Commits · abf31acb01f85ade4b97b05f9893d270b915b7b6 · Werner Sembach / AndroidSystemSEPolicy

Feb 05, 2016

Allow domain to read proc dirs. · abf31acb

dcashman authored 9 years ago

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3

abf31acb

Replace "neverallow domain" by "neverallow *" · 35a14514

Nick Kralevich authored 9 years ago

Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf

35a14514

Feb 04, 2016
- persist.mmc.* only set in init · d1435604
  Mark Salyzyn authored 9 years ago
  
  Bug: 26976972 Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118
  d1435604
- Merge "Fix SELinux warning when passing fuse FD from system server." · 4c42a0dc
  Daichi Hirono authored 9 years ago
  
  4c42a0dc
Feb 03, 2016

Fix SELinux warning when passing fuse FD from system server. · 59e3d7b4

Daichi Hirono authored 9 years ago

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd

59e3d7b4

Feb 01, 2016
- Merge "init: allow to access console-ramoops with newer kernels" · 84fbd53a
  Jeffrey Vander Stoep authored 9 years ago
  
  84fbd53a
Jan 28, 2016

Merge "mediaserver: grant perms from domain_deprecated" · 3d8391e7
Jeffrey Vander Stoep authored 9 years ago

3d8391e7
Merge "logd: grant perms from domain_deprecated" · 61e93860
Jeffrey Vander Stoep authored 9 years ago

61e93860
Merge "kernel: grant perms from domain_deprecated" · e48ab784
Jeffrey Vander Stoep authored 9 years ago

e48ab784

mediaserver: grant perms from domain_deprecated · 72e78bfc

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7

72e78bfc

logd: grant perms from domain_deprecated · 2f3979a7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02

2f3979a7

kernel: grant perms from domain_deprecated · bc2b76b0

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1

Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3

bc2b76b0

Jan 27, 2016

Allow apps to check attrs of /cache · 0e591bd2

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0

Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6

0e591bd2

Merge "vold: grant perms from domain_deprecated" · 1cf93217
Jeffrey Vander Stoep authored 9 years ago

1cf93217
Merge "healthd: grant perms from domain_deprecated" · f33507df
Jeffrey Vander Stoep authored 9 years ago

f33507df
Merge "remove access_kmsg macro, because it to be more explicit." · fea9ad7c
Daniel Cashman authored 9 years ago

fea9ad7c
Merge "zygote: grant perms from domain_deprecated" · eecaa0b5
Jeffrey Vander Stoep authored 9 years ago

eecaa0b5

vold: grant perms from domain_deprecated · 9306072c

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file

avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir

avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir

avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir

9306072c

healthd: grant perms from domain_deprecated · 12401b8d

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e

12401b8d

zygote: grant perms from domain_deprecated · cee6a0e7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2

cee6a0e7

Allow sdcardd tmpfs read access. · db559a34

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0

vold: EmulatedVolume calls sdcard to mount on /storage/emulated.

Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee

db559a34

Merge "Revert "zygote: grant perms from domain_deprecated"" · 98f60e5c
Jeffrey Vander Stoep authored 9 years ago

98f60e5c
Revert "zygote: grant perms from domain_deprecated" · b898360e
Jeffrey Vander Stoep authored 9 years ago
```
This reverts commit e52fff83.

Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
```
b898360e
Merge "zygote: grant perms from domain_deprecated" · 4115beae
Jeffrey Vander Stoep authored 9 years ago

4115beae

zygote: grant perms from domain_deprecated · e52fff83

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Change-Id: I5b505ad386a445113bc0a1bb35d4f88f7761c048

e52fff83

init: allow to access console-ramoops with newer kernels · 9a28f90d

Sylvain Chouleur authored 9 years ago


Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability a process accessing
console-ramoops file.

sepolicy must be adapted to this new requirement.

Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>

9a28f90d

Merge "Revert "Remove domain_deprecated from sdcard domains"" · c4121add
Narayan Kamath authored 9 years ago

c4121add
Revert "Remove domain_deprecated from sdcard domains" · f4d7eef7
Narayan Kamath authored 9 years ago
```
This reverts commit 0c7bc58e.

bug: 26807309

Change-Id: I8a7b0e56a0d6f723508d0fddceffdff76eb0459a
```
f4d7eef7

domain: grant write perms to cgroups · be0616ba

Jeff Vander Stoep authored 9 years ago

Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53

be0616ba

Restore untrusted_app proc_net access. · 5833e3f5

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4

5833e3f5

Jan 26, 2016

remove access_kmsg macro, because it to be more explicit. · 001b10bd
SimHyunYong authored 9 years ago
```
This macro does not give us anything to it.

Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
```
001b10bd

Using r_dir_file macro in domain.te · 093ea6fb

SimHyunYong authored 9 years ago

r_dir_file(domain, self)

allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;

te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f

093ea6fb

Merge "Remove domain_deprecated from sdcard domains" · cdae042a
Jeffrey Vander Stoep authored 9 years ago

cdae042a
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated." · ae29dea8
James Hawkins authored 9 years ago

ae29dea8

bootstat: Fix the SELinux policy after removing domain_deprecated. · 2e8d71c3

James Hawkins authored 9 years ago

* Allow reading /proc.

type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

* Define domain for the /system/bin/bootstat file.

init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.

Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804

2e8d71c3

Delete policy it is alread included in binder_call macros. · 7171232c

SimHyunYong authored 9 years ago

define(`binder_call', `
allow $1 $2:binder { call transfer };
allow $2 $1:binder transfer;
allow $1 $2:fd use;
')

binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)

it is alread include these policy.. so I can delete these policy!
allow surfaceflinger appdomain:fd use;
allow surfaceflinger bootanim:fd use;

7171232c

Merge "Delete duplicated policy, it is already include in app.te." · 0220b345
Jeffrey Vander Stoep authored 9 years ago

0220b345
Merge "Allow update_engine to use Binder IPC." · 6899e0a3
Tao Bao authored 9 years ago

6899e0a3
Delete duplicated policy, it is already include in app.te. · 5ba9af23
SimHyunYong authored 9 years ago
```
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
```
5ba9af23

Allow update_engine to use Binder IPC. · dce317cf

Tao Bao authored 9 years ago

avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager

Also allow priv_app to communicate with update_engine.

avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder

Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c

dce317cf