69270e53c0b74da49df6159548dfc3103862c737 |
|
22-Jul-2016 |
Eric Bae <eric.bae@lge.com> |
allow policy to create a file by vfat (fs_type) for a case using sdcardfs am: 320a0f54a1 Change-Id: I6aec72f8175839f4fefeb50f86fedc4202c776b8
|
320a0f54a14ef992bacaa9d399cf3b54ced66ac7 |
|
19-Jul-2016 |
Eric Bae <eric.bae@lge.com> |
allow policy to create a file by vfat (fs_type) for a case using sdcardfs Change-Id: Ia938d73b1a49b9ba4acf906df37095d21edee22e
/system/sepolicy/untrusted_app.te
|
77a15a173759adba089e5c7e59b72d70567460f7 |
|
15-Jul-2016 |
Amith Yamasani <yamasani@google.com> |
Merge "Allow apps to read preloaded photos" into nyc-mr1-dev
|
e01654f98258461448d1761914e32bdad491ec6f |
|
06-Jul-2016 |
Amith Yamasani <yamasani@google.com> |
Allow apps to read preloaded photos For Retail Demo mode, we need to preload photos in /data/preloads and allow regular apps to access the photos returned by the media provider from the preloads directory. Bug: 29940807 Change-Id: Ic1061dac55ace1b125ae04b5b0c70aae9aa0c732
/system/sepolicy/untrusted_app.te
|
addd3c9fba67b8df998a3aa61113b4a0c5cffdf9 |
|
13-Jul-2016 |
dcashman <dcashman@google.com> |
Grant untrusted_app dir access to asec_apk_file. untrusted_app lost all of the domain_deprecated permissions in N, including the ability to read asec_apk_file dirs. This is used for forward locked apps. Addresses the following denials: avc: denied { search } for name="asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0 avc: denied { getattr } for path="/mnt/asec" dev="tmpfs" ino=9298 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir permissive=0 Bug: 30082229 Change-Id: I44119f218433b9009cf8d09d0ee5f8a13cc15dd9
/system/sepolicy/untrusted_app.te
|
f77bc233ad7d3c7d3792d58ae96da1a522aeb73b |
|
16-Apr-2016 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Further restrict socket ioctls available to apps" into nyc-dev
|
32333536032bf1d133e56fe4156175b76b7a1779 |
|
15-Apr-2016 |
Jeff Vander Stoep <jeffv@google.com> |
Further restrict socket ioctls available to apps (cherry picked from commit 6ba383c575985d56752e006d6e65ba7a49abd52e) Restrict unix_dgram_socket and unix_stream_socket to a whitelist. Disallow all ioctls for netlink_selinux_socket and netlink_route_socket. Neverallow third party app use of all ioctls other than unix_dgram_socket, unix_stream_socket, netlink_selinux_socket, netlink_route_socket, tcp_socket, udp_socket and rawip_socket. Bug: 28171804 Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
/system/sepolicy/untrusted_app.te
|
0e61a7a96d76ea46c65286d64474bb7ba301d1d6 |
|
25-Mar-2016 |
Nick Kralevich <nnk@google.com> |
neverallow /data/anr access for isolated/untrusted apps Add a neverallow rule (compile time assertion + CTS test) that isolated_apps and untrusted_apps can't do anything else but append to /data/anr/traces.txt. In particular, assert that they can't read from the file, or overwrite other data which may already be in the file. Bug: 18340553 Bug: 27853304 (cherry picked from commit 369cf8cde5f69e6d6b752e250edfba80289b9c83) Change-Id: Ib33e7ea0342ad28e5a89dfffdd9bc16fe54d8b3d
/system/sepolicy/untrusted_app.te
|
cf8719e7bad53d6c38b2825b736c27c3f37dbf4e |
|
22-Mar-2016 |
Daniel Rosenberg <drosen@google.com> |
Merge "sepolicy: Add policy for sdcardfs and configfs" into nyc-dev
|
027ec20696a46ee9e5fd0d89a8d98a89ca916a2f |
|
14-Mar-2016 |
dcashman <dcashman@google.com> |
Mark batteryproperties service as app_api_service. Applications do not explicitly request handles to the batteryproperties service, but the BatteryManager obtains a reference to it and uses it for its underlying property queries. Mark it as an app_api_service so that all applications may use this API. Also remove the batterypropreg service label, as this does not appear to be used and may have been a duplication of batteryproperties. As a result, remove the healthd_service type and replace it with a more specific batteryproperties_service type. (cherry-picked from commit: 9ed71eff4bed91653cba393ea6cb42f041d4e257) Bug: 27442760 Change-Id: I537c17c09145b302728377bf856c1147e4cc37e9
/system/sepolicy/untrusted_app.te
|
85c0f8affa4d3aa3c50331e272327e360eb8bed9 |
|
12-Mar-2016 |
dcashman <dcashman@google.com> |
Create sysfs_hwrandom type. HwRngTest needs access to the hwrandom sysfs files, but untrusted_app does not have access to sysfs. Give these files their own label and allow the needed read access. Bug: 27263241 Change-Id: I718ba485e9e6627bac6e579f746658d85134b24b
/system/sepolicy/untrusted_app.te
|
47fb4b9fc46fe2675b509874da340797fc43a947 |
|
02-Mar-2016 |
Daniel Rosenberg <drosen@google.com> |
sepolicy: Add policy for sdcardfs and configfs Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff Bug: 19160983
/system/sepolicy/untrusted_app.te
|
6e4bcbe6daa3c959fceb86ae97a8a267e6e9212a |
|
07-Mar-2016 |
Nick Kralevich <nnk@google.com> |
DO NOT MERGE: untrusted_app: drop /proc auditallow It's unlikely we'll get /proc locked down for the N release, so delete the auditallow to avoid spamming the logs. Mark this commit as DO NOT MERGE so we can continue to make progress on this for future Android releases. Change-Id: Ibf27bc5cb1b23c21e123aae8a4f190560d0ac2dc
/system/sepolicy/untrusted_app.te
|
837bc42f5f52760c511140b5ae146898ea75cba8 |
|
23-Feb-2016 |
Calin Juravle <calin@google.com> |
Add SELinux policies to allow foreign dex usage tracking. This is a special profile folder where apps will leave profile markers for the dex files they load and don't own. System server will read the markers and decide which apk should be fully compiled instead of profile-guided compiled. Apps need only to be able to create (touch) files in this directory. System server needs only to be able to check whether or not a file with a given name exists. Bug: 27334750 Bug: 26080105 Change-Id: I2256e4aba1ec0e5117de6497123223b9a74f404e
/system/sepolicy/untrusted_app.te
|
ba12da95726e08c1c72ff3e6533899a062131d39 |
|
29-Feb-2016 |
Nick Kralevich <nnk@google.com> |
Allow bluetooth access to the tun device. Bluetooth uses the tun device for tethering. Allow access.
STEPS TO REPRODUCE:
0. Have two devices to test on, say Device A and Device B
1. On Device A, go to Settings -> Bluetooth.
2. Turn on Bluetooth.
3. Pair it with Device B.
4. Tap on the paired device.
OBSERVED RESULTS:
- Bluetooth share crash is observed with "Bluetooth share has stopped" error message
- Unable to use Bluetooth tethering due to this issue
EXPECTED RESULTS: No crash, and Bluetooth devices should be able to connect for tethering.
Addresses the following denial: com.android.bluetooth: type=1400 audit(0.0:131): avc: denied { open } for comm=425420536572766963652043616C6C path="/dev/tun" dev="tmpfs" ino=12340 scontext=u:r:bluetooth:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0
Bug: 27372573 (cherry picked from commit 9a1347eee668990a8fb357d0d088beb430a61c27) Change-Id: Ibd16e48c09fe80ebb4f3779214de3b4806c12497
/system/sepolicy/untrusted_app.te
|
971aeeda2138b27e3f8850f2fd7c95f60508154c |
|
24-Feb-2016 |
dcashman <dcashman@google.com> |
Label /proc/meminfo. Address the following denial: m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file Bug: 22032619 Chromium Bug: 586021 Change-Id: I584345c84d870c313da69ec97a0b1e54c0eb9ee1
/system/sepolicy/untrusted_app.te
|
89625c9a6488d01466e5b21856f8fdede047f128 |
|
01-Feb-2016 |
Calin Juravle <calin@google.com> |
Update permissions for the dedicated profile folders Bug: 26719109 Bug: 26563023 Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995
/system/sepolicy/untrusted_app.te
|
0d5bac13e1a98a942689f3b2183ed6f7ff66b976 |
|
12-Feb-2016 |
Jeff Tinker <jtinker@google.com> |
Add mediadrm service Part of media security hardening This is an intermediate step toward moving mediadrm to a new service separate from mediaserver. This first step allows mediadrmservice to run based on the system property media.mediadrmservice.enable so it can be selectively enabled on devices that support using native_handles for secure buffers. bug: 22990512 Change-Id: I2208c1e87a6bd8d5bfaed06b1fdcb0509c11cff2
/system/sepolicy/untrusted_app.te
|
a8a1faae7b36ab6ffd23900ca97f342afaf27702 |
|
11-Feb-2016 |
dcashman <dcashman@google.com> |
Auditallow untrusted_app procfs access. Access to proc is being removed but there are still some consumers. Add an auditallow to identify them and adjust labels appropriately before removal. Change-Id: I853b79bf0f22a71ea5c6c48641422c2daf247df5
/system/sepolicy/untrusted_app.te
|
d21987702eab571efc94540ca33152f0ad645a82 |
|
10-Feb-2016 |
Marco Nelissen <marcone@google.com> |
Merge "selinux rules for codec process" into nyc-dev
|
c3ba2e5130d28a0025f798f8b739ee86084fe9da |
|
03-Feb-2016 |
Marco Nelissen <marcone@google.com> |
selinux rules for codec process Bug: 22775369 Change-Id: Ic6abe3d0e18ba6f7554d027e0ec05fd19011709b
/system/sepolicy/untrusted_app.te
|
db664c9ed37f933753bc29c335b70cee7e707caa |
|
09-Feb-2016 |
William Roberts <william.c.roberts@intel.com> |
untrusted_app: confine filesystem creation to sandbox untrusted_apps could be allowed to create/unlink files in world accessible /data locations. These applications could create files in a way that would need cap dac_override to remove from the system when they are uninstalled and/or leave orphaned data behind. Keep untrusted_app file creation to sandbox, sdcard and media locations. Signed-off-by: William Roberts <william.c.roberts@intel.com> (cherry picked from commit bd0768cc93e6c934ccec62e521228fecddb5d61b) Change-Id: Ideb275f696606882d8a5d8fdedb48545a34de887
/system/sepolicy/untrusted_app.te
|
b1bf83fd794c5863289edf459c8c05a906dac9f7 |
|
28-Jan-2016 |
Marco Nelissen <marcone@google.com> |
Revert "selinux rules for codec process" This reverts commit 2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd. Change-Id: Ie2ba8d86f9c7078f970afbb06230f9573c28e0ed
/system/sepolicy/untrusted_app.te
|
e0378303b5ec8a4440fcdea38cca7ebf695dc2b3 |
|
04-Dec-2015 |
Chien-Yu Chen <cychen@google.com> |
selinux: Update policies for cameraserver Update policies for cameraserver so it has the same permissions as mediaserver. Bug: 24511454 Change-Id: I1191e2ac36c00b942282f8dc3db9903551945adb
/system/sepolicy/untrusted_app.te
|
87a79cf9dd5e677b9ae51a4196dec27d480b9b69 |
|
27-Jan-2016 |
Marco Nelissen <marcone@google.com> |
Merge "selinux rules for codec process"
|
e458f9abd4f4d0a4785a5c150bdc6477080be442 |
|
27-Jan-2016 |
dcashman <dcashman@google.com> |
Restore untrusted_app proc_net access. am: 5833e3f5ca am: a321dde852 * commit 'a321dde852731f320e24f93347f39278bcf0b58b': Restore untrusted_app proc_net access.
|
5833e3f5ca04e88629e3bd76331fa0ab42d568f4 |
|
27-Jan-2016 |
dcashman <dcashman@google.com> |
Restore untrusted_app proc_net access. Address the following denial: type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0 Bug: 26806629 Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4
/system/sepolicy/untrusted_app.te
|
ee25c98428f449837f12df52eb8bbe09bfeda04e |
|
23-Jan-2016 |
dcashman <dcashman@google.com> |
Remove domain_deprecated from untrusted_app. am: cbf7ba18db am: b768bd4642 * commit 'b768bd4642afb99f5ffaad46833e47c785667e3e': Remove domain_deprecated from untrusted_app.
|
0503a405700df69788e65be1af16438113b56138 |
|
23-Jan-2016 |
dcashman <dcashman@google.com> |
Temporarily allow untrusted_app to read proc files. am: 2193f766bc am: d7ff314ada * commit 'd7ff314adabc5646e77b844335408201811412d9': Temporarily allow untrusted_app to read proc files.
|
cbf7ba18db3c607834d3f8d0745dae99f3e2a4ec |
|
23-Jan-2016 |
dcashman <dcashman@google.com> |
Remove domain_deprecated from untrusted_app. Bug: 22032619 Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
/system/sepolicy/untrusted_app.te
|
2193f766bc1c7f997906a365238eb80839eb2617 |
|
23-Jan-2016 |
dcashman <dcashman@google.com> |
Temporarily allow untrusted_app to read proc files. Address the following denial: 01-22 09:15:53.998 5325 5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c
/system/sepolicy/untrusted_app.te
|
2afb217b681d05d3fe2cc2f1377e71c0d67b6ebd |
|
17-Dec-2015 |
Marco Nelissen <marcone@google.com> |
selinux rules for codec process Bug: 22775369 Change-Id: I9733457b85dbaeb872b8f4aff31d0b8808fa7d44
/system/sepolicy/untrusted_app.te
|
02863a7ca749a090a427ac663fd3c8f998ec9187 |
|
09-Jan-2016 |
Jeff Vander Stoep <jeffv@google.com> |
grant appdomain rw perms to tun_device am: 2b935cd78d am: 43412f6514 * commit '43412f6514a97572622e009e13f76a61c9d5f987': grant appdomain rw perms to tun_device
|
2b935cd78dae5db5035808f79b00c71be0e32b43 |
|
09-Jan-2016 |
Jeff Vander Stoep <jeffv@google.com> |
grant appdomain rw perms to tun_device Previously granted to only untrusted_app, allow all apps except isolated_app read write permissions to tun_device. avc: denied { read write } for path="/dev/tun" dev="tmpfs" ino=8906 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:tun_device:s0 tclass=chr_file Bug: 26462997 Change-Id: Id6f5b09cda26dc6c8651eb76f6791fb95640e4c7
/system/sepolicy/untrusted_app.te
|
39e29b6f29966961026a113f2e4b29ca443e505e |
|
08-Jan-2016 |
Johan Redestig <johan.redestig@sonymobile.com> |
Neverallow isolated and untrusted apps to write system properties am: 0d8e9adf49 am: fc3b0dd350 * commit 'fc3b0dd350598fb8a9219b296f15ec241fbcdbb2': Neverallow isolated and untrusted apps to write system properties
|
0d8e9adf49a1db942ad3c556d87d25bde94e0df5 |
|
08-Jan-2016 |
Johan Redestig <johan.redestig@sonymobile.com> |
Neverallow isolated and untrusted apps to write system properties and as a consequence open up for other appdomains (e.g. platform_app) to write system properties. Change-Id: Ie6ad4d17247165564456e5b0d78f705a82cdcde7
/system/sepolicy/untrusted_app.te
|
ef0b7b1ae541275f80a188fb91af196261a62051 |
|
06-Jan-2016 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "app: expand socket ioctl restrictions to all apps"
|
bb1ece494ffb160690e045fb383c93140f471a77 |
|
06-Jan-2016 |
Jeff Vander Stoep <jeffv@google.com> |
app: expand socket ioctl restrictions to all apps Exempt bluetooth which has net_admin capability. Allow Droidguard to access the MAC address - droidguard runs in priv_app domain. Change-Id: Ia3cf07f4a96353783b2cfd7fc4506b7034daa2f1
/system/sepolicy/untrusted_app.te
|
4eb8d39db66973c447fd689f688629026530922f |
|
06-Jan-2016 |
Jeff Vander Stoep <jeffv@google.com> |
untrusted_app: remove mtp_device perms am: 956ca4c504 am: e139b40f0c * commit 'e139b40f0c339654bdfa92f04f11fc6ed326b2fa': untrusted_app: remove mtp_device perms
|
956ca4c504889bcb06e8c07ce7580449dc014ef3 |
|
06-Jan-2016 |
Jeff Vander Stoep <jeffv@google.com> |
untrusted_app: remove mtp_device perms No longer necessary after android.process.media moved to the priv_app domain. Verified no new denials via audit2allow rule. Bug: 25085347 Change-Id: I2d9498d5d92e79ddabd002b4a5c6f918e1eb9bcc
/system/sepolicy/untrusted_app.te
|
a8d89c31025caa594dae28d528f8a97cfbc3cc79 |
|
05-Jan-2016 |
Jeff Vander Stoep <jeffv@google.com> |
expand scope of priv_sock_ioctls neverallows From self to domain Change-Id: I97aeea67a6b66bc307715a050cf7699e5be9715e
/system/sepolicy/untrusted_app.te
|
e97bd887ca353ae02dd1641687431786d7d60cd6 |
|
05-Jan-2016 |
Felipe Leme <felipeal@google.com> |
Creates a new permission for /cache/recovery am: 549ccf77e3 am: b16fc899d7 * commit 'b16fc899d718f91935932fb9b15de0a0b82835c8': Creates a new permission for /cache/recovery
|
549ccf77e3fd23bb6c690da7023441c1007c4fd8 |
|
22-Dec-2015 |
Felipe Leme <felipeal@google.com> |
Creates a new permission for /cache/recovery This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
/system/sepolicy/untrusted_app.te
|
06d10f6062d10ff5471676406353e6b9fe0c26e2 |
|
18-Dec-2015 |
Nick Kralevich <nnk@google.com> |
neverallow debugfs access am: 96b1c9ca6f am: 0abe8cdbe0 * commit '0abe8cdbe0343edf547dfa4e71b6f09b4afa6f2a': neverallow debugfs access
|
96b1c9ca6f72f3adfa7f6051568efeb450c3756c |
|
18-Dec-2015 |
Nick Kralevich <nnk@google.com> |
neverallow debugfs access Don't allow access to the generic debugfs label. Instead, force relabeling to a more specific type. system_server and dumpstate are excluded from this until I have time to fix them. Tighten up the neverallow rules for untrusted_app. It should never be reading any file on /sys/kernel/debug, regardless of the label. Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
/system/sepolicy/untrusted_app.te
|
e02e6c03a59d1f60f07affa8540b74aca077a6c8 |
|
11-Dec-2015 |
Andy Hung <hunga@google.com> |
Merge "Add rules for running audio services in audioserver"
|
3a0ce49b8623299ac7458306b30bda6adda12383 |
|
07-Dec-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/untrusted_app.te
|
4f9107df8f691164c56f86fa1d352c63b28bd02b |
|
08-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Migrate to upstream policy version 30" This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584. Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/untrusted_app.te
|
5ca5696e8b656466a9d46b13d7ab18a13d8c1bba |
|
08-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Revert "Migrate to upstream policy version 30" This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584. Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
/system/sepolicy/untrusted_app.te
|
e0bc1627c44668c763d0562c12eceebd1aa37da9 |
|
08-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Migrate to upstream policy version 30" am: 9a3d490edd am: 862e4ab15f am: af56999ec2 * commit 'af56999ec2eef1b21b50b10c0292367b55ff15c2': Migrate to upstream policy version 30
|
862e4ab15ff6b2a47d30ad6a5782f3687035f7a6 |
|
08-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Migrate to upstream policy version 30" am: 9a3d490edd * commit '9a3d490edd843e544084c487422aa54f39080876': Migrate to upstream policy version 30
|
2ea23a6e1ade883ba81f58b364109c4da94ba584 |
|
07-Dec-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Migrate to upstream policy version 30 Grant untrusted_app and isolated_app unpriv_sock_perms, neverallow priv_sock_perms to disallow access to MAC address and ESSID. Change-Id: Idac3b657a153e7d7fdc647ff34b876a325d759b3
/system/sepolicy/untrusted_app.te
|
b03831fe58be86cfd94c31b91def6ae53ebd614f |
|
09-Sep-2015 |
Marco Nelissen <marcone@google.com> |
Add rules for running audio services in audioserver audioserver has the same rules as mediaserver so there is no loss of rights or permissions. media.log moves to audioserver. TBD: Pare down permissions. Bug: 24511453 Change-Id: I0fff24c14b712bb3d498f75e8fd66c2eb795171d
/system/sepolicy/untrusted_app.te
|
e759543568599e5419767cdeff5278454079c002 |
|
04-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Further restrict access to tun_device" am: 98c3f9971f am: cd47828c12 am: 1484b0c369 * commit '1484b0c3690ec23729a160e5f3a1468a4816ab4d': Further restrict access to tun_device
|
cd47828c128230c589327570fb15a617f14eb943 |
|
04-Dec-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
Merge "Further restrict access to tun_device" am: 98c3f9971f * commit '98c3f9971f4b551fd5578c63f77fa9111bed94ad': Further restrict access to tun_device
|
e555f4b971c6bb34633dd2edbe3dd950a052ec41 |
|
04-Dec-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Further restrict access to tun_device Remove bluetooth's access to tun_device. Auditallow rule demonstrates that it's not used. Strengthen the neverallow on opening tun_device to include all Apps. Bug: 24744295 Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
/system/sepolicy/untrusted_app.te
|
d20a46ef175079d210da8320d8c8ce32cbe8207f |
|
04-Nov-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Create attribute for moving perms out of domain am: d22987b4da am: e2280fbcdd am: b476b95488 * commit 'b476b954882a48bf2c27da0227209c197dcfb666': Create attribute for moving perms out of domain
|
e2280fbcdd5553c61870420d1ffd46b72e6412d0 |
|
04-Nov-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Create attribute for moving perms out of domain am: d22987b4da * commit 'd22987b4daf02a8dae5bb10119d9ec5ec9f637cf': Create attribute for moving perms out of domain
|
d22987b4daf02a8dae5bb10119d9ec5ec9f637cf |
|
03-Nov-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
/system/sepolicy/untrusted_app.te
|
0f754edf7b72582ed28d062a9c8f1b911d57a6f3 |
|
22-Sep-2015 |
Marco Nelissen <marcone@google.com> |
Update selinux policies for mediaextractor process Change-Id: If761e0370bf9731a2856d0de2c6a6af1671143bd
/system/sepolicy/untrusted_app.te
|
ad32785689beec1939f215e1947bac0ee12b099d |
|
23-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
audit untrusted_app access to mtp_device am: 7b8f9f153e am: 775dda1fb3 * commit '775dda1fb3641e3ea2be4124a9a77cb236648d6f': audit untrusted_app access to mtp_device
|
4b1c3de99ae22ce98da97266bc1903f71e285571 |
|
23-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Temporarily downgrade to policy version number am: 0fc831c3b0 am: 312c2511f7 * commit '312c2511f7dfbebf110f1372db55d811bc1ad29f': Temporarily downgrade to policy version number
|
775dda1fb3641e3ea2be4124a9a77cb236648d6f |
|
23-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
audit untrusted_app access to mtp_device am: 7b8f9f153e * commit '7b8f9f153edf7c8bbefe3d472c86419d8048e5dd': audit untrusted_app access to mtp_device
|
312c2511f7dfbebf110f1372db55d811bc1ad29f |
|
23-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Temporarily downgrade to policy version number am: 0fc831c3b0 * commit '0fc831c3b0b8d9a4e10d0931131a0eed06cd4275': Temporarily downgrade to policy version number
|
7b8f9f153edf7c8bbefe3d472c86419d8048e5dd |
|
20-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
audit untrusted_app access to mtp_device android.process.media moved to priv_app. Add audit rule to test if untrusted_app still requires access or if some/all permissions may be removed. Bug: 25085347 Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d
/system/sepolicy/untrusted_app.te
|
0fc831c3b0b8d9a4e10d0931131a0eed06cd4275 |
|
29-Jul-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Temporarily downgrade to policy version number Temporarily move from policy version 30 to 29 until device kernels and prebuilts are all upgraded to the accepted upstream version of the selinux ioctl command whitelisting code. (cherry picked from commit 89765083f7da758ff5a5910027ea48ce065fe2fd) Bug: 22846070 Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
/system/sepolicy/untrusted_app.te
|
2736e7d6f97fb39ac33a4ef620ab4fdadcec17ed |
|
19-Oct-2015 |
Nick Kralevich <nnk@google.com> |
am 40367ad8: Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev am: 6ab438dc8b * commit '40367ad87e084f78e310b33963aa3da4309442e8': untrusted_apps: Allow untrusted apps to find healthd_service.
|
6ab438dc8b4c8b661c8209ecfb66b626b8bdc532 |
|
19-Oct-2015 |
Nick Kralevich <nnk@google.com> |
Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev
|
ac8b5750b08edf4d476b490dcbeef3159b7b7ea1 |
|
19-Oct-2015 |
Ruchi Kandoi <kandoiruchi@google.com> |
untrusted_apps: Allow untrusted apps to find healthd_service. This allows apps to find the healthd service which is used to query battery properties. Bug: 24759218 Change-Id: I72ce5a28b2ffd57aa424faeb2d039b6c92f9597d Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
/system/sepolicy/untrusted_app.te
|
5f34265c5af472042c338780a39145661cca0e09 |
|
19-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
am a910a287: Remove untrusted_app access to tmp apk files * commit 'a910a287d81bf5e9885af9e5be60ed444964a86a': Remove untrusted_app access to tmp apk files
|
e9aaae4ffbe6f549aa724891affb176b2f7b465e |
|
19-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
resolved conflicts for f1203bf0 to stage-aosp-master Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251
|
a910a287d81bf5e9885af9e5be60ed444964a86a |
|
19-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Remove untrusted_app access to tmp apk files Verifier has moved to the priv_app domain. Neverallow app domain access to tmp apk files with exceptions for platform and priv app domains. Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
/system/sepolicy/untrusted_app.te
|
68748c2166847469a06347e6d22e20d8e35107d8 |
|
16-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Remove untrusted_app access to cache neverallow access to untrusted_app and isolated app Access to cache is a system|signature permission. Only priv/system/platform apps should be allowed access. Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
/system/sepolicy/untrusted_app.te
|
b3af06305c84790c729eac1415f62e7a0d14cbc8 |
|
14-Oct-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am d62fac7d: Merge "Remove permissions for untrusted_app" * commit 'd62fac7d0989f242204bc24622f392dbe110fd7e': Remove permissions for untrusted_app
|
0d186fcf89729015d8015c54f20b36b85e353ff8 |
|
05-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Remove permissions for untrusted_app Privileged apps now run in the priv_app domain. Remove permissions from untrusted_app that were originally added for GMS core, Finsky, and Play store. Bug: 22033466 Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be
/system/sepolicy/untrusted_app.te
|
f57e2fd77c49594286dd2ba04f477b18cf504e14 |
|
14-Oct-2015 |
Nick Kralevich <nnk@google.com> |
am de11f501: Remove ptrace from app.te * commit 'de11f5017c53aabba212425406962d21148fd2f6': Remove ptrace from app.te
|
de11f5017c53aabba212425406962d21148fd2f6 |
|
14-Oct-2015 |
Nick Kralevich <nnk@google.com> |
Remove ptrace from app.te Remove ptrace from app.te, and only add it to the app domains which explicitly require it. Change-Id: I327aabd154ae07ce90e3529dee2b324ca125dd16
/system/sepolicy/untrusted_app.te
|
694e2bfbafdd5ef40db0dedfb573f117a402e3a2 |
|
07-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
am de53051a: Do not allow untrusted_app to open tun_device * commit 'de53051a8282ec59fdd21667850997bc4096f8d2': Do not allow untrusted_app to open tun_device
|
de53051a8282ec59fdd21667850997bc4096f8d2 |
|
06-Oct-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Do not allow untrusted_app to open tun_device Third party vpn apps must receive open tun fd from the framework for device traffic. neverallow untrusted_app open perm and auditallow bluetooth access to see if the neverallow rule can be expanded to include all of appdomain. Bug: 24677682 Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
/system/sepolicy/untrusted_app.te
|
cdce1f04b60c8a8e26c87b75981784e6d8b8b507 |
|
12-Sep-2015 |
dcashman <dcashman@google.com> |
am 887fd5d1: am 0b764ae9: Allow untrusted_app to list services. * commit '887fd5d1d148a84991998c0f7654d108072d6084': Allow untrusted_app to list services.
|
0b764ae98a7fe452690616b7d722a63bb7cd5fa8 |
|
09-Sep-2015 |
dcashman <dcashman@google.com> |
Allow untrusted_app to list services. CTS relies on the ability to see all services on the system to make sure the dump permission is properly enforced on all services. Allow this. Bug: 23476772 Change-Id: I144b825c3a637962aaca59565c9f567953a866e8
/system/sepolicy/untrusted_app.te
|
cd68c3a84eaa019434d0adebef0bc46b585e9d02 |
|
29-Jul-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am 6f7de297: Merge "Do not allow apps to access network address file" * commit '6f7de297b3e67942cdc525b6f626a811ddf5132e': Do not allow apps to access network address file
|
278658c2d8a80cf15ca016affbecf17297a234d6 |
|
29-Jul-2015 |
Jeffrey Vander Stoep <jeffv@google.com> |
am 6f7de297: Merge "Do not allow apps to access network address file" * commit '6f7de297b3e67942cdc525b6f626a811ddf5132e': Do not allow apps to access network address file
|
e45cad770c6ffcc46ca834320d7892d744d0693b |
|
24-Jul-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Do not allow apps to access network address file Bug: 18068520 Bug: 21852542 Change-Id: I876b37ac31dd44201ea1c1400a7c2c16c6a10049
/system/sepolicy/untrusted_app.te
|
de9b5301a14abf388589b06e819bb001d69e0cf1 |
|
06-Jun-2015 |
Jeff Vander Stoep <jeffv@google.com> |
restrict app access to socket ioctls Create a macro of unprivileged ioctls including - All common socket ioctls except MAC address - All wireless extensions ioctls except get/set ESSID - Some commonly used tty ioctls Bug: 21657002 Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
/system/sepolicy/untrusted_app.te
|
6e1f405c8b8b5d91a350ff14d1100930d7bff844 |
|
19-May-2015 |
Jeff Sharkey <jsharkey@android.com> |
Allow MediaProvider to traverse /mnt/media_rw. As an optimization, platform components like MediaProvider may choose to shortcut past the FUSE daemon and return open file descriptors directly pointing at the underlying storage device. Now that we have a specific label for /mnt/media_rw, we need to grant search access to untrusted apps like MediaProvider. The actual access control is still managed by POSIX permissions on that directory. avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0 Bug: 21017105 Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
/system/sepolicy/untrusted_app.te
|
929c85870a7aba08963ad0c592bd66f4aea9bedc |
|
16-May-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Merge "Allow tty and wireless extensions ioctls" into mnc-dev
|
a0fbeb97c0476891e177fb04953367aae90fc8a9 |
|
16-May-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Allow tty and wireless extensions ioctls Allow tty ioctls TIOCOUTQ 0x5411 and FIOCLEX 0x5451. Allow/audit all wireless extension ioctls. Bug: 21120188 Change-Id: Icd447ee40351c615c236f041931d210751e0f0c3
/system/sepolicy/untrusted_app.te
|
f6d12c6979128843a0bddee8de8f61f8ed1b646f |
|
14-May-2015 |
Nick Kralevich <nnk@google.com> |
dontaudit untrusted_app exec_type:file getattr Programs routinely scan through /system, looking at the files there. Don't generate an SELinux denial when it happens. Bug: 21120228 Change-Id: I85367406e7ffbb3e24ddab6f97448704df990603
/system/sepolicy/untrusted_app.te
|
34a468fad2c0b624b0cf383671384d0452dd83e6 |
|
06-May-2015 |
Dehao Chen <dehao@google.com> |
Update sepolicy to add label for /data/misc/perfprofd. Bug: 19483574 (cherry picked from commit 7d66f783c2ddea4dd5f9fcd91b2589ab74e30f8a) Change-Id: If617e29b6fd36c88c157941bc9e11cf41329da48
/system/sepolicy/untrusted_app.te
|
7d66f783c2ddea4dd5f9fcd91b2589ab74e30f8a |
|
06-May-2015 |
Dehao Chen <dehao@google.com> |
Update sepolicy to add label for /data/misc/perfprofd. Bug: 19483574 Change-Id: I7e4c0cf748d2b216dcb3aede3803883552b58b64
/system/sepolicy/untrusted_app.te
|
86f30cb16a8aa2ea337b1c36071bfa833f798c96 |
|
06-May-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Deny untrusted app ioctl access to MAC addr. MAC address access is no longer allowed via the java API. Deny access from native code. Bug: 17787238 Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
/system/sepolicy/untrusted_app.te
|
ab5cf6687397bf2b80ecc11cba92876cef7417c9 |
|
29-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Expand access to gatekeeperd. This enables access to gatekeeperd for anybody who invokes Android framework APIs. This is necessary because the AndroidKeyStore abstraction offered by the framework API occasionally communicates with gatekeeperd from the calling process. (cherry picked from commit effcac7d7eddded5fa31d294dfe3fd1757de51c7) Bug: 20526234 Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
/system/sepolicy/untrusted_app.te
|
effcac7d7eddded5fa31d294dfe3fd1757de51c7 |
|
29-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Expand access to gatekeeperd. This enables access to gatekeeperd for anybody who invokes Android framework APIs. This is necessary because the AndroidKeyStore abstraction offered by the framework API occasionally communicates with gatekeeperd from the calling process. Bug: 20526234 Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
/system/sepolicy/untrusted_app.te
|
367757d2ef0ee5c8edc47ce8203a0d3369774e9c |
|
18-Apr-2015 |
Nick Kralevich <nnk@google.com> |
gatekeeperd: use more specific label for /data file. Use a more specific label for /data/misc/gatekeeper. Rearrange some other rules. Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
/system/sepolicy/untrusted_app.te
|
bd7f5803f924b0ca318c1d426b683c3f658754f9 |
|
09-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window Bug: 18106000 Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
/system/sepolicy/untrusted_app.te
|
03a6f64f9568e2c58eb043463a5b4ff1cf10bef6 |
|
08-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: network_management network_score notification package permission persistent power print processinfo procstats Bug: 18106000 Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
/system/sepolicy/untrusted_app.te
|
91b7c67d1647b2a88b1547cc57b69fc685bbac18 |
|
08-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: jobscheduler launcherapps location lock_settings media_projection media_router media_session mount netpolicy netstats Bug: 18106000 Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
/system/sepolicy/untrusted_app.te
|
3cc6fc5ffbd6e3d647f8c425e5298912d3733e45 |
|
07-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: diskstats display dreams dropbox ethernet fingerprint graphicstats hardware hdmi_control input_method input_service Bug: 18106000 Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
/system/sepolicy/untrusted_app.te
|
d4c78f4b3fed1ca77aa9f13e757644aca3ed2b21 |
|
07-Apr-2015 |
dcashman <dcashman@google.com> |
Enforce more specific service access. Move the following services from tmp_system_server_service to appropriate attributes: battery bluetooth_manager clipboard commontime_management connectivity content country_detector device_policy deviceidle Bug: 18106000 Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
/system/sepolicy/untrusted_app.te
|
4cdea7fc40ea29c8cf4134a71b67808d143ec9dc |
|
04-Apr-2015 |
dcashman <dcashman@google.com> |
Assign app_api_service attribute to services. Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services the appropriate service access levels and move into enforcing. Bug: 18106000 Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
/system/sepolicy/untrusted_app.te
|
b075338d0e335eb2dbd786ae4f8e033e78eeca37 |
|
03-Apr-2015 |
dcashman <dcashman@google.com> |
Assign app_api_service attribute to services. Move accessibility, account, appops and activity services into enforcing with app_api_service level of access, with additional grants to mediaserver and isolated app. Bug: 18106000 Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
/system/sepolicy/untrusted_app.te
|
d12993f0846744ae8188a299cb1bb135014f626a |
|
03-Apr-2015 |
dcashman <dcashman@google.com> |
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
/system/sepolicy/untrusted_app.te
|
8af4e9cb0032244b0a356eb236ea97379956fa52 |
|
01-Apr-2015 |
dcashman <dcashman@google.com> |
Record observed service accesses. Get ready to switch system_server service lookups into enforcing. Bug: 18106000 Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
/system/sepolicy/untrusted_app.te
|
e8064afb5e8adc96d1becc7b31a8a92f77e284d9 |
|
23-Mar-2015 |
John Reck <jreck@google.com> |
Add graphicsstats service Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
/system/sepolicy/untrusted_app.te
|
85ce2c706e95f96c95b3af418b7bda0bfe9918f4 |
|
27-Mar-2015 |
Nick Kralevich <nnk@google.com> |
Don't grant hard link capabilities by default. Modify create_file_perms and create_dir_perms so they don't have the "link" permission. This permission controls whether hard links are allowed or not on the given file label. Hard links are a common source of security bugs, and aren't something we want to support by default. Get rid of link_file_perms and move the necessary permissions into create_file_perms and create_dir_perms. Nobody is using this macro, so it's pointless to keep it around. Get rid of unlink on directories. It returns EISDIR if you attempt to do it, independent of SELinux permissions. SELinux domains which have a need for hard linking for a particular file type can add it back to their permission set on an as-needed basis. Add a compile time assertion (neverallow rule) for untrusted_app. It's particularly dangerous for untrusted_app to ever have hard link capabilities, and the neverallow rule will prevent regressions. Bug: 19953790 Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0
/system/sepolicy/untrusted_app.te
|
eaece936f297e1c77939c0ff0ad4d741de6990b4 |
|
13-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
neverallow untrusted_app as a mlstrustedsubject. Assigning mlstrustedsubject to untrusted_app would undermine the per-user isolation model being enforced via levelFrom=user in seapp_contexts and the mls constraints. There is no direct way to specify a neverallow on attribute assignment, but this makes use of a particular property of the fork permission to prevent ever adding mlstrustedsubject to untrusted_app. A similar restriction for app_data_file and mlstrustedobject is also important for the same reason, but cannot be expressed as a neverallow. Change-Id: I5170cadc55cc614aef0cd5f6491de8f69a4fa2a0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
b8caf7fdd4dcf531900a2f8ab4e762e58eb0e0f9 |
|
13-Mar-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
Move allow rules before neverallow rules. There were a few instances where allow rules were appended after the neverallow rules stanza in the .te file. Also there were some regular allow rules inserted into the CTS-specific rules section of app.te. Just move the rules as appropriate. Should be no change in policy. Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
bb3cef4488b86ea815bc9b35c528f62e47377f5d |
|
06-Mar-2015 |
dcashman <dcashman@google.com> |
Record observed bluetooth service access. Bug: 18106000 Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
/system/sepolicy/untrusted_app.te
|
1aafc4c7d34b30870ab985a8c33f9c87e16fd73c |
|
04-Dec-2014 |
Nick Kralevich <nnk@google.com> |
allow untrusted_app read /data/anr/traces.txt. The GMS core feedback agent runs as untrusted_app, and needs the ability to read /data/anr/traces.txt to report ANR information. Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core can access it. Longer term, we need to move GMS core into its own domain, but that's a longer term change. Addresses the following denial: W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file (cherry-pick from commit e2547c3bffbbd03d6512de145a7f563d83d6fb9e) Bug: 18504118 Bug: 18340553 Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
/system/sepolicy/untrusted_app.te
|
8be3e77986e573751cb74634f58c4fbacb0bcd11 |
|
06-Mar-2015 |
Nick Kralevich <nnk@google.com> |
move untrusted_app statement to the correct file. Change-Id: I5ae9606023ef7f3489f44e6657766e922160c470
/system/sepolicy/untrusted_app.te
|
23f336156daf61ba07c024af2fe96994605f46eb |
|
03-Mar-2015 |
dcashman <dcashman@google.com> |
Record observed system_server servicemanager service requests. Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries: avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager Bug: 18106000 Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
/system/sepolicy/untrusted_app.te
|
6a2451b580487a07a7e9919efa3ea5289f3ed696 |
|
02-Mar-2015 |
dcashman <dcashman@google.com> |
Allow platform_app access to keystore. Encountered when certinstaller tries to talk to keystore: ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference Address the following denial: avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager Bug: 19347232 Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
/system/sepolicy/untrusted_app.te
|
d31936f89c49bc5c54b84bd5095f3c417da14935 |
|
29-Jan-2015 |
Nick Kralevich <nnk@google.com> |
appdomain: relax netlink_socket neverallow rule. Relax the neverallow netlink restrictions for app domains. In particular, some non-AOSP app domains may use netlink sockets to communicate with a kernel driver. Continue to neverallow generic netlink sockets for untrusted_app. The intention here is that only app domains which explicitly need this functionality should be able to request it. This change does not add or remove any SELinux rules. Rather, it just changes SELinux compile time assertions, as well as allowing this behavior in CTS. Modify other neverallow rules to use "domain" instead of "self". Apps shouldn't be able to handle netlink sockets, even those created in other SELinux domains. Change-Id: I40de0ae28134ce71e808e5ef4a39779b71897571
/system/sepolicy/untrusted_app.te
|
566e8fe2580ce7d6a8ef76ffce6b457b4e71dd63 |
|
17-Jan-2015 |
dcashman <dcashman@google.com> |
Record service accesses. Reduce logspam and record further observed service connections. Bug: 18106000 Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
/system/sepolicy/untrusted_app.te
|
c631ede7dc7cb131b1bdd03ce296eeac53dc9add |
|
16-Jan-2015 |
dcashman <dcashman@google.com> |
Remove known system_server service accesses from auditing. Address observed audit logs of the form: granted { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager in order to record existing relationships with services. Bug: 18106000 Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
/system/sepolicy/untrusted_app.te
|
4a89cdfa89448c8660308a31bfcb517fffaa239e |
|
17-Dec-2014 |
dcashman <dcashman@google.com> |
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
/system/sepolicy/untrusted_app.te
|
cd82557d4069c20bda8e18aa7f72fc0521a3ae32 |
|
12-Dec-2014 |
dcashman <dcashman@google.com> |
Restrict service_manager find and list access. All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
/system/sepolicy/untrusted_app.te
|
c06ed8f7b26af01132db6d09ebf69807d09aa8bf |
|
11-Dec-2014 |
Pawit Pornkitprasan <p.pawit@gmail.com> |
sepolicy: allow system apps to access ASEC. Required for Settings to show name/icon of apps on SD card (permission copied from untrusted_app). Also removed duplicate permission (from domain) in untrusted_app. Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
/system/sepolicy/untrusted_app.te
|
8c6dba90a570608a600184741a4a59bf4db1230d |
|
15-Oct-2014 |
Nick Kralevich <nnk@google.com> |
fix whitespace Change-Id: I2911d2b5d1931c6f6245cc54465458a8a3c2b2bb
/system/sepolicy/untrusted_app.te
|
642b80427ec2e95eb13cf03a74d814f240813e71 |
|
22-Sep-2014 |
Nick Kralevich <nnk@google.com> |
relax neverallow rules on NETLINK_KOBJECT_UEVENT sockets. Netlink uevent sockets are used by the kernel to inform userspace when certain events occur, for example, when new hardware is added or removed. This allows userspace to take some action based on those messages. Relax the neverallow rule for NETLINK_KOBJECT_UEVENT sockets. Certain device specific app domains, such as system_app, may have a need to receive messages from this socket type. Continue to neverallow NETLINK_KOBJECT_UEVENT sockets for untrusted_app. These sockets have been the source of rooting attacks in Android in the past, and it doesn't make sense to expose this to untrusted_apps. No new SELinux rules are introduced by this change. This is an adjustment of compile time assertions only. Bug: 17525863 Change-Id: I3e538dc8096dc23b9678bcd20e3c1e742c21c967
/system/sepolicy/untrusted_app.te
|
fbbe9e9117bd55c46ee971577f2fdd64993eb64a |
|
07-Aug-2014 |
dcashman <dcashman@google.com> |
Allow untrusted_app access to temporary apk files. Before actual installation, apks are put in a staging area where they are scanned by a verifier before completing the install flow. This verifier runs as a priv-app, which is in the untrusted_app domain. Allow untrusted_app read-access to these files. Bug: 16515815 Change-Id: Ifedc12a33b1f53b62f45013e7b253dbc79b02a4e
/system/sepolicy/untrusted_app.te
|
603bc2050959dd353154bf33fa0c2b0612da9c6e |
|
18-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Further refined service_manager auditallow statements. Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain. Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
/system/sepolicy/untrusted_app.te
|
af8d7ca9e9ddf2601f0d8c0399dcf343db11657d |
|
16-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Remove radio_service from untrusted_app auditallow. Change untrusted_app to not auditallow radio_service find requests to cut down on log spam. Change-Id: I65d4a60ea1c7e81425937d5f1908e764fdec417f
/system/sepolicy/untrusted_app.te
|
b8511e0d98880a683c276589ab7d8d7666b7f8c1 |
|
07-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Add access control for each service_manager action. Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
/system/sepolicy/untrusted_app.te
|
f58356661632d4c08870122f2cf944ea4edfe810 |
|
10-Jul-2014 |
Nick Kralevich <nnk@google.com> |
Don't use don't. Single quotes sometimes mess up m4 parsing. Change-Id: Ic53cf0f9b45b2173cbea5c96048750f6a582a535
/system/sepolicy/untrusted_app.te
|
99d86c7a77d402a106a1b3fe57af06dbb231c750 |
|
10-Jul-2014 |
Nick Kralevich <nnk@google.com> |
ensure that untrusted_app can't set properties Bug: 10243159 Change-Id: I9409fe8898c446a33515f1bee2990f36a2e11535
/system/sepolicy/untrusted_app.te
|
76206abc9f5140e85da2d4e4845eca2c4f3a6ad5 |
|
07-Jul-2014 |
Riley Spahn <rileyspahn@google.com> |
Add neverallow rules further restricting service_manager. Add a neverallow rule that prevents domain from adding a default_android_service. Add a neverallow rule that prevents untrusted_app from ever adding a service through servicemanager. Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156
/system/sepolicy/untrusted_app.te
|
78706f9ef6d917fe2ec85ecb6b0f47fbc5efde57 |
|
02-Jun-2014 |
Nick Kralevich <nnk@google.com> |
add execmod to various app domains. NDK r8c and below induced text relocations into every NDK compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203). For compatibility, we need to support shared libraries with text relocations in them. Addresses the following error / denial: 06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix. <4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Steps to reproduce: 1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air) 2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd) 3) Attempt to run Play & Learn app Expected: App runs Actual: App crashes with error above. Bug: 15388851 Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
/system/sepolicy/untrusted_app.te
|
4bdd13e4c3632587c72b487a16d6c71a7a30714f |
|
13-May-2014 |
Nick Kralevich <nnk@google.com> |
untrusted_app: neverallow debugfs. Too many leaky files in that directory. It's a security best practice to not mount this filesystem, however, we need it mounted for tracing support. Even though it's mounted, make sure the files aren't readable. Bug: 11635985 Change-Id: I6f116c0a03a567a8107a8e07135ce025e51458dd
/system/sepolicy/untrusted_app.te
|
3a4eb96b2a462dd68636c749cec47723fd8dc51f |
|
01-May-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Make the untrusted_app domain enforcing. Change-Id: I4811da972f7e23ef86e04d05400169422fbaca35 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
9ba844fea12a0b08770e870d63f3d3c375c7c9b5 |
|
04-Apr-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Coalesce shared_app, media_app, release_app into untrusted_app. This change folds the shared_app, media_app, and release_app domains into untrusted_app, reducing the set of app domains down to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth, nfc, radio), a single domain for apps signed by the platform key (platform_app), and a single domain for all other apps (untrusted_app). Thus, SELinux only distinguishes when already distinguished by a predefined Android ID (AID) or by the platform certificate (which get the signature-only Android permissions and thus may require special OS-level accesses). It is still possible to introduce specific app domains for specific apps by adding signer and package stanzas to mac_permissions.xml, but this can be done on an as-needed basis for specialized apps that require particular OS-level permissions outside the usual set. As there is now only a single platform app domain, get rid of the platformappdomain attribute and platform_app_domain() macro. We used to add mlstrustedsubject to those domains but drop this since we are not using MLS in AOSP presently; we can revisit which domains need it if/when we use MLS. Since we are dropping the shared, media, and release seinfo entries from seapp_contexts, drop them from mac_permissions.xml as well. However, we leave the keys.conf entries in case someone wants to add a signer entry in the future for specific apps signed by those keys to mac_permissions.xml. Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
b0db712bf048dc634363b658a647b1f1897d8433 |
|
06-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Clean up, unify, and deduplicate app domain rules. Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files. Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as: avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket Change-Id: I770d7d51d498b15447219083739153265d951fe5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
1eb94035cd6f1671ea74141f57b430f64eaf42e0 |
|
24-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Remove redundant socket rules. These same permissions are already allowed via net_domain() and the rules in net.te. Change-Id: I4681fb9993258b4ad668333ad7d7102e983b5c2b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
d823f83e5466b53521b098c0865b89c7f12025fa |
|
21-Feb-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Clarify meaning of untrusted_app and app domain assignment logic. The current inline documentation is not entirely accurate and caused user confusion, e.g. see: https://groups.google.com/d/msg/android-security-discuss/javBrPT8ius/C4EVEFUu4ZoJ Try to clarify the meaning of untrusted_app, how app domains are assigned, and how to move other system apps out of untrusted_app into a different domain. Change-Id: I98d344dd078fe9e2738b68636adaabda1f4b3c3a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
48b18832c476f0bd8fcb8ee3e308258392f36aaf |
|
04-Feb-2014 |
Robert Craig <rpcraig@tycho.ncsc.mil> |
Introduce asec_public_file type. This new type will allow us to write finer-grained policy concerning asec containers. Some files of these containers need to be world readable. Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
/system/sepolicy/untrusted_app.te
|
623975fa5aece708032aaf29689d73e1f3a615e7 |
|
11-Jan-2014 |
Nick Kralevich <nnk@google.com> |
Support forcing permissive domains to unconfined. Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing. Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection. Unconditionally enable this flag for all user builds. Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
/system/sepolicy/untrusted_app.te
|
65317124a0bb7db4829f78e74c7bfe18e27f1c43 |
|
11-Dec-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Allow untrusted apps to execute binaries from their sandbox directories. Various third party apps come with their own binaries that they write out to their sandbox directories and then execute, e.g.: audit(1386527439.462:190): avc: denied { execute_no_trans } for pid=1550 comm="Thread-79" path="/data/data/com.cisco.anyconnect.vpn.android.avf/app_bin/busybox" dev="mmcblk0p23" ino=602891 scontext=u:r:untrusted_app:s0:c39,c256 tcontext=u:object_r:app_data_file:s0:c39,c256 tclass=file While this is not ideal from a security POV, it seems necessary to support for compatibility with Android today. Split out the execute-related permissions to a separate allow rule as it only makes sense for regular files (class file) not other kinds of files (e.g. fifos, sockets, symlinks), and use the rx_file_perms macro. Move the rule to untrusted_app only so that we do not permit system apps to execute files written by untrusted apps. Change-Id: Ic9bfe80e9b14f2c0be14295c70f23f09691ae66c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
2dc4acf33b78284f514fe9a6c5102cc783c4309f |
|
27-Sep-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Isolate untrusted app ptys from other domains. Add a create_pty() macro that allows a domain to create and use its own ptys, isolated from the ptys of any other domain, and use that macro for untrusted_app. This permits the use of a pty by apps without opening up access to ptys created by any other domain on the system. Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/system/sepolicy/untrusted_app.te
|
2f40a17a42d19b6d92944c78c1d6a9c9517a725b |
|
05-Sep-2013 |
Nick Kralevich <nnk@google.com> |
Revert "Add the ability to write shell files to the untrusted_app domain." At this point, we still don't understand the root cause of bug 10290009, or if it's even a real bug. Rollback 29d0d40668e686adc91cdfbf0d083e71ed82bac6 so we can get a device in this state and figure out the root cause of this problem. This reverts commit 29d0d40668e686adc91cdfbf0d083e71ed82bac6. Bug: 10290009
/system/sepolicy/untrusted_app.te
|
29d0d40668e686adc91cdfbf0d083e71ed82bac6 |
|
17-Aug-2013 |
Geremy Condra <gcondra@google.com> |
Add the ability to write shell files to the untrusted_app domain. Bug: 10290009 Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b (cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)
/system/sepolicy/untrusted_app.te
|
7cda86eb46021cff20a08dcde56c1a15291fa582 |
|
16-Jul-2013 |
Alex Klyubin <klyubin@google.com> |
Permit apps to bind TCP/UDP sockets to a hostname Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e
/system/sepolicy/untrusted_app.te
|
24617fc3b8de501d3e6197e21d058496f400db07 |
|
16-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Move isolated_app.te / untrusted_app.te into permissive. OTAs aren't properly labeling /system, which is causing SELinux breakage. Temporarily put isolated_app.te and untrusted_app.te into permissive. Bug: 9878561 Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c
/system/sepolicy/untrusted_app.te
|
59faed058de762f3920cd0a6219c68e5f16844bd |
|
16-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Allow apps to create listening ports Bug: 9872463 Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5
/system/sepolicy/untrusted_app.te
|
8a2ebe3477837b21b728135cd8780ffd528696af |
|
16-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Temporarily allow untrusted apps to read shell data files. This is needed to support "Verify App" functionality. During side loading, the Verify App functionality reads the APK to determine if it's safe to install. Bug: 9863154 Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222
/system/sepolicy/untrusted_app.te
|
6634a1080e6617854d0b29bc65bb1c852ad3d5b6 |
|
13-Jul-2013 |
Nick Kralevich <nnk@google.com> |
untrusted_app.te / isolated_app.te / app.te first pass. This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Many of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
/system/sepolicy/untrusted_app.te
|
748fdef626d1dda2a0a727ea35d85d04363f5307 |
|
13-Jul-2013 |
Nick Kralevich <nnk@google.com> |
Move *_app into their own file. app.te covers a lot of different app types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te. Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes. No functional change. Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
/system/sepolicy/untrusted_app.te
|