path: root/netd.te
* netd dontaudit fsetid (Nick Kralevich, 2015-04-02; 1 file, -3/+2)
  For the reasons explained in the pre-existing code, we don't want to grant fsetid to netd, nor do we want denial messages to be generated.
  Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
* Revert /proc/net related changes (Nick Kralevich, 2015-02-25; 1 file, -2/+1)
  Revert the tightening of /proc/net access. These changes are causing a lot of denials, and I want additional time to figure out a better solution.
  Addresses the following denials (and many more):
  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
  This reverts commit 0f0324cc826afb9beefda802d496befe823a081e and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1
  Bug: 9496886
  Bug: 19034637
  Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
* Rules to let netd read packets from NFLOG target. (Jeff Sharkey, 2015-01-15; 1 file, -0/+1)
  avc: denied { create } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
  avc: denied { setopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
  avc: denied { bind } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
  avc: denied { getopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
  avc: denied { write } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
  avc: denied { read } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
  Bug: 18335678
  Change-Id: I7c03d55b4719d0fd8057507bf8ac1cf573e4744a
* remove /proc/net read access from domain.te (Nick Kralevich, 2015-01-14; 1 file, -1/+2)
  SELinux domains wanting read access to /proc/net need to explicitly declare it.
  TODO: fixup the ListeningPortsTest cts test so that it's not broken.
  Bug: 9496886
  Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
* Annotate MLS trusted subjects and objects. (Stephen Smalley, 2014-09-08; 1 file, -1/+1)
  When using MLS (i.e. enabling levelFrom= in seapp_contexts), certain domains and types must be exempted from the normal constraints defined in the mls file. Beyond the current set, adbd, logd, mdnsd, netd, and servicemanager need to be able to read/write to any level in order to communicate with apps running with any level, and the logdr and logdw sockets need to be writable by apps running with any level.
  This change has no impact unless levelFrom= is specified in seapp_contexts, so by itself it is a no-op.
  Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Allow netd to create data files in /data/misc/net/. (Sreeram Ramachandran, 2014-07-08; 1 file, -0/+4)
  This will be used to populate rt_tables (a mapping from routing table numbers to table names) that's read by the iproute2 utilities.
  Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
* Align SELinux property policy with init property_perms. (Stephen Smalley, 2014-06-23; 1 file, -0/+2)
  Introduce a net_radio_prop type for net. properties that can be set by radio or system.
  Introduce a system_radio_prop type for sys. properties that can be set by radio or system.
  Introduce a dhcp_prop type for properties that can be set by dhcp or system.
  Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out.
  Remove the ability to set properties from unconfineddomain.
  Allow init to set any property.
  Allow recovery to set ctl_default_prop to restart adbd.
  Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Introduce fwmarkd: a service to set the fwmark of sockets. (Sreeram Ramachandran, 2014-05-14; 1 file, -0/+4)
  (cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)
  Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
* Replace ctl_default_prop access with explicit service property keys. (Robert Craig, 2014-03-25; 1 file, -3/+1)
  The ctl_default_prop label is a bit too generic for some of the privileged domains when describing access rights. Instead, be explicit about which services are being started and stopped by introducing new ctl property keys.
  Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
  Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
* Deduplicate neverallow rules on selinuxfs operations. (Stephen Smalley, 2014-03-10; 1 file, -6/+0)
  We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te.
  Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Clean up socket rules. (Stephen Smalley, 2014-02-25; 1 file, -5/+3)
  Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms.
  Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te.
  For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write.
  Delete legacy rule for b/12061011.
  This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change.
  Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Add a domain for mdnsd and allow connecting to it. (Stephen Smalley, 2014-02-25; 1 file, -1/+0)
  Change-Id: I0a06fa32a46e515671b4e9a6f68e1a3f8b2c21a8
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Remove fsetid from netd. (Stephen Smalley, 2014-02-25; 1 file, -1/+10)
  fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate.
  Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Create proc_net type for /proc/sys/net entries. (Robert Craig, 2014-01-07; 1 file, -2/+1)
  /proc/sys/net could use its own type to help distinguish among some of the proc access rules. Fix dhcp and netd because of this.
  Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
  Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
* put netd into net_domain (Nick Kralevich, 2013-12-15; 1 file, -4/+2)
  This addresses the review comments from https://android-review.googlesource.com/#/c/69855/
  Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
* Merge commit '060f6fa67e1d9779d2d8357659ae530d65171faa' into HEAD (The Android Open Source Project, 2013-11-22; 1 file, -1/+1)
  * am 3bb1ccc2: Fix long-tail denials in enforcing domains. (Geremy Condra, 2013-09-17; 1 file, -1/+1; merged via the commit above)
    * commit '3bb1ccc265bbc6e865506b38ae66721ec1177b55': Fix long-tail denials in enforcing domains.
  * Fix long-tail denials in enforcing domains. (Geremy Condra, 2013-09-17; 1 file, -1/+1; merged via the commit above)
    The specific denials we see are:
    denied { getattr } for pid=169 comm="installd" path="/data/data/com.android.providers.downloads/cache/downloadfile.jpeg" dev="mmcblk0p23" ino=602861 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file
    denied { fsetid } for pid=598 comm="netd" capability=4 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
    denied { read } for pid=209 comm="installd" name="cache" dev="mmcblk0p28" ino=81694 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir
    Bug: 10786017
    Change-Id: Ia5d0b6337f3de6a168ac0d5a77df2a1ac419ec29
* netd: allow tcp_socket name_connect (Nick Kralevich, 2013-11-13; 1 file, -0/+1)
  The patch in 36a5d109e6953c63d2a865eab4c4d021aa52250b wasn't sufficient to address DNS over TCP. We also need to allow name_connect.
  Fixes the following denial:
  <5>[ 82.120746] type=1400 audit(1830030.349:5): avc: denied { name_connect } for pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket
  Public Bug: https://code.google.com/p/android/issues/detail?id=62196
  Bug: 11097631
  Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
* netd: allow tcp connections. (Nick Kralevich, 2013-11-13; 1 file, -3/+3)
  DNS can use TCP connections, in addition to UDP connections. Allow TCP connections.
  Addresses the following denial:
  [ 1831.586826] type=1400 audit(1384129166.563:173): avc: denied { create } for pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket
  Public Bug: https://code.google.com/p/android/issues/detail?id=62196
  Change-Id: Ia542a9df3e466a8d409955bab6a23a524ff3d07b
  Bug: 11097631
* Neverallow access to the kmem device from userspace. (Geremy Condra, 2013-11-07; 1 file, -3/+0)
  Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
* Drop obsolete comments about SEAndroidManager. (Stephen Smalley, 2013-09-13; 1 file, -1/+0)
  Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Fix clatd, broken by selinux policing /dev/tun (Lorenzo Colitti, 2013-08-05; 1 file, -0/+4)
  Bug: 10175701
  Change-Id: I185df22bdbaafd56725760ec6c71340b67455046
* remove "self:process ptrace" from domain, netd neverallow rules (Nick Kralevich, 2013-07-12; 1 file, -1/+27)
  Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed.
  Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities.
  Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
* netd.te: allow ctl.mdnsd (Nick Kralevich, 2013-07-10; 1 file, -0/+4)
  Allow netd to set ctl.* properties. Currently, mdnsd is broken because it can't set this property.
  Bug: 9777774
  Change-Id: I2f32504d77b651e66e0a0067e65a5ed44b427f5a
* Enable SELinux protections for netd. (Nick Kralevich, 2013-06-28; 1 file, -2/+44)
  This change does several things:
  1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP.
  2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP.
  3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP.
  4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled.
  5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi.
  6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain.
  7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain.
  The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time.
  Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change.
  Bug: 9618347
  Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
* Make all domains unconfined. (repo sync, 2013-05-20; 1 file, -32/+2)
  This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.
  Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
* Move domains into per-domain permissive mode. (repo sync, 2013-05-14; 1 file, -0/+1)
  Bug: 4070557
  Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
* Strip unnecessary trailing semicolon on macro calls. (Stephen Smalley, 2013-04-05; 1 file, -1/+1)
  Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Create policy for PAN connections. (rpcraig, 2013-03-22; 1 file, -1/+8)
  Policy to allow bluetooth tethering.
  Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
  Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
* Further policy for Motorola Xoom. (Stephen Smalley, 2012-01-06; 1 file, -2/+2)
* SE Android policy. (Stephen Smalley, 2012-01-04; 1 file, -0/+30)