Commits · 1c983327cf7e841183da15934c7ba2e99d0979c0 · Werner Sembach / AndroidSystemSEPolicy

Mar 11, 2016

Leftovers of SELinux policy reload mechanism · 1c983327

Remove references to /data/security and the corresponding
type securitly_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6

1c983327

Mar 09, 2016
- Allow debuggerd to send SIGKILL. · 48141c36
  Josh Gao authored 9 years ago
  
  Bug: http://b/27367422 Change-Id: I936c16281e06214b35f8d245da8f619dc92ff15f
  48141c36
Jan 05, 2016
- debuggerd.te: allow debuggerd to drop root. · 2b93db77
  Josh Gao authored 9 years ago
  
  Bug: http://b/25195825 Change-Id: I70257d5e40332f315020547baaa77a92fdfc58b0
  2b93db77
Nov 03, 2015

Create attribute for moving perms out of domain · d22987b4

Jeff Vander Stoep authored 9 years ago

Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c

d22987b4

Jan 20, 2015

Allow debuggerd to redirect requests. · b51c4dd3

Christopher Ferris authored 10 years ago

On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.

Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.

Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808

b51c4dd3

Aug 19, 2014

DO NOT MERGE. Allow debuggerd read access to shared_relro files. · 85f255b8

dcashman authored 10 years ago

Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash. Full read permissions may not be necessary:

W/debuggerd( 185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir

Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164

85f255b8

Allow debuggerd read access to shared_relro files. · cd10eb95

dcashman authored 10 years ago

Addresses the following denial when debuggerd attempts to stat Webview mmap'd
shared relro files on process crash. Full read permissions may not be necessary:

W/debuggerd( 185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir

Bug: 17101854
Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164

cd10eb95

Jul 24, 2014

Define debuggerd class, permissions, and rules. · ba992496

Stephen Smalley authored 10 years ago


Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ba992496

May 20, 2014

Don't allow ptrace on keystore · 8aa754c9

Nick Kralevich authored 10 years ago

keystore may hold sensitive information in it's memory. Don't
allow anyone to ptrace keystore.

Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f

8aa754c9

May 17, 2014
- Allow readlink(2) of /proc from debuggerd. · 38138c24
  Elliott Hughes authored 10 years ago
  
  Bug: 15021938 Change-Id: Id815640302efde3ae089da33ff8e2cb7daee8bfd
  38138c24
May 09, 2014

Drop relabelto_domain() macro and its associated definitions. · 02dac03a

Stephen Smalley authored 10 years ago


This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

02dac03a

Mar 18, 2014

debuggerd: Allow "debug.db.uid" usage · 77aa370c

Nick Kralevich authored 11 years ago

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

Conflicts:
	debuggerd.te

77aa370c

Feb 18, 2014

debuggerd: Allow "debug.db.uid" usage · 116a20fd

Nick Kralevich authored 11 years ago

Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1

116a20fd

Feb 04, 2014

sepolicy: Add write_logd, read_logd & control_logd · 8ed750e9

Mark Salyzyn authored 11 years ago

- Add write_logd, read_logd and control_logd macros added along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8

8ed750e9

Dec 09, 2013

Restrict ptrace access by debuggerd and unconfineddomain. · 95e0842e

Stephen Smalley authored 11 years ago


Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

95e0842e

Dec 06, 2013

Make debuggerd enforcing. · a1618401

Stephen Smalley authored 11 years ago


Change-Id: If5b7206192cf93d9989b734304db0374429c04d5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

a1618401

Oct 29, 2013

Confine debuggerd, but leave it permissive for now. · 258cb17a

Stephen Smalley authored 11 years ago


Change-Id: I09932cdd59f9d3a38e69df9fcfc34cc9cec1d8cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

258cb17a

Oct 21, 2013

Move unconfined domains out of permissive mode. · 353c72e3

Nick Kralevich authored 11 years ago

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

353c72e3

Sep 27, 2013

Label and allow access to /data/system/ndebugsocket. · 45ba665c

Stephen Smalley authored 11 years ago


Otherwise it defaults to the label of /data/system and
cannot be distinguished from any other socket in that directory.
Also adds allow rule required for pre-existing wpa_socket transition
to function without unconfined_domain.

Change-Id: I57179aa18786bd56d247f397347e546cca978e41
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

45ba665c

Jul 12, 2013

debuggerd.te: Fix relabelto policy denial · 08f01a33

Nick Kralevich authored 11 years ago

In 0c9708b2, we removed relabelto
from unconfined.te. This broke debuggerd. Fixed.

type=1400 audit(1373668537.550:5): avc: denied { relabelto } for pid=44 comm="debuggerd" name="tombstones" dev="mtdblock1" ino=71 scontext=u:r:debuggerd:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir

Change-Id: Ic025cbc030d6e776d9d87b1df3240fdc5f0b53d5

08f01a33

May 20, 2013

Make all domains unconfined. · 77d4731e

repo sync authored 11 years ago

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

77d4731e

May 15, 2013
- Move domains into per-domain permissive mode. · 50e37b93
  repo sync authored 11 years ago
  
  Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
  50e37b93
Apr 05, 2013

Give domains read access to security_file domain. · 7bb2a55c

William Roberts authored 11 years ago

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

7bb2a55c

Allow all domains to read the log devices. · 81fe5f7c

Stephen Smalley authored 11 years ago


Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

81fe5f7c

Give domains read access to security_file domain. · 6c4c27e6

William Roberts authored 11 years ago

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

6c4c27e6

Apr 04, 2013

Allow all domains to read the log devices. · 2b732237

Stephen Smalley authored 11 years ago


Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

2b732237

Aug 10, 2012
- Additions for grouper/JB · abd977a7
  rpcraig authored 12 years ago
  
  abd977a7
Jul 31, 2012
- Allow debuggerd to restorecon the tombstone directory. · 5f9917c1
  Stephen Smalley authored 12 years ago
  
  5f9917c1
Mar 07, 2012
- Policy changes to support running the latest CTS. · c83d0087
  Stephen Smalley authored 13 years ago
  
  c83d0087
Jan 04, 2012
- SE Android policy. · 2dd4e51d
  Stephen Smalley authored 13 years ago
  
  2dd4e51d