Skip to content
Snippets Groups Projects
  1. Dec 05, 2016
    • Nick Kralevich's avatar
      Prevent ptrace of logd on user builds · cb5f4a3d
      Nick Kralevich authored
      system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later
      amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd
      doesn't want it's memory accessible by anyone else. Unfortunately,
      setting DUMPABLE isn't sufficient against a root level process such with
      ptrace. Only one such process exists, "debuggerd".
      
      Block debuggerd from accessing logd's memory on user builds. Userdebug
      and eng builds are unaffected.  Add a neverallow rule (compile time
      assertion + CTS test) to prevent regressions.
      
      Bug: 32450474
      Test: Policy compiles.
      Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
      cb5f4a3d
  2. Nov 08, 2016
    • Nick Kralevich's avatar
      profman/debuggerd: allow libart_file:file r_file_perms · 364fd197
      Nick Kralevich authored
      Addresses the following auditallow spam:
      
      avc: granted { read open } for comm="profman"
      path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
      tcontext=u:object_r:libart_file:s0 tclass=file
      
      avc: granted { read open } for comm="debuggerd64"
      path="/system/lib64/libart.so" dev="dm-0" ino=1897
      scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
      
      avc: granted { getattr } for comm="debuggerd64"
      path="/system/lib64/libart.so" dev="dm-0" ino=1837
      scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
      
      Test: Policy compiles. Not a tightening of rules.
      Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
      364fd197
  3. Oct 06, 2016
    • dcashman's avatar
      Split general policy into public and private components. · cc39f637
      dcashman authored
      Divide policy into public and private components.  This is the first
      step in splitting the policy creation for platform and non-platform
      policies.  The policy in the public directory will be exported for use
      in non-platform policy creation.  Backwards compatibility with it will
      be achieved by converting the exported policy into attribute-based
      policy when included as part of the non-platform policy and a mapping
      file will be maintained to be included with the platform policy that
      maps exported attributes of previous versions to the current platform
      version.
      
      Eventually we would like to create a clear interface between the
      platform and non-platform device components so that the exported policy,
      and the need for attributes is minimal.  For now, almost all types and
      avrules are left in public.
      
      Test: Tested by building policy and running on device.
      
      Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
      cc39f637
  4. Sep 15, 2016
    • Janis Danisevskis's avatar
      Allow debuggerd execmem on debuggable domains · 071b935d
      Janis Danisevskis authored
      In anticipation of fixing a loophole in the Linux kernel that allows
      circumventing the execmem permission by using the ptrace interface,
      this patch grants execmem permission on debuggable domains to
      debuggerd. This will be required for setting software break points
      once the kernel has been fixed.
      
      Bug: 31000401
      Change-Id: I9b8d5853b643d24b94d36e2adbcb135dbaef8b1e
      071b935d
  5. Sep 10, 2016
  6. Aug 29, 2016
  7. May 13, 2016
  8. Apr 27, 2016
    • Nick Kralevich's avatar
      don't allow debuggerd to ptrace itself. · 2d6fa723
      Nick Kralevich authored
      It doesn't make any sense for debuggerd to ever attempt to ptrace
      itself. A debuggerd crash can't be debugged via debuggerd.
      
      Bug: 28399663
      Change-Id: I710d474e89d121385ef423b7bed9673a90e0759b
      2d6fa723
  9. Apr 14, 2016
  10. Mar 11, 2016
  11. Mar 10, 2016
  12. Mar 09, 2016
  13. Jan 27, 2016
  14. Jan 05, 2016
  15. Dec 08, 2015
  16. Nov 03, 2015
    • Jeff Vander Stoep's avatar
      Create attribute for moving perms out of domain · d22987b4
      Jeff Vander Stoep authored
      Motivation: Domain is overly permissive. Start removing permissions
      from domain and assign them to the domain_deprecated attribute.
      Domain_deprecated and domain can initially be assigned to all
      domains. The goal is to not assign domain_deprecated to new domains
      and to start removing domain_deprecated where it is not required or
      reassigning the appropriate permissions to the inheriting domain
      when necessary.
      
      Bug: 25433265
      Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
      d22987b4
  17. Jan 20, 2015
    • Christopher Ferris's avatar
      Allow debuggerd to redirect requests. · b51c4dd3
      Christopher Ferris authored
      On 64 bit systems, all requests will first go to the 64 bit debuggerd
      which will redirect to the 32 bit debuggerd if necessary. This avoids
      any permissions problems where a java process needs to be able to
      read the elf data for executables. Instead the permissions are granted
      to debuggerd instead.
      
      Also remove the permissions to read the /system/bin executables from
      dumpstate since they aren't necessary any more.
      
      Bug: https://code.google.com/p/android/issues/detail?id=97024
      Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
      b51c4dd3
  18. Aug 19, 2014
    • dcashman's avatar
      DO NOT MERGE. Allow debuggerd read access to shared_relro files. · 85f255b8
      dcashman authored
      Addresses the following denial when debuggerd attempts to stat Webview mmap'd
      shared relro files on process crash.  Full read permissions may not be necessary:
      
      W/debuggerd(  185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir
      
      Bug: 17101854
      Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
      85f255b8
    • dcashman's avatar
      Allow debuggerd read access to shared_relro files. · cd10eb95
      dcashman authored
      Addresses the following denial when debuggerd attempts to stat Webview mmap'd
      shared relro files on process crash.  Full read permissions may not be necessary:
      
      W/debuggerd(  185): type=1400 audit(0.0:97): avc: denied { search } for name="shared_relro" dev="mmcblk0p28" ino=618955 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shared_relro_file:s0 tclass=dir
      
      Bug: 17101854
      Change-Id: I11eea85668ba033c554e5aab99b70a454fb75164
      cd10eb95
  19. Jul 24, 2014
  20. May 20, 2014
    • Nick Kralevich's avatar
      Don't allow ptrace on keystore · 8aa754c9
      Nick Kralevich authored
      keystore may hold sensitive information in it's memory. Don't
      allow anyone to ptrace keystore.
      
      Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f
      8aa754c9
  21. May 17, 2014
  22. May 09, 2014
  23. Mar 18, 2014
    • Nick Kralevich's avatar
      debuggerd: Allow "debug.db.uid" usage · 77aa370c
      Nick Kralevich authored
      Allow the use of debug.db.uid on userdebug / eng builds.
      Setting this property allows debuggerd to suspend a process
      if it detects a crash.
      
      Make debug.db.uid only accessible to the su domain. This should
      not be used on a user build.
      
      Only support reading user input on userdebug / eng builds.
      
      Steps to reproduce with the "crasher" program:
      
        adb root
        adb shell setprop debug.db.uid 20000
        mmm system/core/debuggerd
        adb sync
        adb shell crasher
      
      Addresses the following denials:
      
      <5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
      <5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
      <5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
      <5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
      <5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
      
      Bug: 12532622
      Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
      
      Conflicts:
      	debuggerd.te
      77aa370c
  24. Feb 18, 2014
    • Nick Kralevich's avatar
      debuggerd: Allow "debug.db.uid" usage · 116a20fd
      Nick Kralevich authored
      Allow the use of debug.db.uid on userdebug / eng builds.
      Setting this property allows debuggerd to suspend a process
      if it detects a crash.
      
      Make debug.db.uid only accessible to the su domain. This should
      not be used on a user build.
      
      Only support reading user input on userdebug / eng builds.
      
      Steps to reproduce with the "crasher" program:
      
        adb root
        adb shell setprop debug.db.uid 20000
        mmm system/core/debuggerd
        adb sync
        adb shell crasher
      
      Addresses the following denials:
      
      <5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
      <5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
      <5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
      <5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
      <5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
      
      Bug: 12532622
      Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
      116a20fd
  25. Feb 04, 2014
    • Mark Salyzyn's avatar
      sepolicy: Add write_logd, read_logd & control_logd · 8ed750e9
      Mark Salyzyn authored
      - Add write_logd, read_logd and control_logd macros added along
        with contexts for user space logd.
      - Specify above on domain wide, or service-by-service basis
      - Add logd rules.
      - deprecate access_logcat as unused.
      - 'allow <domain> zygote:unix_dgram_socket write;' rule added to
        deal with fd inheritance. ToDo: investigate means to allow
        references to close, and reopen in context of application
        or call setsockcreatecon() to label them in child context.
      
      Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
      8ed750e9
  26. Dec 09, 2013
    • Stephen Smalley's avatar
      Restrict ptrace access by debuggerd and unconfineddomain. · 95e0842e
      Stephen Smalley authored
      
      Remove init, ueventd, watchdogd, healthd and adbd from the set of
      domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
      handlers for all dynamically linked programs in Android but this
      should not apply for statically linked programs.
      
      Exclude ptrace access from unconfineddomain.
      
      Prohibit ptrace access to init via neverallow.
      
      Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      95e0842e
  27. Dec 06, 2013
  28. Oct 29, 2013
  29. Oct 21, 2013
    • Nick Kralevich's avatar
      Move unconfined domains out of permissive mode. · 353c72e3
      Nick Kralevich authored
      This change removes the permissive line from unconfined
      domains. Unconfined domains can do (mostly) anything, so moving
      these domains into enforcing should be a no-op.
      
      The following domains were deliberately NOT changed:
      1) kernel
      2) init
      
      In the future, this gives us the ability to tighten up the
      rules in unconfined, and have those tightened rules actually
      work.
      
      When we're ready to tighten up the rules for these domains,
      we can:
      
      1) Remove unconfined_domain and re-add the permissive line.
      2) Submit the domain in permissive but NOT unconfined.
      3) Remove the permissive line
      4) Wait a few days and submit the no-permissive change.
      
      For instance, if we were ready to do this for adb, we'd identify
      a list of possible rules which allow adbd to work, re-add
      the permissive line, and then upload those changes to AOSP.
      After sufficient testing, we'd then move adb to enforcing.
      We'd repeat this for each domain until everything is enforcing
      and out of unconfined.
      
      Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
      353c72e3
  30. Sep 27, 2013
  31. Jul 12, 2013
    • Nick Kralevich's avatar
      debuggerd.te: Fix relabelto policy denial · 08f01a33
      Nick Kralevich authored
      In 0c9708b2, we removed relabelto
      from unconfined.te.  This broke debuggerd.  Fixed.
      
      type=1400 audit(1373668537.550:5): avc:  denied  { relabelto } for  pid=44 comm="debuggerd" name="tombstones" dev="mtdblock1" ino=71 scontext=u:r:debuggerd:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
      
      Change-Id: Ic025cbc030d6e776d9d87b1df3240fdc5f0b53d5
      08f01a33
  32. May 20, 2013
    • repo sync's avatar
      Make all domains unconfined. · 77d4731e
      repo sync authored
      This prevents denials from being generated by the base policy.
      Over time, these rules will be incrementally tightened to improve
      security.
      
      Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
      77d4731e
  33. May 15, 2013
  34. Apr 05, 2013
    • William Roberts's avatar
      Give domains read access to security_file domain. · 7bb2a55c
      William Roberts authored
      /data/security is another location that policy
      files can reside. In fact, these policy files
      take precedence over their rootfs counterparts
      under certain circumstances. Give the appropriate
      players the rights to read these policy files.
      
      Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
      7bb2a55c
    • Stephen Smalley's avatar
      Allow all domains to read the log devices. · 81fe5f7c
      Stephen Smalley authored
      
      Read access to /dev/log/* is no longer restricted.
      Filtering on reads is performed per-uid by the kernel logger driver.
      
      Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      81fe5f7c
    • William Roberts's avatar
      Give domains read access to security_file domain. · 6c4c27e6
      William Roberts authored
      /data/security is another location that policy
      files can reside. In fact, these policy files
      take precedence over their rootfs counterparts
      under certain circumstances. Give the appropriate
      players the rights to read these policy files.
      
      Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
      6c4c27e6
  35. Apr 04, 2013
  36. Aug 10, 2012
Loading