Remove bluetooth's access to tun_device. Auditallow rule demonstrates
that it's not used.
Strengthen the neverallow on opening tun_device to include all Apps.
Bug: 24744295
Change-Id: Iba85ba016b1e24c6c12d5b33e46fe8232908aac1
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
android.process.media moved to priv_app. Add audit rule to test if
untrusted_app still requires access or if some/all permissions may
be removed.
Bug: 25085347
Change-Id: I13bae9c09bd1627b2c06ae84b069778984f9bd5d
Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.
(cherry picked from commit 89765083f7)
Bug: 22846070
Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
Verifier has moved to the priv_app domain. Neverallow app domain
access to tmp apk files with exceptions for platform and priv app
domains.
Change-Id: I68a2fa39ebc7dc0bfa278fe7d092655f21a5225d
neverallow access to untrusted_app and isolated app
Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.
Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
Privileged apps now run in the priv_app domain. Remove permissions
from untrusted_app that were originaly added for GMS core, Finsky, and
Play store.
Bug: 22033466
Change-Id: Ibdce72ad629bfab47de92ac19542e8902e02c8be
Third party vpn apps must receive open tun fd from the framework
for device traffic.
neverallow untrusted_app open perm and auditallow bluetooth
access to see if the neverallow rule can be expanded to include
all of appdomain.
Bug: 24677682
Change-Id: I68685587228a1044fe1e0f96d4dc08c2adbebe78
CTS relies on the ability to see all services on the system to make sure
the dump permission is properly enforced on all services. Allow this.
Bug: 23476772
Change-Id: I144b825c3a637962aaca59565c9f567953a866e8
Create a macro of unprivileged ioctls including
- All common socket ioctls except MAC address
- All wireless extensions ioctls except get/set ESSID
- Some commonly used tty ioctls
Bug: 21657002
Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
As an optimization, platform components like MediaProvider may choose
to shortcut past the FUSE daemon and return open file descriptors
directly pointing at the underlying storage device.
Now that we have a specific label for /mnt/media_rw, we need to grant
search access to untrusted apps like MediaProvider. The actual
access control is still managed by POSIX permissions on that
directory.
avc: denied { search } for name="media_rw" dev="tmpfs" ino=4150 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0
Bug: 21017105
Change-Id: I6d51939668b39b43b91b1f0c24c98bc2205bf511
Programs routinely scan through /system, looking at the files there.
Don't generate an SELinux denial when it happens.
Bug: 21120228
Change-Id: I85367406e7ffbb3e24ddab6f97448704df990603
MAC address access is no longer allowed via the java API. Deny access
from native code.
Bug: 17787238
Change-Id: Ia337317d5927349b243bbbd5c2cf393911771cdf
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.
(cherry picked from commit effcac7d7e)
Bug: 20526234
Change-Id: I450242cd085259b3f82f36f359ee65ff27bebd13
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.
Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
Move the following services from tmp_system_server_service to appropriate
attributes:
jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats
Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.
Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.
Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
System services differ in designed access level. Add attributes reflecting this
distinction and label services appropriately. Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute. Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.
Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
Modify create_file_perms and create_dir_perms so it doesn't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and isn't something we want to support by
default.
Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.
Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.
SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.
Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.
Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0
Assigning mlstrustedsubject to untrusted_app would undermine
the per-user isolation model being enforced via levelFrom=user
in seapp_contexts and the mls constraints. There is no direct
way to specify a neverallow on attribute assignment, but this
makes use of a particular property of the fork permission to
prevent ever adding mlstrustedsubject to untrusted_app.
A similar restriction for app_data_file and mlstrustedobject
is also important for the same reason, but cannot be expressed
as a neverallow.
Change-Id: I5170cadc55cc614aef0cd5f6491de8f69a4fa2a0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file. Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te. Just move the rules as appropriate.
Should be no change in policy.
Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The GMS core feedback agent runs as untrusted_app, and needs
the ability to read /data/anr/traces.txt to report ANR information.
Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
can access it.
Longer term, we need to move GMS core into it's own domain, but that's
a longer term change.
Addresses the following denial:
W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
(cherrypick from commit e2547c3bff)
Bug: 18504118
Bug: 18340553
Change-Id: I8b472b6ab7dfe2a73154033e0a088b8e26396fa8
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference
Address the following denial:
avc: denied { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d