Commits · feb2813041e92d5468e8b8cf924b0f70e7bdd109 · Werner Sembach / AndroidSystemSEPolicy

Jul 11, 2017
- resolve merge conflicts of 72b26547 to stage-aosp-master · feb28130
  Jeff Vander Stoep authored 7 years ago
  
  am: 7f2fb741 Change-Id: I38c91b9f3fc127313918bbd74199013ae7910f2b
  feb28130
- resolve merge conflicts of 72b26547 to stage-aosp-master · 7f2fb741
  Jeff Vander Stoep authored 7 years ago
  
  Test: build Change-Id: Ibb899aa88878f5fc3ade9df0208a8026f2a57b11
  7f2fb741
Jul 10, 2017

domain_deprecated: remove cache access am: 790f4c7e · 664743bd
Jeff Vander Stoep authored 7 years ago
```
am: 3ca77476

Change-Id: Ie9ebd530b380bd61fd62bb3cab171f0f7e27156e
```
664743bd
domain_deprecated: remove cache access · 3ca77476
Jeff Vander Stoep authored 7 years ago
```
am: 790f4c7e

Change-Id: I0dcc870c1280baf37e03b66b244e2ff046fad35d
```
3ca77476

domain_deprecated: remove cgroup access · 72b26547

Logs indicate that all processes that require read access
have already been granted it.

Bug: 28760354
Test: build policy
Merged-In: I5826c45f54af32e3d4296df904c8523bb5df5e62
Change-Id: I5826c45f54af32e3d4296df904c8523bb5df5e62

72b26547

domain_deprecated: remove cache access · 790f4c7e

Jeff Vander Stoep authored 7 years ago

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e

790f4c7e

domain_deprecated: remove access to /proc/meminfo am: 3e5bb807 · f9da0cba
Jeff Vander Stoep authored 7 years ago
```
am: 5fbb120b

Change-Id: Idf655a43a2258b56f8c8b1282dd6c430d7771cf6
```
f9da0cba
domain_deprecated: remove access to /proc/meminfo · 5fbb120b
Jeff Vander Stoep authored 7 years ago
```
am: 3e5bb807

Change-Id: I01f99884b0f8b06fa4938a606345c33918d8b295
```
5fbb120b

domain_deprecated: remove access to /proc/meminfo · 3e5bb807

Jeff Vander Stoep authored 7 years ago

Logs indicate that all processes that require access already have it.

Bug: 28760354
Test: build
Merged-In: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8
Change-Id: I3dfa16bf4fba7f653c5f8525e8c565e9e24334a8

3e5bb807

dumpstate: remove domain_deprecated attribute am: 90ae4f6b · d5d98a4d
Jeff Vander Stoep authored 7 years ago
```
am: 77285737

Change-Id: I19c2b7107293fbe903cd6601f36b85aa3d099f80
```
d5d98a4d
Remove dumpstate selinux spam from logs am: f4ce8f6c · 55efefc3
Jeff Vander Stoep authored 7 years ago
```
am: 4e6f67fb

Change-Id: Ia3fe7f33ca0dc2f18040d3128ce84f0878fc8d63
```
55efefc3
dumpstate: remove domain_deprecated attribute · 77285737
Jeff Vander Stoep authored 7 years ago
```
am: 90ae4f6b

Change-Id: Ia793ed369cc05c123fb013fd10e8b19f006d92ff
```
77285737
Remove dumpstate selinux spam from logs · 4e6f67fb
Jeff Vander Stoep authored 7 years ago
```
am: f4ce8f6c

Change-Id: Ie0bc01a5b8acc6b79a3a31d5807f46f1e1df8c6c
```
4e6f67fb

dumpstate: remove domain_deprecated attribute · 90ae4f6b

Jeff Vander Stoep authored 7 years ago

Clean up "granted" logspam. Grant the observered audited permissions
including:

tcontext=cache_file
avc: granted { getattr } for comm="df" path="/cache" dev="mmcblk0p9"
ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { search } for comm="Binder:8559_2" name="cache"
dev="sda13" ino=1654785 scontext=u:r:dumpstate:s0
tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { read } for comm="Binder:8559_2" name="cache" dev="dm-0"
ino=23 scontext=u:r:dumpstate:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

tcontext=proc
avc: granted { getattr } for comm="Binder:14529_2"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=247742
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file
avc: granted { read } for comm="Binder:22671_2" name="cmdline"
dev="proc" ino=4026532100 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for comm="dumpstate"
path="/proc/sys/fs/pipe-max-size" dev="proc" ino=105621
scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0
tclass=file

tcontext=sysfs
avc: granted { read open } for comm="Binder:14459_2"
path="/sys/devices/virtual/block/md0/stat" dev="sysfs" ino=51101
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } for comm="Binder:21377_2"
path="/sys/devices/soc/1da4000.ufshc/host0/target0:0:0/0:0:0:1/block/sdb/sdb1"
dev="sysfs" ino=40888 scontext=u:r:dumpstate:s0
tcontext=u:object_r:sysfs:s0 tclass=dir
avc: granted { getattr } for comm="dumpstate" dev="sysfs" ino=40456
scontext=u:r:dumpstate:s0 tcontext=u:object_r:sysfs:s0 tclass=file

tcontext=proc_meminfo
avc: granted { read } for comm="top" name="meminfo" dev="proc"
ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for comm="top" path="/proc/meminfo"
dev="proc" ino=4026532106 scontext=u:r:dumpstate:s0
tcontext=u:object_r:proc_meminfo:s0 tclass=file

tcontext=rootfs
avc: granted { getattr } for comm="df" path="/" dev="dm-0" ino=2
scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="ip" path="/vendor" dev="rootfs"
ino=99 scontext=u:r:dumpstate:s0 tcontext=u:object_r:rootfs:s0
tclass=lnk_file

tcontext=selinuxfs
avc: granted { getattr } for comm="df" path="/sys/fs/selinux"
dev="selinuxfs" ino=1 scontext=u:r:dumpstate:s0
tcontext=u:object_r:selinuxfs:s0 tclass=dir

tcontext=system_file
avc: granted { read open } for comm="dumpstate" path="/system/lib64/hw"
dev="dm-0" ino=1947 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_file:s0 tclass=dir

tcontext=system_data_file
avc: granted { read } for comm="ip" path="/data/misc/net/rt_tables"
dev="sda10" ino=1458261 scontext=u:r:dumpstate:s0
tcontext=u:object_r:system_data_file:s0 tclass=file
avc: granted { getattr } for comm="ip" path="/data/misc/net/rt_tables"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 28760354
Test: Build policy
Change-Id: Iae69f710d6b6dc6158cf6bb6ff61168c8df11263

90ae4f6b

Remove dumpstate selinux spam from logs · f4ce8f6c

Jeff Vander Stoep authored 7 years ago

Addresses:
avc: granted { read } for name="pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/sys/fs/pipe-max-size" dev="proc" ino=470942 scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc:s0 tclass=file

Test: build policy
Change-Id: I7d8721c73c4f3c51b3885a97c697510e61d1221b
(cherry picked from commit f44002b3)

f4ce8f6c

Jul 06, 2017

domain_deprecated: remove tmpfs dir access am: ca5bb337 · 407e9457
Jeff Vander Stoep authored 7 years ago
```
am: 453f4a51

Change-Id: Iff9292a4a92fdd78eebdf2ec5fab8d571fc755f6
```
407e9457
domain_deprecated: remove tmpfs dir access · 453f4a51
Jeff Vander Stoep authored 7 years ago
```
am: ca5bb337

Change-Id: I185d127216ee72821c64daf31601fdcbe1a9c069
```
453f4a51

domain_deprecated: remove tmpfs dir access · ca5bb337

Jeff Vander Stoep authored 7 years ago

Address "granted" audit messages for dumpstate use of df.

avc: granted { getattr } for comm="df" path="/mnt" dev="tmpfs"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir
avc: granted { search } for comm="df" name="/" dev="tmpfs"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir

Bug: 28760354
Test: Build, check logs.
Change-Id: I920948a5f0bce1b4bd2f15779730df8b3b1fea5a

ca5bb337

Jul 03, 2017

resolve merge conflicts of a92d3135 to stage-aosp-master · aa33afc9
Nick Kralevich authored 7 years ago
```
am: b748e652

Change-Id: I4cd3587232e426b2684c77a7cb548b006f6f8647
```
aa33afc9
resolve merge conflicts of a92d3135 to stage-aosp-master · b748e652
Nick Kralevich authored 7 years ago
```
Test: Policy compiles.
Change-Id: Iaa19c64f6b54423dbfa5ae16d288501ab0e64cbc
```
b748e652
Merge "recovery: clean up audit logspam" · a92d3135
Treehugger Robot authored 7 years ago

a92d3135
Merge "Allow installd to delete files via sdcardfs." am: a6f6295c · 6433a09c
Jeff Sharkey authored 7 years ago
```
am: b41291f5

Change-Id: I8e1151461bdd5a47cc81a9be744a8918bb61560a
```
6433a09c
Merge "Allow installd to delete files via sdcardfs." · b41291f5
Jeff Sharkey authored 7 years ago
```
am: a6f6295c

Change-Id: I0c54b62288aa73842a9f0dc8fa0f9a5c8e64bc98
```
b41291f5
Merge "Allow installd to delete files via sdcardfs." · a6f6295c
Treehugger Robot authored 7 years ago

a6f6295c
Merge "Add SEPolicy for new Java-based Broadcast Radio service." am: 6466092f · 739f7598
Jeffrey Vander Stoep authored 7 years ago
```
am: f44267a5

Change-Id: Iea0f7ef8960d89d19451b7a47dc1852155dd3af9
```
739f7598
domain_deprecated: remove ion access am: 88e4be54 · c8338f26
Jeff Vander Stoep authored 7 years ago
```
am: 8745ac43

Change-Id: I6816eea55ad110d7aeea43ec3088452b38b7ccc7
```
c8338f26

recovery: clean up audit logspam · 9bbe420b

Jeff Vander Stoep authored 7 years ago

avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Merged-In: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3
(cherry picked from commit ea1d6e7d)

9bbe420b

Merge "Add SEPolicy for new Java-based Broadcast Radio service." · f44267a5
Jeffrey Vander Stoep authored 7 years ago
```
am: 6466092f

Change-Id: I856e01d9d06978dfcaf13fff078430cefbc7a9eb
```
f44267a5
domain_deprecated: remove ion access · 8745ac43
Jeff Vander Stoep authored 7 years ago
```
am: 88e4be54

Change-Id: I064f2becfde44f300ddf9d36802972b35c54e152
```
8745ac43
Merge "Add SEPolicy for new Java-based Broadcast Radio service." · 6466092f
Jeffrey Vander Stoep authored 7 years ago

6466092f

Allow installd to delete files via sdcardfs. · dd57e698

Jeff Sharkey authored 7 years ago

When installd clears cached files on external storage, the sdcardfs
kernel filesystem needs to be kept in the loop to release any cached
dentries that it's holding onto.  (Otherwise the underlying disk
space isn't actually released.)

installd can already delete the underlying files directly (via the
media_rw_data_file rules), so this technically isn't expanding its
capabilities.

avc: granted { search } for name="/" dev="tmpfs" ino=6897 scontext=u:r:installd:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
avc: denied { open } for path="/mnt/runtime/default/emulated/0/Android/data" dev="sdcardfs" ino=589830 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=1
avc: denied { write } for name="com.google.android.inputmethod.japanese" dev="sdcardfs" ino=590040 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { remove_name } for name="cache_r.m" dev="sdcardfs" ino=589868 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=dir permissive=0
avc: denied { getattr } for path="/mnt/runtime/default/emulated/0/Android/data/.nomedia" dev="sdcardfs" ino=589831 scontext=u:r:installd:s0 tcontext=u:object_r:sdcardfs:s0 tclass=file permissive=1

Test: cts-tradefed run commandAndExit cts-dev -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.StorageHostTest
Bug: 37486230
Change-Id: Icfd00a9ba379b1f50c48fe85849304cf9859bcb2
(cherry picked from commit 72f4c619)

dd57e698

domain_deprecated: remove ion access · 88e4be54

Jeff Vander Stoep authored 7 years ago

Logs show that only dumpstate requires access.

avc: granted { read open } for comm="screencap" path="/dev/ion"
dev="tmpfs" ino=14324 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs"
ino=14324 ioctlcmd=4906 scontext=u:r:dumpstate:s0
tcontext=u:object_r:ion_device:s0 tclass=chr_file

Grant ion permission to dumpstate which uses it for screencap
feature.

Bug: 28760354
Test: build. Check logs.
Change-Id: I6435b7dbf7656669dac5dcfb205cf0aeda93991b

88e4be54

Jul 01, 2017
- Remove more domain_deprecated permissions am: e39d5c87 · 685db0b2
  Jeff Vander Stoep authored 7 years ago
  
  am: 9ce812fb Change-Id: Ie71e8eb97e3ace63a230fcd70b81961d1a8f4884
  685db0b2
- Remove more domain_deprecated permissions · 9ce812fb
  Jeff Vander Stoep authored 7 years ago
  
  am: e39d5c87 Change-Id: Ibdb49f80b11fca40f5c4de7a92780be26b3280eb
  9ce812fb
- Merge "Allow only system_server to read uid_time_in_state" am: 439364d2 · 3ce2c6f8
  Andres Oportus authored 7 years ago
  
  am: e96aad09 Change-Id: I0742836c6b613afeab2dcf6d59c37dd9787dc91a
  3ce2c6f8
- Merge "Remove adbd tcontexts from domain_deprecated" am: 056710b3 · 1a1cefcc
  Jeff Vander Stoep authored 7 years ago
  
  am: 2af7c84f Change-Id: Id52f1fd3e79a0a36df42abca24c93b28b277c570
  1a1cefcc
- Merge "Allow only system_server to read uid_time_in_state" · e96aad09
  Andres Oportus authored 7 years ago
  
  am: 439364d2 Change-Id: I726672b2e3379e2e53d3c6b26482147f11d06d8e
  e96aad09
- Merge "Remove adbd tcontexts from domain_deprecated" · 2af7c84f
  Jeff Vander Stoep authored 7 years ago
  
  am: 056710b3 Change-Id: Id44e16b03b1b5398bb4fd73bc4950e5da8acd5b7
  2af7c84f
- Remove more domain_deprecated permissions · e39d5c87
  Jeff Vander Stoep authored 7 years ago
  
  Logs indicate no usage of these permissions. Bug: 28760354 Test: check logs. Change-Id: I3d75aea6afd4e326f705274ab2790e5d0bbdb367
  e39d5c87
- Merge "Allow only system_server to read uid_time_in_state" · 439364d2
  Treehugger Robot authored 7 years ago
  
  439364d2