GitLab

Bug: 10498304
Change-Id: Ic0e30bdf6cc35f9d9e2752f36940e75e7ae37d83

This fixes another bug encountered while taking bugreports.

Bug: 10498304
Change-Id: Ie33e869ccd28c5461f4f3736c078b2a865aa7cdd

Bug: 10455872
Change-Id: I98885e8cd1e4f9ab0d3e2af6d79b078a000db539

Bug: 10290009
Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b
(cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)

Bug: 10290009
Change-Id: Ic794299261672b36a2b630893b65ab176c3eee6b
(cherry picked from commit eaa4e844e4c8549c9b4808a1272876a6995ca5a7)

Bug: 10175701
Change-Id: I185df22bdbaafd56725760ec6c71340b67455046

Change-Id: Ided2cf793e94bb58529789c3075f8480c0d0cf4e

OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c

OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c

Bug: 9872463
Change-Id: I47eabeace3387afd24c0fd4bee70e77c0a3586d5

Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b

This is needed to support "Verify App" functionality.
During side loading, the Verify App functionality reads the APK
to determine if it's safe to install.

Bug: 9863154
Change-Id: I33f6b0fd012f6cb194e253d5d92cf6189d6aa222

/sys was getting labeled as a rootfs file, but according to
genfs_contexts, it's really a sysfs file. This conflict is causing
problems when patch f29c533c49ab1c90eae612b1c454f2c6879a6658 from
system/core is applied.

Change-Id: I3f34c9ee68bedb171ebebfcd356e924c987b58ff

For some reason, the debuggerd socket isn't getting properly
labeled. Work around this bug for now by allowing all domains
to connect to all unix stream sockets.

Bug: 9858255
Change-Id: If994e51b0201ea8cae46341efc76dc71a4e577c8

This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Much of these rules are based on the
contents of app.te as of commit 11153ef3
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
  dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
  the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35

Remove "self:process ptrace" from all SELinux enforced domains.
In general, a process should never need to ptrace itself.
We can add this back to more narrowly scoped domains as needed.

Add a bunch of neverallow assertions to netd.te, to verify that netd
never gets unexpected capabilities.

Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e

app.te covers a lot of different apps types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.

Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f

In 0c9708b2, we removed relabelto
from unconfined.te.  This broke debuggerd.  Fixed.

type=1400 audit(1373668537.550:5): avc:  denied  { relabelto } for  pid=44 comm="debuggerd" name="tombstones" dev="mtdblock1" ino=71 scontext=u:r:debuggerd:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir

Change-Id: Ic025cbc030d6e776d9d87b1df3240fdc5f0b53d5

The emulator has been upgraded to ext4, which was the root cause
of bug 9685803. See https://code.google.com/p/android/issues/detail?id=38561 .
As a result, we can reenable installd protections.

This reverts commit 201cfae4.

Bug: 9685803
Change-Id: I4ed47f7aeaef4aac504e13c2ae23fb416e4e6e49

Bug: 9781325
Change-Id: Ib6f6875f690420b59fceb0a32590a2b9ed8dda95

For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88

Allow netd to set ctl.* properties. Currently, mdnsd is broken because
it can't set this property.

Bug: 9777774
Change-Id: I2f32504d77b651e66e0a0067e65a5ed44b427f5a

Change-Id: I129536c3d9f6359228165d8a5ec373780b312c86

This fixes the issue where paid apps failed to install via Google
Play with "Package file has a bad manifest" error. The issue appears
to be caused by vold being prevented by SELinux policy from setting
the setgid bit on the ASEC container directory into which the APK is
decrypted. As a result, the APK is not readable to PackageParser.

Bug: 9736808
Change-Id: I07546a9f9caac3de8b720499bd1bf1604edea0fe

This fixes the issue where paid apps failed to install via Google
Play with "Package file has a bad manifest" error. The issue appears
to be caused by vold being prevented by SELinux policy from setting
the setgid bit on the ASEC container directory into which the APK is
decrypted. As a result, the APK is not readable to PackageParser.

Bug: 9736808
Change-Id: I07546a9f9caac3de8b720499bd1bf1604edea0fe

This is breaking the emulator.

Bug: 9685803
Change-Id: Ibd5b312b97d52fdac9289e44a40e9bba07be1c7f

This change enables SELinux security enforcement on the installd
process.

For the installd.te file only, this change is equivalent to reverting
the following commits:

    * 50e37b93
    * 77d4731e

No other changes were required.

Testing: As much as possible, I've tested that package installation
works, from both adb and via Android market. There were no denials
in the kernel dmesg log, and everything appears to be working correctly.

It's quite possible I've missed something. If we experience problems,
I'm happy to roll back this change.

Bug: 9662644
Change-Id: Id93d4ee7b517dfa28c9a0b1d45d936b56892ac0a

This change enables SELinux security enforcement on zygote
(but not zygote spawned apps).

For the zygote.te file only, this change is equivalent to reverting
the following commits:

* 50e37b93
* 77d4731e

No other changes were required.

Testing: As much as possible, I've tested that zygote properly
starts up, and that there's no problem spawning zygote or zygote
apps. There were no denials in the kernel dmesg log, and
everything appears to work correctly. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.

Bug: 9657732
Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558