path: root/su.te
* sepolicy: We need to declare before referencing  (Steve Kondik, 2015-10-16, 1 file, -0/+1)

    Change-Id: I91cd6166e2f312c9bc6c9079d439cd2579aa3956
* Remove service_manager_local_audit_domain.  (dcashman, 2015-06-08, 1 file, -1/+0)

    service_manager_local_audit_domain was used to fine-tune the service_manager
    auditallow rules when introducing the service_manager SELinux rules. This is
    no longer needed.

    (cherry-pick of commit: eab26faa60cc0fdadfe128433e0357bdde3f9d9b)

    Bug: 21656807
    Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
* su.te: add filesystem dontaudit rule  (Nick Kralevich, 2015-04-16, 1 file, -0/+1)

    Addresses su denials which occur when mounting filesystems not defined by
    policy. Addresses denials similar to:

    avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

    Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e
* su: don't auditallow service_manager for su  (Nick Kralevich, 2015-02-25, 1 file, -0/+1)

    Addresses the following auditallow messages:

    avc: granted { find } for service=accessibility scontext=u:r:su:s0 tcontext=u:object_r:accessibility_service:s0 tclass=service_manager
    avc: granted { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager
    avc: granted { find } for service=package scontext=u:r:su:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager
    avc: granted { find } for service=user scontext=u:r:su:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager
    avc: granted { find } for service=window scontext=u:r:su:s0 tcontext=u:object_r:window_service:s0 tclass=service_manager

    Change-Id: Ie58ad3347e9ef1aacd39670cfec7d095875e237b
* Dumpstate runs the same from shell as service.  (Christopher Ferris, 2015-02-04, 1 file, -0/+4)

    Without this change, any selinux warning you might get when running
    dumpstate from init does not show up when running from the shell as root.
    This change makes them run the same.

    Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
* su.te: suppress service_manager related denials.  (Nick Kralevich, 2015-01-06, 1 file, -0/+4)

    The su domain is always permissive, and will always be permissive. It
    never makes sense to show su related denials, as they just cause a false
    sense of alarm.

    Suppress service_manager related denials. For example:

    SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
    SELinux : avc: denied { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

    While I'm here, suppress other recent additions to security_classes as
    well (keystore_key, debuggerd, drmservice)

    Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9
* make su an mlstrustedsubject  (Nick Kralevich, 2014-09-22, 1 file, -1/+1)

    Otherwise the following denial occurs when I3972f846ff5e7363799ba521f1258d662b18d64e
    is present and "adb root" is run.

    <6>[   64.507223] type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1
    <6>[   64.507617] type=1400 audit(1411432079.100:472): avc: denied { connectto } for pid=1659 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1

    Change-Id: I1772912b2ca1446b822303ad6ea3154427f8331f
* Tweak rules for su domain.  (Nick Kralevich, 2014-07-14, 1 file, -10/+2)

    1) Remove explicit allow statements. Since su is in permissive, there's no
       need to ever specify allow statements for su.

    2) Remove unconfined_domain(su). Su is already permissive, so there's no
       need to join the unconfined domain, and it just makes getting rid of
       unconfined more difficult.

    3) Put su into app_domain(). This addresses, in a roundabout sorta way, the
       following denial:

       type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

       which comes up while testing media processes as root. We already put the
       shell user into this domain, so adding su to this domain ensures other
       processes can communicate consistently with su spawned processes.

    Bug: 16261280
    Bug: 16298582
    Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7
* dontaudit su  (Nick Kralevich, 2014-05-27, 1 file, -0/+23)

    Denials generated from the su domain aren't meaningful security warnings,
    and just serve to confuse people. Don't log them.

    Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e
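The commits above (the filesystem dontaudit rule, the service_manager suppression, the removal of su from the service_manager auditallow, the mlstrustedsubject change, and this "dontaudit su" commit) all start from an AVC record in the kernel log and end in a one-line policy change. The script below is an added example written for this page, not code from the sepolicy project and not a substitute for audit2allow: it parses the audit lines quoted in those commit messages, merges them per source/target/class, and emits a dontaudit rule when the source domain is one the policy treats as always permissive (the script assumes only su, via its own ALWAYS_PERMISSIVE tuple), a note for "granted" records, which are produced by auditallow rules, and a review note for everything else. The unmount line in the sample input is constructed; the other audit lines are copied from the commit messages.

```python
"""Turn AVC audit lines into su-policy suggestions (added example).

Illustrative script, not code from the sepolicy repository and not a
replacement for audit2allow. It parses "avc: denied" / "avc: granted"
records, merges them per (verdict, source, target, class) the way
audit2allow does, and emits the kind of rule the commits on this page
added: dontaudit for an always-permissive source domain such as su.
"""
import re

# Domains this script treats as always permissive. "su" is the page's case;
# the tuple itself is the script's assumption, not a policy attribute.
ALWAYS_PERMISSIVE = ("su",)

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a security context.

    u:r:su:s0                      -> su
    u:object_r:unlabeled:s0        -> unlabeled
    u:r:untrusted_app:s0:c512,c768 -> untrusted_app  (MLS categories ignored)
    """
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one log line; return None for lines that carry no AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m["verdict"],
        "source": context_type(m["scontext"]),
        "target": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }


def fmt_perms(perms):
    """Single permission bare, several in braces, as in a .te file."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def suggest_rules(lines, permissive=ALWAYS_PERMISSIVE):
    """Merge records by (verdict, source, target, class) and emit one line each."""
    merged = {}  # insertion-ordered, so output follows first appearance
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["verdict"], rec["source"], rec["target"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])

    out = []
    for (verdict, src, tgt, cls), perms in merged.items():
        av = f"{src} {tgt}:{cls} {fmt_perms(perms)}"
        if verdict == "granted":
            # "granted" records come from an auditallow rule; the fix in the
            # log above was to stop auditallow-ing su, not to add a rule.
            out.append(f"# auditallow hit, exclude {src} from the auditallow on {tgt}:{cls}")
        elif src in permissive:
            # The source is permissive anyway, so the denial is noise:
            # silence it with dontaudit, never turn it into an allow.
            out.append(f"dontaudit {av};")
        else:
            # A confined source domain is a real policy decision. The denial
            # may also stem from an MLS constraint (cf. the mlstrustedsubject
            # commit), in which case an allow rule would not fix it.
            out.append(f"# review: allow {av};")
    return out


# Audit lines copied from the commit messages above, plus one constructed
# line (the unmount denial) to show the per-class merging.
SAMPLE_AUDIT = [
    'avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 '
    'scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1',
    'avc: denied { unmount } for pid=12362 comm="umount" '  # constructed line
    'scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1',
    'SELinux : avc: denied { find } for service=SurfaceFlinger '
    'scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager',
    'avc: granted { find } for service=activity '
    'scontext=u:r:su:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager',
    'type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1',
    'init: starting service foo',  # not an AVC record, skipped
]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_AUDIT):
        print(rule)
```

Note the last sample: the JDWP denial has untrusted_app as source and su as target, and the fix recorded in the log was an MLS attribute (mlstrustedsubject), not an allow rule, which is why a confined source domain only gets a review comment here rather than a generated rule.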
* Make su a net domain.  (Sreeram Ramachandran, 2014-05-02, 1 file, -0/+3)

    Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811
* Clarify init_shell, shell, and su domain usage.  (Stephen Smalley, 2014-02-21, 1 file, -0/+3)

    init_shell domain is now only used for shell commands or scripts invoked by
    init*.rc files, never for an interactive shell. It was being used for
    console service for a while but console service is now assigned shell
    domain via seclabel in init.rc. We may want to reconsider the shelldomain
    rules for init_shell and whether they are still appropriate.

    shell domain is now used by both adb shell and console service, both of
    which also run in the shell UID.

    su domain is now used not only for /system/bin/su but also for adbd and
    its descendants after an adb root is performed.

    Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* debuggerd: Allow "debug.db.uid" usage  (Nick Kralevich, 2014-02-18, 1 file, -0/+1)

    Allow the use of debug.db.uid on userdebug / eng builds. Setting this
    property allows debuggerd to suspend a process if it detects a crash.

    Make debug.db.uid only accessible to the su domain. This should not be
    used on a user build.

    Only support reading user input on userdebug / eng builds.

    Steps to reproduce with the "crasher" program:

      adb root
      adb shell setprop debug.db.uid 20000
      mmm system/core/debuggerd
      adb sync
      adb shell crasher

    Addresses the following denials:

    <5>[  580.637442] type=1400 audit(1392412124.612:149): avc: denied { read } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
    <5>[  580.637589] type=1400 audit(1392412124.612:150): avc: denied { open } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
    <5>[  580.637706] type=1400 audit(1392412124.612:151): avc: denied { read write } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
    <5>[  580.637823] type=1400 audit(1392412124.612:152): avc: denied { open } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
    <5>[  580.637958] type=1400 audit(1392412124.612:153): avc: denied { ioctl } for pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

    Bug: 12532622
    Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
* Support running adbd in the su domain.  (Nick Kralevich, 2014-01-23, 1 file, -0/+5)

    When adbd runs as root, it transitions into the su domain. Add the
    various rules to support this.

    This is needed to run the adbd and shell domains in enforcing on
    userdebug / eng devices without breaking developer workflows.

    Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
* Create new conditional userdebug_or_eng  (Nick Kralevich, 2014-01-09, 1 file, -9/+13)

    Create a new m4 macro called userdebug_or_eng. Arguments passed to this
    macro are only emitted if we're performing a userdebug or eng build.

    Merge shell.te and shell_user.te and eliminate duplicate lines.
    Same for su.te and su_user.te

    Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
* initial dumpstate domain  (Nick Kralevich, 2013-12-16, 1 file, -0/+4)

    Add the necessary rules to support dumpstate. Start off initially in
    permissive until it has more testing.

    Dumpstate is triggered by running "adb bugreport"

    Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
* Restrict the ability to set SELinux enforcing mode to init.  (Stephen Smalley, 2013-12-02, 1 file, -0/+3)

    Also make su and shell permissive in non-user builds to allow use of
    setenforce without violating the neverallow rule.

    Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Move unconfined domains out of permissive mode.  (Nick Kralevich, 2013-10-21, 1 file, -1/+0)

    This change removes the permissive line from unconfined domains.
    Unconfined domains can do (mostly) anything, so moving these domains
    into enforcing should be a no-op.

    The following domains were deliberately NOT changed:
    1) kernel
    2) init

    In the future, this gives us the ability to tighten up the rules in
    unconfined, and have those tightened rules actually work.

    When we're ready to tighten up the rules for these domains, we can:
    1) Remove unconfined_domain and re-add the permissive line.
    2) Submit the domain in permissive but NOT unconfined.
    3) Remove the permissive line
    4) Wait a few days and submit the no-permissive change.

    For instance, if we were ready to do this for adb, we'd identify a list
    of possible rules which allow adbd to work, re-add the permissive line,
    and then upload those changes to AOSP. After sufficient testing, we'd
    then move adb to enforcing. We'd repeat this for each domain until
    everything is enforcing and out of unconfined.

    Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
* Make sure exec_type is assigned to all entrypoint types.  (Stephen Smalley, 2013-09-27, 1 file, -1/+1)

    Some file types used as domain entrypoints were missing the exec_type
    attribute. Add it and add a neverallow rule to keep it that way.

    Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Move domains into per-domain permissive mode.  (repo sync, 2013-05-14, 1 file, -0/+1)

    Bug: 4070557
    Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
* Revert "Include su.te only for userdebug/eng builds."  (Kenny Root, 2012-11-01, 1 file, -0/+6)

    This reverts commit af56ac19545ff083ceb3c1ddf4bf8e2663d4b934.

    Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
* Include su.te only for userdebug/eng builds.  (Matt Finifter, 2012-07-18, 1 file, -6/+0)

    Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
* SE Android policy.  (Stephen Smalley, 2012-01-04, 1 file, -0/+6)