Skip to content
Snippets Groups Projects
Select Git revision
  • test default
1 result
Search by author
  • Any Author
  • Admin, Lime Admin, Lime lime_admin
  • CodeLinaro CodeLinaro codelinaro
  • CodeLinaro Hoperun CodeLinaro Hoperun hoperun
  • Joshua S. (Stage) Joshua S. (Stage) joshua.sickmeyer
  • Park, Jae Woo Park, Jae Woo jaewpark
5 authors
  1. Sep 27, 2016
    • Lorenzo Colitti's avatar
      Don't allow dumpstate to call ioctl on netlink_tcpdiag_socket. · a8239c61
      Lorenzo Colitti authored 
      This fixes the build error:

=====
libsepol.report_assertion_extended_permissions: neverallowxperm on line 166 of system/sepolicy/domain.te (or line 9201 of policy.conf) violated by
allow dumpstate dumpstate:netlink_tcpdiag_socket { ioctl };
libsepol.check_assertions: 1 neverallow failures occurred
=====

Which is caused, in AOSP and downstream branches, by
I123e5d40955358665800fe3b86cd5f8dbaeb8717.

Test: builds.
Change-Id: I925dec63df7c3a0f731b18093a8ac5c70167c970
      a8239c61
    • Lorenzo Colitti's avatar
      Allow dumpstate to run ss. · bb9b4dd8
      Lorenzo Colitti authored 
      (cherry picked from commit 63c7ad6e)

Bug: 23113288
Test: see http://ag/1476096
Change-Id: I3beb21f1af092c93eceb3d5115f823c1b993727d
      bb9b4dd8
  3. Sep 23, 2016
  5. Sep 21, 2016
    • Felipe Leme's avatar
      Let system_server writes to dumpstate.options property. · a5a8072f
      Felipe Leme authored 
      Currently, we define 4 hardcoded init services to launch dumpstate with
different command-line options (since dumpstate must be launched by
root):

- bugreport
- bugreportplus
- bugreportwear
- bugreportremote

This approach does not scale well; a better option is to have just one
service, and let the framework pass the extra arguments through a system
property.

BUG: 31649719
Test: manual

Change-Id: I7ebbb7ce6a0fd3588baca6fd76653f87367ed0e5
      a5a8072f
  7. Sep 13, 2016
  9. Sep 12, 2016
  11. Sep 07, 2016
  13. Aug 08, 2016
  15. Aug 05, 2016
    • Daniel Micay's avatar
      restrict access to timing information in /proc · 5423db6e
      Daniel Micay authored 
      These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.

The /proc/interrupts and /proc/stat files were covered in this paper:

https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/

The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.

Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.

Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
      5423db6e
  17. Jun 21, 2016
  19. Jun 20, 2016
    • Felipe Leme's avatar
      Grant access to net_raw and net_admin to dumpstate. · 51fdddaf
      Felipe Leme authored 
      These capabilities are required so it can run iptables, otherwise it
will cause failures such as:

06-20 16:19:02.650  5524  5524 W iptables: type=1400 audit(0.0:232): avc: denied { net_raw } for capability=13 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0
06-20 16:56:57.119  5070  5070 W iptables: type=1400 audit(0.0:13): avc: denied { net_admin } for capability=12 scontext=u:r:dumpstate:s0 tcontext=u:r:dumpstate:s0 tclass=capability permissive=0

BUG: 29455997
Change-Id: I9c0d1973f166da202d039eac883a6e53d53e24cb
      51fdddaf
  21. Jun 16, 2016
  23. Jun 14, 2016
    • dcashman's avatar
      Keep pre-existing sysfs write permissions. · 17cfd3fc
      dcashman authored 
      Commit: b144ebab added the sysfs_usb
type and granted the read perms globally, but did not add write
permissions for all domains that previously had them.  Add the ability
to write to sysfs_usb for all domains that had the ability to write to
those files previously (sysfs).

Address denials such as:
type=1400 audit(1904.070:4): avc:  denied  { write } for  pid=321 comm="ueventd" name="uevent" dev="sysfs" ino=1742 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_usb:s0 tclass=file permissive=0

Bug: 28417852
Change-Id: I4562ea73f2158ebefba74b58ca572f2176d1b849
      17cfd3fc
  25. Jun 08, 2016
  27. May 13, 2016
  29. Apr 19, 2016
  31. Apr 14, 2016
  33. Apr 05, 2016
    • Daniel Rosenberg's avatar
      Allow search/getattr access to media_rw_data_file for now. · b80bdef0
      Daniel Rosenberg authored 
      With sdcardfs, we no longer have a separate sdcardd acting as
an intermediate between the outside world and /data/media.
Unless we modify sdcardfs to change contexts, we need these.
Added for: system_server, dumpstate, and bluetooth

Remove this patch if sdcardfs is updated to change the
secontext of fs accesses.

Bug: 27932396
Change-Id: I294cfe23269b7959586252250f5527f13e60529b
      b80bdef0
  35. Apr 01, 2016
  37. Mar 25, 2016
  39. Mar 19, 2016
  41. Mar 17, 2016
  43. Mar 02, 2016
  45. Feb 24, 2016
  47. Feb 09, 2016
  49. Jan 28, 2016
  51. Jan 27, 2016
  53. Jan 22, 2016
  55. Jan 04, 2016
    • Felipe Leme's avatar
      Creates a new permission for /cache/recovery · 549ccf77
      Felipe Leme authored 
      This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
      549ccf77
  57. Dec 11, 2015
  59. Dec 08, 2015
  61. Dec 04, 2015
    • Felipe Leme's avatar
      Increase communication surface between dumpstate and Shell: · 83fd8a54
      Felipe Leme authored 
      - Add a new 'dumpstate' context for system properties. This context
  will be used to share state between dumpstate and Shell. For example,
  as dumpstate progresses, it will update a system property, which Shell
  will use to display the progress in the UI as a system
  notification. The user could also rename the bugreport file, in which
  case Shell would use another system property to communicate such
  change to dumpstate.
- Allow Shell to call 'ctl.bugreport stop' so the same system
  notification can be used to stop dumpstate.

BUG: 25794470

Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
      83fd8a54
  63. Nov 25, 2015
  65. Nov 03, 2015
    • Jeff Vander Stoep's avatar
      Create attribute for moving perms out of domain · d22987b4
      Jeff Vander Stoep authored 
      Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
      d22987b4
  67. Oct 27, 2015
  69. Aug 25, 2015
    • Stephen Smalley's avatar
      Only allow toolbox exec where /system exec was already allowed. · a3c97a76
      Stephen Smalley authored 
      
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      a3c97a76
  71. Aug 13, 2015