Ie45ddf6d661a1ea8570cd49dfea76421f2cadf72 /external/sepolicy/app.te
8ed750e9731e6e3a21785e91e9b1cf7390c16738	13-Nov-2013	Mark Salyzyn <salyzyn@google.com>	sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 /external/sepolicy/app.te
a637b2f21eda997f6d1bcb8f2600a5ee3195785d	30-Jan-2014	William Roberts <wroberts@tresys.com>	assert: Do not allow access to generic device:chr_file Rather, enforce that a relabel should be done. This tightens an existing assertion. Change-Id: I0500e3dc483e6bf97e5b017043e358bcbdc69904 /external/sepolicy/app.te
fc4c6b798a0c8ff38b4b943209ba1653a0276dfa	23-Jan-2014	Robert Craig <rpcraig@tycho.ncsc.mil>	Allow all appdomains to grab file attributes of wallpaper_file. When setting a static wallpaper on multiple devices the following denials were encountered. avc: denied { getattr } for pid=1775 comm="llpaper_chooser" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:shared_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=799 comm="ndroid.systemui" path="/data/system/users/0/wallpaper" dev="mmcblk0p23" ino=104679 scontext=u:r:platform_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=1909 comm=4173796E635461736B202332 path="/data/system/users/0/wallpaper" dev="mmcblk0p28" ino=586422 scontext=u:r:release_app:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file platform_app access is from the SystemUI app whereas the other denials are from the Launcher that is used on the particular device. For instance, Launcher2 triggers the shared_app denial whereas release_app (used by Launcher3) triggers the other denial. Because of this, add the rule to all appdomains. The static wallpaper is still set without this change. Just add the rule to avoid the noise in the logs. Change-Id: Ida84d1695d52379d67b87318403f629fd07109a4 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> /external/sepolicy/app.te
2e7a301fad5b6065e2d364170a80bc58bc41aab0	11-Jan-2014	Nick Kralevich <nnk@google.com>	Address bug report denials. Triggering a bug report via Settings > Developer Options > Take bug report generates a number of denials. Two bugs here: 1) According to the "allowed" list in frameworks/native/cmds/servicemanager/service_manager.c , media apps, nfc, radio, and apps with system/root UIDs can register as a binder service. However, they were not placed into the binder_service domain. Fix them. 2) The bugreport mechanism queries all the services and java programs and asks them to write to a shell owned file. Grant the corresponding SELinux capability. Addresses the following denials: <5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3 /external/sepolicy/app.te
09f6a99b667c63cb4084583df10b13cde9b1e78a	13-Jan-2014	Stephen Smalley <sds@tycho.nsa.gov>	Allow mediaserver to connect to bluetooth. Re-purpose the existing bluetooth_socket type, originally for /dev/socket/bluetooth used by bluetoothd in the old bluetooth stack, for sockets created by bluedroid under /data/misc/bluedroid, and allow mediaserver to connect to such sockets. This is required for playing audio on paired BT devices. Based on b/12417855. Change-Id: I24ecdf407d066e7c4939ed2a0edb97222a1879f6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
df8af76f2678e3ea63e83701ac4b5afec24adf9f	13-Jan-2014	Stephen Smalley <sds@tycho.nsa.gov>	Add an exception for bluetooth to the sysfs neverallow rule. This is required for the grouper sepolicy, where we must allow bluetooth domain to write to the base sysfs type due to a kernel bug. Change-Id: I14b0530387edce1097387223f0def9b59e4292e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
959fdaaa25d7dbfad8a1900dfe9575f873cea649	09-Jan-2014	Stephen Smalley <sds@tycho.nsa.gov>	Remove unlabeled execute access from domain, add to appdomain. Otherwise all domains can create/write files that are executable by all other domains. If I understand correctly, this should only be necessary for app domains executing content from legacy unlabeled userdata partitions on existing devices and zygote and system_server mappings of dalvikcache files, so only allow it for those domains. If required for others, add it to the individual domain .te file, not for all domains. Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
396015c3952bcbd5678dc20d5e5e4407cf6a4d4a	07-Jan-2014	Stephen Smalley <sds@tycho.nsa.gov>	Remove ping domain. ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1	23-Dec-2013	Stephen Smalley <sds@tycho.nsa.gov>	Only allow PROT_EXEC for ashmem where required. tmpfs_domain() macro defines a per-domain type and allows access for tmpfs-backed files, including ashmem regions. execute-related permissions crept into it, thereby allowing write + execute to ashmem regions for most domains. Move the execute permission out of tmpfs_domain() to app_domain() and specific domains as required. Drop execmod for now we are not seeing it. Similarly, execute permission for /dev/ashmem crept into binder_use() as it was common to many binder using domains. Move it out of binder_use() to app_domain() and specific domains as required. Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
ad7df7bb76ce00cdef711ad1f96a9a7243981f4e	20-Dec-2013	Stephen Smalley <sds@tycho.nsa.gov>	Remove execmem permission from domain, add to appdomain. execmem permission controls the ability to make an anonymous mapping executable or to make a private file mapping writable and executable. Remove this permission from domain (i.e. all domains) by default, and add it explicitly to app domains. It is already allowed in other specific .te files as required. There may be additional cases in device-specific policy where it is required for proprietary binaries. Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
527316a21b80c2a70d8ed23351299a4dce0c77bf	23-Dec-2013	Stephen Smalley <sds@tycho.nsa.gov>	Allow use of art as the Android runtime. system_server and app domains need to map dalvik-cache files with PROT_EXEC. type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains. type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
594693705f0d5768db3c3212037da5fd5d5653be	16-Dec-2013	Stephen Smalley <sds@tycho.nsa.gov>	Add rules to permit CTS security-related tests to run. Change-Id: I184458af1f40de6f1ab99452e76ba586dad1319e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
61dc35072090f2735af2b39572e39eadb30573eb	17-Dec-2013	Nick Kralevich <nnk@google.com>	app.te: allow getopt/getattr on zygote socket The closure of /dev/socket/zygote occurs in the zygote child process, after Zygote has dropped privileges and changed SELinux domains. In Google's internal tree, socket closures are following a different path, which is causing getopt/getattr to be used on the file descriptor. This is generating a large number of denials. Allow the operations for now. getopt/getattr are fairly harmless. Long term, we shouldn't be performing these operations on the zygote socket. Addresses the following denials: 18.352783 type=1400 audit(1386374111.043:7): avc: denied { getattr } for pid=682 comm="ndroid.systemui" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 18.353088 type=1400 audit(1386374111.043:8): avc: denied { getopt } for pid=682 comm="ndroid.systemui" path="/dev/socket/zygote" scontext=u:r:platform_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 18.833251 type=1400 audit(1386374111.524:9): avc: denied { getattr } for pid=761 comm="d.process.acore" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 18.833557 type=1400 audit(1386374111.524:10): avc: denied { getopt } for pid=761 comm="d.process.acore" path="/dev/socket/zygote" scontext=u:r:shared_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.042419 type=1400 audit(1386374111.734:11): avc: denied { getattr } for pid=806 comm="d.process.media" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.042724 type=1400 audit(1386374111.734:12): avc: denied { getopt } for pid=806 comm="d.process.media" path="/dev/socket/zygote" scontext=u:r:media_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.182830 type=1400 audit(1386374111.874:14): avc: denied { getattr } for pid=825 comm="putmethod.latin" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.183105 type=1400 audit(1386374111.874:15): avc: denied { getopt } for pid=825 comm="putmethod.latin" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket 19.235473 type=1400 audit(1386374111.924:16): avc: denied { getattr } for pid=840 comm="ndroid.settings" path="socket:[9287]" dev="sockfs" ino=9287 scontext=u:r:system_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket Bug: 12061011 Change-Id: Ie1ec7636185aba7954656802e5eed735f49830c9 /external/sepolicy/app.te
09e6abd91b3aaaa11a44d032e095360c64a97b3a	14-Dec-2013	Nick Kralevich <nnk@google.com>	initial dumpstate domain Add the necessary rules to support dumpstate. Start off initially in permissive until it has more testing. Dumpstate is triggered by running "adb bugreport" Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd /external/sepolicy/app.te
3ba9012535d8412d94db4ae9a5ce928b806e26d8	12-Dec-2013	Stephen Smalley <sds@tycho.nsa.gov>	Move gpu_device type and rules to core policy. Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
cf6b350a32ea65fa359981bd42ca0324547e2784	11-Dec-2013	Nick Kralevich <nnk@google.com>	Allow apps to execute ping Addresses the following denials: <5>[ 170.166218] type=1400 audit(1386789488.029:57): avc: denied { getattr } for pid=4352 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file <5>[ 170.166356] type=1400 audit(1386789488.029:58): avc: denied { execute } for pid=4352 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file <5>[ 170.166841] type=1400 audit(1386789488.029:59): avc: denied { read open } for pid=4389 comm="sh" name="ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file <5>[ 170.166962] type=1400 audit(1386789488.029:60): avc: denied { execute_no_trans } for pid=4389 comm="sh" path="/system/bin/ping" dev="mmcblk0p25" ino=182 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:ping_exec:s0 tclass=file Change-Id: Ic175ef7392897a3941c36db67dfa59ded35204b5 /external/sepolicy/app.te
65317124a0bb7db4829f78e74c7bfe18e27f1c43	11-Dec-2013	Stephen Smalley <sds@tycho.nsa.gov>	Allow untrusted apps to execute binaries from their sandbox directories. Various third party apps come with their own binaries that they write out to their sandbox directories and then execute, e.g.: audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file While this is not ideal from a security POV, it seems necessary to support for compatibility with Android today. Split out the execute-related permissions to a separate allow rule as it only makes sense for regular files (class file) not other kinds of files (e.g. fifos, sockets, symlinks), and use the rx_file_perms macro. Move the rule to untrusted_app only so that we do not permit system apps to execute files written by untrusted apps. Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
48759ca2054fa742724cd81debed51208b69e758	29-Oct-2013	Stephen Smalley <sds@tycho.nsa.gov>	Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
82fc3b524164588388aa3595bd2158020d93d28a	06-Dec-2013	Nick Kralevich <nnk@google.com>	Allow app-app communication via pipes Allow apps to communicate with each other via pipes. In particular, this fixes a bug where printing from Chrome wasn't working. STEPS TO REPRODUCE: 1. Launch Chrome 2. From menu tap print and observe OR 1. Launch Drive, Select any file (.txt, .doc. *.pdf.........) 2. Select print Addresses the following denials: <5>[ 122.352797] type=1400 audit(1386363998.374:18): avc: denied { write } for pid=3786 comm=4173796E635461736B202332 path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file <5>[ 123.248363] type=1400 audit(1386363999.264:19): avc: denied { getattr } for pid=2677 comm=".android.chrome" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:untrusted_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file <5>[ 123.248620] type=1400 audit(1386363999.264:20): avc: denied { write } for pid=3308 comm="ChildProcessMai" path="pipe:[19164]" dev="pipefs" ino=19164 scontext=u:r:isolated_app:s0 tcontext=u:r:release_app:s0 tclass=fifo_file Bug: 12032455 Change-Id: Ic1cb5c1d42596f5a8fc3fe82fcbfe47aa43a7d6c /external/sepolicy/app.te
ddf98fa8cf11000f91329945abc23ee791adfe69	31-Oct-2013	Geremy Condra <gcondra@google.com>	Neverallow access to the kmem device from userspace. Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4 /external/sepolicy/app.te
73c5ea722c7ee328f0d10179601afd9d5a054b94	26-Oct-2013	Nick Kralevich <nnk@google.com>	fix typo Change-Id: Ieda312d5607dd17af0bb70045fbaba8ddec38c94 /external/sepolicy/app.te
d7fd22e601293ffae0de2166b226adbae1f7e33e	22-Oct-2013	Stephen Smalley <sds@tycho.nsa.gov>	Confine bluetooth app. Remove unconfined_domain() from the bluetooth app domain, restore the rules from our policy, and move the neverallow rule for bluetooth capabilities to bluetooth.te. Make the bluetooth domain permissive again until it has received sufficient testing. Change-Id: I3b3072d76e053eefd3d0e883a4fdb7c333bbfc09 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
0b8c20e7ddce7cf791447f15be540ee2d0a6bfb2	09-Oct-2013	Nick Kralevich <nnk@google.com>	Allow apps to use the USB Accessory functionality Apps may need to access the USB Accessory interface, which involves reads / writes / etc to /dev/usb_accessory and /dev/bus/usb/* See http://developer.android.com/guide/topics/connectivity/usb/accessory.html for more information. This addresses the following denials: [ 80.075727] type=1400 audit(1379351306.384:9): avc: denied { read write } for pid=496 comm="Binder_1" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file [ 86.204387] type=1400 audit(1379304688.579:10): avc: denied { getattr } for pid=1750 comm="Thread-126" path="/dev/usb_accessory" dev=tmpfs ino=5320 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usbaccessory_device:s0 tclass=chr_file [ 2773.581032] type=1400 audit(1379307375.959:22): avc: denied { read write } for pid=761 comm="Binder_A" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file [ 2773.590843] type=1400 audit(1379307375.969:23): avc: denied { getattr } for pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file [ 2773.591111] type=1400 audit(1379307375.969:24): avc: denied { ioctl } for pid=5481 comm="android.app" path="/dev/bus/usb/002/002" dev=tmpfs ino=12862 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:usb_device:s0 tclass=chr_file Bug: 10780497 Change-Id: I9663222f7a75dcbf3c42788a5b8eac45e69e00bb /external/sepolicy/app.te
57085446eb49777189123a994884f76b8491ed26	30-Sep-2013	Stephen Smalley <sds@tycho.nsa.gov>	Except the shell domain from the transition neverallow rule. Shell domain can transition to other domains for runas, ping, etc. Change-Id: If9aabb4f51346dc00a89d03efea25499505f278d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
2a273ad2c50b255985a71e92898ac9224a9d2bd7	27-Sep-2013	Stephen Smalley <sds@tycho.nsa.gov>	Expand the set of neverallow rules applied to app domains. This change synchronizes the AOSP set of neverallow rules for app domains with our own. However, as we exclude unconfineddomain from each neverallow rule, it causes no breakage in the AOSP policy. As app domains are confined, you will need to either adjust the app domain or the neverallow rule according to your preference. But our policy builds with all of these applied with all app domains confined. Change-Id: I00163d46a6ca3a87e3d742d90866300f889a0b11 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
1fdee11df2552e29da0c48e3432f26f7a93e3bff	14-Sep-2013	Alex Klyubin <klyubin@google.com>	1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00 /external/sepolicy/app.te
a62d5c667984435fd9ba3bf1eb11d4fdaa3849c1	10-Sep-2013	Stephen Smalley <sds@tycho.nsa.gov>	Drop obsolete comments about SEAndroidManager. Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
17454cf805748a8792608a44bbfddb00fb918841	11-Sep-2013	Stephen Smalley <sds@tycho.nsa.gov>	Do not permit appdomain to create/write to download_file. The comment says that apps can read downloaded files, but the file_type_auto_trans() macro expands to permit create/write access. Also we don't need a type transition when staying in the same type as the parent directory so we only truly need allow rules here. Hence, we remove file_type_auto_trans() altogether, and add an allow rule for search access to the directory. If create/write access is truly required, then we can just change the allow rules to use rw_dir_perms and create_file_perms. Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
5b00f223495ccb87cc8069d819bee6be9b3b99d6	11-Sep-2013	Stephen Smalley <sds@tycho.nsa.gov>	Remove duplicated rules between appdomain and isolated_app. r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te; delete it from isolated_app.te. binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it. Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
a24a991dd59fe03cdc681aadcb6bbca1ffac9b7b	12-Sep-2013	Nick Kralevich <nnk@google.com>	Allow apps to execute app_data_files Fixes the following denial: <5>[28362.335293] type=1400 audit(1378991198.292:24): avc: denied { execute } for pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12 /external/sepolicy/app.te
81560733a47633036133ce548bf638bc3d91f5cf	30-Aug-2013	Geremy Condra <gcondra@google.com>	Fix denials encountered while getting bugreports. Bug: 10498304 Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74 /external/sepolicy/app.te
2637198f92d5d9c65262e42d78123d216889d546	16-Jul-2013	Nick Kralevich <nnk@google.com>	Only init should be able to load a security policy Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b /external/sepolicy/app.te
6634a1080e6617854d0b29bc65bb1c852ad3d5b6	13-Jul-2013	Nick Kralevich <nnk@google.com>	untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35 /external/sepolicy/app.te
748fdef626d1dda2a0a727ea35d85d04363f5307	13-Jul-2013	Nick Kralevich <nnk@google.com>	Move *_app into their own file app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f /external/sepolicy/app.te
0c9708b2af4ea345277a47ae7bc1ce890e90d2bc	10-Jul-2013	Nick Kralevich <nnk@google.com>	domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 /external/sepolicy/app.te
77d4731e9d30c8971e076e2469d6957619019921	18-May-2013	repo sync <gcondra@google.com>	Make all domains unconfined. This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11 /external/sepolicy/app.te
50e37b93ac97631dcac6961285b92af5026557af	15-May-2013	repo sync <gcondra@google.com>	Move domains into per-domain permissive mode. Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1 /external/sepolicy/app.te
11153ef34928ab9d13658606695cba192aa03e21	08-May-2013	repo sync <gcondra@google.com>	Add rules for asec containers. Change-Id: I91f6965dafad54e98e2f7deda956e86acf7d0c96 /external/sepolicy/app.te
bfb26e7b0761121039dea36ad34b6c5054babcfa	04-Apr-2013	Geremy Condra <gcondra@google.com>	Add downloaded file policy. Change-Id: I6f68323cddcf9e13b2a730b8d6b8730587fb4366 /external/sepolicy/app.te
ffd8c441a5903772af1705ddea5756d117bc9ec9	03-Apr-2013	Robert Craig <rpcraig@tycho.ncsc.mil>	Add new domains for private apps. /data/app-private is used when making an app purchase or forward locking. Provide a new label for the directory as well as the tmp files that appear under it. Change-Id: I910cd1aa63538253e10a8d80268212ad9fc9fca5 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> /external/sepolicy/app.te
62508bf498af44ea7d54bf85b4a8c1202cd26c8e	04-Apr-2013	Stephen Smalley <sds@tycho.nsa.gov>	Allow apps to execute the shell or system commands unconditionally. Change-Id: I54af993bd478d6b8d0462d43950bb1a991131c82 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
0677cb2ebda66adfabced3390f6c8b40eb06bc33	04-Apr-2013	Stephen Smalley <sds@tycho.nsa.gov>	Allow fstat of platform app /data/data files. Change-Id: I8d46a809c08cd21b0d6c3173998035ab3cc79ada Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
b5f6977a28ae7c8474fe23cefe26f3556a533207	04-Apr-2013	Stephen Smalley <sds@tycho.nsa.gov>	Coalesce rules for allowing execution of shared objects by app domains. Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
9de4c6920220880e236ef1648ebd900c69727d43	04-Apr-2013	Stephen Smalley <sds@tycho.nsa.gov>	Strip unnecessary trailing semicolon on macro calls. Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
81fe5f7c0f47d48faa820ad5f8d3f4f44637a486	04-Apr-2013	Stephen Smalley <sds@tycho.nsa.gov>	Allow all domains to read the log devices. Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver. Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
4387956f2607f9836e13267c10c5a5d0929eeb4c	28-Mar-2013	Geremy Condra <gcondra@google.com>	Add the ability to stat files under /cache for media_app. This feels like a hidden bug- it shouldn't be trying to stat everything under /cache anyways- but allowing for now. Change-Id: Ib5ddfbb408c9f0b6c6218c78a678fcdb09360ccd /external/sepolicy/app.te
2ae799e44e6603c4b5edc941ce41df9eaa7785ae	28-Mar-2013	Stephen Smalley <sds@tycho.nsa.gov>	Drop separate domain for browser. Change-Id: Ib37b392cb6f6d3fb80852b9a2a6547ab86cd9bff Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
0ecb0f886660da5ddfd6945e4b993048727caac8	28-Mar-2013	Stephen Smalley <sds@tycho.nsa.gov>	Eliminate most of the app policy booleans. Just allow them unconditionally for compatibility. Change-Id: I85b56532c6389bdfa25731042b98d8f254bd80ee Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
e69552ba2d76174d443d1b8457295e4d72f2a986	26-Mar-2013	Geremy Condra <gcondra@google.com>	Revert "Revert "Various minor policy fixes based on CTS."" This reverts commit ba84bf1dec64d745b6efc516799b2c722a672cd9 Hidden dependency resolved. Change-Id: I9f0844f643abfda8405db2c722a36c847882c392 /external/sepolicy/app.te
18b5f87ea18baaf7356a1f1729dc2737be3c141e	07-Jan-2013	Robert Craig <rpcraig@tycho.ncsc.mil>	racoon policy. Initial policy for racoon (IKE key management). Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil> Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479 /external/sepolicy/app.te
ba84bf1dec64d745b6efc516799b2c722a672cd9	22-Mar-2013	Geremy Condra <gcondra@google.com>	Revert "Various minor policy fixes based on CTS." This reverts commit 8a814a7604afd20f12c9ff3dcdae7d10e9b75f84 Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad /external/sepolicy/app.te
8a814a7604afd20f12c9ff3dcdae7d10e9b75f84	12-Mar-2013	Stephen Smalley <sds@tycho.nsa.gov>	Various minor policy fixes based on CTS. Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
c195ec31485766d065d3e3101268d5ce727ff4c0	07-Mar-2013	William Roberts <w.roberts@sta.samsung.com>	Split internal and external sdcards Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5 /external/sepolicy/app.te
9ce99e3908fcd81430bc9612e5d86819939b6db2	16-Nov-2012	Stephen Smalley <sds@tycho.nsa.gov>	Update binder-related policy. The binder_transfer_binder hook was changed in the kernel, obsoleting the receive permission and changing the target of the transfer permission. Update the binder-related policy to match the revised permission checking. Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
c8106f12c09dfffebebcff6b435d4974e6b2a9d7	11-Jan-2013	Stephen Smalley <sds@tycho.nsa.gov>	Only allow read/write not open on platform_app_data_file. Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
1c8464e1365950538e9e4647a4f220910f79ab1e	04-Dec-2012	rpcraig <rpcraig@tycho.ncsc.mil>	App data backup security policy. Policy covers: * backup_data_file type for labeling all files/dirs under /data dealing with backup mechanism. * cache_backup_file type for labeling all files/dirs under /cache dealing with backup mechanism. This also covers the the use of LocalTransport for local archive and restore testing. * the use of 'adb shell bmgr' to initiate backup mechanism from shell. * the use of 'adb backup/restore' to archive and restore the device's data. Change-Id: I700a92d8addb9bb91474bc07ca4bb71eb4fc840e Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> /external/sepolicy/app.te
4c266ba1bc71b8aeb09deb1574550f44807ac0e3	03-Dec-2012	rpcraig <rpcraig@tycho.ncsc.mil>	Change security policy so all apps can read /dev/xt_qtaguid. Generic init.rc allows any process to use socket tagging. Adjust app policy to ensure that any app can read from the misc device. Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> /external/sepolicy/app.te
7672eac5fb0d0ce3bcb52f11b125b25ac597ea3f	22-Oct-2012	rpcraig <rpcraig@tycho.ncsc.mil>	Add SELinux policy for asec containers. Creates 2 new types: - asec_apk_file : files found under /mnt/asec when the asec images are mounted - asec_image_file : the actual encrypted apks under /data/app-asec Change-Id: I963472add1980ac068d3a6d36a24f27233022832 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil> /external/sepolicy/app.te
f26d813033b6e2b669efc7e030a705fd0fa6d0ca	26-Sep-2012	Joshua Brindle <jbrindle@tresys.com>	allow apps access to the keystore, dhcp/pptp fixes, wifi fixes and isolated_app access - allow all apps to connect to the keystore over unix socket - dhcp runs scripts in /system/etc/dhcpcd/dhcpcd-hooks and creates/removes lease files - mtp connects to dnsproxyd when a pptp vpn connection is established - allow appdomain to also open qtaguid_proc and release_app to read qtaguid_device - WifiWatchDog uses packet_socket when wifi comes up - apps interact with isolated_apps when an app uses an isolated service and uses sockets for that interaction - for apps with levelFromUid=true to interact with isolated_app, isolated_app must be an mlstrustedsubject Change-Id: I09ff676267ab588ad4c73f04d8f23dba863c5949 Signed-off-by: Joshua Brindle <jbrindle@tresys.com> /external/sepolicy/app.te
061f254def394fdc4784fe6c446bdd779cfec768	20-Sep-2012	Stephen Smalley <sds@tycho.nsa.gov>	Define security labeling for isolated processes. Used when an app service is declared with android:isolatedProcess="true". Place such processes in a separate domain, and further isolate them from each other via categories. Change-Id: I1d64f8278f0619eedb448f9a741f1d2c31985325 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> /external/sepolicy/app.te
abd977a79ec0a1f90cf236339e080775491b9919	10-Aug-2012	rpcraig <rpcraig@tycho.ncsc.mil>	Additions for grouper/JB /external/sepolicy/app.te
901cc36664399f5803c64bd5a26932807d6749aa	30-Jul-2012	Haiqing Jiang <hqjiang1988@gmail.com>	Untrusted_app gets route information /external/sepolicy/app.te
d28714c6f9169b4a3ac6e8ada9b3ffdd1a225480	30-Jul-2012	Stephen Smalley <sds@tycho.nsa.gov>	Introduce app_read_logs boolean. /external/sepolicy/app.te
3261feef9794db542516097faba62c58492c13bb	30-Jul-2012	Haiqing Jiang <hqjiang1988@gmail.com>	untrusted_app reads logs when android_cts enabled /external/sepolicy/app.te
1f0f77fcdf95fefb5ac7737f33a891e0bff42455	28-Jul-2012	Haiqing Jiang <hqjiang1988@gmail.com>	Allow CTS Test apps to access to system_data_file /external/sepolicy/app.te
59e9680825b6d07c2ce42a0bd70fa420b8d90acd	28-Jul-2012	Haiqing Jiang <hqjiang1988@gmail.com>	socket permissions to untrusted_app /external/sepolicy/app.te
2b47c3fc351977b801d1c154bb7a8def2e784948	27-Jul-2012	Haiqing Jiang <hqjiang1988@gmail.com>	allocate perms to platformappdomain over system_data_file /external/sepolicy/app.te
7585fc64003a2caf56643e80fbc9984903cf3d2d	27-Jul-2012	Haiqing Jiang <hqjiang1988@gmail.com>	Platform app domain sdcard accesses /external/sepolicy/app.te
b9760aa0d59aafe5c36ee4522fb36d51a9c147df	27-Jul-2012	Stephen Smalley <sds@tycho.nsa.gov>	Only enforce per-app process and file isolation via SELinux for third party apps, not platform apps. Platform (any of the apps signed by build keys, i.e. platform\|release\|shared\|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps. Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps. Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps. Specify this new type for the platform app entries in seapp_contexts. Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them. /external/sepolicy/app.te
4c06d273bc3d278e7061bf93cfa97fdf2a4e8ee3	19-Jul-2012	hqjiang <hqjiang1988@gmail.com>	Target the denials/policies over qtaguid file and device: 1. Relabel /proc/net/xt_qtaguid/ctrl from "qtaguid" to "qtaguid_proc"; 2. Label /dev/xt_qtaguid with "qtaguid_device"; 3. Allow mediaserver read/[write] to qtaguid_proc and qtaguid_device; 4. Allow media apps read/[write] to qtaguid_proc and qtaguid_device; 5. Allow system read/[write] to qtaguid_proc and qtaguid_device. Actually, some of policies related to qtaguid have been there already, but we refind existing ones and add new ones. /external/sepolicy/app.te
1c7351652c69bc571b8edfa4a8874b58c73568aa	12-Jul-2012	Stephen Smalley <sds@tycho.nsa.gov>	Address various denials introduced by JB/4.1. /external/sepolicy/app.te
96bf5059621cd3903e1a402b2c90dbb652aedf90	11-Jul-2012	Michal Mašek <michal.masek@circletech.net>	Fix the app_ndk policy boolean allow rule. /external/sepolicy/app.te
03d2803c542cbae539dba785153e58d81c503bf3	25-Jun-2012	William Roberts <bill.c.roberts@gmail.com>	media app should have rw access to sdcard dir and files. /external/sepolicy/app.te
f3b587cab01a7a54a5a2c3296844083d90fc6641	21-Jun-2012	Stephen Smalley <sds@tycho.nsa.gov>	Rewrite app domains and seapp_contexts to leverage new seinfo tags. /external/sepolicy/app.te
e4682a63ab87f79130b4f914b79be0867e0d669d	27-Jun-2012	Stephen Smalley <sds@tycho.nsa.gov>	Allow apps to write to /proc/net/xt_qtaguid/ctrl. /external/sepolicy/app.te
a883c3863739d5ada3509517af148a9499401600	04-Apr-2012	Stephen Smalley <sds@tycho.nsa.gov>	Allow apps to write to anr_data_file for /data/anr/traces.txt. /external/sepolicy/app.te
f6cbbe255bc57a241f35c35629705e8f63bdd77a	19-Mar-2012	Stephen Smalley <sds@tycho.nsa.gov>	Introduce a separate wallpaper_file type for the wallpaper file. /external/sepolicy/app.te
59d28035a1e0779a81cde104ea9afffd2bb1a77f	19-Mar-2012	Stephen Smalley <sds@tycho.nsa.gov>	Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files. /external/sepolicy/app.te
c83d0087e457787fc0441d959a20d56fc5200048	07-Mar-2012	Stephen Smalley <sds@tycho.nsa.gov>	Policy changes to support running the latest CTS. /external/sepolicy/app.te
c94e2392f6d92064e3aa32fff2c5a70116c7398a	06-Jan-2012	Stephen Smalley <sds@tycho.nsa.gov>	Further policy for Motorola Xoom. /external/sepolicy/app.te
2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35	04-Jan-2012	Stephen Smalley <sds@tycho.nsa.gov>	SE Android policy. /external/sepolicy/app.te