Commits · c5ee21d4202f7c154d3a1d278c3e806294624b32 · CodeLinaro / public-release-test / platform / system / sepolicy

Aug 08, 2016
- fine-grained policy for access to /proc/zoneinfo · 7078e8b6
  Daniel Micay authored 8 years ago
```
Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f
```
  7078e8b6
Aug 05, 2016

restrict access to timing information in /proc · 5423db6e

Daniel Micay authored 8 years ago

These APIs expose sensitive information via timing side channels. This
leaves access via the adb shell intact along with the current uses by
dumpstate, init and system_server.

The /proc/interrupts and /proc/stat files were covered in this paper:

https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/

The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are
also relevant.

Access to /proc has been greatly restricted since then, with untrusted
apps no longer having direct access to these, but stricter restrictions
beyond that would be quite useful.

Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd

5423db6e

Jul 22, 2016
- sepolicy: Add policy for sdcardfs and configfs · c15090b3
  Daniel Rosenberg authored 9 years ago
```
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
```
  c15090b3
Jun 28, 2016

domain: allow reading /proc/sys/vm/overcommit_memory · bc1986fb

Jeff Vander Stoep authored 8 years ago

Needed for jemalloc commit:

2f970c32b527660a33fa513a76d913c812dcf7c
Modify pages_map() to support mapping uncommitted virtual memory.

avc: denied { read } for name="overcommit_memory" dev="proc" ino=10544
scontext=u:r:wificond:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 29773242
Change-Id: I78054c1ed576a7998c4ee1d1beca2f610c589c3a

bc1986fb

May 13, 2016

sepolicy: add support for new tracefs · 97573fdf

Christian Poetzsch authored 8 years ago

Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799



Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>

(cherry picked from commit 4dafa72a)

Change-Id: I75738c756b49da4ac109ae442ee37c1e2844ff0a

97573fdf

sepolicy: add support for new tracefs · 4dafa72a

Christian Poetzsch authored 8 years ago

Since kernel 4.1 ftrace is supported as a new separate filesystem. It
gets automatically mounted by the kernel under the old path
/sys/kernel/debug/tracing. Because it lives now on a separate device
some sepolicy rules need to be updated. This patch is doing that. Most
of the rules are created based on a conversation happened on the SELinux
Android mailing list:

http://comments.gmane.org/gmane.comp.security.seandroid/2799



Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common.
Also note that when tracefs is auto mounted by the kernel, the kernel
does not use the "mode" parameter specified to mount debugfs for
tracefs. So an extra line like

   chmod 0755 /sys/kernel/debug/tracing

is necessary in init.${ro.hardware}.rc after debugfs was mounted.

Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>

4dafa72a

Mar 07, 2016
- sepolicy: Add policy for sdcardfs and configfs · 47fb4b9f
  Daniel Rosenberg authored 9 years ago
```
Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff
Bug: 19160983
```
  47fb4b9f
Feb 24, 2016

Label /proc/meminfo. · f25ea5f9

dcashman authored 9 years ago

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

(cherry-pick of internal commit: 971aeeda)

Bug: 22032619
Chromium Bug: 586021

Change-Id: I2dcb2d4800bbc92ea47c37d4fd7a10f827a0114c

f25ea5f9

Label /proc/meminfo. · 971aeeda

dcashman authored 9 years ago

Address the following denial:
m.chrome.canary: type=1400 audit(0.0:15): avc: granted { read open } for path="/proc/meminfo" dev="proc" ino=4026544360 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file

Bug: 22032619
Chromium Bug: 586021

Change-Id: I584345c84d870c313da69ec97a0b1e54c0eb9ee1

971aeeda

Jul 13, 2015

Give /proc/iomem a more specific label. · 26cd912e

dcashman authored 9 years ago

/proc/iomem is currently given the proc label but contains system information
which should not be available to all processes.

Bug: 22008387
Change-Id: I4f1821f40113a743ad986d13d8d130ed8b8abf2f

26cd912e

May 15, 2015

drop_caches label, vold scratch space on expanded. · c960596c

Jeff Sharkey authored 9 years ago

Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.

Also let vold create new directories under it's private storage area
where the benchmarks will be carried out.  Mirror the definition of
the private storage area on expanded media.

avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f

c960596c

May 13, 2015
- Allow system_server to read/write /proc/uid_cputime/ module · 3526a669
  Adam Lesinski authored 9 years ago
```
Bug:20182139
Change-Id: I1829a83c7d8e2698715e424a688a2753d65de868
```
  3526a669
Apr 11, 2015

genfs_contexts: provide a label for binfmt_misc · fdc56c5f

Nick Kralevich authored 9 years ago

Provide a default label for binfmt_misc. This is not used by the
core policy, although it may be used in device specific policy.

Bug: 20152930
Change-Id: Id51d69333bfeda40720d0e65e1539fab0b6e1e95

fdc56c5f

Feb 25, 2015

Revert /proc/net related changes · 5cf3994d

Nick Kralevich authored 10 years ago

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc
and commit 99940d1a

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

5cf3994d

Jan 22, 2015

domain.te: allow /proc/net/psched access · 0f0324cc

Nick Kralevich authored 10 years ago

external/sepolicy commit 99940d1a
(https://android-review.googlesource.com/123331) removed /proc/net
access from domain.te.

Around the same time, system/core commit
9a20e67fa62c1e0e0080910deec4be82ebecc922
(https://android-review.googlesource.com/123531) was checked in.
This change added libnl as a dependency of libsysutils.

external/libnl/lib/utils.c has a function called get_psched_settings(),
which is annotated with __attribute__((constructor)). This code
gets executed when the library is loaded, regardless of whether or
not other libnl code is executed.

By adding the libnl dependency, even code which doesn't use the
network (such as vold and logd) ends up accessing /proc/net/psched.

For now, allow this behavior. However, in the future, it would be
better to break this dependency so the additional code isn't loaded
into processes which don't need it.

Addresses the following denials:

  avc: denied { read } for  pid=148 comm="logd" name="psched" dev="proc" ino=4026536508 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=152 comm="vold" name="psched" dev="proc" ino=4026536508 scontext=u:r:vold:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
  avc: denied { read } for pid=930 comm="wpa_supplicant" name="psched" dev="proc" ino=4026536508 scontext=u:r:wpa:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0

Bug: 19079006
Change-Id: I1b6d2c144534d3f70f0028ef54b470a75bace1cf

0f0324cc

Sep 26, 2014

zygote: allow replacing /proc/cpuinfo · f2c01189

Nick Kralevich authored 10 years ago

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501

(cherry picked from commit 2de02877)

Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb

f2c01189

zygote: allow replacing /proc/cpuinfo · 2de02877

Nick Kralevich authored 10 years ago

Android's native bridge functionality allows an Android native
app written on one CPU architecture to run on a different architecture.
For example, Android ARM apps may run on an x86 CPU.

To support this, the native bridge functionality needs to replace
/proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo
using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86
in system/core.

This change:

1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo
that label.
2) Grants read-only access to all SELinux domains, to avoid
breaking pre-existing apps.
3) Grants zygote mounton capabilities for that file, so zygote
can replace the file as necessary.

Addresses the following denial:

  avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file

Bug: 17671501
Change-Id: Ib70624fba2baeccafbc0a41369833f76b976ee20

2de02877

Jul 15, 2014
- reconcile aosp (4da3bb14) after branching. Please do not merge. · e9c90bdd
  Ed Heyl authored 10 years ago
```
Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e
```
  e9c90bdd
Jul 08, 2014

Rename sdcard_internal/external types. · 374b2a19

Stephen Smalley authored 10 years ago


Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.

The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.

Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.

Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

374b2a19

Jun 09, 2014

label usbfs · 5a5fb85f

Nick Kralevich authored 10 years ago

Right now usbfs doesn't have any labels, generating the
following kernel warnings:

<7>[    3.009582] SELinux: initialized (dev usbfs, type usbfs), not configured for labeling

and the occasional SELinux unlabeled auditallow logs:

<4>[  285.579254] type=1400 audit(1402010345.094:16): avc: granted { search } for pid=371 comm="qcks" name="/" dev="usbfs" ino=15794 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  285.632354] type=1400 audit(1402010345.154:18): avc: granted { search } for pid=371 comm="qcks" name="001" dev="usbfs" ino=15796 scontext=u:r:kickstart:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir

Make sure usbfs is assigned via genfscon

Change-Id: I7191f2584014ba55a3c3a98e7efd0350dc958782

5a5fb85f

May 13, 2014

DO NOT MERGE: Address system_server denials. · dfee702c

Stephen Smalley authored 11 years ago

Label /proc/sysrq-trigger and allow access.
Label /dev/socket/mtpd and allow access.

Resolves denials such as:
avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder

avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file

avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file

avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process

avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process

avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv
er:s0 tclass=udp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]"
dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s
0 tclass=tcp_socket

avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket

avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket

avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file

avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket

avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file

Bug: 14833575

Change-Id: I23425b4ef1552ff31486d0a52ee2c69d6236691d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

dfee702c

Apr 15, 2014

Label /dev/usb-ffs/adb functionfs · 77cc0550

Nick Kralevich authored 10 years ago

Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.

Once labeled, this addresses the following denials:

<12>[   16.127191] type=1400 audit(949060866.189:4): avc:  denied  { read write } for  pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[   16.127406] type=1400 audit(949060866.189:5): avc:  denied  { open } for  pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[  377.366011] type=1400 audit(949061227.419:16): avc:  denied  { ioctl } for  pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file

Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2

77cc0550

Apr 10, 2014

pstore file system labeling · 318e0c9c

jaejyn.shin authored 10 years ago

pstore(persistent store) have been applied since kernel 3.5
We need to label the pstore-fs in order to use Android with kernel 3.5 or upper version.
My kernel version is 3.10 and I got the below denial log when I ran the "df" command on the adb shell.

type=1400 msg=audit(1388540540.220:18): avc: denied { getattr } for pid=7296 comm="df" name="/" dev="pstore" ino=7703 scontext=u:r:init:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem

And the below log is also shown during booting

type=1400 msg=audit(1388539193.750:4): avc: denied { mount } for pid=2844 comm="mount" name="/" dev="pstore" ino=11393 scontext=u:r:init_shell:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem

Change-Id: Iaba543d44565c4f20a77a95b9573a628bbd3fd34

318e0c9c

Mar 05, 2014

Address system_server denials. · 3dad7b61