Skip to content

GitLab

Switch branch/tag
  1. 17 Mar, 2014 3 commits
    • Nick Kralevich's avatar
      Merge "Fix broken halt while in healthd charger mode" · b97ed1ad
      Nick Kralevich authored
      b97ed1ad
    • Mark Salyzyn's avatar
      shell: access to clear logs · ad5315d4
      Mark Salyzyn authored 
      Bug: 13464830

Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
      ad5315d4
    • Nick Kralevich's avatar
      Fix broken halt while in healthd charger mode · 9ada894a
      Nick Kralevich authored 
      Reboots/halts aren't working in healthd charger mode. This is
causing high power draw in an unplugged, powered off state.

Steps to reproduce (on Nexus 5):
  Unplug device from USB charger/computer
  Turn device off
  Wait for device to turn off
  Plug in USB cable/charger
  Wait for charge animation (wait for animation, not just lightning bolt, may have to press power button briefly to get animation going)
  Wait for panel to turn off
  Unplug USB cable/charger
  Press power button again, notice screen turns on at some frame in the animation.
  (not important) Each press of the power button advances the animation
  Power on.
  Examine denials from /proc/last_kmsg

Addresses the following denials:

[   24.934809] type=1400 audit(12534308.640:8): avc:  denied  { write } for  pid=130 comm="healthd" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:healthd:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file
[   24.935395] type=1400 audit(12534308.640:9): avc:  denied  { sys_boot } for  pid=130 comm="healthd" capability=22  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability

Bug: 13229119
Change-Id: If14a9c373bbf156380a34fbd9aca6201997d5553
      9ada894a
  3. 15 Mar, 2014 3 commits
  5. 14 Mar, 2014 13 commits
  7. 13 Mar, 2014 4 commits
    • Stephen Smalley's avatar
      Silence /proc/pid denials. · 6fe899a0
      Stephen Smalley authored 
      
system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      6fe899a0
    • Stephen Smalley's avatar
      Audit attempts by rild to create/write to system_data_file. · 64c0ff00
      Stephen Smalley authored 
      
Audit attempts by rild to create/write to system_data_file
with avc:  granted messages so that we can identify any such
instances and put such directories/files into radio_data_file or
some other type and then remove these rules.

Change-Id: Ice20fed1733a3f4208d541a4baaa8b6c6f44fbb0
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      64c0ff00
    • Stephen Smalley's avatar
      Get rid of separate platform_app_data_file type. · dc88dca1
      Stephen Smalley authored 
      
The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      dc88dca1
    • Nick Kralevich's avatar
      rild: move to enforcing · 599e71a9
      Nick Kralevich authored 
      Move the rild domain into SELinux enforcing mode. This will
start enforcing SELinux rules; security policy violations will
return EPERM.

Change-Id: Iadb51616ecf6f56148ce076d47f04511810de94c
      599e71a9
  9. 12 Mar, 2014 10 commits
    • Nick Kralevich's avatar
      Merge "Label /data/misc/wifi/hostapd with wpa_socket type." · 8b1e8986
      Nick Kralevich authored
      8b1e8986
    • Stephen Smalley's avatar
      Allow wpa to perform binder IPC to keystore. · 867e398d
      Stephen Smalley authored 
      
Addresses denials such as:
 avc:  denied  { call } for  pid=2275 comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder

Change-Id: I8ab148046dd06f56630a2876db787b293e14c0ae
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      867e398d
    • Stephen Smalley's avatar
      Allow dnsmasq dac_override capability. · 45815c3e
      Stephen Smalley authored 
      
dnsmasq presently requires dac_override to create files under
/data/misc/dhcp.  Until it can be changed to run with group dhcp,
allow dac_override.

Addresses denials such as:
avc:  denied  { dac_override } for  pid=21166 comm="dnsmasq" capability=1  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability

Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      45815c3e
    • Stephen Smalley's avatar
      Label /data/misc/wifi/hostapd with wpa_socket type. · 5f8d9f85
      Stephen Smalley authored 
      
hostapd creates sockets under /data/misc/wifi/hostapd.
Ensure that they are labeled correctly both at runtime
(type_transition) and during the init.rc restorecon_recursive /data
(file_contexts).

Addresses denials such as:
 avc:  denied  { create } for  pid=20476 comm="hostapd" name="wlan0" scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { setattr } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { unlink } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

Change-Id: I80a443faeb6017a9d6cbdb8da9d7416f29a7b85f
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      5f8d9f85
    • dcashman's avatar
      Merge "Allow adbd access to gpu_device." · cb8c5262
      dcashman authored
      cb8c5262
    • dcashman's avatar
      Allow adbd access to gpu_device. · ddde8c29
      dcashman authored 
      Addresses denials seen when attempting to take a screencaputre from ddms:
<5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Bug: 13188914
Change-Id: I758e4f87ab024035604d47eebae7f89f21ea1e3e
      ddde8c29
    • Nick Kralevich's avatar
      Merge "Add inline documentation for mac_permissions.xml." · 530d0f6a
      Nick Kralevich authored
      530d0f6a
    • Stephen Smalley's avatar
      Add inline documentation for mac_permissions.xml. · cc7b72e9
      Stephen Smalley authored 
      
Copied from our tree, adjusted to note relationship to keys.conf
and to be consistent with the AOSP implementation.

Change-Id: I09ba86d4c9a1b11a8865890e11283456ea2ffbcf
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      cc7b72e9
    • Robert Craig's avatar
      Introduce post_process_mac_perms script. · 3e70d479
      Robert Craig authored 
      
usage: post_process_mac_perms [-h] -s SEINFO -d DIR -f POLICY

Tool to help modify an existing mac_permissions.xml with additional app certs
not already found in that policy. This becomes useful when a directory
containing apps is searched and the certs from those apps are added to the
policy not already explicitly listed.

optional arguments:
  -h, --help            show this help message and exit
  -s SEINFO, --seinfo SEINFO
                        seinfo tag for each generated stanza
  -d DIR, --dir DIR     Directory to search for apks
  -f POLICY, --file POLICY
                        mac_permissions.xml policy file

Change-Id: Ifbaca3b3120874a567d3f22eb487de1aa8bda796
Signed-off-by: default avatarrpcraig <rpcraig@tycho.ncsc.mil>
      3e70d479
    • Stephen Smalley's avatar
      Drop special handling of app_data_file in mls constraints. · 27042f6d
      Stephen Smalley authored 
      
This was a legacy of trying to support per-app level isolation
in a compatible manner by blocking direct open but permitting
read/write via passing of open files over Binder or local sockets.
It is no longer relevant and just confusing to anyone trying to use
the mls support for anything else.

Change-Id: I6d92a7cc20bd7d2fecd2c9357e470a30f10967a3
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      27042f6d
  11. 11 Mar, 2014 7 commits