  1. Sep 13, 2016
  2. Sep 12, 2016
  3. Sep 07, 2016
  4. Aug 08, 2016
  5. Aug 05, 2016
    • restrict access to timing information in /proc · 5423db6e
      Daniel Micay authored
      These APIs expose sensitive information via timing side channels. This
      leaves access via the adb shell intact along with the current uses by
      dumpstate, init and system_server.
      
      The /proc/interrupts and /proc/stat files were covered in this paper:
      
      https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/
      
      The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
      also relevant.
      
      Access to /proc has been greatly restricted since then, with untrusted
      apps no longer having direct access to these, but stricter restrictions
      beyond that would be quite useful.
      
      Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
  6. Jun 21, 2016
  7. Jun 20, 2016
    • Grant access to net_raw and net_admin to dumpstate. · 51fdddaf
      Felipe Leme authored
      These capabilities are required so it can run iptables, otherwise it
      will cause failures such as:
      
      06-20 16:19:02.650  5524  5524 W iptables: type=1400 audit(0.0:232): avc: denied { net_raw } for capability=13 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0
      06-20 16:56:57.119  5070  5070 W iptables: type=1400 audit(0.0:13): avc: denied { net_admin } for capability=12 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0
      
      BUG: 29455997
      Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb
  8. Jun 16, 2016
  9. Jun 14, 2016
    • Keep pre-existing sysfs write permissions. · 17cfd3fc
      dcashman authored
      Commit: b144ebab added the sysfs_usb
      type and granted the read perms globally, but did not add write
      permissions for all domains that previously had them.  Add the ability
      to write to sysfs_usb for all domains that had the ability to write to
      those files previously (sysfs).
      
      Address denials such as:
      type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0
      
      Bug: 28417852
      Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
  10. Jun 08, 2016
  11. May 13, 2016
  12. Apr 19, 2016
  13. Apr 14, 2016
  14. Apr 05, 2016
    • Allow search/getattr access to media_rw_data_file for now. · b80bdef0
      Daniel Rosenberg authored
      With sdcardfs, we no longer have a separate sdcardd acting as
      an intermediate between the outside world and /data/media.
      Unless we modify sdcardfs to change contexts, we need these.
      Added for: system_server, dumpstate, and bluetooth
      
      Remove this patch if sdcardfs is updated to change the
      secontext of fs accesses.
      
      Bug: 27932396
      Change-Id: I294cfe23269b7959586252250f5527f13e60529b
  15. Apr 01, 2016
  16. Mar 25, 2016
  17. Mar 19, 2016
  18. Mar 17, 2016
  19. Mar 02, 2016
  20. Feb 24, 2016
  21. Feb 09, 2016
  22. Jan 28, 2016
  23. Jan 27, 2016
  24. Jan 22, 2016
  25. Jan 04, 2016
    • Creates a new permission for /cache/recovery · 549ccf77
      Felipe Leme authored
      This permission was created mostly for dumpstate (so it can include
      recovery files on bugreports when an OTA fails), but it was applied to
      uncrypt and recovery as well (since it had a wider access before).
      
      Grant access to cache_recovery_file where we previously granted access
      to cache_file. Add auditallow rules to determine if this is really
      needed.
      
      BUG: 25351711
      Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
  26. Dec 11, 2015
  27. Dec 08, 2015
  28. Dec 04, 2015
    • Increase communication surface between dumpstate and Shell: · 83fd8a54
      Felipe Leme authored
      - Add a new 'dumpstate' context for system properties. This context
        will be used to share state between dumpstate and Shell. For example,
        as dumpstate progresses, it will update a system property, which Shell
        will use to display the progress in the UI as a system
        notification. The user could also rename the bugreport file, in which
        case Shell would use another system property to communicate such
        change to dumpstate.
      - Allow Shell to call 'ctl.bugreport stop' so the same system
        notification can be used to stop dumpstate.
      
      BUG: 25794470
      
      Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
  29. Nov 25, 2015
  30. Nov 03, 2015
    • Create attribute for moving perms out of domain · d22987b4
      Jeff Vander Stoep authored
      Motivation: Domain is overly permissive. Start removing permissions
      from domain and assign them to the domain_deprecated attribute.
      Domain_deprecated and domain can initially be assigned to all
      domains. The goal is to not assign domain_deprecated to new domains
      and to start removing domain_deprecated where it is not required or
      reassigning the appropriate permissions to the inheriting domain
      when necessary.
      
      Bug: 25433265
      Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
  31. Oct 27, 2015
  32. Aug 25, 2015
    • Only allow toolbox exec where /system exec was already allowed. · a3c97a76
      Stephen Smalley authored
      
      When the toolbox domain was introduced, we allowed all domains to exec it
      to avoid breakage.  However, only domains that were previously allowed the
      ability to exec /system files would have been able to do this prior to the
      introduction of the toolbox domain.  Remove the rule from domain.te and add
      rules to all domains that are already allowed execute_no_trans to system_file.
      Requires coordination with device-specific policy changes with the same Change-Id.
      
      Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  33. Aug 13, 2015
  34. Jun 08, 2015
    • Remove service_manager_local_audit_domain. · 4b4b2b92
      dcashman authored
      service_manager_local_audit_domain was used to fine tune the service_manager
      auditallow rules when introducing the service_manager SELinux rules.  This is no
      longer needed.
      
      (cherry-pick of commit: eab26faa)
      
      Bug: 21656807
      Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
    • Remove service_manager_local_audit_domain. · eab26faa
      dcashman authored
      service_manager_local_audit_domain was used to fine tune the service_manager
      auditallow rules when introducing the service_manager SELinux rules.  This is no
      longer needed.
      
      Bug: 21656807
      Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
  35. Apr 06, 2015
    • SELinux permissions for gatekeeper TEE proxy · e207986e
      Andres Morales authored
      sets up:
      - execute permissions
      - binder permission (system_server->gatekeeper->keystore)
      - prevents dumpstate and shell from finding GK binder service
      - neverallow rules for prohibited clients
      
      Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
    • dumpstate: allow df on /storage/emulated · c24d90cb
      Nick Kralevich authored
      dumpstate runs "df" on all mounted filesystems. Allow dumpstate
      to access /storage/emulated so df works.
      
      Addresses the following denial:
      
        avc: denied { search } for pid=4505 comm="df" name="/" dev="tmpfs" ino=6207 scontext=u:r:dumpstate:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
      
      Change-Id: I99dac8321b19952e37c0dd9d61a680a27beb1ae8