- Jan 14, 2015
-
-
dcashman authoredTemporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
-
Mark Salyzyn authored
Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
-
- Jan 13, 2015
-
-
dcashman authored
-
- Jan 07, 2015
-
-
Nick Kralevich authored
Commit 92dfa31f added "seinfo=platform" to all fixed UID domains. However, that caused problems for shared_relro. shared_relro runs like an isolated app, and doesn't have an seinfo field associated with it. This causes a crash when system_server attempts to start shared_relro. W art : PreZygoteFork called when we already have a zygote space. E SELinux : seapp_context_lookup: No match for app with uid 1037, seinfo (null), name WebViewLoader-armeabi-v7a E SELinux : selinux_android_setcontext: Error setting context for app with uid 1037, seinfo (null): Success E Zygote : selinux_android_setcontext(1037, 0, "(null)", "WebViewLoader-armeabi-v7a") failed F art : art/runtime/jni_internal.cc:508] JNI FatalError called: RuntimeAbort I ActivityManager: Start proc WebViewLoader-armeabi-v7a [android.webkit.WebViewFactory$RelroFileCreator] for : pid=2717 uid=1037 gids={} abi=armeabi-v7a W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process W libbacktrace: virtual bool BacktraceThread::Unwind(size_t, ucontext_t*): tgkill 1176 failed: No such process F art : art/runtime/runtime.cc:331] Runtime aborting... F art : art/runtime/runtime.cc:331] Aborting thread: F art : art/runtime/runtime.cc:331] "main" prio=5 tid=1 Native F art : art/runtime/runtime.cc:331] | group="" sCount=0 dsCount=0 obj=0x7298f000 self=0xb4827800 F art : art/runtime/runtime.cc:331] | sysTid=1176 nice=0 cgrp=default sched=0/0 handle=0xb6f22d80 F art : art/runtime/runtime.cc:331] | state=? schedstat=( 0 0 0 ) utm=0 stm=0 core=0 HZ=100 F art : art/runtime/runtime.cc:331] | stack=0xbe39d000-0xbe39f000 stackSize=8MB F art : art/runtime/runtime.cc:331] | held mutexes= "abort lock" "mutator lock"(shared held) F art : art/runtime/runtime.cc:331] kernel: (couldn't read /proc/self/task/1176/stack) F art : art/runtime/runtime.cc:331] native: (backtrace::Unwind failed for thread 1176) F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.nativeForkAndSpecialize(Native method) F art : art/runtime/runtime.cc:331] at com.android.internal.os.Zygote.forkAndSpecialize(Zygote.java:91) F art : art/runtime/runtime.cc:331] at com.android.internal.os.ZygoteConnection.runOnce(ZygoteConnection.java:227) removing seinfo=platform from shared_relro fixed this bug, but then revealed two new SELinux denials: E SELinux : avc: denied { find } for service=webviewupdate scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager E SELinux : avc: denied { find } for service=activity scontext=u:r:shared_relro:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager Add the needed SELinux rule. Change-Id: I4372ccfe2e9f3d982796d2c0dc79259aa8a31810
-
Nick Kralevich authored
-
dcashman authored
Address the following denial: SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:system_app:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager Change-Id: I6bd5d2490c7d4aa06a645c1ee293f2b3db21968b
-
- Jan 06, 2015
-
-
Nick Kralevich authored
The su domain is always permissive, and will always be permissive. It never makes sense to show su related denials, as they just cause a false sense of alarm. Suppress service_manager related denials. For example: SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager SELinux : avc: denied { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager While I'm here, suppress other recent additionsl to security_classes as well (keystore_key, debuggerd, drmservice) Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9 -
Nick Kralevich authored
-
- Jan 05, 2015
-
-
Nick Kralevich authored
Commit 0d08d472 added two auditallow statements. The intented purpose of the auditallow statement was: auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. As currently written, the auditallow rules aren't actionable. It's not a problem by itself for init to access a /dev file or chr_file. Rather, we care about when other domains access such files. Currently, this generates a number of (expected) audit statements on boot, which causes unnecessary confusion and makes people believe that something is broken. Remove the unactionable auditallow statements. Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426
-
Nick Kralevich authored
uncrypt needs to be able to read OTA files in GMS core's home directory, which is protected with MLS. Mark uncrypt as an mlstrustedsubject so that it can read the files. Addresses the following denial (and probably others): uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Remove the auditallow line for uncrypt. Per dd053a9b, the auditallow line was added to confirm that uncrypt was actually accessing the userdata block device. The access to the userdata block device is definitely occurring, and auditing it doesn't add any value. Remove the auditing. Eliminates the following unnecessary audit lines: avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file Tighten up userdata block access to write-only. uncrypt never reads directly from the block device. Testing: 1) Create the file /cache/recovery/command with a line like: --update_package=/data/data/com.google.android.gms/foo.zip 2) Create the file /data/data/com.google.android.gms/foo.zip (contents not important) 3) Run "setprop ctl.start pre-recovery" Expected: No SELinux denials. Actual: SELinux denials Bug: 18875451 Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d -
Nick Kralevich authored
-
Nick Kralevich authored
-
- Dec 30, 2014
-
-
dcashman authored
Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
-
- Dec 24, 2014
-
-
Nick Kralevich authored
On the Nexus 9, init.rc creates the /vendor -> /system/vendor symlink, then a bit later removes the symlink, creates a proper directory, and mounts /vendor on the directory. The current permissive SELinux policy doesn't allow init to remove the /vendor symlink, which eventually causes the following errors: avc: denied { unlink } for pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1 fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered There was an attempt to reorder some of these operations so we didn't have to create / delete the symlink, but it doesn't seem to have gone well. https://android.googlesource.com/platform/system/core/+/f67d6bd3c0fb41d167c675b9d2b5d377b6f38a74 Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
-
- Dec 23, 2014
-
-
dcashman authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
dcashman authored
platform_app. Address the following denials: SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:nfc:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manage SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager Bug: 18831075 Change-Id: I2c162f58f4adae9f6c544f9d9c6a9300877b4f36
-
- Dec 22, 2014
-
-
dcashman authored
-
dcashman authored
Commit dc0ab516f11d8e2c413315e733e25a41ba468e4f changed the libsepol structures on which sepolicy-analyze relies so that it could be compiled as a C++ library. Reflect this change in sepolicy-analyze. Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe
-
dcashman authored
Shell domain needs to be able to access system_server_services, e.g. when running the pm command. Addresses the following denials: 10-07 00:59:26.901 178 178 E SELinux : avc: denied { find } for service=user scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager 10-07 00:59:26.903 178 178 E SELinux : avc: denied { find } for service=package scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager Change-Id: I4cc2f31809a2615ba781e2ecfe2ca7d6f5226b73
-
- Dec 20, 2014
-
-
William Roberts authored
It's beneficial to be able to overide this in a device makefile if you need to get the domains into an unconfined state to keep the logs from filling up on kernel entries without having to add rules into device specific policy. Change-Id: I7778be01256ac601f247e4d6e12573d0d23d12a1
-
Nick Kralevich authored
No obvious denials on flounder, the only device where swap is used. Change-Id: I5747ad2fd267cb71cbc1f69ffaec6b1e7db9ec1f
-
Nick Kralevich authored
needed to get to the swap device. Addresses the following denial: avc: denied { search } for pid=149 comm="mkswap" name="block" dev="tmpfs" ino=9947 scontext=u:r:toolbox:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0 Change-Id: I0c897540f1c7950738622a013121a050a1f32b2f -
Nick Kralevich authored
Bluetooth can receive bugreport data for beaming to another device. This comes across as an open file descriptor. Allow bluetooth access to bugreports. Addresses the following denial: avc: denied { read } for path="/data/data/com.android.shell/files/bugreports/bugreport-2014-12-19-15-35-32.txt" dev="dm-0" ino=662738 scontext=u:r:bluetooth:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0 Change-Id: I7be2ce2e0e48323c1e8f932be17b434b89daf085 -
Nick Kralevich authored
Addresses the following denials: avc: denied { getattr } for pid=148 comm="mkswap" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:toolbox:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for pid=148 comm="mkswap" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:toolbox:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=1 Change-Id: I88c88493cd5f523b5b26a8028b421b3565aa5751
-
- Dec 18, 2014
-
-
Elliott Hughes authored
-
Elliott Hughes authored
When toolbox completely disappears, we can worry about whether we want to rename this context. Change-Id: I359b6b2b21bb9452352e700f6ac37c137200ac77
-
- Dec 15, 2014
-
-
dcashman authored
All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
-
- Dec 12, 2014
-
-
Nick Kralevich authored
-
Pawit Pornkitprasan authored
Required for Settings to show name/icon of apps on sd card (permission copied from untrusted_app) Also removed duplicate permission (from domain) in untrusted_app Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
-
- Dec 11, 2014
-
-
Stephen Smalley authored
Addresses denials such as: type=1400 : avc: denied { lock } for comm="PushCheckSendS" path="socket:[1834573]" dev="sockfs" ino=X scontext=u:r:untrusted_app:s0 tcontext=u:r:untrusted_app:s0 tclass=tcp_socket Change-Id: Idbf6120cca9df634e2f8a876fd1cd836551e5ad7 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- Dec 10, 2014
-
-
Brian Carlstrom authored
Bug: 18485243 Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e
-
-
- Dec 09, 2014
-
-
- Dec 05, 2014
-
-
dcashman authored
Change-Id: Ie7c2bf623dcfe246fa5e60b0775b6bb38869d8cb
-
- Dec 02, 2014
-
-
Daniel Cashman authored
-
Stephen Smalley authored
Only allow it to read/write/stat already open app data files received via Binder or local socket IPC. Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>
-
- Dec 01, 2014
-
-
William Roberts authored
host C: sepolicy-analyze <= external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c: In function 'usage': external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: error: 'for' loop initial declarations are only allowed in C99 mode external/sepolicy/tools/sepolicy-analyze/sepolicy-analyze.c:30:5: note: use option -std=c99 or -std=gnu99 to compile your code make: *** [out/host/linux-x86/obj/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1 Change-Id: I9222e447b032d051c251c9718e2b8d5ffb9e9c35
-
- Nov 26, 2014
-
-