- Apr 06, 2017
-
-
Martijn Coenen authored
Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
-
- Feb 06, 2017
-
-
Stephen Smalley authored
The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Stephen Smalley authored
Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- Jan 18, 2017
-
-
Josh Gao authored
Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
-
- Nov 21, 2016
-
-
Nick Kralevich authored
Description stolen from https://github.com/torvalds/linux/commit/42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Test: policy compiles and no boot errors (marlin) Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
-
- Oct 06, 2016
-
-
dcashman authored
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
-
- Apr 07, 2016
-
-
Jeff Vander Stoep authored
(cherry picked from AOSP a16b0589) Enforce restrictions on kernel module origin when kernel has commit: 61d612ea selinux: restrict kernel module loading Bug: 27824855 Change-Id: Icf2fefec4231f3df8f0f3d914123c22084d87b0b
-
Jeff Vander Stoep authored
Enforce restrictions on kernel module origin when kernel has commit: 61d612ea selinux: restrict kernel module loading Bug: 27824855 Change-Id: Icf2fefec4231f3df8f0f3d914123c22084d87b0b
-
- Mar 03, 2016
-
-
Stephen Smalley authored
Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree). Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov> (cherry picked from commit 01d95c23) Change-Id: Ic00a0d474730cda91ba3bc387e0cc14482f82114
-
Stephen Smalley authored
Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree). Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- Oct 01, 2015
-
-
Woojung Min authored
In kernel 3.18 following error message is seen since audit_read is added to capability2 at classmap.h So add audit_read permission to capability2. SELinux: Permission audit_read in class capability2 not defined in policy. SELinux: the above unknown classes and permissions will be denied The kernel change from AOSP is: https://android.googlesource.com/kernel/common/+/3a101b8de0d39403b2c7e5c23fd0b005668acf48%5E%21/security/selinux/include/classmap.h Change-Id: I236fbb8ac575c5cb8df097014da6395e20378175 Signed-off-by:
Woojung Min <wmin@nvidia.com>
-
- May 26, 2015
-
-
Stephen Smalley authored
These are all userspace security class definitions that are unused in Android; they are only meaningful in Linux distributions. Change-Id: I99738752da996d9a1c7793eea049d937ffe4255b Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- May 18, 2015
-
-
Chad Brubaker authored
Keystore is going through an API cleanup to make names more clear and remove unclear methods. (cherry-picked from commit cbc8f796) Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
-
Chad Brubaker authored
user_changed will be used for state change methods around android user creation/deletion. (cherry-picked from commit 520bb816) Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
-
- May 14, 2015
-
-
Chad Brubaker authored
Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
-
- May 12, 2015
-
-
Chad Brubaker authored
user_changed will be used for state change methods around android user creation/deletion. Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
-
- Mar 31, 2015
-
-
Chad Brubaker authored
This is for the new addAuthToken keystore method from I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to authorize keymaster operations. The tokens are HMAC'd and so shouldn't be fakeable but this is still limited to system_server only. Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
-
- Mar 09, 2015
-
-
dcashman authored
Add neverallow rules to ensure that zygote commands are only taken from system_server. Also remove the zygote policy class which was removed as an object manager in commit: ccb3424639821b5ef85264bc5836451590e8ade7 Bug: 19624279 Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
-
- Sep 11, 2014
-
- Aug 29, 2014
-
-
Robin Lee authored
Permits the system server to change keystore passwords for users other than primary. Bug: 16233206 Change-Id: I7941707ca66ac25bd122fd22e5e0f639e7af697e
-
- Jul 24, 2014
-
-
Stephen Smalley authored
Define a new class, permissions, and rules for the debuggerd SELinux MAC checks. Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd. Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
Riley Spahn authored
Add policies supporting SELinux MAC in DrmManagerservice. Add drmservice class with verbs for each of the functions exposed by drmservice. Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
-
- Jul 15, 2014
-
-
Riley Spahn authored
Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. (cherry picked from commit b8511e0d) Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
-
- Jul 14, 2014
-
-
Riley Spahn authored
Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
-
- Jun 26, 2014
-
-
Riley Spahn authored
Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
-
- Jun 12, 2014
-
-
Riley Spahn authored
Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
-
- Jun 06, 2014
-
-
Nick Kralevich authored
Modeled after http://oss.tresys.com/pipermail/refpolicy/2013-January/006283.html Addresses the following kernel error message: <6>[ 3.855423] SELinux: Permission attach_queue in class tun_socket not defined in policy. <6>[ 3.862482] SELinux: the above unknown classes and permissions will be denied <7>[ 3.869668] SELinux: Completing initialization. Change-Id: Iad87fcd5348d121a808dbe7ae3c63f8c90fc09fc
-
- May 03, 2014
-
-
dcashman authored
specifycapabilities is no longer specified by the zygote userspace manager. It was removed in commit: 42a4bb5730266f80585e67262c73505d0bfffbf8. Remove this permission from policy. Change-Id: I866a25b590a375a68de6eec9af1b3ef779889985
-
- Mar 19, 2013
-
-
Stephen Smalley authored
The binder_transfer_binder hook was changed in the kernel, obsoleting the receive permission and changing the target of the transfer permission. Update the binder-related policy to match the revised permission checking. Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>
-
- Aug 10, 2012
-
-
Stephen Smalley authored
-
- Apr 04, 2012
-
-
Stephen Smalley authored
New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
-
- Jan 04, 2012
-
-
Stephen Smalley authored
-