- Oct 16, 2018
-
-
Nick Kralevich authored
am: 86881bd3 Change-Id: I892a1dce285c2af14dea4b5fd180bc573f9aa959
-
Nick Kralevich authored
am: 2e7ac24b Change-Id: Id5b3e10d776575cf578d5ae2d31023169adf18d0
-
Nick Kralevich authored
am: 9c22895c Change-Id: Icf1b28c653ed40e827ad087dec13bcd02b9ba484
-
Nick Kralevich authored
Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying).

system/sepolicy commit 4397f082 added the map permission to common file macros, to ensure that file access would continue working even in the presence of a newer kernel. However, that change did not affect socket access.

Certain socket classes, such as AF_NETLINK and AF_PACKET, also support mmap operations. This change adds the map permission to rw_socket_perms, to ensure continued support for newer kernels.

This technically allows mmap even in cases where the socket family doesn't support it (such as TCP and UDP sockets), but granting it is harmless in those cases.

In particular, this fixes a bug in clatd, where the following error would occur:

  10-01 13:59:03.182 7129 7129 I clatd : Starting clat version 1.4 on rmnet0 netid=100 mark=0xf0064
  10-01 13:59:03.195 7129 7129 I auditd : type=1400 audit(0.0:18): avc: denied { map } for comm="clatd" path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
  10-01 13:59:03.195 7129 7129 W clatd : type=1400 audit(0.0:18): avc: denied { map } for path="socket:[52802]" dev="sockfs" ino=52802 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket permissive=0
  10-01 13:59:03.199 7129 7129 F clatd : mmap 1048576 failed: Permission denied

Test: policy compiles
Bug: 117791876
Change-Id: I39f286d577b4a2160037ef271517ae8a3839b49b
-
Chong Zhang authored
am: 31ef820c Change-Id: I7d03e88e6a9c19c483ecb90867b997feaa8b207e
-
Chong Zhang authored
am: c601d9e5 Change-Id: Ib6a0d41c614857d385645ad870599b5ef6f6a2fb
-
Chong Zhang authored
am: 52fb3edb Change-Id: I106c471e9251ec7a4f43b13103c429c3b4fc2476
-
- Oct 15, 2018
-
-
David Anderson authored
am: c024e8b2 Change-Id: I7de97c483297989bd415a0f49a19967cb0ef71cd
-
Florian Mayer authored
am: 2e14b40c Change-Id: I024b49496db0cc0c2c5f95b0fe71c4a8054c3eb5
-
David Anderson authored
am: e71ebaa3 Change-Id: I8760aa1ee504a7680998114470ac65d2f4c56069
-
Florian Mayer authored
am: 40144ea2 Change-Id: I44022adbe0056a764dd143cbbfb7e2878585da6c
-
David Anderson authored
am: a9f9a3a8 Change-Id: Idb5f98a8516fa849d1ed0d502fe99ae826ba2919
-
Florian Mayer authored
am: d5c62bfb Change-Id: Ie33eefd304941d2d4553eb35a91e174b2c3c859d
-
Chong Zhang authored
Add a service in mediaswcodec to load updated codecs, and restrict it to userdebug/eng.

Reuse existing mediaextractor_update_service since the codec update service is identical; this avoids adding a new one for now as we may not need the service anymore after switching to APEX.

Bug: 111407413
Bug: 117290290
Change-Id: Ia75256f47433bd13ed819c70c1fb34ecd5d507b4
-
Tri Vo authored
Bug: 111243627 Test: m selinux_policy Change-Id: I0bab79d1a3b7a8b5bf5d12ba2dc5ce46abea5332
-
David Anderson authored
-
Treehugger Robot authored
-
David Anderson authored
This reverts commit 7a560eb4.

Reason for revert: build bustage

Change-Id: Iba0ba7a899dca865129a9c715c5f60f8a6edcc2f
-
Tri Vo authored
Policy w.r.t. apps:
- cgroup access from untrusted apps and priv app is neverallow'ed.
- other apps (e.g. vendor apps) need to explicitly declare appropriate access rules to cgroups.

Policy w.r.t. native domains:
- libcutils exports API to /dev/{cpuset, stune}/*. This API is used abundantly in native vendor code. So we are not going to limit non-app access to cgroup.

Bug: 110043362
Bug: 117666318
Test: m selinux_policy, boot device
Change-Id: I83aee21ca3e8941725c70706769ea9dbdc76b9c5
-
Nick Kralevich authored
am: 24a7302d Change-Id: Ic751334f23b732d5e260bf060132d6da7096831e
-
Nick Kralevich authored
am: 8551db90 Change-Id: I219705e2f6a8f39a549b017fbbb97cc4da1bf1a1
-
Nick Kralevich authored
am: b7d36521 Change-Id: Iae9439196695c23d255161731b6c9cb4fb9dd958
-
Treehugger Robot authored
-
Florian Mayer authored
This does not actually grant any permissions but just adds the necessary boilerplate for a new service.

Bug: 117762471
Bug: 117761873
Change-Id: I7cdd2ae368616cfd54fc685c15f775604bfc80d4
-
Nick Kralevich authored
This is needed to find the file on the raw block device, so it can be securely deleted.

Addresses the following denials:

  type=1400 audit(0.0:492): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/10/current/encrypted_key" dev="dm-3" ino=9984 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
  type=1400 audit(0.0:517): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/11/current/secdiscardable" dev="dm-3" ino=9581 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
  type=1400 audit(0.0:694): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/0/current/keymaster_key_blob" dev="dm-3" ino=9903 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Change-Id: I1adf21b7fa92b1f92ce76532f4d9337a4d58a2e5
- Oct 13, 2018
-
-
Tri Vo authored
Input files are public API: https://source.android.com/devices/input/input-device-configuration-files

Now that they have labels from core policy (aosp/782082), we can tighten up our neverallows.

Bug: 37168747
Test: m selinux_policy
Change-Id: I7545b190f35b6b2c86c5dc42c0814f7bccbf1281
-