1. 26 May, 2016 1 commit
      Remove generic socket access from untrusted processes · f517a9bd
      Nick Kralevich authored
      SELinux defines various classes for various socket types, including
      tcp_socket, udp_socket, rawip_socket, netlink_socket, etc. Socket
      classes not known to the SELinux kernel code get lumped into the generic
      "socket" class. In particular, this includes the AF_MSM_IPC socket
      class.
      
      Bluetooth using apps were granted access to this generic socket class at
      one point in 2012. In 16011320,
      a TODO was added indicating that this access was likely unnecessary. In
      cb835a28, an auditallow was added to
      test to see if this rule was actually used, and in master branch
      d0113ae0, this rule was completely
      deleted.
      
      Revoke access to the generic socket class for isolated_app,
      untrusted_app, and shell for older Android releases. This is
      conceptually a backport of d0113ae0, but
      affecting fewer domains to avoid potential breakage.
      
      Add a neverallow rule asserting that this rule isn't present for the
      untrusted domains. Contrary to our usual conventions, the neverallow
      rule is placed in bluetooth.te, to avoid merge conflicts and simplify
      patching.
      
      Bug: 28612709
      Bug: 25768265
      Change-Id: Ibfbb67777e448784bb334163038436f3c4dc1b51
  2. 09 Feb, 2015 1 commit
  3. 06 Feb, 2015 4 commits
  4. 05 Feb, 2015 2 commits
      appdomain: relax netlink_socket neverallow rule · 87f3802a
      Nick Kralevich authored
      Relax the neverallow netlink restrictions for app domains.
      In particular, some non-AOSP app domains may use netlink sockets
      to communicate with a kernel driver.
      
      Continue to neverallow generic netlink sockets for untrusted_app.
      The intention here is that only app domains which explicitly need
      this functionality should be able to request it.
      
      This change does not add or remove any SELinux rules. Rather, it
      just changes SELinux compile time assertions, as well as allowing
      this behavior in CTS.
      
      Modify other neverallow rules to use "domain" instead of "self".
      Apps shouldn't be able to handle netlink sockets, even those
      created in other SELinux domains.
      
      (cherry picked from commit d31936f8)
      
      Change-Id: I4763cb0c9510220693c506636dbb7584712b67e2
      Add neverallow checking to sepolicy-analyze. · c423b1aa
      Stephen Smalley authored
      See NEVERALLOW CHECKING in tools/README for documentation.
      
      Depends on change I45b3502ff96b1d093574e1fecff93a582f8d00bd
      for libsepol to support reporting all neverallow failures.
      
      Cherry-pick of commit: 59906bf8
      with build-fix from commit: 74bbf703
      
      
      added manually.
      
      Bug: 19191637
      
      Change-Id: I1c18fa854b3c5f5e05d5dc42d9006c5fdacebdc3
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  5. 02 Feb, 2015 1 commit
  6. 29 Jan, 2015 1 commit
      appdomain: relax netlink_socket neverallow rule · bf626ce9
      Nick Kralevich authored
      Relax the neverallow netlink restrictions for app domains.
      In particular, some non-AOSP app domains may use netlink sockets
      to communicate with a kernel driver.
      
      Continue to neverallow generic netlink sockets for untrusted_app.
      The intention here is that only app domains which explicitly need
      this functionality should be able to request it.
      
      This change does not add or remove any SELinux rules. Rather, it
      just changes SELinux compile time assertions, as well as allowing
      this behavior in CTS.
      
      Modify other neverallow rules to use "domain" instead of "self".
      Apps shouldn't be able to handle netlink sockets, even those
      created in other SELinux domains.
      
      (cherry picked from commit d31936f8)
      
      Bug: 19198997
      Change-Id: Icfed1ee66f082df1117b090341f62981f01bc849
  7. 21 Jan, 2015 1 commit
  8. 16 Jan, 2015 1 commit
  9. 22 Dec, 2014 1 commit
  10. 12 Dec, 2014 3 commits
  11. 11 Dec, 2014 2 commits
  12. 10 Dec, 2014 1 commit
  13. 09 Dec, 2014 2 commits
  14. 08 Dec, 2014 1 commit
  15. 04 Dec, 2014 2 commits
      allow untrusted_app read /data/anr/traces.txt · e2547c3b
      Nick Kralevich authored
      The GMS core feedback agent runs as untrusted_app, and needs
      the ability to read /data/anr/traces.txt to report ANR information.
      
      Allow all untrusted_apps to read /data/anr/traces.txt so that GMS core
      can access it.
      
      Longer term, we need to move GMS core into its own domain, but that's
      a longer term change.
      
      Addresses the following denial:
      
      W/ndroid.feedback(17825): type=1400 audit(0.0:68004): avc: denied { read } for name="traces.txt" dev="mmcblk0p28" ino=325762 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
      
      Bug: 18504118
      Bug: 18340553
      Change-Id: Ia9fac599befc3a3b6e5282be15ec8fd04bb23385
  16. 27 Nov, 2014 1 commit
  17. 26 Nov, 2014 1 commit
      Allow dex2oat to work on /oem APKs · adbabeeb
      Nick Kralevich authored
      Dex2oat needs the ability to read from already open file descriptors
      in /oem so that apps from that location can be installed. Allow it.
      
      Addresses the following denials:
      
        avc: denied { read } for comm="dex2oat" path="/oem/app/TabletInfo.apk" dev="mmcblk0p12" ino=20 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/AskMe_android_one.apk" dev="mmcblk0p12" ino=14 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerRegulatoryInfo.apk" dev="mmcblk0p12" ino=19 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerLauncherProvider.apk" dev="mmcblk0p12" ino=18 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/Amazon_Mobile_com.apk" dev="mmcblk0p12" ino=13 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/PartnerBookmarksProvider.apk" dev="mmcblk0p12" ino=17 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/Hike.apk" dev="mmcblk0p12" ino=15 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
        avc: denied { read } for comm="dex2oat" path="/oem/app/MiLive_embedded_IndiaGames_version4.0_android1.apk" dev="mmcblk0p12" ino=16 scontext=u:r:dex2oat:s0 tcontext=u:object_r:oemfs:s0 tclass=file permissive=0
      
      Bug: 18539205
      Change-Id: I92bd91c66befc5a1060dd189324b2c046bba0258
  18. 24 Nov, 2014 1 commit
  19. 20 Nov, 2014 1 commit
  20. 19 Nov, 2014 3 commits
  21. 13 Nov, 2014 2 commits
  22. 12 Nov, 2014 2 commits
  23. 11 Nov, 2014 2 commits
  24. 10 Nov, 2014 3 commits