Commit Graph

9474 Commits

Author SHA1 Message Date
Treehugger Robot
7f4b2ad584 Merge "fc_sort: Fix leaks" 2017-05-01 23:30:26 +00:00
Treehugger Robot
9e0d6aeb4f Merge "Sepolicy: Disable leak sanitizer for checkpolicy" 2017-05-01 16:33:28 +00:00
Andreas Gampe
ac4cf8e3ea Sepolicy: Disable leak sanitizer for checkpolicy
Temporary workaround.

Bug: 37755687
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Merged-In: I001a42ea6463a1e137e1f5328755596f986323de
Change-Id: I001a42ea6463a1e137e1f5328755596f986323de
2017-05-01 14:42:49 +00:00
Joel Scherpelz
edd4126125 Merge "Allow dumpstate to acquire xtables.lock" 2017-05-01 06:31:49 +00:00
Andreas Gampe
c32d7bae15 fc_sort: Fix leaks
Use the getline API correctly: keep a single buffer as long as
possible, and let the callee handle re-allocation. Move the final
free out of the loop.

Release the head of the linked list.

Bug: 37757586
Test: ASAN_OPTIONS= SANITIZE_HOST=address mmma system/sepolicy
Change-Id: I42424acba7cd68c1b9a7a43e916a421ac3e253f7
2017-04-28 10:37:55 -07:00
Andreas Gampe
ee8b67dfd9 Sepolicy-Analyze: Plug leak
Destroy the policy before exiting (for successful = expected runs).

Bug: 37757759
Test: ASAN_OPTIONS= SANITIZE_HOST=address m
Change-Id: I67e35fbede696ec020a53b69a6cef9f374fae167
2017-04-27 18:16:26 -07:00
Treehugger Robot
608969b33f Merge "Remove access to sock_file for hal_nfc" 2017-04-27 07:34:59 +00:00
Nick Kralevich
db5962cef5 Add untrusted_v2_app to all_untrusted_apps
This was accidentally omitted from all_untrusted_app

While I'm here, split across multiple lines and alphabetize.

Test: policy compiles.
Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-26 16:19:47 -07:00
Jerry Zhang
224b4eace9 Merge "Add drm and kernel permissions to mediaprovider" 2017-04-26 20:52:15 +00:00
Jerry Zhang
6f9ac6e4cc Add drm and kernel permissions to mediaprovider
These were missing when the sepolicy was migrated.

Addresses denials:

E SELinux : avc:  denied  { find } for service=drm.drmManager pid=11769
uid=10018 scontext=u:r:mediaprovider:s0:c512,c768
tcontext=u:object_r:drmserver_service:s0 tclass=service_manager

W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for
path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg"
dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0
tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0

Bug: 37685394
Bug: 37686255
Test: Sync files
Test: Open downloaded file

Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d
2017-04-26 11:15:44 -07:00
Philip Cuadra
2e8b000467 Merge "Allow Bluetooth sys_nice and system_server setsched for Bluetooth HAL" 2017-04-26 16:56:00 +00:00
Ruchi Kandoi
ad41fa8dc3 Remove access to sock_file for hal_nfc
Test: manual
Bug: 37640900
Change-Id: I6987d60c1eb1578134b51f4e7417700fd462ba4d
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2017-04-25 14:57:33 -07:00
Joel Scherpelz
5e901bbe89 Allow dumpstate to acquire xtables.lock
iptables recently changed its behavior to strictly require xtables.lock.
dumpstate selinux policy must be updated to allow access.

Bug: 37648320
Test: dumpstate succeeds with no avc: denied ... xtables.lock messages
Change-Id: Ic7e243739f375a60fa14fe67fac910d31d978ffd
(cherry picked from commit ca0979792f)
2017-04-25 16:22:11 +09:00
nharold
327d7cb910 Merge "Allow UDP Sockets to be returned from IpSecService" 2017-04-25 03:45:35 +00:00
Philip Cuadra
6eee6eb2c0 Allow Bluetooth sys_nice and system_server setsched for Bluetooth HAL
Bluetooth needs the capability to set audio-related threads to be RT
scheduled.  Grant it sys_nice.

system_server needs to set priority for the Bluetooth HAL.  Allow it.

Bug: 37518404
Test:  Play Bluetooth audio, confirm RT scheduling with systrace
Change-Id: Iaf7b85a11a51883744d72a50addfd320b6fbbc2f
2017-04-24 17:57:59 -07:00
Treehugger Robot
35fd321234 Merge "Only the bluetooth app may run in the bluetooth domain" 2017-04-20 23:42:38 +00:00
Jeff Vander Stoep
67b4037879 Only the bluetooth app may run in the bluetooth domain
Remove neverallow exemption allowing other processes to run in
the bluetooth app's selinux domain.

The bluetooth domain is intended to host the zygote spawned
bluetooth app. It is not intended to host other bluetooth related
processes. Please define new domains for these processes.

Test: build Marlin
Change-Id: I1fd3dd0fe85f73457d77b63a65b4307821cbd41c
2017-04-20 07:46:47 -07:00
Neil Fuller
5684f61fe2 Allow the shell user to run tzdatacheck
Allow the shell user to run tzdatacheck, which is required
to enable a new host side test.

This change also adds some additional checks to
tzdatacheck.te to ensure that OEMs opening up permissions
further don't accidentally create a security hole.

Bug: 31008728
Test: Ran CTS
Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36
2017-04-20 09:31:36 +00:00
Treehugger Robot
47061e5910 Merge "Add dex2oat permissions to open and read the tmp apk." 2017-04-19 17:13:13 +00:00
Jack He
a61f7f60ef Allow Bluetooth process to access /dev/uhid in SELinux Policy
Bug: 37476041
Test: make, pair and connect to HID device
Change-Id: Ic7e81382994769e3f3a91255dcf3624edeaf6bfd
2017-04-18 18:23:26 -07:00
Jeff Hao
661910644f Add dex2oat permissions to open and read the tmp apk.
The PackageManager now passes previous code paths to dex2oat as shared
libraries. dex2oat needs extra permissions in order to access and open
the oat files of these libraries (if they were compiled).

Part of a multi-project change.

Bug: 34169257
Test: cts-tradefed run singleCommand cts -d --module
CtsAppSecurityHostTestCases -t android.appsecurity.cts.SplitTests

Merged-In: I7b9cfd7f3c3509f3e41f0590ab650bd85faab340
(cherry-picked from commit 1103f963a7)

Change-Id: I6d69d463af7a0a93391dd4b7edd5b700012ba58c
2017-04-18 17:12:19 -07:00
Dan Cashman
9d46f9b4f0 sepolicy-analyze: Add ability to list all attributes.
This could be useful in diffs between policy versions.

Bug: 37357742
Test: sepolicy-analyze lists all attributes in precompiled_policy.
Change-Id: I6532a93d4102cf9cb12b73ee8ed86ece368f9131
2017-04-18 11:08:43 -07:00
Jerry Zhang
9f152d98ea Split mediaprovider as a separate domain from priv_app
MediaProvider requires permissions that diverge from those
of a typical priv_app. This creates a new domain and removes
Mtp related permissions from priv_app.

Bug: 33574909
Test: Connect with MTP, download apps and files, select ringtones
Test: DownloadProvider instrument tests, CtsProviderTestCases

Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-17 15:30:35 -07:00
Treehugger Robot
5ab5cfbae4 Merge "Allow recovery to read thermal info on sailfish" 2017-04-15 00:51:31 +00:00
Tianjie Xu
b4e4565d58 Allow recovery to read thermal info on sailfish
Encountered more denials on sailfish:

avc:  denied  { read } for  pid=439 comm="recovery" name="thermal"
dev="sysfs" ino=28516 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

avc:  denied  { read } for  pid=441 comm="recovery"
name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0

Bug: 36920500
Test: sideload a package in sailfish
Change-Id: Ib4e89ba48cdc383318e5f3b7b15f542434e43564
2017-04-14 14:39:40 -07:00
Treehugger Robot
e453801d66 Merge "bluetooth: Remove domain_deprecated" 2017-04-14 01:23:58 +00:00
Jeff Vander Stoep
ff1e018499 bluetooth: Remove domain_deprecated
Remove domain_deprecated from bluetooth. This removes some unnecessarily
permissive rules.

Bug: 25433265
Test: All of the permissions being removed were being audited. Verify
      that no audited (granted) avc messages for bluetooth exist
      in the logs.

Change-Id: Ifa12a0f1533edcb623bbb9631f88f1ff1d6d7085
2017-04-13 10:43:49 -07:00
Jerry Zhang
f3b5bd6415 Add configfs file permissions to init.
These were previously in device specific sepolicies.
They should be in core sepolicy to reflect their
use by a core init file, init.usb.configfs.rc.

Addresses denial:

init    : type=1400 audit(0.0:135): avc: denied { unlink } for name="f1"
dev="configfs" ino=10923 scontext=u:r:init:s0
tcontext=u:object_r:configfs:s0 tclass=lnk_file permissive=0

Test: denial addressed
Change-Id: I869892f9d0c311b727462fb380f4160feb986215
2017-04-13 17:37:36 +00:00
Nathan Harold
0f75a62e2c Allow UDP Sockets to be returned from IpSecService
These permissions allow the system server to create and
bind a UDP socket such that it gains the SOCK_BINDPORT_LOCK.
(ref: af_inet.c - inet_bind()). This prevents the user from
disconnecting the socket, which would create a security
vulnerability. The user may then use the provided socket,
which is always IPv4/UDP, for IKE negotiation. Thus, an
un-trusted user app must be able to use the socket for
communication.

-ALLOW: read, write, connect, sendto, and recvfrom.
-NEVERALLOW: anything else

Bug: 30984788
Test: CTS tested via IpSecManagerTest:testUdpEncapsulationSocket

Change-Id: I045ba941797ac12fd14a0cce42efdd2abc4d67e0
2017-04-12 11:32:18 -07:00
Treehugger Robot
20fe64e73d Merge "Add PLATFORM_SEPOLICY_VERSION." 2017-04-12 17:31:13 +00:00
Treehugger Robot
f6eb2ad6ed Merge "remove /dev/log" 2017-04-12 07:58:33 +00:00
Treehugger Robot
d16d039f12 Merge "system_server: Report dalvikcache_data_file execute violations." 2017-04-12 03:37:37 +00:00
Tom Cherry
8c60f74dcc remove /dev/log
This was marked deprecated in 2014 and removed in 2015; let's remove
the sepolicy now too.

Test: see that logging still works on bullhead

Change-Id: I4caa0dbf77956fcbc61a07897242b951c275b502
2017-04-11 21:35:32 +00:00
Jorge Lucangeli Obes
665128fac3 system_server: Report dalvikcache_data_file execute violations.
With build/core eaa9d88cf, system_server should not be loading code
from /data. Add an auditallow rule to report violations.

Bug: 37214733
Test: Boot marlin, no SELinux audit lines for system_server.
Change-Id: I2e25eb144503274025bd4fc9bb519555851f6521
2017-04-11 13:39:25 -04:00
Dan Cashman
bec5e57ec9 Add PLATFORM_SEPOLICY_VERSION.
Create PLATFORM_SEPOLICY_VERSION, which is a version string to represent
the platform sepolicy of the form "NN.m" where "NN" mirrors the
PLATFORM_SDK_VERSION and "m" is a policy-based minor version that is
incremented with every policy change that requires a new backward-compatible
mapping file to be added to allow for future-proofing vendor policy against
future platform policy.

(cherry-pick of commit 6f14f6b7d9)

Bug: 36783775
Test: Device boots when sha256 doesn't match and compilation is forced.
Change-Id: I4edb29824f2050a5a6e1bc078c100cf42e45c303
2017-04-11 10:19:42 -07:00
Sandeep Patil
9a3a6a81df sepolicy_version: change current version to NN.m format
The sepolicy version takes SDK_INT.<minor> format. Make sure our
'current' policy version reflects the format and make it '100000.0'.
This ensures any vendor.img compiled with this will never work with
a production framework image either.

Make version_policy replace the '.' in version by '_' so secilc is
happy too.

This unblocks libvintf from giving out a runtime API to check vendor's
sepolicy version. The PLAT_PUBLIC_SEPOLICY_CURRENT_VERSION will
eventually be picked up from the build system.

(cherry-pick of commit 42f95984b5)

Bug: 35217573
Test: Build and boot sailfish.
      Boot sailfish with sepolicy compilation on device.
Signed-off-by: Sandeep Patil <sspatil@google.com>

Change-Id: Ic8b6687c4e71227bf9090018999149cd9e11d63b
2017-04-11 10:16:24 -07:00
Josh Gao
b7cb45f0d2 Merge "Add /dev/kmsg_debug." 2017-04-10 20:51:59 +00:00
Tianjie Xu
462cf398a0 Merge "Allow recovery to read thermal info" 2017-04-07 18:16:53 +00:00
Dan Cashman
04ef57bfac Move mapping_sepolicy.cil to /system partition.
This is a necessary first step to finalizing the SELinux policy build
process.  The mapping_sepolicy.cil file is required to provide backward
compatibility with the indicated vendor-targeted version.

This still needs to be extended to provide N mapping files and corresponding
SHA256 outputs, one for each of the N previous platform versions with which
we're backward-compatible.

(cherry-pick of commit: 0e9c47c0af)

Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I5692fb87c7ec0f3ae9ca611f76847ccff9182375
2017-04-06 15:45:16 -07:00
Josh Gao
a015186fab Add /dev/kmsg_debug.
Add /dev/kmsg_debug on userdebug devices, to allow crash_dump to log
crashes to dmesg when logd isn't up yet (or is the one crashing).

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I249e11291c58fee77098dec3fd3271ea23363ac9
2017-04-06 14:07:02 -07:00
Tianjie Xu
3da2f21fbf Allow recovery to read thermal info
We want to track temperature metrics during an OTA update.

denial message:
denied  { search } for  pid=349 comm="recovery" name="thermal"
dev="sysfs" ino=18029 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0

denied  { read } for  pid=326 comm="recovery" name="temp"
dev="sysfs" ino=18479 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0

Bug: 36920500
Bug: 32518487
Test: temperature logs on angler
Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e
2017-04-06 00:22:54 -07:00
Treehugger Robot
b5b6e0c5c0 Merge "logcatd: introduce logcatd executable" 2017-04-04 21:48:23 +00:00
Tianjie Xu
fde87a96c6 Merge "Allow update_verifier to reboot the device" 2017-04-04 20:48:29 +00:00
Treehugger Robot
1871fc0a88 Merge "Remove hal_binderization_prop" 2017-04-04 19:49:52 +00:00
Tianjie Xu
1a60998ac0 Allow update_verifier to reboot the device
Currently update_verifier only verifies the blocks when dm-verity is in
'enforcing' mode; and dm-verity will reboot the device upon detection of
errors. However, sometimes the verity mode is not guaranteed to be
correct. When mode is 'eio' for example, dm-verity will not trigger
a reboot but rather fail the read. So update_verifier needs to take the
responsibility to reboot the device. Otherwise the device will continue
to boot without setting the flag "isSlotMarkedSuccessful".

Denial message:
update_verifier: type=1400 audit(0.0:18): avc: denied { write } for
name="property_service" dev="tmpfs" ino=14678 scontext=u:r:update_verifier:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=0

Bug: 36260064
Test: powerctl property sets successfully
Change-Id: I7431f87e2d61be1425397732aebb369d4ad4c26c
2017-04-04 19:44:06 +00:00
Steven Moreland
d40474ec55 Remove hal_binderization_prop
Test: works on internal marlin
Bug: 34274385
Change-Id: Idd35e5cdccb595b4e5994eb1d78fdeece0aec0a6
2017-04-04 09:46:45 -07:00
Mark Salyzyn
88cdd71d7e logcatd: introduce logcatd executable
logcatd is the same as logcat, except that the -L flag, if supplied,
runs once, then the command re-runs itself without the -L flag with
the same argument set.  By introducing a logcatd daemon executable
we can solve the problem of the longish reads from pstore that
sometimes occur when the system is excessively busy spinning in a
foreground task starving this daemon as we absorb the delay in
an init service, rather than in an init exec.  This would not have
been efficiently possible without the introduction of liblogcat.

Test: gTest logcat-unit-tests
Test: Manual check logpersist operations
Bug: 28788401
Bug: 30041146
Bug: 30612424
Bug: 35326290
Change-Id: I3454bad666c66663f59ae03bcd72e0fe8426bb0a
2017-04-03 14:53:53 -07:00
Daniel Cashman
22b00be748 Merge "Add reverse-attribute mapping to sepolicy-analyze."
am: cb6f8f0277

Change-Id: I47b6a0362f268ba1a599ab2354f72357fc7b79cc
2017-03-31 20:35:29 +00:00
Daniel Cashman
cb6f8f0277 Merge "Add reverse-attribute mapping to sepolicy-analyze." 2017-03-31 20:32:17 +00:00
Tom Cherry
58cb5787d4 Merge "Grant vdc access to kmsg"
am: 6b92e26aec

Change-Id: Ie76aa1f95e72b6183c13be4f9dc86481a2d63077
2017-03-31 16:42:55 +00:00