- May 14, 2014
-
-
Stephen Smalley authored
This just adds a neverallow rule to ensure we never add an allow rule permitting such mappings. Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- May 13, 2014
-
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
Change-Id: If6b85fbb2332f7a03b603f2d46bd2f73c778ecf9 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Resolves denials such as: avc: denied { read write } for path="socket:[33571]" dev="sockfs" ino=33571 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=unix_dgram_socket Change-Id: Icb1ee00d8513179039bfb738647f49480e836f25 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Resolves denials such as: avc: denied { getattr } for path="pipe:[167684]" dev="pipefs" ino=167684 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file Change-Id: I1120c8b130a592e40992c5233650345640a23a87 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Drop rules on data_file_type attribute and replace with rules on specific types under /data. Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
-
Nick Kralevich authored
I didn't fix unpublished denials before switching this into enforcing. Need to revert. This reverts commit ae505511. Bug: 14844424 Change-Id: I01408b77a67ad43a8fb20be213d3ffbace658616
-
- May 12, 2014
-
-
Nick Kralevich authored
Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed. Change-Id: If335a5cf619125806c700780fcf91f8602083824
-
Stephen Smalley authored
Report any attempts by zygote to create/write files in system_data_file so that we can ultimately move any such cases to their own type and reduce this to read-only access. Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
installd creates /data/.layout_version. Introduce a separate type for this file (and any other file created by installd under a directory labeled system_data_file) so that we can allow create/write access by installd without allowing it to any system data files created by other processes. This prevents installd from overwriting other system data files, and ensure that any files it creates will require explicit rules in order to access. Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: I29202292a78f0d2ae3b5da235c1783298f14bed8 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- May 10, 2014
-
-
Stephen Smalley authored
Change-Id: Ib4b4ebda74a9ebf08f38d73521d67bf98cd0ee67 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Change-Id: Ib4cbaee280628845d026e827d7e16f347594fc26 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- May 09, 2014
-
-
Stephen Smalley authored
Drop rules on data_file_type attribute and replace with rules on specific types, coalescing with existing rules where appropriate. Reorganize the rules and try to annotate the reason for the different rules. Change-Id: I2d07e7c276a9c29677f67db0ebecfc537c084965 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
This was originally to limit the ability to relabel files to particular types given the ability of all domains to relabelfrom unlabeled files. Since the latter was removed by Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves any purpose. Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
91a4f8d4 created system_app_data_file, and assigned all system_apps to use this file type. For testing purposes, our automated testing infrastructure sideloads shared system UID apks. Installd does not have permission to create the lib symlink, so the installation fails. Allow installd to create this symlink. repro: adb install AppLaunch.apk 276 KB/s (8414 bytes in 0.029s) pkg: /data/local/tmp/AppLaunch.apk Failure [INSTALL_FAILED_INTERNAL_ERROR] logcat: 05-08 23:16:36.336 605 637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490 05-08 23:16:36.338 605 637 W asset : Installing empty resources in to table 0x5e89a368 05-08 23:16:36.359 193 193 W installd: type=1400 audit(0.0:29): avc: denied { create } for name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file 05-08 23:16:36.363 193 193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied 05-08 23:16:36.364 605 637 W PackageManager: Failed linking native library dir (user=0) 05-08 23:16:36.364 605 637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk Bug: 14659632 Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3
-
Nick Kralevich authored
Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
-
- May 08, 2014
-
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
As per the discussion in: https://android-review.googlesource.com/#/c/92903/ Add sysfs_type attribute to sysfs type so that it is included in rules on sysfs_type, allow setattr to all sysfs_type for ueventd for chown/chmod, and get rid of redundant rules. Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Should no longer be required due to restorecon_recursive of /data by init.rc (covers everything outside of /data/data) and due to restorecon_recursive of /data/data by installd (covers /data/data directories). Move the neverallow rule on relabelto to the neverallow section. We could potentially drop this altogether, along with the relabelto_domain macro and its callers, since its motivation was to provide some safeguard in spite of allowing relabelfrom to unlabeled files for all domains and this change removes relabelfrom. unconfined still retains rw access to unlabeled, as do specific domains that are explicitly allowed it. Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Should no longer be required due to restorecon_recursive of /data by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to restorecon_recursive of /data/data by installd (covers /data/data directories). Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- May 07, 2014
-
-
Greg Hackmann authored
ADF is a modern replacement for fbdev. ADF's device nodes (/dev/adf[X]), interface nodes (/dev/adf-interface[X].[Y]), and overlay engine nodes (/dev/adf-overlay-engine[X].[Y]) are collectively used in similar contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and healthd will need to send R/W ioctls to these nodes to prepare and update the display. Ordinary apps should not talk to ADF directly. Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343 Signed-off-by:
Greg Hackmann <ghackmann@google.com>
-
Stephen Smalley authored
Not sure what denial originally motivated adding this access, but drop it and see if it resurfaces. platform_app is still permissive_or_unconfined() so this should not break anything. Change-Id: Ia4418080e3477346fa48d23b4bb5d53396ed5593 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
See if we can remove these allow rules by auditing any granting of these permissions. These rules may be a legacy of older Android or some board where the gpu device lived under /dev/graphics too. Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories. This resolves the following denial when cropping or taking a user photo for secondary users: avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 14604553 Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- May 05, 2014
-
-
Nick Kralevich authored
-
Nick Kralevich authored
-
Stephen Smalley authored
Otherwise it is treated as a regex and matches any character. Change-Id: I9e23f01b0e104d3ef57993fd1a3d9a5b13201910 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Nick Kralevich authored
Commit 3fbc536d allowed untrusted app to read radio data files passed via binder, but didn't allow write access. Write access is needed when sending MMS messages. Steps to reproduce: 1) have some photos on the device 2) Launch messaging app 3) Attach a MMS (Picture, capture video, capture picture, audio recording etc..) 4) Send EXPECTED RESULTS: No crash OBSERVED RESULTS: - Messaging crashes on sending MMS - messages are stuck in sending state Additional details: 05-05 10:14:01.196 2457 2457 W Binder_3: type=1400 audit(0.0:20): avc: denied { write } for path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file 05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!! 05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream. 05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4 05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966) 05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:674) 05-05 10:14:01.203 27809 28219 E PduPersister: at android.content.ContentResolver.openOutputStream(ContentResolver.java:650) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82) 05-05 10:14:01.203 27809 28219 E PduPersister: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228) 05-05 10:14:01.203 27809 28219 E PduPersister: at java.lang.Thread.run(Thread.java:818) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS 05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809 05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at android.content.ContentUris.parseId(ContentUris.java:85) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228) 05-05 10:14:01.221 27809 28219 E AndroidRuntime: at java.lang.Thread.run(Thread.java:818) 05-05 10:14:01.222 659 5253 W ActivityManager: Force finishing activity com.android.mms/.ui.ComposeMessageActivity Bug: 14562421 Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9
-
dcashman authored
-
- May 03, 2014
-
-
dcashman authored
specifycapabilities is no longer specified by the zygote userspace manager. It was removed in commit: 42a4bb5730266f80585e67262c73505d0bfffbf8. Remove this permission from policy. Change-Id: I866a25b590a375a68de6eec9af1b3ef779889985
-
- May 02, 2014
-
-
Sreeram Ramachandran authored
Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811
-
- May 01, 2014
-
-
Ruchi Kandoi authored
Need this for changing max_cpufreq for the low power mode. Denials: type=1400 audit(1398818907.151:48): avc: denied { relabelfrom } for pid=129 comm="ueventd" name="scaling_max_freq" dev="sysfs" ino=19866 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs:s0 tclass=file type=1400 audit(118521.050:11): avc: denied { setattr } for pid=130 comm="ueventd" name="scaling_min_freq" dev="sysfs" ino=9178 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file Change required for Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233 Change-Id: I93feee65b1535ac048acf3bc7fba9f5d1bdb2bd2 Signed-off-by:
Ruchi Kandoi <kandoiruchi@google.com>
-
Stephen Smalley authored
Change-Id: I4811da972f7e23ef86e04d05400169422fbaca35 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-