1. 04 Apr, 2014 3 commits
      Coalesce shared_app, media_app, release_app into untrusted_app. · 9ba844fe
      Stephen Smalley authored
      
      This change folds the shared_app, media_app, and release_app
      domains into untrusted_app, reducing the set of app domains down
      to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
      nfc, radio), a single domain for apps signed by the platform key
      (platform_app), and a single domain for all other apps (untrusted_app).
      Thus, SELinux only distinguishes when already distinguished by a predefined
      Android ID (AID) or by the platform certificate (which get the signature-only
      Android permissions and thus may require special OS-level accesses).
      
      It is still possible to introduce specific app domains for specific
      apps by adding signer and package stanzas to mac_permissions.xml,
      but this can be done on an as-needed basis for specialized apps that
      require particular OS-level permissions outside the usual set.
      
As there is now only a single platform app domain, get rid of the
      platformappdomain attribute and platform_app_domain() macro.  We used
      to add mlstrustedsubject to those domains but drop this since we are not
      using MLS in AOSP presently; we can revisit which domains need it if/when
      we use MLS.
      
      Since we are dropping the shared, media, and release seinfo entries from
      seapp_contexts, drop them from mac_permissions.xml as well.  However,
      we leave the keys.conf entries in case someone wants to add a signer
      entry in the future for specific apps signed by those keys to
      mac_permissions.xml.
      
      Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      label app_process64 as zygote_exec · 6bf9bbc8
      Nick Kralevich authored
      ... otherwise zygote 64 won't run in the correct SELinux domain.
      
      Bug: 13647418
      Change-Id: Iada2bf26623784535b70647c472f69b735b8f4fc
  2. 03 Apr, 2014 1 commit
  3. 02 Apr, 2014 3 commits
      Drop dontaudit sys_admin rule from rild. · 997d4a18
      Stephen Smalley authored
      
      Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29)
      fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup
      subsystem did not define its own can_attach handler.  This doesn't appear
      to have ever been the case of mainline, and is not true of the 3.4 Android
      kernels.  So we no longer need to dontaudit sys_admin to avoid log noise.
      
      Change-Id: I2faade6665a4adad91472c95f94bd922a449b240
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Drop dontaudit sys_admin rule from installd. · 016e6365
      Stephen Smalley authored
      
      Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29)
      fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup
      subsystem did not define its own can_attach handler.  This doesn't appear
      to have ever been the case of mainline, and is not true of the 3.4 Android
      kernels.  So we no longer need to dontaudit sys_admin to avoid log noise.
      
      Change-Id: I3822600a06c242764a94f9b67d9fcd6f599d3453
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  4. 01 Apr, 2014 3 commits
  5. 28 Mar, 2014 1 commit
      Move shell entry up with other platform UID entries. · 6d8fa695
      Stephen Smalley authored
      
      This is a trivial change to seapp_contexts to force a relabel
      of /data/data directories by PMS/installd by yielding a
      different hash value for comparison against /data/system/seapp_hash.
      This change does not alter any actual app process or data directory
      labeling decisions.  The seapp_contexts entries are sorted upon
      loading by libselinux to match the precedence rules described
      in the comment header, so ordering in this file should not matter.
      
      This should not be merged before the code changes with the same Change-Id.
      
      Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  6. 27 Mar, 2014 1 commit
      Allow reading of radio data files passed over binder. · 3fbc536d
      Stephen Smalley authored
      
      Addresses denials such as:
       avc:  denied  { read } for  pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
       avc:  denied  { getattr } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
       avc:  denied  { read } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:drmserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
       avc:  denied  { getattr } for  pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
       avc:  denied  { read } for  pid=9896 comm="Binder_7" path="/data/data/com.android.providers.telephony/app_parts/PART_1394594346187_image.jpg" dev="mmcblk0p28" ino=287522 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
      
      This does not allow write denials such as:
       avc:  denied  { write } for  pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file
      
      Need to understand whether write access is in fact required.
      
      Change-Id: I7693d16cb4f9855909d790d3f16f8bf281764468
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  7. 26 Mar, 2014 3 commits
  8. 25 Mar, 2014 1 commit
  9. 24 Mar, 2014 2 commits
  10. 21 Mar, 2014 3 commits
      Allow inputflinger to call system_server. · e06e5363
      Stephen Smalley authored
      
      Resolves denials such as:
      avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
      avc:  denied  { open } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
      avc:  denied  { search } for  pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
      avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
      avc:  denied  { call } for  pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder
      
      Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Allow surfaceflinger to read /proc/pid/cmdline of dumpstate. · 57955712
      Stephen Smalley authored
      
      Resolves denials such as:
      avc:  denied  { open } for  pid=3772 comm="Binder_4" name="cmdline" dev="proc" ino=26103 scontext=u:r:surfaceflinger:s0 tcontext=u:r:dumpstate:s0 tclass=file
      
      This seems harmless, although I am unclear as to why/where it occurs.
      Likely just for logging/debugging.
      
      Change-Id: I7be38deabb117668b069ebdf086a9ace88dd8dd1
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Allow binder services to use pipes passed over binder. · 644279ba
      Stephen Smalley authored
      
      Resolves denials such as:
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:surfaceflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      avc:  denied  { use } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:keystore:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
      avc:  denied  { use } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:healthd:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:drmserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      avc:  denied  { use } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      
      Change-Id: I289dcf4b2c5897b7a10e41e5dd8d56ef4b9a4a08
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  11. 20 Mar, 2014 1 commit
      Allow vold to call to healthd · 01ba6834
      Paul Lawrence authored
      vold needs to be able to check remaining battery to safely abort
      certain operations
      
      Bug: 11985952
      Change-Id: I7dfe83f7d1029593882e0e5ad33f90fb29e5532b
  12. 19 Mar, 2014 2 commits
  13. 18 Mar, 2014 7 commits
  14. 17 Mar, 2014 3 commits
      shell: access to clear logs · ad5315d4
      Mark Salyzyn authored
      Bug: 13464830
      
      Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
      Fix broken halt while in healthd charger mode · 9ada894a
      Nick Kralevich authored
      Reboots/halts aren't working in healthd charger mode. This is
      causing high power draw in an unplugged, powered off state.
      
      Steps to reproduce (on Nexus 5):
        Unplug device from USB charger/computer
        Turn device off
        Wait for device to turn off
        Plug in USB cable/charger
        Wait for charge animation (wait for animation, not just lightning bolt, may have to press power button briefly to get animation going)
        Wait for panel to turn off
        Unplug USB cable/charger
        Press power button again, notice screen turns on at some frame in the animation.
        (not important) Each press of the power button advances the animation
        Power on.
        Examine denials from /proc/last_kmsg
      
      Addresses the following denials:
      
      [   24.934809] type=1400 audit(12534308.640:8): avc:  denied  { write } for  pid=130 comm="healthd" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:healthd:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file
      [   24.935395] type=1400 audit(12534308.640:9): avc:  denied  { sys_boot } for  pid=130 comm="healthd" capability=22  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
      
      Bug: 13229119
      Change-Id: If14a9c373bbf156380a34fbd9aca6201997d5553
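The commits above (the radio_data_file one and the healthd charger-mode one) each start from a batch of raw AVC denial lines and turn them into a minimal policy change while deliberately holding back permissions, such as write on radio_data_file, that still need justification. As an added illustration, not code from the sepolicy project, the following Python triage script does that bookkeeping: it parses both bare `avc:` lines and dmesg-prefixed `audit(...)` lines, collapses them into candidate allow rules keyed by (source type, target type, class), and separates any rule that would grant write-class permissions for manual review. The sample input is the denial lines quoted in the commit messages plus one constructed non-AVC line; the review permission list is an assumption, not an Android convention.

```python
import re
from collections import defaultdict

# Matches the AVC body; tolerant of a leading "[ 24.93] type=1400 audit(...):" prefix.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: denial lines quoted in the commit messages on this page, plus one
# constructed, unrelated kernel line to show that non-AVC lines are skipped.
SAMPLE = [
    'avc:  denied  { read } for  pid=5114 comm="le.android.talk" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file',
    'avc:  denied  { getattr } for  pid=29199 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394223232515_recording88476874.amr" dev="mmcblk0p23" ino=64522 scontext=u:r:mediaserver:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file',
    'avc:  denied  { getattr } for  pid=9338 comm="MediaLoader" path="/data/data/com.android.providers.telephony/app_parts/PART_1394848620510_image.jpg" dev="mmcblk0p28" ino=287374 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file',
    'avc:  denied  { write } for  pid=1728 comm="Binder_4" path="/data/data/com.android.providers.telephony/app_parts/PART_1394818738798_image.jpg" dev="mmcblk0p28" ino=82279 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=file',
    '[   24.935395] type=1400 audit(12534308.640:9): avc:  denied  { sys_boot } for  pid=130 comm="healthd" capability=22  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability',
    '[   24.940000] init: starting service "vold"...',
]

def parse_denial(line):
    """Return the denial's fields (perms as a list) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    fields['perms'] = m.group('perms').split()
    return fields

def type_of(ctx):
    """u:r:mediaserver:s0 -> mediaserver; u:object_r:radio_data_file:s0 -> radio_data_file."""
    return ctx.split(':')[2]

def collapse(lines):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            groups[(type_of(d['scontext']), type_of(d['tcontext']), d['tclass'])].update(d['perms'])
    return {k: sorted(v) for k, v in groups.items()}

def candidate_rules(groups, review_perms=('write', 'append', 'create', 'unlink', 'setattr')):
    """Render allow rules; any rule that would grant a review_perms permission is held back."""
    ok, review = [], []
    for (src, tgt, cls), perms in sorted(groups.items()):
        rule = f"allow {src} {'self' if src == tgt else tgt}:{cls} {{ {' '.join(perms)} }};"
        (review if set(perms) & set(review_perms) else ok).append(rule)
    return ok, review
```

Running `candidate_rules(collapse(SAMPLE))` yields the read/getattr rule for mediaserver and the `sys_boot` capability rule for healthd as ready to apply, and holds back the untrusted_app rule because it would include write, matching the split the author made.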
  15. 15 Mar, 2014 4 commits
  16. 14 Mar, 2014 2 commits