Skip to content
Snippets Groups Projects
  1. Feb 08, 2017
    • Alex Klyubin's avatar
      Move binderservicedomain policy to private · 84aebd3c
      Alex Klyubin authored
      This leaves only the existence of binderservicedomain attribute as
      public API. All other rules are implementation details of this
      attribute's policy and are thus now private.
      
      Test: No change to policy according to sesearch, except for
            disappearance of all allow rules to do with *_current targets
            referenced in binderservicedomain.te.
      Bug: 31364497
      Change-Id: Ic830bcc5ffb6d624e0b3aec831071061cccc513c
      84aebd3c
  2. Feb 07, 2017
  3. Oct 06, 2016
    • dcashman's avatar
      Split general policy into public and private components. · cc39f637
      dcashman authored
      Divide policy into public and private components.  This is the first
      step in splitting the policy creation for platform and non-platform
      policies.  The policy in the public directory will be exported for use
      in non-platform policy creation.  Backwards compatibility with it will
      be achieved by converting the exported policy into attribute-based
      policy when included as part of the non-platform policy and a mapping
      file will be maintained to be included with the platform policy that
      maps exported attributes of previous versions to the current platform
      version.
      
      Eventually we would like to create a clear interface between the
      platform and non-platform device components so that the exported policy,
      and the need for attributes is minimal.  For now, almost all types and
      avrules are left in public.
      
      Test: Tested by building policy and running on device.
      
      Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
      cc39f637
  4. Mar 07, 2016
  5. Oct 29, 2015
    • dcashman's avatar
      Enable permission checking by binderservicedomain. · 000b6949
      dcashman authored
      binderservicedomain services often expose their methods to untrusted
      clients and rely on permission checks for access control.  Allow these
      services to query the permission service for access decisions.
      
      (cherry-pick of commit: 32d207e0)
      
      Bug: 25282923
      Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b
      000b6949
    • dcashman's avatar
      Enable permission checking by binderservicedomain. · 32d207e0
      dcashman authored
      binderservicedomain services often expose their methods to untrusted
      clients and rely on permission checks for access control.  Allow these
      services to query the permission service for access decisions.
      
      Bug: 25282923
      Change-Id: I39bbef479de3a0df63e0cbca956f3546e13bbb9b
      32d207e0
  6. May 18, 2015
  7. May 14, 2015
  8. Jul 01, 2014
  9. Jun 30, 2014
    • Riley Spahn's avatar
      Remove catchall for unregistered services. · 28b71808
      Riley Spahn authored
      Remove the allow rule for default services in
      binderservicedomain.te so we will need to whitelist any
      services to be registered.
      
      Change-Id: Ibca98b96a3c3a2cbb3722dd33b5eb52cb98cb531
      28b71808
  10. Jun 26, 2014
    • Riley Spahn's avatar
      Adding policies for KeyStore MAC. · 1196d2a5
      Riley Spahn authored
      Add keystore_key class and an action for each action supported
      by keystore. Add policies that replicate the access control that
      already exists in keystore. Add auditallow rules for actions
      not known to be used frequently. Add macro for those domains
      wishing to access keystore.
      
      Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
      1196d2a5
  11. Jun 21, 2014
    • Nick Kralevich's avatar
      Allow dumpsys from serial console · 67d1f1ec
      Nick Kralevich authored
      Trying to run dumpsys from the serial console generates the
      following errors:
      
        shell@device:/ # dumpsys power
        [ 3244.099015] binder: 2259:2259 transaction failed 29201, size 28-8
        [ 3244.099291] type=1400 audit(1403313679.642:12): avc: denied { read write } for pid=2259 comm="dumpsys" path="/dev/console" dev="tmpfs" ino=6188 scontext=u:r:system_server:s0 tcontext=u:object_r:console_device:s0 tclass=chr_file permissive=0
        Error dumping service info: (Unknown error -2147483646) power
      
      and the operation fails. Allow binderservicedomains to perform
      writes to /dev/console.
      
      Bug: 15779131
      Change-Id: Iff55ab09c3a4d40e12d49ff2308bf147f9cb6937
      67d1f1ec
  12. Jun 12, 2014
    • Riley Spahn's avatar
      Add SELinux rules for service_manager. · f90c41f6
      Riley Spahn authored
      Add a service_mananger class with the verb add.
      Add a type that groups the services for each of the
      processes that is allowed to start services in service.te
      and an attribute for all services controlled by the service
      manager. Add the service_contexts file which maps service
      name to target label.
      
      Bug: 12909011
      Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
      f90c41f6
  13. Mar 21, 2014
    • Stephen Smalley's avatar
      Allow binder services to use pipes passed over binder. · 644279ba
      Stephen Smalley authored
      
      Resolves denials such as:
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:surfaceflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      avc:  denied  { use } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:keystore:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
      avc:  denied  { use } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:healthd:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:drmserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      avc:  denied  { use } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fd
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:inputflinger:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      avc:  denied  { write } for  pid=18959 comm="dumpsys" path="pipe:[42013]" dev="pipefs" ino=42013 scontext=u:r:mediaserver:s0 tcontext=u:r:untrusted_app:s0 tclass=fifo_file
      
      Change-Id: I289dcf4b2c5897b7a10e41e5dd8d56ef4b9a4a08
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      644279ba
  14. Jan 21, 2014
    • Nick Kralevich's avatar
      Address bug report denials. · 2e7a301f
      Nick Kralevich authored
      Triggering a bug report via
      Settings > Developer Options > Take bug report
      generates a number of denials.
      
      Two bugs here:
      
      1) According to the "allowed" list in
      frameworks/native/cmds/servicemanager/service_manager.c ,
      media apps, nfc, radio, and apps with system/root UIDs can register
      as a binder service. However, they were not placed into the
      binder_service domain. Fix them.
      
      2) The bugreport mechanism queries all the services and java
      programs and asks them to write to a shell owned file. Grant the
      corresponding SELinux capability.
      
      Addresses the following denials:
      
      <5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      <5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
      
      Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
      2e7a301f
  15. Dec 20, 2013
    • Nick Kralevich's avatar
      Allow dumpsys · 51538900
      Nick Kralevich authored
      Allow adb shell to run dumpsys.
      
      Addresses the following denials:
      
      23.720402   type=1400 audit(1387473582.512:12): avc:  denied  { read write } for  pid=1469 comm="dumpsys" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:system_server:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
      23.862719   type=1400 audit(1387473582.652:13): avc:  denied  { getattr } for  pid=696 comm="Binder_3" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:system_server:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
      
      Change-Id: I6c56f9267d769d579514dca3cfde8d5a99170456
      51538900
  16. Dec 16, 2013
    • Nick Kralevich's avatar
      initial dumpstate domain · 09e6abd9
      Nick Kralevich authored
      Add the necessary rules to support dumpstate.
      Start off initially in permissive until it has more testing.
      
      Dumpstate is triggered by running "adb bugreport"
      
      Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
      09e6abd9
Loading