GitLab

Anything writable by rild should be in radio_data_file or efs_file.
System data should be read-only.

Change-Id: I442a253c22f567a147d0591d623e97a6ee8b76e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This change helps with the following denials.
  avc:  denied  { write } for  pid=14157 comm="Thread-88" name="premium_sms_policy.xml" dev="mmcblk0p28" ino=618998 scontext=u:r:radio:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
  avc:  denied  { write } for  pid=14293 comm="Thread-89" name="sms" dev="mmcblk0p28" ino=618952 scontext=u:r:radio:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir

Prior to this patch the directory was labeled as
system_data_file which is a bit too generic. This
directory contains xml files with regexs which
represent premium numbers that are used to warn
the user before sending.

Change-Id: I98288b25aa1546477e05eee9f7622324b013e695
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Resolves denials such as:
avc:  denied  { set } for property=ctl.bugreport scontext=u:r:system_server:s0 tcontext=u:object_r:ctl_bugreport_prop:s0 tclass=property_service

Change-Id: I6c3085065157f418fc0cd4d01fa178eecfe334ad
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Resolves denials such as:
 avc:  denied  { read write } for  pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
 avc:  denied  { read write } for  pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket

Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Bug: 13464830

Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d

Reboots/halts aren't working in healthd charger mode. This is
causing high power draw in an unplugged, powered off state.

Steps to reproduce (on Nexus 5):
  Unplug device from USB charger/computer
  Turn device off
  Wait for device to turn off
  Plug in USB cable/charger
  Wait for charge animation (wait for animation, not just lightning bolt, may have to press power button briefly to get animation going)
  Wait for panel to turn off
  Unplug USB cable/charger
  Press power button again, notice screen turns on at some frame in the animation.
  (not important) Each press of the power button advances the animation
  Power on.
  Examine denials from /proc/last_kmsg

Addresses the following denials:

[   24.934809] type=1400 audit(12534308.640:8): avc:  denied  { write } for  pid=130 comm="healthd" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:healthd:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file
[   24.935395] type=1400 audit(12534308.640:9): avc:  denied  { sys_boot } for  pid=130 comm="healthd" capability=22  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability

Bug: 13229119
Change-Id: If14a9c373bbf156380a34fbd9aca6201997d5553

Required to support passing resources via open apk files over Binder.
Resolves denials such as:
 avc:  denied  { read } for  pid=31457 comm="SoundPoolThread" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:mediaserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
 avc:  denied  { read } for  pid=31439 comm="Binder_2" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:drmserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file

We do not allow open as it is not required (i.e. the files
are passed as open files over Binder or local socket and opened by the
client).

Change-Id: Ib0941df1e9aac8d20621a356d2d212b98471abbc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

healthd performs privileged ioctls on the tty device
when in charger mode. Allow it.

This fixes a bug where off charging mode is forcing the device
to reboot into recovery.

Addresses the following denial:

type=1400 audit(15080631.900:4): avc:  denied  { sys_tty_config } for  pid=130 comm="healthd" capability=26  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability

Bug: 13472365
Change-Id: I402987baf62ba0017e79e30e370850c32c286a6a

Change-Id: I68a8f37576d0d04d0f9df9ef8991407b6846ba15
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I610723eb9f2edcb4525b0e2d7e55616a1d93957d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ica367f34156a7a460e3663589a29743c4a9e955c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: I546c1bcf373f161b7bf5706053340c4f6482b8b9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses denials such as:
avc:  denied  { write } for  pid=1797 comm="logcat" name="logdr" dev="tmpfs" ino=7523 scontext=u:r:system_server:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file
avc:  denied  { connectto } for  pid=1797 comm="logcat" path="/dev/socket/logdr" scontext=u:r:system_server:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket

Change-Id: Idc4f48519ca3d81125102e8f15f68989500f5e9e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses denials such as:
avc:  denied  { read write } for  pid=3142 comm="clatd" path="socket:[12029]" dev="sockfs" ino=12029 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket

Change-Id: I5111410870c71bbfaf6b5310d8f5fd8f10db4f20
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

This appears to have been created to allow untrusted_app to
access DownloadProvider cache files without needing to allow
open access to platform_app_data_file.  Now that platform_app_data_file
is gone, there is no benefit to having this type.

Retain a typealias for download_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

This change depends on:
https://android-review.googlesource.com/#/c/87801/



Change-Id: Iab3c99d7d5448bdaa5c1e03a98fb6163804e1ec4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Audit attempts by rild to create/write to system_data_file
with avc:  granted messages so that we can identify any such
instances and put such directories/files into radio_data_file or
some other type and then remove these rules.

Change-Id: Ice20fed1733a3f4208d541a4baaa8b6c6f44fbb0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Move the rild domain into SELinux enforcing mode. This will
start enforcing SELinux rules; security policy violations will
return EPERM.

Change-Id: Iadb51616ecf6f56148ce076d47f04511810de94c

Addresses denials such as:
 avc:  denied  { call } for  pid=2275 comm="wpa_supplicant" scontext=u:r:wpa:s0 tcontext=u:r:servicemanager:s0 tclass=binder

Change-Id: I8ab148046dd06f56630a2876db787b293e14c0ae
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

dnsmasq presently requires dac_override to create files under
/data/misc/dhcp.  Until it can be changed to run with group dhcp,
allow dac_override.

Addresses denials such as:
avc:  denied  { dac_override } for  pid=21166 comm="dnsmasq" capability=1  scontext=u:r:dnsmasq:s0 tcontext=u:r:dnsmasq:s0 tclass=capability

Change-Id: Ic352dc7fc4ab44086c6b06cf727c48f29098f3a1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

hostapd creates sockets under /data/misc/wifi/hostapd.
Ensure that they are labeled correctly both at runtime
(type_transition) and during the init.rc restorecon_recursive /data
(file_contexts).

Addresses denials such as:
 avc:  denied  { create } for  pid=20476 comm="hostapd" name="wlan0" scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { setattr } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { unlink } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

Change-Id: I80a443faeb6017a9d6cbdb8da9d7416f29a7b85f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Addresses denials seen when attempting to take a screencaputre from ddms:
<5>[ 1232.327360] type=1400 audit(1393354131.695:41): avc:  denied  { read write } for  pid=18487 comm="screencap" name="nvhost-ctrl" dev="tmpfs" ino=4035 scontext=u:r:adbd:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Bug: 13188914
Change-Id: I758e4f87ab024035604d47eebae7f89f21ea1e3e

Copied from our tree, adjusted to note relationship to keys.conf
and to be consistent with the AOSP implementation.

Change-Id: I09ba86d4c9a1b11a8865890e11283456ea2ffbcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>