17 Oct, 2014 (2 commits)
Nick Kralevich authored
* commit '38936af0': Fix compile time / CTS gps_data_files neverallow assertion
Nick Kralevich authored
* commit '480374e4': Fix compile time / CTS gps_data_files neverallow assertion
16 Oct, 2014 (4 commits)
Nick Kralevich authored
Currently, zygote spawned apps are prohibited from modifying GPS data files. If someone tries to allow GPS access to any app domain, it generates a compile time / CTS exception.

Relax the rules slightly for system_app. These apps run with UID=system, and shouldn't be banned from handling gps data files.

This change doesn't add or remove any SELinux rules. Rather, it just relaxes a compile time assertion, allowing partners to create SELinux rules allowing the access if they desire.

(cherrypick from commit 480374e4)

Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
Nick Kralevich authored
Currently, zygote spawned apps are prohibited from modifying GPS data files. If someone tries to allow GPS access to any app domain, it generates a compile time / CTS exception.

Relax the rules slightly for system_app. These apps run with UID=system, and shouldn't be banned from handling gps data files.

This change doesn't add or remove any SELinux rules. Rather, it just relaxes a compile time assertion, allowing partners to create SELinux rules allowing the access if they desire.

Bug: 18021422
Change-Id: Iad0c6a3627efe129246e2c817f6f71d2735eba93
Mark Salyzyn authored
* commit '664ef57b': logd: Add klogd
Mark Salyzyn authored
Change-Id: Ib9bc89b05771a12c6bb9a25cf59ea51afd22ae15
15 Oct, 2014 (4 commits)
Robin Lee authored
Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
Robin Lee authored
Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
Nick Kralevich authored
* commit '74bbf703': maybe fix mac build.
Nick Kralevich authored
1 warning generated.
external/sepolicy/tools/sepolicy-analyze.c:446:27: error: implicit declaration of function 'isspace' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
while (p < end && isspace(*p))
^
1 error generated.
make: *** [out/host/darwin-x86/obj32/EXECUTABLES/sepolicy-analyze_intermediates/sepolicy-analyze.o] Error 1
make: *** Waiting for unfinished jobs....

Change-Id: I250dcef7c726d5b66835dc51c057e472b801aa2c
14 Oct, 2014 (5 commits)
Daniel Cashman authored
* commit 'ddd47b0b': Add neverallow checking to sepolicy-analyze.
Daniel Cashman authored
Nick Kralevich authored
* commit '8c6dba90': fix whitespace
Nick Kralevich authored
Change-Id: I2911d2b5d1931c6f6245cc54465458a8a3c2b2bb
Stephen Smalley authored
See NEVERALLOW CHECKING in tools/README for documentation.

Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd for libsepol to support reporting all neverallow failures.

Change-Id: I47c16ccb910ac730c092cb3ab977c59cb8197ce0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
12 Oct, 2014 (1 commit)
Stephen Smalley authored
* commit '669a9773': Do not allow isolated_app to directly open app data files.
10 Oct, 2014 (4 commits)
Nick Kralevich authored
* commit 'ebfd9f87': allow oemfs:dir search
Nick Kralevich authored
mediaserver and drmserver both have permission to read oemfs related files. However, there are no search permissions on the directory, so the files would be unreachable. Grant search permissions on the oemfs directory, so that the files within that directory can be read.

Bug: 17954291
Change-Id: I9e36dc7b940bd46774753c1fa07b0f47c36ff0db
Nick Kralevich authored
* commit '2380d05f': allow system_server oemfs read access
Nick Kralevich authored
Bug: 17954291
Change-Id: Ia904fff65df5142732928561d81ea0ece0c52a8d
06 Oct, 2014 (3 commits)
Stephen Smalley authored
* commit '59bc00ab': Remove net_domain() from isolated_app.
Stephen Smalley authored
Only allow it to read/write/stat already open app data files received via Binder or local socket IPC.

Change-Id: I3c096607a74fd0f360d41f3e6f06535ca00c58ec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Mike Lockwood authored
Change-Id: I3c6af086fc8ca3e9600c2267c439718c9a572dfb
03 Oct, 2014 (1 commit)
Stephen Smalley authored
isolated_app performs no direct network socket communication, so we can remove net_domain() from it.

Change-Id: I112aa4140fd577a5ea28f7a3d62567ebabcdb48d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
02 Oct, 2014 (5 commits)
Mike Lockwood authored
Bug: 17674304
Change-Id: Ide32833809bca8d3ed8ddc898748e25d7a692319
Nick Kralevich authored
* commit 'c6cb6ac4': isolated_app: remove app_data_file execute
Stephen Smalley authored
* commit '206b1a6c': Define specific block device types for system and recovery partitions.
Nick Kralevich authored
Stephen Smalley authored
Define a specific block device type for system so that we can prevent raw writes to the system partition by anything other than recovery.

Define a specific block device type for recovery so that we can prevent raw writes to the recovery partition by anything other than install_recovery or recovery.

These types must be assigned to specific block device nodes via device-specific policy. This change merely defines the types, adds allow rules so that nothing will break when the types are assigned, and adds neverallow rules to prevent adding further allow rules on these types. This change does not remove access to the generic block_device type from any domain so nothing should break even on devices without these type assignments.

Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
01 Oct, 2014 (1 commit)
Nick Kralevich authored
In commit ad891591, we allowed isolated processes to execute files from /data/data/APPNAME. I'm pretty sure all the necessary linker changes have been made so that this functionality isn't required anymore. Remove the allow rule.

This is essentially a revert of ad891591.

Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816
30 Sep, 2014 (7 commits)
Nick Kralevich authored
* commit 'eb5b76aa': Mark asec_apk_file as mlstrustedobject.
Stephen Smalley authored
* commit 'cedee697': Fix fsck-related denials with encrypted userdata.
Nick Kralevich authored
Stephen Smalley authored
Allow error reporting via the pty supplied by init.
Allow vold to invoke fsck for checking volumes.

Addresses denials such as:
avc: denied { ioctl } for pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file

These denials show up if you have encrypted userdata.

Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley authored
Resolves denials such as:
avc: denied { write } for pid=1546 comm="Binder_1" name="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:asec_apk_file:s0 tclass=dir

This is required to install a forward-locked app.

Change-Id: I2b37a56d087bff7baf82c738896d9563f0ab4fc4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
William Roberts authored
* commit '92dfa31f': seinfo for platform based domains should be stated explicitly.
Stephen Smalley authored
* commit '8a0c25ef': Do not allow init to execute anything without changing domains.
29 Sep, 2014 (1 commit)
William Roberts authored
The current policy would allow any application that were to "magically" get a sensitive UID into the corresponding sensitive domain. Rather than only using UID as an input selector, require seinfo=platform.

Change-Id: I8a7490ed55bdcd3e4a116aece2c3522b384024ec
28 Sep, 2014 (2 commits)
Stephen Smalley authored
Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley authored
* commit '54e9bc45': Dependencies for new goldfish service domains.