- Nov 26, 2016
-
-
Nick Kralevich authored
No denials showing up in collected audit logs. Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508
-
Treehugger Robot authored
-
- Nov 23, 2016
-
-
Nick Kralevich authored
In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf
-
Treehugger Robot authored
-
- Nov 22, 2016
-
-
Treehugger Robot authored
-
Tao Bao authored
recovery (update_binary) may need to set up cpufreq during an update. avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 Bug: 32463933 Test: Build a recovery image and apply an OTA package that writes to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq. Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5
-
Nick Kralevich authored
Lock in the gains we've made so far in restricting access to generically labeled /proc files. There's more we can do here, but let's avoid inadvertent regressions. Test: policy compiles. Only compile time assertions added. Bug: 26813932 Change-Id: If354c2ddc1c59beed7f0eb4bcbd3f0d9971c3b8a
-
Nick Kralevich authored
/data/bugreports is moving to /bugreports Bug: 27262109 Bug: 27204904 Bug: 32799236 Test: new symlink is in /bugreports and is labeled correctly Change-Id: Ib6a492fba8388bf43debad28cfc851679f8c6151
-
- Nov 21, 2016
-
-
Nick Kralevich authored
Description stolen from https://github.com/torvalds/linux/commit/42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Test: policy compiles and no boot errors (marlin) Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
-
Treehugger Robot authored
-
Jorge Lucangeli Obes authored
|WITH_DEXPREOPT_PIC = false| will still cause code to be loaded from /data. Bug: 32970029 Test: On HiKey and Marlin: Test: Add |WITH_DEXPREOPT_PIC = false|, see SELinux denial. Test: Apply this CL, no SELinux denials. Change-Id: I0a1d39eeb4d7f75d84c1908b879d9ea1ccffba74
-
Nick Kralevich authored
urandom_device and random_device have the exact same security properties. Collapse them into one type. Test: device boots and /dev/urandom is labeled correctly. Change-Id: I12da30749291bc5e37d99bc9422bb86cb58cec41
-
- Nov 20, 2016
-
-
Nick Kralevich authored
auditallows have been in place for quite a while now, and nothing has triggered. Let's do some cleanup! Bug: 28760354 Test: device boots and no new denials Test: SELinux denials collection has seen no instances of these permissions Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f
-
Daniel Micay authored
The other domains either don't have the same backwards compatibility issues (isolated_app) or are privileged components that are pretty much part of the platform and can be expected to meet a higher standard. It would be possible to expose a build option for disabling the ART JIT, allowing conditional removal of execmem from some of these domains too (ones not ever using the WebView, until that's always in isolated_app). Bug: 20013628 Change-Id: Ic22513157fc8b958b2a3d60381be0c07b5252fa5
-
- Nov 18, 2016
-
-
Jorge Lucangeli Obes authored
-
Jorge Lucangeli Obes authored
When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
-
dcashman authored
HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
-
Treehugger Robot authored
-
Connor O'Brien authored
This reverts commit 1f329465. Bug: 32973182 Change-Id: Ic0277b38b0249710a4f1fc362e777f3880ff096b
-
- Nov 17, 2016
-
-
Max Bires authored
-
Max authored
Test: Device boots Change-Id: I151c5fb6f56850eaa215e1a917ac9ad609dbdd4a
-
Connor O'Brien authored
-
- Nov 16, 2016
-
-
Nick Kralevich authored
external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started having dmesg use /dev/kmsg, which is unreadable to the unprivileged shell user. Revoke syslog(2) to the shell user for consistency. The kernel dmesg log is a source of kernel pointers, which can leak kASLR information from the kernel. Restricting access to kernel information will make attacks against Android more difficult. Having said that, dmesg information is still available from "adb bugreport", so this change doesn't completely shutdown kernel info leaks. This change essentially reverts us to the state we were in between Nov 8 2011 and May 27 2014. During that almost 3 year period, the unprivileged shell user was unable to access dmesg, and there was only one complaint during that time. References: * https://android.googlesource.com/platform/system/core/+/f9557fb * https://android.googlesource.com/platform/system/sepolicy/+/f821b5a TODO: Further unify /dev/kmsg permissions with syslog_read permissions. Test: policy compiles, no dmesg output Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
-
- Nov 15, 2016
-
-
Alex Deymo authored
Grant boot_control_hal permissions to the hal_boot service; update_engine and update_verifier can call that service rather than using those permissions themselves. Bug: 31864052 Test: `bootctl set-active-boot-slot 1` Change-Id: I5188bc32e7933d4a0f5135b3246df119d3523d69
-
Treehugger Robot authored
-
Nick Kralevich authored
su is an appdomain, and as such, any auditallow statements applicable to appdomain also apply to su. However, su is never enforced, so generating SELinux denials for such domains is pointless. Exclude su from ion_device auditallow rules. Addresses the following auditallow spam: avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=10230 ioctlcmd=4906 scontext=u:r:su:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file Test: policy compiles Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
-
Nick Kralevich authored
Allow isolated apps to read/write/append/lock already open sdcard file descriptors passed to it by normal app processes. isolated_apps are used by processes like Google drive when handling untrusted content. Addresses the following denial: audit(0.0:1508): avc: denied { read } for path="/storage/emulated/0/Download/02-corejava.pdf" dev="fuse" ino=310 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:fuse:s0 tclass=file permissive=0 This partially reverts the tightening added in ce4b5eea. Add a TODO to consider removing isolated_apps ability to write or append to files on the sdcard. This limits the damage that can occur should the isolated_app process be compromised. Bug: 32896414 Test: Policy compiles. Rule add only, so no possibility of breakage. Change-Id: Ia128569608fc9c872c90e6c380106b7c81eb7b6f
-
Daichi Hirono authored
Bug: 29970149 Test: None Change-Id: I59f49f3bf20d93effde5e1a9a3c1ed64fbecb7a8
-
- Nov 14, 2016
-
-
Treehugger Robot authored
-
Connor O'Brien authored
-
Chad Brubaker authored
Test: Verify that HTTP and HTTPS connections from ephemeral apps do not cause denials. Change-Id: I0ce25602906e63ec55d5b5869445f2aec10900cb
-
Chia-I Wu authored
Allow SurfaceFlinger to call into IComposer, and vice versa for IComposerCallback. Specifically, hwbinder_use(...) for avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 binder_call(..., surfaceflinger) for avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1 allow ... gpu_device:chr_file rw_file_perms for avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 allow ... ion_device:chr_file r_file_perms for avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 allow ... graphics_device ... for avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1 allow ... ...:fd use for avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1 binder_call(surfaceflinger, ...) for avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1 allow bootanim ...:fd use for avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1 Bug: 32021609 Test: make bootimage Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588
-
Chia-I Wu authored
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access IAllocator's fd. Specifically, hwbinder_use(...) for avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 allow ... ion_device:chr_file r_file_perms for avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 allow ... gpu_device:chr_file rw_file_perms; for avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 binder_call(surfaceflinger, ...) for avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1 allow ... ...:fd use for avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1 Bug: 32021161 Test: make bootimage Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
-
- Nov 12, 2016
-
-
Chad Brubaker authored
Fixes: 32061937 Test: install/uninstall and verified no denials Change-Id: I487727b6b32b1a0fb06ce66ed6dd69db43c8d536
-
- Nov 11, 2016
-
-
Nick Kralevich authored
This property is never used. Test: policy compiles Change-Id: I43ace92950e1221754db28548031fbbfc0437d7a
-
Treehugger Robot authored
-
Robert Sesek authored
The webview_zygote is a new unprivileged zygote and has its own sockets for listening to fork requests. However the webview_zygote does not run as root (though it does require certain capabilities) and only allows dyntransition to the isolated_app domain. Test: m Test: angler boots Bug: 21643067 Change-Id: I89a72ffe6dcb983c4a44048518efd7efb7ed8e83
-
Nick Kralevich authored
Sort the entries in property.te. This will make it slightly easier to read, and avoids merge conflicts by discouraging the common practice of adding entries to the bottom of this file. Test: policy compiles. Change-Id: I87ae96b33156dba73fb7eafc0f9a2a961b689853
-
- Nov 10, 2016
-
-
Jason Monk authored
Allow the system_server to change. Allow the zygote to read it as well. Test: Have system_server set a property Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
-
- Nov 09, 2016
-
-
Connor O'Brien authored
Test: Flashed device and verified no update_verifier permission denials Change-Id: I5de063c202aefef399645b153f68ff7909989eba Signed-off-by:
Connor O'Brien <connoro@google.com>
-