Commits · 740ce6543a90552ff5ca82636abf08b0d92f10dc · Werner Sembach / AndroidSystemSEPolicy

Jan 07, 2014

fix mediaserver selinux denials. · 740ce654

Nick Kralevich authored 11 years ago

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[   22.812859] type=1400 audit(1389041093.955:17): avc:  denied  { read } for  pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.813103] type=1400 audit(1389041093.955:18): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.832041] type=1400 audit(1389041093.975:19): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357470] type=1400 audit(1389041123.494:29): avc:  denied  { read } for  pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357717] type=1400 audit(1389041123.494:30): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.382276] type=1400 audit(1389041123.524:31): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074

740ce654

surfaceflinger: fix bugreport screenshot functionality · 8decca39

Nick Kralevich authored 11 years ago

When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.

Addresses the following denials:

<5> type=1400 audit(1389047451.385:23): avc:  denied  { call } for  pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc:  denied  { write } for  pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be

8decca39

Revert "Make mediaserver enforcing." · f7b72d61
Nick Kralevich authored 11 years ago
```
Too many bugs.

This reverts commit cc964543.
```
f7b72d61

Jan 03, 2014
- am 91811dba : am 301e61e7 : Merge "Make mediaserver enforcing." · 23a1a0ee
  Nick Kralevich authored 11 years ago
  
  * commit '91811dba': Make mediaserver enforcing.
  23a1a0ee
- am 79ec510b : am 14a7764d : Merge "Make media_app enforcing." · b339240f
  Nick Kralevich authored 11 years ago
  
  * commit '79ec510b': Make media_app enforcing.
  b339240f
- am bc15519a : am af288172 : Merge "Make nfc enforcing." · caa928fb
  Nick Kralevich authored 11 years ago
  
  * commit 'bc15519a': Make nfc enforcing.
  caa928fb
- am 301e61e7 : Merge "Make mediaserver enforcing." · 91811dba
  Nick Kralevich authored 11 years ago
  
  * commit '301e61e7': Make mediaserver enforcing.
  91811dba
- am 14a7764d : Merge "Make media_app enforcing." · 79ec510b
  Nick Kralevich authored 11 years ago
  
  * commit '14a7764d': Make media_app enforcing.
  79ec510b
- Merge "Make mediaserver enforcing." · 301e61e7
  Nick Kralevich authored 11 years ago
  
  301e61e7
- am af288172 : Merge "Make nfc enforcing." · bc15519a
  Nick Kralevich authored 11 years ago
  
  * commit 'af288172': Make nfc enforcing.
  bc15519a
- Merge "Make media_app enforcing." · 14a7764d
  Nick Kralevich authored 11 years ago
  
  14a7764d
- Merge "Make nfc enforcing." · af288172
  Nick Kralevich authored 11 years ago
  
  af288172
- am d5e316e3 : am 782af9ea : Merge "Make radio enforcing." · d85d8ebb
  Nick Kralevich authored 11 years ago
  
  * commit 'd5e316e3': Make radio enforcing.
  d85d8ebb
- am 15aa74f4 : am ee3cfd25 : Merge "Make bluetooth enforcing." · 689e9554
  Nick Kralevich authored 11 years ago
  
  * commit '15aa74f4': Make bluetooth enforcing.
  689e9554
- am 782af9ea : Merge "Make radio enforcing." · d5e316e3
  Nick Kralevich authored 11 years ago
  
  * commit '782af9ea': Make radio enforcing.
  d5e316e3
- am ee3cfd25 : Merge "Make bluetooth enforcing." · 15aa74f4
  Nick Kralevich authored 11 years ago
  
  * commit 'ee3cfd25': Make bluetooth enforcing.
  15aa74f4
- Merge "Make radio enforcing." · 782af9ea
  Nick Kralevich authored 11 years ago
  
  782af9ea
- Merge "Make bluetooth enforcing." · ee3cfd25
  Nick Kralevich authored 11 years ago
  
  ee3cfd25
- am c66ea87f : am aef19ebf : Merge "Make surfaceflinger domain enforcing." · 1c250cba
  Nick Kralevich authored 11 years ago
  
  * commit 'c66ea87f': Make surfaceflinger domain enforcing.
  1c250cba
- am aef19ebf : Merge "Make surfaceflinger domain enforcing." · c66ea87f
  Nick Kralevich authored 11 years ago
  
  * commit 'aef19ebf': Make surfaceflinger domain enforcing.
  c66ea87f
- Merge "Make surfaceflinger domain enforcing." · aef19ebf
  Nick Kralevich authored 11 years ago
  
  aef19ebf
Jan 02, 2014

am 50fd2eed: am 4e39317c: Merge "Confine adbd but leave it permissive for now." · debd47f4
Nick Kralevich authored 11 years ago
```
* commit '50fd2eed':
  Confine adbd but leave it permissive for now.
```
debd47f4
am 4e39317c: Merge "Confine adbd but leave it permissive for now." · 50fd2eed
Nick Kralevich authored 11 years ago
```
* commit '4e39317c':
  Confine adbd but leave it permissive for now.
```
50fd2eed
Merge "Confine adbd but leave it permissive for now." · 4e39317c
Nick Kralevich authored 11 years ago

4e39317c
am 3d706559: am e7ec2f52: Only allow PROT_EXEC for ashmem where required. · 566eaa93
Stephen Smalley authored 11 years ago
```
* commit '3d706559':
  Only allow PROT_EXEC for ashmem where required.
```
566eaa93
am 5d9913c6: am ad7df7bb: Remove execmem permission from domain, add to appdomain. · da26d7dd
Stephen Smalley authored 11 years ago
```
* commit '5d9913c6':
  Remove execmem permission from domain, add to appdomain.
```
da26d7dd
am e7ec2f52: Only allow PROT_EXEC for ashmem where required. · 3d706559
Stephen Smalley authored 11 years ago
```
* commit 'e7ec2f52':
  Only allow PROT_EXEC for ashmem where required.
```
3d706559
am ad7df7bb: Remove execmem permission from domain, add to appdomain. · 5d9913c6
Stephen Smalley authored 11 years ago
```
* commit 'ad7df7bb':
  Remove execmem permission from domain, add to appdomain.
```
5d9913c6
am 411d940e: am 527316a2: Allow use of art as the Android runtime. · db9dd501
Stephen Smalley authored 11 years ago
```
* commit '411d940e':
  Allow use of art as the Android runtime.
```
db9dd501
am 527316a2: Allow use of art as the Android runtime. · 411d940e
Stephen Smalley authored 11 years ago
```
* commit '527316a2':
  Allow use of art as the Android runtime.
```
411d940e

Only allow PROT_EXEC for ashmem where required. · e7ec2f52

Stephen Smalley authored 11 years ago


tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions.  execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains.  Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.

Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.

Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e7ec2f52

Remove execmem permission from domain, add to appdomain. · ad7df7bb

Stephen Smalley authored 11 years ago


execmem permission controls the ability to make an anonymous
mapping executable or to make a private file mapping writable
and executable.  Remove this permission from domain (i.e.
all domains) by default, and add it explicitly to app domains.
It is already allowed in other specific .te files as required.
There may be additional cases in device-specific policy where
it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

ad7df7bb

Allow use of art as the Android runtime. · 527316a2

Stephen Smalley authored 11 years ago

system_server and app domains need to map dalvik-cache files with PROT_EXEC.

type=1400 msg=audit(13574814.073:132): avc: denied { execute } for pid=589 comm="system_server" path="/data/dalvik-cache/system@priv-app@SettingsProvider.apk@classes.dex" dev="mmcblk0p30" ino=684132 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

Apps need to map cached dex files with PROT_EXEC. We already allow this
for untrusted_app to support packaging of shared objects as assets
but not for the platform app domains.

type=1400 audit(1387810571.697:14): avc: denied { execute } for pid=7822 comm="android.youtube" path="/data/data/com.google.android.youtube/cache/ads1747714305.dex" dev="mmcblk0p30" ino=603259 scontext=u:r:platform_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=file

Change-Id: I309907d591ea6044e3e6aeb57bde7508e426c033
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

527316a2

Confine adbd but leave it permissive for now. · 81e74b1c

Stephen Smalley authored 11 years ago


Will likely want to split into adbd_user.te vs adbd.te before
going enforcing to support adb root and adb remount on non-user builds.
Possibly take all common rules to an adbdcommon.te.

Change-Id: I63040c7f5f0fca10b3df682572c51c05e74738a7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

81e74b1c

am f3988de8: am 588bb5c7: Merge "Confine sdcardd, but leave it permissive for now." · 454adddd
Nick Kralevich authored 11 years ago
```
* commit 'f3988de8':
  Confine sdcardd, but leave it permissive for now.
```
454adddd
am 7fa9a4ab: am c48fd77b: Confine dhcp, but leave it permissive for now. · 4696e96e
Stephen Smalley authored 11 years ago
```
* commit '7fa9a4ab':
  Confine dhcp, but leave it permissive for now.
```
4696e96e
am 588bb5c7: Merge "Confine sdcardd, but leave it permissive for now." · f3988de8
Nick Kralevich authored 11 years ago
```
* commit '588bb5c7':
  Confine sdcardd, but leave it permissive for now.
```
f3988de8
am c48fd77b: Confine dhcp, but leave it permissive for now. · 7fa9a4ab
Stephen Smalley authored 11 years ago
```
* commit 'c48fd77b':
  Confine dhcp, but leave it permissive for now.
```
7fa9a4ab
Merge "Confine sdcardd, but leave it permissive for now." · 588bb5c7
Nick Kralevich authored 11 years ago

588bb5c7

Dec 24, 2013

Confine dhcp, but leave it permissive for now. · c48fd77b

Stephen Smalley authored 11 years ago


Change-Id: I11b185ff539915174bd2da53bfaa2cad87173008
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

c48fd77b