Commits · e03095027456b99acb3764e79b8b850c1c132891 · Werner Sembach / AndroidSystemSEPolicy

Jan 09, 2014

Do not allow zygote to execve dalvikcache files. · 49c995d1

Stephen Smalley authored 11 years ago


x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.

Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

49c995d1

Remove unlabeled execute access from domain, add to appdomain. · 959fdaaa

Stephen Smalley authored 11 years ago


Otherwise all domains can create/write files that are executable
by all other domains.  If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

959fdaaa

Jan 04, 2014

Don't allow zygote init:binder call · a730e50b

Nick Kralevich authored 11 years ago

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50

a730e50b

Sep 23, 2013

zygote.te: fix comment. · e9c4181b

Nick Kralevich authored 11 years ago

per the discussion in https://android-review.googlesource.com/#/c/65063/1/zygote.te
adjust the comment in this file.

Change-Id: I8db31e22ec34493442bc8e86bcd0bc0136b7bae4

e9c4181b

Revert "Give Zygote the ability to write app data files." · 199fc73f

Nick Kralevich authored 11 years ago

This was a mistaken attempt to fix bug 10498304, but it didn't
actually have any impact. Revert.

This reverts commit fc2bd01b.

Bug: 10498304

199fc73f

Sep 17, 2013

Follow-up to rename system to system_server. · 82140be9

Alex Klyubin authored 11 years ago

1fdee11d renamed domain system to
system_server in AOSP. This CL applies the rename to the rules that
weren't in AOSP at the time.

Change-Id: I0e226ddca2e01ed577204ddb4886a71f032a01ed

82140be9

1/2: Rename domain "system" to "system_server". · 1fdee11d

Alex Klyubin authored 11 years ago

This is a follow-up CL to the extraction of "system_app" domain
from the "system" domain which left the "system" domain encompassing
just the system_server.

Since this change cannot be made atomically across different
repositories, it temporarily adds a typealias "server" pointing to
"system_server". Once all other repositories have been switched to
"system_server", this alias will be removed.

Change-Id: I90a6850603dcf60049963462c5572d36de62bc00

1fdee11d

Sep 10, 2013

Backport part of to klp-dev · 9565c5ce

Nick Kralevich authored 11 years ago

Part of d615ef34 hasn't been backported
to klp-dev yet.  Do it now.

Change-Id: Ib4f26c64d376e236fa3f76166f5d78a9f28b79a3

9565c5ce

Fix bug report notification not showing up. · b9bbfeb0
Alex Klyubin authored 11 years ago
```
Bug: 10498304
Change-Id: I74cac92368353694612dbd94f0d072b97ec9878b
```
b9bbfeb0

Sep 09, 2013
- Fix bug report notification not showing up. · a96a05a8
  Nick Kralevich authored 11 years ago
  
  Bug: 10498304 Change-Id: Ic0e30bdf6cc35f9d9e2752f36940e75e7ae37d83
  a96a05a8
- Fix bug report notification not showing up. · d629b87e
  Nick Kralevich authored 11 years ago
  
  Bug: 10498304 Change-Id: Ic0e30bdf6cc35f9d9e2752f36940e75e7ae37d83
  d629b87e
Sep 05, 2013

Give Zygote the ability to write app data files. · ae5927b8

Geremy Condra authored 11 years ago

This fixes another bug encountered while taking bugreports.

Bug: 10498304
Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd

ae5927b8

Sep 04, 2013
- Fix miscellaneous long-tail denials. · d615ef34
  Geremy Condra authored 11 years ago
  
  Change-Id: Ie0947f79c63f962220d3c9316c5d5d82f677821f
  d615ef34
- Give Zygote the ability to write app data files. · 090645b3
  Geremy Condra authored 11 years ago
  
  This fixes another bug encountered while taking bugreports. Bug: 10498304 Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd
  090645b3
Aug 30, 2013
- Give Zygote the ability to write app data files. · fc2bd01b
  Geremy Condra authored 11 years ago
  
  This fixes another bug encountered while taking bugreports. Bug: 10498304 Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd
  fc2bd01b
- Fix denials encountered while getting bugreports. · 81560733
  Geremy Condra authored 11 years ago
  
  Bug: 10498304 Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74
  81560733
Aug 28, 2013
- Add capabilities to Zygote to fix valgrind. · e0362602
  Geremy Condra authored 11 years ago
  
  Bug: 10455872 Change-Id: I98885e8cd1e4f9ab0d3e2af6d79b078a000db539
  e0362602
Jul 10, 2013
- Give zygote the ability to execute dalvik cache files. · aee5a18a
  Geremy Condra authored 11 years ago
  
  Change-Id: I129536c3d9f6359228165d8a5ec373780b312c86
  aee5a18a
Jul 01, 2013

zygote: enable SELinux restrictions · 6aca515c

Nick Kralevich authored 11 years ago

This change enables SELinux security enforcement on zygote
(but not zygote spawned apps).

For the zygote.te file only, this change is equivalent to reverting
the following commits:

* 50e37b93
* 77d4731e

No other changes were required.

Testing: As much as possible, I've tested that zygote properly
starts up, and that there's no problem spawning zygote or zygote
apps. There were no denials in the kernel dmesg log, and
everything appears to work correctly. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.

Bug: 9657732
Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558

6aca515c

May 20, 2013

Make all domains unconfined. · 77d4731e

repo sync authored 11 years ago

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

77d4731e

May 15, 2013
- Move domains into per-domain permissive mode. · 50e37b93
  repo sync authored 11 years ago
  
  Bug: 4070557 Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
  50e37b93
Apr 05, 2013

Give domains read access to security_file domain. · 7bb2a55c

William Roberts authored 11 years ago

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

7bb2a55c

Give domains read access to security_file domain. · 6c4c27e6

William Roberts authored 11 years ago

/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41

6c4c27e6

Mar 29, 2013

Add remount capability to Zygote. · 06575ee4

Geremy Condra authored 12 years ago

This is a consequence of https://googleplex-android-review.googlesource.com/#/c/278069/

Change-Id: I9b310860534a80e7145950f6c632cf5ba0ad56a7

06575ee4

Mar 28, 2013

Add remount capability to Zygote. · 8b80fa89

Geremy Condra authored 12 years ago

This is a consequence of https://googleplex-android-review.googlesource.com/#/c/278069/

Change-Id: I9b310860534a80e7145950f6c632cf5ba0ad56a7

8b80fa89

Mar 27, 2013

Various policy updates. · 65d4f44c

Robert Craig authored 12 years ago


Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

65d4f44c

Mar 23, 2013
- Allow zygote to search tmpfs. · 8b3b4fe7
  rpcraig authored 12 years ago
  
  Change-Id: Ib0bdcbc1a7e45e1d1a046c9fa8aff89183ebfe0d
  8b3b4fe7
Mar 22, 2013

Split internal and external sdcards · c195ec31

William Roberts authored 12 years ago

Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

c195ec31

Feb 19, 2013

zygote requires setpcap in order to drop from its bounding set. · e468016b

Stephen Smalley authored 12 years ago

I8560fa5ad125bf31f0d13be513431697bc7d22bb changed the zygote
to limit the bounding capability set to CAP_NET_RAW. This triggers
a CAP_SETPCAP check by the kernel, which requires SELinux setpcap permission.

Change-Id: Ib910d97dcf708273e2806e2824f4abe9fc239d6d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e468016b

Nov 19, 2012

Update policy for Android 4.2 / latest master. · 61c80d5e

Stephen Smalley authored 12 years ago


Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

61c80d5e

Jan 04, 2012
- SE Android policy. · 2dd4e51d
  Stephen Smalley authored 13 years ago
  
  2dd4e51d