Skip to content
Snippets Groups Projects
Select Git revision
  • android-7.1.2_r28_klist
  • master default protected
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
40 results
Search by author
  • Any Author
  • Werner Sembach Matombo
  • dex dex dex
2 authors
  1. Oct 07, 2015
    • Nick Kralevich's avatar
      delete procrank SELinux domain. · 9e6effa1
      Nick Kralevich authored 
      Simplify SELinux policy by deleting the procrank SELinux domain.
procrank only exists on userdebug/eng builds, and anyone wanting
to run procrank can just su to root.

Bug: 18342188
Change-Id: I71adc86a137c21f170d983e320ab55be79457c16
      9e6effa1
    • David Zeuthen's avatar
      Move update_engine policy to AOSP. · a10f789d
      David Zeuthen authored 
      The update_engine daemon from Brillo is expected to be used also in
Android so move its selinux policy to AOSP.

Put update_engine in the whitelist (currently only has the recovery
there) allowing it to bypass the notallow for writing to partititions
labeled as system_block_device.

Also introduce the misc_block_device dev_type as update_engine in some
configurations may need to read/write the misc partition. Start
migrating uncrypt to use this instead of overly broad
block_device:blk_file access.

Bug: 23186405
Test: Manually tested with Brillo build.

Change-Id: Icf8cdb4133d4bbdf14bacc6c0fa7418810ac307a
      a10f789d
  3. Oct 06, 2015
    • Nick Kralevich's avatar
      remove "allow vold block_device:blk_file create_file_perms;" · 7e86e19d
      Nick Kralevich authored 
      vold hasn't use the generic "block_device" label since
commit 273d7ea4 (Sept 2014), and
the auditallow statement in vold hasn't triggered since that time.

Remove the rule which allows vold access to the generic block_device
label, and remove the vold exception.

Thanks to jorgelo for reminding me about this.

Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
      7e86e19d
  5. Sep 22, 2015
  7. Aug 25, 2015
    • Stephen Smalley's avatar
      Only allow toolbox exec where /system exec was already allowed. · a3c97a76
      Stephen Smalley authored 
      
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      a3c97a76
  9. Aug 24, 2015
  11. Aug 22, 2015
  13. Aug 15, 2015
    • Nick Kralevich's avatar
      allow domain adbd:unix_stream_socket ioctl; · f4d39ca1
      Nick Kralevich authored 
      https://android-review.googlesource.com/166419 changed the handling
of non-interactive adb shells to use a socket instead of a PTY.
When the stdin/stdout/stderr socket is received by /system/bin/sh,
the code runs isatty() (ioctl TCGETS) to determine how to handle the
file descriptor. This is denied by SELinux.

Allow it for all domains.

Addresses the following denial:

  avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0

TODO: When kernels are publicly available which support SELinux ioctl
filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls.

Bug: 21215503
Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898
      f4d39ca1
  15. Aug 14, 2015
    • Nick Kralevich's avatar
      mediaserver: remove /system/bin/toolbox exec access · bf65c7ef
      Nick Kralevich authored 
      In Android 5.1, mediaserver couldn't execute any file on
/system. This slightly regressed due to
8a0c25ef, which granted mediaserver
access to execute /system/bin/toolbox and /system/bin/toybox

Revoke that unneeded access and add a neverallow rule to prevent
regressions.

TODO: Remove toolbox_exec:file execute permissions from domain.te
and add it back to the specific domains that need it.

Change-Id: Ia7bc6028a9ffb723d4623d91cbe15c8c1bbb2eb9
      bf65c7ef
  17. Aug 03, 2015
  19. Aug 02, 2015
    • Nick Kralevich's avatar
      init.te: delete kernel load policy support · 356df327
      Nick Kralevich authored 
      Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: Id98b5e09d79254816d920b92003efe8dcbe6cd2e
      356df327
  21. Jul 27, 2015
  23. Jul 14, 2015
    • Nick Kralevich's avatar
      neverallow service_manager / service_manager_type · f2c4e128
      Nick Kralevich authored 
      Init never uses / add service manager services. It doesn't make
sense to allow these rules to init. Adding a rule of this type
is typically caused by a process inappropriately running in init's
SELinux domain, and the warning message:

  Warning!  Service %s needs a SELinux domain defined; please fix!

is ignored.

In addition, add neverallow rules to domain.te which prevent
nonsense SELinux service_manager rules from being added.

Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
      f2c4e128
  25. Jul 13, 2015
    • dcashman's avatar
      Allow domains to read tmpfs symlinks. · 301555e6
      dcashman authored 
      Domains have the ability to read normal tmpfs files but not symlinks.
Grant this ability.  In particular, allow domains to read /mnt/sdcard.

Addresses the following denial:
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

(cherry-pick of commit: 2b0b8299)

Bug: 20755029
Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0
      301555e6
    • dcashman's avatar
      Allow domains to read tmpfs symlinks. · 2b0b8299
      dcashman authored 
      Domains have the ability to read normal tmpfs files but not symlinks.
Grant this ability.  In particular, allow domains to read /mnt/sdcard.

Addresses the following denial:
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

Bug: 20755029
Change-Id: I0268eb00e0eb43feb2d5bca1723b87b7a44f31a9
      2b0b8299
  27. Jul 08, 2015
    • William Roberts's avatar
      neverallow: domain execute data_file_type · 7028bdcc
      William Roberts authored 
      
To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, execute
on data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: default avatarWilliam Roberts <william.c.roberts@intel.com>
      7028bdcc
  29. Jun 23, 2015
    • Stephen Smalley's avatar
      neverallow PROT_EXEC stack or heap. · 5328d974
      Stephen Smalley authored 
      
Despite removing these from AOSP policy they seem to still be
present in device policies.  Prohibit them via neverallow.

We would also like to minimize execmem to only app domains
and others using ART, but that will first require eliminating it
from device-specific service domains (which may only have it
due to prior incorrect handling of text relocations).

Change-Id: Id1f49566779d9877835497d8ec7537abafadadc4
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      5328d974
    • Jeff Vander Stoep's avatar
      Fix grouper build by allowing mknod in recovery · 9c7570ef
      Jeff Vander Stoep authored 
      Change-Id: I2aef01ba72cae028d5e05deddbdeff674f9a534d
      9c7570ef
    • Nick Kralevich's avatar
      Allow /dev/klog access, drop mknod and __null__ access · 31d88a70
      Nick Kralevich authored 
      Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

(cherry picked from e2651972)

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
      31d88a70
  31. Jun 18, 2015
  33. Jun 16, 2015
  35. Jun 08, 2015
    • Nick Kralevich's avatar
      Allow /dev/klog access, drop mknod and __null__ access · e2651972
      Nick Kralevich authored 
      Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
      e2651972
  37. Jun 05, 2015
  39. Jun 04, 2015
  41. May 29, 2015
  43. May 15, 2015
  45. May 14, 2015
  47. May 13, 2015
  49. May 06, 2015
  51. May 01, 2015
    • Stephen Smalley's avatar
      Ensure that domain and appdomain attributes are assigned. · 3c242caf
      Stephen Smalley authored 
      
Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.

Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      3c242caf
    • Stephen Smalley's avatar
      Ensure that domain and appdomain attributes are assigned. · 4a12d963
      Stephen Smalley authored 
      
Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.

Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      4a12d963
  53. Apr 28, 2015