1. 23 Jun, 2016 1 commit
    • expose control over unpriv perf access to shell · 5fff25ec
      Daniel Micay authored
      This allows the shell user to control whether unprivileged access to
      perf events is allowed.
      
      To enable unprivileged access to perf:
      
          adb shell setprop security.perf_harden 0
      
      To disable it again:
      
          adb shell setprop security.perf_harden 1
      
      This allows Android to disable this kernel attack surface by default,
      while still allowing profiling tools to work automatically. It can also
      be manually toggled, but most developers won't ever need to do that if
      tools end up incorporating this.
      
      (Cherry picked from commit 38ac77e4c2b3c3212446de2f5ccc42a4311e65fc)
      
      Bug: 29054680
      
      Change-Id: Idcf6a2f6cbb35b405587deced7da1f6749b16a5f
  2. 27 May, 2016 2 commits
    • Remove generic socket access from untrusted processes · c2d06123
      Nick Kralevich authored
      SELinux defines various classes for various socket types, including
      tcp_socket, udp_socket, rawip_socket, netlink_socket, etc. Socket
      classes not known to the SELinux kernel code get lumped into the generic
      "socket" class. In particular, this includes the AF_MSM_IPC socket
      class.
      
      Bluetooth-using apps were granted access to this generic socket class at
      one point in 2012. In 16011320,
      a TODO was added indicating that this access was likely unnecessary. In
      cb835a28, an auditallow was added to
      test to see if this rule was actually used, and in master branch
      d0113ae0, this rule was completely
      deleted.
      
      Revoke access to the generic socket class for isolated_app,
      untrusted_app, and shell for older Android releases. This is
      conceptually a backport of d0113ae0, but
      affecting fewer domains to avoid potential breakage.
      
      Add a neverallow rule asserting that this rule isn't present for the
      untrusted domains. Contrary to our usual conventions, the neverallow
      rule is placed in bluetooth.te, to avoid merge conflicts and simplify
      patching.
      
      Bug: 28612709
      Bug: 25768265
      Change-Id: Ibfbb67777e448784bb334163038436f3c4dc1b51
    • Further restrict socket ioctls available to apps · daa2c25b
      Jeff Vander Stoep authored
      Restrict unix_dgram_socket and unix_stream_socket to a whitelist
      for all domains. Remove ioctl permission for netlink_selinux_socket and
      netlink_route_socket for netdomain.
      
      Bug: 28171804
      Bug: 27424603
      Change-Id: I650639115b8179964ae690a39e4766ead0032d2e
  3. 12 Jan, 2016 3 commits
  4. 05 Jan, 2016 1 commit
  5. 18 Dec, 2015 1 commit
  6. 29 Oct, 2015 2 commits
  7. 22 Oct, 2015 2 commits
  8. 21 Oct, 2015 4 commits
  9. 19 Oct, 2015 3 commits
  10. 14 Oct, 2015 4 commits
  11. 25 Sep, 2015 1 commit
  12. 15 Sep, 2015 2 commits
  13. 14 Sep, 2015 1 commit
    • Allow system_server to bind ping sockets. · 16c36f68
      Lorenzo Colitti authored
      This allows NetworkDiagnostics to send ping packets from specific
      source addresses in order to detect reachability problems on the
      reverse path.
      
      This addresses the following denial:
      
      [  209.744636] type=1400 audit(1441805730.510:14): avc: denied { node_bind } for pid=8347 comm="Thread-202" saddr=2400:xxxx:xxxx:xxxx:40b1:7e:a1d7:b3ae scontext=u:r:system_server:s0 tcontext=u:object_r:node:s0 tclass=rawip_socket permissive=0
      
      Bug: 23661687
      
      (cherry picked from commit c3712143)
      
      Change-Id: Ia93c14bc7fec17e2622e1b48bfbf591029d84be2
  14. 11 Sep, 2015 1 commit
  15. 10 Sep, 2015 1 commit
    • Allow untrusted_app to list services. · 0b764ae9
      dcashman authored
      CTS relies on the ability to see all services on the system to make sure
      the dump permission is properly enforced on all services.  Allow this.
      
      Bug: 23476772
      Change-Id: I144b825c3a637962aaca59565c9f567953a866e8
  16. 01 Sep, 2015 1 commit
  17. 28 Aug, 2015 10 commits