Commit Graph

1439 Commits

Author SHA1 Message Date
Nick Kralevich
f78fb4e0c8 Merge "Make ppp domain enforcing." 2014-05-13 21:17:32 +00:00
Nick Kralevich
e3519d6c2a Merge "Label /data/.layout_version with its own type." 2014-05-13 21:15:42 +00:00
Nick Kralevich
bc36ce1385 Merge "Restrict system_server to only the data file types needed." 2014-05-13 18:29:55 +00:00
Nick Kralevich
f67e0ef3f7 Merge "Revisit kernel setenforce" 2014-05-13 15:44:31 +00:00
Nick Kralevich
4fc250529c Merge "Allow ppp to inherit/use mtp unix datagram socket." 2014-05-13 15:42:09 +00:00
Stephen Smalley
7011072875 Make ppp domain enforcing.
Change-Id: If6b85fbb2332f7a03b603f2d46bd2f73c778ecf9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-13 08:25:31 -04:00
Stephen Smalley
b300765095 Allow ppp to inherit/use mtp unix datagram socket.
Resolves denials such as:
avc:  denied  { read write } for  path="socket:[33571]" dev="sockfs" ino=33571 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=unix_dgram_socket

Change-Id: Icb1ee00d8513179039bfb738647f49480e836f25
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-13 08:24:38 -04:00
Stephen Smalley
efc7299169 Allow mediaserver to use app-created pipes.
Resolves denials such as:
 avc:  denied  { getattr } for  path="pipe:[167684]" dev="pipefs" ino=167684 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file

Change-Id: I1120c8b130a592e40992c5233650345640a23a87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-13 08:07:31 -04:00
Stephen Smalley
538edd3317 Restrict system_server to only the data file types needed.
Drop rules on data_file_type attribute and replace with rules
on specific types under /data.

Change-Id: I5cbfef64cdd71b8e93478d9ef377689bf6dda192
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-13 07:58:18 -04:00
Nick Kralevich
02e7152595 Merge "Revert "Make the mediaserver domain enforcing."" 2014-05-13 02:34:58 +00:00
Nick Kralevich
f42cc61879 Revert "Make the mediaserver domain enforcing."
I didn't fix unpublished denials before switching this into enforcing. Need to revert.

This reverts commit ae50551142.

Bug: 14844424
Change-Id: I01408b77a67ad43a8fb20be213d3ffbace658616
2014-05-13 02:33:44 +00:00
Nick Kralevich
abae8a9b58 Revisit kernel setenforce
Kernel userspace helpers may be spawned running in the kernel
SELinux domain. Those userspace helpers shouldn't be able to turn
SELinux off.

This change revisits the discussion in
https://android-review.googlesource.com/#/c/71184/

At the time, we were debating whether or not to have an allow rule,
or a dontaudit rule. Both have the same effect, as at the time we
switch to enforcing mode, the kernel is in permissive and the operation
will be allowed.

Change-Id: If335a5cf619125806c700780fcf91f8602083824
2014-05-12 14:32:59 -07:00
Stephen Smalley
0099148ee4 Audit zygote create/write access to system_data_file.
Report any attempts by zygote to create/write files in system_data_file
so that we can ultimately move any such cases to their own type
and reduce this to read-only access.

Change-Id: I310b8da5ba5b462ef2cfdaab289628498f4d2cec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-12 11:55:20 -04:00
Stephen Smalley
baf49bd541 Label /data/.layout_version with its own type.
installd creates /data/.layout_version.  Introduce a separate type
for this file (and any other file created by installd under a directory
labeled system_data_file) so that we can allow create/write access by
installd without allowing it to any system data files created by other
processes.  This prevents installd from overwriting other system data
files, and ensures that any files it creates will require explicit
rules in order to access.

Change-Id: Id04e49cd571390d18792949c8b2b13b1ac59c016
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-12 11:31:09 -04:00
Stephen Smalley
41e14c7f9d Allow installd rename to app_data_file for movefiles command.
Change-Id: I29202292a78f0d2ae3b5da235c1783298f14bed8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-12 08:42:01 -04:00
Stephen Smalley
ae50551142 Make the mediaserver domain enforcing.
Change-Id: Ib4b4ebda74a9ebf08f38d73521d67bf98cd0ee67
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-10 08:04:05 -07:00
Stephen Smalley
8429c9b365 Make platform_app enforcing.
Change-Id: Ib4cbaee280628845d026e827d7e16f347594fc26
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-10 07:13:53 -07:00
Stephen Smalley
4ebbbcbf39 Restrict installd to only the data file types needed.
Drop rules on data_file_type attribute and replace with
rules on specific types, coalescing with existing rules
where appropriate.  Reorganize the rules and try to
annotate the reason for the different rules.

Change-Id: I2d07e7c276a9c29677f67db0ebecfc537c084965
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 16:44:56 -04:00
Stephen Smalley
02dac03a8c Drop relabelto_domain() macro and its associated definitions.
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 18:30:22 +00:00
Nick Kralevich
004bd4e0b6 Allow installd to create the lib symlink for system_app_data_file
91a4f8d4fd created system_app_data_file,
and assigned all system_apps to use this file type. For testing purposes,
our automated testing infrastructure sideloads shared system UID apks.
Installd does not have permission to create the lib symlink, so the
installation fails.

Allow installd to create this symlink.

  repro:
  adb install AppLaunch.apk
  276 KB/s (8414 bytes in 0.029s)
         pkg: /data/local/tmp/AppLaunch.apk
  Failure [INSTALL_FAILED_INTERNAL_ERROR]

  logcat:
  05-08 23:16:36.336   605   637 I PackageManager: Copying native libraries to /data/app-lib/vmdl609237490
  05-08 23:16:36.338   605   637 W asset   : Installing empty resources in to table 0x5e89a368
  05-08 23:16:36.359   193   193 W installd: type=1400 audit(0.0:29): avc:  denied  { create } for  name="lib" scontext=u:r:installd:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=lnk_file
  05-08 23:16:36.363   193   193 E installd: couldn't symlink directory '/data/data/com.android.tests.applaunch/lib' -> '/data/app-lib/com.android.tests.applaunch-1': Permission denied
  05-08 23:16:36.364   605   637 W PackageManager: Failed linking native library dir (user=0)
  05-08 23:16:36.364   605   637 W PackageManager: Package couldn't be installed in /data/app/com.android.tests.applaunch-1.apk

Bug: 14659632
Change-Id: Iac4890302cd070aa3f71553af217f343ed7b8bc3
2014-05-09 11:19:20 -07:00
Nick Kralevich
cd905ec04e Protect keystore's files.
Only keystore itself should be reading / writing its files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-09 10:14:56 -07:00
Nick Kralevich
1e9bb8be0f Merge "Drop appdomain unlabeled file execute." 2014-05-08 19:41:43 +00:00
Nick Kralevich
9c9e8569a6 Merge "Drop rw access to unlabeled files." 2014-05-08 18:04:22 +00:00
Stephen Smalley
9add1f039b Add sysfs_type attribute to sysfs, coalesce ueventd rules.
As per the discussion in:
https://android-review.googlesource.com/#/c/92903/

Add sysfs_type attribute to sysfs type so that it is included
in rules on sysfs_type, allow setattr to all sysfs_type for ueventd
for chown/chmod, and get rid of redundant rules.

Change-Id: I1228385d5703168c3852ec75605ed8da7c99b83d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-08 13:18:52 -04:00
Stephen Smalley
e69a32a1a8 Drop rw access to unlabeled files.
Should no longer be required due to restorecon_recursive of /data
by init.rc (covers everything outside of /data/data) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).

Move the neverallow rule on relabelto to the neverallow section.
We could potentially drop this altogether, along with the relabelto_domain
macro and its callers, since its motivation was to provide some
safeguard in spite of allowing relabelfrom to unlabeled files for
all domains and this change removes relabelfrom.

unconfined still retains rw access to unlabeled, as do specific domains
that are explicitly allowed it.

Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-08 08:41:54 -04:00
Stephen Smalley
681a687a60 Drop appdomain unlabeled file execute.
Should no longer be required due to restorecon_recursive of /data
by init.rc (covers /data/dalvik-cache and /data/app-lib) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).

Change-Id: Icb217c0735852db7cca8583e381264ef8cd8839c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-08 08:38:54 -04:00
Greg Hackmann
7004789de3 Add policies for Atomic Display Framework
ADF is a modern replacement for fbdev.

ADF's device nodes (/dev/adf[X]), interface nodes
(/dev/adf-interface[X].[Y]), and overlay engine nodes
(/dev/adf-overlay-engine[X].[Y]) are collectively used in similar
contexts as fbdev nodes.  Vendor HW composers (via SurfaceFlinger) and
healthd will need to send R/W ioctls to these nodes to prepare and
update the display.

Ordinary apps should not talk to ADF directly.

Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2014-05-07 14:04:21 -07:00
Stephen Smalley
778520650a Remove platform_app shell_data_file:lnk_file read access.
Not sure what denial originally motivated adding this
access, but drop it and see if it resurfaces.  platform_app
is still permissive_or_unconfined() so this should not break
anything.

Change-Id: Ia4418080e3477346fa48d23b4bb5d53396ed5593
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 15:08:12 -04:00
Stephen Smalley
53cde700cd Report graphics_device accesses by system_server or mediaserver.
See if we can remove these allow rules by auditing any granting
of these permissions.  These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.

Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 15:01:51 -04:00
Stephen Smalley
91a4f8d4fd Label app data directories for system UID apps with a different type.
We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 18:04:51 +00:00
Nick Kralevich
2aed6d8991 Merge "Make su a net domain." 2014-05-05 19:49:04 +00:00
Nick Kralevich
557fe2abd6 Merge "Escape dot (.) when it is intended to be literal." 2014-05-05 18:33:55 +00:00
Stephen Smalley
812f7d90d2 Escape dot (.) when it is intended to be literal.
Otherwise it is treated as a regex and matches any character.

Change-Id: I9e23f01b0e104d3ef57993fd1a3d9a5b13201910
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-05 14:16:06 -04:00
Nick Kralevich
1545b60615 allow untrusted_app to write to MMS files
Commit 3fbc536dfd allowed untrusted
app to read radio data files passed via binder, but didn't allow
write access. Write access is needed when sending MMS messages.

Steps to reproduce:
1) have some photos on the device
2) Launch messaging app
3) Attach an MMS (Picture, capture video, capture picture, audio recording, etc.)
4) Send

EXPECTED RESULTS:
No crash

OBSERVED RESULTS:
- Messaging crashes on sending MMS
- messages are stuck in sending state

Additional details:
  05-05 10:14:01.196  2457  2457 W Binder_3: type=1400 audit(0.0:20): avc:  denied  { write } for  path="/data/data/com.android.providers.telephony/app_parts/PART_1399310041183_temp.jpg" dev="mmcblk0p23" ino=604417 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
  05-05 10:14:01.202 27809 28219 E JavaBinder: !!! FAILED BINDER TRANSACTION !!!
  05-05 10:14:01.203 27809 28219 E PduPersister: Failed to open Input/Output stream.
  05-05 10:14:01.203 27809 28219 E PduPersister: java.io.FileNotFoundException: Failed opening content provider: content://mms/part/4
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openAssetFileDescriptor(ContentResolver.java:966)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:674)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at android.content.ContentResolver.openOutputStream(ContentResolver.java:650)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistData(PduPersister.java:837)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persistPart(PduPersister.java:761)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.google.android.mms.pdu.PduPersister.persist(PduPersister.java:1398)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.createDraftMmsMessage(WorkingMessage.java:1577)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1431)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.203 27809 28219 E PduPersister:        at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: FATAL EXCEPTION: WorkingMessage.send MMS
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: Process: com.android.mms, PID: 27809
  05-05 10:14:01.221 27809 28219 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.net.Uri.getLastPathSegment()' on a null object reference
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at android.content.ContentUris.parseId(ContentUris.java:85)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.model.SlideshowModel.finalResize(SlideshowModel.java:691)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.sendMmsWorker(WorkingMessage.java:1448)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage.access$700(WorkingMessage.java:82)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at com.android.mms.data.WorkingMessage$2.run(WorkingMessage.java:1228)
  05-05 10:14:01.221 27809 28219 E AndroidRuntime:      at java.lang.Thread.run(Thread.java:818)
  05-05 10:14:01.222   659  5253 W ActivityManager:   Force finishing activity com.android.mms/.ui.ComposeMessageActivity

Bug: 14562421
Change-Id: Iba6914eeec4bf0c8c04ee83584327a4824c0a9a9
2014-05-05 11:14:15 -07:00
dcashman
f6e3586c53 Merge "Remove specifycapabilities permission." 2014-05-05 16:31:48 +00:00
dcashman
c4db82cf85 Remove specifycapabilities permission.
specifycapabilities is no longer specified by the zygote userspace manager.
It was removed in commit: 42a4bb5730266f80585e67262c73505d0bfffbf8.  Remove
this permission from policy.

Change-Id: I866a25b590a375a68de6eec9af1b3ef779889985
2014-05-02 19:58:23 -07:00
Sreeram Ramachandran
bc320187b9 Make su a net domain.
Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811
2014-05-02 14:50:26 -07:00
Ruchi Kandoi
0a3337595d ueventd: Adds permission to ueventd to access sysfs file
Need this for changing max_cpufreq for the low power mode.

Denials:
type=1400 audit(1398818907.151:48): avc:  denied  { relabelfrom } for
pid=129 comm="ueventd" name="scaling_max_freq" dev="sysfs" ino=19866
scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs:s0 tclass=file

type=1400 audit(118521.050:11): avc:  denied  { setattr } for  pid=130
comm="ueventd" name="scaling_min_freq" dev="sysfs" ino=9178
scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file

Change required for Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233

Change-Id: I93feee65b1535ac048acf3bc7fba9f5d1bdb2bd2
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
2014-05-01 17:30:03 +00:00
Stephen Smalley
3a4eb96b2a Make the untrusted_app domain enforcing.
Change-Id: I4811da972f7e23ef86e04d05400169422fbaca35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-01 10:04:58 -07:00
Narayan Kamath
99499dc039 Merge "Change zygote sepolicy whitelist." 2014-05-01 10:20:44 +00:00
Narayan Kamath
3a06a72c16 Change zygote sepolicy whitelist.
Allow the zygote to create instruction set specific
directories under /data/dalvik-cache and to change their owner
to the system UID.

These subdirectories are required in order to support
instruction set specific dex caches on devices that support
multiple instruction sets. We can't ask init to create these
directories for us, because init doesn't have any knowledge
about the list of runtime instruction sets the device supports.

The owner needs to be system because the package manager (running
in the system_server) is allowed to manipulate files under this
directory.

(cherry picked from commit 032e5b0ae1)

Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361
2014-05-01 11:19:00 +01:00
Nick Kralevich
0e06c13784 Allow shell debugfs read access
Developers should be able to use systrace with user builds.
This requires read access to /sys/kernel/debug/tracing/trace,
otherwise the following error occurs:

  $ atrace
  capturing trace... done
  TRACE:
  error opening /sys/kernel/debug/tracing/trace: Permission denied (13)

with the following SELinux denial:

  <4>[   79.830542] type=1400 audit(11940551.039:8): avc:  denied  { read } for  pid=1156 comm="atrace" name="trace" dev="debugfs" ino=3024 scontext=u:r:shell:s0 tcontext=u:object_r:debugfs:s0 tclass=file

At least on the kernel I've tested this on, debugfs doesn't support
setting SELinux file labels. Grant read access to all of debugfs to
work around this limitation.

Bug: 13904660
Change-Id: Ib58e98972c5012e9b34fec9e0a6094641638cd9a
2014-04-30 19:28:01 +00:00
Jeff Sharkey
6838cd54e7 Let installd dexopt OEM apps.
avc:  denied  { search } for  pid=118 comm="installd" name="/" dev="mmcblk0p12" ino=2 scontext=u:r:installd:s0 tcontext=u:object_r:oemfs:s0 tclass=dir

Bug: 13340779
Change-Id: Id42f45080ba2c736921691dadfdfa429cf006663
2014-04-25 17:12:53 -07:00
Jeff Sharkey
6736bac218 Define types for an OEM-provided filesystem.
Bug: 13340779
Change-Id: I6151b6b61ddf90327d51815d13fd65be561be587
2014-04-25 17:07:20 -07:00
Nick Kralevich
fd783d1b1f Merge "Audit accesses on unlabeled files." 2014-04-21 18:30:48 +00:00
Nick Kralevich
5bbdb53328 Merge "Allow vold to access keymaster" 2014-04-18 20:30:30 +00:00
Stephen Smalley
2562843425 Audit accesses on unlabeled files.
To see whether we can safely remove these allow rules on unlabeled files
since we now have restorecon_recursive /data in init.rc to fully relabel
legacy userdata partitions, audit all accesses on such files.

Exclude the init domain since it performs the restorecon_recursive /data
and therefore will read unlabeled directories, stat unlabeled files,
and relabel unlabeled directories and files on upgrade.  init may also
create/write unlabeled files in /data prior to the restorecon_recursive
/data being called.

Exclude the kernel domain for search on unlabeled:dir as this happens
during cgroup filesystem initialization in the kernel as a side effect
of populating the cgroup directory during the superblock initialization
before SELinux has set the label on the root directory.

Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-18 10:01:21 -04:00
Nick Kralevich
fd352f11e0 Allow surfaceflinger to make binder call to bootanim
When SurfaceFlinger -- or any BufferQueue consumer -- releases a buffer, the
BufferQueue calls back into the producer side in case the producer cares.
This results in a notification from surfaceflinger to bootanim.

This callback started in d1c103655533321b5c74fbefff656838a8196153.

Addresses the following denial:

6.164348   type=1400 audit(1397612702.010:5): avc:  denied  { call } for  pid=128 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:bootanim:s0 tclass=binder

Change-Id: I6f2d62a3ed81fde45150d2ae3ff05822bfda33fe
2014-04-16 16:31:23 -07:00
Nick Kralevich
d434d601f7 Merge "Label /dev/usb-ffs/adb functionfs" 2014-04-16 13:54:40 +00:00
Nick Kralevich
77cc05502f Label /dev/usb-ffs/adb functionfs
Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.

Once labeled, this addresses the following denials:

<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file

Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
2014-04-15 15:12:45 -07:00