  1. Jan 05, 2015
    • uncrypt: fix OTAs · eb4e2ab1
      Nick Kralevich authored
      uncrypt needs to be able to read OTA files in GMS core's home
      directory, which is protected with MLS. Mark uncrypt as an
      mlstrustedsubject so that it can read the files.
      
      Addresses the following denial (and probably others):
      
        uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
      
      Remove the auditallow line for uncrypt. Per dd053a9b,
      the auditallow line was added to confirm that uncrypt was actually
      accessing the userdata block device. The access to the userdata block
      device is definitely occurring, and auditing it doesn't add any value.
      Remove the auditing.
      
      Eliminates the following unnecessary audit lines:
      
        avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
        avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
      
      Tighten up userdata block access to write-only. uncrypt never reads
      directly from the block device.
      
      Testing:
      
        1) Create the file /cache/recovery/command with a line like:
        --update_package=/data/data/com.google.android.gms/foo.zip
        2) Create the file /data/data/com.google.android.gms/foo.zip
        (contents not important)
        3) Run "setprop ctl.start pre-recovery"
      
      Expected: No SELinux denials.
      Actual: SELinux denials
      
      Bug: 18875451
      Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d
  2. Sep 20, 2014
    • Define types for userdata and cache block devices. · dd053a9b
      Stephen Smalley authored
      
      Introduce separate types for the userdata and cache block
      devices so that we can assign them and allow access to them
      in device-specific policy without allowing access to any other
      block device (e.g. system).  These types will only be used if
      assigned to device node paths in the device-specific file_contexts
      configuration.  Otherwise, this change will have no impact - the
      userdata and cache block devices will continue to default to block_device
      type.
      
      To avoid breakage when these new types are assigned to the userdata
      block device, allow access by vold and uncrypt, but auditallow
      these accesses to confirm that these are required.
      
      Change-Id: I99d24f06506f51ebf1d186d9c393b3cad60e98d7
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  3. Feb 28, 2014
    • uncrypt: allow /dev/block directory access. · ef220cba
      Nick Kralevich authored
      Uncrypt needs search in /dev/block to open block devices.
      Allow it.
      
      Addresses the following denial:
      
      [11105.601711] type=1400 audit(1393550350.528:30): avc:  denied  { search } for  pid=14597 comm="uncrypt" name="block" dev="tmpfs" ino=7200 scontext=u:r:uncrypt:s0 tcontext=u:object_r:block_device:s0 tclass=dir
      
      Change-Id: I4592784135a04ff5bff2715e1250661744f12aa1
    • uncrypt: allow /dev/block directory access. · 0a5f561c
      Nick Kralevich authored
      Uncrypt needs search in /dev/block to open block devices.
      Allow it.
      
      Addresses the following denial:
      
      [11105.601711] type=1400 audit(1393550350.528:30): avc:  denied  { search } for  pid=14597 comm="uncrypt" name="block" dev="tmpfs" ino=7200 scontext=u:r:uncrypt:s0 tcontext=u:object_r:block_device:s0 tclass=dir
      
      Change-Id: I4592784135a04ff5bff2715e1250661744f12aa1
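
The two denials quoted in the "uncrypt: fix OTAs" and "allow /dev/block directory access" commits above fail for different reasons: in the first the target carries MLS categories the source lacks, in the second the levels match and only an allow rule is missing. The following triage script is an added example, not part of the policy repository; `parse_avc`, `mls_level` and `classify` are hypothetical helper names, and the dominance test is a heuristic for read-style checks, since the real decision depends on the policy's mlsconstrain statements.

```python
import re

# Denial lines copied from the two commit messages above.
MLS_DENIAL = 'uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir'
TE_DENIAL = '[11105.601711] type=1400 audit(1393550350.528:30): avc:  denied  { search } for  pid=14597 comm="uncrypt" name="block" dev="tmpfs" ino=7200 scontext=u:r:uncrypt:s0 tcontext=u:object_r:block_device:s0 tclass=dir'

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC audit line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: val.strip('"') for key, val in KV_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    return rec

def mls_level(context):
    """Split 'user:role:type:sN[:categories]' into (type, sensitivity, categories).
    Assumes a single level, not a low-high range."""
    parts = context.split(':', 4)
    cats = set()
    for item in (parts[4].split(',') if len(parts) > 4 else []):
        lo, _, hi = item.partition('.')          # 'c0.c3' denotes a range
        cats.update(range(int(lo[1:]), int(hi[1:] if hi else lo[1:]) + 1))
    return parts[2], int(parts[3][1:]), cats

def classify(line):
    """Heuristic triage: if the source level does not dominate the target
    level, an MLS constraint is the likely cause; otherwise a missing allow rule."""
    rec = parse_avc(line)
    if rec is None or rec['result'] != 'denied':
        return None
    s_type, s_sens, s_cats = mls_level(rec['scontext'])
    t_type, t_sens, t_cats = mls_level(rec['tcontext'])
    dominates = s_sens >= t_sens and s_cats >= t_cats
    return {'source': s_type, 'target': t_type, 'tclass': rec['tclass'],
            'perms': rec['perms'], 'likely': 'type-enforcement' if dominates else 'mls'}

if __name__ == '__main__':
    for sample in (MLS_DENIAL, TE_DENIAL):
        print(classify(sample))
```
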
  4. Feb 22, 2014
    • uncrypt: move into enforcing · 5a983043
      Nick Kralevich authored
      Move the uncrypt domain into SELinux enforcing mode. This will
      start enforcing SELinux rules; security policy violations will
      return EPERM.
      
      Bug: 13083922
      Change-Id: I4805662d8b336e2bfd891237cc916c57179ebf12
  5. Feb 20, 2014
  6. Feb 19, 2014
    • initial policy for uncrypt. · 96eeb1ec
      Nick Kralevich authored
      Add initial support for uncrypt, started via the
      pre-recovery service in init.rc. On an encrypted device,
      uncrypt reads an OTA zip file on /data, opens the underlying
      block device, and writes the unencrypted blocks on top of the
      encrypted blocks. This allows recovery, which can't normally
      read encrypted partitions, to reconstruct the OTA image and apply
      the update as normal.
      
      Add an exception to the neverallow rule for sys_rawio. This is
      needed to support writing to the raw block device.
      
      Add an exception to the neverallow rule for unlabeled block devices.
      The underlying block device for /data varies between devices
      within the same family (for example, "flo" vs "deb"), and the existing
      per-device file_context labeling isn't sufficient to cover these
      differences. Until I can resolve this problem, allow access to any
      block devices.
      
      Bug: 13083922
      Change-Id: I7cd4c3493c151e682866fe4645c488b464322379