History log of /external/sepolicy/system_server.te
Revision Date Author Comments
01898ea4aa2dbd676c2c20a796251285a1671a96 04-Jun-2015 Narayan Kamath <narayan@google.com> Revert "Allow system_server to link,relabel and create_dir dalvikcache_data_file."

This reverts commit e929ad8b524a7e444008b657adaafff97b5dea79.

bug: 20889739
Change-Id: I6729f4e26041b481f2442a2d8c3dfb42e2d4144a
/external/sepolicy/system_server.te
41f233f4658f20ac36845ed262bfeb8a7a9eea45 14-May-2015 Narayan Kamath <narayan@google.com> Allow system_server to link,relabel and create_dir dalvikcache_data_file.

Required by the installation flow for split APKs.

bug: 20889739

Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
/external/sepolicy/system_server.te
12e8b61bc08da1482a9309e8b2dc1a0670671445 28-May-2015 Tao Bao <tbao@google.com> Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
70c6dbf06cb06fc46d5143557ea960392849106d 21-May-2015 Tao Bao <tbao@google.com> Allow system server and uncrypt to operate pipe file

System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
/external/sepolicy/system_server.te
83554d2c923b17b6d5ee811c278e2ab0bb65579d 22-May-2015 Jim Miller <jaggies@google.com> Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
a39b131e9db1fed7e5ce90174f19515f465c8739 22-May-2015 Jim Miller <jaggies@google.com> Selinux: Allow system_server to create fpdata dir.

Fixes avc errors:
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0

Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
/external/sepolicy/system_server.te
b3df4389f31b5ae206fc2c1f50f1efe4de1bcf75 21-May-2015 Chad Brubaker <cbrubaker@google.com> Merge "Rename keystore methods and delete unused permissions" into mnc-dev
264eb6566ae75ba1ae37835f0ba83f951550fe85 13-May-2015 Jim Miller <jaggies@google.com> Add selinux policy for fingerprintd

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
/external/sepolicy/system_server.te
807d8d0249f196e172f30b96b48699e3b10a3866 18-May-2015 dcashman <dcashman@google.com> Label /dev/rtc0 as rtc_device.

Grant access to system_server, as it is used by AlarmManagerService.

(cherry-pick of c7594898dbce021677e6444eb855eb591df1097b)

Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
/external/sepolicy/system_server.te
eaa1a1e975627a00b09a84810d0aa77cfde1edd2 13-May-2015 Chad Brubaker <cbrubaker@google.com> Rename keystore methods and delete unused permissions

Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

(cherry-picked from commit cbc8f796551151c0d9651500d5d9f116177a07dc)

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
/external/sepolicy/system_server.te
77a824600bfe80abccc9fdcab8d1566380b43ce4 12-May-2015 Chad Brubaker <cbrubaker@google.com> Add keystore user_changed permission

user_changed will be used for state change methods around android user
creation/deletion.

(cherry-picked from commit 520bb816b86fe36440767db6e2f05fb4e8a08f3e)

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
/external/sepolicy/system_server.te
3526a6696fdc2b7d3b7a8fe452ce8b287160c42b 13-May-2015 Adam Lesinski <adamlesinski@google.com> Allow system_server to read/write /proc/uid_cputime/ module

Bug: 20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
/external/sepolicy/system_server.te
2f5a6a96bdc284dc070a2c222243dd8e19edb9ef 05-May-2015 William Roberts <william.c.roberts@linux.intel.com> Replace unix_socket_connect() and explicit property sets with macro

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3-part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macro:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
/external/sepolicy/system_server.te
1301f2b64b91507c6599a8d31fdfd1731aee8a63 10-Apr-2015 Nick Kralevich <nnk@google.com> am 2a7a4037: am 2234f9ff: gatekeeperd: neverallow non-system_server binder call

* commit '2a7a403724370ebe16f05602685a654ca4448d59':
gatekeeperd: neverallow non-system_server binder call
2234f9ff579f9e928d868372f5bd7499e2da7bd1 09-Apr-2015 Nick Kralevich <nnk@google.com> gatekeeperd: neverallow non-system_server binder call

The current neverallow rule (compile time assertion)

neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
is allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

* all app processes
* dumpstate
* system_server
* mediaserver
* surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
/external/sepolicy/system_server.te
710c5a2af915c5638a758c083f1295b916239728 09-Apr-2015 dcashman <dcashman@google.com> am 29f90b1e: am 7f2bb0c1: Merge "Enforce more specific service access."

* commit '29f90b1eb7376b39d94cd5d981a15ff8317a5cdb':
Enforce more specific service access.
bd7f5803f924b0ca318c1d426b683c3f658754f9 09-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/external/sepolicy/system_server.te
2686b6ab808e3c8e26beec9cb40c54655daaf142 09-Apr-2015 dcashman <dcashman@google.com> am 18867dbb: am 03a6f64f: Enforce more specific service access.

* commit '18867dbb42f128db00f6c8ee4f05fd098d9eaaa4':
Enforce more specific service access.
746a73c41b19ec6318d565e3f177b1cd00941816 09-Apr-2015 Nick Kralevich <nnk@google.com> am 2a762352: am 9bef2502: system_server: support hard linking for split APKs

* commit '2a762352f34f147cdb83e34bf3591e48a9378425':
system_server: support hard linking for split APKs
03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 08-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
/external/sepolicy/system_server.te
9bef25026b43ccfb656a3a53b74a787ca3376227 08-Apr-2015 Nick Kralevich <nnk@google.com> system_server: support hard linking for split APKs

Commit 85ce2c706e95f96c95b3af418b7bda0bfe9918f4 removed hard link
support from create_file_perms, but system_server requires hard
link support for split APKs. Allow it.

Addresses the following denial:

audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Steps to reproduce:
1) Find the directory "hellogoogle3.splitapk"
2) adb install-multiple -r hellogoogle3_incremental.apk
3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk

Expected:
2nd APK installs successfully.

Actual:
2nd APK fails to install.

Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7
/external/sepolicy/system_server.te
d20c61af723ae194a2c47ac5a03ec607438e5c66 08-Apr-2015 Nick Kralevich <nnk@google.com> am 63b07909: am 8a06c077: Allow system_server to collect app heapdumps (debug builds only)

* commit '63b0790965be39da4ee1aee13ae1ab029d6d02ae':
Allow system_server to collect app heapdumps (debug builds only)
5fd66b3cb84aa88df58ce60bc7d2a2880d0a5674 08-Apr-2015 dcashman <dcashman@google.com> am 0bc36ada: am 91b7c67d: Enforce more specific service access.

* commit '0bc36adada7421b0e8ec05565617b7a8a6cef794':
Enforce more specific service access.
6e4143558793ae063c1b205f33c788f8ea2ec4f4 08-Apr-2015 dcashman <dcashman@google.com> am b1a13728: am 3cc6fc5f: Enforce more specific service access.

* commit 'b1a137280e6e8f282469f91b0f58df6c95919d18':
Enforce more specific service access.
8a06c07724ad538d6c2f1d703fec88929c118894 08-Apr-2015 Nick Kralevich <nnk@google.com> Allow system_server to collect app heapdumps (debug builds only)

On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
/external/sepolicy/system_server.te
91b7c67d1647b2a88b1547cc57b69fc685bbac18 08-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
/external/sepolicy/system_server.te
3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 07-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
/external/sepolicy/system_server.te
8a439726b9d61cef77c7e3858eee0f28ddc1d766 07-Apr-2015 Fyodor Kupolov <fkupolov@google.com> am 26ef3bbc: am 3af8c9d0: Allow system_server to read oat dir

* commit '26ef3bbc8759fb67ad5a71facfdf4f5611621f84':
Allow system_server to read oat dir
d0c06a7051f3199e95bc27d2058b864eb2e6ac27 07-Apr-2015 dcashman <dcashman@google.com> am 86501cde: am d4c78f4b: Enforce more specific service access.

* commit '86501cde107f4208b2afb82f2e21647dab70e4ef':
Enforce more specific service access.
3af8c9d0ef0e4385f69a1a50dd04a010a76c6b19 07-Apr-2015 Fyodor Kupolov <fkupolov@google.com> Allow system_server to read oat dir

Required for PackageManagerService to perform restorecon recursively on a
staging dir.

Addresses the following denial:
avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

Bug: 19550105
Bug: 20087446
Change-Id: I0f6ebb79745091ecb4d6d3dbe92f65606b7469da
/external/sepolicy/system_server.te
d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 07-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
/external/sepolicy/system_server.te
abef255597c0bd45b41832acdd9cb4dde383cd49 07-Apr-2015 Jeff Sharkey <jsharkey@android.com> am 8a6ac553: am 73d9c2a9: Initial policy for expanded storage.

* commit '8a6ac553b5f64f002177790823d0e15e8ff74030':
Initial policy for expanded storage.
73d9c2a97b232389ab1dd179ac72c2fbefc5482b 07-Apr-2015 Jeff Sharkey <jsharkey@android.com> Initial policy for expanded storage.

Expanded storage supports a subset of the features of the internal
data partition. Mirror that policy for consistency. vold is also
granted enough permissions to prepare initial directories.

avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1

Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
/external/sepolicy/system_server.te
151a02a9bc4a9ce22bed2bc4310bb91a986c564f 07-Apr-2015 Andres Morales <anmorales@google.com> am 258ea8ed: am e207986e: SELinux permissions for gatekeeper TEE proxy

* commit '258ea8ed2e199855b4384ce11d7861fb7ae84683':
SELinux permissions for gatekeeper TEE proxy
e207986ea08feebd04f32cd2beff0b1602d08074 04-Apr-2015 Andres Morales <anmorales@google.com> SELinux permissions for gatekeeper TEE proxy

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
/external/sepolicy/system_server.te
593c1dbd03c03e181b6e306d954295b86969b12e 07-Apr-2015 dcashman <dcashman@google.com> am 2e45bba5: am 4cdea7fc: Assign app_api_service attribute to services.

* commit '2e45bba5a89348febd99ce0e820a3d4f4f4f5a58':
Assign app_api_service attribute to services.
4cdea7fc40ea29c8cf4134a71b67808d143ec9dc 04-Apr-2015 dcashman <dcashman@google.com> Assign app_api_service attribute to services.

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
/external/sepolicy/system_server.te
ad5720c3e5430c61733e2bd6a6ae48d9769fc34f 04-Apr-2015 dcashman <dcashman@google.com> am b40dd46a: am b075338d: Assign app_api_service attribute to services.

* commit 'b40dd46a6b9dd60817a178ae929566ca471dcd8a':
Assign app_api_service attribute to services.
b075338d0e335eb2dbd786ae4f8e033e78eeca37 03-Apr-2015 dcashman <dcashman@google.com> Assign app_api_service attribute to services.

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
/external/sepolicy/system_server.te
117ba9e2f92e63b5167c60d8dbfc0c84cdb8edfc 02-Apr-2015 dcashman <dcashman@google.com> am e83172c5: am 1598b52b: Merge "Remove obsolete system_server auditallow logging."

* commit 'e83172c5731a7d9272a3ef0e11c72673134f192b':
Remove obsolete system_server auditallow logging.
73c06a9b009fd4e0b166c334f1c016cf70bd0c1c 02-Apr-2015 dcashman <dcashman@google.com> am c8197153: am 59abf4cc: Merge "Record observed service accesses."

* commit 'c819715336f06f11b50af521d56998da9e9000de':
Record observed service accesses.
513d77b5cb976af0052b0e152cddf0ccb001d9f2 01-Apr-2015 dcashman <dcashman@google.com> Remove obsolete system_server auditallow logging.

system_server no longer has universal service_manager_type permissions and so no
longer needs the auditallow rules therewith associated.

Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477
/external/sepolicy/system_server.te
8af4e9cb0032244b0a356eb236ea97379956fa52 01-Apr-2015 dcashman <dcashman@google.com> Record observed service accesses.

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
/external/sepolicy/system_server.te
6cc74a4745acb6cd67fd141e9c66cd9288442729 01-Apr-2015 Chad Brubaker <cbrubaker@google.com> am 0a913546: am 66cc49c1: Merge "Add keystore add_auth"

* commit '0a913546f605fd04824750997996b492643fbe22':
Add keystore add_auth
8927772caa421f1c9ccc80337527e039353d65dd 31-Mar-2015 Chad Brubaker <cbrubaker@google.com> Add keystore add_auth

This is for the new addAuthToken keystore method from
I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to
authorize keymaster operations. The tokens are HMAC'd and so shouldn't
be fakeable but this is still limited to system_server only.

Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
/external/sepolicy/system_server.te
cab251ed1e4dc37bd824aa33d6a7e1ad1103f823 31-Mar-2015 Jeff Sharkey <jsharkey@android.com> am 8d6a1000: am f063f461: Updated policy for external storage.

* commit '8d6a100067affcea330e97b2294960d32b94ae3d':
Updated policy for external storage.
f063f461a9e5b6049f3516e48806b6a87848ac1a 27-Mar-2015 Jeff Sharkey <jsharkey@android.com> Updated policy for external storage.

An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.

This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.

For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.

Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause the kernel to kill us.

Here are the relevant violations that this CL is designed to allow:

avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd

Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
/external/sepolicy/system_server.te
08c224f597771048b13ab05b5c980b9af28d5d72 30-Mar-2015 John Reck <jreck@google.com> am a8c74889: am ec4008ec: Merge "Add graphicsstats service"

* commit 'a8c74889a0349cc896c41fdd360e4661ff0cb742':
Add graphicsstats service
e8064afb5e8adc96d1becc7b31a8a92f77e284d9 23-Mar-2015 John Reck <jreck@google.com> Add graphicsstats service

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
/external/sepolicy/system_server.te
323d741f1c6c68f7274f007a8480d687af5b9737 14-Mar-2015 Nick Kralevich <nnk@google.com> am a5649f32: am 6ece49c3: Merge "Revert "allow system_server to set kernel scheduling priority""

* commit 'a5649f328a0ccf6edf746be3750563e2d3646442':
Revert "allow system_server to set kernel scheduling priority"
39f082f8826ec781c98c2ee89a8db6ab403093f0 13-Mar-2015 Nick Kralevich <nnk@google.com> am b9d7c2c6: am 5434a8a9: Merge "system_server: neverallow blk_file read/write"

* commit 'b9d7c2c650805850370b4c40613d624afcfb485b':
system_server: neverallow blk_file read/write
cd14eb443e18d94f3248da77089155c888d8720e 12-Mar-2015 Nick Kralevich <nnk@google.com> Revert "allow system_server to set kernel scheduling priority"

Periodically, SELinux denials of the form:

type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

are being generated. These denials come from system_server and other
processes. There's no reason why system_server should be calling
sched_setscheduler() on a kernel thread.

Current belief is that these SELinux denials are a bug in the kernel,
and are being inappropriately triggered.

Revert 2d1650f4075db4f4f458de4c1a4cb5869c44b936. The original reason
for accepting this change was to see if it would fix bug 18085992.
Unfortunately, even after the commit, the bug was still present.
The change had no impact on the bug.

Don't inappropriately grant system_server the ability to manipulate
the scheduling priority of kernel threads.

This reverts commit 2d1650f4075db4f4f458de4c1a4cb5869c44b936.

Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8
/external/sepolicy/system_server.te
3e1a7a4c4f9af3c284e680ead43d2fc96b1e674e 12-Mar-2015 Nick Kralevich <nnk@google.com> am cbfe9d57: am c01f7fd1: system_server: remove appdomain:file write

* commit 'cbfe9d5733c0f52449e81cc450a3a7edd93db9f4':
system_server: remove appdomain:file write
acc0842c4bed8690fe29858070215d7a74f4a44b 11-Mar-2015 Nick Kralevich <nnk@google.com> system_server: neverallow blk_file read/write

With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly manipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
/external/sepolicy/system_server.te
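The neverallow assertions described in commits 2234f9ff (only system_server may make binder calls to gatekeeperd, and only gatekeeperd or system_server may find gatekeeper_service) and acc0842c (system_server must not read or write block devices other than the factory reset protection one) are compile-time checks on the policy. A policy author usually meets them the other way round: a list of `avc: denied` lines like the ones quoted throughout this log, and the temptation to turn each into an `allow` rule. The following Python is an added example, not code from AOSP or from this log. It parses such lines, aggregates them into audit2allow-style candidate rules, and flags any candidate that would contradict one of the assertions. The `NEVERALLOWS` entries are my paraphrases of what the commit messages describe (the rule names are mine, attribute membership such as `domain` or `dev_type` is not resolved, and `frp_block_device` is assumed to be the factory reset protection device type); the sample log is constructed except for its first line, which is quoted from commit 9bef2502.

```python
"""Triage SELinux AVC denials against neverallow assertions (added example, not AOSP code)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# The `for ...` section carries varying name=/path=/service= details; we only need
# the permissions, the source and target contexts, and the object class.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source: str          # type from scontext, e.g. system_server
    target: str          # type from tcontext, e.g. block_device
    tclass: str          # object class, e.g. blk_file
    perms: FrozenSet[str]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC line, or None for unrelated log lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # u:r:system_server:s0 or u:object_r:block_device:s0 -> the third field is the
    # type; trailing MLS categories such as s0:c512,c768 are ignored here.
    src_type = m["sctx"].split(":")[2]
    tgt_type = m["tctx"].split(":")[2]
    return Denial(src_type, tgt_type, m["tclass"], frozenset(m["perms"].split()))


@dataclass(frozen=True)
class Neverallow:
    """One assertion of the shape `neverallow { src -excl } tgt:class { perms };`.

    Assumption: attribute membership is not resolved (that needs the compiled
    policy). sources=None stands for `domain` (every process type) and
    targets=None for any target type.
    """
    name: str
    tclass: str
    perms: FrozenSet[str]
    sources: Optional[FrozenSet[str]] = None
    excluded_sources: FrozenSet[str] = frozenset()
    targets: Optional[FrozenSet[str]] = None
    excluded_targets: FrozenSet[str] = frozenset()

    def violated_by(self, d: Denial) -> bool:
        if d.tclass != self.tclass or not (d.perms & self.perms):
            return False
        if self.sources is not None and d.source not in self.sources:
            return False
        if self.targets is not None and d.target not in self.targets:
            return False
        return d.source not in self.excluded_sources and d.target not in self.excluded_targets


def allow_rule(d: Denial) -> str:
    """Render a denial as the allow rule audit2allow would propose for it."""
    perms = sorted(d.perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d.source} {d.target}:{d.tclass} {body};"


def triage(log_lines, neverallows) -> List[Tuple[str, Tuple[str, ...]]]:
    """Merge denials per (source, target, class) and check each candidate rule."""
    merged: Dict[Tuple[str, str, str], set] = {}
    for line in log_lines:
        d = parse_avc(line)
        if d is not None:
            merged.setdefault((d.source, d.target, d.tclass), set()).update(d.perms)
    out = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        d = Denial(src, tgt, cls, frozenset(perms))
        violated = tuple(n.name for n in neverallows if n.violated_by(d))
        out.append((allow_rule(d), violated))
    return out


# Paraphrases of the assertions the commit messages describe; rule names are mine
# and frp_block_device is assumed to be the factory-reset-protection device type.
NEVERALLOWS = [
    Neverallow("system_server_no_raw_block_io", "blk_file", frozenset({"read", "write"}),
               sources=frozenset({"system_server"}),
               excluded_targets=frozenset({"frp_block_device"})),
    Neverallow("only_system_server_calls_gatekeeperd", "binder", frozenset({"call"}),
               excluded_sources=frozenset({"system_server"}),
               targets=frozenset({"gatekeeperd"})),
    Neverallow("gatekeeper_service_find", "service_manager", frozenset({"find"}),
               excluded_sources=frozenset({"gatekeeperd", "system_server"}),
               targets=frozenset({"gatekeeper_service"})),
]

# Constructed sample log: the first line is quoted from the split-APK commit, the rest are made up.
SAMPLE_LOG = [
    'audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0',
    'avc: denied { write } for path="/dev/block/mmcblk0p1" dev="tmpfs" ino=1234 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0',
    'avc: denied { read } for path="/dev/block/frp" dev="tmpfs" ino=1235 scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0',
    'avc: denied { call } for scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:gatekeeperd:s0 tclass=binder permissive=0',
    'avc: denied { find } for service=IGateKeeperService scontext=u:r:dumpstate:s0 tcontext=u:object_r:gatekeeper_service:s0 tclass=service_manager permissive=0',
    'init: some unrelated log line',
]

if __name__ == "__main__":
    for rule, violated in triage(SAMPLE_LOG, NEVERALLOWS):
        flag = "  <-- would violate: " + ", ".join(violated) if violated else ""
        print(rule + flag)
```

Run directly, it prints the candidate rules with violating ones marked; `triage()` returns the same list for use in a review script. The point of the check is the one the acc0842c message makes: a denial is evidence that something wanted access, not that the access is safe to grant, and the neverallow assertions encode which grants the policy has decided never to make.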
c01f7fd1c1569a0649703d24747ad1ddd857bc93 10-Mar-2015 Nick Kralevich <nnk@google.com> system_server: remove appdomain:file write

system_server no longer writes to /proc/pid/oom_adj_score. This is
handled exclusively by lmkd now.

See the following commits:

Kernel 3.18:
* https://android-review.googlesource.com/139083
* https://android-review.googlesource.com/139082

Kernel 3.14:
* https://android-review.googlesource.com/139081
* https://android-review.googlesource.com/139080

Kernel 3.10:
* https://android-review.googlesource.com/139071
* https://android-review.googlesource.com/139671

Kernel 3.4:
* https://android-review.googlesource.com/139061
* https://android-review.googlesource.com/139060

Bug: 19636629
Change-Id: Ib79081365bcce4aa1190de037861a87b55c15db9
/external/sepolicy/system_server.te
7b2d879b33e7a660fb59e36c94f71dd430216239 10-Mar-2015 dcashman <dcashman@google.com> am 1193bdf4: am 6843a793: am 8f81dcad: Only allow system_server to send commands to zygote.

* commit '1193bdf4ae1498581b4d5c3e964db963e79622dc':
Only allow system_server to send commands to zygote.
6843a7932a9b48a549143b5ad8bf79659ebeb328 09-Mar-2015 dcashman <dcashman@google.com> am 8f81dcad: Only allow system_server to send commands to zygote.

* commit '8f81dcad5bb322a75bc61c8b42f8287e2afeaddc':
Only allow system_server to send commands to zygote.
8f81dcad5bb322a75bc61c8b42f8287e2afeaddc 09-Mar-2015 dcashman <dcashman@google.com> Only allow system_server to send commands to zygote.

Add neverallow rules to ensure that zygote commands are only taken from
system_server.

Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279

Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
/external/sepolicy/system_server.te
c2b3ff7f7f740fbb8fccf167960dadbb0c2266fa 09-Mar-2015 Nick Kralevich <nnk@google.com> am 3e616ee8: am b41eb698: am 0560e75e: system_server: allow handling app generated unix_stream_sockets

* commit '3e616ee8982251921da22c0ea0f9afaf45212374':
system_server: allow handling app generated unix_stream_sockets
b41eb698ee1bf2f3cf52f23161226475fe6ffff0 09-Mar-2015 Nick Kralevich <nnk@google.com> am 0560e75e: system_server: allow handling app generated unix_stream_sockets

* commit '0560e75e4f03e4637637de8512a4718fe7870df8':
system_server: allow handling app generated unix_stream_sockets
0560e75e4f03e4637637de8512a4718fe7870df8 09-Mar-2015 Nick Kralevich <nnk@google.com> system_server: allow handling app generated unix_stream_sockets

Allow system server to handle already open app unix_stream_sockets.
This is needed to support system_server receiving a socket
created using socketpair(AF_UNIX, SOCK_STREAM) and
socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
functionality.

Addresses the following denial:

type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0

Bug: 19648474
Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
/external/sepolicy/system_server.te
f3a6abbb889f567d32df41577db7760714e957ae 06-Mar-2015 Nick Kralevich <nnk@google.com> am f42b8dbc: am efb4bdb9: am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server

* commit 'f42b8dbc3066c70c1cf9a5722f699b4ac00a0306':
Eliminate CAP_SYS_MODULE from system_server
efb4bdb9f49d19f4ea9a7348eb019ed8d77955e4 05-Mar-2015 Nick Kralevich <nnk@google.com> am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server

* commit '92b10ddb47caa4c80a626e6c70330439feb4aa30':
Eliminate CAP_SYS_MODULE from system_server
92b10ddb47caa4c80a626e6c70330439feb4aa30 05-Mar-2015 Nick Kralevich <nnk@google.com> Eliminate CAP_SYS_MODULE from system_server

Right now, the system_server has the CAP_SYS_MODULE capability. This allows the
system server to install kernel modules. Effectively, system_server is one
kernel module load away from full root access.

Most devices don't need this capability. Remove this capability from
the core SELinux policy. For devices which require this capability,
they can add it to their device-specific SELinux policy without making
any framework code changes.

In particular, most Nexus devices ship with monolithic kernels, so this
capability isn't needed on those devices.

Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
/external/sepolicy/system_server.te
e5d81d1434d187c0de9624b5a3a1cd8a5bb63ba0 03-Mar-2015 dcashman <dcashman@google.com> am 40af9962: am 31a8511a: am 23f33615: Record observed system_server servicemanager service requests.

* commit '40af996297e7c07dd396fdba9a8f4bce90338e6f':
Record observed system_server servicemanager service requests.
31a8511a79aca6954abe04afb8c7a364863ca5a9 03-Mar-2015 dcashman <dcashman@google.com> am 23f33615: Record observed system_server servicemanager service requests.

* commit '23f336156daf61ba07c024af2fe96994605f46eb':
Record observed system_server servicemanager service requests.
23f336156daf61ba07c024af2fe96994605f46eb 03-Mar-2015 dcashman <dcashman@google.com> Record observed system_server servicemanager service requests.

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
/external/sepolicy/system_server.te
7939f440f5deb51f4e195bc064c83f25b2d06145 26-Feb-2015 Nick Kralevich <nnk@google.com> am ca77ce09: am cd31111d: am d99ea5a8: Merge "Revert /proc/net related changes"

* commit 'ca77ce09878196a8958eac3786cb13bf3426520a':
Revert /proc/net related changes
cd31111d5e941fe67264b985b4e2ca2841e91e2b 26-Feb-2015 Nick Kralevich <nnk@google.com> am d99ea5a8: Merge "Revert /proc/net related changes"

* commit 'd99ea5a8af11216fb3e2e315c6310d2af4f02afc':
Revert /proc/net related changes
5cf3994d8ab039f9ba47164ef9d13e2ddb5e7acd 25-Feb-2015 Nick Kralevich <nnk@google.com> Revert /proc/net related changes

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc826afb9beefda802d496befe823a081e
and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
/external/sepolicy/system_server.te
ffbc3de99f3e7a4f2d0c51bb91dd48a5db62ae4e 30-Jan-2015 Nick Kralevich <nnk@google.com> am f4c0a09b: am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec

* commit 'f4c0a09bd3c77486faf53eb0c89fdc720dd10353':
system_server: neverallow dex2oat exec
f4c0a09bd3c77486faf53eb0c89fdc720dd10353 30-Jan-2015 Nick Kralevich <nnk@google.com> am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec

* commit '437f713936148eb0cf3eb277eab72b07a1d533ca':
system_server: neverallow dex2oat exec
361cdaff3096fafc16bbe88b84d6f99f7944def7 30-Jan-2015 Nick Kralevich <nnk@google.com> system_server: neverallow dex2oat exec

system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
/external/sepolicy/system_server.te
63168cc8d7be62d34a02cd0cb157b13c35ff4049 20-Jan-2015 dcashman <dcashman@google.com> am 854ad128: am a5119ee7: am 566e8fe2: Record service accesses.

* commit '854ad128c9de75aae66ca8868f317a133974e4a8':
Record service accesses.
854ad128c9de75aae66ca8868f317a133974e4a8 20-Jan-2015 dcashman <dcashman@google.com> am a5119ee7: am 566e8fe2: Record service accesses.

* commit 'a5119ee7900d511278b12d04f436ed25110556cf':
Record service accesses.
566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 17-Jan-2015 dcashman <dcashman@google.com> Record service accesses.

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
/external/sepolicy/system_server.te
6ca7a15ad212c62b591cf906169b200155407c2a 16-Jan-2015 dcashman <dcashman@google.com> am 7dc1417b: am c1142451: am 0d16b5ac: Merge "Remove known system_server service accesses from auditing."

* commit '7dc1417b628d017b79848c62b450078834e7c612':
Remove known system_server service accesses from auditing.
1267d6674581e60901184030c3a9c77828ab91fb 16-Jan-2015 Nick Kralevich <nnk@google.com> am 5585c30a: am acf209e8: am 99940d1a: remove /proc/net read access from domain.te

* commit '5585c30ace954b880b8099e2847f3f860bc7b9e3':
remove /proc/net read access from domain.te
7dc1417b628d017b79848c62b450078834e7c612 16-Jan-2015 dcashman <dcashman@google.com> am c1142451: am 0d16b5ac: Merge "Remove known system_server service accesses from auditing."

* commit 'c1142451d9d91fba3f4f3910ecbfd0b2263c445d':
Remove known system_server service accesses from auditing.
c631ede7dc7cb131b1bdd03ce296eeac53dc9add 16-Jan-2015 dcashman <dcashman@google.com> Remove known system_server service accesses from auditing.

Address observed audit logs of the form:
granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
/external/sepolicy/system_server.te
5585c30ace954b880b8099e2847f3f860bc7b9e3 15-Jan-2015 Nick Kralevich <nnk@google.com> am acf209e8: am 99940d1a: remove /proc/net read access from domain.te

* commit 'acf209e8c38e2a2ed7510551961a5812f63a4935':
remove /proc/net read access from domain.te
3c2e91f325225323e1414a27a94e2279d94e26ba 15-Jan-2015 Brian Carlstrom <bdc@google.com> resolved conflicts for merge of 61e82a2c to master

Change-Id: Iab9f024f046ca5393e3625267d1cedfbdd74e8e7
61e82a2cfc5483fb89d5b210db0495627d758150 15-Jan-2015 dcashman <dcashman@google.com> resolved conflicts for merge of e55f2b81 to lmp-mr1-dev-plus-aosp

Change-Id: If8473c40d1b3da93d1f0f74d24f40633b2209f5e
99940d1af5719f1622fa2a17f8daf6cb21de3ad1 14-Jan-2015 Nick Kralevich <nnk@google.com> remove /proc/net read access from domain.te

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
/external/sepolicy/system_server.te
4a89cdfa89448c8660308a31bfcb517fffaa239e 17-Dec-2014 dcashman <dcashman@google.com> Make system_server_service an attribute.

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/external/sepolicy/system_server.te
880938af90019a600b10baf8ce225cb371e9473b 17-Dec-2014 dcashman <dcashman@google.com> am 49e7e0c2: am d8800a10: am cd82557d: Restrict service_manager find and list access.

* commit '49e7e0c24846468fe6ed408ef00b8182058fb30f':
Restrict service_manager find and list access.
49e7e0c24846468fe6ed408ef00b8182058fb30f 17-Dec-2014 dcashman <dcashman@google.com> am d8800a10: am cd82557d: Restrict service_manager find and list access.

* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
Restrict service_manager find and list access.
cd82557d4069c20bda8e18aa7f72fc0521a3ae32 12-Dec-2014 dcashman <dcashman@google.com> Restrict service_manager find and list access.

All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
/external/sepolicy/system_server.te
fba17fd2f413e8fc376752d9c9ef6d7d924bd6a4 15-Nov-2014 Mike Lockwood <lockwood@google.com> Add support for MIDI service

Change-Id: If7241659a8252d65187673f0d8e87150d5dfb72d
/external/sepolicy/system_server.te
6eabeb20f9e5aff2cd46c219903ea4479cc9f3e5 19-Nov-2014 Nick Kralevich <nnk@google.com> am c230c292: am c48971f6: allow system_server to set ro.build.fingerprint

* commit 'c230c2926d7ce3ca7348a391ad15adb55d5c74f3':
allow system_server to set ro.build.fingerprint
c48971f69fa07c98e62b9a8b0a2ba171846fbea1 18-Nov-2014 Nick Kralevich <nnk@google.com> allow system_server to set ro.build.fingerprint

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

avc: denied { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
init: sys_prop: permission denied uid:1000 name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
/external/sepolicy/system_server.te
0ff85767a30885a65a61aa9b854c8b929cc6b33e 29-Oct-2014 Nick Kralevich <nnk@google.com> am 4d9648e3: am b519949d: system_server: assert app data files never opened directly

* commit '4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9':
system_server: assert app data files never opened directly
4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9 28-Oct-2014 Nick Kralevich <nnk@google.com> am b519949d: system_server: assert app data files never opened directly

* commit 'b519949df150ebe4fc9bf3db52542bb5d9238d4e':
system_server: assert app data files never opened directly
8526aced7551291a2a8d9d1fca3f8a719d9ecb24 25-Oct-2014 Nick Kralevich <nnk@google.com> am 491c5368: am 2d1650f4: allow system_server to set kernel scheduling priority

* commit '491c5368f7cdae8f7b94ed620706ed61c092e8d1':
allow system_server to set kernel scheduling priority
2d1650f4075db4f4f458de4c1a4cb5869c44b936 24-Oct-2014 Nick Kralevich <nnk@google.com> allow system_server to set kernel scheduling priority

Addresses the following denial:

avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855
/external/sepolicy/system_server.te
b519949df150ebe4fc9bf3db52542bb5d9238d4e 23-Oct-2014 Nick Kralevich <nnk@google.com> system_server: assert app data files never opened directly

Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.

This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700

Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d
/external/sepolicy/system_server.te
255d40927631a9fb71b068db5022bd969562b49a 16-Oct-2014 Robin Lee <rgl@google.com> resolved conflicts for merge of bdec09b9 to lmp-mr1-dev-plus-aosp

Change-Id: I9f1dd4fd401df73006f79205557daa17313d36f4
5871d1bc18f32b4411c731c1bd9c8d3974691eab 16-Oct-2014 Robin Lee <rgl@google.com> resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp

Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
51bfecf49d50982f64aba1fa73bbbdd2e40a444f 13-Oct-2014 Robin Lee <rgl@google.com> Pull keychain-data policy out of system-data

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
/external/sepolicy/system_server.te
86facd93880604879486221e462b4f8a451247a5 11-Oct-2014 Nick Kralevich <nnk@google.com> am 0ed8f86e: am 2380d05f: allow system_server oemfs read access

* commit '0ed8f86eba294cfc76c283852d0da6542c631c31':
allow system_server oemfs read access
7fe94a1c79b4fa0c8049ac23c66ccf77b5b3ad33 11-Oct-2014 Nick Kralevich <nnk@google.com> am 2380d05f: allow system_server oemfs read access

* commit '2380d05f9791b6789b81e28ca8841df1b8b62c6d':
allow system_server oemfs read access
2380d05f9791b6789b81e28ca8841df1b8b62c6d 11-Oct-2014 Nick Kralevich <nnk@google.com> allow system_server oemfs read access

Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d
/external/sepolicy/system_server.te
f37ce3f3e2ad68da61f709567cd166a83316e3f3 08-Sep-2014 dcashman <dcashman@google.com> Add support for factory reset protection.

Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300a522fb9c7e233b6d040533ad16708a0e)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
/external/sepolicy/system_server.te
72acd6bbbe65f8d776028a4097c427fd1dad235b 27-Aug-2014 Robin Lee <rgl@google.com> Allow system reset_uid, sync_uid, password_uid

Permits the system server to change keystore passwords for users other
than primary.

(cherrypicked from commit de08be8aa006c313e5025ba5f032abf786a39f71)

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/external/sepolicy/system_server.te
43b8bc53ab177296f88fbc6fc8c3c8b225f13bca 09-Sep-2014 dcashman <dcashman@google.com> resolved conflicts for merge of 47bd7300 to lmp-dev-plus-aosp

Change-Id: I9631fb1774893d2eeccd7f1f5a867cb5dd98d53d
47bd7300a522fb9c7e233b6d040533ad16708a0e 08-Sep-2014 dcashman <dcashman@google.com> Add support for factory reset protection.

Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
/external/sepolicy/system_server.te
f9ea564a9ee3d80c92d198bf52e28eed7dac509d 30-Aug-2014 Robin Lee <rgl@google.com> am de08be8a: Allow system reset_uid, sync_uid, password_uid

* commit 'de08be8aa006c313e5025ba5f032abf786a39f71':
Allow system reset_uid, sync_uid, password_uid
de08be8aa006c313e5025ba5f032abf786a39f71 27-Aug-2014 Robin Lee <rgl@google.com> Allow system reset_uid, sync_uid, password_uid

Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/external/sepolicy/system_server.te
bd6d1f385b7d3eec5ba49947c3b01464a809f8d0 29-Aug-2014 Brian Carlstrom <bdc@google.com> am 09eae908: Remove system_server create access from /data/dalvik-cache

* commit '09eae90890d4a2545358b8ba104e1f2a46df1408':
Remove system_server create access from /data/dalvik-cache
09eae90890d4a2545358b8ba104e1f2a46df1408 29-Aug-2014 Brian Carlstrom <bdc@google.com> Remove system_server create access from /data/dalvik-cache

Bug: 16875245

(cherry picked from commit 372d0df796389e2f6295a394492585ed64f0ceca)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
/external/sepolicy/system_server.te
372d0df796389e2f6295a394492585ed64f0ceca 29-Aug-2014 Brian Carlstrom <bdc@google.com> Remove system_server create access from /data/dalvik-cache

Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
/external/sepolicy/system_server.te
4a518b8bbf1e085fd4984f652209442f39ac0cfe 29-Jul-2014 Sreeram Ramachandran <sreeram@google.com> am 997461bd: Allow system_server to talk to netlink directly.

* commit '997461bda5aaedeabf48021e3291293e48501ef7':
Allow system_server to talk to netlink directly.
997461bda5aaedeabf48021e3291293e48501ef7 29-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Allow system_server to talk to netlink directly.

This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
/external/sepolicy/system_server.te
d065f0483c89d18aa92f60646b3e0867072bc8ff 26-Jul-2014 Nick Kralevich <nnk@google.com> Resync lmp-dev-plus-aosp with master

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327246833c9aba55a645e6c433e9f321e27
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c
/external/sepolicy/system_server.te
7d62aceef4918c1fd08d7774c7a7d4f4562c317b 25-Jul-2014 Narayan Kamath <narayan@google.com> am aa8e657e: Revert "fix system_server dex2oat exec"

* commit 'aa8e657ef09d70d8ea5657b624022925d92f4711':
Revert "fix system_server dex2oat exec"
aa8e657ef09d70d8ea5657b624022925d92f4711 25-Jul-2014 Narayan Kamath <narayan@google.com> Revert "fix system_server dex2oat exec"

This reverts commit 10370f5ff47745fe9678d18ff788e51e665bf36e.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
/external/sepolicy/system_server.te
9d24d52e9742cca22425aa6fbc34dde69b3bd0df 24-Jul-2014 Stephen Smalley <sds@tycho.nsa.gov> am ba992496: Define debuggerd class, permissions, and rules.

* commit 'ba992496f01e40a10d9749bb25b6498138e607fb':
Define debuggerd class, permissions, and rules.
ba992496f01e40a10d9749bb25b6498138e607fb 24-Jul-2014 Stephen Smalley <sds@tycho.nsa.gov> Define debuggerd class, permissions, and rules.

Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
bf696327246833c9aba55a645e6c433e9f321e27 18-Jul-2014 Riley Spahn <rileyspahn@google.com> DO NOT MERGE: Remove service_manager audit_allows.

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
/external/sepolicy/system_server.te
d26357641d9f85750f63c9e4ec441a506e806389 16-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove auditallow from system_server.

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7ca281d2b372def95b92b400a073604b6)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
/external/sepolicy/system_server.te
5a25fbf7ca281d2b372def95b92b400a073604b6 16-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove auditallow from system_server.

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

Change-Id: I27a05761c14def3a86b0749cdb895190bdcf9d71
/external/sepolicy/system_server.te
344fc109e9787f91946ac852bb513c796aab38f6 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98880a683c276589ab7d8d7666b7f8c1)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
/external/sepolicy/system_server.te
10370f5ff47745fe9678d18ff788e51e665bf36e 15-Jul-2014 Nick Kralevich <nnk@google.com> fix system_server dex2oat exec

Addresses the following denial:

W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
/external/sepolicy/system_server.te
81839dfb24094803125f7ac9d4844207b61569ed 15-Jul-2014 Ed Heyl <edheyl@google.com> reconcile aosp (3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea) after branching. Please do not merge.

Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
/external/sepolicy/system_server.te
8395bb4ad005c1a2fc8085715bb3155867b212e5 15-Jul-2014 Nick Kralevich <nnk@google.com> fix system_server dex2oat exec

Addresses the following denial:

W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
/external/sepolicy/system_server.te
b8511e0d98880a683c276589ab7d8d7666b7f8c1 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/external/sepolicy/system_server.te
3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea 11-Jul-2014 Todd Poynor <toddpoynor@google.com> Allow oemfs search for system_server and bootanim

Address denials in devices that use /oem

Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403
/external/sepolicy/system_server.te
5d60f04e5d43d084992d59c38a631a034b88e715 10-Jul-2014 Colin Cross <ccross@android.com> sepolicy: allow system server to remove cgroups

Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
/external/sepolicy/system_server.te
d8447fdfe1db8571158659bc2daf058335842a06 10-Jul-2014 Andres Morales <anmorales@google.com> Typedef+rules for SysSer to access persistent block device

Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
/external/sepolicy/system_server.te
be092af039148e3cadcd49ee7042b8f39c7e95a2 07-Jul-2014 Jeff Sharkey <jsharkey@android.com> Rules to allow installing package directories.

Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
/external/sepolicy/system_server.te
d00eff47fe1f0b73dce96241ac348599f7d8e41c 04-Jul-2014 Nick Kralevich <nnk@google.com> system_server: bring back sdcard_type neverallow rule

We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba
/external/sepolicy/system_server.te
596bcc768758f38534a537a3fb54875225417f2c 01-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove keystore auditallow statements from system.

Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
/external/sepolicy/system_server.te
1196d2a5763c9a99be99ba81a4a29d938a83cc06 17-Jun-2014 Riley Spahn <rileyspahn@google.com> Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
/external/sepolicy/system_server.te
8c6552acfba677442d565a0c7f8e44f5f2af57f2 25-Jun-2014 Nick Kralevich <nnk@google.com> Allow system_server to read all /proc files

system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

W/ProcessCpuTracker(12159): Skipping unknown process pid 1
W/ProcessCpuTracker(12159): Skipping unknown process pid 2
W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512
/external/sepolicy/system_server.te
fee49159e760162b0e8ee5a4590c50a65b8e322f 19-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Align SELinux property policy with init property_perms.

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
97a2cfdf6618f98fe1da51c5e77d9a5d2765c04e 18-Jun-2014 Paul Jensen <pauljensen@google.com> Allow Bluetooth app to initiate DHCP service on bt-pan interface.

bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
/external/sepolicy/system_server.te
04e730b635d961f1610886e96622214b9a5e40d4 19-Jun-2014 Nick Kralevich <nnk@google.com> system_server: allow open /dev/snd and read files

system_server needs to open /dev/snd and access files
within that directory. Allow it.

system_server needs to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.

Addresses the following denial:

system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir

and likely others

Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
/external/sepolicy/system_server.te
00b180dfb8195fa559f45e812c9c2a82bdbd9c40 17-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Eliminate some duplicated rules.

As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
fad4d5fb00ddb1f61c22c003429e10f10b046d0d 16-Jun-2014 Nick Kralevich <nnk@google.com> Fix SELinux policies to allow resource overlays.

The following commits added support for runtime resource overlays.

New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
/external/sepolicy/system_server.te
a76d9ddf6bf8f0ee0768a2129fa7606f66b0b510 14-Jun-2014 Nick Kralevich <nnk@google.com> system_server profile access

Still not fixed. *sigh*

Addresses the following denial:

<4>[ 40.515398] type=1400 audit(15842931.469:9): avc: denied { read } for pid=814 comm="system_server" name="profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: I705a4cc9c508200ace46780c18b7112b62f27994
/external/sepolicy/system_server.te
96d9af423575aec5559bd1a7094203c9e0586347 13-Jun-2014 Nick Kralevich <nnk@google.com> allow system_server getattr on /data/dalvik-cache/profiles

867030517724036b64fcaf39deaba1b27f3ca77e wasn't complete. I thought
getattr on the directory wasn't needed but I was wrong. Not sure
how I missed this.

Addresses the following denial:

<4>[ 40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
/external/sepolicy/system_server.te
867030517724036b64fcaf39deaba1b27f3ca77e 11-Jun-2014 Nick Kralevich <nnk@google.com> Remove world-read access to /data/dalvik-cache/profiles

Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to
read/write profiling data.

Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
/external/sepolicy/system_server.te
f90c41f6e8d5c1266e154f46586a2ceb260f1be6 06-Jun-2014 Riley Spahn <rileyspahn@google.com> Add SELinux rules for service_manager.

Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
/external/sepolicy/system_server.te
13d5886363675915e5115ccc0a95ca5d7776730b 11-Jun-2014 Ruchi Kandoi <kandoiruchi@google.com> system_server: Adds permission to system_server to write sysfs file

Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.

Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8

Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
/external/sepolicy/system_server.te
6bb672e6b3df2fb3dbb49f32e5f30589ff539e6e 26-Nov-2013 Stephen Smalley <sds@tycho.nsa.gov> Make the system_server domain enforcing.

Change-Id: I1ea20044bd6789dde002da7fc9613cfbf1ee2d23
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
2cc6d63d5d88824527a7fd89a0cacf5702109eae 04-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server access to /data/media files passed via Binder.

Addresses denials such as:
avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
f85c1fc293523db241c48d815b165067b8a0f471 27-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow installd, vold, system_server unlabeled access.

The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose. vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so. system_server tries to access all /data/data
subdirectories so permit it to do so. installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
8599e34b95705638034b798c56bc2cc8bb2e6372 23-May-2014 Nick Kralevich <nnk@google.com> Introduce wakelock_use()

Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.

Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.

Still TODO: fix device specific wakelock use.

Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
/external/sepolicy/system_server.te
a16a59e2c7f1e2f09bf7b750101973a974c972e8 14-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove graphics_device access.

Neither mediaserver nor system_server appear to require
direct access to graphics_device, i.e. the framebuffer
device. Drop it.

Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
782e084dc249ec96a4659c523ffc6a53ee46abb1 14-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server to read tombstones.

Address denials such as:
avc: denied { read } for name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
avc: denied { open } for name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
avc: denied { getattr } for path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
avc: denied { read } for name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
avc: denied { open } for name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
538edd3317fd56d6d1871aebe83f0636946fbc94 12-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Restrict system_server to only the data file types needed.

Drop rules on data_file_type attribute and replace with rules
on specific types under /data.

Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
02dac03a8c7cc79306cf5807f86af3e01f5dc4af 09-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Drop relabelto_domain() macro and its associated definitions.

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
cd905ec04e6db7f9116afe05c95c0d5e387e5b15 09-May-2014 Nick Kralevich <nnk@google.com> Protect keystore's files.

Only keystore itself should be reading / writing its files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
/external/sepolicy/system_server.te
53cde700cda6caad25ba06092fa850ff51dd2431 07-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Report graphics_device accesses by system_server or mediaserver.

See if we can remove these allow rules by auditing any granting
of these permissions. These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.

Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
3f3d6ffb7ee98116404e4a85ad027a98b70c2331 15-Apr-2014 Nick Kralevich <nnk@google.com> Allow system_server pstore access.

pstore contains /sys/fs/pstore/console-ramoops, which is the
replacement for /proc/last_kmsg. Both files are read by system_server
on startup. Allow access.

Addresses the following denials:

<12>[ 53.836838] type=1400 audit(949060020.909:19): avc: denied { search } for pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir
<12>[ 53.856546] type=1400 audit(949060020.909:20): avc: denied { getattr } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.878425] type=1400 audit(949060020.909:21): avc: denied { read } for pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.898476] type=1400 audit(949060020.909:22): avc: denied { open } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file

Change-Id: I7307da751961b242e68adb319da9c00192e77bbb
/external/sepolicy/system_server.te
e06e53638808ec0d14aaee701590fdc93cfd3150 21-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow inputflinger to call system_server.

Resolves denials such as:
avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { open } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { search } for pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { call } for pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
971b5d7c9f6cd134cfa89ca211cbaabe1ac606a4 18-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server to set ctl.bugreport property.

Resolves denials such as:
avc: denied { set } for property=ctl.bugreport scontext=u:r:system_server:s0 tcontext=u:object_r:ctl_bugreport_prop:s0 tclass=property_service

Change-Id: I6c3085065157f418fc0cd4d01fa178eecfe334ad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
bafbf8133015204ac1b9116ccd4235e8a615895c 14-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server to read from log daemon.

Addresses denials such as:
avc: denied { write } for pid=1797 comm="logcat" name="logdr" dev="tmpfs" ino=7523 scontext=u:r:system_server:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file
avc: denied { connectto } for pid=1797 comm="logcat" path="/dev/socket/logdr" scontext=u:r:system_server:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket

Change-Id: Idc4f48519ca3d81125102e8f15f68989500f5e9e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
6fe899a0d1905682c3224f1a3809288dacc0ca3f 13-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Silence /proc/pid denials.

system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
c18121811c59335b4b59e8ffc52179ad6049640b 06-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Deduplicate and rationalize system_server /proc/pid access.

The system_server has duplicate/overlapping rules regarding
/proc/pid access as well as a lack of clarity on the reason
for the different rules. Deduplicate the rules and clarify
the purpose of different sets of rules.

Replace the rules granting /proc/pid access for all domains with
specific rules only for domains that we know should be accessible
by the system_server, i.e. all apps (appdomain) and the set of
native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.

Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
d9d9d2f4170b96a674c8222287bbe4cddfc8de3a 05-Mar-2014 Nick Kralevich <nnk@google.com> temp fix for build breakage.

libsepol.check_assertion_helper: neverallow on line 8857 violated by allow system_server sdcard_external:file { ioctl read write getattr lock append open };
Error while expanding policy
make: *** [out/target/product/manta/obj/ETC/sepolicy_intermediates/sepolicy] Error 1

Change-Id: I181707ed66bad3db56f9084b3d9ba161d13b34bd
/external/sepolicy/system_server.te
d331e00bd8101b5ab63e08822cdad7a223c2a5dd 05-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Do not allow system_server to access SDcard files.

As per:
https://android-review.googlesource.com/#/c/84130/3/system_server.te@240
it is unsafe to allow such access.

Add a neverallow rule to prohibit any rules on sdcard_type in the
future.

Change-Id: Ife714b65b07144eb6228a048a55ba82181595213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
3dad7b611a448fa43a678ff760c23a00f387947e 05-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Address system_server denials.

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
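As an added example (not code from the AOSP sepolicy project or from any commit in this log), the script below is a small triage helper for avc denial lines like the ones quoted in the commit message above and in earlier entries on this page. The sample input is constructed from denial lines copied from those messages and covers the three layouts that appear here: bare `avc: denied`, kernel-log prefixed `<N>[ ts] type=1400 audit(...)`, and process-prefixed `system_server( 1118): ...`. It decodes hex-encoded `comm` values (audit hex-encodes a field when it contains whitespace, which is why "Signal Catcher" and "UsbService host" show up as hex above), groups denials by source context, target context and class into the shape of the allow rule a reviewer would be asked to add, and flags targets that the "Do not allow system_server to access SDcard files" entry above says must stay covered by a neverallow rather than be allowed. Function and constant names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: avc denial lines copied from commit messages on this page,
# one per layout seen in the log (process-prefixed, kernel-prefixed, bare).
SAMPLE_DENIALS = """\
system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir
<12>[ 53.836838] type=1400 audit(949060020.909:19): avc: denied { search } for pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir
<12>[ 53.878425] type=1400 audit(949060020.909:21): avc: denied { read } for pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.898476] type=1400 audit(949060020.909:22): avc: denied { open } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process
avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket
avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file
"""

# Whatever precedes "avc:" (kernel timestamp, audit header, process name) is ignored.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields that audit emits as a bare hex string when the value contains whitespace.
HEX_ENCODED_FIELDS = {'comm', 'name', 'path', 'exe'}


def decode_audit_value(key, raw):
    """Strip audit quoting; decode hex-encoded string fields (never numeric ones)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        decoded = bytes.fromhex(raw).decode('latin-1')
        if decoded.isprintable():
            return decoded
    return raw


def parse_denial(line):
    """Return a dict of fields plus a 'perms' frozenset, or None if not a denial line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: decode_audit_value(key, raw) for key, raw in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = frozenset(m.group('perms').split())
    return fields


def summarize(lines):
    """Group denials by (scontext, tcontext, tclass) and union their permissions."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            grouped[(d['scontext'], d['tcontext'], d['tclass'])] |= d['perms']
    return {key: frozenset(perms) for key, perms in grouped.items()}


def domain(context):
    """'u:r:system_server:s0' -> 'system_server' (the type is the third field)."""
    return context.split(':')[2]


def proposed_rule(key, perms):
    """The allow rule a denial group maps to; same-context denials become 'self'."""
    scontext, tcontext, tclass = key
    target = 'self' if scontext == tcontext else domain(tcontext)
    return f"allow {domain(scontext)} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def review_flag(key):
    """Return a reason this group must not simply be allowed, or None.
    The sdcard check mirrors the neverallow on sdcard_type for system_server
    recorded in this log; other policy constraints would be added here."""
    _scontext, tcontext, _tclass = key
    if domain(tcontext).startswith('sdcard'):
        return 'target is an sdcard type: covered by neverallow, fix the caller instead'
    return None


if __name__ == '__main__':
    for key, perms in summarize(SAMPLE_DENIALS.splitlines()).items():
        flag = review_flag(key)
        print(('REVIEW  ' if flag else 'ok      ') + proposed_rule(key, perms) + (f'  # {flag}' if flag else ''))
```

Run as-is, the script prints one candidate rule per (source, target, class) group; the `sdcard_internal` group is marked for review instead of being handed to the policy author, which is the difference between this and a plain audit2allow pass.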
28afdd9234236d0b3c510f28255aa14625d11457 26-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Deduplicate binder_call rules.

A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
63b98b17e41b74a7595dc80e1958550cf6b887d1 26-Feb-2014 Nick Kralevich <nnk@google.com> restore system_server zygote socket rules

1601132086b054adc70e7f8f38ed24574c90bc37 removed the getattr/getopt
support for system_server, which is needed to close the zygote socket.
See b/12061011 for details.

system_server still needs this rule, and it's expected to stay
permanently. Restore the rule and remove the comment about it eventually
being deleted.

Addresses the following denials:

<5>[ 86.307639] type=1400 audit(1393376281.530:5): avc: denied { getattr } for pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
<5>[ 86.307945] type=1400 audit(1393376281.530:6): avc: denied { getopt } for pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12114500
Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d
/external/sepolicy/system_server.te
37afd3f6c337a6914de36ec8658593b523f32e3d 27-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove system_server and zygote unlabeled execute access.

Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.

This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.

That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.

Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
0296b9434f3b933b37f67c143788f87cb80b3325 25-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.

Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
2c347e0a3676bb50cac796ca94eb6ab53c08fc87 25-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Drop obsolete keystore_socket type and rules.

Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while. The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
1601132086b054adc70e7f8f38ed24574c90bc37 24-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Clean up socket rules.

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
335faf2b9b2d68d02223d1aedecf826bb9597f34 21-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow stat of /sys/module/lowmemorykiller files by system_server.

<5>[ 43.929760] type=1400 audit(6342882.819:16): avc: denied { getattr } for pid=779 comm="system_server" path="/sys/module/lowmemorykiller/parameters/adj" dev="sysfs" ino=6048 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file

Change-Id: I48828ca26814c6376c9c71c368f3eff0f7a8f219
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
5467fce636d0cebb86f3684f7a69d883324384ca 13-Feb-2014 Nick Kralevich <nnk@google.com> initial lmkd policy.

* Allow writes to /proc/PID/oom_score_adj
* Allow writes to /sys/module/lowmemorykiller/*

Addresses the following denials:
<5>[ 3.825371] type=1400 audit(9781555.430:5): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 48.874747] type=1400 audit(9781600.639:16): avc: denied { search } for pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[ 48.874889] type=1400 audit(9781600.639:17): avc: denied { dac_override } for pid=176 comm="lmkd" capability=1 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
<5>[ 48.874982] type=1400 audit(9781600.639:18): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 48.875075] type=1400 audit(9781600.639:19): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 49.409231] type=1400 audit(9781601.169:20): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 209.081990] type=1400 audit(9781760.839:24): avc: denied { search } for pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir
<5>[ 209.082240] type=1400 audit(9781760.839:25): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[ 209.082498] type=1400 audit(9781760.839:26): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[ 209.119673] type=1400 audit(9781760.879:27): avc: denied { search } for pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir
<5>[ 209.119937] type=1400 audit(9781760.879:28): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[ 209.120105] type=1400 audit(9781760.879:29): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[ 209.235597] type=1400 audit(9781760.999:30): avc: denied { search } for pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[ 209.235798] type=1400 audit(9781760.999:31): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[ 209.236006] type=1400 audit(9781760.999:32): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[ 214.297283] type=1400 audit(9781766.059:64): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[ 214.297415] type=1400 audit(9781766.059:65): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[ 214.355060] type=1400 audit(9781766.119:66): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[ 214.355236] type=1400 audit(9781766.119:67): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[ 214.516920] type=1400 audit(9781766.279:68): avc: denied { search } for pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir
<5>[ 214.678861] type=1400 audit(9781766.439:69): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[ 214.678992] type=1400 audit(9781766.439:70): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[ 214.708284] type=1400 audit(9781766.469:71): avc: denied { search } for pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[ 214.708435] type=1400 audit(9781766.469:72): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[ 214.708648] type=1400 audit(9781766.469:73): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file

Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4
/external/sepolicy/system_server.te
418e2abd39a3c86c4f8c7fcac93a1a7beea7a092 29-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Label /data/misc/wifi/sockets with wpa_socket.

This will ensure that any sockets created in this directory
will default to wpa_socket unless a type_transition is defined.
Define a type transition for system_server to keep its separate
system_wpa_socket type assigned for its socket. Allow wpa
to create and unlink sockets in the directory. We leave the
already existing rules for wifi_data_file in place for compatibility
with existing devices that have wifi_data_file on /data/misc/wifi/sockets.

Change-Id: I9e35cc93abf89ce3594860aa3193f84a3b42ea6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
8ed750e9731e6e3a21785e91e9b1cf7390c16738 13-Nov-2013 Mark Salyzyn <salyzyn@google.com> sepolicy: Add write_logd, read_logd & control_logd

- Add write_logd, read_logd and control_logd macros added along
with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
deal with fd inheritance. ToDo: investigate means to allow
references to close, and reopen in context of application
or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
/external/sepolicy/system_server.te
208deb335719280c11ab0e6aa033bfd33629320a 29-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow dumpstate to run am and shell.

See http://code.google.com/p/android/issues/detail?id=65339

Further denials were observed in testing and allowed as well.

Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
623975fa5aece708032aaf29689d73e1f3a615e7 11-Jan-2014 Nick Kralevich <nnk@google.com> Support forcing permissive domains to unconfined.

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/external/sepolicy/system_server.te
959fdaaa25d7dbfad8a1900dfe9575f873cea649 09-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove unlabeled execute access from domain, add to appdomain.

Otherwise all domains can create/write files that are executable
by all other domains. If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
c50bf17d4f4ae4615c9f189236f593db5ff21180 08-Jan-2014 Robert Craig <rpcraig@tycho.ncsc.mil> Address new system server denial.

Allow system_server to unlink sockets created
by the wpa supplicant. This will resolve the following
denial seen across multiple devices.

avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file

Change-Id: If3a8b1f270dfcd3dc6838eb8ac72e3d5004cc36d
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/external/sepolicy/system_server.te
37339c763e9082573fcc86e14a6fb9d2d4b9d20c 06-Jan-2014 Nick Kralevich <nnk@google.com> fix mediaserver selinux denials.

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
character devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
/external/sepolicy/system_server.te
e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1 23-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Only allow PROT_EXEC for ashmem where required.

tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions. execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains. Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now; we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
527316a21b80c2a70d8ed23351299a4dce0c77bf 23-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
13e44ec74d326463213c4c01963c776a699467cb 19-Dec-2013 Nick Kralevich <nnk@google.com> allow system_server block_suspend

I'm only seeing this denial on one device (manta), but it feels like
it should be part of the generic policy. I don't understand
why it's happening on only one device.

Addresses the following denial:

14.711671 type=1400 audit(1387474628.570:6): avc: denied { block_suspend } for pid=533 comm="InputReader" capability=36 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2

Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47
/external/sepolicy/system_server.te
c4d7c0d797a9ef48df1d581578a8f84f9a45aac7 17-Dec-2013 Nick Kralevich <nnk@google.com> system_server.te: allow getopt/getattr on zygote socket

In 61dc35072090f2735af2b39572e39eadb30573eb, I forgot to allow
system_server to run getopt/getattr on the zygote socket.

Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6
/external/sepolicy/system_server.te
3ba9012535d8412d94db4ae9a5ce928b806e26d8 12-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Move gpu_device type and rules to core policy.

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
2b392fccf35c790bdc55bdce51a196f4953644ce 06-Dec-2013 Nick Kralevich <nnk@google.com> Move lmkd into its own domain.

lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd. ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
/external/sepolicy/system_server.te
a49ba927e39bb21f18f8340334cf5781e124eb3d 02-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Allow SELinuxPolicyInstallReceiver to work.

Change-Id: I10006f43c142f07168e2ea0f4f5f7af68d03e504
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
af47ebb67aa64d699615693bf4603ec173417175 04-Nov-2013 Stephen Smalley <sds@tycho.nsa.gov> Label /dev/fscklogs and allow system_server access to it.

Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
2a604adf1b8fd887f01bc717d64fd1c8105f4d8e 04-Nov-2013 Stephen Smalley <sds@tycho.nsa.gov> Confine healthd, but leave it permissive for now.

Remove unconfined_domain() and add the allow rules required for
operation of healthd. Restore the permissive declaration until
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4
kernel.

Resolves the following denials in 4.4:
type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file
type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
shell@generic:/ $ type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder
type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
cd95e0acf18c940288f4abb8e1cfe6c052bb6543 01-Nov-2013 Nick Kralevich <nnk@google.com> Allow system_server to set powerctl_prop

Otherwise we break "adb root && adb shell svc power reboot",
which has the side effect of killing all of our test automation
(oops).

Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631
/external/sepolicy/system_server.te
dd1ec6d557e80c688f7f1e4aef522b6441e8151a 01-Nov-2013 Nick Kralevich <nnk@google.com> Give system_server / system_app ability to write some properties

Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl
<4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
/external/sepolicy/system_server.te
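The avc denial lines quoted in the commits above (the healthd and wpa_socket denials, the dalvik-cache execute denials, and the property_service denials just above) are the raw material for every allow rule in this history. As an added example that is not part of AOSP, of audit2allow, or of any commit on this page, the following Python does the same triage step those tools perform: it parses each denial line regardless of its dmesg or audit prefix, groups the denied permissions by (source type, target type, class), emits candidate allow rules in .te syntax, and flags raw permission bits such as `{ 0x10 }` that the loaded policy has no name for. The sample lines are copied from the commit messages above; the function and regex names are this example's own.

```python
import re

# Permissions inside "avc: denied { ... }"; the key=value fields follow it.
_PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
# key=value pairs: the value is either "quoted" (comm, path, name) or a bare token.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A raw permission bit the kernel could not name, e.g. "0x10" in capability2
# when the loaded policy does not define that bit in its access vectors.
_RAW_PERM_RE = re.compile(r'^0x[0-9a-fA-F]+$')

# Denial lines copied from the commit messages above (healthd, property
# service, wpa_socket). The init: line is deliberately included: it is not
# an avc record and must be skipped by the parser.
SAMPLE_DENIALS = """\
type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
<4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl
avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file
"""


def _type_of(context):
    """Return the type field of a context such as u:r:healthd:s0 -> healthd."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc_denial(line):
    """Parse one avc denial line into a dict, or return None if it is not one.

    Anything before "avc:" (dmesg "<4>[ ... ]", "type=1400 audit(...):") is
    ignored, so logcat, dmesg and audit.log lines are all accepted.
    """
    m = _PERMS_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in _FIELD_RE.findall(line[m.end():]):
        fields[key] = bare if bare else quoted
    if not all(f in fields for f in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': m.group(1).split(),
        'source': _type_of(fields['scontext']),
        'target': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'fields': fields,
    }


def suggest_allow_rules(lines):
    """Aggregate denials into candidate allow rules, audit2allow style.

    Returns (rules, warnings). A rule looks like
    'allow healthd self:capability mknod;'. Warnings list permissions that
    cannot be written as a rule because the policy has no name for the bit.
    """
    grouped = {}
    warnings = []
    for line in lines:
        d = parse_avc_denial(line)
        if d is None:
            continue
        # A domain accessing its own context (capabilities, its own sockets)
        # is written as "self" in policy, not by repeating the type name.
        target = 'self' if d['target'] == d['source'] else d['target']
        key = (d['source'], target, d['tclass'])
        for perm in d['perms']:
            if _RAW_PERM_RE.match(perm):
                warnings.append(
                    'unnamed permission %s on %s:%s from %s; the loaded policy '
                    'does not define this bit, so no rule can be written'
                    % (perm, target, d['tclass'], d['source']))
                continue
            grouped.setdefault(key, set()).add(perm)
    rules = []
    for (source, target, tclass), perms in sorted(grouped.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ %s }' % ' '.join(plist)
        rules.append('allow %s %s:%s %s;' % (source, target, tclass, perm_str))
    return rules, warnings


if __name__ == '__main__':
    rules, warnings = suggest_allow_rules(SAMPLE_DENIALS.splitlines())
    print('\n'.join(rules))
    for w in warnings:
        print('WARNING: ' + w)
```

The output is a triage aid, not the fix. Several commits in this history resolve a denial by introducing a narrower label rather than allowing access to the type the denial names (the /dev/fscklogs denials were logged against `device:file`, and /data/system/ndebugsocket got its own type precisely so it could be distinguished from other sockets in /data/system), and a rule generated from a still-unconfined or permissive domain's log reflects everything the code path touched, not the least privilege it needs. Review each generated rule against the source of the denying component before committing it.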
1ff644112e260d2aab55e696b32350dcda0a99b8 29-Oct-2013 Stephen Smalley <sds@tycho.nsa.gov> Confine system_server, but leave it permissive for now.

Change-Id: Ia0de9d739575c34a7391db5f0be24048d89a7bd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
353c72e3b0b4d7d729af20f0c9a13c976baa8753 21-Oct-2013 Nick Kralevich <nnk@google.com> Move unconfined domains out of permissive mode.

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
/external/sepolicy/system_server.te
ec7d39ba168a5b620e6bb526f316581acc5c1238 29-Sep-2013 William Roberts <wroberts@tresys.com> Introduce controls on wake lock interface

Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1
/external/sepolicy/system_server.te
8d688315aeb053eadc2606badbe4ce52899bb694 03-Oct-2013 Alex Klyubin <klyubin@google.com> Restrict access to /dev/hw_random to system_server and init.

/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
/external/sepolicy/system_server.te
45ba665cfcc5c2fc3242a013e6070c2bed860b0a 27-Sep-2013 Stephen Smalley <sds@tycho.nsa.gov> Label and allow access to /data/system/ndebugsocket.

Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/sepolicy/system_server.te
4103b3f27ac0c6fdf16dac918ae791b709b24c6f 17-Sep-2013 Alex Klyubin <klyubin@google.com> 2/2: Rename domain "system" to "system_server".

This CL completes the renaming of domain system to system_server by
removing the "system" typealias that was temporarily added to avoid
breaking the build while the rename CLs are landing.

Change-Id: I05d11571f0e3d639026fcb9341c3476d44c54fca
/external/sepolicy/system_server.te
1fdee11df2552e29da0c48e3432f26f7a93e3bff 14-Sep-2013 Alex Klyubin <klyubin@google.com> 1/2: Rename domain "system" to "system_server".

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
/external/sepolicy/system_server.te