History log of /system/sepolicy/system_server.te
Revision Date Author Comments
17cfd3fce72613613a92929ba564ad14d2a50241 14-Jun-2016 dcashman <dcashman@google.com> Keep pre-existing sysfs write permissions.

Commit: b144ebab482891cef32ee84c06dbb0f943823573 added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them. Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc: denied { write } for pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
/system/sepolicy/system_server.te
d82df3bdb8e544fda0cd8250fa3aa527883db643 02-Jun-2016 Narayan Kamath <narayan@google.com> sepolicy: broaden system_server access to foreign_dex_data_file.

The system_server needs to rename these files when an app is upgraded.

bug: 28998083
Change-Id: Idb0c1ae774228faaecc359e4e35603dbb534592a
/system/sepolicy/system_server.te
49ac2a3d7a40d998e3b1be0b0172be8f651bc935 20-May-2016 Fyodor Kupolov <fkupolov@google.com> SELinux policies for /data/preloads directory

A new directory is created in user data partition that contains preloaded
content such as a retail mode demo video and pre-loaded APKs.

The new directory is writable/deletable by system server. It can only be
readable (including directory list) by privileged or platform apps.

Bug: 28855287
Change-Id: I3816cd3a1ed5b9a030965698a66265057214f037
/system/sepolicy/system_server.te
13bdd39cf1c4aa1f86623820aea167abf1b263f2 12-May-2016 Narayan Kamath <narayan@google.com> sepolicy: broaden system_server access to foreign_dex_data_file{dir}.

The system_server needs to clear these markers along with other app
data that it's responsible for clearing.

bug: 28510916
Change-Id: If9ba8b5b372cccefffd03ffddc51acac8e0b4649
/system/sepolicy/system_server.te
50c2909f23df270f75d23e16de2bb9e5363b54dd 13-May-2016 Andreas Gampe <agampe@google.com> Merge changes from topic 'dump_bluetooth_through_debuggerd' into nyc-dev

* changes:
Sepolicy: Allow debuggerd to dump backtraces of Bluetooth
Sepolicy: Refactor long lines for debuggerd backtraces
cbfa8ddfb6b9b7441ad2205f54a1914609283bce 13-May-2016 Andreas Gampe <agampe@google.com> Sepolicy: Allow debuggerd to dump backtraces of Bluetooth

Allow dumping traces of the Bluetooth process during ANR
and system-server watchdog dumps.

Bug: 28658141
Change-Id: Ie78bcb25e94e1ed96ccd75f7a35ecb04e7cb2b82
/system/sepolicy/system_server.te
0983db4aa94b13995b5fbef5f60eb5a07e00378d 12-May-2016 Andreas Gampe <agampe@google.com> Sepolicy: Refactor long lines for debuggerd backtraces

Split single lines in preparation for new additions.

Bug: 28658141
Change-Id: I89f6a52bd2d145c53dd6bb39177578f51a352acf
/system/sepolicy/system_server.te
95fd38169b867c0e45d11a9dbae698bc65e43a89 12-May-2016 Philip Cuadra <philipcuadra@google.com> Merge "Add CAP_IPC_LOCK and pinner to system_server" into nyc-dev
96da70eb4f92dcf38b28e4a9854de5b222bb84e6 02-May-2016 Philip Cuadra <philipcuadra@google.com> Add CAP_IPC_LOCK and pinner to system_server

Add pinner service to system_service services.
Add CAP_IPC_LOCK permissions to system_server in order to allow
system_server to pin more memory than the lockedmem ulimit.

bug 28251566

Change-Id: I990c73d25fce4f2cc9a2db0015aa238fa7b0e984
/system/sepolicy/system_server.te
39cfed0b23c542cf4b95e0e2835c1886914f88ce 30-Apr-2016 Christopher Tate <ctate@google.com> Allow the system to rename wallpaper files

Fast system -> lock wallpaper migration wants rename, not copy.

Bug 27599080

Change-Id: I4b07dff210fe952afb4675eecba3c5f7bf262e83
/system/sepolicy/system_server.te
8785a647a15a5bf49c64756f59a48e1b4d551be3 22-Apr-2016 TreeHugger Robot <treehugger-gerrit@google.com> Merge "Selinux: Policies for otapreopt_chroot and postinstall_dexopt" into nyc-dev
e5d8a947bdde4face86b9387b9024faaeb7724c7 30-Mar-2016 Andreas Gampe <agampe@google.com> Selinux: Policies for otapreopt_chroot and postinstall_dexopt

Give mount & chroot permissions to otapreopt_chroot related to
postinstall.

Add postinstall_dexopt for otapreopt in the B partition. Allow
the things installd can do for dexopt. Give a few more rights
to dex2oat for postinstall files.

Allow postinstall files to call the system server.

Bug: 25612095
Change-Id: If7407473d50c9414668ff6ef869c2aadd14264e7
/system/sepolicy/system_server.te
fbb6d2de1cf4d4ce6e86c353b963824b1b98d43b 21-Apr-2016 Mukesh Agrawal <quiche@google.com> Merge changes I9cdd52a2,Idf00e7a6 into nyc-dev

* changes:
allow system server to set log.tag.WifiHAL
limit shell's access to log.* properties
d9b0a34ad4c0797e7e648c0dfa4ce0866f6d62fe 20-Apr-2016 Christopher Tate <ctate@google.com> Allow system_server to hard link its own files

Specifically, backup of wallpaper imagery needs to use hard links to
achieve "real file" access to the large imagery files without rewriting
the contents all the time just to stage for backup. They can't be
symlinks because the underlying backup mechanisms refuse to act on
symbolic links for other security reasons.

Bug 25727875

Change-Id: Ic48fba3f94c92a4b16ced27a23646296acf8f3a5
/system/sepolicy/system_server.te
e651f6f4687eff068e73d84f67121ffbc3486f07 15-Apr-2016 mukesh agrawal <quiche@google.com> allow system server to set log.tag.WifiHAL

On eng and userdebug builds (only), allow system server
to change the value of log.tag.WifiHAL. WifiStateMachine
will set this property to 'D' by default. If/when a user
enables "Developer options -> Enable Wi-Fi Verbose Logging",
WifiStateMachine changes log.tag.WifiHAL to 'V'.

BUG=27857554
TEST=manual (see below)

Test detail
1. on user build:
$ adb shell setprop log.tag.WifiHAL V
$ adb shell getprop log.tag.WifiHAL
<blank line>
$ adb bugreport | grep log.tag.WifiHAL
<11>[ 141.918517] init: avc: denied { set } for property=log.tag.WifiHAL pid=4583 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:wifi_log_prop:s0 tclass=property_service permissive=0
<11>[ 141.918566] init: sys_prop: permission denied uid:2000 name:log.tag.WifiHAL
2. on userdebug build:
$ adb shell getprop log.tag.WifiHAL
$ <blank line>
$ adb shell setprop log.tag.WifiHAL V
$ adb shell getprop log.tag.WifiHAL
V
3. on userdebug build with modified WifiStateMachine:
$ adb shell getprop log.tag.WifiHAL
D

Change-Id: I9cdd52a2b47a3dd1065262ea8c329130b7b044db
/system/sepolicy/system_server.te
f3bfc96b843902ce14650bd70024d952291fac64 14-Apr-2016 Andy Hung <hunga@google.com> Unify dumped native stack traces

Bug: 28179196

Change-Id: I580f0ae2b3d86f9f124195271f6dbb6364e4fade
/system/sepolicy/system_server.te
75b25dd1d603e73bb213c1545dba981e0d9d8333 06-Apr-2016 Jeff Sharkey <jsharkey@android.com> Allow system_server to execute timeout.

We've seen evidence that the logcat binary can end up wedged, which
means we can eventually starve system_server for FDs. To mitigate
this, wrap logcat using the timeout utility to kill and clean up if
it takes too long to exit.

avc: denied { execute } for name="toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toybox" dev="mmcblk0p43" ino=457 scontext=u:r:system_server:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Bug: 27994717, 28021719, 28009200
Change-Id: I76d3c7fe5b37fb9a144a3e5dbcc9150dfea495ee
/system/sepolicy/system_server.te
b80bdef034b603efc7333f678b2cef2ce26273f6 05-Apr-2016 Daniel Rosenberg <drosen@google.com> Allow search/getattr access to media_rw_data_file for now.

With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b
/system/sepolicy/system_server.te
0b8a181ecdada662cf7f1345efe8d196616adebb 25-Mar-2016 Pierre Imai <imaipi@google.com> Merge "Remove references to deleted dhcpcd" into nyc-dev
98eff7c3d46abe2db996c0718b7386a3e368f344 24-Mar-2016 dcashman <dcashman@google.com> Move sysfs_thermal to global policy and grant access.

sysfs_thermal nodes are common enough to warrant an entry in global
policy and the new HardwarePropertiesManagerService exists explicitly to
expose some of this information.

Address the following denials:
avc: denied { search } for name="thermal" dev="sysfs" ino=17509 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=1
avc: denied { read } for name="temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1
avc: denied { getattr } for path="/sys/devices/virtual/thermal/thermal_zone8/temp" dev="sysfs" ino=17848 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=1

Bug: 27809332
Change-Id: I2dbc737971bf37d197adf0d5ff07cb611199300d
/system/sepolicy/system_server.te
c585995185eaedf5bb7ae38bc1fd9a084de0e809 23-Mar-2016 Pierre Imai <imaipi@google.com> Remove references to deleted dhcpcd

Change-Id: I0c0bce9cd50a25897f5c4521ee9b4fada6648a59
/system/sepolicy/system_server.te
cf8719e7bad53d6c38b2825b736c27c3f37dbf4e 22-Mar-2016 Daniel Rosenberg <drosen@google.com> Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
027ec20696a46ee9e5fd0d89a8d98a89ca916a2f 14-Mar-2016 dcashman <dcashman@google.com> Mark batteryproperties service as app_api_service.

Applications do not explicitly request handles to the batteryproperties
service, but the BatteryManager obtains a reference to it and uses it
for its underlying property queries. Mark it as an app_api_service so
that all applications may use this API. Also remove the batterypropreg
service label, as this does not appear to be used and may have been a
duplication of batteryproperties. As a result, remove the
healthd_service type and replace it with a more specific
batteryproperties_service type.

(cherry-picked from commit: 9ed71eff4bed91653cba393ea6cb42f041d4e257)

Bug: 27442760
Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
/system/sepolicy/system_server.te
ff2745064431351235367b1aeff586afdf3beae3 10-Mar-2016 Nick Kralevich <nnk@google.com> system_server: clean up duplicate permissions

Remove permissions which are already covered by other permissions.

Found by running:

sepolicy-analyze path/to/sepolicy dups

No functional change.

Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71
/system/sepolicy/system_server.te
33fe4784c35b1c33d470e9bdfdf7d0f865561947 25-Feb-2016 Oleksandr Peletskyi <peletskyi@google.com> Modified security policy to allow user to get their own icon.

BUG: 27583869
Change-Id: I0a25bd03f3998d48dba355b91140611e38ce7b0d
/system/sepolicy/system_server.te
085c16914cc27f8b23927ca5756f74239f102859 09-Mar-2016 Makoto Onuki <omakoto@google.com> Allow "shortcut manager" icons to be returned to apps

... and client apps to read them.

A full path looks like this:
/data/system_ce/[user-id]/shortcut_service/bitmaps/[creator-app-package]/[timestamp].png

System server will:
- Create/delete the directories.
- Write/remove PNG files in them.
- Open the PNG files and return file descriptors to client apps

Client apps will:
- Receive file descriptors and read from them.

Bug 27548047

Change-Id: I3d9ac6ab0c92b2953b84c3c5aabe1f653e6bea6b
/system/sepolicy/system_server.te
47fb4b9fc46fe2675b509874da340797fc43a947 02-Mar-2016 Daniel Rosenberg <drosen@google.com> sepolicy: Add policy for sdcardfs and configfs

Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
/system/sepolicy/system_server.te
423fd19d91259b19f3460eb4dd5ff9d63731429b 21-May-2015 Stephen Smalley <sds@tycho.nsa.gov> Update netlink socket classes.

Define new netlink socket security classes introduced by upstream kernel commit
6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket
classes"). This was merged in Linux 4.2 and is therefore only required
for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch
of the kernel/common tree).

Add the new socket classes to socket_class_set.
Add an initial set of allow rules although further refinement
will likely be necessary. Any allow rule previously written
on :netlink_socket may need to be rewritten or duplicated for
one or more of the more specific classes. For now, we retain
the existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

(cherry picked from commit 01d95c23ab8c14d72e4ce98b3dda64ce81ab6306)

Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
/system/sepolicy/system_server.te
acf4e099994e9dc11946e50f802e6470a18192cd 03-Mar-2016 Tao Bao <tbao@google.com> Merge "Add /dev/socket/uncrypt." into nyc-dev
c285cad1a6a52763c0faf2faa60a287341e23842 26-Feb-2016 Tao Bao <tbao@google.com> Add /dev/socket/uncrypt.

system_server used to communicate with uncrypt via files (e.g.
/cache/recovery/command and /cache/recovery/uncrypt_status). Since A/B
devices may not have /cache partitions anymore, we switch to communicating
via /dev/socket/uncrypt to allow things like factory reset to keep
working.

Bug: 27176738
Change-Id: I73b6d6f1ecdf16fd4f3600b5e524da06f35b5bca
/system/sepolicy/system_server.te
837bc42f5f52760c511140b5ae146898ea75cba8 23-Feb-2016 Calin Juravle <calin@google.com> Add SElinux policies to allow foreign dex usage tracking.

This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide which apk should be fully compiled instead of
profile-guided compiled.

Apps need only to be able to create (touch) files in this directory.
System server needs only to be able to check whether or not a file with a
given name exists.

Bug: 27334750
Bug: 26080105

Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
/system/sepolicy/system_server.te
6fb97cd5473192f4a24fb9c32d2a152482121365 23-Feb-2016 Jeff Sharkey <jsharkey@google.com> Merge "Offer to cache ringtones in system DE storage." into nyc-dev
62bb52c4d4cce270ef2743a557bfe179813dd928 23-Feb-2016 Jeff Sharkey <jsharkey@android.com> Offer to cache ringtones in system DE storage.

Ringtones often live on shared media, which is now encrypted with CE
keys and not available until after the user is unlocked. To improve
the user experience while locked, cache the default ringtone,
notification sound, and alarm sound in a DE storage area.

Also fix bug where wallpaper_file wasn't getting data_file_type.

Bug: 26730753
Change-Id: Ib1f08d03eb734c3dce91daab41601d3ed14f4f0d
/system/sepolicy/system_server.te
a92c7fe3fb6c0ce9060dbd66b4d52c51d410f663 23-Feb-2016 Lorenzo Colitti <lorenzo@google.com> Merge "Allow the framework to communicate with netd via a binder service" into nyc-dev
f40afcb1b487724f98e8e33997c11c6c3d4454aa 06-Feb-2016 Sami Tolvanen <samitolvanen@google.com> Allow logd.auditd to reboot to safe mode

Bug: 26902605
Change-Id: Ica825cf2af74f5624cf4091544bd24bb5482dbe7
(cherry picked from commit 9c168711d5f79642a5357cd4c58ad5e88a9795ba)
/system/sepolicy/system_server.te
24dcc8b1ce38079cba9c0266389f88699cae88c7 18-Feb-2016 Lorenzo Colitti <lorenzo@google.com> Allow the framework to communicate with netd via a binder service

This will allow us to provide a better interface between Java
services (e.g., ConnectivityService) and netd than the current
FrameworkListener / NativeDaemonConnector interface which uses
text strings over a Unix socket.

Bug: 27239233
Change-Id: If40582ae2820e54f1960556b7bf7e88d98c525af
/system/sepolicy/system_server.te
0d5bac13e1a98a942689f3b2183ed6f7ff66b976 12-Feb-2016 Jeff Tinker <jtinker@google.com> Add mediadrm service

Part of media security hardening

This is an intermediate step toward moving
mediadrm to a new service separate from mediaserver.
This first step allows mediadrmservice to run based
on the system property media.mediadrmservice.enable
so it can be selectively enabled on devices that
support using native_handles for secure buffers.

bug: 22990512
Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
/system/sepolicy/system_server.te
d2b36b2f3e90902bb16d1f6a825a4d5149666d4b 11-Feb-2016 Chien-Yu Chen <cychen@google.com> Merge "cameraserver: Build up least privileged policy" into nyc-dev
4541687be516e00492efe3e0ff906f14c8b48910 05-Feb-2016 Jeff Vander Stoep <jeffv@google.com> cameraserver: Build up least privileged policy

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215
/system/sepolicy/system_server.te
c3ba2e5130d28a0025f798f8b739ee86084fe9da 03-Feb-2016 Marco Nelissen <marcone@google.com> selinux rules for codec process

Bug: 22775369

Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
/system/sepolicy/system_server.te
fd5b74285020d26e5991d7640ac51373dddd371b 04-Feb-2016 Daichi Hirono <hirono@google.com> Merge "Fix SELinux warning when passing fuse FD from system server." am: 4c42a0dcc0
am: f9065c89e6

* commit 'f9065c89e6ac9cf601e1e580959b57a31cd256ca':
Fix SELinux warning when passing fuse FD from system server.
59e3d7b42dab41a42c37c84ec872a8584c4e7258 28-Jan-2016 Daichi Hirono <hirono@google.com> Fix SELinux warning when passing fuse FD from system server.

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd
/system/sepolicy/system_server.te
b8104a47dd361050c9ebadcbeabf515a29cf94e4 28-Jan-2016 Christopher Tate <ctate@google.com> Move staged backup content to a specific cache subdir

Also narrowly specify the domain for the local transport's bookkeeping.

Bug 26834865

Change-Id: I2eea8a10f29356ffecabd8e102f7afa90123c535
/system/sepolicy/system_server.te
b1bf83fd794c5863289edf459c8c05a906dac9f7 28-Jan-2016 Marco Nelissen <marcone@google.com> Revert "selinux rules for codec process"

This reverts commit 2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd.

Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
/system/sepolicy/system_server.te
e0378303b5ec8a4440fcdea38cca7ebf695dc2b3 04-Dec-2015 Chien-Yu Chen <cychen@google.com> selinux: Update policies for cameraserver

Update policies for cameraserver so it has the same permissions
as mediaserver.

Bug: 24511454
Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
/system/sepolicy/system_server.te
87a79cf9dd5e677b9ae51a4196dec27d480b9b69 27-Jan-2016 Marco Nelissen <marcone@google.com> Merge "selinux rules for codec process"
d35776053198e67ebdd65971623353038f10c893 26-Jan-2016 dcashman <dcashman@google.com> Add adbd socket perms to system_server. am: b037a6c94b
am: c37fa20383

* commit 'c37fa2038327c8879e297b6fa9b76ba45ddcf67c':
Add adbd socket perms to system_server.
b037a6c94b357c9a85d13dde548f5799c592c6ac 26-Jan-2016 dcashman <dcashman@google.com> Add adbd socket perms to system_server.

Commit 2fdeab3789ec6e5ec6f7424abf41a9aaa73564b0 added the ability to debug
over adbd for zygote-spawned apps, required by the removal of domain_deprecated
from untrusted_app. This functionality is a core debuggable component
of the android runtime, so it is needed by system_server as well.

Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a
/system/sepolicy/system_server.te
2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd 17-Dec-2015 Marco Nelissen <marcone@google.com> selinux rules for codec process

Bug: 22775369
Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
/system/sepolicy/system_server.te
cdf60cc67e90b8782367c03068f80fdfbd0dc3fe 19-Jan-2016 Rubin Xu <rubinxu@google.com> Merge "SELinux rule for ro.device_owner and persist.logd.security" am: 65d364b91a
am: 06322b1ec4

* commit '06322b1ec491428feb143c150daa95d68f921de2':
SELinux rule for ro.device_owner and persist.logd.security
0c8286fe74d878243e850b8c1ec50ea5312b1a48 04-Jan-2016 Rubin Xu <rubinxu@google.com> SELinux rule for ro.device_owner and persist.logd.security

They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will be available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePolicyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
/system/sepolicy/system_server.te
e97bd887ca353ae02dd1641687431786d7d60cd6 05-Jan-2016 Felipe Leme <felipeal@google.com> Creates a new permission for /cache/recovery am: 549ccf77e3
am: b16fc899d7

* commit 'b16fc899d718f91935932fb9b15de0a0b82835c8':
Creates a new permission for /cache/recovery
05e68e126917ef243a89844076000a4fac398381 05-Jan-2016 dcashman <dcashman@google.com> resolve merge conflicts of 8350a7f152 to master.

Change-Id: I80109bb0167f06a8d39d8b036b3c487ec2f06124
549ccf77e3fd23bb6c690da7023441c1007c4fd8 22-Dec-2015 Felipe Leme <felipeal@google.com> Creates a new permission for /cache/recovery

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
/system/sepolicy/system_server.te
36f255ff5209cb8b13217ec050d8def5472aed23 04-Jan-2016 dcashman <dcashman@google.com> Create sysfs_zram label.

Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0" dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
/system/sepolicy/system_server.te
6dde20ed4d92d0cdefba65f670d484aeec4b585f 24-Dec-2015 Daichi Hirono <hirono@google.com> Add new rules for appfuse. am: a20802ddb8
am: 0912601e89

* commit '0912601e897905549292c15445acbf1225938f3d':
Add new rules for appfuse.
a20802ddb87befbbd80d19e0a206aeb493528319 02-Dec-2015 Daichi Hirono <hirono@google.com> Add new rules for appfuse.

The new rules are used to allow mounting a FUSE file system for priv-app.

Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52
/system/sepolicy/system_server.te
47947857650535e8ab4f6b630f7af6e638b2d470 17-Dec-2015 Amith Yamasani <yamasani@google.com> Add policies for system_server to delete fpdata folder am: 107c55393c
am: 899a3e0fcc

* commit '899a3e0fcc78330bf1f9060c3e1d29ab4ebc10b0':
Add policies for system_server to delete fpdata folder
107c55393c680eb14d5dee11f060b943b8d2e9aa 16-Dec-2015 Amith Yamasani <yamasani@google.com> Add policies for system_server to delete fpdata folder

Bug: 26211308
Change-Id: I8fd2d14ea52d49a33e6cdbcdf90630eea89f7dd0
/system/sepolicy/system_server.te
b03831fe58be86cfd94c31b91def6ae53ebd614f 09-Sep-2015 Marco Nelissen <marcone@google.com> Add rules for running audio services in audioserver

audioserver has the same rules as mediaserver so there is
no loss of rights or permissions.

media.log moves to audioserver.

TBD: Pare down permissions.

Bug: 24511453
Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
/system/sepolicy/system_server.te
5e4e731626870b35b357bf81e2d4eb34bdaf08f4 01-Dec-2015 Vinit Deshpande <vinitd@google.com> Merge "Allow system_server access to system logs"
7ac66bb12d991ef01059ff5d3ffb6b0a7e91d70a 25-Nov-2015 Jeffrey Vander Stoep <jeffv@google.com> Merge "Populate autoplay_app with minimal set of permissions"
ae72bf241d4fb85685068950e3d4da5d7f4589e3 25-Nov-2015 Jeff Vander Stoep <jeffv@google.com> Populate autoplay_app with minimal set of permissions

Change-Id: Ia90fb531cfd99d49d179921f041dd93c7325ad50
/system/sepolicy/system_server.te
de7d39e435d71a586f7b444515b47675a2fe78b2 24-Nov-2015 Nick Kralevich <nnk@google.com> Add auditallow for bluetoothdomain rules am: cb835a2852 am: 4eee81382a
am: d798e1e503

* commit 'd798e1e50312e46517ce46474e553508bc0e1522':
Add auditallow for bluetoothdomain rules
cb835a2852997dde0be2941173f8c879ebbef157 24-Nov-2015 Nick Kralevich <nnk@google.com> Add auditallow for bluetoothdomain rules

Let's see if it's safe to get rid of them.

Bug: 25768265
Bug: 25767747
Change-Id: Iaf022b4dafe1cc9eab871c8d7ec5afd3cf20bf96
/system/sepolicy/system_server.te
55b9341fcd2722eec0c0795b998fd37d0aa24d13 20-Nov-2015 Nick Kralevich <nnk@google.com> system_server: allow restorecon /data/system/users/0/fpdata am: 4fd216060c am: a049bb302f
am: 7cb2197f9a

* commit '7cb2197f9a919ea67ee2b92f57b522d5a51134a2':
system_server: allow restorecon /data/system/users/0/fpdata
4fd216060ceb1353416d9398d30efbb5094dba9f 20-Nov-2015 Nick Kralevich <nnk@google.com> system_server: allow restorecon /data/system/users/0/fpdata

Addresses the following denial:

avc: denied { relabelfrom } for pid=9971 comm="system_server" name="fpdata" dev="dm-0" ino=678683 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Bug: 25801240
Change-Id: I043f48f410505acaee4bb97446945316f656a210
/system/sepolicy/system_server.te
71016f7cc8f595f69a7cd1b8cde4ffdbc2d26bd7 18-Nov-2015 Vinit Deshpande <vinitd@google.com> Allow system_server access to system logs

This is enabled for debugging purposes only. Since
kernel buffer for logs is small, this will allow
external services to capture a bit of data so it
can be reported later.

Change-Id: I588eb91159e6aad07ead9afab9759764b8b3520d
/system/sepolicy/system_server.te
e485606fba1f4a7f54a5390ed39a9738dc51c185 18-Nov-2015 Calin Juravle <calin@google.com> Remove handling of dalvik-cache/profiles am: 2469b32e15 am: b67f8d5c94
am: 278350f236

* commit '278350f2361d187021aa291ff363b66a02a3c557':
Remove handling of dalvik-cache/profiles
2469b32e15b569fabaeca066ce53b65fa0ee8995 04-Nov-2015 Calin Juravle <calin@google.com> Remove handling of dalvik-cache/profiles

Bug: 24698874
Bug: 17173268
Change-Id: I8c502ae6aad3cf3c13fae81722c367f45d70fb18
/system/sepolicy/system_server.te
4925574d9d0f5a870466a7df11e85c1ef1aa543e 11-Nov-2015 Calin Juravle <calin@google.com> resolve merge conflicts of 2c353c29e4 to master.

Change-Id: I2c5706b0064d099dc728c8032163d6fb1e686533
f255d775fceb18df08011f61560815cd1bfe47fd 10-Nov-2015 Calin Juravle <calin@google.com> Add SElinux rules for /data/misc/trace

The directory is to be used in eng/userdebug build to store method
traces (previously stored in /data/dalvik-cache/profiles).

Bug: 25612377

Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
/system/sepolicy/system_server.te
6f4a3ce0296e99fedd7cd38c5570af0fca9fbe19 07-Nov-2015 Nick Kralevich <nnk@google.com> system_server: clean up stale rules am: 142f97b758 am: 7de86e2c62
am: 22af8da991

* commit '22af8da991978be045d666e9d0e35c93f6a09d5a':
system_server: clean up stale rules
142f97b758c232ef0300578371152739d81408a3 07-Nov-2015 Nick Kralevich <nnk@google.com> system_server: clean up stale rules

979adffd45914bd7b357c404437c64bb59bec51a added an auditallow
to see if system_server was relabeling system_data_file.
The auditallow rule hasn't triggered, so remove the allow rule.

a3c97a7660bae649674e717bf7a9593f0d8370d7 added an auditallow
to see if system_server was executing toolbox. The auditallow
rule hasn't triggered, so remove the allow rule. AFAIK,
system_server never executes ANY file, so further tightening here
is feasible.

Change-Id: Ia0a93f3833e32c3e2c898463bd8813701a6dd20a
/system/sepolicy/system_server.te
d20a46ef175079d210da8320d8c8ce32cbe8207f 04-Nov-2015 Jeff Vander Stoep <jeffv@google.com> Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd
am: b476b95488

* commit 'b476b954882a48bf2c27da0227209c197dcfb666':
Create attribute for moving perms out of domain
d22987b4daf02a8dae5bb10119d9ec5ec9f637cf 03-Nov-2015 Jeff Vander Stoep <jeffv@google.com> Create attribute for moving perms out of domain

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
/system/sepolicy/system_server.te
0f754edf7b72582ed28d062a9c8f1b911d57a6f3 22-Sep-2015 Marco Nelissen <marcone@google.com> Update selinux policies for mediaextractor process

Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
/system/sepolicy/system_server.te
6ea1cc2f56a04731574ea991cb0650ee624d73be 14-Oct-2015 Nick Kralevich <nnk@google.com> am 56c91f70: am 82bdd796: system_server: (eng builds) remove JIT capabilities

* commit '56c91f70b22cf3c5b00278d93cb8b2581684146c':
system_server: (eng builds) remove JIT capabilities
82bdd796e1265bd0e4b0497e9bed1d0cafc9883b 14-Oct-2015 Nick Kralevich <nnk@google.com> system_server: (eng builds) remove JIT capabilities

23cde8776b94ff2228f3a8d845d41052af52319e removed JIT capabilities
from system_server for user and userdebug builds. Remove the capability
from eng builds to be consistent across build types.

Add a neverallow rule (compile time assertion + CTS test) to verify
this doesn't regress on our devices or partner devices.

Bug: 23468805
Bug: 24915206
Change-Id: Ib2154255c611b8812aa1092631a89bc59a27514b
/system/sepolicy/system_server.te
45c2fd690d09f89f58dda7f3ba42f57a865f6f27 09-Sep-2015 Lorenzo Colitti <lorenzo@google.com> am e3298a7a: am e24aab28: am c3712143: Allow system_server to bind ping sockets.

* commit 'e3298a7af681ab4f3fc647d58516cb0d19a1d3d6':
Allow system_server to bind ping sockets.
e24aab286a6464904d6688f107c1086e93523fda 09-Sep-2015 Lorenzo Colitti <lorenzo@google.com> am c3712143: Allow system_server to bind ping sockets.

* commit 'c37121436be95ae2ed75cb83605940455446ef4e':
Allow system_server to bind ping sockets.
c37121436be95ae2ed75cb83605940455446ef4e 09-Sep-2015 Lorenzo Colitti <lorenzo@google.com> Allow system_server to bind ping sockets.

This allows NetworkDiagnostics to send ping packets from specific
source addresses in order to detect reachability problems on the
reverse path.

This addresses the following denial:

[ 209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0

Bug: 23661687
Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2
/system/sepolicy/system_server.te
2af091641f5aaf1a4b2ffe36392a7ddbc06c40dd 02-Sep-2015 Jeff Vander Stoep <jeffv@google.com> am 1c4e3cb2: am a3aa1db3: am 0243e5cf: system_server.te: remove policy load permissions

* commit '1c4e3cb2c4f0cc3b3703228f6afb4f00ce16a6d3':
system_server.te: remove policy load permissions
a3aa1db39ce6aad0c43d0854c8a138e6350809f1 02-Sep-2015 Jeff Vander Stoep <jeffv@google.com> am 0243e5cf: system_server.te: remove policy load permissions

* commit '0243e5cf4f8898b7acedc24efd58fdcd163e3048':
system_server.te: remove policy load permissions
0243e5cf4f8898b7acedc24efd58fdcd163e3048 02-Sep-2015 Jeff Vander Stoep <jeffv@google.com> system_server.te: remove policy load permissions

Remove system server's permission to dynamically update SELinux
policy on the device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
* https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: I3c64d64359060561102e1587531836b69cfeef00
/system/sepolicy/system_server.te
206dea92b9ba01b4deb18fba5f7024845f04ccd5 26-Aug-2015 Nick Kralevich <nnk@google.com> am c2a138f6: am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed."

* commit 'c2a138f657649f030068e60fd1009666ff560f02':
Only allow toolbox exec where /system exec was already allowed.
c2a138f657649f030068e60fd1009666ff560f02 26-Aug-2015 Nick Kralevich <nnk@google.com> am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed."

* commit '7af012fc94a34dd42e72d32c246a47140ec2861a':
Only allow toolbox exec where /system exec was already allowed.
b08688628c11dbd548dc2d917d36484407767f2c 26-Aug-2015 Nick Kralevich <nnk@google.com> am 7af012fc: Merge "Only allow toolbox exec where /system exec was already allowed."

* commit '7af012fc94a34dd42e72d32c246a47140ec2861a':
Only allow toolbox exec where /system exec was already allowed.
a3c97a7660bae649674e717bf7a9593f0d8370d7 25-Aug-2015 Stephen Smalley <sds@tycho.nsa.gov> Only allow toolbox exec where /system exec was already allowed.

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain. Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
ba5a9f13dfeaf0a94b9d3aa630aee75627d1108d 25-Aug-2015 Nick Kralevich <nnk@google.com> am a847ab53: am 48d98e35: Merge "system_server: remove old dalvik JIT rules on user/userdebug builds"

* commit 'a847ab538e158e13be41331c98421faf6ce77ea2':
system_server: remove old dalvik JIT rules on user/userdebug builds
a847ab538e158e13be41331c98421faf6ce77ea2 25-Aug-2015 Nick Kralevich <nnk@google.com> am 48d98e35: Merge "system_server: remove old dalvik JIT rules on user/userdebug builds"

* commit '48d98e35419f74fe515ec560277726081c2fd0e3':
system_server: remove old dalvik JIT rules on user/userdebug builds
e9ac2d6d5dc7a0b7ee63f1003e5508fc91ec052e 25-Aug-2015 Nick Kralevich <nnk@google.com> am 48d98e35: Merge "system_server: remove old dalvik JIT rules on user/userdebug builds"

* commit '48d98e35419f74fe515ec560277726081c2fd0e3':
system_server: remove old dalvik JIT rules on user/userdebug builds
23cde8776b94ff2228f3a8d845d41052af52319e 22-Aug-2015 Nick Kralevich <nnk@google.com> system_server: remove old dalvik JIT rules on user/userdebug builds

On user and userdebug builds, system_server only loads executable
content from /data/dalvik_cache and /system. JITing for system_server
is only supported on eng builds. Remove the rules for user and
userdebug builds.

Going forward, the plan of record is that system_server will never
use JIT functionality, instead using dex2oat or interpreted mode.

Inspired by https://android-review.googlesource.com/98944

Change-Id: I54515acaae4792085869b89f0d21b87c66137510
/system/sepolicy/system_server.te
fa72e49841bef39f13d0be53bdd0c5814e14e771 22-Aug-2015 Nick Kralevich <nnk@google.com> am 9ee2b23f: am acfd140c: Merge "eliminate some anr_data_file permissions."

* commit '9ee2b23fba0de96c21ff1cd9fc3c3a20f3cd51d1':
eliminate some anr_data_file permissions.
9ee2b23fba0de96c21ff1cd9fc3c3a20f3cd51d1 22-Aug-2015 Nick Kralevich <nnk@google.com> am acfd140c: Merge "eliminate some anr_data_file permissions."

* commit 'acfd140c045d0bd295389a508ef6952acefb91fc':
eliminate some anr_data_file permissions.
4734a636d31a02a2c70d179d8142a78d54e5782e 22-Aug-2015 Nick Kralevich <nnk@google.com> am acfd140c: Merge "eliminate some anr_data_file permissions."

* commit 'acfd140c045d0bd295389a508ef6952acefb91fc':
eliminate some anr_data_file permissions.
979adffd45914bd7b357c404437c64bb59bec51a 13-Aug-2015 Nick Kralevich <nnk@google.com> eliminate some anr_data_file permissions.

Init is now responsible for creating /data/anr, so it's
unnecessary to grant system_server and dumpstate permissions
to relabel this directory. Remove the excess permissions.

Leave system_data_file relabelfrom, since it's possible we're
still using it somewhere.

See commits:
https://android-review.googlesource.com/161650
https://android-review.googlesource.com/161477
https://android-review.googlesource.com/161638

Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
/system/sepolicy/system_server.te
1c5dca43b8b78d64f28ad58505262f39f8b50be0 29-Jul-2015 Jeffrey Vander Stoep <jeffv@google.com> am 278658c2: am 6f7de297: Merge "Do not allow apps to access network address file"

* commit '278658c2d8a80cf15ca016affbecf17297a234d6':
Do not allow apps to access network address file
cd68c3a84eaa019434d0adebef0bc46b585e9d02 29-Jul-2015 Jeffrey Vander Stoep <jeffv@google.com> am 6f7de297: Merge "Do not allow apps to access network address file"

* commit '6f7de297b3e67942cdc525b6f626a811ddf5132e':
Do not allow apps to access network address file
278658c2d8a80cf15ca016affbecf17297a234d6 29-Jul-2015 Jeffrey Vander Stoep <jeffv@google.com> am 6f7de297: Merge "Do not allow apps to access network address file"

* commit '6f7de297b3e67942cdc525b6f626a811ddf5132e':
Do not allow apps to access network address file
e45cad770c6ffcc46ca834320d7892d744d0693b 24-Jul-2015 Jeff Vander Stoep <jeffv@google.com> Do not allow apps to access network address file

Bug: 18068520
Bug: 21852542
Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049
/system/sepolicy/system_server.te
3638c1b4e73ec51d0ef920d598a2e89e821e04e3 24-Jul-2015 Jeff Vander Stoep <jeffv@google.com> Do not allow apps to access network address file

Bug: 18068520
Bug: 21852542
Change-Id: I080547c61cbaacb18e003a9b2366e2392a6521ff
/system/sepolicy/system_server.te
75d095a2144a7c365efc35961611e4ccc189ce2c 09-Jul-2015 William Roberts <william.c.roberts@intel.com> am 7028bdcc: neverallow: domain execute data_file_type

* commit '7028bdccd5b3e91928d345990587738212973f1d':
neverallow: domain execute data_file_type
ab7764bf821ac0c6409b285cf11d85ce5f538a71 09-Jul-2015 William Roberts <william.c.roberts@intel.com> am 7028bdcc: neverallow: domain execute data_file_type

* commit '7028bdccd5b3e91928d345990587738212973f1d':
neverallow: domain execute data_file_type
7028bdccd5b3e91928d345990587738212973f1d 22-Jun-2015 William Roberts <william.c.roberts@intel.com> neverallow: domain execute data_file_type

To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, execute
on data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <william.c.roberts@intel.com>
/system/sepolicy/system_server.te
51b33ac90b9049db6c3d257c83006c33f677750a 21-May-2015 Tao Bao <tbao@google.com> Allow system server and uncrypt to operate pipe file

System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
(cherry picked from commit 70c6dbf06cb06fc46d5143557ea960392849106d)
Change-Id: I4ddc523c2a0f4218877dae8f8a9b7fcf3f786625
/system/sepolicy/system_server.te
01898ea4aa2dbd676c2c20a796251285a1671a96 04-Jun-2015 Narayan Kamath <narayan@google.com> Revert "Allow system_server to link,relabel and create_dir dalvikcache_data_file."

This reverts commit e929ad8b524a7e444008b657adaafff97b5dea79.

bug: 20889739
Change-Id: I6729f4e26041b481f2442a2d8c3dfb42e2d4144a
/system/sepolicy/system_server.te
41f233f4658f20ac36845ed262bfeb8a7a9eea45 14-May-2015 Narayan Kamath <narayan@google.com> Allow system_server to link,relabel and create_dir dalvikcache_data_file.

Required by the installation flow for split APKs.

bug: 20889739

Change-Id: I3e14335f3bcfe76d1d24d233f53a728a6d90e8a1
/system/sepolicy/system_server.te
12e8b61bc08da1482a9309e8b2dc1a0670671445 28-May-2015 Tao Bao <tbao@google.com> Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
70c6dbf06cb06fc46d5143557ea960392849106d 21-May-2015 Tao Bao <tbao@google.com> Allow system server and uncrypt to operate pipe file

System server and uncrypt need to communicate with a named pipe on the
/cache partition. It will be created and deleted by system server.

Bug: 20012567
Bug: 20949086
Change-Id: I9494a67016c23294e803ca39d377ec321537bca0
/system/sepolicy/system_server.te
83554d2c923b17b6d5ee811c278e2ab0bb65579d 22-May-2015 Jim Miller <jaggies@google.com> Merge "Selinux: Allow system_server to create fpdata dir." into mnc-dev
a39b131e9db1fed7e5ce90174f19515f465c8739 22-May-2015 Jim Miller <jaggies@google.com> Selinux: Allow system_server to create fpdata dir.

Fixes avc errors:
avc: denied { relabelto } for name="fpdata" dev="mmcblk0p28" ino=586465 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0
avc: denied { read } for name="fpdata" dev="mmcblk0p28" ino=586409 scontext=u:r:system_server:s0 tcontext=u:object_r:fingerprintd_data_file:s0 tclass=dir permissive=0

Change-Id: I3ba16af14632d803e09ac1490af9a0b652cba3a6
/system/sepolicy/system_server.te
b3df4389f31b5ae206fc2c1f50f1efe4de1bcf75 21-May-2015 Chad Brubaker <cbrubaker@google.com> Merge "Rename keystore methods and delete unused permissions" into mnc-dev
264eb6566ae75ba1ae37835f0ba83f951550fe85 13-May-2015 Jim Miller <jaggies@google.com> Add selinux policy for fingerprintd

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
/system/sepolicy/system_server.te
807d8d0249f196e172f30b96b48699e3b10a3866 18-May-2015 dcashman <dcashman@google.com> Label /dev/rtc0 as rtc_device.

Grant access to system_server, as it is used by AlarmManagerService.

(cherry-pick of c7594898dbce021677e6444eb855eb591df1097b)

Change-Id: I8b5795cb4739bb7fb6b2673d0b1b12be40db7a7f
/system/sepolicy/system_server.te
c7594898dbce021677e6444eb855eb591df1097b 18-May-2015 dcashman <dcashman@google.com> Label /dev/rtc0 as rtc_device.

Grant access to system_server, as it is used by AlarmManagerService.

Change-Id: I4f099fe30ba206db07d636dd454d43d3df9d3015
/system/sepolicy/system_server.te
eaa1a1e975627a00b09a84810d0aa77cfde1edd2 13-May-2015 Chad Brubaker <cbrubaker@google.com> Rename keystore methods and delete unused permissions

Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

(cherry-picked from commit cbc8f796551151c0d9651500d5d9f116177a07dc)

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
/system/sepolicy/system_server.te
77a824600bfe80abccc9fdcab8d1566380b43ce4 12-May-2015 Chad Brubaker <cbrubaker@google.com> Add keystore user_changed permission

user_changed will be used for state change methods around android user
creation/deletion.

(cherry-picked from commit 520bb816b86fe36440767db6e2f05fb4e8a08f3e)

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
/system/sepolicy/system_server.te
cbc8f796551151c0d9651500d5d9f116177a07dc 13-May-2015 Chad Brubaker <cbrubaker@google.com> Rename keystore methods and delete unused permissions

Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
/system/sepolicy/system_server.te
3526a6696fdc2b7d3b7a8fe452ce8b287160c42b 13-May-2015 Adam Lesinski <adamlesinski@google.com> Allow system_server to read/write /proc/uid_cputime/ module

Bug: 20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
/system/sepolicy/system_server.te
520bb816b86fe36440767db6e2f05fb4e8a08f3e 12-May-2015 Chad Brubaker <cbrubaker@google.com> Add keystore user_changed permission

user_changed will be used for state change methods around android user
creation/deletion.

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
/system/sepolicy/system_server.te
2f5a6a96bdc284dc070a2c222243dd8e19edb9ef 05-May-2015 William Roberts <william.c.roberts@linux.intel.com> Replace unix_socket_connect() and explicit property sets with macro

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macro:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
/system/sepolicy/system_server.te
625a3526f1ebaaa014bb563239cc33829f616232 05-May-2015 William Roberts <william.c.roberts@linux.intel.com> Replace unix_socket_connect() and explicit property sets with macro

A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macro:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
/system/sepolicy/system_server.te
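The three hand-written rules that the set_prop() macro described above replaces, beside the single macro call, as an added illustration (this is not code from the commit; the property type name example_prop is hypothetical, and the macro body shown is an assumed expansion to be checked against the tree's own te_macros):

```m4
# Added illustration, not part of the commit. Assumes a hypothetical
# property type `example_prop` declared elsewhere in policy, e.g.:
#   type example_prop, property_type;

# Assumed expansion of set_prop(), written in the te_macros style.
# Steps 1 and 2 come from unix_socket_connect(); step 3 is the
# property_service set that authors previously had to add by hand.
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
define(`set_prop', `
unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
')

# Before: the three steps listed in the commit message, spelled out.
# 1. unix domain connection to init's property service
allow system_server init:unix_stream_socket connectto;
# 2. write on the property_socket file the service listens on
allow system_server property_socket:sock_file write;
# 3. the set on class property_service (the step most often forgotten)
allow system_server example_prop:property_service set;

# After: one macro call that expands to exactly the three rules above,
# so sediff between the two forms is empty.
set_prop(system_server, example_prop)
```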
1301f2b64b91507c6599a8d31fdfd1731aee8a63 10-Apr-2015 Nick Kralevich <nnk@google.com> am 2a7a4037: am 2234f9ff: gatekeeperd: neverallow non-system_server binder call

* commit '2a7a403724370ebe16f05602685a654ca4448d59':
gatekeeperd: neverallow non-system_server binder call
2234f9ff579f9e928d868372f5bd7499e2da7bd1 09-Apr-2015 Nick Kralevich <nnk@google.com> gatekeeperd: neverallow non-system_server binder call

The current neverallow rule (compile time assertion)

neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
is allowed to make binder calls to gatekeeperd. Even if another process
were to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

* all app processes
* dumpstate
* system_server
* mediaserver
* surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
/system/sepolicy/system_server.te
710c5a2af915c5638a758c083f1295b916239728 09-Apr-2015 dcashman <dcashman@google.com> am 29f90b1e: am 7f2bb0c1: Merge "Enforce more specific service access."

* commit '29f90b1eb7376b39d94cd5d981a15ff8317a5cdb':
Enforce more specific service access.
bd7f5803f924b0ca318c1d426b683c3f658754f9 09-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/system/sepolicy/system_server.te
2686b6ab808e3c8e26beec9cb40c54655daaf142 09-Apr-2015 dcashman <dcashman@google.com> am 18867dbb: am 03a6f64f: Enforce more specific service access.

* commit '18867dbb42f128db00f6c8ee4f05fd098d9eaaa4':
Enforce more specific service access.
746a73c41b19ec6318d565e3f177b1cd00941816 09-Apr-2015 Nick Kralevich <nnk@google.com> am 2a762352: am 9bef2502: system_server: support hard linking for split APKs

* commit '2a762352f34f147cdb83e34bf3591e48a9378425':
system_server: support hard linking for split APKs
03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 08-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
/system/sepolicy/system_server.te
9bef25026b43ccfb656a3a53b74a787ca3376227 08-Apr-2015 Nick Kralevich <nnk@google.com> system_server: support hard linking for split APKs

Commit 85ce2c706e95f96c95b3af418b7bda0bfe9918f4 removed hard link
support from create_file_perms, but system_server requires hard
link support for split APKs. Allow it.

Addresses the following denial:

audit(0.0:152): avc: denied { link } for name="base.apk" dev="dm-0" ino=816009 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0

Steps to reproduce:
1) Find the directory "hellogoogle3.splitapk"
2) adb install-multiple -r hellogoogle3_incremental.apk
3) adb install-multiple -r -p com.google.android.samples.hellogoogle3 native.apk

Expected:
2nd APK installs successfully.

Actual:
2nd APK fails to install.

Change-Id: Ib69fc70dd1c7cd158590db3fd117d6b05acf1cf7
/system/sepolicy/system_server.te
d20c61af723ae194a2c47ac5a03ec607438e5c66 08-Apr-2015 Nick Kralevich <nnk@google.com> am 63b07909: am 8a06c077: Allow system_server to collect app heapdumps (debug builds only)

* commit '63b0790965be39da4ee1aee13ae1ab029d6d02ae':
Allow system_server to collect app heapdumps (debug builds only)
5fd66b3cb84aa88df58ce60bc7d2a2880d0a5674 08-Apr-2015 dcashman <dcashman@google.com> am 0bc36ada: am 91b7c67d: Enforce more specific service access.

* commit '0bc36adada7421b0e8ec05565617b7a8a6cef794':
Enforce more specific service access.
6e4143558793ae063c1b205f33c788f8ea2ec4f4 08-Apr-2015 dcashman <dcashman@google.com> am b1a13728: am 3cc6fc5f: Enforce more specific service access.

* commit 'b1a137280e6e8f282469f91b0f58df6c95919d18':
Enforce more specific service access.
8a06c07724ad538d6c2f1d703fec88929c118894 08-Apr-2015 Nick Kralevich <nnk@google.com> Allow system_server to collect app heapdumps (debug builds only)

On debuggable builds, system_server can request app heap dumps
by running something similar to the following commands:

% adb shell am set-watch-heap com.android.systemui 1048576
% adb shell dumpsys procstats --start-testing

which will dump the app's heap to /data/system/heapdump. See
framework/base commit b9a5e4ad30c9add140fd13491419ae66e947809d.

Allow this behavior.

Addresses the following denial:

avc: denied { write } for path="/data/system/heapdump/javaheap.bin" dev="dm-0" ino=150747 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0

Bug: 20073185
Change-Id: I4b925033a5456867caf2697de6c2d683d0743540
/system/sepolicy/system_server.te
91b7c67d1647b2a88b1547cc57b69fc685bbac18 08-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
/system/sepolicy/system_server.te
3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 07-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
/system/sepolicy/system_server.te
8a439726b9d61cef77c7e3858eee0f28ddc1d766 07-Apr-2015 Fyodor Kupolov <fkupolov@google.com> am 26ef3bbc: am 3af8c9d0: Allow system_server to read oat dir

* commit '26ef3bbc8759fb67ad5a71facfdf4f5611621f84':
Allow system_server to read oat dir
d0c06a7051f3199e95bc27d2058b864eb2e6ac27 07-Apr-2015 dcashman <dcashman@google.com> am 86501cde: am d4c78f4b: Enforce more specific service access.

* commit '86501cde107f4208b2afb82f2e21647dab70e4ef':
Enforce more specific service access.
3af8c9d0ef0e4385f69a1a50dd04a010a76c6b19 07-Apr-2015 Fyodor Kupolov <fkupolov@google.com> Allow system_server to read oat dir

Required for PackageManagerService to perform restorecon recursively on a
staging dir.

Addresses the following denial:
avc: denied { open } for name="oat" dev="mmcblk0p28" ino=163027 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir

Bug: 19550105
Bug: 20087446
Change-Id: I0f6ebb79745091ecb4d6d3dbe92f65606b7469da
/system/sepolicy/system_server.te
d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 07-Apr-2015 dcashman <dcashman@google.com> Enforce more specific service access.

Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
/system/sepolicy/system_server.te
abef255597c0bd45b41832acdd9cb4dde383cd49 07-Apr-2015 Jeff Sharkey <jsharkey@android.com> am 8a6ac553: am 73d9c2a9: Initial policy for expanded storage.

* commit '8a6ac553b5f64f002177790823d0e15e8ff74030':
Initial policy for expanded storage.
73d9c2a97b232389ab1dd179ac72c2fbefc5482b 07-Apr-2015 Jeff Sharkey <jsharkey@android.com> Initial policy for expanded storage.

Expanded storage supports a subset of the features of the internal
data partition. Mirror that policy for consistency. vold is also
granted enough permissions to prepare initial directories.

avc: denied { write } for name="ext" dev="tmpfs" ino=3130 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { add_name } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { create } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1
avc: denied { mounton } for path="/mnt/ext/57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=7243 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { getattr } for path="/mnt/ext" dev="tmpfs" ino=3130 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_ext_file:s0 tclass=dir permissive=1

avc: denied { setattr } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=4471 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1
avc: denied { getattr } for path="/mnt/expand/57f8f4bc-abf4-655f-bf67-946fc0f9f25b/media" dev="dm-0" ino=145153 scontext=u:r:vold:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1

avc: denied { rmdir } for name="57f8f4bc-abf4-655f-bf67-946fc0f9f25b" dev="tmpfs" ino=6380 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=1

avc: denied { create } for name="tmp" scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1
avc: denied { setattr } for name="tmp" dev="dm-0" ino=72578 scontext=u:r:vold:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1

Bug: 19993667
Change-Id: I73c98b36e7c066f21650a9e16ea82c5a0ef3d6c5
/system/sepolicy/system_server.te
151a02a9bc4a9ce22bed2bc4310bb91a986c564f 07-Apr-2015 Andres Morales <anmorales@google.com> am 258ea8ed: am e207986e: SELinux permissions for gatekeeper TEE proxy

* commit '258ea8ed2e199855b4384ce11d7861fb7ae84683':
SELinux permissions for gatekeeper TEE proxy
e207986ea08feebd04f32cd2beff0b1602d08074 04-Apr-2015 Andres Morales <anmorales@google.com> SELinux permissions for gatekeeper TEE proxy

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
/system/sepolicy/system_server.te
593c1dbd03c03e181b6e306d954295b86969b12e 07-Apr-2015 dcashman <dcashman@google.com> am 2e45bba5: am 4cdea7fc: Assign app_api_service attribute to services.

* commit '2e45bba5a89348febd99ce0e820a3d4f4f4f5a58':
Assign app_api_service attribute to services.
4cdea7fc40ea29c8cf4134a71b67808d143ec9dc 04-Apr-2015 dcashman <dcashman@google.com> Assign app_api_service attribute to services.

Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
/system/sepolicy/system_server.te
ad5720c3e5430c61733e2bd6a6ae48d9769fc34f 04-Apr-2015 dcashman <dcashman@google.com> am b40dd46a: am b075338d: Assign app_api_service attribute to services.

* commit 'b40dd46a6b9dd60817a178ae929566ca471dcd8a':
Assign app_api_service attribute to services.
b075338d0e335eb2dbd786ae4f8e033e78eeca37 03-Apr-2015 dcashman <dcashman@google.com> Assign app_api_service attribute to services.

Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
/system/sepolicy/system_server.te
117ba9e2f92e63b5167c60d8dbfc0c84cdb8edfc 02-Apr-2015 dcashman <dcashman@google.com> am e83172c5: am 1598b52b: Merge "Remove obsolete system_server auditallow logging."

* commit 'e83172c5731a7d9272a3ef0e11c72673134f192b':
Remove obsolete system_server auditallow logging.
73c06a9b009fd4e0b166c334f1c016cf70bd0c1c 02-Apr-2015 dcashman <dcashman@google.com> am c8197153: am 59abf4cc: Merge "Record observed service accesses."

* commit 'c819715336f06f11b50af521d56998da9e9000de':
Record observed service accesses.
513d77b5cb976af0052b0e152cddf0ccb001d9f2 01-Apr-2015 dcashman <dcashman@google.com> Remove obsolete system_server auditallow logging.

system_server no longer has universal service_manager_type permissions and so no
longer needs the auditallow rules therewith associated.

Change-Id: I1e6584c120f6fc464a4bf6b377d9d7ea90441477
/system/sepolicy/system_server.te
8af4e9cb0032244b0a356eb236ea97379956fa52 01-Apr-2015 dcashman <dcashman@google.com> Record observed service accesses.

Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
/system/sepolicy/system_server.te
6cc74a4745acb6cd67fd141e9c66cd9288442729 01-Apr-2015 Chad Brubaker <cbrubaker@google.com> am 0a913546: am 66cc49c1: Merge "Add keystore add_auth"

* commit '0a913546f605fd04824750997996b492643fbe22':
Add keystore add_auth
8927772caa421f1c9ccc80337527e039353d65dd 31-Mar-2015 Chad Brubaker <cbrubaker@google.com> Add keystore add_auth

This is for the new addAuthToken keystore method from
I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to
authorize keymaster operations. The tokens are HMAC'd and so shouldn't
be fakeable but this is still limited to system_server only.

Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
/system/sepolicy/system_server.te
cab251ed1e4dc37bd824aa33d6a7e1ad1103f823 31-Mar-2015 Jeff Sharkey <jsharkey@android.com> am 8d6a1000: am f063f461: Updated policy for external storage.

* commit '8d6a100067affcea330e97b2294960d32b94ae3d':
Updated policy for external storage.
f063f461a9e5b6049f3516e48806b6a87848ac1a 27-Mar-2015 Jeff Sharkey <jsharkey@android.com> Updated policy for external storage.

An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.

This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.

For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.

Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.

Here are the relevant violations that this CL is designed to allow:

avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd

Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
/system/sepolicy/system_server.te
08c224f597771048b13ab05b5c980b9af28d5d72 30-Mar-2015 John Reck <jreck@google.com> am a8c74889: am ec4008ec: Merge "Add graphicsstats service"

* commit 'a8c74889a0349cc896c41fdd360e4661ff0cb742':
Add graphicsstats service
e8064afb5e8adc96d1becc7b31a8a92f77e284d9 23-Mar-2015 John Reck <jreck@google.com> Add graphicsstats service

Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
/system/sepolicy/system_server.te
323d741f1c6c68f7274f007a8480d687af5b9737 14-Mar-2015 Nick Kralevich <nnk@google.com> am a5649f32: am 6ece49c3: Merge "Revert "allow system_server to set kernel scheduling priority""

* commit 'a5649f328a0ccf6edf746be3750563e2d3646442':
Revert "allow system_server to set kernel scheduling priority"
39f082f8826ec781c98c2ee89a8db6ab403093f0 13-Mar-2015 Nick Kralevich <nnk@google.com> am b9d7c2c6: am 5434a8a9: Merge "system_server: neverallow blk_file read/write"

* commit 'b9d7c2c650805850370b4c40613d624afcfb485b':
system_server: neverallow blk_file read/write
cd14eb443e18d94f3248da77089155c888d8720e 12-Mar-2015 Nick Kralevich <nnk@google.com> Revert "allow system_server to set kernel scheduling priority"

Periodically, SELinux denials of the form:

type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

are being generated. These denials come from system_server and other
processes. There's no reason why system_server should be calling
sched_setscheduler() on a kernel thread.

Current belief is that these SELinux denials are a bug in the kernel,
and are being inappropriately triggered.

Revert 2d1650f4075db4f4f458de4c1a4cb5869c44b936. The original reason
for accepting this change was to see if it would fix bug 18085992.
Unfortunately, even after the commit, the bug was still present.
The change had no impact on the bug.

Don't inappropriately grant system_server the ability to manipulate
the scheduling priority of kernel threads.

This reverts commit 2d1650f4075db4f4f458de4c1a4cb5869c44b936.

Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8
/system/sepolicy/system_server.te
3e1a7a4c4f9af3c284e680ead43d2fc96b1e674e 12-Mar-2015 Nick Kralevich <nnk@google.com> am cbfe9d57: am c01f7fd1: system_server: remove appdomain:file write

* commit 'cbfe9d5733c0f52449e81cc450a3a7edd93db9f4':
system_server: remove appdomain:file write
acc0842c4bed8690fe29858070215d7a74f4a44b 11-Mar-2015 Nick Kralevich <nnk@google.com> system_server: neverallow blk_file read/write

With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly manipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
/system/sepolicy/system_server.te
c01f7fd1c1569a0649703d24747ad1ddd857bc93 10-Mar-2015 Nick Kralevich <nnk@google.com> system_server: remove appdomain:file write

system_server no longer writes to /proc/pid/oom_adj_score. This is
handled exclusively by lmkd now.

See the following commits:

Kernel 3.18:
* https://android-review.googlesource.com/139083
* https://android-review.googlesource.com/139082

Kernel 3.14:
* https://android-review.googlesource.com/139081
* https://android-review.googlesource.com/139080

Kernel 3.10:
* https://android-review.googlesource.com/139071
* https://android-review.googlesource.com/139671

Kernel 3.4:
* https://android-review.googlesource.com/139061
* https://android-review.googlesource.com/139060

Bug: 19636629
Change-Id: Ib79081365bcce4aa1190de037861a87b55c15db9
/system/sepolicy/system_server.te
7b2d879b33e7a660fb59e36c94f71dd430216239 10-Mar-2015 dcashman <dcashman@google.com> am 1193bdf4: am 6843a793: am 8f81dcad: Only allow system_server to send commands to zygote.

* commit '1193bdf4ae1498581b4d5c3e964db963e79622dc':
Only allow system_server to send commands to zygote.
6843a7932a9b48a549143b5ad8bf79659ebeb328 09-Mar-2015 dcashman <dcashman@google.com> am 8f81dcad: Only allow system_server to send commands to zygote.

* commit '8f81dcad5bb322a75bc61c8b42f8287e2afeaddc':
Only allow system_server to send commands to zygote.
8f81dcad5bb322a75bc61c8b42f8287e2afeaddc 09-Mar-2015 dcashman <dcashman@google.com> Only allow system_server to send commands to zygote.

Add neverallow rules to ensure that zygote commands are only taken from
system_server.

Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279

Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
/system/sepolicy/system_server.te
c2b3ff7f7f740fbb8fccf167960dadbb0c2266fa 09-Mar-2015 Nick Kralevich <nnk@google.com> am 3e616ee8: am b41eb698: am 0560e75e: system_server: allow handling app generated unix_stream_sockets

* commit '3e616ee8982251921da22c0ea0f9afaf45212374':
system_server: allow handling app generated unix_stream_sockets
b41eb698ee1bf2f3cf52f23161226475fe6ffff0 09-Mar-2015 Nick Kralevich <nnk@google.com> am 0560e75e: system_server: allow handling app generated unix_stream_sockets

* commit '0560e75e4f03e4637637de8512a4718fe7870df8':
system_server: allow handling app generated unix_stream_sockets
0560e75e4f03e4637637de8512a4718fe7870df8 09-Mar-2015 Nick Kralevich <nnk@google.com> system_server: allow handling app generated unix_stream_sockets

Allow system server to handle already open app unix_stream_sockets.
This is needed to support system_server receiving a socket
created using socketpair(AF_UNIX, SOCK_STREAM) and
socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
functionality.

Addresses the following denial:

type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0

Bug: 19648474
Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
/system/sepolicy/system_server.te
f3a6abbb889f567d32df41577db7760714e957ae 06-Mar-2015 Nick Kralevich <nnk@google.com> am f42b8dbc: am efb4bdb9: am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server

* commit 'f42b8dbc3066c70c1cf9a5722f699b4ac00a0306':
Eliminate CAP_SYS_MODULE from system_server
efb4bdb9f49d19f4ea9a7348eb019ed8d77955e4 05-Mar-2015 Nick Kralevich <nnk@google.com> am 92b10ddb: Eliminate CAP_SYS_MODULE from system_server

* commit '92b10ddb47caa4c80a626e6c70330439feb4aa30':
Eliminate CAP_SYS_MODULE from system_server
92b10ddb47caa4c80a626e6c70330439feb4aa30 05-Mar-2015 Nick Kralevich <nnk@google.com> Eliminate CAP_SYS_MODULE from system_server

Right now, the system_server has the CAP_SYS_MODULE capability. This allows the
system server to install kernel modules. Effectively, system_server is one
kernel module load away from full root access.

Most devices don't need this capability. Remove this capability from
the core SELinux policy. For devices which require this capability,
they can add it to their device-specific SELinux policy without making
any framework code changes.

In particular, most Nexus devices ship with monolithic kernels, so this
capability isn't needed on those devices.

Bug: 7118228
Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
/system/sepolicy/system_server.te
e5d81d1434d187c0de9624b5a3a1cd8a5bb63ba0 03-Mar-2015 dcashman <dcashman@google.com> am 40af9962: am 31a8511a: am 23f33615: Record observed system_server servicemanager service requests.

* commit '40af996297e7c07dd396fdba9a8f4bce90338e6f':
Record observed system_server servicemanager service requests.
31a8511a79aca6954abe04afb8c7a364863ca5a9 03-Mar-2015 dcashman <dcashman@google.com> am 23f33615: Record observed system_server servicemanager service requests.

* commit '23f336156daf61ba07c024af2fe96994605f46eb':
Record observed system_server servicemanager service requests.
23f336156daf61ba07c024af2fe96994605f46eb 03-Mar-2015 dcashman <dcashman@google.com> Record observed system_server servicemanager service requests.

Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
/system/sepolicy/system_server.te
7939f440f5deb51f4e195bc064c83f25b2d06145 26-Feb-2015 Nick Kralevich <nnk@google.com> am ca77ce09: am cd31111d: am d99ea5a8: Merge "Revert /proc/net related changes"

* commit 'ca77ce09878196a8958eac3786cb13bf3426520a':
Revert /proc/net related changes
cd31111d5e941fe67264b985b4e2ca2841e91e2b 26-Feb-2015 Nick Kralevich <nnk@google.com> am d99ea5a8: Merge "Revert /proc/net related changes"

* commit 'd99ea5a8af11216fb3e2e315c6310d2af4f02afc':
Revert /proc/net related changes
5cf3994d8ab039f9ba47164ef9d13e2ddb5e7acd 25-Feb-2015 Nick Kralevich <nnk@google.com> Revert /proc/net related changes

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc826afb9beefda802d496befe823a081e
and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
/system/sepolicy/system_server.te
ffbc3de99f3e7a4f2d0c51bb91dd48a5db62ae4e 30-Jan-2015 Nick Kralevich <nnk@google.com> am f4c0a09b: am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec

* commit 'f4c0a09bd3c77486faf53eb0c89fdc720dd10353':
system_server: neverallow dex2oat exec
f4c0a09bd3c77486faf53eb0c89fdc720dd10353 30-Jan-2015 Nick Kralevich <nnk@google.com> am 437f7139: am 361cdaff: system_server: neverallow dex2oat exec

* commit '437f713936148eb0cf3eb277eab72b07a1d533ca':
system_server: neverallow dex2oat exec
361cdaff3096fafc16bbe88b84d6f99f7944def7 30-Jan-2015 Nick Kralevich <nnk@google.com> system_server: neverallow dex2oat exec

system_server should never be executing dex2oat. This is either
a bug (for example, bug 16317188), or represents an attempt by
system server to dynamically load a dex file, something we don't
want to allow.

This change adds a compile time assertion which will detect
if an allow rule granting this access is ever added.
No new rules are added or deleted as a result of this change.
This neverallow rule is automatically enforced via CTS.

Bug: 16317188
Change-Id: Id783e05d9f48d48642dbb89d9c78be4aae8af70c
/system/sepolicy/system_server.te
63168cc8d7be62d34a02cd0cb157b13c35ff4049 20-Jan-2015 dcashman <dcashman@google.com> am 854ad128: am a5119ee7: am 566e8fe2: Record service accesses.

* commit '854ad128c9de75aae66ca8868f317a133974e4a8':
Record service accesses.
854ad128c9de75aae66ca8868f317a133974e4a8 20-Jan-2015 dcashman <dcashman@google.com> am a5119ee7: am 566e8fe2: Record service accesses.

* commit 'a5119ee7900d511278b12d04f436ed25110556cf':
Record service accesses.
566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 17-Jan-2015 dcashman <dcashman@google.com> Record service accesses.

Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
/system/sepolicy/system_server.te
6ca7a15ad212c62b591cf906169b200155407c2a 16-Jan-2015 dcashman <dcashman@google.com> am 7dc1417b: am c1142451: am 0d16b5ac: Merge "Remove known system_server service accesses from auditing."

* commit '7dc1417b628d017b79848c62b450078834e7c612':
Remove known system_server service accesses from auditing.
1267d6674581e60901184030c3a9c77828ab91fb 16-Jan-2015 Nick Kralevich <nnk@google.com> am 5585c30a: am acf209e8: am 99940d1a: remove /proc/net read access from domain.te

* commit '5585c30ace954b880b8099e2847f3f860bc7b9e3':
remove /proc/net read access from domain.te
7dc1417b628d017b79848c62b450078834e7c612 16-Jan-2015 dcashman <dcashman@google.com> am c1142451: am 0d16b5ac: Merge "Remove known system_server service accesses from auditing."

* commit 'c1142451d9d91fba3f4f3910ecbfd0b2263c445d':
Remove known system_server service accesses from auditing.
c631ede7dc7cb131b1bdd03ce296eeac53dc9add 16-Jan-2015 dcashman <dcashman@google.com> Remove known system_server service accesses from auditing.

Address observed audit logs of the form:
granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
/system/sepolicy/system_server.te
5585c30ace954b880b8099e2847f3f860bc7b9e3 15-Jan-2015 Nick Kralevich <nnk@google.com> am acf209e8: am 99940d1a: remove /proc/net read access from domain.te

* commit 'acf209e8c38e2a2ed7510551961a5812f63a4935':
remove /proc/net read access from domain.te
3c2e91f325225323e1414a27a94e2279d94e26ba 15-Jan-2015 Brian Carlstrom <bdc@google.com> resolved conflicts for merge of 61e82a2c to master

Change-Id: Iab9f024f046ca5393e3625267d1cedfbdd74e8e7
61e82a2cfc5483fb89d5b210db0495627d758150 15-Jan-2015 dcashman <dcashman@google.com> resolved conflicts for merge of e55f2b81 to lmp-mr1-dev-plus-aosp

Change-Id: If8473c40d1b3da93d1f0f74d24f40633b2209f5e
99940d1af5719f1622fa2a17f8daf6cb21de3ad1 14-Jan-2015 Nick Kralevich <nnk@google.com> remove /proc/net read access from domain.te

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
/system/sepolicy/system_server.te
4a89cdfa89448c8660308a31bfcb517fffaa239e 17-Dec-2014 dcashman <dcashman@google.com> Make system_server_service an attribute.

Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/system/sepolicy/system_server.te
880938af90019a600b10baf8ce225cb371e9473b 17-Dec-2014 dcashman <dcashman@google.com> am 49e7e0c2: am d8800a10: am cd82557d: Restrict service_manager find and list access.

* commit '49e7e0c24846468fe6ed408ef00b8182058fb30f':
Restrict service_manager find and list access.
49e7e0c24846468fe6ed408ef00b8182058fb30f 17-Dec-2014 dcashman <dcashman@google.com> am d8800a10: am cd82557d: Restrict service_manager find and list access.

* commit 'd8800a10fa987bac8234d87f1d4ff83d90966053':
Restrict service_manager find and list access.
cd82557d4069c20bda8e18aa7f72fc0521a3ae32 12-Dec-2014 dcashman <dcashman@google.com> Restrict service_manager find and list access.

All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
/system/sepolicy/system_server.te
fba17fd2f413e8fc376752d9c9ef6d7d924bd6a4 15-Nov-2014 Mike Lockwood <lockwood@google.com> Add support for MIDI service

Change-Id: If7241659a8252d65187673f0d8e87150d5dfb72d
/system/sepolicy/system_server.te
6eabeb20f9e5aff2cd46c219903ea4479cc9f3e5 19-Nov-2014 Nick Kralevich <nnk@google.com> am c230c292: am c48971f6: allow system_server to set ro.build.fingerprint

* commit 'c230c2926d7ce3ca7348a391ad15adb55d5c74f3':
allow system_server to set ro.build.fingerprint
c48971f69fa07c98e62b9a8b0a2ba171846fbea1 18-Nov-2014 Nick Kralevich <nnk@google.com> allow system_server to set ro.build.fingerprint

Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
See https://android.googlesource.com/platform/frameworks/base/+/5568772e8161205b86905d815783505fd3d461d8
for details.

Allow system_server to set ro.build.fingerprint

Addresses the following denial/error:

avc: denied { set } for property=build.fingerprint scontext=u:r:system_server:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
init: sys_prop: permission denied uid:1000 name:ro.build.fingerprint

Bug: 18188956
Change-Id: I98b25773904a7be3e3d2926daa82c1d08f9bcc29
/system/sepolicy/system_server.te
0ff85767a30885a65a61aa9b854c8b929cc6b33e 29-Oct-2014 Nick Kralevich <nnk@google.com> am 4d9648e3: am b519949d: system_server: assert app data files never opened directly

* commit '4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9':
system_server: assert app data files never opened directly
4d9648e3e4bb2f3796d28f9cc95c6d3abd6075a9 28-Oct-2014 Nick Kralevich <nnk@google.com> am b519949d: system_server: assert app data files never opened directly

* commit 'b519949df150ebe4fc9bf3db52542bb5d9238d4e':
system_server: assert app data files never opened directly
8526aced7551291a2a8d9d1fca3f8a719d9ecb24 25-Oct-2014 Nick Kralevich <nnk@google.com> am 491c5368: am 2d1650f4: allow system_server to set kernel scheduling priority

* commit '491c5368f7cdae8f7b94ed620706ed61c092e8d1':
allow system_server to set kernel scheduling priority
2d1650f4075db4f4f458de4c1a4cb5869c44b936 24-Oct-2014 Nick Kralevich <nnk@google.com> allow system_server to set kernel scheduling priority

Addresses the following denial:

avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

It's not clear why system_server is adjusting the scheduling priority
of kernel processes (ps -Z | grep kernel). For now, allow the operation,
although this is likely a kernel bug.

Maybe fix bug 18085992.

Bug: 18085992
Change-Id: Ic10a4da63a2c392d90084eb1106bc5b42f95b855
/system/sepolicy/system_server.te
b519949df150ebe4fc9bf3db52542bb5d9238d4e 23-Oct-2014 Nick Kralevich <nnk@google.com> system_server: assert app data files never opened directly

Add a compile time assertion that app data files are never
directly opened by system_server. Instead, system_server always
expects files to be passed via file descriptors.

This neverallow rule will help prevent accidental regressions and
allow us to perform other security tightening, for example
bug 7208882 - Make an application's home directory 700

Bug: 7208882
Change-Id: I49c725982c4af0b8c76601b2a5a82a5c96df025d
/system/sepolicy/system_server.te
255d40927631a9fb71b068db5022bd969562b49a 16-Oct-2014 Robin Lee <rgl@google.com> resolved conflicts for merge of bdec09b9 to lmp-mr1-dev-plus-aosp

Change-Id: I9f1dd4fd401df73006f79205557daa17313d36f4
5871d1bc18f32b4411c731c1bd9c8d3974691eab 16-Oct-2014 Robin Lee <rgl@google.com> resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp

Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
51bfecf49d50982f64aba1fa73bbbdd2e40a444f 13-Oct-2014 Robin Lee <rgl@google.com> Pull keychain-data policy out of system-data

Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
/system/sepolicy/system_server.te
86facd93880604879486221e462b4f8a451247a5 11-Oct-2014 Nick Kralevich <nnk@google.com> am 0ed8f86e: am 2380d05f: allow system_server oemfs read access

* commit '0ed8f86eba294cfc76c283852d0da6542c631c31':
allow system_server oemfs read access
7fe94a1c79b4fa0c8049ac23c66ccf77b5b3ad33 11-Oct-2014 Nick Kralevich <nnk@google.com> am 2380d05f: allow system_server oemfs read access

* commit '2380d05f9791b6789b81e28ca8841df1b8b62c6d':
allow system_server oemfs read access
2380d05f9791b6789b81e28ca8841df1b8b62c6d 11-Oct-2014 Nick Kralevich <nnk@google.com> allow system_server oemfs read access

Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d
/system/sepolicy/system_server.te
f37ce3f3e2ad68da61f709567cd166a83316e3f3 08-Sep-2014 dcashman <dcashman@google.com> Add support for factory reset protection.

Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

(cherrypick of commit 47bd7300a522fb9c7e233b6d040533ad16708a0e)

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
/system/sepolicy/system_server.te
72acd6bbbe65f8d776028a4097c427fd1dad235b 27-Aug-2014 Robin Lee <rgl@google.com> Allow system reset_uid, sync_uid, password_uid

Permits the system server to change keystore passwords for users other
than primary.

(cherrypicked from commit de08be8aa006c313e5025ba5f032abf786a39f71)

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/system/sepolicy/system_server.te
43b8bc53ab177296f88fbc6fc8c3c8b225f13bca 09-Sep-2014 dcashman <dcashman@google.com> resolved conflicts for merge of 47bd7300 to lmp-dev-plus-aosp

Change-Id: I9631fb1774893d2eeccd7f1f5a867cb5dd98d53d
47bd7300a522fb9c7e233b6d040533ad16708a0e 08-Sep-2014 dcashman <dcashman@google.com> Add support for factory reset protection.

Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
/system/sepolicy/system_server.te
f9ea564a9ee3d80c92d198bf52e28eed7dac509d 30-Aug-2014 Robin Lee <rgl@google.com> am de08be8a: Allow system reset_uid, sync_uid, password_uid

* commit 'de08be8aa006c313e5025ba5f032abf786a39f71':
Allow system reset_uid, sync_uid, password_uid
de08be8aa006c313e5025ba5f032abf786a39f71 27-Aug-2014 Robin Lee <rgl@google.com> Allow system reset_uid, sync_uid, password_uid

Permits the system server to change keystore passwords for users other
than primary.

Bug: 16233206
Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
/system/sepolicy/system_server.te
bd6d1f385b7d3eec5ba49947c3b01464a809f8d0 29-Aug-2014 Brian Carlstrom <bdc@google.com> am 09eae908: Remove system_server create access from /data/dalvik-cache

* commit '09eae90890d4a2545358b8ba104e1f2a46df1408':
Remove system_server create access from /data/dalvik-cache
09eae90890d4a2545358b8ba104e1f2a46df1408 29-Aug-2014 Brian Carlstrom <bdc@google.com> Remove system_server create access from /data/dalvik-cache

Bug: 16875245

(cherry picked from commit 372d0df796389e2f6295a394492585ed64f0ceca)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
/system/sepolicy/system_server.te
372d0df796389e2f6295a394492585ed64f0ceca 29-Aug-2014 Brian Carlstrom <bdc@google.com> Remove system_server create access from /data/dalvik-cache

Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
/system/sepolicy/system_server.te
4a518b8bbf1e085fd4984f652209442f39ac0cfe 29-Jul-2014 Sreeram Ramachandran <sreeram@google.com> am 997461bd: Allow system_server to talk to netlink directly.

* commit '997461bda5aaedeabf48021e3291293e48501ef7':
Allow system_server to talk to netlink directly.
997461bda5aaedeabf48021e3291293e48501ef7 29-Jul-2014 Sreeram Ramachandran <sreeram@google.com> Allow system_server to talk to netlink directly.

This is needed for http://ag/512212 to work.

Bug: 15409819
Change-Id: If91fc6891d7ce04060362c6cde8c57462394c4e8
/system/sepolicy/system_server.te
d065f0483c89d18aa92f60646b3e0867072bc8ff 26-Jul-2014 Nick Kralevich <nnk@google.com> Resync lmp-dev-plus-aosp with master

A DO NOT MERGE change merged from lmp-dev to lmp-dev-plus-aosp.
This is expected, but it's causing unnecessary merge conflicts
when handling AOSP contributions.

Resolve those conflicts.

This is essentially a revert of bf696327246833c9aba55a645e6c433e9f321e27
for lmp-dev-plus-aosp only.

Change-Id: Icc66def7113ab45176ae015f659cb442d53bce5c
/system/sepolicy/system_server.te
7d62aceef4918c1fd08d7774c7a7d4f4562c317b 25-Jul-2014 Narayan Kamath <narayan@google.com> am aa8e657e: Revert "fix system_server dex2oat exec"

* commit 'aa8e657ef09d70d8ea5657b624022925d92f4711':
Revert "fix system_server dex2oat exec"
aa8e657ef09d70d8ea5657b624022925d92f4711 25-Jul-2014 Narayan Kamath <narayan@google.com> Revert "fix system_server dex2oat exec"

This reverts commit 10370f5ff47745fe9678d18ff788e51e665bf36e.

The underlying issue has been fixed and the system_server
will now go via installd to get stuff compiled, if required.

bug: 16317188

Change-Id: I77a07748a39341f7082fb9fc9792c4139c90516d
/system/sepolicy/system_server.te
9d24d52e9742cca22425aa6fbc34dde69b3bd0df 24-Jul-2014 Stephen Smalley <sds@tycho.nsa.gov> am ba992496: Define debuggerd class, permissions, and rules.

* commit 'ba992496f01e40a10d9749bb25b6498138e607fb':
Define debuggerd class, permissions, and rules.
ba992496f01e40a10d9749bb25b6498138e607fb 24-Jul-2014 Stephen Smalley <sds@tycho.nsa.gov> Define debuggerd class, permissions, and rules.

Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
bf696327246833c9aba55a645e6c433e9f321e27 18-Jul-2014 Riley Spahn <rileyspahn@google.com> DO NOT MERGE: Remove service_manager audit_allows.

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
/system/sepolicy/system_server.te
d26357641d9f85750f63c9e4ec441a506e806389 16-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove auditallow from system_server.

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

(cherry picked from commit 5a25fbf7ca281d2b372def95b92b400a073604b6)

Change-Id: Ibadf1ce5e66f279fc49fd8fa20dfc64c960dd57f
/system/sepolicy/system_server.te
5a25fbf7ca281d2b372def95b92b400a073604b6 16-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove auditallow from system_server.

system_server auditallow statements were causing logspam and
there is not a good way to negate services from specific devices
so as a fix we are removing all system_server auditallows. These
logs may not be useful anyway because I suspect that system_server
will probe for most all services anyway.

Change-Id: I27a05761c14def3a86b0749cdb895190bdcf9d71
/system/sepolicy/system_server.te
344fc109e9787f91946ac852bb513c796aab38f6 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98880a683c276589ab7d8d7666b7f8c1)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
/system/sepolicy/system_server.te
10370f5ff47745fe9678d18ff788e51e665bf36e 15-Jul-2014 Nick Kralevich <nnk@google.com> fix system_server dex2oat exec

Addresses the following denial:

W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Bug: 16317188
Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
/system/sepolicy/system_server.te
81839dfb24094803125f7ac9d4844207b61569ed 15-Jul-2014 Ed Heyl <edheyl@google.com> reconcile aosp (3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea) after branching. Please do not merge.

Change-Id: Ic8ee83ed6ffef02bddd17e1175416fc2481db7b2
/system/sepolicy/system_server.te
8395bb4ad005c1a2fc8085715bb3155867b212e5 15-Jul-2014 Nick Kralevich <nnk@google.com> fix system_server dex2oat exec

Addresses the following denial:

W/system_server( 2697): type=1400 audit(0.0:9): avc: denied { execute } for name="dex2oat" dev="mmcblk0p31" ino=118 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file permissive=0

Change-Id: I168842b3e281efcb0632049632ed3817c2025e4d
/system/sepolicy/system_server.te
b8511e0d98880a683c276589ab7d8d7666b7f8c1 07-Jul-2014 Riley Spahn <rileyspahn@google.com> Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/system/sepolicy/system_server.te
3a8c5dc05fb7696dd81b8a7c1b2524224154e8ea 11-Jul-2014 Todd Poynor <toddpoynor@google.com> Allow oemfs search for system_server and bootanim

Address denials in devices that use /oem

Change-Id: I80b76bb58bab9b6c54d6550eb801664d82a4d403
/system/sepolicy/system_server.te
5d60f04e5d43d084992d59c38a631a034b88e715 10-Jul-2014 Colin Cross <ccross@android.com> sepolicy: allow system server to remove cgroups

Bug: 15313911
Change-Id: Ib7d39561a0d52632929d063a7ab97b6856f28ffe
/system/sepolicy/system_server.te
d8447fdfe1db8571158659bc2daf058335842a06 10-Jul-2014 Andres Morales <anmorales@google.com> Typedef+rules for SysSer to access persistent block device

Defines new device type persistent_data_block_device

This block device will allow storage of data that
will live across factory resets.

Gives rw and search access to SystemServer.

Change-Id: I298eb40f9a04c16e90dcc1ad32d240ca84df3b1e
/system/sepolicy/system_server.te
be092af039148e3cadcd49ee7042b8f39c7e95a2 07-Jul-2014 Jeff Sharkey <jsharkey@android.com> Rules to allow installing package directories.

Earlier changes had extended the rules, but some additional changes
are needed.

avc: denied { relabelfrom } for name="vmdl-723825123.tmp"
dev="mmcblk0p28" ino=162910 scontext=u:r:system_server:s0
tcontext=u:object_r:apk_data_file:s0 tclass=dir

Bug: 14975160
Change-Id: I875cfc3538d4b098d27c7c7b756d1868a54cc976
/system/sepolicy/system_server.te
d00eff47fe1f0b73dce96241ac348599f7d8e41c 04-Jul-2014 Nick Kralevich <nnk@google.com> system_server: bring back sdcard_type neverallow rule

We had disabled the neverallow rule when system_server was
in permissive_or_unconfined(), but forgot to reenable it.
Now that system_server is in enforcing/confined, bring it
back.

Change-Id: I6f74793d4889e3da783361c4d488b25f804ac8ba
/system/sepolicy/system_server.te
596bcc768758f38534a537a3fb54875225417f2c 01-Jul-2014 Riley Spahn <rileyspahn@google.com> Remove keystore auditallow statements from system.

Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
/system/sepolicy/system_server.te
1196d2a5763c9a99be99ba81a4a29d938a83cc06 17-Jun-2014 Riley Spahn <rileyspahn@google.com> Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
/system/sepolicy/system_server.te
8c6552acfba677442d565a0c7f8e44f5f2af57f2 25-Jun-2014 Nick Kralevich <nnk@google.com> Allow system_server to read all /proc files

system_server scans through /proc to keep track of process
memory and CPU usage. It needs to do this for all processes,
not just appdomain processes, to properly account for CPU and
memory usage.

Allow it.

Addresses the following errors which have been showing up
in logcat:

W/ProcessCpuTracker(12159): Skipping unknown process pid 1
W/ProcessCpuTracker(12159): Skipping unknown process pid 2
W/ProcessCpuTracker(12159): Skipping unknown process pid 3

Bug: 15862412
Change-Id: I0a75314824404e060c6914c06a371f2ff2e80512
/system/sepolicy/system_server.te
fee49159e760162b0e8ee5a4590c50a65b8e322f 19-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Align SELinux property policy with init property_perms.

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
97a2cfdf6618f98fe1da51c5e77d9a5d2765c04e 18-Jun-2014 Paul Jensen <pauljensen@google.com> Allow Bluetooth app to initiate DHCP service on bt-pan interface.

bug:15407087
Change-Id: I3dea9c1110583f11f093d048455a1cc739d05658
/system/sepolicy/system_server.te
04e730b635d961f1610886e96622214b9a5e40d4 19-Jun-2014 Nick Kralevich <nnk@google.com> system_server: allow open /dev/snd and read files

system_server needs to open /dev/snd and access files
within that directory. Allow it.

system_server need to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.

Addresses the following denial:

system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir

and likely others

Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
/system/sepolicy/system_server.te
00b180dfb8195fa559f45e812c9c2a82bdbd9c40 17-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Eliminate some duplicated rules.

As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.

Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).

Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
fad4d5fb00ddb1f61c22c003429e10f10b046d0d 16-Jun-2014 Nick Kralevich <nnk@google.com> Fix SELinux policies to allow resource overlays.

The following commits added support for runtime resource overlays.

New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591

During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.

This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.

Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py

Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
/system/sepolicy/system_server.te
a76d9ddf6bf8f0ee0768a2129fa7606f66b0b510 14-Jun-2014 Nick Kralevich <nnk@google.com> system_server profile access

Still not fixed. *sigh*

Addresses the following denial:

<4>[ 40.515398] type=1400 audit(15842931.469:9): avc: denied { read } for pid=814 comm="system_server" name="profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: I705a4cc9c508200ace46780c18b7112b62f27994
/system/sepolicy/system_server.te
96d9af423575aec5559bd1a7094203c9e0586347 13-Jun-2014 Nick Kralevich <nnk@google.com> allow system_server getattr on /data/dalvik-cache/profiles

867030517724036b64fcaf39deaba1b27f3ca77e wasn't complete. I thought
getattr on the directory wasn't needed but I was wrong. Not sure
how I missed this.

Addresses the following denial:

<4>[ 40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir

Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
/system/sepolicy/system_server.te
867030517724036b64fcaf39deaba1b27f3ca77e 11-Jun-2014 Nick Kralevich <nnk@google.com> Remove world-read access to /data/dalvik-cache/profiles

Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to
read/write profiling data.

Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
/system/sepolicy/system_server.te
f90c41f6e8d5c1266e154f46586a2ceb260f1be6 06-Jun-2014 Riley Spahn <rileyspahn@google.com> Add SELinux rules for service_manager.

Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
/system/sepolicy/system_server.te
13d5886363675915e5115ccc0a95ca5d7776730b 11-Jun-2014 Ruchi Kandoi <kandoiruchi@google.com> system_server: Adds permission to system_server to write sysfs file

Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.

Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8

Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
/system/sepolicy/system_server.te
6bb672e6b3df2fb3dbb49f32e5f30589ff539e6e 26-Nov-2013 Stephen Smalley <sds@tycho.nsa.gov> Make the system_server domain enforcing.

Change-Id: I1ea20044bd6789dde002da7fc9613cfbf1ee2d23
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
2cc6d63d5d88824527a7fd89a0cacf5702109eae 04-Jun-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server access to /data/media files passed via Binder.

Addresses denials such as:
avc: denied { read } for comm="Binder_6" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
avc: denied { getattr } for comm="Binder_9" path="/data/media/0/zedge/ringtone/love_tone_2014-ringtone-1665292.mp3" dev="mmcblk0p28" ino=1534267 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Change-Id: I5e5744eecf2cbd4fc584db8584be4e9101bcb60c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
f85c1fc293523db241c48d815b165067b8a0f471 27-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow installd, vold, system_server unlabeled access.

The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose. vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so. system_server tries to access all /data/data
subdirectories so permit it to do so. installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
8599e34b95705638034b798c56bc2cc8bb2e6372 23-May-2014 Nick Kralevich <nnk@google.com> Introduce wakelock_use()

Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.

Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.

Still TODO: fix device specific wakelock use.

Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
/system/sepolicy/system_server.te
a16a59e2c7f1e2f09bf7b750101973a974c972e8 14-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove graphics_device access.

Neither mediaserver nor system_server appear to require
direct access to graphics_device, i.e. the framebuffer
device. Drop it.

Change-Id: Ie9d1be3f9071584155cddf248ea85e174b7e50a6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
782e084dc249ec96a4659c523ffc6a53ee46abb1 14-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server to read tombstones.

Address denials such as:
avc: denied { read } for name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
avc: denied { open } for name="tombstones" dev="dm-0" ino=765537 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
avc: denied { getattr } for path="/data/tombstones/tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
avc: denied { read } for name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file
avc: denied { open } for name="tombstone_00" dev="dm-0" ino=765538 scontext=u:r:system_server:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=file

Change-Id: Iae5a10bed9483589660b84a88b6b9f8f8e9a8f5c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
538edd3317fd56d6d1871aebe83f0636946fbc94 12-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Restrict system_server to only the data file types needed.

Drop rules on data_file_type attribute and replace with rules
on specific types under /data.

Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
02dac03a8c7cc79306cf5807f86af3e01f5dc4af 09-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Drop relabelto_domain() macro and its associated definitions.

This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
cd905ec04e6db7f9116afe05c95c0d5e387e5b15 09-May-2014 Nick Kralevich <nnk@google.com> Protect keystore's files.

Only keystore itself should be reading / writing its files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
/system/sepolicy/system_server.te
53cde700cda6caad25ba06092fa850ff51dd2431 07-May-2014 Stephen Smalley <sds@tycho.nsa.gov> Report graphics_device accesses by system_server or mediaserver.

See if we can remove these allow rules by auditing any granting
of these permissions. These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.

Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
3f3d6ffb7ee98116404e4a85ad027a98b70c2331 15-Apr-2014 Nick Kralevich <nnk@google.com> Allow system_server pstore access.

pstore contains /sys/fs/pstore/console-ramoops, which is the
replacement for /proc/last_kmsg. Both files are read by system_server
on startup. Allow access.

Addresses the following denials:

<12>[ 53.836838] type=1400 audit(949060020.909:19): avc: denied { search } for pid=1233 comm="Thread-119" name="/" dev="pstore" ino=10296 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir
<12>[ 53.856546] type=1400 audit(949060020.909:20): avc: denied { getattr } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.878425] type=1400 audit(949060020.909:21): avc: denied { read } for pid=1233 comm="Thread-119" name="console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file
<12>[ 53.898476] type=1400 audit(949060020.909:22): avc: denied { open } for pid=1233 comm="Thread-119" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=10297 scontext=u:r:system_server:s0 tcontext=u:object_r:pstorefs:s0 tclass=file

Change-Id: I7307da751961b242e68adb319da9c00192e77bbb
/system/sepolicy/system_server.te
e06e53638808ec0d14aaee701590fdc93cfd3150 21-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow inputflinger to call system_server.

Resolves denials such as:
avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { open } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { search } for pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc: denied { read } for pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc: denied { call } for pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
971b5d7c9f6cd134cfa89ca211cbaabe1ac606a4 18-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server to set ctl.bugreport property.

Resolves denials such as:
avc: denied { set } for property=ctl.bugreport scontext=u:r:system_server:s0 tcontext=u:object_r:ctl_bugreport_prop:s0 tclass=property_service

Change-Id: I6c3085065157f418fc0cd4d01fa178eecfe334ad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
bafbf8133015204ac1b9116ccd4235e8a615895c 14-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow system_server to read from log daemon.

Addresses denials such as:
avc: denied { write } for pid=1797 comm="logcat" name="logdr" dev="tmpfs" ino=7523 scontext=u:r:system_server:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file
avc: denied { connectto } for pid=1797 comm="logcat" path="/dev/socket/logdr" scontext=u:r:system_server:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket

Change-Id: Idc4f48519ca3d81125102e8f15f68989500f5e9e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
6fe899a0d1905682c3224f1a3809288dacc0ca3f 13-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Silence /proc/pid denials.

system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
c18121811c59335b4b59e8ffc52179ad6049640b 06-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Deduplicate and rationalize system_server /proc/pid access.

The system_server has duplicate/overlapping rules regarding
/proc/pid access as well as a lack of clarity on the reason
for the different rules. Deduplicate the rules and clarify
the purpose of different sets of rules.

Replace the rules granting /proc/pid access for all domains with
specific rules only for domains that we know should be accessible
by the system_server, i.e. all apps (appdomain) and the set of
native processes listed in com.android.server.Watchdog.NATIVE_STACKS_OF_INTEREST.

Change-Id: Idae6fc87e19e1700cdc4bdbde521d35caa046d74
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
d9d9d2f4170b96a674c8222287bbe4cddfc8de3a 05-Mar-2014 Nick Kralevich <nnk@google.com> temp fix for build breakage.

libsepol.check_assertion_helper: neverallow on line 8857 violated by allow system_server sdcard_external:file { ioctl read write getattr lock append open };
Error while expanding policy
make: *** [out/target/product/manta/obj/ETC/sepolicy_intermediates/sepolicy] Error 1

Change-Id: I181707ed66bad3db56f9084b3d9ba161d13b34bd
/system/sepolicy/system_server.te
d331e00bd8101b5ab63e08822cdad7a223c2a5dd 05-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Do not allow system_server to access SDcard files.

As per:
https://android-review.googlesource.com/#/c/84130/3/system_server.te@240
it is unsafe to allow such access.

Add a neverallow rule to prohibit any rules on sdcard_type in the
future.

Change-Id: Ife714b65b07144eb6228a048a55ba82181595213
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
3dad7b611a448fa43a678ff760c23a00f387947e 05-Mar-2014 Stephen Smalley <sds@tycho.nsa.gov> Address system_server denials.

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
28afdd9234236d0b3c510f28255aa14625d11457 26-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Deduplicate binder_call rules.

A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
63b98b17e41b74a7595dc80e1958550cf6b887d1 26-Feb-2014 Nick Kralevich <nnk@google.com> restore system_server zygote socket rules

1601132086b054adc70e7f8f38ed24574c90bc37 removed the getattr/getopt
support for system_server, which is needed to close the zygote socket.
See b/12061011 for details.

system_server still needs this rule, and it's expected to stay
permanently. Restore the rule and remove the comment about it eventually
being deleted.

Addresses the following denials:

<5>[ 86.307639] type=1400 audit(1393376281.530:5): avc: denied { getattr } for pid=656 comm="main" path="socket:[7195]" dev=sockfs ino=7195 scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
<5>[ 86.307945] type=1400 audit(1393376281.530:6): avc: denied { getopt } for pid=656 comm="main" path="/dev/socket/zygote" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket

Bug: 12114500
Change-Id: I47033766dea3ba2fdaa8ce9b4251370bd64aea6d
/system/sepolicy/system_server.te
37afd3f6c337a6914de36ec8658593b523f32e3d 27-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove system_server and zygote unlabeled execute access.

Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.

This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.

That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.

Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
0296b9434f3b933b37f67c143788f87cb80b3325 25-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.

Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
2c347e0a3676bb50cac796ca94eb6ab53c08fc87 25-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Drop obsolete keystore_socket type and rules.

Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while. The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
1601132086b054adc70e7f8f38ed24574c90bc37 24-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Clean up socket rules.

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
335faf2b9b2d68d02223d1aedecf826bb9597f34 21-Feb-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow stat of /sys/module/lowmemorykiller files by system_server.

<5>[ 43.929760] type=1400 audit(6342882.819:16): avc: denied { getattr } for pid=779 comm="system_server" path="/sys/module/lowmemorykiller/parameters/adj" dev="sysfs" ino=6048 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_lowmemorykiller:s0 tclass=file

Change-Id: I48828ca26814c6376c9c71c368f3eff0f7a8f219
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
5467fce636d0cebb86f3684f7a69d883324384ca 13-Feb-2014 Nick Kralevich <nnk@google.com> initial lmkd policy.

* Allow writes to /proc/PID/oom_score_adj
* Allow writes to /sys/module/lowmemorykiller/*

Addresses the following denials:
<5>[ 3.825371] type=1400 audit(9781555.430:5): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 48.874747] type=1400 audit(9781600.639:16): avc: denied { search } for pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir
<5>[ 48.874889] type=1400 audit(9781600.639:17): avc: denied { dac_override } for pid=176 comm="lmkd" capability=1 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability
<5>[ 48.874982] type=1400 audit(9781600.639:18): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 48.875075] type=1400 audit(9781600.639:19): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file
<5>[ 49.409231] type=1400 audit(9781601.169:20): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
<5>[ 209.081990] type=1400 audit(9781760.839:24): avc: denied { search } for pid=176 comm="lmkd" name="1556" dev="proc" ino=10961 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=dir
<5>[ 209.082240] type=1400 audit(9781760.839:25): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[ 209.082498] type=1400 audit(9781760.839:26): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11654 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=file
<5>[ 209.119673] type=1400 audit(9781760.879:27): avc: denied { search } for pid=176 comm="lmkd" name="1577" dev="proc" ino=12708 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=dir
<5>[ 209.119937] type=1400 audit(9781760.879:28): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[ 209.120105] type=1400 audit(9781760.879:29): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11657 scontext=u:r:lmkd:s0 tcontext=u:r:release_app:s0 tclass=file
<5>[ 209.235597] type=1400 audit(9781760.999:30): avc: denied { search } for pid=176 comm="lmkd" name="1600" dev="proc" ino=11659 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[ 209.235798] type=1400 audit(9781760.999:31): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[ 209.236006] type=1400 audit(9781760.999:32): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11667 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[ 214.297283] type=1400 audit(9781766.059:64): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[ 214.297415] type=1400 audit(9781766.059:65): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=11211 scontext=u:r:lmkd:s0 tcontext=u:r:untrusted_app:s0 tclass=file
<5>[ 214.355060] type=1400 audit(9781766.119:66): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[ 214.355236] type=1400 audit(9781766.119:67): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12907 scontext=u:r:lmkd:s0 tcontext=u:r:system_app:s0 tclass=file
<5>[ 214.516920] type=1400 audit(9781766.279:68): avc: denied { search } for pid=176 comm="lmkd" name="1907" dev="proc" ino=11742 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=dir
<5>[ 214.678861] type=1400 audit(9781766.439:69): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[ 214.678992] type=1400 audit(9781766.439:70): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12915 scontext=u:r:lmkd:s0 tcontext=u:r:media_app:s0 tclass=file
<5>[ 214.708284] type=1400 audit(9781766.469:71): avc: denied { search } for pid=176 comm="lmkd" name="1765" dev="proc" ino=12851 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=dir
<5>[ 214.708435] type=1400 audit(9781766.469:72): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file
<5>[ 214.708648] type=1400 audit(9781766.469:73): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=12870 scontext=u:r:lmkd:s0 tcontext=u:r:shared_app:s0 tclass=file

Change-Id: Ie3c1ab8ce9e77742d0cc3c73f40010afd018ccd4
/system/sepolicy/system_server.te
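The lmkd entry above is typical of how rules in this file were derived: paste the denials, write the allow rules, then (as the "Deduplicate binder_call rules" entry shows) clean up the duplicates by hand. The following is an added example, not code from the Android sepolicy project: a small audit2allow-style helper that parses AVC records like the ones quoted above, merges permissions per (source, target, class) so one rule is emitted per key, and flags the two grants this history treats as suspect, capability grants and execute access on app-writable types. The APP_WRITABLE_TYPES set and the flag wording are assumptions made for the example; the sample lines are copied from the commit messages on this page, plus one non-AVC init line to show it is skipped.

```python
import re
from collections import defaultdict

# Kernel prefixes ("<5>[ 48.87 ] type=1400 audit(...)") vary between the pasted
# logs, so the parser anchors on "avc: denied" rather than on the prefix.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Types app domains can write to.  Executing them from a system domain is the
# pattern the "unlabeled execute" commits on this page remove.  Assumed,
# illustrative set; a real policy review would derive it from the policy.
APP_WRITABLE_TYPES = {
    "app_data_file", "platform_app_data_file", "sdcard_internal",
    "media_rw_data_file", "unlabeled",
}

# Sample input: lines copied from the lmkd and ART commit messages above, plus
# one init sys_prop line that is not an AVC record.
SAMPLE_DENIALS = [
    '<5>[ 3.825371] type=1400 audit(9781555.430:5): avc: denied { write } for pid=176 comm="lmkd" name="minfree" dev="sysfs" ino=6056 scontext=u:r:lmkd:s0 tcontext=u:object_r:sysfs:s0 tclass=file',
    '<5>[ 48.874747] type=1400 audit(9781600.639:16): avc: denied { search } for pid=176 comm="lmkd" name="896" dev="proc" ino=9589 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=dir',
    '<5>[ 48.874889] type=1400 audit(9781600.639:17): avc: denied { dac_override } for pid=176 comm="lmkd" capability=1 scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability',
    '<5>[ 48.874982] type=1400 audit(9781600.639:18): avc: denied { write } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file',
    '<5>[ 48.875075] type=1400 audit(9781600.639:19): avc: denied { open } for pid=176 comm="lmkd" name="oom_score_adj" dev="proc" ino=8942 scontext=u:r:lmkd:s0 tcontext=u:r:system_server:s0 tclass=file',
    'type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file',
    '<3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl',
]


def parse_denials(lines):
    """Return (source_type, target_type, tclass, perms) for each AVC denial in lines."""
    parsed = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the init sys_prop line)
        src = m.group("scontext").split(":")[2]  # u:r:lmkd:s0 -> lmkd
        tgt = m.group("tcontext").split(":")[2]  # u:object_r:sysfs:s0 -> sysfs
        parsed.append((src, tgt, m.group("tclass"), frozenset(m.group("perms").split())))
    return parsed


def aggregate(denials):
    """Merge permissions per (source, target, class) so each key yields one rule
    instead of one rule per denial line."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    return merged


def format_rule(src, tgt, cls, perms):
    """Render one allow rule in the style used by the .te files on this page."""
    tgt = "self" if tgt == src else tgt  # e.g. allow lmkd self:capability dac_override;
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {perm_str};"


def allow_rules(lines):
    """Candidate allow rules, sorted, for the denials found in lines."""
    merged = aggregate(parse_denials(lines))
    return sorted(format_rule(s, t, c, p) for (s, t, c), p in merged.items())


def risk_flags(lines):
    """Candidate rules a reviewer should not merge without a second look."""
    flags = []
    for (src, tgt, cls), perms in sorted(aggregate(parse_denials(lines)).items()):
        if cls in ("capability", "capability2"):
            flags.append(f"{src}: capability grant {' '.join(sorted(perms))}")
        if perms & {"execute", "execmod", "execute_no_trans"} and tgt in APP_WRITABLE_TYPES:
            flags.append(f"{src}: execute on app-writable type {tgt}")
    return flags


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_DENIALS):
        print(rule)
    for flag in risk_flags(SAMPLE_DENIALS):
        print("WARN", flag)
```

Run it over a `dmesg` or `logcat` capture and the output is a starting point, not a patch: a dac_override denial usually means the daemon is running as the wrong uid or the file has the wrong owner, and an execute denial on an app-writable type is exactly the access the entries above go to some trouble to remove.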
418e2abd39a3c86c4f8c7fcac93a1a7beea7a092 29-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Label /data/misc/wifi/sockets with wpa_socket.

This will ensure that any sockets created in this directory
will default to wpa_socket unless a type_transition is defined.
Define a type transition for system_server to keep its separate
system_wpa_socket type assigned for its socket. Allow wpa
to create and unlink sockets in the directory. We leave the
already existing rules for wifi_data_file in place for compatibility
with existing devices that have wifi_data_file on /data/misc/wifi/sockets.

Change-Id: I9e35cc93abf89ce3594860aa3193f84a3b42ea6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
8ed750e9731e6e3a21785e91e9b1cf7390c16738 13-Nov-2013 Mark Salyzyn <salyzyn@google.com> sepolicy: Add write_logd, read_logd & control_logd

- Add write_logd, read_logd and control_logd macros added along
with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
deal with fd inheritance. ToDo: investigate means to allow
references to close, and reopen in context of application
or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
/system/sepolicy/system_server.te
208deb335719280c11ab0e6aa033bfd33629320a 29-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Allow dumpstate to run am and shell.

See http://code.google.com/p/android/issues/detail?id=65339

Further denials were observed in testing and allowed as well.

Change-Id: I54e56bf5650b50b61e092a6dac45c971397df60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
623975fa5aece708032aaf29689d73e1f3a615e7 11-Jan-2014 Nick Kralevich <nnk@google.com> Support forcing permissive domains to unconfined.

Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/system_server.te
959fdaaa25d7dbfad8a1900dfe9575f873cea649 09-Jan-2014 Stephen Smalley <sds@tycho.nsa.gov> Remove unlabeled execute access from domain, add to appdomain.

Otherwise all domains can create/write files that are executable
by all other domains. If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
c50bf17d4f4ae4615c9f189236f593db5ff21180 08-Jan-2014 Robert Craig <rpcraig@tycho.ncsc.mil> Address new system server denial.

Allow system_server to unlink sockets created
by the wpa supplicant. This will resolve the following
denial seen across multiple devices.

avc: denied { unlink } for pid=584 comm="WifiStateMachin" name="wlan0" dev=mmcblk0p10 ino=138762 scontext=u:r:system_server:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file

Change-Id: If3a8b1f270dfcd3dc6838eb8ac72e3d5004cc36d
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/system_server.te
37339c763e9082573fcc86e14a6fb9d2d4b9d20c 06-Jan-2014 Nick Kralevich <nnk@google.com> fix mediaserver selinux denials.

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
character devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
/system/sepolicy/system_server.te
e7ec2f5258550a2cc0cb8c76ef24fc100a6b2cf1 23-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Only allow PROT_EXEC for ashmem where required.

tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions. execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains. Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now; we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
527316a21b80c2a70d8ed23351299a4dce0c77bf 23-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Allow use of art as the Android runtime.

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
13e44ec74d326463213c4c01963c776a699467cb 19-Dec-2013 Nick Kralevich <nnk@google.com> allow system_server block_suspend

I'm only seeing this denial on one device (manta), but it feels like
it should be part of the generic policy. I don't understand
why it's happening on only one device.

Addresses the following denial:

14.711671 type=1400 audit(1387474628.570:6): avc: denied { block_suspend } for pid=533 comm="InputReader" capability=36 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=capability2

Change-Id: If4b28b6f42ca92c0e2cacfad75c8cbe023b0fa47
/system/sepolicy/system_server.te
c4d7c0d797a9ef48df1d581578a8f84f9a45aac7 17-Dec-2013 Nick Kralevich <nnk@google.com> system_server.te: allow getopt/getattr on zygote socket

In 61dc35072090f2735af2b39572e39eadb30573eb, I forgot to allow
system_server to run getopt/getattr on the zygote socket.

Bug: 12061011
Change-Id: I14f8fc98c1b08dfd3c2188d562e594547dba69e6
/system/sepolicy/system_server.te
3ba9012535d8412d94db4ae9a5ce928b806e26d8 12-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Move gpu_device type and rules to core policy.

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
2b392fccf35c790bdc55bdce51a196f4953644ce 06-Dec-2013 Nick Kralevich <nnk@google.com> Move lmkd into its own domain.

lmkd low memory killer daemon

The kernel low memory killer logic has been moved to a new daemon
called lmkd. ActivityManager communicates with this daemon over a
named socket.

This is just a placeholder policy, starting off in unconfined_domain.

Change-Id: Ia3f9a18432c2ae37d4f5526850e11432fd633e10
/system/sepolicy/system_server.te
a49ba927e39bb21f18f8340334cf5781e124eb3d 02-Dec-2013 Stephen Smalley <sds@tycho.nsa.gov> Allow SELinuxPolicyInstallReceiver to work.

Change-Id: I10006f43c142f07168e2ea0f4f5f7af68d03e504
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
af47ebb67aa64d699615693bf4603ec173417175 04-Nov-2013 Stephen Smalley <sds@tycho.nsa.gov> Label /dev/fscklogs and allow system_server access to it.

Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
2a604adf1b8fd887f01bc717d64fd1c8105f4d8e 04-Nov-2013 Stephen Smalley <sds@tycho.nsa.gov> Confine healthd, but leave it permissive for now.

Remove unconfined_domain() and add the allow rules required for
operation of healthd. Restore the permissive declaration until
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4
kernel.

Resolves the following denials in 4.4:
type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file
type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder
type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
cd95e0acf18c940288f4abb8e1cfe6c052bb6543 01-Nov-2013 Nick Kralevich <nnk@google.com> Allow system_server to set powerctl_prop

Otherwise we break "adb root && adb shell svc power reboot",
which has the side effect of killing all of our test automation
(oops).

Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631
/system/sepolicy/system_server.te
dd1ec6d557e80c688f7f1e4aef522b6441e8151a 01-Nov-2013 Nick Kralevich <nnk@google.com> Give system_server / system_app ability to write some properties

Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl
<4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
/system/sepolicy/system_server.te
1ff644112e260d2aab55e696b32350dcda0a99b8 29-Oct-2013 Stephen Smalley <sds@tycho.nsa.gov> Confine system_server, but leave it permissive for now.

Change-Id: Ia0de9d739575c34a7391db5f0be24048d89a7bd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
353c72e3b0b4d7d729af20f0c9a13c976baa8753 21-Oct-2013 Nick Kralevich <nnk@google.com> Move unconfined domains out of permissive mode.

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
/system/sepolicy/system_server.te
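The two entries above describe a staged confinement model: a domain is either permissive, permissive but unconfined, enforcing but unconfined, or enforcing with its own rules, and FORCE_PERMISSIVE_TO_UNCONFINED exists so that nothing ships in the first state. The following is an added example and not the Android build's own implementation of that flag: a small policy-text checker that classifies each declared domain into one of those four stages, lists the ones that would ship permissive, and applies the flag's described effect (drop `permissive X;`, ensure `unconfined_domain(X)`). The sample policy fragment is constructed in the declaration style of the .te files on this page; the stage names are assumptions made for the example.

```python
import re

# Declarations this checker understands, in the form used by the .te files above.
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*,\s*([^;]*);", re.M)         # type X, domain;
PERMISSIVE_RE = re.compile(r"^\s*permissive\s+(\w+)\s*;", re.M)       # permissive X;
UNCONFINED_RE = re.compile(r"^\s*unconfined_domain\((\w+)\)", re.M)  # unconfined_domain(X)

# Constructed policy fragment: one domain in each stage of the procedure.
SAMPLE_POLICY = """\
type lmkd, domain;
permissive lmkd;

type healthd, domain;
permissive healthd;
unconfined_domain(healthd)

type system_server, domain;
unconfined_domain(system_server)

type zygote, domain;
"""


def domain_states(policy_text):
    """Map each declared domain to its stage (stage names assumed for this example):
    'permissive'            permissive and confined: development only
    'permissive+unconfined' permissive with the unconfined rule set
    'unconfined'            enforcing, but unconfined_domain() grants nearly everything
    'confined'              enforcing with its own rules"""
    domains = [name for name, attrs in TYPE_RE.findall(policy_text)
               if "domain" in [a.strip() for a in attrs.split(",")]]
    permissive = set(PERMISSIVE_RE.findall(policy_text))
    unconfined = set(UNCONFINED_RE.findall(policy_text))
    states = {}
    for d in domains:
        if d in permissive and d in unconfined:
            states[d] = "permissive+unconfined"
        elif d in permissive:
            states[d] = "permissive"
        elif d in unconfined:
            states[d] = "unconfined"
        else:
            states[d] = "confined"
    return states


def ship_blockers(policy_text):
    """Domains that would ship permissive: what the flag exists to prevent."""
    return sorted(d for d, s in domain_states(policy_text).items()
                  if s.startswith("permissive"))


def force_permissive_to_unconfined(policy_text):
    """Drop every `permissive X;` and make sure X has unconfined_domain(X), the
    'at a minimum, unconfined+enforcing' floor the commit message describes."""
    already = set(UNCONFINED_RE.findall(policy_text))
    out = []
    for line in policy_text.splitlines():
        m = PERMISSIVE_RE.match(line)
        if m:
            dom = m.group(1)
            if dom not in already:  # avoid a duplicate unconfined_domain() line
                out.append(f"unconfined_domain({dom})")
                already.add(dom)
            continue  # the permissive declaration itself is removed
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for dom, state in domain_states(SAMPLE_POLICY).items():
        print(f"{dom:15} {state}")
    print("would ship permissive:", ship_blockers(SAMPLE_POLICY))
    print(force_permissive_to_unconfined(SAMPLE_POLICY))
```

A check like `ship_blockers()` is the kind of thing to run in CI against the policy tree before a release branch is cut; the rewrite step is only a safety net, since an unconfined domain in enforcing mode is still far from the confined end state the second entry works towards.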
ec7d39ba168a5b620e6bb526f316581acc5c1238 29-Sep-2013 William Roberts <wroberts@tresys.com> Introduce controls on wake lock interface

Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1
/system/sepolicy/system_server.te
8d688315aeb053eadc2606badbe4ce52899bb694 03-Oct-2013 Alex Klyubin <klyubin@google.com> Restrict access to /dev/hw_random to system_server and init.

/dev/hw_random is accessed only by init and by EntropyMixer (which
runs inside system_server). Other domains are denied access because
apps/services should be obtaining randomness from the Linux RNG.

Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
/system/sepolicy/system_server.te
45ba665cfcc5c2fc3242a013e6070c2bed860b0a 27-Sep-2013 Stephen Smalley <sds@tycho.nsa.gov> Label and allow access to /data/system/ndebugsocket.

Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/system_server.te
4103b3f27ac0c6fdf16dac918ae791b709b24c6f 17-Sep-2013 Alex Klyubin <klyubin@google.com> 2/2: Rename domain "system" to "system_server".

This CL completes the renaming of domain system to system_server by
removing the "system" typealias that was temporarily added to avoid
breaking the build while the rename CLs are landing.

Change-Id: I05d11571f0e3d639026fcb9341c3476d44c54fca
/system/sepolicy/system_server.te
1fdee11df2552e29da0c48e3432f26f7a93e3bff 14-Sep-2013 Alex Klyubin <klyubin@google.com> 1/2: Rename domain "system" to "system_server".

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
/system/sepolicy/system_server.te