Commit dddbaaf1e8 ("update sepolicy
for fs notification hooks") updated global macros, and added
watch, watch_mount, watch_sb, watch_with_perm, and watch_reads
to r_file_perms and r_dir_perms.
In retrospect, the commit was overly permissive and some of the
permissions shouldn't be granted by default. In particular:
1) watch_with_perm: This is only used with fanotify and requires
CAP_SYS_ADMIN. fanotify has limited use cases, including virus scanning
and hierarchical storage management. Granting this by default makes it
harder to audit and understand this powerful capability. In particular,
anti-virus file like monitoring is something which inherently conflicts
with Android app privacy guarantees and would need to be carefully
reviewed.
2) watch_mount & watch_sb: Setting a watch on a mount (FAN_MARK_MOUNT)
or superblock (FAN_MARK_FILESYSTEM) should be extremely unusual.
Granting this by default makes it harder to audit and understand.
Both "watch" and "watch_reads" are retained for now.
References:
* https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ac5656d8a4cdd93cd2c74355ed12e5617817e0e7
* dddbaaf1e8
Test: compiles
Change-Id: Ib74e7119853eb991e0e9828645c7f9e076b919c4
These attributes are intended to be used w/ services using the system
copy of libbinder (for vendor, this is libbinder_ndk).
Switching vndservicemanager users using the libbinder copy of vendor to
be able to use the system copy of libbinder for registration is an open
problem.
Bug: 136027762
Test: N/A
Change-Id: I1d70380edcb39ca8ef2cb98c25617701b67ba7e1
Since this was an example service providing no real functionality and
accidentally got installed on a device.
Bug: 140115084
Test: install on test device and see that it runs
Change-Id: I553da8e1f4da7d6a9f0c3e7d4a3561f0b22321dc
Since non-full-Treble devices aren't guaranteed to have coredomain
applied to all system processes, this is breaking some downstream
non-Treble devices.
Bug: 140076135
Test: N/A
Change-Id: I2942506cb0cfd8096c631281389a16aa48b4da08
On cuttlefish devices, the resource loading code apparently maps the file rather
than just reading it.
Denial log:
viewcompiler: type=1400 audit(0.0:308): avc: denied { map } for
path="/data/app/android.startop.test-Z2JxVhtKPw2wx4o-nmo5NA==/base.apk"
dev="vdb" ino=139269 scontext=u:r:viewcompiler:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=0
app=android.startop.test
Bug: 139018973
Change-Id: I4bbbc44abc3c4315137f76a0be737236cf10f4ef
Since this service no longer exists.
Fix: 80317992
Test: TH, codesearch.
Merged-In: I257c8cc3dba657d98f19eb61b36aae147afea393
Change-Id: I257c8cc3dba657d98f19eb61b36aae147afea393
Say, foo_attribute is removed in 30 API. We need to preserve
typeattribute declaration in 29.0.cil, 28.0.cil, etc for backwards
compatibility.
(typeattribute binder_in_vendor_violators)
Automatically expand these typeattribute declaration into older map
files, so that we only need to update 29.0.cil.
Test: remove binder_in_vendor_violators; only 29.0.cil map needs to be
updated
Change-Id: Ifa7767d771f802e122b2f1ff6faf198ba2afa42e
This reverts commit 6b2eaade82.
Reason for revert: reland original CL
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
This service is requested by AOSP framework, but there is no context for
it defined.
Bug: 136023468
Test: N/A
Change-Id: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
Merged-In: Ibc5b048aaa1c9eda7b9180caca92cb876c3f6b28
(cherry picked from commit 67cb30fabf)
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
to dexoptanalyzer(d) in cases where it could already access files (in
particular, secondary dex files).
Addresses denials of the form:
avc: denied { map } for […] path="/data/data/[…]" […]
scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0
Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel
and check the absence of SELinux denials
Bug: 138683603
Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
To support linker-specific property, sys.linker.* has been defined as
linker_prop. This will have get_prop access from domain so all binaries
can start with linker using proper property access level.
Bug: 138920271
Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found
Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
This is required for Idf851b3a42910e0ce8fdd75daea1cce91dd1aa98
And is part of enabling upcoming platform changes that are
described in the bug linked below.
Bug: 135341433
Test: m
Change-Id: I1d842fcfae3740d51e7cb2050decf1f83543af7e
This should be available in user and userdebug builds.
Bug: 137289935
Test: Alongside atrace changes, recorded a trace using Traceur and
verified that the tracepoints were included in the recorded trace in
both user and userdebug builds.
Change-Id: I6131557bdd0a298be9e75b39759599b189b9b988
Additional permission is required for linkerconfig from domain to get
access to ld.config.txt file from linker. This change allows linker to
get /dev/linkerconfig/ld.config.txt
Bug: 138920271
Test: m -j && confirmed from cuttlefish
Change-Id: Id130a072add8ae82840b0b4d9e997e146f502124
This change is part of enabling upcoming platform changes that are
described in the bug linked below.
Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5