- Dec 05, 2016
-
-
Nick Kralevich authoredam: 4868f377 Change-Id: I3c57e833dd736ac87718d9e95e0a02e3048de979
-
Treehugger Robot authored
-
Robert Sesek authored
am: 2c222c1e Change-Id: I89d6c56ce6d29dfb184f9eb95aaaa49909e25b44
-
Treehugger Robot authored
-
Nick Kralevich authored
By default, files created in /dev are labeled with the "device" label unless a different label has been assigned. The direct use of this generic label is discouraged (and in many cases neverallowed) because rules involving this label tend to be overly broad and permissive. Today, generically labeled character devices can only be opened, read, or written to by init and ueventd. $ sesearch --allow -t device -c chr_file -p open,read,write out/target/product/marlin/root/sepolicy allow init device:chr_file { setattr read lock getattr write ioctl open append }; allow ueventd device:chr_file { read lock getattr write ioctl open append }; this is enforced by the following SELinux neverallow rule (compile time assertion + CTS test): neverallow { domain -init -ueventd } device:chr_file { open read write }; Start auditallowing ueventd access to /dev character device files with the default SELinux label. This doesn't appear to be used, but let's prove it. While ueventd is expected to create files in /dev, it has no need to open most of the files it creates. Note, however, that because ueventd has mknod + setfscreate permissions, a malicious or compromised ueventd can always create a device node under an incorrect label, and gain access that way. The goal of this change is to prove that no process other than init are accessing generically labeled files in /dev. While I'm here, tighten up the compile time assertion for device:chr_file to include more permissions. Test: policy compiles + device boots with no granted messages. Change-Id: Ic98b0ddc631b49b09e58698d9f40738ccedd1fd0 -
Daniel Micay authored
am: a24d7f53 Change-Id: Ia27cb54e53bbd755adaf588fb4bb2f948ba3d255
-
Treehugger Robot authored
-
-
Max authored
Only init and ueventd have any access to /dev/port, and neither should have any use for it. As it stands, leaving port in just represents additional attack surface with no useful functionality, so it should be removed if possible, not only from Pixel devices, but from all Android devices. Test: The phone boots successfully Bug:33301618 Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
-
Daniel Micay authored
In general, apps shouldn't be executing data from their writable data directories. Allowing this is a security risk and use cases for this are almost always anti-patterns where saner alternatives are available such as using one of the standard systems for shipping libraries (extracted by the package manager or aligned/uncompressed in the apk) or using the existing package system to handle plugins. It's reasonable for the untrusted_app domain to have this (not just for backwards compatibility) for priv_app should be held to a higher standard. Ideally, untrusted apps would be able to opt-in to disabling this and then the default could then be switched at a new API level. It could do more than just hardening apps not requiring it by having documentation explain the risks and offer alternatives to reduce 'legitimate' use. The base system could disable it for all of the bundled untrusted apps. Change-Id: I4efcfaf01c6b6c33c39e98c22a1934e8892e2147
-
- Dec 04, 2016
-
-
Amit Mahajan authored
am: 65ad9bc1 Change-Id: I46623679450cd1fd1302698c1ea8a1f290bc6d16
-
Treehugger Robot authored
-
Amit Mahajan authored
Test: none Bug: 32020264 Change-Id: If5f22dad672895b3684b8e44209c5a1eae16ba47
-
- Dec 03, 2016
-
-
Ray Essick authored
am: 090f4a4d Change-Id: Ib9481c4abc8cd9b5b58f87067e9d5803651d73c1
-
Jeff Sharkey authored
am: 17c675b3 Change-Id: I9b04ff4503a197e25538f0f77dc6b24888240a2c
-
Ray Essick authored
media framework analytics are gathered in a separate service. define a context for this new service, allow various media-related services and libraries to access this new service. Bug: 30267133 Test: ran media CTS, watched for selinux denials. Change-Id: I5aa5aaa5aa9e82465b8024f87ed32d6ba4db35ca
-
- Dec 02, 2016
-
-
Robert Sesek authored
Test: m Test: angler boots Bug: 21643067 Change-Id: I7530120385766506405a318caac8ef143e71cce7
-
Jeff Sharkey authored
Historically we pushed all system_server SD card interactions through DefaultContainerService to avoid holding open FDs, but it's safe to measure disk usage for internal emulated storage when looking directly at /data/media, since there is no risk of unsafe ejection. These rule changes give us just enough access to measure statistics. avc: denied { getattr } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { open } for path="/data/media/0/DCIM/.thumbnails" dev="sda35" ino=589892 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0:c512,c768 tclass=dir permissive=1 avc: denied { read } for name="0" dev="sda35" ino=589827 scontext=u:r:system_server:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 Test: builds, boots, and access allowed Bug: 33298975 Change-Id: I9748608a5c1169d542e763c5a8f79c4f26f7a382
-
- Dec 01, 2016
-
-
-
Treehugger Robot authored
-
Nick Kralevich authored
am: dd649da8 Change-Id: I648e8b2869b4b2d95255575e257f07f11153865d
-
- Nov 30, 2016
-
-
Nick Kralevich authored
Remove /proc/net access to domain_deprecated. Add it to domains where it was missing before. Other than these domains, SELinux denial monitoring hasn't picked up any denials related to /proc/net Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a
-
Steven Moreland authored
am: 839c7ded Change-Id: Ibbbc3e8e51cbe6a5e2f1e5be7839a1cc3341b33c
-
Max authored
Vold shouldn't have this selinux permission, so this will be left in for a few weeks to keep track of if removing it would be an issue to any other processes. If not, then a follow-up CL will remove both the rule and the auditallow Test: This CL is a test in itself, auditallow rules shouldn't change behavior of SELinux policy by themselves Bug: 26901147 Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
-
- Nov 29, 2016
-
-
Steven Moreland authored
Bug: 33067126 Test: Dumpstate vibrator works. Change-Id: I46ff453218ba77f156e13b448e3cba9a291df0e7
-
Daniel Rosenberg authored
am: 7b6dbd73 Change-Id: I5ba0baabf29c67d6de10b673ae9948fdab7b78bd
-
Treehugger Robot authored
-
Connor O'Brien authored
am: 280ba8b7 Change-Id: I40ea119e77002f6d71a1b0125c9420c24fc54d49
-
Connor O'Brien authored
-
Daniel Rosenberg authored
Sdcardfs now supports bind mounts and remounts instead of needing several separate mounts bug: 30954918 Test: Enable Sdcardfs, verify mounts Change-Id: Id94713752a08ceeb6aea7d3c29a29d3293a9b0c8
-
- Nov 28, 2016
-
-
William Roberts authored
am: a8340521 Change-Id: I0dc7cdaacd65f027f8615e5201f9357001e5b40b
-
Treehugger Robot authored
-
Nick Kralevich authored
am: 49e35884 Change-Id: Ib96dbc7f6467e55d595426242c59b9551e9ae75f
-
Nick Kralevich authored
Addresses the following denials and auditallows: avc: denied { read } for pid=561 comm="hwservicemanage" name="hw" dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0" ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: granted { read open } for pid=735 comm="fingerprintd" path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0 tcontext=u:object_r:system_file:s0 tclass=dir Test: no denials on boot Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f -
Nick Kralevich authored
am: 8fe7b8d2 Change-Id: I904920227113f9b8e43182a4b3ba22b191cceb64
-
Nick Kralevich authored
am: 2affae65 Change-Id: I9f5c692674c60b526b0ed7ac2bc46610b9e3c5ab
-
Nick Kralevich authored
am: fae2794e Change-Id: Iba87329c6ae3de6ad95868a9237eec83fd76da05
-
Treehugger Robot authored
-
Treehugger Robot authored
-
Treehugger Robot authored
-