Commits · bc4484b2c29b7cc1598b6d09328888e5fe696913 · Werner Sembach / AndroidSystemSEPolicy

Nov 12, 2013
- am bc1388d3 : Merge "Make kernel / init enforcing" · bc4484b2
  Nick Kralevich authored 11 years ago
  
  * commit 'bc1388d3': Make kernel / init enforcing
  bc4484b2
- am 56f39193 : Merge "Confine debuggerd, but leave it permissive for now." · 14f95109
  Nick Kralevich authored 11 years ago
  
  * commit '56f39193': Confine debuggerd, but leave it permissive for now.
  14f95109
- Merge "Make kernel / init enforcing" · bc1388d3
  Nick Kralevich authored 11 years ago
  
  bc1388d3
- Merge "Confine debuggerd, but leave it permissive for now." · 56f39193
  Nick Kralevich authored 11 years ago
  
  56f39193
Nov 11, 2013

am af47ebb6: Label /dev/fscklogs and allow system_server access to it. · a9ccd7dc
Stephen Smalley authored 11 years ago
```
* commit 'af47ebb6':
  Label /dev/fscklogs and allow system_server access to it.
```
a9ccd7dc

Label /dev/fscklogs and allow system_server access to it. · af47ebb6

Stephen Smalley authored 11 years ago

Otherwise you get denials such as:
type=1400 audit(1383590310.430:623): avc: denied { getattr } for pid=1629 comm="Thread-78" path="/dev/fscklogs/log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:624): avc: denied { open } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file
type=1400 audit(1383590310.430:625): avc: denied { write } for pid=1629 comm="Thread-78" name="fscklogs" dev="tmpfs" ino=1628 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { remove_name } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=dir
type=1400 audit(1383590310.430:625): avc: denied { unlink } for pid=1629 comm="Thread-78" name="log" dev="tmpfs" ino=1642 scontext=u:r:system_server:s0 tcontext=u:object_r:device:s0 tclass=file

Change-Id: Ia7ae06a6d4cc5d2a59b8b85a5fb93cc31074fd37
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

af47ebb6

am 00739e3d: Make the ueventd domain enforcing. · c1468d45
Nick Kralevich authored 11 years ago
```
* commit '00739e3d':
  Make the ueventd domain enforcing.
```
c1468d45

Nov 08, 2013

Make kernel / init enforcing · b1d81645

Nick Kralevich authored 11 years ago

Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.

Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6

b1d81645

Make the ueventd domain enforcing. · 00739e3d

Nick Kralevich authored 11 years ago

All (known) denials have been addressed.

Change-Id: Ic12ed190a2efb7f20be589137a27b95d03dde25a

00739e3d

am a7716718: Label /data/misc/media and allow mediaserver access to it. · b53788de
Stephen Smalley authored 11 years ago
```
* commit 'a7716718':
  Label /data/misc/media and allow mediaserver access to it.
```
b53788de

Label /data/misc/media and allow mediaserver access to it. · a7716718

Stephen Smalley authored 11 years ago

Otherwise we get denials like these on 4.4:

type=1400 audit(1383590170.360:29): avc: denied { write } for pid=61 comm="mediaserver" name="media" dev="mtdblock1" ino=6416 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc: denied { add_name } for pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
type=1400 audit(1383590170.360:29): avc: denied { create } for pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590170.360:29): avc: denied { write open } for pid=61 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc: denied { write } for pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
type=1400 audit(1383590255.100:231): avc: denied { open } for pid=832 comm="mediaserver" name="emulator.camera.hotplug.0" dev="mtdblock1" ino=6431 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Change-Id: Ic374488f8b62bd4f8b3c90f30da0e8d1ed1a7343
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

a7716718

am ddf98fa8: Neverallow access to the kmem device from userspace. · eac6e590
Geremy Condra authored 11 years ago
```
* commit 'ddf98fa8':
  Neverallow access to the kmem device from userspace.
```
eac6e590
Neverallow access to the kmem device from userspace. · ddf98fa8
Geremy Condra authored 11 years ago
```
Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
```
ddf98fa8

Nov 07, 2013

am 0ea4ac8a: Merge "Move goldfish-specific rules to their own directory." · 7bc576d5
Nick Kralevich authored 11 years ago
```
* commit '0ea4ac8a':
  Move goldfish-specific rules to their own directory.
```
7bc576d5
Merge "Move goldfish-specific rules to their own directory." · 0ea4ac8a
Nick Kralevich authored 11 years ago

0ea4ac8a
am 842a1111: Merge "Confine healthd, but leave it permissive for now." · 289fe68b
Nick Kralevich authored 11 years ago
```
* commit '842a1111':
  Confine healthd, but leave it permissive for now.
```
289fe68b
Merge "Confine healthd, but leave it permissive for now." · 842a1111
Nick Kralevich authored 11 years ago

842a1111
am fec3c5ad: Merge "Make the keystore domain enforcing." · 6b754790
Nick Kralevich authored 11 years ago
```
* commit 'fec3c5ad':
  Make the keystore domain enforcing.
```
6b754790
Merge "Make the keystore domain enforcing." · fec3c5ad
Nick Kralevich authored 11 years ago

fec3c5ad
am aaac2468: /system/bin/ash and /system/bin/mksh are dead. · 1e38a555
Elliott Hughes authored 11 years ago
```
* commit 'aaac2468':
  /system/bin/ash and /system/bin/mksh are dead.
```
1e38a555
/system/bin/ash and /system/bin/mksh are dead. · aaac2468
Elliott Hughes authored 11 years ago
```
Long live /system/bin/sh!

Change-Id: I5af63c1bdc3585835ee273ed9995d8fac14792da
```
aaac2468

Confine healthd, but leave it permissive for now. · 2a604adf

Stephen Smalley authored 11 years ago

Remove unconfined_domain() and add the allow rules required for
operation of healthd. Restore the permissive declaration until
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4
kernel.

Resolves the following denials in 4.4:
type=1400 audit(1383590167.750:14): avc: denied { read } for pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file
type=1400 audit(1383590167.750:15): avc: denied { mknod } for pid=49 comm="healthd" capability=27 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc: denied { create } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { setopt } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc: denied { net_admin } for pid=49 comm="healthd" capability=12 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:18): avc: denied { bind } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
shell@generic:/ $ type=1400 audit(1383590168.800:21): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:22): avc: denied { transfer } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:23): avc: denied { 0x10 } for pid=49 comm="healthd" capability=36 scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590168.800:24): avc: denied { read } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590212.320:161): avc: denied { call } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc: denied { transfer } for pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:162): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder
type=1400 audit(1383590275.930:463): avc: denied { call } for pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

2a604adf

am f232f25b: Merge "Move audio_firmware_file and /data/misc/audio entry to core sepolicy." · a74edc15
Nick Kralevich authored 11 years ago
```
* commit 'f232f25b':
  Move audio_firmware_file and /data/misc/audio entry to core sepolicy.
```
a74edc15

Nov 06, 2013
- Merge "Move audio_firmware_file and /data/misc/audio entry to core sepolicy." · f232f25b
  Nick Kralevich authored 11 years ago
  
  f232f25b
- Make the keystore domain enforcing. · 870c4e5e
  Stephen Smalley authored 11 years ago
  
  Change-Id: I7ef479ac1806b0a52bb0145a82d6d4265edc1f3e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Bug: 11518274
  870c4e5e
- am 2d8dcb73 : Revert "Make the keystore domain enforcing." · ca056dce
  Nick Kralevich authored 11 years ago
  
  * commit '2d8dcb73': Revert "Make the keystore domain enforcing."
  ca056dce
- Move audio_firmware_file and /data/misc/audio entry to core sepolicy. · a7c8ea86
  Stephen Smalley authored 11 years ago
  
  Change-Id: Ib8c96ab9e19d34e8e34a4c859528345763be4906 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  a7c8ea86
- Move goldfish-specific rules to their own directory. · 2e0b4a14
  Stephen Smalley authored 11 years ago
  
  Change-Id: I1bdd80f641db05fef4714654515c1e1fbb259794 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  2e0b4a14
Nov 05, 2013

Revert "Make the keystore domain enforcing." · 2d8dcb73

Nick Kralevich authored 11 years ago

This is causing runtime restarts on flo/deb when uninstalling
some APKs. Revert while I investigate it.

11-04 21:52:41.487 687 704 I ActivityManager: Force stopping com.android.development appid=10078 user=-1: uninstall pkg
11-04 21:52:41.487 687 712 W PackageManager: Couldn't delete native library directory /data/app-lib/com.android.development
11-04 21:52:41.557 687 712 W dalvikvm: threadid=20: thread exiting with uncaught exception (group=0x959dfae8)
11-04 21:52:41.557 687 712 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: PackageManager
11-04 21:52:41.557 687 712 E AndroidRuntime: java.lang.NullPointerException
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.security.KeyStore.clearUid(KeyStore.java:327)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.removeKeystoreDataIfNeeded(PackageManagerService.java:9787)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.removePackageDataLI(PackageManagerService.java:9384)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deleteInstalledPackageLI(PackageManagerService.java:9503)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deletePackageLI(PackageManagerService.java:9612)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.deletePackageX(PackageManagerService.java:9239)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService.access$4100(PackageManagerService.java:178)
11-04 21:52:41.557 687 712 E AndroidRuntime: at com.android.server.pm.PackageManagerService$7.run(PackageManagerService.java:9173)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:733)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.Looper.loop(Looper.java:136)
11-04 21:52:41.557 687 712 E AndroidRuntime: at android.os.HandlerThread.run(HandlerThread.java:61)
11-04 21:52:41.567 687 712 I Process : Sending signal. PID: 687 SIG: 9

and

[ 7.324554] type=1400 audit(1383601030.823:5): avc: denied { read write } for pid=192 comm="keystore" name="qseecom" dev="tmpfs" ino=7521 scontext=u:r:keystore:s0 tcontext=u:object_r:device:s0 tclass=chr_file

This reverts commit 709d7183.

Bug: 11518274

2d8dcb73

Nov 04, 2013
- am 7316b18a : README: recommend concatenation vs assignment · 3cedab40
  Nick Kralevich authored 11 years ago
  
  * commit '7316b18a': README: recommend concatenation vs assignment
  3cedab40
Nov 01, 2013

README: recommend concatenation vs assignment · 7316b18a

Nick Kralevich authored 11 years ago

Recommend using concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This will allow
sepolicy to exist in the vendor directory.

Change-Id: If982217fcb3645d9c6b37a341755b5b65f26fc5f

7316b18a

am cd95e0ac: Allow system_server to set powerctl_prop · ed06d204
Nick Kralevich authored 11 years ago
```
* commit 'cd95e0ac':
  Allow system_server to set powerctl_prop
```
ed06d204

Allow system_server to set powerctl_prop · cd95e0ac

Nick Kralevich authored 11 years ago

Otherwise we break "adb root && adb shell svc power reboot",
which has the side effect of killing all of our test automation
(oops).

Bug: 11477487
Change-Id: I199b0a3a8c47a4830fe8c872dae9ee3a5a0cb631

cd95e0ac

am dd1ec6d5: Give system_server / system_app ability to write some properties · 74ae46a0
Nick Kralevich authored 11 years ago
```
* commit 'dd1ec6d5':
  Give system_server / system_app ability to write some properties
```
74ae46a0

Give system_server / system_app ability to write some properties · dd1ec6d5

Nick Kralevich authored 11 years ago

Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[  131.700473] avc:  denied  { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[  131.700625] init: sys_prop: permission denied uid:1000  name:debug.force_rtl
<4>[  132.630062] avc:  denied  { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[  132.630184] init: sys_prop: permission denied uid:1000  name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6

dd1ec6d5

am 58da198a: Merge "Confine system_server, but leave it permissive for now." · 4358866a
Nick Kralevich authored 11 years ago
```
* commit '58da198a':
  Confine system_server, but leave it permissive for now.
```
4358866a
am 98f8b27f: Merge "Confine hci_attach, but leave it permissive for now." · 20f4ed47
Nick Kralevich authored 11 years ago
```
* commit '98f8b27f':
  Confine hci_attach, but leave it permissive for now.
```
20f4ed47
am 893cbcfd: Merge "Confine surfaceflinger, but leave it permissive for now." · 63f32e72
Nick Kralevich authored 11 years ago
```
* commit '893cbcfd':
  Confine surfaceflinger, but leave it permissive for now.
```
63f32e72
Merge "Confine system_server, but leave it permissive for now." · 58da198a
Nick Kralevich authored 11 years ago

58da198a
Merge "Confine hci_attach, but leave it permissive for now." · 98f8b27f
Nick Kralevich authored 11 years ago

98f8b27f