| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service
The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.
To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)
This macro handles steps 1, 2 and 3.
No difference in sediff is expected.
(cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232)
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:
registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window
Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the following services from tmp_system_server_service to appropriate
attributes:
network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats
Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
|
| |
|
|
|
|
|
|
|
|
|
| |
System services differ in designed access level. Add attributes reflecting this
distinction and label services appropriately. Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute. Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.
Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
|
| |
|
|
|
|
|
| |
Reduce logspam and record further observed service connections.
Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
|
| |
|
|
|
|
|
| |
Address the following log entry:
SELinux : avc: granted { find } for service=power scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:power_service:s0 tclass=service_manager
Change-Id: Id750ba9f99c622351fb3206ad007eae8a713adea
|
| |
|
|
|
|
|
|
| |
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.
Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
|
| |
|
|
|
|
|
|
|
| |
All domains are currently granted list and find service_manager
permissions, but this is not necessary. Pare the permissions
which did not trigger any of the auditallow reporting.
Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
|
| |
|
|
|
|
|
|
|
|
| |
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
|
| |
|
|
|
|
|
| |
surfaceflinger has been enforcing for a while now. Remove
the reference to the unconfined domain.
Change-Id: Ia86a0553e9c2db3c89f93e26179c79278d1d3bed
|
| |
|
|
|
|
|
|
|
|
|
| |
As of sepolicy commit a16a59e2c7f1e2f09bf7b750101973a974c972e8
(https://android-review.googlesource.com/94580), adf_device
and graphics_device have the exact same security properties.
Merge them into one type to avoid a proliferation of SELinux
types.
Change-Id: Ib1a24f5d880798600e103b9e14934e41abb1ef95
|
| |
|
|
|
| |
Change-Id: Id6d9a7cabc2fe9c18de10c6e9bc0080cdcd7033d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ADF is a modern replacement for fbdev.
ADF's device nodes (/dev/adf[X]), interface nodes
(/dev/adf-interface[X].[Y]), and overlay engine nodes
(/dev/adf-overlay-engine[X].[Y]) are collectively used in similar
contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and
healthd will need to send R/W ioctls to these nodes to prepare and
update the display.
Ordinary apps should not talk to ADF directly.
Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343
Signed-off-by: Greg Hackmann <ghackmann@google.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When SurfaceFlinger -- or any BufferQueue consumer -- releases a buffer, the
BufferQueue calls back into the producer side in case the producer cares.
This results in a notification from surfaceflinger to bootanim.
This callback started in d1c103655533321b5c74fbefff656838a8196153.
Addresses the following denial:
6.164348 type=1400 audit(1397612702.010:5): avc: denied { call } for pid=128 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:bootanim:s0 tclass=binder
Change-Id: I6f2d62a3ed81fde45150d2ae3ff05822bfda33fe
|
| |
|
|
|
|
|
|
|
|
| |
The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.
Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves denials such as:
avc: denied { open } for pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file
This seems harmless, although I am unclear as to why/where it occurs.
Likely just for logging/debugging.
Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps. But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket. So there is no
real benefit to keeping it as a separate type.
Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.
Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Resolves denials such as:
avc: denied { call } for pid=257 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:adbd:s0 tclass=binder
avc: denied { call } for pid=1002 comm="Binder_4" scontext=u:r:surfaceflinger:s0 tcontext=u:r:platform_app:s0 tclass=binder
avc: denied { open } for pid=1468 comm="Binder_1" name="cmdline" dev="proc" ino=10222 scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=file
avc: denied { open } for pid=1275 comm="Binder_5" name="cmdline" dev="proc" ino=38036 scontext=u:r:surfaceflinger:s0 tcontext=u:r:system_app:s0 tclass=file
Change-Id: I92147a1636b44a851d0e0e059f70ec8267cecf08
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Steps to reproduce across devices.
adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4
* Allow surfaceflinger to talk to mediaserver
avc: denied { call } for pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder
* Give mediaserver access to gpu_device
avc: denied { read write } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
avc: denied { open } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
avc: denied { ioctl } for pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Image transfer over NFC is broken.
STEPS TO REPRODUCE:
-----------------------------------------
1. Launch Gallery and open any picture
2. Keep two devices close each other
3. Tap on 'Touch to Beam' option on sender device and observe receiver device
OBSERVED RESULTS:
'Beam did not complete' message showing in Notification window.
EXPECTED RESULTS:
Beam should complete successfully and able to share picture through Beam
ADDITIONAL INFORMATION :
Device : Hammerhead
Reproducibility : 3/3
Addresses the following denials:
<5>[ 3030.955024] type=1400 audit(1391625834.066:72): avc: denied { call } for pid=311 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:nfc:s0 tclass=binder
<5>[ 3049.606559] type=1400 audit(1391625852.716:74): avc: denied { write } for pid=26850 comm="id.nfc:handover" name="0" dev="fuse" ino=3086221568 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.606802] type=1400 audit(1391625852.716:75): avc: denied { add_name } for pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.607068] type=1400 audit(1391625852.716:76): avc: denied { create } for pid=26850 comm="id.nfc:handover" name="beam" scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610602] type=1400 audit(1391625852.716:77): avc: denied { remove_name } for pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
<5>[ 3049.610870] type=1400 audit(1391625852.716:78): avc: denied { rename } for pid=26850 comm="id.nfc:handover" name="IMG_20140205_104344.jpg" dev="fuse" ino=3086246328 scontext=u:r:nfc:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file
Bug: 12891504
Change-Id: I10dc964db9249f53a2b4d8fe871ad9a036c423a2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.
Two bugs here:
1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.
2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.
Addresses the following denials:
<5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.
Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.
This will ensure that all SELinux domains have at least a
minimal level of protection.
Unconditionally enable this flag for all user builds.
Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When playing protected content on manta, surfaceflinger would crash.
STEPS TO REPRODUCE:
1. Launch Play Movies & TV
2. Play any movie and observe
OBSERVED RESULTS:
Device reboot while playing movies
EXPECTED RESULTS:
No device reboot
Even though this only reproduces on manta, this seems appropriate
for a general policy.
Addresses the following denials:
<5>[ 36.066819] type=1400 audit(1389141624.471:9): avc: denied { write } for pid=1855 comm="TimedEventQueue" name="tlcd_sock" dev="mmcblk0p9" ino=627097 scontext=u:r:mediaserver:s0 tcontext=u:object_r:drmserver_socket:s0 tclass=sock_file
<5>[ 36.066985] type=1400 audit(1389141624.471:10): avc: denied { connectto } for pid=1855 comm="TimedEventQueue" path="/data/app/tlcd_sock" scontext=u:r:mediaserver:s0 tcontext=u:r:drmserver:s0 tclass=unix_stream_socket
<5>[ 41.379708] type=1400 audit(1389141629.786:15): avc: denied { connectto } for pid=120 comm="surfaceflinger" path=006D636461656D6F6E scontext=u:r:surfaceflinger:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket
<5>[ 41.380051] type=1400 audit(1389141629.786:16): avc: denied { read write } for pid=120 comm="surfaceflinger" name="mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
<5>[ 41.380209] type=1400 audit(1389141629.786:17): avc: denied { open } for pid=120 comm="surfaceflinger" name="mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
<5>[ 41.380779] type=1400 audit(1389141629.786:18): avc: denied { ioctl } for pid=120 comm="surfaceflinger" path="/dev/mobicore-user" dev="tmpfs" ino=4117 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file
Change-Id: I20286ec2a6cf0d190a84ad74e88e94468bab9fdb
Bug: 12434847
|
| |
|
|
|
| |
Change-Id: Ief925f1f49a6579d5a7a1035f3732834238fa590
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are continued complaints about not being able to generate
bug reports and surfaceflinger crashes. Move surfaceflinger
out of enforcing until I can resolve this.
Here are some denials I'm seeing. I'm not sure what binder service is
running in the shell domain... Need to do more digging.
nnk@nnk:~/Downloads$ grep "avc: " screenshot_runtime_restart.txt | grep surfaceflinger
<5>[ 5.182699] type=1400 audit(1389111729.860:9): avc: denied { search } for pid=186 comm="surfaceflinger" name="tmp" dev="mmcblk0p28" ino=627090 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
<5>[ 744.988702] type=1400 audit(1389112469.578:188): avc: denied { call } for pid=596 comm="Binder_3" scontext=u:r:surfaceflinger:s0 tcontext=u:r:shell:s0 tclass=binder
This reverts commit a11c56e1249419d92db70d11b2976bf8962bad5d.
Bug: 12416329
Change-Id: I7b72608c760c4087f73047ad751a5bd069fa2ec7
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a bugreport is triggered using the device keys,
it generates a screenshot and places it into
/data/data/com.android.shell/files/bugreports. SELinux is denying
those writes.
Addresses the following denials:
<5> type=1400 audit(1389047451.385:23): avc: denied { call } for pid=267 comm="Binder_1" scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=binder
<5> type=1400 audit(1389046083.780:37): avc: denied { write } for pid=4191 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-06-14-07-35.txt.tmp" dev="mmcblk0p28" ino=81874 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
Bug: 12416329
Change-Id: I318145591cda500094d98103d30b784df48a67be
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:
<5>[ 22.812859] type=1400 audit(1389041093.955:17): avc: denied { read } for pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.813103] type=1400 audit(1389041093.955:18): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 22.832041] type=1400 audit(1389041093.975:19): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357470] type=1400 audit(1389041123.494:29): avc: denied { read } for pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.357717] type=1400 audit(1389041123.494:30): avc: denied { getattr } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[ 52.382276] type=1400 audit(1389041123.524:31): avc: denied { read } for pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.
Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
|
| |
|
|
|
| |
Change-Id: I55d059cf6b9e13a81545d3d8b8ff86befc89d6b3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
| |
Leave the domain permissive initially until it gets more testing.
Change-Id: I9d88d76d1ffdc79a2eff4545d37a9e615482df50
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
| |
Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
| |
Change-Id: Id6d89e7d87642fba22445484034e39f94bb90f5b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.
The following domains were deliberately NOT changed:
1) kernel
2) init
In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.
When we're ready to tighten up the rules for these domains,
we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.
For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.
Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
|
| |
|
|
|
|
|
|
| |
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
|
| |
|
|
|
| |
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
|
| |
|
|
| |
This reverts commit 69fbbdd54b04e648b07cdf522760247f3dafd362.
|
| |
|
|
|
|
|
| |
Some of these will get factored out into device-specific
configs later.
Change-Id: I359915e2607b56112bb22456d28e06c162fcbdff
|
| |
|
|
|
|
|
|
| |
This reverts commit ba84bf1dec64d745b6efc516799b2c722a672cd9
Hidden dependency resolved.
Change-Id: I9f0844f643abfda8405db2c722a36c847882c392
|
| |
|
|
|
|
| |
This reverts commit 8a814a7604afd20f12c9ff3dcdae7d10e9b75f84
Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
|
| |
|
|
|
| |
Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
|
|
|
|
|
|
|
| |
The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.
Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| | |
|
| |
|
|
|
|
|
| |
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
|
| |
|
