GitLab

Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove sys_nice capability from domains; this does not appear to be necessary
and should not be possible in particular for app domains.  If we encounter
specific instances where it should be granted, we can add it back on a
per-domain basis.  Allow it explicitly for the system_server.  Unconfined
domains get it via unconfined_domain() and the rules in unconfined.te.

Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* changes:
  Do not permit appdomain to create/write to download_file.
  Remove duplicated rules between appdomain and isolated_app.

3.4 goldfish kernel supports sysfs labeling so we no longer need this.

Change-Id: I77514a8f3102ac8be957c57d95e7de7d5901f69d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Otherwise we have different security contexts but the same DAC
permissions:
-rw-rw-rw- root     root              u:object_r:sysfs_writable:s0 process_name
-rw-rw-rw- root     root              u:object_r:sysfs:s0 state
-rw-rw-rw- root     root              u:object_r:sysfs:s0 symbol

This change fixes denials such as:
type=1400 msg=audit(1379096020.770:144): avc:  denied  { write } for  pid=85 comm="SurfaceFlinger" name="symbol" dev="sysfs" ino=47 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file

Change-Id: I261c7751da3778ee9241ec6b5476e8d9f96ba5ed
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The comment says that apps can read downloaded files, but the
file_type_auto_trans() macro expands to permit create/write access.
Also we don't need a type transition when staying in the same type
as the parent directory so we only truly need allow rules here.
Hence, we remove file_type_auto_trans() altogether, and add an allow
rule for search access to the directory.  If create/write access is
truly required, then we can just change the allow rules to use
rw_dir_perms and create_file_perms.

Change-Id: Icd71c9678419442cfd8088317317efd4332f9b4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.

Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Fixes the following denial:

<5>[28362.335293] type=1400 audit(1378991198.292:24): avc:  denied  { execute } for  pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12

Apps attempting to write to /dev/random or /dev/urandom currently
succeed, but a policy violation is logged. These two Linux RNG
devices are meant to be written to by arbitrary apps. Thus, there's
no reason to deny this capability.

Bug: 10679705

Change-Id: Ife401f1dd2182889471eef7e90fcc92e96f9c4d6

This enables installd to uninstall or clear data of installed apps
whose data directory contains unusual file types, such as FIFO.

Bug: 10680357

(cherry picked from commit 839af9ed)

Change-Id: I5715f7d6d3214896ad0456d614b052cf5fb79eef

This breaks the ability for users to have certs in many
directories. Currently the design is to allow keys.conf
to specify arbitrary locations for pem files, relative to
the root of the Android tree. If users want to have a
common prefix on all the keys, then they can export
DEFAULT_SYSTEM_DEV_CERTIFICATE, and make that an environment
variable in their keys.conf file.
Signed-off-by: William Roberts <wroberts@tresys.com>

Change-Id: I23455b891206cab6eca7db08ff3c28283f87c640
Signed-off-by: William Roberts <wroberts@tresys.com>

For additional context-

The denials related to init_tmpfs are of the form:

denied  { read } for  pid=12315 comm=""dboxed_process0"" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=""tmpfs"" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

(the path above is "/dev/ashmem/dalvik-heap (deleted)")

The denials related to executing things from the dalvik cache are of the form:

enied  { execute } for  pid=3565 comm=""dboxed_process0"" path=""/data/dalvik-cache/system@app@Chrome.apk@classes.dex"" dev=""mmcblk0p28"" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

The denials related to isolated_app and the init socket are:

denied  { getattr } for  pid=3824 comm=""Binder_2"" path=""socket:[14059]"" dev=""sockfs"" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

The getopt denials for the aforementioned socket are:

denied  { getopt } for  pid=3824 comm=""Binder_2"" path=""/dev/socket/dumpstate"" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49

At this point, we still don't understand the root cause of
bug 10290009, or if it's even a real bug.  Rollback
29d0d406 so we an get a device
in this state and figure out the root cause of this problem.

This reverts commit 29d0d406.

Bug: 10290009

Change-Id: Ie0947f79c63f962220d3c9316c5d5d82f677821f

This fixes another bug encountered while taking bugreports.

Bug: 10498304
Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd

Bug: 10498304
Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74

* commit 'cec3c1e4':
  Add capabilities to Zygote to fix valgrind.

* commit 'e0362602':
  Add capabilities to Zygote to fix valgrind.

Change-Id: I898bb4ee8fdb95b48e58c98bffdb381b03c719bb

Bug: 10455872
Change-Id: I98885e8cd1e4f9ab0d3e2af6d79b078a000db539

This is based on Joshua Brindle's sepolicy-inject.

Change-Id: Ie75bd56a2996481592dcfe7ad302b52f381d5b18

* commit '81cdd6c6':
  Fix insertkeys.py to resolve keys.conf path entries in a portable way

* commit '1b46b2fe':
  Fix insertkeys.py to resolve keys.conf path entries in a portable way

* commit '553bafef':
  Add the ability to write shell files to the untrusted_app domain.

* commit '29d0d406':
  Add the ability to write shell files to the untrusted_app domain.

Bug: 10290009
Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b
(cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)

* commit 'b74efd33':
  Move isolated_app.te / untrusted_app.te into permissive
  Grant fsetid Linux capability to vold.
  Add "shell" to seapp_contexts

Change-Id: If9a2d360a37a8641a70fb475c7f5422d0cf8b900

Currently a path to a key in keys.conf must be fully qualified or have
the -d option appended. This fix will allow paths to have environment
variables that will be expanded. This will give portability to the
entries. For example the following entry will now be resolved correctly:
[@NET_APPS]
ALL : $ANDROID_BUILD_TOP/device/demo_vendor/demo_dev/security/net_apps.x509.pem

Change-Id: If4f169d9ed4f37b6ebd062508de058f3baeafead
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Bug: 10175701
Change-Id: I185df22bdbaafd56725760ec6c71340b67455046

Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e

OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c