Commits · 1cf93217fa578b3439b37b7f5a3b5045a97ec5d4 · Werner Sembach / AndroidSystemSEPolicy

Jan 27, 2016

Merge "vold: grant perms from domain_deprecated" · 1cf93217
Jeffrey Vander Stoep authored 9 years ago

1cf93217
Merge "healthd: grant perms from domain_deprecated" · f33507df
Jeffrey Vander Stoep authored 9 years ago

f33507df
Merge "remove access_kmsg macro, because it to be more explicit." · fea9ad7c
Daniel Cashman authored 9 years ago

fea9ad7c
Merge "zygote: grant perms from domain_deprecated" · eecaa0b5
Jeffrey Vander Stoep authored 9 years ago

eecaa0b5

vold: grant perms from domain_deprecated · 9306072c

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file

avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir

avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir

avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir

9306072c

healthd: grant perms from domain_deprecated · 12401b8d

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e

12401b8d

zygote: grant perms from domain_deprecated · cee6a0e7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2

cee6a0e7

Allow sdcardd tmpfs read access. · db559a34

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0

vold: EmulatedVolume calls sdcard to mount on /storage/emulated.

Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee

db559a34

Merge "Revert "zygote: grant perms from domain_deprecated"" · 98f60e5c
Jeffrey Vander Stoep authored 9 years ago

98f60e5c
Revert "zygote: grant perms from domain_deprecated" · b898360e
Jeffrey Vander Stoep authored 9 years ago
```
This reverts commit e52fff83.

Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
```
b898360e
Merge "zygote: grant perms from domain_deprecated" · 4115beae
Jeffrey Vander Stoep authored 9 years ago

4115beae

zygote: grant perms from domain_deprecated · e52fff83

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Change-Id: I5b505ad386a445113bc0a1bb35d4f88f7761c048

e52fff83

Merge "Revert "Remove domain_deprecated from sdcard domains"" · c4121add
Narayan Kamath authored 9 years ago

c4121add
Revert "Remove domain_deprecated from sdcard domains" · f4d7eef7
Narayan Kamath authored 9 years ago
```
This reverts commit 0c7bc58e.

bug: 26807309

Change-Id: I8a7b0e56a0d6f723508d0fddceffdff76eb0459a
```
f4d7eef7

domain: grant write perms to cgroups · be0616ba

Jeff Vander Stoep authored 9 years ago

Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53

be0616ba

Restore untrusted_app proc_net access. · 5833e3f5

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4

5833e3f5

Jan 26, 2016

remove access_kmsg macro, because it to be more explicit. · 001b10bd
SimHyunYong authored 9 years ago
```
This macro does not give us anything to it.

Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
```
001b10bd

Using r_dir_file macro in domain.te · 093ea6fb

SimHyunYong authored 9 years ago

r_dir_file(domain, self)

allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;

te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f

093ea6fb

Merge "Remove domain_deprecated from sdcard domains" · cdae042a
Jeffrey Vander Stoep authored 9 years ago

cdae042a
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated." · ae29dea8
James Hawkins authored 9 years ago

ae29dea8

bootstat: Fix the SELinux policy after removing domain_deprecated. · 2e8d71c3

James Hawkins authored 9 years ago

* Allow reading /proc.

type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

* Define domain for the /system/bin/bootstat file.

init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.

Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804

2e8d71c3

Delete policy it is alread included in binder_call macros. · 7171232c

SimHyunYong authored 9 years ago

define(`binder_call', `
allow $1 $2:binder { call transfer };
allow $2 $1:binder transfer;
allow $1 $2:fd use;
')

binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)

it is alread include these policy.. so I can delete these policy!
allow surfaceflinger appdomain:fd use;
allow surfaceflinger bootanim:fd use;

7171232c

Merge "Delete duplicated policy, it is already include in app.te." · 0220b345
Jeffrey Vander Stoep authored 9 years ago

0220b345
Merge "Allow update_engine to use Binder IPC." · 6899e0a3
Tao Bao authored 9 years ago

6899e0a3
Delete duplicated policy, it is already include in app.te. · 5ba9af23
SimHyunYong authored 9 years ago
```
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
```
5ba9af23

Allow update_engine to use Binder IPC. · dce317cf

Tao Bao authored 9 years ago

avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager

Also allow priv_app to communicate with update_engine.

avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder

Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c

dce317cf

Add adbd socket perms to system_server. · b037a6c9

dcashman authored 9 years ago

Commit 2fdeab37 added ability to debug
over adbd for zygote-spawned apps, required by removal of domain_deprecated
from untrusted_app.  This functionality is a core debugabble component
of the android runtime, so it is needed by system_server as well.

Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a

b037a6c9

Jan 25, 2016

app: connect to adbd · 2fdeab37

Jeff Vander Stoep authored 9 years ago

Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496

2fdeab37

domain: allow dir search in selinuxfs · 45517a75

Jeff Vander Stoep authored 9 years ago

Domain is already allowed to stat selinuxfs, it also needs
dir search.

Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir

Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07

45517a75

Merge "watchdog: remove domain_deprecated" · c1b0ffcf
Jeffrey Vander Stoep authored 9 years ago

c1b0ffcf
watchdog: remove domain_deprecated · 1eeaa47e
Jeff Vander Stoep authored 9 years ago
```
Change-Id: I60d66da98a8da9cd7a9d0130862242e09b7dccf1
```
1eeaa47e

Jan 23, 2016

app.te: grant /system dir/file/symlink read · 5c8854ab

Nick Kralevich authored 9 years ago

Renderscript needs the ability to read directories on
/system. Allow it and file/symlink read access.

Addresses the following denials:
  RenderScript: Invoking /system/bin/ld.mc with args '/system/bin/ld.mc -shared -nostdlib
    /system/lib64/libcompiler_rt.so -mtriple=aarch64-none-linux-gnueabi
    --library-path=/system/vendor/lib64 --library-path=/system/lib64
    -lRSDriver -lm -lc
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/primitives.o
    -o
    /data/user/0/com.android.rs.test/code_cache/com.android.renderscript.cache/librs.primitives.so'
  ld.mc   : type=1400 audit(0.0:1340): avc: denied { read } for name="lib64" dev="mmcblk0p24" ino=212 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  ld.mc   : type=1400 audit(0.0:1341): avc: denied { read } for name="lib64" dev="mmcblk0p29" ino=1187 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
  RenderScript: Child process "/system/bin/ld.mc" terminated with status 256

Change-Id: I9fb989f66975ed553dbc0c49e9c5b5e5bc45b3c3

5c8854ab

Jan 22, 2016

Remove domain_deprecated from untrusted_app. · cbf7ba18
dcashman authored 9 years ago
```
Bug: 22032619
Change-Id: Iaa192f98df3128da5e11ce1fd3cf9d1a597fedf5
```
cbf7ba18

Temporarily allow untrusted_app to read proc files. · 2193f766

dcashman authored 9 years ago

Address the following denial:
01-22 09:15:53.998 5325 5325 W ChildProcessMai: type=1400 audit(0.0:44): avc: denied { read } for name="meminfo" dev="proc" ino=4026535444 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Change-Id: Id2db5ba09dc9de58e6da7c213d4aa4657c6e655c

2193f766

Merge "bootstat: Implement the SELinux policy to allow reading/writing to /data/misc/bootstat." · 447041a9
James Hawkins authored 9 years ago

447041a9

Allow access to /dev/ion and proc_net dir. · 8666bf25

dcashman authored 9 years ago

Address the following:
01-21 13:35:41.147 5896 5896 W ndroid.music:ui: type=1400 audit(0.0:22): avc: denied { read } for name="ion" dev="tmpfs" ino=1237 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=0
01-21 13:35:41.152 5896 5896 E qdmemalloc: open_device: Failed to open ion device - Permission denied
01-21 13:35:41.152 5896 5896 E qdgralloc: Could not mmap handle 0x7f827d7260, fd=55 (Permission denied)
01-21 13:35:41.152 5896 5896 E qdgralloc: gralloc_register_buffer: gralloc_map failed

and

01-22 08:58:47.667 7572 7572 W Thread-23: type=1400 audit(0.0:186): avc: denied { search } for name="xt_qtaguid" dev="proc" ino=4026535741 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=dir permissive=0
01-22 08:58:47.671 7498 7572 I qtaguid : Untagging socket 68 failed errno=-13
01-22 08:58:47.671 7498 7572 W NetworkManagementSocketTagger: untagSocket(68) failed with errno -13

Change-Id: Id4e253879fe0f6daadd04d148a257a10add68d38

8666bf25

bootstat: Implement the SELinux policy to allow reading/writing to · 39c198ac
James Hawkins authored 9 years ago
```
/data/misc/bootstat.

BUG: 21724738
Change-Id: I2789f57cc8182af1a7c33672ef82297f32f54e2e
```
39c198ac
Merge "Allow domains to stat filesystems." · e1224de0
Jeffrey Vander Stoep authored 9 years ago

e1224de0

Remove domain_deprecated from sdcard domains · 0c7bc58e

Jeff Vander Stoep authored 9 years ago

Remove from blkid, blkid_untrusted, fsck, fsck_untrusted, sdcardd and
sgdisk.

Tested by adding external sdcard with and without
"adb shell sm set-force-adoptable true" command.

Address the following denials:
avc: denied { read } for name="swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { read } for name="filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file

Change-Id: I097e2ba5205e43f8ee613dae063f773a35ce3d73

0c7bc58e

Jan 21, 2016
- vold launched e2fsck must run in fsck domain · 67d9932c
  Jeff Vander Stoep authored 9 years ago
  
  Bug: 22821100 Change-Id: I549abfd31f7286ad50be3adeadaf559816c0ee38
  67d9932c