- Mar 12, 2015
-
-
Stephen Smalley authoredGenerate general forms of the remaining *_contexts files with only the device-independent entries for use in CTS testing. Change-Id: I2bf0e41db8a73c26754cedd92cbc3783ff03d6b5 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov> -
Stephen Smalley authored
Generate a general_seapp_contexts file with only the device-independent entries, similar to general_sepolicy.conf. This is for use by CTS tests to compare with the prefix of device seapp_contexts. Change-Id: If8d1456afff5347adff7157411c6a160484e0b39 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov> -
Nick Kralevich authored
-
Stephen Smalley authored
Instead of displaying the boolean count, display a list of booleans defined in the policy, if any. This makes sepolicy-analyze booleans consistent with sepolicy-analyze permissive and allows automated tests to simply check whether there was any output at all. Change-Id: I221b60d94e6e7f6d80399bf0833887af3747fe83 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>
-
- Mar 11, 2015
-
-
Mark Salyzyn authored
- allow access for /data/system/packages.xml. - deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging) - allow access to /dev/socket/logd for 'logd --reinit' Bug: 19681572 Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
Implement the booleans test in sepolicy-analyze so that we can move the no-booleans check from the SELinuxTest to the SELinuxHostTest along with the other policy checks. Change-Id: I95d7ad34da10c354470f43734d34a6ec631a7b4e Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov> -
Nick Kralevich authored
With the exception of the factory reset protection block device, don't allow system_server to read or write to any other block devices. This helps protect against a system->root escalation when system_server has the ability to directly minipulate raw block devices / partitions / partition tables. This change adds a neverallow rule, which is a compile time assertion that no SELinux policy is written which allows this access. No new rules are added or removed. Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
-
Nick Kralevich authored
system_server no longer writes to /proc/pid/oom_adj_score. This is handled exclusively by lmkd now. See the following commits: Kernel 3.18: * https://android-review.googlesource.com/139083 * https://android-review.googlesource.com/139082 Kernel 3.14: * https://android-review.googlesource.com/139081 * https://android-review.googlesource.com/139080 Kernel 3.10: * https://android-review.googlesource.com/139071 * https://android-review.googlesource.com/139671 Kernel 3.4: * https://android-review.googlesource.com/139061 * https://android-review.googlesource.com/139060 Bug: 19636629 Change-Id: Ib79081365bcce4aa1190de037861a87b55c15db9
-
- Mar 09, 2015
-
-
-
dcashman authored
Add neverallow rules to ensure that zygote commands are only taken from system_server. Also remove the zygote policy class which was removed as an object manager in commit: ccb3424639821b5ef85264bc5836451590e8ade7 Bug: 19624279 Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
-
Nick Kralevich authored
* commit '0560e75e': system_server: allow handling app generated unix_stream_sockets
-
Nick Kralevich authored
Allow system server to handle already open app unix_stream_sockets. This is needed to support system_server receiving a socket created using socketpair(AF_UNIX, SOCK_STREAM) and socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android functionality. Addresses the following denial: type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0 Bug: 19648474 Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
-
- Mar 07, 2015
-
-
Nick Kralevich authored
* commit '0d0d5aa9': installd: drop noatsecure for dex2oat
-
Nick Kralevich authored
Ensure that AT_SECURE=1 is set when installd executes dex2oat. LD_PRELOAD is no longer set by init, and installd couldn't see LD_PRELOAD anyway due to https://android-review.googlesource.com/129971 . Drop it. Continuation of commit b00a0379 Change-Id: Icaf08768b3354c6a99dd0f77fef547a706cc96e9
-
-
- Mar 06, 2015
-
-
dcashman authored
Bug: 18106000 Change-Id: I80b574f73d53439dd710ccdb8f05cc2f9e9a10b4
-
Nick Kralevich authored
* commit '1aafc4c7': allow untrusted_app read /data/anr/traces.txt
-
Nick Kralevich authored
The GMS core feedback agent runs as untrusted_app, and needs the ability to read /data/anr/traces.txt to report ANR information. Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core can access it. Longer term, we need to move GMS core into it's own domain, but that's a longer term change. Addresses the following denial: W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file (cherrypick from commit e2547c3b) Bug: 18504118 Bug: 18340553 Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8 -
Nick Kralevich authored
Change-Id: I3b402e3a0f55b236c48dc9f4be1973cbfc0af8a4
-
- Mar 05, 2015
-
-
Nick Kralevich authored
Change-Id: I5ae9606023ef7f3489f44e6657766e922160c470
-
Nick Kralevich authored
* commit 'ee66ba8c': update isolated_app service_manager rules
-
Nick Kralevich authored
* commit 'b76966d6': recovery: remove auditallow for exec_type:dir writes
-
Nick Kralevich authored
-
Nick Kralevich authored
With the move to block based OTAs, we're never going to fix this bug. Remove the auditallow statement to avoid SELinux log spam. Bug: 15575013 Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
-
Nick Kralevich authored
* commit '92b10ddb': Eliminate CAP_SYS_MODULE from system_server
-
Nick Kralevich authored
Right now, the system_server has the CAP_SYS_MODULE capability. This allows the system server to install kernel modules. Effectively, system_server is one kernel module load away from full root access. Most devices don't need this capability. Remove this capability from the core SELinux policy. For devices which require this capability, they can add it to their device-specific SELinux policy without making any framework code changes. In particular, most Nexus devices ship with monolithic kernels, so this capability isn't needed on those devices. Bug: 7118228 Change-Id: I7f96cc61da8b2476f45ba9570762145778d68cb3
-
Nick Kralevich authored
isolated apps should only be able to access 2 services. Remove access permissions for services inappropriately added, and add a neverallow rule to prevent regressions. Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
-
Sami Tolvanen authored
* commit '723e31ef': Allow init to set up dm-verity
-
Sami Tolvanen authored
-
Sami Tolvanen authored
Allow init to 1. Access device mapper to set up dm-verity devices avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0 2. Access the metadata partition to load and store dm-verity state avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered by dm-verity avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0 These can be reproduced using the following steps: 1. Add fs_mgr flag verify to the system partition in fstab 2. Add a device specific init.rc handler for the init action that calls the built-in command verity_load_state. Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba -
-
dcashman authored
This reverts commit 27042f6d. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b
-
- Mar 03, 2015
-
-
-
dcashman authored
Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries: avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager Bug: 18106000 Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602 -
Nick Kralevich authored
* commit '3e113edf': neverallow ueventd to set properties
-
Nick Kralevich authored
Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
-
- Mar 02, 2015
-
-
-
dcashman authored
-