Commits · e5be3a6bede495d2a99d99652fc1d58dc86772b6 · Werner Sembach / AndroidSystemSEPolicy

Jan 07, 2014

Fix denials triggered by adb shell screencap. · e5be3a6b

Stephen Smalley authored 11 years ago


Change-Id: Ief925f1f49a6579d5a7a1035f3732834238fa590
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e5be3a6b

merge in master-release history after reset to master · edf57800
The Android Automerger authored 11 years ago

edf57800

Revert "Make ping enforcing." · 028e0565

Nick Kralevich authored 11 years ago

Causing adbd to run at 100% cpu utilization when the following
sequence of commands are run:

1) Run the command "adb shell ping -c 1 -w 5 www.google.com" for 5 times
2) Run "adb shell top -m 5"

The following denial occurs:

<5>[   20.647559] type=1400 audit(1389054327.861:21): avc:  denied  { sigchld } for  pid=1989 comm="adbd" scontext=u:r:ping:s0 tcontext=u:r:adbd:s0 tclass=process

Reverting for now.

This reverts commit 1b556c32.

Bug: 12251052
Change-Id: I1b9920624f49b0aed2226c41a45005aff228d9e8

028e0565

am 7b5da7bd: am a6f88c73: Revert "Make ping enforcing." · 9cad3272
Nick Kralevich authored 11 years ago
```
* commit '7b5da7bd':
  Revert "Make ping enforcing."
```
9cad3272

fix mediaserver selinux denials. · 740ce654

Nick Kralevich authored 11 years ago

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[   22.812859] type=1400 audit(1389041093.955:17): avc:  denied  { read } for  pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.813103] type=1400 audit(1389041093.955:18): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.832041] type=1400 audit(1389041093.975:19): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357470] type=1400 audit(1389041123.494:29): avc:  denied  { read } for  pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357717] type=1400 audit(1389041123.494:30): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.382276] type=1400 audit(1389041123.524:31): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074

740ce654

surfaceflinger: fix bugreport screenshot functionality · 8decca39

Nick Kralevich authored 11 years ago

When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.

Addresses the following denials:

<5> type=1400 audit(1389047451.385:23): avc:  denied  { call } for  pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc:  denied  { write } for  pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be

8decca39

am a6f88c73: Revert "Make ping enforcing." · 7b5da7bd
Nick Kralevich authored 11 years ago
```
* commit 'a6f88c73':
  Revert "Make ping enforcing."
```
7b5da7bd

Revert "Make ping enforcing." · a6f88c73

Nick Kralevich authored 11 years ago

Causing adbd to run at 100% cpu utilization when the following
sequence of commands are run:

1) Run the command "adb shell ping -c 1 -w 5 www.google.com" for 5 times
2) Run "adb shell top -m 5"

The following denial occurs:

<5>[   20.647559] type=1400 audit(1389054327.861:21): avc:  denied  { sigchld } for  pid=1989 comm="adbd" scontext=u:r:ping:s0 tcontext=u:r:adbd:s0 tclass=process

Reverting for now.

This reverts commit 1b556c32.

Bug: 12251052
Change-Id: I1b9920624f49b0aed2226c41a45005aff228d9e8

a6f88c73

am 5be58ab1: am b8ac06f3: Revert "Make mediaserver enforcing." · f083014a
Nick Kralevich authored 11 years ago
```
* commit '5be58ab1':
  Revert "Make mediaserver enforcing."
```
f083014a
Revert "Make mediaserver enforcing." · f7b72d61
Nick Kralevich authored 11 years ago
```
Too many bugs.

This reverts commit cc964543.
```
f7b72d61
am b8ac06f3: Revert "Make mediaserver enforcing." · 5be58ab1
Nick Kralevich authored 11 years ago
```
* commit 'b8ac06f3':
  Revert "Make mediaserver enforcing."
```
5be58ab1
Revert "Make mediaserver enforcing." · b8ac06f3
Nick Kralevich authored 11 years ago
```
Too many bugs.

This reverts commit cc964543.
```
b8ac06f3

Jan 06, 2014

am a8e9391a: am 3d770d25: surfaceflinger: fix bugreport screenshot functionality · d16dccc4
Nick Kralevich authored 11 years ago
```
* commit 'a8e9391a':
  surfaceflinger: fix bugreport screenshot functionality
```
d16dccc4
am 3d770d25: surfaceflinger: fix bugreport screenshot functionality · a8e9391a
Nick Kralevich authored 11 years ago
```
* commit '3d770d25':
  surfaceflinger: fix bugreport screenshot functionality
```
a8e9391a

surfaceflinger: fix bugreport screenshot functionality · 3d770d25

Nick Kralevich authored 11 years ago

When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.

Addresses the following denials:

<5> type=1400 audit(1389047451.385:23): avc:  denied  { call } for  pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc:  denied  { write } for  pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be

3d770d25

am 35e41610: am 37339c76: fix mediaserver selinux denials. · 5361c45e
Nick Kralevich authored 11 years ago
```
* commit '35e41610':
  fix mediaserver selinux denials.
```
5361c45e
am 37339c76: fix mediaserver selinux denials. · 35e41610
Nick Kralevich authored 11 years ago
```
* commit '37339c76':
  fix mediaserver selinux denials.
```
35e41610

fix mediaserver selinux denials. · 37339c76

Nick Kralevich authored 11 years ago

mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[   22.812859] type=1400 audit(1389041093.955:17): avc:  denied  { read } for  pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.813103] type=1400 audit(1389041093.955:18): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.832041] type=1400 audit(1389041093.975:19): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357470] type=1400 audit(1389041123.494:29): avc:  denied  { read } for  pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357717] type=1400 audit(1389041123.494:30): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.382276] type=1400 audit(1389041123.524:31): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074

37339c76

am e58a42f8: am a4e28f2e: Merge "Allow dumpstate to write shell files" · 5e220874
Nick Kralevich authored 11 years ago
```
* commit 'e58a42f8':
  Allow dumpstate to write shell files
```
5e220874
am 53c03f1b: am a730e50b: Don\'t allow zygote init:binder call · 97bc7239
Nick Kralevich authored 11 years ago
```
* commit '53c03f1b':
  Don't allow zygote init:binder call
```
97bc7239
am badf49d0: am ed1648a4: Merge "Address adb backup/restore denials." · a2f1e48d
Nick Kralevich authored 11 years ago
```
* commit 'badf49d0':
  Address adb backup/restore denials.
```
a2f1e48d
am a4e28f2e: Merge "Allow dumpstate to write shell files" · e58a42f8
Nick Kralevich authored 11 years ago
```
* commit 'a4e28f2e':
  Allow dumpstate to write shell files
```
e58a42f8
am a730e50b: Don\'t allow zygote init:binder call · 53c03f1b
Nick Kralevich authored 11 years ago
```
* commit 'a730e50b':
  Don't allow zygote init:binder call
```
53c03f1b
Merge "Allow dumpstate to write shell files" · a4e28f2e
Nick Kralevich authored 11 years ago

a4e28f2e

Allow dumpstate to write shell files · bfa3cd51

Nick Kralevich authored 11 years ago

Allow the bugreport service to create files in
/data/data/com.android.shell/files/bugreports/bugreport .

Addresses the following denials:

<5>[31778.629368] type=1400 audit(1388876199.162:230): avc:  denied  { write } for  pid=19092 comm="dumpstate" name="bugreports" dev="mmcblk0p28" ino=1565709 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[31778.629493] type=1400 audit(1388876199.162:231): avc:  denied  { add_name } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[31778.629622] type=1400 audit(1388876199.162:232): avc:  denied  { create } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[31778.629779] type=1400 audit(1388876199.162:233): avc:  denied  { write open } for  pid=19092 comm="dumpstate" name="bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[31778.629977] type=1400 audit(1388876199.162:234): avc:  denied  { getattr } for  pid=19092 comm="dumpstate" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-04-14-56-39.txt.tmp" dev="mmcblk0p28" ino=1566628 scontext=u:r:dumpstate:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I080613e8a2c989a7b50fde914271967a814c4ff4

bfa3cd51

Jan 04, 2014

Don't allow zygote init:binder call · a730e50b

Nick Kralevich authored 11 years ago

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50

a730e50b

am ed1648a4: Merge "Address adb backup/restore denials." · badf49d0
Nick Kralevich authored 11 years ago
```
* commit 'ed1648a4':
  Address adb backup/restore denials.
```
badf49d0
Merge "Address adb backup/restore denials." · ed1648a4
Nick Kralevich authored 11 years ago

ed1648a4

Jan 03, 2014
- Address adb backup/restore denials. · c4021ceb
  Stephen Smalley authored 11 years ago
  
  Resolves the following denials seen during an adb backup and restore sequence. <5>[ 90.247039] type=1400 audit(1388759567.693:16): avc: denied { getopt } for pid=3503 comm="Thread-149" scontext=u:r:system_server:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket <5>[ 90.249176] type=1400 audit(1388759567.703:17): avc: denied { getopt } for pid=2334 comm="app_process" scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket Change-Id: I1f6f90f29eecc32ee692764b04b812988f099cde Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  c4021ceb
- am 91811dba : am 301e61e7 : Merge "Make mediaserver enforcing." · 23a1a0ee
  Nick Kralevich authored 11 years ago
  
  * commit '91811dba': Make mediaserver enforcing.
  23a1a0ee
- am 79ec510b : am 14a7764d : Merge "Make media_app enforcing." · b339240f
  Nick Kralevich authored 11 years ago
  
  * commit '79ec510b': Make media_app enforcing.
  b339240f
- am bc15519a : am af288172 : Merge "Make nfc enforcing." · caa928fb
  Nick Kralevich authored 11 years ago
  
  * commit 'bc15519a': Make nfc enforcing.
  caa928fb
- am 301e61e7 : Merge "Make mediaserver enforcing." · 91811dba
  Nick Kralevich authored 11 years ago
  
  * commit '301e61e7': Make mediaserver enforcing.
  91811dba
- am 14a7764d : Merge "Make media_app enforcing." · 79ec510b
  Nick Kralevich authored 11 years ago
  
  * commit '14a7764d': Make media_app enforcing.
  79ec510b
- Merge "Make mediaserver enforcing." · 301e61e7
  Nick Kralevich authored 11 years ago
  
  301e61e7
- am af288172 : Merge "Make nfc enforcing." · bc15519a
  Nick Kralevich authored 11 years ago
  
  * commit 'af288172': Make nfc enforcing.
  bc15519a
- Merge "Make media_app enforcing." · 14a7764d
  Nick Kralevich authored 11 years ago
  
  14a7764d
- Merge "Make nfc enforcing." · af288172
  Nick Kralevich authored 11 years ago
  
  af288172
- am d5e316e3 : am 782af9ea : Merge "Make radio enforcing." · d85d8ebb
  Nick Kralevich authored 11 years ago
  
  * commit 'd5e316e3': Make radio enforcing.
  d85d8ebb
- am 15aa74f4 : am ee3cfd25 : Merge "Make bluetooth enforcing." · 689e9554
  Nick Kralevich authored 11 years ago
  
  * commit '15aa74f4': Make bluetooth enforcing.
  689e9554