  1. Aug 02, 2015
    • init.te: delete kernel load policy support · 356df327
      Nick Kralevich authored
      Remove the ability to dynamically update SELinux policy on the
      device.
      
      1) This functionality has never been used, so we have no idea if
      it works or not.
      
      2) If system_server is compromised, this functionality allows a
      complete bypass of the SELinux policy on the device. In particular,
      an attacker can force a regression of the following patch
        * https://android-review.googlesource.com/138510
      see also https://code.google.com/p/android/issues/detail?id=181826
      
      3) Dynamic policy update can be used to bypass neverallow protections
      enforced in CTS, by pushing a policy to the device after certification.
      Such an updated policy could bring the device out of compliance or
      deliberately introduce security weaknesses.
      
      Bug: 22885422
      Bug: 8949824
      Change-Id: Id98b5e09d79254816d920b92003efe8dcbe6cd2e
  2. Jul 13, 2015
    • Allow domains to read tmpfs symlinks. · 301555e6
      dcashman authored
      Domains have the ability to read normal tmpfs files but not symlinks.
      Grant this ability.  In particular, allow domains to read /mnt/sdcard.
      
      Addresses the following denial:
      type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0
      
      (cherry-pick of commit: 2b0b8299)
      
      Bug: 20755029
      Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0
  3. Jul 10, 2015
    • allow procrank to write to bug report · 099d6329
      Jeff Vander Stoep authored
      avc: denied { write } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
      
      (cherry picked from af16c40c)
      
      Bug: 22400298
      Change-Id: Ibf5dcf9f7edf416e977577afc32bbbef62e50974
  4. Jun 30, 2015
    • Let Zygote unmount inherited storage devices. · 24f3bcdb
      Jeff Sharkey authored
      For example, when launching into an isolated process, we need to drop
      all mounts inherited from the root namespace.
      
      avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1
      
      Bug: 22192518
      Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
  5. Jun 26, 2015
    • Let's reinvent storage, yet again! · 6b75d099
      Jeff Sharkey authored
      Now that we're treating storage as a runtime permission, we need to
      grant read/write access without killing the app.  This is really
      tricky, since we had been using GIDs for access control, and they're
      set in stone once Zygote drops privileges.
      
      The only thing left that can change dynamically is the filesystem
      itself, so let's do that.  This means changing the FUSE daemon to
      present itself as three different views:
      
      /mnt/runtime_default/foo - view for apps with no access
      /mnt/runtime_read/foo - view for apps with read access
      /mnt/runtime_write/foo - view for apps with write access
      
      There is still a single location for all the backing files, and
      filesystem permissions are derived the same way for each view, but
      the file modes are masked off differently for each mountpoint.
      
      During Zygote fork, it wires up the appropriate storage access into
      an isolated mount namespace based on the current app permissions.  When
      the app is granted permissions dynamically at runtime, the system
      asks vold to jump into the existing mount namespace and bind mount
      the newly granted access model into place.
      
      avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
      avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
      avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0
      
      Bug: 21858077
      Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
  13. Jun 08, 2015
    • Remove service_manager_local_audit_domain. · 4b4b2b92
      dcashman authored
      service_manager_local_audit_domain was used to fine tune the service_manager
      auditallow rules when introducing the service_manager SELinux rules.  This is no
      longer needed.
      
      (cherry-pick of commit: eab26faa)
      
      Bug: 21656807
      Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
    • Allow /dev/klog access, drop mknod and __null__ access · e2651972
      Nick Kralevich authored
      Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
      These processes log to the kernel dmesg ring buffer, so they need
      write access to that file.
      
      Addresses the following denials:
      
          avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
          avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
          avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
      
      These denials were triggered by the change in
      https://android-review.googlesource.com/151209 . Prior to that change,
      any code which called klog_init would (unnecessarily) create the
      device node themselves, rather than using the already existing device
      node.
      
      Drop special /dev/__null__ handling from watchdogd. As of
      https://android-review.googlesource.com/148288 , watchdogd no longer
      creates its own /dev/null device, so it's unnecessary for us
      to allow for it.
      
      Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
      only needed mknod to create /dev/__kmsg__, which is now obsolete.
      watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
      which again is now obsolete.
      
      Bug: 21242418
      Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
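Each of the commit messages above quotes one or more avc denial lines and then grants the narrowest rule that satisfies them. The following is an added example, not code from this page or from the Android sepolicy project: a small Python parser that turns denial lines like the ones quoted above (embedded here as constructed sample input, copied from the messages plus one clearly marked constructed companion line) into candidate allow rules in the style audit2allow produces. It decodes the hex-encoded comm field that the kernel emits when the process name contains a space (the tmpfs symlink denial above), records whether each denial was actually blocked (permissive=0) or only logged from a permissive domain (permissive=1), and merges permissions that share the same source, target and class. All function and variable names are my own.

```python
"""Turn SELinux avc denial lines into candidate allow rules (audit2allow-style)."""
import re
from collections import OrderedDict

# Constructed sample input: denial lines quoted from the commit messages above,
# plus one constructed companion line (the procrank "open") to show merging.
SAMPLE_DENIALS = [
    'type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0',
    'avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0',
    'avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0',
    'avc: denied { write } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0',
    # Constructed line, not from the page: same subject/object/class, different permission.
    'avc: denied { open } for pid=14742 comm="procrank" path="/data/data/com.android.shell/files/bugreports/bugreport-2015-07-02-22-17-43.txt.tmp" dev="dm-2" ino=44479 scontext=u:r:procrank:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0',
    'avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1',
    'avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_comm(raw):
    """Quoted values are literal; the kernel prints comm/name values that contain
    spaces or quotes as unquoted hex, so an unquoted all-hex value is decoded."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def context_type(ctx):
    """u:r:untrusted_app:s0:c512,c768 -> untrusted_app (user:role:type:levels)."""
    return ctx.split(':')[2]


def parse_denial(line):
    """Return the parts of one denial as a dict, or None if the line is not an avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    return {
        'perms': m.group('perms').split(),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': decode_comm(fields['comm']) if 'comm' in fields else None,
        # permissive=0: the access was actually blocked.
        # permissive=1: the domain was permissive, so the access went through and was only logged.
        'enforced': fields.get('permissive') == '0',
    }


def generate_rules(lines):
    """Merge denials sharing (source, target, class) into one allow rule each,
    keeping first-seen order so the output follows the log."""
    merged = OrderedDict()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        key = (d['source'], d['target'], d['tclass'])
        perms = merged.setdefault(key, [])
        for p in d['perms']:
            if p not in perms:
                perms.append(p)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        # audit2allow writes "self" when a domain acts on its own context (capabilities).
        tgt_name = 'self' if src == tgt else tgt
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt_name}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for line in SAMPLE_DENIALS:
        d = parse_denial(line)
        print(f"{(d['comm'] or '-'):<14} enforced={d['enforced']}  {d['source']} -> {d['target']}:{d['tclass']} {d['perms']}")
    print()
    for rule in generate_rules(SAMPLE_DENIALS):
        print(rule)
```

The generated rules are candidates for review, not a patch: the kmsg commit above, for example, granted write on kmsg_device instead of keeping the mknod the processes had been using, and the storage commits show denials logged at permissive=1 that were understood in the context of a larger redesign before any rule was written. A candidate rule should also be checked against the neverallow rules that CTS enforces, which is exactly the protection the first commit on this page preserves by refusing dynamic policy updates.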
    • Move crypt commands to a different listener in vold · 3aac44ed
      Paul Lawrence authored
      In order to prevent this bug from happening, we must allow vold cryptfs
      commands to complete while a long running mount is underway.
      
      While waiting for vold to be changed to a binder interface, we will simply
      create two listeners, one for cryptfs and one for everything else.
      
      Bug: 19197175
      Change-Id: I819f6a54c0a232826016823f2fde3adf7be31f9d
  17. Jun 02, 2015
    • logd: logpersistd · 7e0838aa
      Mark Salyzyn authored
      (cherry pick from commit 0d22c6ce)
      
      - Enable logpersistd to write to /data/misc/logd
      - Enable logpersistd to read from pstore to help complete any content
        lost by reboot disruption
      - Enable shell read-only access to logpersistd files in /data/misc/logd
      - Enable logcat -f when placed into logd context to act as a
        logpersistd (nee logcatd) agent, restrict access to run only in
        userdebug or eng
      
      Bug: 19608716
      Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5