From 0b764ae98a7fe452690616b7d722a63bb7cd5fa8 Mon Sep 17 00:00:00 2001 From: dcashman Date: Tue, 8 Sep 2015 18:22:12 -0700 Subject: Allow untrusted_app to list services. CTS relies on the ability to see all services on the system to make sure the dump permission is properly enforced on all services. Allow this. Bug: 23476772 Change-Id: I144b825c3a637962aaca59565c9f567953a866e8 --- untrusted_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/untrusted_app.te b/untrusted_app.te index 693a13c..2aa1495 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -80,6 +80,9 @@ allow untrusted_app mnt_media_rw_file:dir search; allow untrusted_app cache_file:dir create_dir_perms; allow untrusted_app cache_file:file create_file_perms; +# allow cts to query all services +allow untrusted_app servicemanager:service_manager list; + allow untrusted_app drmserver_service:service_manager find; allow untrusted_app mediaserver_service:service_manager find; allow untrusted_app nfc_service:service_manager find; -- cgit v1.2.3 From 16c36f68ae575a87e438329e6d159532d61cf113 Mon Sep 17 00:00:00 2001 From: Lorenzo Colitti Date: Wed, 9 Sep 2015 17:39:25 +0900 Subject: Allow system_server to bind ping sockets. This allows NetworkDiagnostics to send ping packets from specific source addresses in order to detect reachability problems on the reverse path. This addresses the following denial: [ 209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0 Bug: 23661687 (cherry picked from commit c37121436be95ae2ed75cb83605940455446ef4e) Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2 --- system_server.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/system_server.te b/system_server.te index 0b18eb4..c9d8f3b 100644 --- a/system_server.te +++ b/system_server.te @@ -101,9 +101,13 @@ allow system_server proc_sysrq:file rw_file_perms; # Read /sys/kernel/debug/wakeup_sources. allow system_server debugfs:file r_file_perms; -# WifiWatchdog uses a packet_socket +# The DhcpClient and WifiWatchdog use packet_sockets allow system_server self:packet_socket create_socket_perms; +# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same +# as raw sockets, but the kernel doesn't yet distinguish between the two. +allow system_server node:rawip_socket node_bind; + # 3rd party VPN clients require a tun_socket to be created allow system_server self:tun_socket create_socket_perms; -- cgit v1.2.3