| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:
registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window
Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the following services from tmp_system_server_service to appropriate
attributes:
jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats
Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the following services from tmp_system_server_service to appropriate
attributes:
diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service
Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the following services from tmp_system_server_service to appropriate
attributes:
battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle
Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
|
|
|
|
|
|
|
|
| |
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.
Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
|
|
|
|
|
|
|
|
|
| |
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.
Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
|
|
|
|
|
|
|
|
|
|
|
| |
System services differ in designed access level. Add attributes reflecting this
distinction and label services appropriately. Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute. Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.
Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
|
|
|
|
|
|
|
| |
Get ready to switch system_server service lookups into enforcing.
Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
|
|
|
|
|
|
|
|
|
|
|
| |
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:
avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.
Addresses the following denials (and many more):
avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file
This reverts commit 0f0324cc826afb9beefda802d496befe823a081e
and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1
Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
|
|
|
|
|
|
|
|
|
|
|
|
| |
Address the following denial:
SELinux E avc: denied { find } for service=drm.drmManager scontext=u:r:radio:s0 tcontext=u:object_r:drmserver_service:s0
which occurs when a non-default SMS app sends an MMS. The message would be
stored into system automatically in MMS service (from phone process and phone
UID). The storing of the message involves the creation of
android.drm.DrmManagerClient instance.
Change-Id: Ic4e493f183c9ce7f7ac3f74f6ea062893ea67608
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Messenger can't send MMSes on the master branch. When Messenger sends
an MMS, it stores the message data in local file and publishes it
via a content provider. The URI is passed to the MMS API. The
MmsServiceBroker in system process gets the call and grant URI
permission to phone UID. The MmsService in phone process (and sharing
the phone UID) needs to read the URI to get message data to send.
Addresses the following denial:
type=1400 audit(0.0:32): avc: denied { read } for path="/data/data/com.google.android.apps.messaging/cache/rawmms/5394791820000274558.dat" dev="mmcblk0p28" ino=83180 scontext=u:r:radio:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file
Change-Id: I2b694ff6c516714d3524e0613bae0f6773ed2e95
|
|
|
|
|
|
|
| |
Reduce logspam and record further observed service connections.
Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
|
|
|
|
|
|
|
|
|
|
|
| |
SELinux domains wanting read access to /proc/net need to
explicitly declare it.
TODO: fixup the ListeningPortsTest cts test so that it's not
broken.
Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
|
|
|
|
|
|
|
|
| |
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.
Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
|
|
|
|
|
|
|
|
|
| |
All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
|
|
|
|
|
|
|
|
|
| |
They need to see when it changes so they know when netd bounces.
(cherrypicked from commit 71e9a7c4718f786c9d1bc5e6ab62d3f7d46dce66)
bug:18069270
Change-Id: I954cf43ff02f1d352015f128ef88b659e6d0f95a
|
|
|
|
|
|
|
|
| |
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
|
|
|
|
|
|
|
|
|
|
| |
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.
Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.
Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
|
|
|
|
|
|
|
|
|
| |
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.
Two bugs here:
1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.
2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.
Addresses the following denials:
<5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
|
|
|
|
|
| |
Change-Id: I3522c38a6019a42acbdd7221240caec54b89aee1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
|
|
|
|
|
|
|
|
| |
As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.
Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.
The following domains were deliberately NOT changed:
1) kernel
2) init
In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.
When we're ready to tighten up the rules for these domains,
we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.
For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.
Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
|
|
|
|
|
|
|
|
| |
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
|
|
|
|
|
| |
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
|
|
|
|
|
|
|
| |
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
|
|
|