android_system_sepolicy

PWN-Hunter/android_system_sepolicy

Fork 0

Commit Graph

Author	SHA1	Message	Date
Nick Kralevich	240f50e8b3	Add TCSETS to unpriv_tty_ioctls Addresses the following denial: avc: denied { ioctl } for comm="top" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=5402 scontext=u:r:shell:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 Bug: 33073072 Bug: 7530569 Test: policy compiles. Change-Id: If9178d29f2295be46bb118df00ebf73a6ebc9f81	2016-12-07 15:59:34 -08:00
Nick Kralevich	07c3a5a522	Move to ioctl whitelisting for /dev/pts/* files In particular, get rid of TIOCSTI, which is only ever used for exploits. http://www.openwall.com/lists/oss-security/2016/09/26/14 Bug: 33073072 Bug: 7530569 Test: "adb shell" works Test: "adb install package" works Test: jackpal terminal emulator from https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en works Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf	2016-11-22 18:59:38 -08:00
dcashman	cc39f63773	Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c	2016-10-06 13:09:06 -07:00

Author

SHA1

Message

Date

Nick Kralevich

240f50e8b3

Add TCSETS to unpriv_tty_ioctls

Addresses the following denial:

avc: denied { ioctl } for comm="top" path="/dev/pts/0" dev="devpts"
ino=3 ioctlcmd=5402 scontext=u:r:shell:s0 tcontext=u:object_r:devpts:s0
tclass=chr_file permissive=0

Bug: 33073072
Bug: 7530569
Test: policy compiles.
Change-Id: If9178d29f2295be46bb118df00ebf73a6ebc9f81

2016-12-07 15:59:34 -08:00

Nick Kralevich

07c3a5a522

Move to ioctl whitelisting for /dev/pts/* files

In particular, get rid of TIOCSTI, which is only ever used for exploits.

http://www.openwall.com/lists/oss-security/2016/09/26/14

Bug: 33073072
Bug: 7530569
Test: "adb shell" works
Test: "adb install package" works
Test: jackpal terminal emulator from
      https://play.google.com/store/apps/details?id=jackpal.androidterm&hl=en
      works
Change-Id: I96b5e7059d106ce57ff55ca6e458edf5a4c393bf

2016-11-22 18:59:38 -08:00

dcashman

cc39f63773

Split general policy into public and private components.

Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c

2016-10-06 13:09:06 -07:00

3 Commits