Commits · d1435604455e5e274c88f6ee0308c7881cddaf20 · Werner Sembach / AndroidSystemSEPolicy

Feb 04, 2016
- persist.mmc.* only set in init · d1435604
  Mark Salyzyn authored 9 years ago
  
  Bug: 26976972 Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118
  d1435604
- Merge "Fix SELinux warning when passing fuse FD from system server." · 4c42a0dc
  Daichi Hirono authored 9 years ago
  
  4c42a0dc
Feb 03, 2016

Fix SELinux warning when passing fuse FD from system server. · 59e3d7b4

Daichi Hirono authored 9 years ago

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd

59e3d7b4

Feb 01, 2016
- Merge "init: allow to access console-ramoops with newer kernels" · 84fbd53a
  Jeffrey Vander Stoep authored 9 years ago
  
  84fbd53a
Jan 28, 2016

Merge "mediaserver: grant perms from domain_deprecated" · 3d8391e7
Jeffrey Vander Stoep authored 9 years ago

3d8391e7
Merge "logd: grant perms from domain_deprecated" · 61e93860
Jeffrey Vander Stoep authored 9 years ago

61e93860
Merge "kernel: grant perms from domain_deprecated" · e48ab784
Jeffrey Vander Stoep authored 9 years ago

e48ab784

mediaserver: grant perms from domain_deprecated · 72e78bfc

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7

72e78bfc

logd: grant perms from domain_deprecated · 2f3979a7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02

2f3979a7

kernel: grant perms from domain_deprecated · bc2b76b0

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1

Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3

bc2b76b0

Jan 27, 2016

Allow apps to check attrs of /cache · 0e591bd2

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0

Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6

0e591bd2

Merge "vold: grant perms from domain_deprecated" · 1cf93217
Jeffrey Vander Stoep authored 9 years ago

1cf93217
Merge "healthd: grant perms from domain_deprecated" · f33507df
Jeffrey Vander Stoep authored 9 years ago

f33507df
Merge "remove access_kmsg macro, because it to be more explicit." · fea9ad7c
Daniel Cashman authored 9 years ago

fea9ad7c
Merge "zygote: grant perms from domain_deprecated" · eecaa0b5
Jeffrey Vander Stoep authored 9 years ago

eecaa0b5

vold: grant perms from domain_deprecated · 9306072c

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file

avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir

avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir

avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir

9306072c

healthd: grant perms from domain_deprecated · 12401b8d

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e

12401b8d

zygote: grant perms from domain_deprecated · cee6a0e7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2

cee6a0e7

Allow sdcardd tmpfs read access. · db559a34

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0

vold: EmulatedVolume calls sdcard to mount on /storage/emulated.

Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee

db559a34

Merge "Revert "zygote: grant perms from domain_deprecated"" · 98f60e5c
Jeffrey Vander Stoep authored 9 years ago

98f60e5c
Revert "zygote: grant perms from domain_deprecated" · b898360e
Jeffrey Vander Stoep authored 9 years ago
```
This reverts commit e52fff83.

Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
```
b898360e
Merge "zygote: grant perms from domain_deprecated" · 4115beae
Jeffrey Vander Stoep authored 9 years ago

4115beae

zygote: grant perms from domain_deprecated · e52fff83

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Change-Id: I5b505ad386a445113bc0a1bb35d4f88f7761c048

e52fff83

init: allow to access console-ramoops with newer kernels · 9a28f90d

Sylvain Chouleur authored 9 years ago


Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability a process accessing
console-ramoops file.

sepolicy must be adapted to this new requirement.

Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>

9a28f90d

Merge "Revert "Remove domain_deprecated from sdcard domains"" · c4121add
Narayan Kamath authored 9 years ago

c4121add
Revert "Remove domain_deprecated from sdcard domains" · f4d7eef7
Narayan Kamath authored 9 years ago
```
This reverts commit 0c7bc58e.

bug: 26807309

Change-Id: I8a7b0e56a0d6f723508d0fddceffdff76eb0459a
```
f4d7eef7

domain: grant write perms to cgroups · be0616ba

Jeff Vander Stoep authored 9 years ago

Was moved to domain_deprecated. Move back to domain.

Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.

Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53

be0616ba

Restore untrusted_app proc_net access. · 5833e3f5

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(0.0:853): avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26806629
Change-Id: Ic2ad91aadac00dc04d7e04f7460d5681d81134f4

5833e3f5

Jan 26, 2016

remove access_kmsg macro, because it to be more explicit. · 001b10bd
SimHyunYong authored 9 years ago
```
This macro does not give us anything to it.

Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
```
001b10bd

Using r_dir_file macro in domain.te · 093ea6fb

SimHyunYong authored 9 years ago

r_dir_file(domain, self)

allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:file r_file_perms;

te_macros
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')

Change-Id: I7338f63a1eaa8ca52cd31b51ce841e3dbe46ad4f

093ea6fb

Merge "Remove domain_deprecated from sdcard domains" · cdae042a
Jeffrey Vander Stoep authored 9 years ago

cdae042a
Merge "bootstat: Fix the SELinux policy after removing domain_deprecated." · ae29dea8
James Hawkins authored 9 years ago

ae29dea8

bootstat: Fix the SELinux policy after removing domain_deprecated. · 2e8d71c3

James Hawkins authored 9 years ago

* Allow reading /proc.

type=1400 audit(1453834004.239:7): avc: denied { read } for pid=1305
comm="bootstat" name="uptime" dev="proc" ino=4026536600
scontext=u:r:bootstat:s0 tcontext=u:object_r:proc:s0 tclass=file
permissive=0

* Define domain for the /system/bin/bootstat file.

init: Service exec 4 (/system/bin/bootstat) does not have a SELinux
domain defined.

Bug: 21724738
Change-Id: I4baa2fa7466ac35a1ced79776943c07635ec9804

2e8d71c3

Delete policy it is alread included in binder_call macros. · 7171232c

SimHyunYong authored 9 years ago

define(`binder_call', `
allow $1 $2:binder { call transfer };
allow $2 $1:binder transfer;
allow $1 $2:fd use;
')

binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)

it is alread include these policy.. so I can delete these policy!
allow surfaceflinger appdomain:fd use;
allow surfaceflinger bootanim:fd use;

7171232c

Merge "Delete duplicated policy, it is already include in app.te." · 0220b345
Jeffrey Vander Stoep authored 9 years ago

0220b345
Merge "Allow update_engine to use Binder IPC." · 6899e0a3
Tao Bao authored 9 years ago

6899e0a3
Delete duplicated policy, it is already include in app.te. · 5ba9af23
SimHyunYong authored 9 years ago
```
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
```
5ba9af23

Allow update_engine to use Binder IPC. · dce317cf

Tao Bao authored 9 years ago

avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:servicemanager:s0 tclass=binder
avc: denied { add } for service=android.os.IUpdateEngine scontext=u:r:update_engine:s0 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager

Also allow priv_app to communicate with update_engine.

avc: denied { find } for service=android.os.IUpdateEngine scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:update_engine_service:s0 tclass=service_manager
avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:update_engine:s0 tclass=binder
avc: denied { call } for scontext=u:r:update_engine:s0 tcontext=u:r:priv_app:s0 tclass=binder

Change-Id: Ib4498717c1a72f5faab5ea04c636924ee4eb412c

dce317cf

Add adbd socket perms to system_server. · b037a6c9

dcashman authored 9 years ago

Commit 2fdeab37 added ability to debug
over adbd for zygote-spawned apps, required by removal of domain_deprecated
from untrusted_app.  This functionality is a core debugabble component
of the android runtime, so it is needed by system_server as well.

Bug: 26458796
Change-Id: I29f5390122b3644449a5c3dcf4db2d0e969f6a9a

b037a6c9

Jan 25, 2016

app: connect to adbd · 2fdeab37

Jeff Vander Stoep authored 9 years ago

Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496

2fdeab37