Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Search by author
  • Any Author
  • Admin, Lime Admin, Lime lime_admin
  • CodeLinaro CodeLinaro codelinaro
  • CodeLinaro Hoperun CodeLinaro Hoperun hoperun
  • Joshua S. (Stage) Joshua S. (Stage) joshua.sickmeyer
  • Park, Jae Woo Park, Jae Woo jaewpark
5 authors
  1. Aug 06, 2015
    • Jeff Sharkey's avatar
      Protect runtime storage mount points. · 25725b63
      Jeff Sharkey authored 
      We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.

This series of changes just bumps the directory heirarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.

Also add CTS tests to verify that we're protecting access to
internal mount points like this.

Bug: 22964288
Change-Id: Ic585c4d4381fe51bd764902ef28c38db63b7f2cc
      25725b63
  3. Aug 03, 2015
  5. Aug 02, 2015
  7. Jul 31, 2015
    • Jeff Sharkey's avatar
      Let Settings measure transient free space. · c69b5e0a
      Jeff Sharkey authored 
      Transient volumes like USB drives are only mounted at /mnt/media_rw,
but they still appear in Settings > Storage.  To show stats like
free/used space, give Settings the permissions it needs to access
devices mounted there.

avc: denied { search } for name="media_rw" dev="tmpfs" ino=8358 scontext=u:r:system_app:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0

Bug: 22545248
Change-Id: I273a1729e417873184ad04ba9dd0fec95fd54f97
      c69b5e0a
  9. Jul 13, 2015
    • dcashman's avatar
      Allow domains to read tmpfs symlinks. · 301555e6
      dcashman authored 
      Domains have the ability to read normal tmpfs files but not symlinks.
Grant this ability.  In particular, allow domains to read /mnt/sdcard.

Addresses the following denial:
type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0

(cherry-pick of commit: 2b0b8299)

Bug: 20755029
Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0
      301555e6
  11. Jul 10, 2015
    • Jeff Vander Stoep's avatar
      allow procrank to write to bug report · 099d6329
      Jeff Vander Stoep authored 
      avc: denied { write } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0

(cherry picked from af16c40c)

Bug: 22400298
Change-Id: Ibf5dcf9f7edf416e977577afc32bbbef62e50974
      099d6329
  13. Jun 30, 2015
    • Jeff Sharkey's avatar
      Let Zygote unmount inherited storage devices. · 24f3bcdb
      Jeff Sharkey authored 
      For example, when launching into an isolated process, we need to drop
all mounts inherited from the root namespace.

avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1

Bug: 22192518
Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
      24f3bcdb
  15. Jun 26, 2015
    • Jeff Sharkey's avatar
      Let's reinvent storage, yet again! · 6b75d099
      Jeff Sharkey authored 
      Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app.  This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.

The only thing left that can change dynamically is the filesystem
itself, so let's do that.  This means changing the FUSE daemon to
present itself as three different views:

/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access

There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.

During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions.  When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.

avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0

Bug: 21858077
Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
      6b75d099
  17. Jun 18, 2015
  19. Jun 17, 2015
  21. Jun 16, 2015
  23. Jun 12, 2015
  25. Jun 11, 2015
  27. Jun 10, 2015
  29. Jun 09, 2015
  31. Jun 08, 2015
    • dcashman's avatar
      Remove service_manager_local_audit_domain. · 4b4b2b92
      dcashman authored 
      service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

(cherry-pick of commit: eab26faa)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
      4b4b2b92
    • Nick Kralevich's avatar
      Merge "Allow /dev/klog access, drop mknod and __null__ access" into mnc-dev · 93a7ab8c
      Nick Kralevich authored
      93a7ab8c
    • Nick Kralevich's avatar
      Allow /dev/klog access, drop mknod and __null__ access · e2651972
      Nick Kralevich authored 
      Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.

Addresses the following denials:

    avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
    avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.

Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.

Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.

Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
      e2651972
  33. Jun 05, 2015
  35. Jun 04, 2015