17cfd3fce72613613a92929ba564ad14d2a50241 | 14-Jun-2016 | dcashman <dcashman@google.com>
Keep pre-existing sysfs write permissions.

Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb type and granted the read perms globally, but did not add write permissions for all domains that previously had them. Add the ability to write to sysfs_usb for all domains that had the ability to write to those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
/system/sepolicy/system_server.te

d82df3bdb8e544fda0cd8250fa3aa527883db643 | 02-Jun-2016 | Narayan Kamath <narayan@google.com>
sepolicy: broaden system_server access to foreign_dex_data_file.

The system_server needs to rename these files when an app is upgraded.

bug: 28998083
Change-Id: Idb0c1ae774228faaecc359e4e35603dbb534592a
/system/sepolicy/system_server.te

49ac2a3d7a40d998e3b1be0b0172be8f651bc935 | 20-May-2016 | Fyodor Kupolov <fkupolov@google.com>
SELinux policies for /data/preloads directory

A new directory is created in user data partition that contains preloaded content such as a retail mode demo video and pre-loaded APKs. The new directory is writable/deletable by system server. It can only be readable (including directory list) by privileged or platform apps.

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
/system/sepolicy/system_server.te

13bdd39cf1c4aa1f86623820aea167abf1b263f2 | 12-May-2016 | Narayan Kamath <narayan@google.com>
sepolicy: broaden system_server access to foreign_dex_data_file{dir}.

The system_server needs to clear these markers along with other app data that it's responsible for clearing.

bug: 28510916
Change-Id: If9ba8b5b372cccefffd03ffddc51acac8e0b4649
/system/sepolicy/system_server.te

50c2909f23df270f75d23e16de2bb9e5363b54dd | 13-May-2016 | Andreas Gampe <agampe@google.com>
Merge changes from topic 'dump_bluetooth_through_debuggerd' into nyc-dev

* changes:
  Sepolicy: Allow debuggerd to dump backtraces of Bluetooth
  Sepolicy: Refactor long lines for debuggerd backtraces

cbfa8ddfb6b9b7441ad2205f54a1914609283bce | 13-May-2016 | Andreas Gampe <agampe@google.com>
Sepolicy: Allow debuggerd to dump backtraces of Bluetooth

Allow to dump traces of the Bluetooth process during ANR and system-server watchdog dumps.

Bug: 28658141
Change-Id: Ie78bcb25e94e1ed96ccd75f7a35ecb04e7cb2b82
/system/sepolicy/system_server.te

0983db4aa94b13995b5fbef5f60eb5a07e00378d | 12-May-2016 | Andreas Gampe <agampe@google.com>
Sepolicy: Refactor long lines for debuggerd backtraces

Split single lines in preparation for new additions.

Bug: 28658141
Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
/system/sepolicy/system_server.te

95fd38169b867c0e45d11a9dbae698bc65e43a89 | 12-May-2016 | Philip Cuadra <philipcuadra@google.com>
Merge "Add CAP_IPC_LOCK and pinner to system_server" into nyc-dev

96da70eb4f92dcf38b28e4a9854de5b222bb84e6 | 02-May-2016 | Philip Cuadra <philipcuadra@google.com>
Add CAP_IPC_LOCK and pinner to system_server

Add pinner service to system_service services. Add CAP_IPC_LOCK permissions to system_server in order to allow system_server to pin more memory than the lockedmem ulimit.

bug 28251566
Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984
/system/sepolicy/system_server.te

39cfed0b23c542cf4b95e0e2835c1886914f88ce | 30-Apr-2016 | Christopher Tate <ctate@google.com>
Allow the system to rename wallpaper files

Fast system -> lock wallpaper migration wants rename, not copy.

Bug 27599080
Change-Id: I4b07dff210fe952afb4675eecba3c5f7bf262e83
/system/sepolicy/system_server.te

8785a647a15a5bf49c64756f59a48e1b4d551be3 | 22-Apr-2016 | TreeHugger Robot <treehugger-gerrit@google.com>
Merge "Selinux: Policies for otapreopt_chroot and postinstall_dexopt" into nyc-dev

e5d8a947bdde4face86b9387b9024faaeb7724c7 | 30-Mar-2016 | Andreas Gampe <agampe@google.com>
Selinux: Policies for otapreopt_chroot and postinstall_dexopt

Give mount & chroot permissions to otapreopt_chroot related to postinstall. Add postinstall_dexopt for otapreopt in the B partition. Allow the things installd can do for dexopt. Give a few more rights to dex2oat for postinstall files. Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7
/system/sepolicy/system_server.te

fbb6d2de1cf4d4ce6e86c353b963824b1b98d43b | 21-Apr-2016 | Mukesh Agrawal <quiche@google.com>
Merge changes I9cdd52a2,Idf00e7a6 into nyc-dev

* changes:
  allow system server to set log.tag.WifiHAL
  limit shell's access to log.* properties

d9b0a34ad4c0797e7e648c0dfa4ce0866f6d62fe | 20-Apr-2016 | Christopher Tate <ctate@google.com>
Allow system_server to hard link its own files

Specifically, backup of wallpaper imagery needs to use hard links to achieve "real file" access to the large imagery files without rewriting the contents all the time just to stage for backup. They can't be symlinks because the underlying backup mechanisms refuse to act on symbolic links for other security reasons.

Bug 25727875
Change-Id: Ic48fba3f94c92a4b16ced27a23646296acf8f3a5
/system/sepolicy/system_server.te

e651f6f4687eff068e73d84f67121ffbc3486f07 | 15-Apr-2016 | mukesh agrawal <quiche@google.com>
allow system server to set log.tag.WifiHAL

On eng and userdebug builds (only), allow system server to change the value of log.tag.WifiHAL. WifiStateMachine will set this property to 'D' by default. If/when a user enables "Developer options -> Enable Wi-Fi Verbose Logging", WifiStateMachine changes log.tag.WifiHAL to 'V'.

BUG=27857554
TEST=manual (see below)

Test detail
1. on user build:
$ adb shell setprop log.tag.WifiHAL V
$ adb shell getprop log.tag.WifiHAL
<blank line>
$ adb bugreport | grep log.tag.WifiHAL
<11>[ 141.918517] init: avc: denied { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0
<11>[ 141.918566] init: sys_prop: permission denied uid:2000 name:log.tag.WifiHAL
2. on userdebug build:
$ adb shell getprop log.tag.WifiHAL
$ <blank line>
$ adb shell setprop log.tag.WifiHAL V
$ adb shell getprop log.tag.WifiHAL
V
3. on userdebug build with modified WifiStateMachine:
$ adb shell getprop log.tag.WifiHAL
D

Change-Id: I9cdd52a2b47a3dd1065262ea8c329130b7b044db
/system/sepolicy/system_server.te

f3bfc96b843902ce14650bd70024d952291fac64 | 14-Apr-2016 | Andy Hung <hunga@google.com>
Unify dumped native stack traces

Bug: 28179196
Change-Id: I580f0ae2b3d86f9f124195271f6dbb6364e4fade
/system/sepolicy/system_server.te

75b25dd1d603e73bb213c1545dba981e0d9d8333 | 06-Apr-2016 | Jeff Sharkey <jsharkey@android.com>
Allow system_server to execute timeout.

We've seen evidence that the logcat binary can end up wedged, which means we can eventually starve system_server for FDs. To mitigate this, wrap logcat using the timeout utility to kill and clean up if it takes too long to exit.

avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee
/system/sepolicy/system_server.te

b80bdef034b603efc7333f678b2cef2ce26273f6 | 05-Apr-2016 | Daniel Rosenberg <drosen@google.com>
Allow search/getattr access to media_rw_data_file for now.

With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these.

Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b
/system/sepolicy/system_server.te

0b8a181ecdada662cf7f1345efe8d196616adebb | 25-Mar-2016 | Pierre Imai <imaipi@google.com>
Merge "Remove references to deleted dhcpcd" into nyc-dev

98eff7c3d46abe2db996c0718b7386a3e368f344 | 24-Mar-2016 | dcashman <dcashman@google.com>
Move sysfs_thermal to global policy and grant access.

sysfs_thermal nodes are common enough to warrant an entry in global policy and the new HardwarePropertiesManagerService exists explicitly to expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d
/system/sepolicy/system_server.te

c585995185eaedf5bb7ae38bc1fd9a084de0e809 | 23-Mar-2016 | Pierre Imai <imaipi@google.com>
Remove references to deleted dhcpcd

Change-Id: I0c0bce9cd50a25897f5c4521ee9b4fada6648a59
/system/sepolicy/system_server.te

cf8719e7bad53d6c38b2825b736c27c3f37dbf4e | 22-Mar-2016 | Daniel Rosenberg <drosen@google.com>
Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev

027ec20696a46ee9e5fd0d89a8d98a89ca916a2f | 14-Mar-2016 | dcashman <dcashman@google.com>
Mark batteryproperties service as app_api_service.

Applications do not explicitly request handles to the batteryproperties service, but the BatteryManager obtains a reference to it and uses it for its underlying property queries. Mark it as an app_api_service so that all applications may use this API. Also remove the batterypropreg service label, as this does not appear to be used and may have been a duplication of batteryproperties. As a result, remove the healthd_service type and replace it with a more specific batteryproperties_service type.

(cherry-picked from commit: 9ed71eff4bed91653cba393ea6cb42f041d4e257)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
/system/sepolicy/system_server.te

ff2745064431351235367b1aeff586afdf3beae3 | 10-Mar-2016 | Nick Kralevich <nnk@google.com>
system_server: clean up duplicate permissions

Remove permissions which are already covered by other permissions. Found by running: sepolicy-analyze path/to/sepolicy dups

No functional change.

Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71
/system/sepolicy/system_server.te

33fe4784c35b1c33d470e9bdfdf7d0f865561947 | 25-Feb-2016 | Oleksandr Peletskyi <peletskyi@google.com>
Modified security policy to allow user to get their own icon.

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d
/system/sepolicy/system_server.te

085c16914cc27f8b23927ca5756f74239f102859 | 09-Mar-2016 | Makoto Onuki <omakoto@google.com>
Allow "shortcut manager" icons to be returned to apps

... and client apps to read them.

A full path looks like this: /data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047
Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b
/system/sepolicy/system_server.te

47fb4b9fc46fe2675b509874da340797fc43a947 | 02-Mar-2016 | Daniel Rosenberg <drosen@google.com>
sepolicy: Add policy for sdcardfs and configfs

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
/system/sepolicy/system_server.te

423fd19d91259b19f3460eb4dd5ff9d63731429b | 21-May-2015 | Stephen Smalley <sds@tycho.nsa.gov>
Update netlink socket classes.

Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree).

Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit 01d95c23ab8c14d72e4ce98b3dda64ce81ab6306)
Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
/system/sepolicy/system_server.te

acf4e099994e9dc11946e50f802e6470a18192cd | 03-Mar-2016 | Tao Bao <tbao@google.com>
Merge "Add /dev/socket/uncrypt." into nyc-dev

c285cad1a6a52763c0faf2faa60a287341e23842 | 26-Feb-2016 | Tao Bao <tbao@google.com>
Add /dev/socket/uncrypt.

system_server used to communicate with uncrypt via files (e.g. /cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B devices may not have /cache partitions anymore, we switch to communicate via /dev/socket/uncrypt to allow things like factory reset to keep working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
/system/sepolicy/system_server.te

837bc42f5f52760c511140b5ae146898ea75cba8 | 23-Feb-2016 | Calin Juravle <calin@google.com>
Add SElinux policies to allow foreign dex usage tracking.

This is a special profile folder where apps will leave profile markers for the dex files they load and don't own. System server will read the markers and decide which apk should be fully compiled instead of profile guide compiled.

Apps need only to be able to create (touch) files in this directory. System server needs only to be able to check whether or not a file with a given name exists.

Bug: 27334750
Bug: 26080105
Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
/system/sepolicy/system_server.te

6fb97cd5473192f4a24fb9c32d2a152482121365 | 23-Feb-2016 | Jeff Sharkey <jsharkey@google.com>
Merge "Offer to cache ringtones in system DE storage." into nyc-dev

62bb52c4d4cce270ef2743a557bfe179813dd928 | 23-Feb-2016 | Jeff Sharkey <jsharkey@android.com>
Offer to cache ringtones in system DE storage.

Ringtones often live on shared media, which is now encrypted with CE keys and not available until after the user is unlocked. To improve the user experience while locked, cache the default ringtone, notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d
/system/sepolicy/system_server.te

a92c7fe3fb6c0ce9060dbd66b4d52c51d410f663 | 23-Feb-2016 | Lorenzo Colitti <lorenzo@google.com>
Merge "Allow the framework to communicate with netd via a binder service" into nyc-dev

f40afcb1b487724f98e8e33997c11c6c3d4454aa | 06-Feb-2016 | Sami Tolvanen <samitolvanen@google.com>
Allow logd.auditd to reboot to safe mode

Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7
(cherry picked from commit 9c168711d5f79642a5357cd4c58ad5e88a9795ba)
/system/sepolicy/system_server.te

24dcc8b1ce38079cba9c0266389f88699cae88c7 | 18-Feb-2016 | Lorenzo Colitti <lorenzo@google.com>
Allow the framework to communicate with netd via a binder service

This will allow us to provide a better interface between Java services (e.g., ConnectivityService) and netd than the current FrameworkListener / NativeDaemonConnector interface which uses text strings over a Unix socket.

Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
/system/sepolicy/system_server.te

0d5bac13e1a98a942689f3b2183ed6f7ff66b976 | 12-Feb-2016 | Jeff Tinker <jtinker@google.com>
Add mediadrm service

Part of media security hardening

This is an intermediate step toward moving mediadrm to a new service separate from mediaserver. This first step allows mediadrmservice to run based on the system property media.mediadrmservice.enable so it can be selectively enabled on devices that support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
/system/sepolicy/system_server.te

d2b36b2f3e90902bb16d1f6a825a4d5149666d4b | 11-Feb-2016 | Chien-Yu Chen <cychen@google.com>
Merge "cameraserver: Build up least privileged policy" into nyc-dev

4541687be516e00492efe3e0ff906f14c8b48910 | 05-Feb-2016 | Jeff Vander Stoep <jeffv@google.com>
cameraserver: Build up least privileged policy

Remove all permissions not observed during testing. Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215
/system/sepolicy/system_server.te

c3ba2e5130d28a0025f798f8b739ee86084fe9da | 03-Feb-2016 | Marco Nelissen <marcone@google.com>
selinux rules for codec process

Bug: 22775369
Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
/system/sepolicy/system_server.te

fd5b74285020d26e5991d7640ac51373dddd371b | 04-Feb-2016 | Daichi Hirono <hirono@google.com>
Merge "Fix SELinux warning when passing fuse FD from system server." am: 4c42a0dcc0 am: f9065c89e6

* commit 'f9065c89e6ac9cf601e1e580959b57a31cd256ca':
  Fix SELinux warning when passing fuse FD from system server.

59e3d7b42dab41a42c37c84ec872a8584c4e7258 | 28-Jan-2016 | Daichi Hirono <hirono@google.com>
Fix SELinux warning when passing fuse FD from system server.

Before applying the CL, Android shows the following error when passing FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd
/system/sepolicy/system_server.te

b8104a47dd361050c9ebadcbeabf515a29cf94e4 | 28-Jan-2016 | Christopher Tate <ctate@google.com>
Move staged backup content to a specific cache subdir

Also narrowly specify the domain for the local transport's bookkeeping.

Bug 26834865
Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535
/system/sepolicy/system_server.te

b1bf83fd794c5863289edf459c8c05a906dac9f7 | 28-Jan-2016 | Marco Nelissen <marcone@google.com>
Revert "selinux rules for codec process"

This reverts commit 2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
/system/sepolicy/system_server.te

e0378303b5ec8a4440fcdea38cca7ebf695dc2b3 | 04-Dec-2015 | Chien-Yu Chen <cychen@google.com>
selinux: Update policies for cameraserver

Update policies for cameraserver so it has the same permissions as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
/system/sepolicy/system_server.te

87a79cf9dd5e677b9ae51a4196dec27d480b9b69 | 27-Jan-2016 | Marco Nelissen <marcone@google.com>
Merge "selinux rules for codec process"

d35776053198e67ebdd65971623353038f10c893 | 26-Jan-2016 | dcashman <dcashman@google.com>
Add adbd socket perms to system_server. am: b037a6c94b am: c37fa20383

* commit 'c37fa2038327c8879e297b6fa9b76ba45ddcf67c':
  Add adbd socket perms to system_server.

b037a6c94b357c9a85d13dde548f5799c592c6ac | 26-Jan-2016 | dcashman <dcashman@google.com>
Add adbd socket perms to system_server.

Commit 2fdeab3789ec6e5ec6f7424abf41a9aaa73564b0 added ability to debug over adbd for zygote-spawned apps, required by removal of domain_deprecated from untrusted_app. This functionality is a core debuggable component of the android runtime, so it is needed by system_server as well.

Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a
/system/sepolicy/system_server.te

2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd | 17-Dec-2015 | Marco Nelissen <marcone@google.com>
selinux rules for codec process

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
/system/sepolicy/system_server.te

cdf60cc67e90b8782367c03068f80fdfbd0dc3fe | 19-Jan-2016 | Rubin Xu <rubinxu@google.com>
Merge "SELinux rule for ro.device_owner and persist.logd.security" am: 65d364b91a am: 06322b1ec4

* commit '06322b1ec491428feb143c150daa95d68f921de2':
  SELinux rule for ro.device_owner and persist.logd.security

0c8286fe74d878243e850b8c1ec50ea5312b1a48 | 04-Jan-2016 | Rubin Xu <rubinxu@google.com>
SELinux rule for ro.device_owner and persist.logd.security

They are introduced for the device owner process logging feature. That is, for enterprise-owned devices with device owner app provisioned, the device owner may choose to turn on additional device-wide logging for auditing and intrusion detection purposes. Logging includes histories of app process startup, commands issued over ADB and lockscreen unlocking attempts. These logs will be available to the device owner for analysis, potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device has no device owner provisioned. persist.logd.security is a switch that device owner can toggle (via DevicePolicyManager) to enable/disable logging. Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
/system/sepolicy/system_server.te

e97bd887ca353ae02dd1641687431786d7d60cd6 | 05-Jan-2016 | Felipe Leme <felipeal@google.com>
Creates a new permission for /cache/recovery am: 549ccf77e3 am: b16fc899d7

* commit 'b16fc899d718f91935932fb9b15de0a0b82835c8':
  Creates a new permission for /cache/recovery

05e68e126917ef243a89844076000a4fac398381 | 05-Jan-2016 | dcashman <dcashman@google.com>
resolve merge conflicts of 8350a7f152 to master.

Change-Id: I80109bb0167f06a8d39d8b036b3c487ec2f06124

549ccf77e3fd23bb6c690da7023441c1007c4fd8 | 22-Dec-2015 | Felipe Leme <felipeal@google.com>
Creates a new permission for /cache/recovery

This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
/system/sepolicy/system_server.te

36f255ff5209cb8b13217ec050d8def5472aed23 | 04-Jan-2016 | dcashman <dcashman@google.com>
Create sysfs_zram label.

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0" dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
/system/sepolicy/system_server.te

6dde20ed4d92d0cdefba65f670d484aeec4b585f | 24-Dec-2015 | Daichi Hirono <hirono@google.com>
Add new rules for appfuse. am: a20802ddb8 am: 0912601e89

* commit '0912601e897905549292c15445acbf1225938f3d':
  Add new rules for appfuse.

a20802ddb87befbbd80d19e0a206aeb493528319 | 02-Dec-2015 | Daichi Hirono <hirono@google.com>
Add new rules for appfuse.

The new rules are used to allow to mount FUSE file system for priv-app.

Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52
/system/sepolicy/system_server.te

47947857650535e8ab4f6b630f7af6e638b2d470 | 17-Dec-2015 | Amith Yamasani <yamasani@google.com>
Add policies for system_server to delete fpdata folder am: 107c55393c am: 899a3e0fcc

* commit '899a3e0fcc78330bf1f9060c3e1d29ab4ebc10b0':
  Add policies for system_server to delete fpdata folder

107c55393c680eb14d5dee11f060b943b8d2e9aa | 16-Dec-2015 | Amith Yamasani <yamasani@google.com>
Add policies for system_server to delete fpdata folder

Bug: 26211308
Change-Id: I8fd2d14ea52d49a33e6cdbcdf90630eea89f7dd0
/system/sepolicy/system_server.te

b03831fe58be86cfd94c31b91def6ae53ebd614f | 09-Sep-2015 | Marco Nelissen <marcone@google.com>
Add rules for running audio services in audioserver

audioserver has the same rules as mediaserver so there is no loss of rights or permissions. media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
/system/sepolicy/system_server.te

5e4e731626870b35b357bf81e2d4eb34bdaf08f4 | 01-Dec-2015 | Vinit Deshpande <vinitd@google.com>
Merge "Allow system_server access to system logs"

7ac66bb12d991ef01059ff5d3ffb6b0a7e91d70a | 25-Nov-2015 | Jeffrey Vander Stoep <jeffv@google.com>
Merge "Populate autoplay_app with minimal set of permissions"

ae72bf241d4fb85685068950e3d4da5d7f4589e3 | 25-Nov-2015 | Jeff Vander Stoep <jeffv@google.com>
Populate autoplay_app with minimal set of permissions

Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50
/system/sepolicy/system_server.te

de7d39e435d71a586f7b444515b47675a2fe78b2 | 24-Nov-2015 | Nick Kralevich <nnk@google.com>
Add auditallow for bluetoothdomain rules am: cb835a2852 am: 4eee81382a am: d798e1e503

* commit 'd798e1e50312e46517ce46474e553508bc0e1522':
  Add auditallow for bluetoothdomain rules

cb835a2852997dde0be2941173f8c879ebbef157 | 24-Nov-2015 | Nick Kralevich <nnk@google.com>
Add auditallow for bluetoothdomain rules

Let's see if it's safe to get rid of them.

Bug: 25768265
Bug: 25767747
Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96
/system/sepolicy/system_server.te

55b9341fcd2722eec0c0795b998fd37d0aa24d13 | 20-Nov-2015 | Nick Kralevich <nnk@google.com>
system_server: allow restorecon /data/system/users/0/fpdata am: 4fd216060c am: a049bb302f am: 7cb2197f9a

* commit '7cb2197f9a919ea67ee2b92f57b522d5a51134a2':
  system_server: allow restorecon /data/system/users/0/fpdata

4fd216060ceb1353416d9398d30efbb5094dba9f | 20-Nov-2015 | Nick Kralevich <nnk@google.com>
system_server: allow restorecon /data/system/users/0/fpdata

Addresses the following denial:
avc: denied { relabelfrom } for pid=9971 comm="system_server" name="fpdata" dev="dm-0" ino=678683 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Bug: 25801240
Change-Id: I043f48f410505acaee4bb97446945316f656a210
/system/sepolicy/system_server.te

71016f7cc8f595f69a7cd1b8cde4ffdbc2d26bd7 | 18-Nov-2015 | Vinit Deshpande <vinitd@google.com>
Allow system_server access to system logs

This is enabled for debugging purposes only. Since kernel buffer for logs is small, this will allow external services to capture a bit of data so it can be reported later.

Change-Id: I588eb91159e6aad07ead9afab9759764b8b3520d
/system/sepolicy/system_server.te

e485606fba1f4a7f54a5390ed39a9738dc51c185 | 18-Nov-2015 | Calin Juravle <calin@google.com>
Remove handling of dalvik-cache/profiles am: 2469b32e15 am: b67f8d5c94 am: 278350f236

* commit '278350f2361d187021aa291ff363b66a02a3c557':
  Remove handling of dalvik-cache/profiles

2469b32e15b569fabaeca066ce53b65fa0ee8995 | 04-Nov-2015 | Calin Juravle <calin@google.com>
Remove handling of dalvik-cache/profiles

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18
/system/sepolicy/system_server.te

4925574d9d0f5a870466a7df11e85c1ef1aa543e | 11-Nov-2015 | Calin Juravle <calin@google.com>
resolve merge conflicts of 2c353c29e4 to master.

Change-Id: I2c5706b0064d099dc728c8032163d6fb1e686533

f255d775fceb18df08011f61560815cd1bfe47fd | 10-Nov-2015 | Calin Juravle <calin@google.com>
Add SElinux rules for /data/misc/trace

The directory is to be used in eng/userdebug build to store method traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377
Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
/system/sepolicy/system_server.te

6f4a3ce0296e99fedd7cd38c5570af0fca9fbe19 | 07-Nov-2015 | Nick Kralevich <nnk@google.com>
system_server: clean up stale rules am: 142f97b758 am: 7de86e2c62 am: 22af8da991

* commit '22af8da991978be045d666e9d0e35c93f6a09d5a':
  system_server: clean up stale rules

142f97b758c232ef0300578371152739d81408a3 | 07-Nov-2015 | Nick Kralevich <nnk@google.com>
system_server: clean up stale rules

979adffd45914bd7b357c404437c64bb59bec51a added an auditallow to see if system_server was relabeling system_data_file. The auditallow rule hasn't triggered, so remove the allow rule.

a3c97a7660bae649674e717bf7a9593f0d8370d7 added an auditallow to see if system_server was executing toolbox. The auditallow rule hasn't triggered, so remove the allow rule. AFAIK, system_server never executes ANY file, so further tightening here is feasible.

Change-Id: Ia0a93f3833e32c3e2c898463bd8813701a6dd20a
/system/sepolicy/system_server.te

d20a46ef175079d210da8320d8c8ce32cbe8207f | 04-Nov-2015 | Jeff Vander Stoep <jeffv@google.com>
Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd am: b476b95488

* commit 'b476b954882a48bf2c27da0227209c197dcfb666':
  Create attribute for moving perms out of domain

d22987b4daf02a8dae5bb10119d9ec5ec9f637cf | 03-Nov-2015 | Jeff Vander Stoep <jeffv@google.com>
Create attribute for moving perms out of domain

Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
/system/sepolicy/system_server.te

0f754edf7b72582ed28d062a9c8f1b911d57a6f3 | 22-Sep-2015 | Marco Nelissen <marcone@google.com>
Update selinux policies for mediaextractor process

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
/system/sepolicy/system_server.te

6ea1cc2f56a04731574ea991cb0650ee624d73be | 14-Oct-2015 | Nick Kralevich <nnk@google.com>
am 56c91f70: am 82bdd796: system_server: (eng builds) remove JIT capabilities

* commit '56c91f70b22cf3c5b00278d93cb8b2581684146c':
  system_server: (eng builds) remove JIT capabilities

82bdd796e1265bd0e4b0497e9bed1d0cafc9883b | 14-Oct-2015 | Nick Kralevich <nnk@google.com>
system_server: (eng builds) remove JIT capabilities

23cde8776b94ff2228f3a8d845d41052af52319e removed JIT capabilities from system_server for user and userdebug builds. Remove the capability from eng builds to be consistent across build types.

Add a neverallow rule (compile time assertion + CTS test) to verify this doesn't regress on our devices or partner devices.

Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b
/system/sepolicy/system_server.te
|
45c2fd690d09f89f58dda7f3ba42f57a865f6f27 |
|
09-Sep-2015 |
Lorenzo Colitti <lorenzo@google.com> |
am e3298a7a: am e24aab28: am c3712143: Allow system_server to bind ping sockets. * commit 'e3298a7af681ab4f3fc647d58516cb0d19a1d3d6': Allow system_server to bind ping sockets.
|
e24aab286a6464904d6688f107c1086e93523fda |
|
09-Sep-2015 |
Lorenzo Colitti <lorenzo@google.com> |
am c3712143: Allow system_server to bind ping sockets. * commit 'c37121436be95ae2ed75cb83605940455446ef4e': Allow system_server to bind ping sockets.
|
c37121436be95ae2ed75cb83605940455446ef4e |
|
09-Sep-2015 |
Lorenzo Colitti <lorenzo@google.com> |
Allow system_server to bind ping sockets. This allows NetworkDiagnostics to send ping packets from specific source addresses in order to detect reachability problems on the reverse path. This addresses the following denial: [ 209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0 Bug: 23661687 Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2
/system/sepolicy/system_server.te
|
2af091641f5aaf1a4b2ffe36392a7ddbc06c40dd |
|
02-Sep-2015 |
Jeff Vander Stoep <jeffv@google.com> |
am 1c4e3cb2: am a3aa1db3: am 0243e5cf: system_server.te: remove policy load permissions * commit '1c4e3cb2c4f0cc3b3703228f6afb4f00ce16a6d3': system_server.te: remove policy load permissions
|
a3aa1db39ce6aad0c43d0854c8a138e6350809f1 |
|
02-Sep-2015 |
Jeff Vander Stoep <jeffv@google.com> |
am 0243e5cf: system_server.te: remove policy load permissions * commit '0243e5cf4f8898b7acedc24efd58fdcd163e3048': system_server.te: remove policy load permissions
|
0243e5cf4f8898b7acedc24efd58fdcd163e3048 |
|
02-Sep-2015 |
Jeff Vander Stoep <jeffv@google.com> |
system_server.te: remove policy load permissions Remove system server's permission to dynamically update SELinux policy on the device. 1) This functionality has never been used, so we have no idea if it works or not. 2) If system_server is compromised, this functionality allows a complete bypass of the SELinux policy on the device. In particular, an attacker can force a regression of the following patch * https://android-review.googlesource.com/138510 see also https://code.google.com/p/android/issues/detail?id=181826 3) Dynamic policy update can be used to bypass neverallow protections enforced in CTS, by pushing a policy to the device after certification. Such an updated policy could bring the device out of compliance or deliberately introduce security weaknesses. Bug: 22885422 Bug: 8949824 Change-Id: I3c64d64359060561102e1587531836b69cfeef00
/system/sepolicy/system_server.te
|
206dea92b9ba01b4deb18fba5f7024845f04ccd5 |
|
26-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am c2a138f6: am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed." * commit 'c2a138f657649f030068e60fd1009666ff560f02': Only allow toolbox exec where /system exec was already allowed.
|
c2a138f657649f030068e60fd1009666ff560f02 |
|
26-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed." * commit '7af012fc94a34dd42e72d32c246a47140ec2861a': Only allow toolbox exec where /system exec was already allowed.
|
b08688628c11dbd548dc2d917d36484407767f2c |
|
26-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed." * commit '7af012fc94a34dd42e72d32c246a47140ec2861a': Only allow toolbox exec where /system exec was already allowed.
|
a3c97a7660bae649674e717bf7a9593f0d8370d7 |
|
25-Aug-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
ba5a9f13dfeaf0a94b9d3aa630aee75627d1108d |
|
25-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am a847ab53: am 48d98e35: Merge "system_server: remove old dalvik JIT rules on user/userdebug builds" * commit 'a847ab538e158e13be41331c98421faf6ce77ea2': system_server: remove old dalvik JIT rules on user/userdebug builds
|
a847ab538e158e13be41331c98421faf6ce77ea2 |
|
25-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am 48d98e35: Merge "system_server: remove old dalvik JIT rules on user/userdebug builds" * commit '48d98e35419f74fe515ec560277726081c2fd0e3': system_server: remove old dalvik JIT rules on user/userdebug builds
|
e9ac2d6d5dc7a0b7ee63f1003e5508fc91ec052e |
|
25-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am 48d98e35: Merge "system_server: remove old dalvik JIT rules on user/userdebug builds" * commit '48d98e35419f74fe515ec560277726081c2fd0e3': system_server: remove old dalvik JIT rules on user/userdebug builds
|
23cde8776b94ff2228f3a8d845d41052af52319e |
|
22-Aug-2015 |
Nick Kralevich <nnk@google.com> |
system_server: remove old dalvik JIT rules on user/userdebug builds On user and userdebug builds, system_server only loads executable content from /data/dalvik_cache and /system. JITing for system_server is only supported on eng builds. Remove the rules for user and userdebug builds. Going forward, the plan of record is that system_server will never use JIT functionality, instead using dex2oat or interpreted mode. Inspired by https://android-review.googlesource.com/98944 Change-Id: I54515acaae4792085869b89f0d21b87c66137510
/system/sepolicy/system_server.te
|
fa72e49841bef39f13d0be53bdd0c5814e14e771 |
|
22-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am 9ee2b23f: am acfd140c: Merge "eliminate some anr_data_file permissions." * commit '9ee2b23fba0de96c21ff1cd9fc3c3a20f3cd51d1': eliminate some anr_data_file permissions.
|
9ee2b23fba0de96c21ff1cd9fc3c3a20f3cd51d1 |
|
22-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am acfd140c: Merge "eliminate some anr_data_file permissions." * commit 'acfd140c045d0bd295389a508ef6952acefb91fc': eliminate some anr_data_file permissions.
|
4734a636d31a02a2c70d179d8142a78d54e5782e |
|
22-Aug-2015 |
Nick Kralevich <nnk@google.com> |
am acfd140c: Merge "eliminate some anr_data_file permissions." * commit 'acfd140c045d0bd295389a508ef6952acefb91fc': eliminate some anr_data_file permissions.
|
979adffd45914bd7b357c404437c64bb59bec51a |
|
13-Aug-2015 |
Nick Kralevich <nnk@google.com> |
eliminate some anr_data_file permissions. Init is now responsible for creating /data/anr, so it's unnecessary to grant system_server and dumpstate permissions to relabel this directory. Remove the excess permissions. Leave system_data_file relabelfrom, since it's possible we're still using it somewhere. See commits: https://android-review.googlesource.com/161650 https://android-review.googlesource.com/161477 https://android-review.googlesource.com/161638 Bug: 22385254 Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
/system/sepolicy/system_server.te
|
1c5dca43b8b78d64f28ad58505262f39f8b50be0 |
|
29-Jul-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am 278658c2: am 6f7de297: Merge "Do not allow apps to access network address file" * commit '278658c2d8a80cf15ca016affbecf17297a234d6': Do not allow apps to access network address file
|
cd68c3a84eaa019434d0adebef0bc46b585e9d02 |
|
29-Jul-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am 6f7de297: Merge "Do not allow apps to access network address file" * commit '6f7de297b3e67942cdc525b6f626a811ddf5132e': Do not allow apps to access network address file
|
278658c2d8a80cf15ca016affbecf17297a234d6 |
|
29-Jul-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am 6f7de297: Merge "Do not allow apps to access network address file" * commit '6f7de297b3e67942cdc525b6f626a811ddf5132e': Do not allow apps to access network address file
|
e45cad770c6ffcc46ca834320d7892d744d0693b |
|
24-Jul-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Do not allow apps to access network address file Bug: 18068520 Bug: 21852542 Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049
/system/sepolicy/system_server.te
|
3638c1b4e73ec51d0ef920d598a2e89e821e04e3 |
|
24-Jul-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Do not allow apps to access network address file Bug: 18068520 Bug: 21852542 Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff
/system/sepolicy/system_server.te
|
75d095a2144a7c365efc35961611e4ccc189ce2c |
|
09-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am 7028bdcc: neverallow: domain execute data_file_type * commit '7028bdccd5b3e91928d345990587738212973f1d': neverallow: domain execute data_file_type
|
ab7764bf821ac0c6409b285cf11d85ce5f538a71 |
|
09-Jul-2015 |
William Roberts <william.c.roberts@intel.com> |
am 7028bdcc: neverallow: domain execute data_file_type * commit '7028bdccd5b3e91928d345990587738212973f1d': neverallow: domain execute data_file_type
|
7028bdccd5b3e91928d345990587738212973f1d |
|
22-Jun-2015 |
William Roberts <william.c.roberts@intel.com> |
neverallow: domain execute data_file_type To help reduce code injection paths, a neverallow is placed to prevent domain, sans untrusted_app and shell, execute on data_file_type. A few data_file_types are also exempt from this rule as they label files that should be executable. Additional constraints, on top of the above, are placed on domains system_server and zygote. They can only execute data_file_types of type dalvikcache_data_file. Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02 Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/system_server.te
|
51b33ac90b9049db6c3d257c83006c33f677750a |
|
21-May-2015 |
Tao Bao <tbao@google.com> |
Allow system server and uncrypt to operate pipe file System server and uncrypt need to communicate with a named pipe on the /cache partition. It will be created and deleted by system server. Bug: 20012567 Bug: 20949086 (cherry picked from commit 70c6dbf06cb06fc46d5143557ea960392849106d) Change-Id: I4ddc523c2a0f4218877dae8f8a9b7fcf3f786625
/system/sepolicy/system_server.te
|
01898ea4aa2dbd676c2c20a796251285a1671a96 |
|
04-Jun-2015 |
Narayan Kamath <narayan@google.com> |
Revert "Allow system_server to link,relabel and create_dir dalvikcache_data_file." This reverts commit e929ad8b524a7e444008b657adaafff97b5dea79. bug: 20889739 Change-Id: I6729f4e26041b481f2442a2d8c3dfb42e2d4144a
/system/sepolicy/system_server.te
|
41f233f4658f20ac36845ed262bfeb8a7a9eea45 |
|
14-May-2015 |
Narayan Kamath <narayan@google.com> |
Allow system_server to link,relabel and create_dir dalvikcache_data_file. Required by the installation flow for split APKs. bug: 20889739 Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
/system/sepolicy/system_server.te
|
12e8b61bc08da1482a9309e8b2dc1a0670671445 |
|
28-May-2015 |
Tao Bao <tbao@google.com> |
Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
|
70c6dbf06cb06fc46d5143557ea960392849106d |
|
21-May-2015 |
Tao Bao <tbao@google.com> |
Allow system server and uncrypt to operate pipe file System server and uncrypt need to communicate with a named pipe on the /cache partition. It will be created and deleted by system server. Bug: 20012567 Bug: 20949086 Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
/system/sepolicy/system_server.te
|
83554d2c923b17b6d5ee811c278e2ab0bb65579d |
|
22-May-2015 |
Jim Miller <jaggies@google.com> |
Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
|
a39b131e9db1fed7e5ce90174f19515f465c8739 |
|
22-May-2015 |
Jim Miller <jaggies@google.com> |
Selinux: Allow system_server to create fpdata dir. Fixes avc errors: avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0 avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0 Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
/system/sepolicy/system_server.te
|
b3df4389f31b5ae206fc2c1f50f1efe4de1bcf75 |
|
21-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Merge "Rename keystore methods and delete unused permissions" into mnc-dev
|
264eb6566ae75ba1ae37835f0ba83f951550fe85 |
|
13-May-2015 |
Jim Miller <jaggies@google.com> |
Add selinux policy for fingerprintd Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
/system/sepolicy/system_server.te
|
807d8d0249f196e172f30b96b48699e3b10a3866 |
|
18-May-2015 |
dcashman <dcashman@google.com> |
Label /dev/rtc0 as rtc_device. Grant access to system_server, as it is used by AlarmManagerService. (cherry-pick of c7594898dbce021677e6444eb855eb591df1097b) Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
/system/sepolicy/system_server.te
|
c7594898dbce021677e6444eb855eb591df1097b |
|
18-May-2015 |
dcashman <dcashman@google.com> |
Label /dev/rtc0 as rtc_device. Grant access to system_server, as it is used by AlarmManagerService. Change-Id: I4f099fe30ba206db07d636dd454d43d3df9d3015
/system/sepolicy/system_server.te
|
eaa1a1e975627a00b09a84810d0aa77cfde1edd2 |
|
13-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. (cherry-picked from commit cbc8f796551151c0d9651500d5d9f116177a07dc) Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
/system/sepolicy/system_server.te
|
77a824600bfe80abccc9fdcab8d1566380b43ce4 |
|
12-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add keystore user_changed permission user_changed will be used for state change methods around android user creation/deletion. (cherry-picked from commit 520bb816b86fe36440767db6e2f05fb4e8a08f3e) Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
/system/sepolicy/system_server.te
|
cbc8f796551151c0d9651500d5d9f116177a07dc |
|
13-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
/system/sepolicy/system_server.te
|
3526a6696fdc2b7d3b7a8fe452ce8b287160c42b |
|
13-May-2015 |
Adam Lesinski <adamlesinski@google.com> |
Allow system_server to read/write /proc/uid_cputime/ module Bug:20182139 Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
/system/sepolicy/system_server.te
|
520bb816b86fe36440767db6e2f05fb4e8a08f3e |
|
12-May-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add keystore user_changed permission user_changed will be used for state change methods around android user creation/deletion. Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
/system/sepolicy/system_server.te
|
2f5a6a96bdc284dc070a2c222243dd8e19edb9ef |
|
05-May-2015 |
William Roberts <william.c.roberts@linux.intel.com> |
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macro: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232) Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
/system/sepolicy/system_server.te
|
625a3526f1ebaaa014bb563239cc33829f616232 |
|
05-May-2015 |
William Roberts <william.c.roberts@linux.intel.com> |
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macro: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
/system/sepolicy/system_server.te
|
1301f2b64b91507c6599a8d31fdfd1731aee8a63 |
|
10-Apr-2015 |
Nick Kralevich <nnk@google.com> |
am 2a7a4037: am 2234f9ff: gatekeeperd: neverallow non-system_server binder call * commit '2a7a403724370ebe16f05602685a654ca4448d59': gatekeeperd: neverallow non-system_server binder call
|
2234f9ff579f9e928d868372f5bd7499e2da7bd1 |
|
09-Apr-2015 |
Nick Kralevich <nnk@google.com> |
gatekeeperd: neverallow non-system_server binder call The current neverallow rule (compile time assertion) neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find; asserts that no rule is present which allows processes other than system_server to ask servicemanager for a gatekeeperd token. However, if system_server leaks the token to other processes, it may be possible for those processes to access gatekeeperd directly, bypassing servicemanager. Add a neverallow rule to assert that no process other than system_server is allowed to make binder calls to gatekeeperd. Even if another process was to manage to get a binder token to gatekeeperd, it would be useless. Remove binder_service() from gatekeeperd. The original use of the binder_service() macro was to widely publish a binder service. If this macro is present and the calling process has a gatekeeperd binder token, it's implicitly possible for the following processes to make a binder call to gatekeeperd: * all app processes * dumpstate * system_server * mediaserver * surfaceflinger Removing binder_service revokes this implicit access. Add explicit access for system_server to make binder calls to gatekeeperd. Add explicit access for gatekeeperd to make calls to keystore. This was implicitly granted via binder_service() before, but now needs to be explicit. Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
/system/sepolicy/system_server.te
|
710c5a2af915c5638a758c083f1295b916239728 |
|
09-Apr-2015 |
dcashman <dcashman@google.com> |
am 29f90b1e: am 7f2bb0c1: Merge "Enforce more specific service access." * commit '29f90b1eb7376b39d94cd5d981a15ff8317a5cdb': Enforce more specific service access.
|
bd7f5803f924b0ca318c1d426b683c3f658754f9 |
|
09-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window Bug: 18106000 Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/system/sepolicy/system_server.te
|
2686b6ab808e3c8e26beec9cb40c54655daaf142 |
|
09-Apr-2015 |
dcashman <dcashman@google.com> |
am 18867dbb: am 03a6f64f: Enforce more specific service access. * commit '18867dbb42f128db00f6c8ee4f05fd098d9eaaa4': Enforce more specific service access.
|
746a73c41b19ec6318d565e3f177b1cd00941816 |
|
09-Apr-2015 |
Nick Kralevich <nnk@google.com> |
am 2a762352: am 9bef2502: system_server: support hard linking for split APKs * commit '2a762352f34f147cdb83e34bf3591e48a9378425': system_server: support hard linking for split APKs
|
03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 |
|
08-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: network_management network_score notification package permission persistent power print processinfo procstats Bug: 18106000 Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
/system/sepolicy/system_server.te
|
9bef25026b43ccfb656a3a53b74a787ca3376227 |
|
08-Apr-2015 |
Nick Kralevich <nnk@google.com> |
system_server: support hard linking for split APKs Commit 85ce2c706e95f96c95b3af418b7bda0bfe9918f4 removed hard link support from create_file_perms, but system_server requires hard link support for split APKs. Allow it. Addresses the following denial: audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0 Steps to reproduce: 1) Find the directory "hellogoogle3.splitapk" 2) adb install-multiple -r hellogoogle3_incremental.apk 3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk Expected: 2nd APK installs successfully. Actual: 2nd APK fails to install. Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7
/system/sepolicy/system_server.te
|
d20c61af723ae194a2c47ac5a03ec607438e5c66 |
|
08-Apr-2015 |
Nick Kralevich <nnk@google.com> |
am 63b07909: am 8a06c077: Allow system_server to collect app heapdumps (debug builds only) * commit '63b0790965be39da4ee1aee13ae1ab029d6d02ae': Allow system_server to collect app heapdumps (debug builds only)
|
5fd66b3cb84aa88df58ce60bc7d2a2880d0a5674 |
|
08-Apr-2015 |
dcashman <dcashman@google.com> |
am 0bc36ada: am 91b7c67d: Enforce more specific service access. * commit '0bc36adada7421b0e8ec05565617b7a8a6cef794': Enforce more specific service access.
|
6e4143558793ae063c1b205f33c788f8ea2ec4f4 |
|
08-Apr-2015 |
dcashman <dcashman@google.com> |
am b1a13728: am 3cc6fc5f: Enforce more specific service access. * commit 'b1a137280e6e8f282469f91b0f58df6c95919d18': Enforce more specific service access.
|
8a06c07724ad538d6c2f1d703fec88929c118894 |
|
08-Apr-2015 |
Nick Kralevich <nnk@google.com> |
Allow system_server to collect app heapdumps (debug builds only) On debuggable builds, system_server can request app heap dumps by running something similar to the following commands: % adb shell am set-watch-heap com.android.systemui 1048576 % adb shell dumpsys procstats --start-testing which will dump the app's heap to /data/system/heapdump. See framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d. Allow this behavior. Addresses the following denial: avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 Bug: 20073185 Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
/system/sepolicy/system_server.te
|
91b7c67d1647b2a88b1547cc57b69fc685bbac18 |
|
08-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: jobscheduler launcherapps location lock_settings media_projection media_router media_session mount netpolicy netstats Bug: 18106000 Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
/system/sepolicy/system_server.te
|
3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 |
|
07-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: diskstats display dreams dropbox ethernet fingerprint graphicstats hardware hdmi_control input_method input_service Bug: 18106000 Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
/system/sepolicy/system_server.te
|
8a439726b9d61cef77c7e3858eee0f28ddc1d766 |
|
07-Apr-2015 |
Fyodor Kupolov <fkupolov@google.com> |
am 26ef3bbc: am 3af8c9d0: Allow system_server to read oat dir * commit '26ef3bbc8759fb67ad5a71facfdf4f5611621f84': Allow system_server to read oat dir
|
d0c06a7051f3199e95bc27d2058b864eb2e6ac27 |
|
07-Apr-2015 |
dcashman <dcashman@google.com> |
am 86501cde: am d4c78f4b: Enforce more specific service access. * commit '86501cde107f4208b2afb82f2e21647dab70e4ef': Enforce more specific service access.
|
3af8c9d0ef0e4385f69a1a50dd04a010a76c6b19 |
|
07-Apr-2015 |
Fyodor Kupolov <fkupolov@google.com> |
Allow system_server to read oat dir Required for PackageManagerService to perform restorecon recursively on a staging dir. Addresses the following denial: avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir Bug: 19550105 Bug: 20087446 Change-Id: I0f6ebb79745091ecb4d6d3dbe92f65606b7469da
/system/sepolicy/system_server.te
|
d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 |
|
07-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: battery bluetooth_manager clipboard commontime_management connectivity content country_detector device_policy deviceidle Bug: 18106000 Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
/system/sepolicy/system_server.te
|
abef255597c0bd45b41832acdd9cb4dde383cd49 |
|
07-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
am 8a6ac553: am 73d9c2a9: Initial policy for expanded storage. * commit '8a6ac553b5f64f002177790823d0e15e8ff74030': Initial policy for expanded storage.
|
73d9c2a97b232389ab1dd179ac72c2fbefc5482b |
|
07-Apr-2015 |
Jeff Sharkey <jsharkey@android.com> |
Initial policy for expanded storage. Expanded storage supports a subset of the features of the internal data partition. Mirror that policy for consistency. vold is also granted enough permissions to prepare initial directories. avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1 avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1 avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1 avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1 avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1 avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1 avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 Bug: 19993667 Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
/system/sepolicy/system_server.te
|
151a02a9bc4a9ce22bed2bc4310bb91a986c564f |
|
07-Apr-2015 |
Andres Morales <anmorales@google.com> |
am 258ea8ed: am e207986e: SELinux permissions for gatekeeper TEE proxy * commit '258ea8ed2e199855b4384ce11d7861fb7ae84683': SELinux permissions for gatekeeper TEE proxy
|
e207986ea08feebd04f32cd2beff0b1602d08074 |
|
04-Apr-2015 |
Andres Morales <anmorales@google.com> |
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
/system/sepolicy/system_server.te
|
593c1dbd03c03e181b6e306d954295b86969b12e |
|
07-Apr-2015 |
dcashman <dcashman@google.com> |
am 2e45bba5: am 4cdea7fc: Assign app_api_service attribute to services. * commit '2e45bba5a89348febd99ce0e820a3d4f4f4f5a58': Assign app_api_service attribute to services.
|
4cdea7fc40ea29c8cf4134a71b67808d143ec9dc |
|
04-Apr-2015 |
dcashman <dcashman@google.com> |
Assign app_api_service attribute to services. Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services the appropriate service access levels and move into enforcing. Bug: 18106000 Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
/system/sepolicy/system_server.te
|
ad5720c3e5430c61733e2bd6a6ae48d9769fc34f |
|
04-Apr-2015 |
dcashman <dcashman@google.com> |
am b40dd46a: am b075338d: Assign app_api_service attribute to services. * commit 'b40dd46a6b9dd60817a178ae929566ca471dcd8a': Assign app_api_service attribute to services.
|
b075338d0e335eb2dbd786ae4f8e033e78eeca37 |
|
03-Apr-2015 |
dcashman <dcashman@google.com> |
Assign app_api_service attribute to services. Move accessibility, account, appops and activity services into enforcing with app_api_service level of access, with additional grants to mediaserver and isolated app. Bug: 18106000 Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
/system/sepolicy/system_server.te
|
117ba9e2f92e63b5167c60d8dbfc0c84cdb8edfc |
|
02-Apr-2015 |
dcashman <dcashman@google.com> |
am e83172c5: am 1598b52b: Merge "Remove obsolete system_server auditallow logging." * commit 'e83172c5731a7d9272a3ef0e11c72673134f192b': Remove obsolete system_server auditallow logging.
|
73c06a9b009fd4e0b166c334f1c016cf70bd0c1c |
|
02-Apr-2015 |
dcashman <dcashman@google.com> |
am c8197153: am 59abf4cc: Merge "Record observed service accesses." * commit 'c819715336f06f11b50af521d56998da9e9000de': Record observed service accesses.
|
513d77b5cb976af0052b0e152cddf0ccb001d9f2 |
|
01-Apr-2015 |
dcashman <dcashman@google.com> |
Remove obsolete system_server auditallow logging. system_server no longer has universal service_manager_type permissions and so no longer needs the auditallow rules therewith associated. Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477
/system/sepolicy/system_server.te
|
8af4e9cb0032244b0a356eb236ea97379956fa52 |
|
01-Apr-2015 |
dcashman <dcashman@google.com> |
Record observed service accesses. Get ready to switch system_server service lookups into enforcing. Bug: 18106000 Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
/system/sepolicy/system_server.te
|
6cc74a4745acb6cd67fd141e9c66cd9288442729 |
|
01-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
am 0a913546: am 66cc49c1: Merge "Add keystore add_auth" * commit '0a913546f605fd04824750997996b492643fbe22': Add keystore add_auth
|
8927772caa421f1c9ccc80337527e039353d65dd |
|
31-Mar-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add keystore add_auth This is for the new addAuthToken keystore method from I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to authorize keymaster operations. The tokens are HMAC'd and so shouldn't be fakeable but this is still limited to system_server only. Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
/system/sepolicy/system_server.te
|
cab251ed1e4dc37bd824aa33d6a7e1ad1103f823 |
|
31-Mar-2015 |
Jeff Sharkey <jsharkey@android.com> |
am 8d6a1000: am f063f461: Updated policy for external storage. * commit '8d6a100067affcea330e97b2294960d32b94ae3d': Updated policy for external storage.
|
f063f461a9e5b6049f3516e48806b6a87848ac1a |
|
27-Mar-2015 |
Jeff Sharkey <jsharkey@android.com> |
Updated policy for external storage. An upcoming platform release is redesigning how external storage works. At a high level, vold is taking on a more active role in managing devices that dynamically appear. This change also creates further restricted domains for tools doing low-level access of external storage devices, including sgdisk and blkid. It also extends sdcardd to be launchable by vold, since launching by init will eventually go away. For compatibility, rules required to keep AOSP builds working are marked with "TODO" to eventually remove. Slightly relax system_server external storage rules to allow calls like statfs(). Still neverallow open file descriptors, since they can cause kernel to kill us. Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
/system/sepolicy/system_server.te
|
08c224f597771048b13ab05b5c980b9af28d5d72 |
|
30-Mar-2015 |
John Reck <jreck@google.com> |
am a8c74889: am ec4008ec: Merge "Add graphicsstats service" * commit 'a8c74889a0349cc896c41fdd360e4661ff0cb742': Add graphicsstats service
|
e8064afb5e8adc96d1becc7b31a8a92f77e284d9 |
|
23-Mar-2015 |
John Reck <jreck@google.com> |
Add graphicsstats service Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
/system/sepolicy/system_server.te
|
323d741f1c6c68f7274f007a8480d687af5b9737 |
|
14-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am a5649f32: am 6ece49c3: Merge "Revert "allow system_server to set kernel scheduling priority"" * commit 'a5649f328a0ccf6edf746be3750563e2d3646442': Revert "allow system_server to set kernel scheduling priority"
|
39f082f8826ec781c98c2ee89a8db6ab403093f0 |
|
13-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am b9d7c2c6: am 5434a8a9: Merge "system_server: neverallow blk_file read/write" * commit 'b9d7c2c650805850370b4c40613d624afcfb485b': system_server: neverallow blk_file read/write
|
cd14eb443e18d94f3248da77089155c888d8720e |
|
12-Mar-2015 |
Nick Kralevich <nnk@google.com> |
Revert "allow system_server to set kernel scheduling priority" Periodically, SELinux denials of the form:
type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0
are being generated. These denials come from system_server and other processes. There's no reason why system_server should be calling sched_setscheduler() on a kernel thread. Current belief is that these SELinux denials are a bug in the kernel, and are being inappropriately triggered. Revert 2d1650f4075db4f4f458de4c1a4cb5869c44b936. The original reason for accepting this change was to see if it would fix bug 18085992. Unfortunately, even after the commit, the bug was still present. The change had no impact on the bug. Don't inappropriately grant system_server the ability to manipulate the scheduling priority of kernel threads. This reverts commit 2d1650f4075db4f4f458de4c1a4cb5869c44b936. Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8
/system/sepolicy/system_server.te
|
3e1a7a4c4f9af3c284e680ead43d2fc96b1e674e |
|
12-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am cbfe9d57: am c01f7fd1: system_server: remove appdomain:file write * commit 'cbfe9d5733c0f52449e81cc450a3a7edd93db9f4': system_server: remove appdomain:file write
|
acc0842c4bed8690fe29858070215d7a74f4a44b |
|
11-Mar-2015 |
Nick Kralevich <nnk@google.com> |
system_server: neverallow blk_file read/write With the exception of the factory reset protection block device, don't allow system_server to read or write to any other block devices. This helps protect against a system->root escalation when system_server has the ability to directly manipulate raw block devices / partitions / partition tables. This change adds a neverallow rule, which is a compile time assertion that no SELinux policy is written which allows this access. No new rules are added or removed. Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
/system/sepolicy/system_server.te
|
c01f7fd1c1569a0649703d24747ad1ddd857bc93 |
|
10-Mar-2015 |
Nick Kralevich <nnk@google.com> |
system_server: remove appdomain:file write system_server no longer writes to /proc/pid/oom_adj_score. This is handled exclusively by lmkd now. See the following commits:
Kernel 3.18:
* https://android-review.googlesource.com/139083
* https://android-review.googlesource.com/139082
Kernel 3.14:
* https://android-review.googlesource.com/139081
* https://android-review.googlesource.com/139080
Kernel 3.10:
* https://android-review.googlesource.com/139071
* https://android-review.googlesource.com/139671
Kernel 3.4:
* https://android-review.googlesource.com/139061
* https://android-review.googlesource.com/139060
Bug: 19636629 Change-Id: Ib79081365bcce4aa1190de037861a87b55c15db9
/system/sepolicy/system_server.te
|
7b2d879b33e7a660fb59e36c94f71dd430216239 |
|
10-Mar-2015 |
dcashman <dcashman@google.com> |
am 1193bdf4: am 6843a793: am 8f81dcad: Only allow system_server to send commands to zygote. * commit '1193bdf4ae1498581b4d5c3e964db963e79622dc': Only allow system_server to send commands to zygote.
|
6843a7932a9b48a549143b5ad8bf79659ebeb328 |
|
09-Mar-2015 |
dcashman <dcashman@google.com> |
am 8f81dcad: Only allow system_server to send commands to zygote. * commit '8f81dcad5bb322a75bc61c8b42f8287e2afeaddc': Only allow system_server to send commands to zygote.
|
8f81dcad5bb322a75bc61c8b42f8287e2afeaddc |
|
09-Mar-2015 |
dcashman <dcashman@google.com> |
Only allow system_server to send commands to zygote. Add neverallow rules to ensure that zygote commands are only taken from system_server. Also remove the zygote policy class which was removed as an object manager in commit: ccb3424639821b5ef85264bc5836451590e8ade7 Bug: 19624279 Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
/system/sepolicy/system_server.te
|
c2b3ff7f7f740fbb8fccf167960dadbb0c2266fa |
|
09-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am 3e616ee8: am b41eb698: am 0560e75e: system_server: allow handling app generated unix_stream_sockets * commit '3e616ee8982251921da22c0ea0f9afaf45212374': system_server: allow handling app generated unix_stream_sockets
|
b41eb698ee1bf2f3cf52f23161226475fe6ffff0 |
|
09-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am 0560e75e: system_server: allow handling app generated unix_stream_sockets * commit '0560e75e4f03e4637637de8512a4718fe7870df8': system_server: allow handling app generated unix_stream_sockets
|
0560e75e4f03e4637637de8512a4718fe7870df8 |
|
09-Mar-2015 |
Nick Kralevich <nnk@google.com> |
system_server: allow handling app generated unix_stream_sockets Allow system server to handle already open app unix_stream_sockets. This is needed to support system_server receiving a socket created using socketpair(AF_UNIX, SOCK_STREAM) and socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android functionality. Addresses the following denial:
type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0
Bug: 19648474 Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
/system/sepolicy/system_server.te
|
f3a6abbb889f567d32df41577db7760714e957ae |
|
06-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am f42b8dbc: am efb4bdb9: am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server * commit 'f42b8dbc3066c70c1cf9a5722f699b4ac00a0306': Eliminate CAP_SYS_MODULE from system_server
|
efb4bdb9f49d19f4ea9a7348eb019ed8d77955e4 |
|
05-Mar-2015 |
Nick Kralevich <nnk@google.com> |
am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server * commit '92b10ddb47caa4c80a626e6c70330439feb4aa30': Eliminate CAP_SYS_MODULE from system_server
|
92b10ddb47caa4c80a626e6c70330439feb4aa30 |
|
05-Mar-2015 |
Nick Kralevich <nnk@google.com> |
Eliminate CAP_SYS_MODULE from system_server Right now, the system_server has the CAP_SYS_MODULE capability. This allows the system server to install kernel modules. Effectively, system_server is one kernel module load away from full root access. Most devices don't need this capability. Remove this capability from the core SELinux policy. For devices which require this capability, they can add it to their device-specific SELinux policy without making any framework code changes. In particular, most Nexus devices ship with monolithic kernels, so this capability isn't needed on those devices. Bug: 7118228 Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
/system/sepolicy/system_server.te
|
e5d81d1434d187c0de9624b5a3a1cd8a5bb63ba0 |
|
03-Mar-2015 |
dcashman <dcashman@google.com> |
am 40af9962: am 31a8511a: am 23f33615: Record observed system_server servicemanager service requests. * commit '40af996297e7c07dd396fdba9a8f4bce90338e6f': Record observed system_server servicemanager service requests.
|
31a8511a79aca6954abe04afb8c7a364863ca5a9 |
|
03-Mar-2015 |
dcashman <dcashman@google.com> |
am 23f33615: Record observed system_server servicemanager service requests. * commit '23f336156daf61ba07c024af2fe96994605f46eb': Record observed system_server servicemanager service requests.
|
23f336156daf61ba07c024af2fe96994605f46eb |
|
03-Mar-2015 |
dcashman <dcashman@google.com> |
Record observed system_server servicemanager service requests. Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000 Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
/system/sepolicy/system_server.te
|
7939f440f5deb51f4e195bc064c83f25b2d06145 |
|
26-Feb-2015 |
Nick Kralevich <nnk@google.com> |
am ca77ce09: am cd31111d: am d99ea5a8: Merge "Revert /proc/net related changes" * commit 'ca77ce09878196a8958eac3786cb13bf3426520a': Revert /proc/net related changes
|
cd31111d5e941fe67264b985b4e2ca2841e91e2b |
|
26-Feb-2015 |
Nick Kralevich <nnk@google.com> |
am d99ea5a8: Merge "Revert /proc/net related changes" * commit 'd99ea5a8af11216fb3e2e315c6310d2af4f02afc': Revert /proc/net related changes
|
5cf3994d8ab039f9ba47164ef9d13e2ddb5e7acd |
|
25-Feb-2015 |
Nick Kralevich <nnk@google.com> |
Revert /proc/net related changes Revert the tightening of /proc/net access. These changes are causing a lot of denials, and I want additional time to figure out a better solution. Addresses the following denials (and many more):
avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
This reverts commit 0f0324cc826afb9beefda802d496befe823a081e and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 Bug: 9496886 Bug: 19034637 Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
/system/sepolicy/system_server.te
|
ffbc3de99f3e7a4f2d0c51bb91dd48a5db62ae4e |
|
30-Jan-2015 |
Nick Kralevich <nnk@google.com> |
am f4c0a09b: am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec * commit 'f4c0a09bd3c77486faf53eb0c89fdc720dd10353': system_server: neverallow dex2oat exec
|
f4c0a09bd3c77486faf53eb0c89fdc720dd10353 |
|
30-Jan-2015 |
Nick Kralevich <nnk@google.com> |
am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec * commit '437f713936148eb0cf3eb277eab72b07a1d533ca': system_server: neverallow dex2oat exec
|
361cdaff3096fafc16bbe88b84d6f99f7944def7 |
|
30-Jan-2015 |
Nick Kralevich <nnk@google.com> |
system_server: neverallow dex2oat exec system_server should never be executing dex2oat. This is either a bug (for example, bug 16317188), or represents an attempt by system server to dynamically load a dex file, something we don't want to allow. This change adds a compile time assertion which will detect if an allow rule granting this access is ever added. No new rules are added or deleted as a result of this change. This neverallow rule is automatically enforced via CTS. Bug: 16317188 Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
/system/sepolicy/system_server.te
|
63168cc8d7be62d34a02cd0cb157b13c35ff4049 |
|
20-Jan-2015 |
dcashman <dcashman@google.com> |
am 854ad128: am a5119ee7: am 566e8fe2: Record service accesses. * commit '854ad128c9de75aae66ca8868f317a133974e4a8': Record service accesses.
|
854ad128c9de75aae66ca8868f317a133974e4a8 |
|
20-Jan-2015 |
dcashman <dcashman@google.com> |
am a5119ee7: am 566e8fe2: Record service accesses. * commit 'a5119ee7900d511278b12d04f436ed25110556cf': Record service accesses.
|
566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 |
|
17-Jan-2015 |
dcashman <dcashman@google.com> |
Record service accesses. Reduce logspam and record further observed service connections. Bug: 18106000 Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
/system/sepolicy/system_server.te
|
6ca7a15ad212c62b591cf906169b200155407c2a |
|
16-Jan-2015 |
dcashman <dcashman@google.com> |
am 7dc1417b: am c1142451: am 0d16b5ac: Merge "Remove known system_server service accesses from auditing." * commit '7dc1417b628d017b79848c62b450078834e7c612': Remove known system_server service accesses from auditing.
|
1267d6674581e60901184030c3a9c77828ab91fb |
|
16-Jan-2015 |
Nick Kralevich <nnk@google.com> |
am 5585c30a: am acf209e8: am 99940d1a: remove /proc/net read access from domain.te * commit '5585c30ace954b880b8099e2847f3f860bc7b9e3': remove /proc/net read access from domain.te
|
7dc1417b628d017b79848c62b450078834e7c612 |
|
16-Jan-2015 |
dcashman <dcashman@google.com> |
am c1142451: am 0d16b5ac: Merge "Remove known system_server service accesses from auditing." * commit 'c1142451d9d91fba3f4f3910ecbfd0b2263c445d': Remove known system_server service accesses from auditing.
|
c631ede7dc7cb131b1bdd03ce296eeac53dc9add |
|
16-Jan-2015 |
dcashman <dcashman@google.com> |
Remove known system_server service accesses from auditing. Address observed audit logs of the form: granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager in order to record existing relationships with services. Bug: 18106000 Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
/system/sepolicy/system_server.te
|
5585c30ace954b880b8099e2847f3f860bc7b9e3 |
|
15-Jan-2015 |
Nick Kralevich <nnk@google.com> |
am acf209e8: am 99940d1a: remove /proc/net read access from domain.te * commit 'acf209e8c38e2a2ed7510551961a5812f63a4935': remove /proc/net read access from domain.te
|
3c2e91f325225323e1414a27a94e2279d94e26ba |
|
15-Jan-2015 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 61e82a2c to master Change-Id: Iab9f024f046ca5393e3625267d1cedfbdd74e8e7
|
61e82a2cfc5483fb89d5b210db0495627d758150 |
|
15-Jan-2015 |
dcashman <dcashman@google.com> |
resolved conflicts for merge of e55f2b81 to lmp-mr1-dev-plus-aosp Change-Id: If8473c40d1b3da93d1f0f74d24f40633b2209f5e
|
99940d1af5719f1622fa2a17f8daf6cb21de3ad1 |
|
14-Jan-2015 |
Nick Kralevich <nnk@google.com> |
remove /proc/net read access from domain.te SELinux domains wanting read access to /proc/net need to explicitly declare it. TODO: fixup the ListeningPortsTest cts test so that it's not broken. Bug: 9496886 Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
/system/sepolicy/system_server.te
|
4a89cdfa89448c8660308a31bfcb517fffaa239e |
|
17-Dec-2014 |
dcashman <dcashman@google.com> |
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/system/sepolicy/system_server.te
|
880938af90019a600b10baf8ce225cb371e9473b |
|
17-Dec-2014 |
dcashman <dcashman@google.com> |
am 49e7e0c2: am d8800a10: am cd82557d: Restrict service_manager find and list access. * commit '49e7e0c24846468fe6ed408ef00b8182058fb30f': Restrict service_manager find and list access.
|
49e7e0c24846468fe6ed408ef00b8182058fb30f |
|
17-Dec-2014 |
dcashman <dcashman@google.com> |
am d8800a10: am cd82557d: Restrict service_manager find and list access. * commit 'd8800a10fa987bac8234d87f1d4ff83d90966053': Restrict service_manager find and list access.
|
cd82557d4069c20bda8e18aa7f72fc0521a3ae32 |
|
12-Dec-2014 |
dcashman <dcashman@google.com> |
Restrict service_manager find and list access. All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
/system/sepolicy/system_server.te
|
fba17fd2f413e8fc376752d9c9ef6d7d924bd6a4 |
|
15-Nov-2014 |
Mike Lockwood <lockwood@google.com> |
Add support for MIDI service Change-Id: If7241659a8252d65187673f0d8e87150d5dfb72d
/system/sepolicy/system_server.te
|
6eabeb20f9e5aff2cd46c219903ea4479cc9f3e5 |
|
19-Nov-2014 |
Nick Kralevich <nnk@google.com> |
am c230c292: am c48971f6: allow system_server to set ro.build.fingerprint * commit 'c230c2926d7ce3ca7348a391ad15adb55d5c74f3': allow system_server to set ro.build.fingerprint
|
c48971f69fa07c98e62b9a8b0a2ba171846fbea1 |
|
18-Nov-2014 |
Nick Kralevich <nnk@google.com> |
allow system_server to set ro.build.fingerprint Some devices leave "ro.build.fingerprint" undefined at build time, since they need to build it from the components at runtime. See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8 for details. Allow system_server to set ro.build.fingerprint Addresses the following denial/error:
avc: denied { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
init: sys_prop: permission denied uid:1000 name:ro.build.fingerprint
Bug: 18188956 Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
/system/sepolicy/system_server.te
|
0ff85767a30885a65a61aa9b854c8b929cc6b33e |
|
29-Oct-2014 |
Nick Kralevich <nnk@google.com> |
am 4d9648e3: am b519949d: system_server: assert app data files never opened directly * commit '4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9': system_server: assert app data files never opened directly
|
4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9 |
|
28-Oct-2014 |
Nick Kralevich <nnk@google.com> |
am b519949d: system_server: assert app data files never opened directly * commit 'b519949df150ebe4fc9bf3db52542bb5d9238d4e': system_server: assert app data files never opened directly
|
8526aced7551291a2a8d9d1fca3f8a719d9ecb24 |
|
25-Oct-2014 |
Nick Kralevich <nnk@google.com> |
am 491c5368: am 2d1650f4: allow system_server to set kernel scheduling priority * commit '491c5368f7cdae8f7b94ed620706ed61c092e8d1': allow system_server to set kernel scheduling priority
|
2d1650f4075db4f4f458de4c1a4cb5869c44b936 |
|
24-Oct-2014 |
Nick Kralevich <nnk@google.com> |
allow system_server to set kernel scheduling priority Addresses the following denial:
avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0
It's not clear why system_server is adjusting the scheduling priority of kernel processes (ps -Z | grep kernel). For now, allow the operation, although this is likely a kernel bug. Maybe fix bug 18085992. Bug: 18085992 Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855
/system/sepolicy/system_server.te
|
b519949df150ebe4fc9bf3db52542bb5d9238d4e |
|
23-Oct-2014 |
Nick Kralevich <nnk@google.com> |
system_server: assert app data files never opened directly Add a compile time assertion that app data files are never directly opened by system_server. Instead, system_server always expects files to be passed via file descriptors. This neverallow rule will help prevent accidental regressions and allow us to perform other security tightening, for example bug 7208882 - Make an application's home directory 700 Bug: 7208882 Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d
/system/sepolicy/system_server.te
|
255d40927631a9fb71b068db5022bd969562b49a |
|
16-Oct-2014 |
Robin Lee <rgl@google.com> |
resolved conflicts for merge of bdec09b9 to lmp-mr1-dev-plus-aosp Change-Id: I9f1dd4fd401df73006f79205557daa17313d36f4
|
5871d1bc18f32b4411c731c1bd9c8d3974691eab |
|
16-Oct-2014 |
Robin Lee <rgl@google.com> |
resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
|
51bfecf49d50982f64aba1fa73bbbdd2e40a444f |
|
13-Oct-2014 |
Robin Lee <rgl@google.com> |
Pull keychain-data policy out of system-data Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
/system/sepolicy/system_server.te
|
86facd93880604879486221e462b4f8a451247a5 |
|
11-Oct-2014 |
Nick Kralevich <nnk@google.com> |
am 0ed8f86e: am 2380d05f: allow system_server oemfs read access * commit '0ed8f86eba294cfc76c283852d0da6542c631c31': allow system_server oemfs read access
|
7fe94a1c79b4fa0c8049ac23c66ccf77b5b3ad33 |
|
11-Oct-2014 |
Nick Kralevich <nnk@google.com> |
am 2380d05f: allow system_server oemfs read access * commit '2380d05f9791b6789b81e28ca8841df1b8b62c6d': allow system_server oemfs read access
|
2380d05f9791b6789b81e28ca8841df1b8b62c6d |
|
11-Oct-2014 |
Nick Kralevich <nnk@google.com> |
allow system_server oemfs read access Bug: 17954291 Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d
/system/sepolicy/system_server.te
|
f37ce3f3e2ad68da61f709567cd166a83316e3f3 |
|
08-Sep-2014 |
dcashman <dcashman@google.com> |
Add support for factory reset protection. Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
(cherrypick of commit 47bd7300a522fb9c7e233b6d040533ad16708a0e) Bug: 16710840 Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
/system/sepolicy/system_server.te
|
72acd6bbbe65f8d776028a4097c427fd1dad235b |
|
27-Aug-2014 |
Robin Lee <rgl@google.com> |
Allow system reset_uid, sync_uid, password_uid Permits the system server to change keystore passwords for users other than primary. (cherrypicked from commit de08be8aa006c313e5025ba5f032abf786a39f71) Bug: 16233206 Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/system/sepolicy/system_server.te
|
43b8bc53ab177296f88fbc6fc8c3c8b225f13bca |
|
09-Sep-2014 |
dcashman <dcashman@google.com> |
resolved conflicts for merge of 47bd7300 to lmp-dev-plus-aosp Change-Id: I9631fb1774893d2eeccd7f1f5a867cb5dd98d53d
|
47bd7300a522fb9c7e233b6d040533ad16708a0e |
|
08-Sep-2014 |
dcashman <dcashman@google.com> |
Add support for factory reset protection. Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
Bug: 16710840 Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
/system/sepolicy/system_server.te
|
f9ea564a9ee3d80c92d198bf52e28eed7dac509d |
|
30-Aug-2014 |
Robin Lee <rgl@google.com> |
am de08be8a: Allow system reset_uid, sync_uid, password_uid * commit 'de08be8aa006c313e5025ba5f032abf786a39f71': Allow system reset_uid, sync_uid, password_uid
|
de08be8aa006c313e5025ba5f032abf786a39f71 |
|
27-Aug-2014 |
Robin Lee <rgl@google.com> |
Allow system reset_uid, sync_uid, password_uid Permits the system server to change keystore passwords for users other than primary. Bug: 16233206 Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/system/sepolicy/system_server.te
|
bd6d1f385b7d3eec5ba49947c3b01464a809f8d0 |
|
29-Aug-2014 |
Brian Carlstrom <bdc@google.com> |
am 09eae908: Remove system_server create access from /data/dalvik-cache * commit '09eae90890d4a2545358b8ba104e1f2a46df1408': Remove system_server create access from /data/dalvik-cache
|
09eae90890d4a2545358b8ba104e1f2a46df1408 |
|
29-Aug-2014 |
Brian Carlstrom <bdc@google.com> |
Remove system_server create access from /data/dalvik-cache Bug: 16875245 (cherry picked from commit 372d0df796389e2f6295a394492585ed64f0ceca) Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
/system/sepolicy/system_server.te
|
372d0df796389e2f6295a394492585ed64f0ceca |
|
29-Aug-2014 |
Brian Carlstrom <bdc@google.com> |
Remove system_server create access from /data/dalvik-cache Bug: 16875245 Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
/system/sepolicy/system_server.te
|
4a518b8bbf1e085fd4984f652209442f39ac0cfe |
|
29-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
am 997461bd: Allow system_server to talk to netlink directly. * commit '997461bda5aaedeabf48021e3291293e48501ef7': Allow system_server to talk to netlink directly.
|
997461bda5aaedeabf48021e3291293e48501ef7 |
|
29-Jul-2014 |
Sreeram Ramachandran <sreeram@google.com> |
Allow system_server to talk to netlink directly. This is needed for http://ag/512212 to work. Bug: 15409819 Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
/system/sepolicy/system_server.te
|
d065f0483c89d18aa92f60646b3e0867072bc8ff |
|
26-Jul-2014 |
Nick Kralevich <nnk@google.com> |
Resync lmp-dev-plus-aosp with master A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp. This is expected, but it's causing unnecessary merge conflicts when handling AOSP contributions. Resolve those conflicts. This is essentially a revert of bf696327246833c9aba55a645e6c433e9f321e27 for lmp-dev-plus-aosp only. Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c
/system/sepolicy/system_server.te
|
7d62aceef4918c1fd08d7774c7a7d4f4562c317b |
|
25-Jul-2014 |
Narayan Kamath <narayan@google.com> |
am aa8e657e: Revert "fix system_server dex2oat exec" * commit 'aa8e657ef09d70d8ea5657b624022925d92f4711': Revert "fix system_server dex2oat exec"
|
aa8e657ef09d70d8ea5657b624022925d92f4711 |
|
25-Jul-2014 |
Narayan Kamath <narayan@google.com> |
Revert "fix system_server dex2oat exec" This reverts commit 10370f5ff47745fe9678d18ff788e51e665bf36e. The underlying issue has been fixed and the system_server will now go via installd to get stuff compiled, if required. bug: 16317188 Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
/system/sepolicy/system_server.te
|
9d24d52e9742cca22425aa6fbc34dde69b3bd0df |
|
24-Jul-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
am ba992496: Define debuggerd class, permissions, and rules. * commit 'ba992496f01e40a10d9749bb25b6498138e607fb': Define debuggerd class, permissions, and rules.
|
ba992496f01e40a10d9749bb25b6498138e607fb |
|
24-Jul-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Define debuggerd class, permissions, and rules. Define a new class, permissions, and rules for the debuggerd SELinux MAC checks. Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd. Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
bf696327246833c9aba55a645e6c433e9f321e27 |
|
18-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
DO NOT MERGE: Remove service_manager audit_allows. Remove the audit_allow rules from lmp-dev because we will not be tightening any further so these logs will not be useful. Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
/system/sepolicy/system_server.te
|
d26357641d9f85750f63c9e4ec441a506e806389 |
|
16-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Remove auditallow from system_server. system_server auditallow statements were causing logspam and there is not a good way to negate services from specific devices so as a fix we are removing all system_server auditallows. These logs may not be useful anyway because I suspect that system_server will probe for most all services anyway. (cherry picked from commit 5a25fbf7ca281d2b372def95b92b400a073604b6) Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
/system/sepolicy/system_server.te
|
5a25fbf7ca281d2b372def95b92b400a073604b6 |
|
16-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Remove auditallow from system_server. system_server auditallow statements were causing logspam and there is not a good way to negate services from specific devices so as a fix we are removing all system_server auditallows. These logs may not be useful anyway because I suspect that system_server will probe for most all services anyway. Change-Id: I27a05761c14def3a86b0749cdb895190bdcf9d71
/system/sepolicy/system_server.te
|
344fc109e9787f91946ac852bb513c796aab38f6 |
|
07-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Add access control for each service_manager action. Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. (cherry picked from commit b8511e0d98880a683c276589ab7d8d7666b7f8c1) Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
/system/sepolicy/system_server.te
|
10370f5ff47745fe9678d18ff788e51e665bf36e |
|
15-Jul-2014 |
Nick Kralevich <nnk@google.com> |
fix system_server dex2oat exec Addresses the following denial: W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0 Bug: 16317188 Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
/system/sepolicy/system_server.te
|
81839dfb24094803125f7ac9d4844207b61569ed |
|
15-Jul-2014 |
Ed Heyl <edheyl@google.com> |
reconcile aosp (3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea) after branching. Please do not merge. Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
/system/sepolicy/system_server.te
|
8395bb4ad005c1a2fc8085715bb3155867b212e5 |
|
15-Jul-2014 |
Nick Kralevich <nnk@google.com> |
fix system_server dex2oat exec Addresses the following denial: W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0 Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
/system/sepolicy/system_server.te
|
b8511e0d98880a683c276589ab7d8d7666b7f8c1 |
|
07-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Add access control for each service_manager action. Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/system/sepolicy/system_server.te
|
3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea |
|
11-Jul-2014 |
Todd Poynor <toddpoynor@google.com> |
Allow oemfs search for system_server and bootanim Address denials in devices that use /oem Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403
/system/sepolicy/system_server.te
|
5d60f04e5d43d084992d59c38a631a034b88e715 |
|
10-Jul-2014 |
Colin Cross <ccross@android.com> |
sepolicy: allow system server to remove cgroups Bug: 15313911 Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
/system/sepolicy/system_server.te
|
d8447fdfe1db8571158659bc2daf058335842a06 |
|
10-Jul-2014 |
Andres Morales <anmorales@google.com> |
Typedef+rules for SysSer to access persistent block device Defines new device type persistent_data_block_device This block device will allow storage of data that will live across factory resets. Gives rw and search access to SystemServer. Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
/system/sepolicy/system_server.te
|
be092af039148e3cadcd49ee7042b8f39c7e95a2 |
|
07-Jul-2014 |
Jeff Sharkey <jsharkey@android.com> |
Rules to allow installing package directories. Earlier changes had extended the rules, but some additional changes are needed. avc: denied { relabelfrom } for name="vmdl-723825123.tmp" dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir Bug: 14975160 Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
/system/sepolicy/system_server.te
|
d00eff47fe1f0b73dce96241ac348599f7d8e41c |
|
04-Jul-2014 |
Nick Kralevich <nnk@google.com> |
system_server: bring back sdcard_type neverallow rule We had disabled the neverallow rule when system_server was in permissive_or_unconfined(), but forgot to reenable it. Now that system_server is in enforcing/confined, bring it back. Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba
/system/sepolicy/system_server.te
|
596bcc768758f38534a537a3fb54875225417f2c |
|
01-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Remove keystore auditallow statements from system. Remove the auditallow statements related to keystore in system_app and system_server. Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
/system/sepolicy/system_server.te
|
1196d2a5763c9a99be99ba81a4a29d938a83cc06 |
|
17-Jun-2014 |
Riley Spahn <rileyspahn@google.com> |
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
/system/sepolicy/system_server.te
|
8c6552acfba677442d565a0c7f8e44f5f2af57f2 |
|
25-Jun-2014 |
Nick Kralevich <nnk@google.com> |
Allow system_server to read all /proc files system_server scans through /proc to keep track of process memory and CPU usage. It needs to do this for all processes, not just appdomain processes, to properly account for CPU and memory usage. Allow it. Addresses the following errors which have been showing up in logcat: W/ProcessCpuTracker(12159): Skipping unknown process pid 1 W/ProcessCpuTracker(12159): Skipping unknown process pid 2 W/ProcessCpuTracker(12159): Skipping unknown process pid 3 Bug: 15862412 Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512
/system/sepolicy/system_server.te
|
fee49159e760162b0e8ee5a4590c50a65b8e322f |
|
19-Jun-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
97a2cfdf6618f98fe1da51c5e77d9a5d2765c04e |
|
18-Jun-2014 |
Paul Jensen <pauljensen@google.com> |
Allow Bluetooth app to initiate DHCP service on bt-pan interface. bug:15407087 Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
/system/sepolicy/system_server.te
|
04e730b635d961f1610886e96622214b9a5e40d4 |
|
19-Jun-2014 |
Nick Kralevich <nnk@google.com> |
system_server: allow open /dev/snd and read files system_server needs to open /dev/snd and access files within that directory. Allow it. system_server needs to parse the ALSA card descriptors after a USB device has been inserted. This happens from USBService in system_server. Addresses the following denial: system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir and likely others Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
/system/sepolicy/system_server.te
|
00b180dfb8195fa559f45e812c9c2a82bdbd9c40 |
|
17-Jun-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Eliminate some duplicated rules. As reported by sepolicy-analyze -D -P /path/to/sepolicy. No semantic difference reported by sediff between the policy before and after this change. Deduplication of selinuxfs read access resolved by taking the common rules to domain.te (and thereby getting rid of the selinux_getenforce macro altogether). Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
fad4d5fb00ddb1f61c22c003429e10f10b046d0d |
|
16-Jun-2014 |
Nick Kralevich <nnk@google.com> |
Fix SELinux policies to allow resource overlays. The following commits added support for runtime resource overlays. New command line tool 'idmap' * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5 Runtime resource overlay, iteration 2 * 48d22323ce39f9aab003dce74456889b6414af55 Runtime resource overlay, iteration 2, test cases * ad6ed950dbfa152c193dd7e49c369d9e831f1591 During SELinux tightening, support for these runtime resource overlays was unknowingly broken. Fix it. This change has been tested by hackbod and she reports that everything is working after this change. I haven't independently verified the functionality. Test cases are available for this by running: * python frameworks/base/core/tests/overlaytests/testrunner.py Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
/system/sepolicy/system_server.te
|
a76d9ddf6bf8f0ee0768a2129fa7606f66b0b510 |
|
14-Jun-2014 |
Nick Kralevich <nnk@google.com> |
system_server profile access Still not fixed. *sigh* Addresses the following denial: <4>[ 40.515398] type=1400 audit(15842931.469:9): avc: denied { read } for pid=814 comm="system_server" name="profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir Change-Id: I705a4cc9c508200ace46780c18b7112b62f27994
/system/sepolicy/system_server.te
|
96d9af423575aec5559bd1a7094203c9e0586347 |
|
13-Jun-2014 |
Nick Kralevich <nnk@google.com> |
allow system_server getattr on /data/dalvik-cache/profiles 867030517724036b64fcaf39deaba1b27f3ca77e wasn't complete. I thought getattr on the directory wasn't needed but I was wrong. Not sure how I missed this. Addresses the following denial: <4>[ 40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
/system/sepolicy/system_server.te
|
867030517724036b64fcaf39deaba1b27f3ca77e |
|
11-Jun-2014 |
Nick Kralevich <nnk@google.com> |
Remove world-read access to /data/dalvik-cache/profiles Remove /data/dalvik-cache/profiles from domain. Profiling information leaks data about how people interact with apps, so we don't want the data to be available in all SELinux domains. Add read/write capabilities back to app domains, since apps need to read/write profiling data. Remove restorecon specific rules. The directory is now created by init, not installd, so installd doesn't need to set the label. Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
/system/sepolicy/system_server.te
|
f90c41f6e8d5c1266e154f46586a2ceb260f1be6 |
|
06-Jun-2014 |
Riley Spahn <rileyspahn@google.com> |
Add SELinux rules for service_manager. Add a service_manager class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
/system/sepolicy/system_server.te
|
13d5886363675915e5115ccc0a95ca5d7776730b |
|
11-Jun-2014 |
Ruchi Kandoi <kandoiruchi@google.com> |
system_server: Adds permission to system_server to write sysfs file Need this for changing the max_cpufreq and min_cpufreq for the low power mode. Denials: type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854 comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8 Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646 Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
/system/sepolicy/system_server.te
|
6bb672e6b3df2fb3dbb49f32e5f30589ff539e6e |
|
26-Nov-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Make the system_server domain enforcing. Change-Id: I1ea20044bd6789dde002da7fc9613cfbf1ee2d23 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
2cc6d63d5d88824527a7fd89a0cacf5702109eae |
|
04-Jun-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow system_server access to /data/media files passed via Binder. Addresses denials such as: avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
f85c1fc293523db241c48d815b165067b8a0f471 |
|
27-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow installd, vold, system_server unlabeled access. The bugs that motivated bringing back the unlabeled allowall rules, https://android-review.googlesource.com/#/c/94971/ should be resolved by the following changes: https://android-review.googlesource.com/#/c/94966/ https://android-review.googlesource.com/#/c/96080/ Beyond those changes, installd needs to be able to remove package directories for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so allow it the permissions required for this purpose. vold needs to be able to chown/chmod/restorecon files in asec containers so allow it the permissions to do so. system_server tries to access all /data/data subdirectories so permit it to do so. installd and system_server read the pkg.apk file before it has been relabeled by vold and therefore need to read unlabeled files. Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
8599e34b95705638034b798c56bc2cc8bb2e6372 |
|
23-May-2014 |
Nick Kralevich <nnk@google.com> |
Introduce wakelock_use() Introduce wakelock_use(). This macro declares that a domain uses wakelocks. Wakelocks require both read-write access to files in /sys/power, and CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and file access are granted at the same time. Still TODO: fix device specific wakelock use. Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
/system/sepolicy/system_server.te
|
a16a59e2c7f1e2f09bf7b750101973a974c972e8 |
|
14-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove graphics_device access. Neither mediaserver nor system_server appear to require direct access to graphics_device, i.e. the framebuffer device. Drop it. Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
782e084dc249ec96a4659c523ffc6a53ee46abb1 |
|
14-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow system_server to read tombstones. Address denials such as: avc: denied { read } for name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir avc: denied { open } for name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir avc: denied { getattr } for path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file avc: denied { read } for name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file avc: denied { open } for name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
538edd3317fd56d6d1871aebe83f0636946fbc94 |
|
12-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Restrict system_server to only the data file types needed. Drop rules on data_file_type attribute and replace with rules on specific types under /data. Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
02dac03a8c7cc79306cf5807f86af3e01f5dc4af |
|
09-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop relabelto_domain() macro and its associated definitions. This was originally to limit the ability to relabel files to particular types given the ability of all domains to relabelfrom unlabeled files. Since the latter was removed by Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves any purpose. Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
cd905ec04e6db7f9116afe05c95c0d5e387e5b15 |
|
09-May-2014 |
Nick Kralevich <nnk@google.com> |
Protect keystore's files. Only keystore itself should be reading / writing its files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
/system/sepolicy/system_server.te
|
53cde700cda6caad25ba06092fa850ff51dd2431 |
|
07-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Report graphics_device accesses by system_server or mediaserver. See if we can remove these allow rules by auditing any granting of these permissions. These rules may be a legacy of older Android or some board where the gpu device lived under /dev/graphics too. Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
3f3d6ffb7ee98116404e4a85ad027a98b70c2331 |
|
15-Apr-2014 |
Nick Kralevich <nnk@google.com> |
Allow system_server pstore access. pstore contains /sys/fs/pstore/console-ramoops, which is the replacement for /proc/last_kmsg. Both files are read by system_server on startup. Allow access. Addresses the following denials: <12>[ 53.836838] type=1400 audit(949060020.909:19): avc: denied { search } for pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir <12>[ 53.856546] type=1400 audit(949060020.909:20): avc: denied { getattr } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file <12>[ 53.878425] type=1400 audit(949060020.909:21): avc: denied { read } for pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file <12>[ 53.898476] type=1400 audit(949060020.909:22): avc: denied { open } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file Change-Id: I7307da751961b242e68adb319da9c00192e77bbb
/system/sepolicy/system_server.te
|
e06e53638808ec0d14aaee701590fdc93cfd3150 |
|
21-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow inputflinger to call system_server. Resolves denials such as: avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file avc: denied { open } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file avc: denied { search } for pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file avc: denied { call } for pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder Change-Id: I099d7dacf7116efa73163245597c3de629d358c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
971b5d7c9f6cd134cfa89ca211cbaabe1ac606a4 |
|
18-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow system_server to set ctl.bugreport property. Resolves denials such as: avc: denied { set } for property=ctl.bugreport scontext=u:r:system_server:s0 tcontext=u:object_r:ctl_bugreport_prop:s0 tclass=property_service Change-Id: I6c3085065157f418fc0cd4d01fa178eecfe334ad Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
bafbf8133015204ac1b9116ccd4235e8a615895c |
|
14-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow system_server to read from log daemon. Addresses denials such as: avc: denied { write } for pid=1797 comm="logcat" name="logdr" dev="tmpfs" ino=7523 scontext=u:r:system_server:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file avc: denied { connectto } for pid=1797 comm="logcat" path="/dev/socket/logdr" scontext=u:r:system_server:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket Change-Id: Idc4f48519ca3d81125102e8f15f68989500f5e9e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
6fe899a0d1905682c3224f1a3809288dacc0ca3f |
|
13-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Silence /proc/pid denials. system_server components such as ActivityManager and CpuTracker try to access all /proc/pid directories, triggering denials on domains that are not explicitly allowed to the system_server. Silence these denials to avoid filling the logs with noise and overwriting actual useful messages in the kernel ring buffer. Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
c18121811c59335b4b59e8ffc52179ad6049640b |
|
06-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Deduplicate and rationalize system_server /proc/pid access. The system_server has duplicate/overlapping rules regarding /proc/pid access as well as a lack of clarity on the reason for the different rules. Deduplicate the rules and clarify the purpose of different sets of rules. Replace the rules granting /proc/pid access for all domains with specific rules only for domains that we know should be accessible by the system_server, i.e. all apps (appdomain) and the set of native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST. Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
d9d9d2f4170b96a674c8222287bbe4cddfc8de3a |
|
05-Mar-2014 |
Nick Kralevich <nnk@google.com> |
temp fix for build breakage. libsepol.check_assertion_helper: neverallow on line 8857 violated by allow system_server sdcard_external:file { ioctl read write getattr lock append open }; Error while expanding policy make: *** [out/target/product/manta/obj/ETC/sepolicy_intermediates/sepolicy] Error 1 Change-Id: I181707ed66bad3db56f9084b3d9ba161d13b34bd
/system/sepolicy/system_server.te
|
d331e00bd8101b5ab63e08822cdad7a223c2a5dd |
|
05-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Do not allow system_server to access SDcard files. As per: https://android-review.googlesource.com/#/c/84130/3/system_server.te@240 it is unsafe to allow such access. Add a neverallow rule to prohibit any rules on sdcard_type in the future. Change-Id: Ife714b65b07144eb6228a048a55ba82181595213 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
3dad7b611a448fa43a678ff760c23a00f387947e |
|
05-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Address system_server denials. Label /proc/sysrq-trigger and allow access. Label /dev/socket/mtpd and allow access. Resolves denials such as: avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
28afdd9234236d0b3c510f28255aa14625d11457 |
|
26-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Deduplicate binder_call rules. A number of binder_call rules are duplicated by other rules written in terms of attributes/sets (e.g. appdomain, binderservicedomain). Get rid of the duplicates. Also use binder_use() in racoon.te rather than manually writing the base rule for communicating with the servicemanager. Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
63b98b17e41b74a7595dc80e1958550cf6b887d1 |
|
26-Feb-2014 |
Nick Kralevich <nnk@google.com> |
restore system_server zygote socket rules 1601132086b054adc70e7f8f38ed24574c90bc37 removed the getattr/getopt support for system_server, which is needed to close the zygote socket. See b/12061011 for details. system_server still needs this rule, and it's expected to stay permanently. Restore the rule and remove the comment about it eventually being deleted. Addresses the following denials: <5>[ 86.307639] type=1400 audit(1393376281.530:5): avc: denied { getattr } for pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket <5>[ 86.307945] type=1400 audit(1393376281.530:6): avc: denied { getopt } for pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket Bug: 12114500 Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d
/system/sepolicy/system_server.te
|
37afd3f6c337a6914de36ec8658593b523f32e3d |
|
27-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove system_server and zygote unlabeled execute access. Now that all of /data outside of /data/data should be labeled even on legacy devices as a result of Ib8d9751a47c8e0238cf499fcec61898937945d9d, there should be no reason to permit the system_server or zygote execute access to unlabeled files. This is the only remaining case where a type writable by app domains can be executed by system services, so eliminating it is desirable. That said, I have not specifically tested the non-SE to SE upgrade path to confirm that this causes no problems. Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
0296b9434f3b933b37f67c143788f87cb80b3325 |
|
25-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move qemud and /dev/qemu policy bits to emulator-specific sepolicy. Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
2c347e0a3676bb50cac796ca94eb6ab53c08fc87 |
|
25-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Drop obsolete keystore_socket type and rules. Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched the keystore to using binder instead of a socket, so this socket type and rules have been unused for a while. The type was only ever assigned to a /dev/socket socket file (tmpfs) so there is no issue with removing the type (no persistent files will have this xattr value). Change-Id: Id584233c58f6276774c3432ea76878aca28d6280 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
1601132086b054adc70e7f8f38ed24574c90bc37 |
|
24-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
335faf2b9b2d68d02223d1aedecf826bb9597f34 |
|
21-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow stat of /sys/module/lowmemorykiller files by system_server. <5>[ 43.929760] type=1400 audit(6342882.819:16): avc: denied { getattr } for pid=779 comm="system_server" path="/sys/module/lowmemorykiller/parameters/adj" dev="sysfs" ino=6048 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file Change-Id: I48828ca26814c6376c9c71c368f3eff0f7a8f219 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
5467fce636d0cebb86f3684f7a69d883324384ca |
|
13-Feb-2014 |
Nick Kralevich <nnk@google.com> |
initial lmkd policy. * Allow writes to /proc/PID/oom_score_adj * Allow writes to /sys/module/lowmemorykiller/* Addresses the following denials: <5>[ 3.825371] type=1400 audit(9781555.430:5): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file <5>[ 48.874747] type=1400 audit(9781600.639:16): avc: denied { search } for pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir <5>[ 48.874889] type=1400 audit(9781600.639:17): avc: denied { dac_override } for pid=176 comm="lmkd" capability=1 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability <5>[ 48.874982] type=1400 audit(9781600.639:18): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file <5>[ 48.875075] type=1400 audit(9781600.639:19): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file <5>[ 49.409231] type=1400 audit(9781601.169:20): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file <5>[ 209.081990] type=1400 audit(9781760.839:24): avc: denied { search } for pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir <5>[ 209.082240] type=1400 audit(9781760.839:25): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file <5>[ 209.082498] type=1400 audit(9781760.839:26): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file <5>[ 209.119673] type=1400 audit(9781760.879:27): avc: denied { search } for pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir <5>[ 209.119937] type=1400 audit(9781760.879:28): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file <5>[ 209.120105] type=1400 audit(9781760.879:29): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file <5>[ 209.235597] type=1400 audit(9781760.999:30): avc: denied { search } for pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir <5>[ 209.235798] type=1400 audit(9781760.999:31): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file <5>[ 209.236006] type=1400 audit(9781760.999:32): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file <5>[ 214.297283] type=1400 audit(9781766.059:64): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file <5>[ 214.297415] type=1400 audit(9781766.059:65): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file <5>[ 214.355060] type=1400 audit(9781766.119:66): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file <5>[ 214.355236] type=1400 audit(9781766.119:67): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file <5>[ 214.516920] type=1400 audit(9781766.279:68): avc: denied { search } for pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir <5>[ 214.678861] type=1400 audit(9781766.439:69): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file <5>[ 214.678992] type=1400 audit(9781766.439:70): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file <5>[ 214.708284] type=1400 audit(9781766.469:71): avc: denied { search } for pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir <5>[ 214.708435] type=1400 audit(9781766.469:72): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file <5>[ 214.708648] type=1400 audit(9781766.469:73): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4
/system/sepolicy/system_server.te
|
418e2abd39a3c86c4f8c7fcac93a1a7beea7a092 |
|
29-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Label /data/misc/wifi/sockets with wpa_socket. This will ensure that any sockets created in this directory will default to wpa_socket unless a type_transition is defined. Define a type transition for system_server to keep its separate system_wpa_socket type assigned for its socket. Allow wpa to create and unlink sockets in the directory. We leave the already existing rules for wifi_data_file in place for compatibility with existing devices that have wifi_data_file on /data/misc/wifi/sockets. Change-Id: I9e35cc93abf89ce3594860aa3193f84a3b42ea6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
8ed750e9731e6e3a21785e91e9b1cf7390c16738 |
|
13-Nov-2013 |
Mark Salyzyn <salyzyn@google.com> |
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
/system/sepolicy/system_server.te
|
208deb335719280c11ab0e6aa033bfd33629320a |
|
29-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow dumpstate to run am and shell. See http://code.google.com/p/android/issues/detail?id=65339 Further denials were observed in testing and allowed as well. Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
623975fa5aece708032aaf29689d73e1f3a615e7 |
|
11-Jan-2014 |
Nick Kralevich <nnk@google.com> |
Support forcing permissive domains to unconfined. Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/system_server.te
|
959fdaaa25d7dbfad8a1900dfe9575f873cea649 |
|
09-Jan-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove unlabeled execute access from domain, add to appdomain. Otherwise all domains can create/write files that are executable by all other domains. If I understand correctly, this should only be necessary for app domains executing content from legacy unlabeled userdata partitions on existing devices and zygote and system_server mappings of dalvikcache files, so only allow it for those domains. If required for others, add it to the individual domain .te file, not for all domains. Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
c50bf17d4f4ae4615c9f189236f593db5ff21180 |
|
08-Jan-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Address new system server denial. Allow system_server to unlink sockets created by the wpa supplicant. This will resolve the following denial seen across multiple devices. avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file Change-Id: If3a8b1f270dfcd3dc6838eb8ac72e3d5004cc36d Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/system_server.te
|
37339c763e9082573fcc86e14a6fb9d2d4b9d20c |
|
06-Jan-2014 |
Nick Kralevich <nnk@google.com> |
fix mediaserver selinux denials. mediaserver needs the ability to read media_rw_data_file files. Allow it. Similarly, this is also needed for drmserver. Addresses the following denials: <5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file <5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file Allow anyone who has access to video_device:chr_file to also have read access to video_device:dir. Otherwise, the character devices may not be reachable. Bug: 12416198 Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
/system/sepolicy/system_server.te
|
e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1 |
|
23-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Only allow PROT_EXEC for ashmem where required. tmpfs_domain() macro defines a per-domain type and allows access for tmpfs-backed files, including ashmem regions. execute-related permissions crept into it, thereby allowing write + execute to ashmem regions for most domains. Move the execute permission out of tmpfs_domain() to app_domain() and specific domains as required. Drop execmod for now we are not seeing it. Similarly, execute permission for /dev/ashmem crept into binder_use() as it was common to many binder using domains. Move it out of binder_use() to app_domain() and specific domains as required. Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
527316a21b80c2a70d8ed23351299a4dce0c77bf |
|
23-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow use of art as the Android runtime. system_server and app domains need to map dalvik-cache files with PROT_EXEC. type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file Apps need to map cached dex files with PROT_EXEC. We already allow this for untrusted_app to support packaging of shared objects as assets but not for the platform app domains. type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
13e44ec74d326463213c4c01963c776a699467cb |
|
19-Dec-2013 |
Nick Kralevich <nnk@google.com> |
allow system_server block_suspend I'm only seeing this denial on one device (manta), but it feels like it should be part of the generic policy. I don't understand why it's happening on only one device. Addresses the following denial: 14.711671 type=1400 audit(1387474628.570:6): avc: denied { block_suspend } for pid=533 comm="InputReader" capability=36 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2 Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47
/system/sepolicy/system_server.te
|
c4d7c0d797a9ef48df1d581578a8f84f9a45aac7 |
|
17-Dec-2013 |
Nick Kralevich <nnk@google.com> |
system_server.te: allow getopt/getattr on zygote socket In 61dc35072090f2735af2b39572e39eadb30573eb, I forgot to allow system_server to run getopt/getattr on the zygote socket. Bug: 12061011 Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6
/system/sepolicy/system_server.te
|
3ba9012535d8412d94db4ae9a5ce928b806e26d8 |
|
12-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move gpu_device type and rules to core policy. Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
2b392fccf35c790bdc55bdce51a196f4953644ce |
|
06-Dec-2013 |
Nick Kralevich <nnk@google.com> |
Move lmkd into its own domain. lmkd low memory killer daemon The kernel low memory killer logic has been moved to a new daemon called lmkd. ActivityManager communicates with this daemon over a named socket. This is just a placeholder policy, starting off in unconfined_domain. Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
/system/sepolicy/system_server.te
|
a49ba927e39bb21f18f8340334cf5781e124eb3d |
|
02-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow SELinuxPolicyInstallReceiver to work. Change-Id: I10006f43c142f07168e2ea0f4f5f7af68d03e504 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
af47ebb67aa64d699615693bf4603ec173417175 |
|
04-Nov-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Label /dev/fscklogs and allow system_server access to it. Otherwise you get denials such as: type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
2a604adf1b8fd887f01bc717d64fd1c8105f4d8e |
|
04-Nov-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Confine healthd, but leave it permissive for now. Remove unconfined_domain() and add the allow rules required for operation of healthd. Restore the permissive declaration until I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4 kernel. Resolves the following denials in 4.4: type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket shell@generic:/ $ type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2 type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
cd95e0acf18c940288f4abb8e1cfe6c052bb6543 |
|
01-Nov-2013 |
Nick Kralevich <nnk@google.com> |
Allow system_server to set powerctl_prop Otherwise we break "adb root && adb shell svc power reboot", which has the side effect of killing all of our test automation (oops). Bug: 11477487 Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631
/system/sepolicy/system_server.te
|
dd1ec6d557e80c688f7f1e4aef522b6441e8151a |
|
01-Nov-2013 |
Nick Kralevich <nnk@google.com> |
Give system_server / system_app ability to write some properties Allow writing to persist.sys and debug. This addresses the following denials (which are actually being enforced): <4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service <3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl <4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service <3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
/system/sepolicy/system_server.te
|
1ff644112e260d2aab55e696b32350dcda0a99b8 |
|
29-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Confine system_server, but leave it permissive for now. Change-Id: Ia0de9d739575c34a7391db5f0be24048d89a7bd1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
353c72e3b0b4d7d729af20f0c9a13c976baa8753 |
|
21-Oct-2013 |
Nick Kralevich <nnk@google.com> |
Move unconfined domains out of permissive mode. This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op. The following domains were deliberately NOT changed: 1) kernel 2) init In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work. When we're ready to tighten up the rules for these domains, we can: 1) Remove unconfined_domain and re-add the permissive line. 2) Submit the domain in permissive but NOT unconfined. 3) Remove the permissive line 4) Wait a few days and submit the no-permissive change. For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined. Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
/system/sepolicy/system_server.te
|
ec7d39ba168a5b620e6bb526f316581acc5c1238 |
|
29-Sep-2013 |
William Roberts <wroberts@tresys.com> |
Introduce controls on wake lock interface Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1
/system/sepolicy/system_server.te
|
8d688315aeb053eadc2606badbe4ce52899bb694 |
|
03-Oct-2013 |
Alex Klyubin <klyubin@google.com> |
Restrict access to /dev/hw_random to system_server and init. /dev/hw_random is accessed only by init and by EntropyMixer (which runs inside system_server). Other domains are denied access because apps/services should be obtaining randomness from the Linux RNG. Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
/system/sepolicy/system_server.te
|
45ba665cfcc5c2fc3242a013e6070c2bed860b0a |
|
27-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Label and allow access to /data/system/ndebugsocket. Otherwise it defaults to the label of /data/system and cannot be distinguished from any other socket in that directory. Also adds allow rule required for pre-existing wpa_socket transition to function without unconfined_domain. Change-Id: I57179aa18786bd56d247f397347e546cca978e41 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
|
4103b3f27ac0c6fdf16dac918ae791b709b24c6f |
|
17-Sep-2013 |
Alex Klyubin <klyubin@google.com> |
2/2: Rename domain "system" to "system_server". This CL completes the renaming of domain system to system_server by removing the "system" typealias that was temporarily added to avoid breaking the build while the rename CLs are landing. Change-Id: I05d11571f0e3d639026fcb9341c3476d44c54fca
/system/sepolicy/system_server.te
|
1fdee11df2552e29da0c48e3432f26f7a93e3bff |
|
14-Sep-2013 |
Alex Klyubin <klyubin@google.com> |
1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
/system/sepolicy/system_server.te
|