Commits · eb3480b70fdf0d9ea539b0834dd7d39443fc55e4 · Werner Sembach / AndroidSystemSEPolicy

Feb 05, 2016

Allow domain to read proc dirs. · eb3480b7
dcashman authored 9 years ago
```
am: abf31acb

* commit 'abf31acb':
  Allow domain to read proc dirs.
```
eb3480b7

Allow domain to read proc dirs. · abf31acb

dcashman authored 9 years ago

Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.

Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0

Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3

abf31acb

Replace "neverallow domain" by "neverallow *" · 8f611b6e
Nick Kralevich authored 9 years ago
```
am: 35a14514

* commit '35a14514':
  Replace "neverallow domain" by "neverallow *"
```
8f611b6e

Replace "neverallow domain" by "neverallow *" · 35a14514

Nick Kralevich authored 9 years ago

Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf

35a14514

Feb 04, 2016
- persist.mmc.* only set in init · 47f95192
  Mark Salyzyn authored 9 years ago
  
  am: d1435604 * commit 'd1435604': persist.mmc.* only set in init
  47f95192
- persist.mmc.* only set in init · d1435604
  Mark Salyzyn authored 9 years ago
  
  Bug: 26976972 Change-Id: I0e44bfc6774807a3bd2ba05637a432675d855118
  d1435604
- Merge "Fix SELinux warning when passing fuse FD from system server." · f9065c89
  Daichi Hirono authored 9 years ago
  
  am: 4c42a0dc * commit '4c42a0dc': Fix SELinux warning when passing fuse FD from system server.
  f9065c89
- Merge "Fix SELinux warning when passing fuse FD from system server." · 4c42a0dc
  Daichi Hirono authored 9 years ago
  
  4c42a0dc
Feb 03, 2016

Fix SELinux warning when passing fuse FD from system server. · 59e3d7b4

Daichi Hirono authored 9 years ago

Before applying the CL, Android shows the following error when passing
FD of /dev/fuse.

> Binder_2: type=1400 audit(0.0:38): avc: denied { getattr } for
> path="/dev/fuse" dev="tmpfs" ino=9300 scontext=u:r:system_server:s0
> tcontext=u:object_r:fuse_device:s0 tclass=chr_file permissive=0

Change-Id: I59dec819d79d4e2e1a8e42523b6f521481cb2afd

59e3d7b4

Feb 01, 2016
- Merge "init: allow to access console-ramoops with newer kernels" · fa335306
  Jeffrey Vander Stoep authored 9 years ago
  
  am: 84fbd53a * commit '84fbd53a': init: allow to access console-ramoops with newer kernels
  fa335306
- Merge "init: allow to access console-ramoops with newer kernels" · 84fbd53a
  Jeffrey Vander Stoep authored 9 years ago
  
  84fbd53a
Jan 28, 2016

Merge "mediaserver: grant perms from domain_deprecated" · 15decd69
Jeffrey Vander Stoep authored 9 years ago
```
am: 3d8391e7

* commit '3d8391e7':
  mediaserver: grant perms from domain_deprecated
```
15decd69
Merge "logd: grant perms from domain_deprecated" · e02124ff
Jeffrey Vander Stoep authored 9 years ago
```
am: 61e93860

* commit '61e93860':
  logd: grant perms from domain_deprecated
```
e02124ff
Merge "kernel: grant perms from domain_deprecated" · d9fcee9d
Jeffrey Vander Stoep authored 9 years ago
```
am: e48ab784

* commit 'e48ab784':
  kernel: grant perms from domain_deprecated
```
d9fcee9d
Merge "mediaserver: grant perms from domain_deprecated" · 3d8391e7
Jeffrey Vander Stoep authored 9 years ago

3d8391e7
Merge "logd: grant perms from domain_deprecated" · 61e93860
Jeffrey Vander Stoep authored 9 years ago

61e93860
Merge "kernel: grant perms from domain_deprecated" · e48ab784
Jeffrey Vander Stoep authored 9 years ago

e48ab784

mediaserver: grant perms from domain_deprecated · 72e78bfc

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { getattr } for path="/proc/self" dev="proc" ino=4026531841 scontext=u:r:mediaserver:s0 tcontext=u:object_r:proc:s0 tclass=lnk_file permissive=1
avc: denied { read } for name="mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
avc: denied { open } for path="/vendor/lib/mediadrm" dev="mmcblk0p24" ino=209 scontext=u:r:mediaserver:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1

Change-Id: Ibffa0c9a31316b9a2f1912ae68a8dcd3a4e671b7

72e78bfc

logd: grant perms from domain_deprecated · 2f3979a7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1
avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1

Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02

2f3979a7

kernel: grant perms from domain_deprecated · bc2b76b0

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1
avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1

Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3

bc2b76b0

Allow apps to check attrs of /cache · a38af1a9
dcashman authored 9 years ago
```
am: 0e591bd2

* commit '0e591bd2':
  Allow apps to check attrs of /cache
```
a38af1a9

Jan 27, 2016

Merge "vold: grant perms from domain_deprecated" · 9001f6f8
Jeffrey Vander Stoep authored 9 years ago
```
am: 1cf93217

* commit '1cf93217':
  vold: grant perms from domain_deprecated
```
9001f6f8

Allow apps to check attrs of /cache · 0e591bd2

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(0.0:261): avc: denied { getattr } for path="/cache" dev="mmcblk0p27" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0

Bug: 26823157
Change-Id: I937046969e92d96f2d31feceddd9ebe7c59bd3e6

0e591bd2

Merge "vold: grant perms from domain_deprecated" · 1cf93217
Jeffrey Vander Stoep authored 9 years ago

1cf93217
Merge "healthd: grant perms from domain_deprecated" · e3291403
Jeffrey Vander Stoep authored 9 years ago
```
am: f33507df

* commit 'f33507df':
  healthd: grant perms from domain_deprecated
```
e3291403
Merge "remove access_kmsg macro, because it to be more explicit." · 07ae9d5d
Daniel Cashman authored 9 years ago
```
am: fea9ad7c

* commit 'fea9ad7c':
  remove access_kmsg macro, because it to be more explicit.
```
07ae9d5d
Merge "healthd: grant perms from domain_deprecated" · f33507df
Jeffrey Vander Stoep authored 9 years ago

f33507df
Merge "remove access_kmsg macro, because it to be more explicit." · fea9ad7c
Daniel Cashman authored 9 years ago

fea9ad7c
Merge "zygote: grant perms from domain_deprecated" · fde8ca53
Jeffrey Vander Stoep authored 9 years ago
```
am: eecaa0b5

* commit 'eecaa0b5':
  zygote: grant perms from domain_deprecated
```
fde8ca53
Merge "zygote: grant perms from domain_deprecated" · eecaa0b5
Jeffrey Vander Stoep authored 9 years ago

eecaa0b5

vold: grant perms from domain_deprecated · 9306072c

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { open } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: denied { getattr } for path="/fstab.flounder" dev="rootfs" ino=4729 scontext=u:r:vold:s0 tcontext=u:object_r:rootfs:s0 tclass=file

avc: denied { read } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { open } for path="/cache" dev="mmcblk0p30" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: denied { ioctl } for path="/cache" dev="mmcblk0p30" ino=2 ioctlcmd=5879 scontext=u:r:vold:s0 tcontext=u:object_r:cache_file:s0 tclass=dir

avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir
avc: denied { open } for path="/proc" dev="proc" ino=1 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=dir

avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/157/net/psched" dev="proc" ino=4026536519 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: I8af7edc5b06675a9a2d62bf86e1c22dbb5d74370
avc: denied { read } for name="block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { open } for path="/sys/block" dev="sysfs" ino=2582 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs:s0 tclass=dir

9306072c

healthd: grant perms from domain_deprecated · 12401b8d

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: denied { open } for path="/sys/devices/platform/htc_battery_max17050.8/power_supply/flounder-battery/present" dev="sysfs" ino=5003 scontext=u:r:healthd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: Iaee5b79a45aedad98e08c670addbf444c984165e

12401b8d

zygote: grant perms from domain_deprecated · cee6a0e7

Jeff Vander Stoep authored 9 years ago

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2

cee6a0e7

Allow sdcardd tmpfs read access. · 555f14c2
dcashman authored 9 years ago
```
am: db559a34

* commit 'db559a34':
  Allow sdcardd tmpfs read access.
```
555f14c2
Merge "Revert "zygote: grant perms from domain_deprecated"" · 7d3e5467
Jeffrey Vander Stoep authored 9 years ago
```
am: 98f60e5c

* commit '98f60e5c':
  Revert "zygote: grant perms from domain_deprecated"
```
7d3e5467

Allow sdcardd tmpfs read access. · db559a34

dcashman authored 9 years ago

Address the following denial:
type=1400 audit(1453854842.899:7): avc: denied { search } for pid=1512 comm="sdcard" name="/" dev="tmpfs" ino=7547 scontext=u:r:sdcardd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0

vold: EmulatedVolume calls sdcard to mount on /storage/emulated.

Bug: 26807309
Change-Id: Ifdd7c356589f95165bba489dd06282a4087e9aee

db559a34

Merge "Revert "zygote: grant perms from domain_deprecated"" · 98f60e5c
Jeffrey Vander Stoep authored 9 years ago

98f60e5c
Revert "zygote: grant perms from domain_deprecated" · b898360e
Jeffrey Vander Stoep authored 9 years ago
```
This reverts commit e52fff83.

Change-Id: Ieafb5214940585d63ff6f0b4802d8c7d1c126174
```
b898360e
Merge "zygote: grant perms from domain_deprecated" · 299e1d5a
Jeffrey Vander Stoep authored 9 years ago
```
am: 4115beae

* commit '4115beae':
  zygote: grant perms from domain_deprecated
```
299e1d5a
Merge "zygote: grant perms from domain_deprecated" · 4115beae
Jeffrey Vander Stoep authored 9 years ago

4115beae