label folder in rootfs

2014-11-27 Thread Inamdar Sharif
Hi, Here is my problem: I want to create a new folder inside rootfs and add some files to it. Now I want to label this folder something else. Also the folder is read-only. For example, suppose my folder is "test" and I want to label it as "test_file". Also I would like to label the files explicit

RE: label folder in rootfs

2014-11-27 Thread Inamdar Sharif
27, 2014 8:32 PM To: Inamdar Sharif Cc: seandroid-list@tycho.nsa.gov Subject: Re: label folder in rootfs Define file_contexts entries for /test and /test/xyz and then call restorecon /test and restorecon /test/xyz (or just restorecon_recursive /test) from your init..rc file. Please refrain from

RE: label folder in rootfs

2014-11-27 Thread Inamdar Sharif
Thanks. Will give that a try. From: William Roberts [mailto:bill.c.robe...@gmail.com] Sent: Thursday, November 27, 2014 8:46 PM To: Inamdar Sharif Cc: seandroid-list@tycho.nsa.gov; Stephen Smalley Subject: RE: label folder in rootfs You need to remount it writeable too. Adb shell mount -orw

RE: label folder in rootfs

2014-11-27 Thread Inamdar Sharif
Behalf Of Inamdar Sharif Sent: Friday, November 28, 2014 11:00 AM To: William Roberts Cc: seandroid-list@tycho.nsa.gov Subject: RE: label folder in rootfs Thanks. Will give that a try. From: William Roberts [mailto:bill.c.robe...@gmail.com] Sent: Thursday, November 27, 2014 8:46 PM To: Inamdar Sharif

RE: label folder in rootfs

2014-11-30 Thread Inamdar Sharif
dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; Thanks. -Original Message- From: Stephen Smalley [mailto:stephen.smal...@gmail.com] Sent: Friday, November 28, 2014 10:01 PM To: Inamdar Sharif Cc: William Roberts; seandroid-list@tycho.nsa.gov

RE: label folder in rootfs

2014-12-01 Thread Inamdar Sharif
Dec 1, 2014 at 12:14 AM, Inamdar Sharif wrote: > Hi, >>>Most likely you did not define your new file types with the file_type >>>attribute and thus they are not allowed to be associated to the >>>rootfs, or your policy lacks the change permitting file_type >>&

RE: label folder in rootfs

2014-12-01 Thread Inamdar Sharif
] Sent: Tuesday, December 02, 2014 1:07 PM To: Inamdar Sharif Cc: Stephen Smalley; seandroid-list@tycho.nsa.gov Subject: Re: label folder in rootfs With a few exceptions, init spawned services can only execute code from /system. On a userdebug / testing device, you can use "adb push" or

RE: label folder in rootfs

2014-12-02 Thread Inamdar Sharif
. --Sharif -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Tuesday, December 02, 2014 9:17 PM To: Inamdar Sharif; Nick Kralevich Cc: seandroid-list@tycho.nsa.gov Subject: Re: label folder in rootfs On 12/02/2014 02:49 AM, Inamdar Sharif wrote: > This means t

Per command listing of ioctl's

2015-04-30 Thread Inamdar Sharif
Hi Guys, I just came across the change https://android.googlesource.com/kernel/common/+/ba733f9857b966459316d0cd33b8da2e22f62d7d These are some of the questions: 1) What level of security can this provide?? Can anyone explain it to me with an example? 2) Also do we have any policy changes which would b

system server accessing dex2oat

2015-05-03 Thread Inamdar Sharif
Hi Guys, I am facing the following avc denied avc: denied { execute } for pid=667 comm="android.ui" name="dex2oat" dev="sda22" ino=158 scontext=u:r:system_server:s0 tcontext=u:object_r:dex2oat_exec:s0 tclass=file But on AOSP this is a neverallow rule. https://android.googlesource.com/platform/ex

RE: system server accessing dex2oat

2015-05-04 Thread Inamdar Sharif
-Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Monday, May 04, 2015 6:15 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: system server accessing dex2oat On 05/04/2015 01:57 AM, Inamdar Sharif wrote: > Hi Guys, > > I am facing the

RE: system server accessing dex2oat

2015-05-05 Thread Inamdar Sharif
Sent: Tuesday, May 05, 2015 5:48 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: system server accessing dex2oat On 05/04/2015 11:29 PM, Inamdar Sharif wrote: > > > -Original Message- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: Monday, May

Policy version 30 support

2015-06-15 Thread Inamdar Sharif
Hi, I have some questions for sepolicy version 30: 1)Which kernel version is supported with sepolicy version 30?? 2)What are the changes required for using policy version 30?? I have changed POLICYVERS?=30 Also my POLICYDB_VERSION_MAX is POLICYDB_VERSION_IOCTL_OPERATIONS But I am getting a f

RE: Policy version 30 support

2015-06-16 Thread Inamdar Sharif
, June 15, 2015 9:13 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: Policy version 30 support On 06/15/2015 05:25 AM, Inamdar Sharif wrote: > Hi, > > > > I have some questions for sepolicy version 30: > > > > 1)Which kernel version is supporte

contextmount_type issue for init

2015-07-24 Thread Inamdar Sharif
Hi, Here it is what I am trying to do: 1) Mount a partition as read only with contextmount_type label 2) Remount this folder as Read write 3) Write some files in this folder 4) Again Remount this partition as read only I am doing this from init I am able to do 1 and 2 bu

RE: contextmount_type issue for init

2015-07-24 Thread Inamdar Sharif
n Smalley [mailto:s...@tycho.nsa.gov] Sent: Friday, July 24, 2015 6:52 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: contextmount_type issue for init On 07/24/2015 06:42 AM, Inamdar Sharif wrote: > Hi, > > > > Here it is what I am trying to do: > > 1)

RE: contextmount_type issue for init

2015-07-24 Thread Inamdar Sharif
On 07/24/2015 09:31 AM, Inamdar Sharif wrote: >>> 1) Mount a partition as read only with contextmount_type label >> >>> Which partition? Which type? Is this mount specifying a context= mount >>> option? If not, why is the type in contextmount_type

RE: contextmount_type issue for init

2015-07-24 Thread Inamdar Sharif
Thanks Stephen. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Friday, July 24, 2015 10:17 PM To: Inamdar Sharif Cc: seandroid-list@tycho.nsa.gov Subject: Re: contextmount_type issue for init On 07/24/2015 12:44 PM, Stephen Smalley wrote: > On 07/24/2015

RE: kernel module request personality-8

2015-09-10 Thread Inamdar Sharif
Thanks. This really helps a lot. I can see a lot many domains ask for module_request permissions. From: Seandroid-list [mailto:seandroid-list-boun...@tycho.nsa.gov] On Behalf Of Roberts, William C Sent: Thursday, September 10, 2015 10:35 PM To: seandroid-list@tycho.nsa.gov Subject: kernel module

RE: kernel module request personality-8

2015-09-13 Thread Inamdar Sharif
8 which I get. I am using kernel-3.10. But with http://marc.info/?l=linux-arch&m=142912798314177&w=2 it seems that they have removed the support of exec domains. Thanks. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Friday, September 11, 2015 6:06 PM

capability2 audit_read permission not defined in policy

2015-09-18 Thread Inamdar Sharif
Hi Guys, I saw that capability2 (audit_read) permission is added in Google's kernel 3.18 https://android.googlesource.com/kernel/common/+/3a101b8de0d39403b2c7e5c23fd0b005668acf48%5E%21/security/selinux/include/classmap.h So do we have any plans of adding audit_read capability to external/sepolic

Restrict access to a particular system app

2015-09-22 Thread Inamdar Sharif
Hi Guys, How do I restrict the access of a particular dev/ node to only a particular system app, so that other system apps are not able to access it?? For example, if I have node dev/abc and system apps A, B, C, I want only system app A to be able to access dev/abc. System apps B and C shou

RE: Restrict access to a particular system app

2015-09-22 Thread Inamdar Sharif
So adding the below line should work +user=system seinfo=platform domain=abc_app type=app_data_file levelFrom=user I have defined abc_app domain. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Tuesday, September 22, 2015 7:14 PM To: Inamdar Sharif; seandroid

avc denied due to mls constraints

2015-11-19 Thread Inamdar Sharif
Hi Stephen/William, I am getting the below avc denied: type=1400 audit(0.0:7): avc: denied { search } for name="com.android.providers.downloads" dev="mmcblk0p23" ino=81932 scontext=u:r:system_app:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0 System.err: java.io.File

RE: avc denied due to mls constraints

2015-11-20 Thread Inamdar Sharif
Any inputs guys . Please help if have some idea. From: Inamdar Sharif Sent: Thursday, November 19, 2015 3:09 PM To: seandroid-list@tycho.nsa.gov Subject: avc denied due to mls constraints Hi Stephen/William, I am getting the below avc denied: type=1400 audit(0.0:7): avc: denied { search } for

MLS constraints blocking untrusted app to access app_data_file

2015-12-01 Thread Inamdar Sharif
Hi, I am getting the below avc denied for almost every untrusted app type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" ino=# scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0 Usecase: Apps on SDCard try to access their fil

RE: MLS constraints blocking untrusted app to access app_data_file

2015-12-02 Thread Inamdar Sharif
:51 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: MLS constraints blocking untrusted app to access app_data_file On 12/02/2015 12:37 AM, Inamdar Sharif wrote: > Hi, > > I am getting the below avc denied for almost every untrusted app > > type=1400 audit(0.0:

RE: MLS constraints blocking untrusted app to access app_data_file

2015-12-02 Thread Inamdar Sharif
: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Wednesday, December 02, 2015 8:42 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Cc: Nick Kralevich Subject: Re: MLS constraints blocking untrusted app to access app_data_file On 12/02/2015 09:35 AM, Inamdar Sharif wrote: > Steps are: &g

RE: MLS constraints blocking untrusted app to access app_data_file

2015-12-02 Thread Inamdar Sharif
Sharif [isha...@nvidia.com]; seandroid-list@tycho.nsa.gov [seandroid-list@tycho.nsa.gov] CC: Nick Kralevich [n...@google.com] Subject: Re: MLS constraints blocking untrusted app to access app_data_file On 12/02/2015 11:01 AM, Inamdar Sharif wrote: > Yes the app is trying to access it own app d

RE: MLS constraints blocking untrusted app to access app_data_file

2015-12-02 Thread Inamdar Sharif
It's data/data/ -Original Message- From: Stephen Smalley [s...@tycho.nsa.gov] Received: Wednesday, 02 Dec 2015, 11:42PM To: Inamdar Sharif [isha...@nvidia.com]; seandroid-list@tycho.nsa.gov [seandroid

RE: MLS constraints blocking untrusted app to access app_data_file

2015-12-02 Thread Inamdar Sharif
Here is the logcat failure: Unable to create files subdir /data/user/0//cache Thanks. -Original Message- From: Stephen Smalley [s...@tycho.nsa.gov] Received: Wednesday, 02 Dec 2015, 11:52PM To: Inamdar Sharif [isha

RE: MLS constraints blocking untrusted app to access app_data_file

2015-12-07 Thread Inamdar Sharif
ntext. Which leads to the crashing of the apps on the sdcard. The problem is resolved now. Thanks. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Thursday, December 03, 2015 1:07 AM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Cc: n...@google.com Subjec

Trojans/Malwares as system apps

2015-12-10 Thread Inamdar Sharif
Hi Guys, This is an off-beat question... Do we have any provisions in Android by which we can stop Trojans/Malware from attacking our device?? Trojans/Malware are far more dangerous than viruses. So can we not prevent these from getting into the system using some security feature?? Can SELinux help

RE: Trojans/Malwares as system apps

2015-12-10 Thread Inamdar Sharif
s In this particular case can you just disable the app via the Settings app. That should prevent the app and any associated services from running. On 12/10/2015 09:40 AM, Inamdar Sharif wrote: > Hi Guys, > > This is an off-beat question... > > Do we have any provisions in Android by whi

RE: Trojans/Malwares as system apps

2015-12-11 Thread Inamdar Sharif
should try to restrict these from getting in. Thanks. From: Nick Kralevich [mailto:n...@google.com] Sent: Thursday, December 10, 2015 11:24 PM To: Inamdar Sharif Cc: Robert Craig; seandroid-list@tycho.nsa.gov Subject: Re: Trojans/Malwares as system apps Do you know what app did this? To assist

Easy way to disable avc denied prints from getting printed on to the UART

2015-12-17 Thread Inamdar Sharif
Hi Guys, Is there an easy way to stop avc denied messages from getting printed on to the UART?? But those should still be seen in logcat. Thanks.

avc denial while enabling zram

2016-01-18 Thread Inamdar Sharif
Hi Guys, I am facing the below avc denial while enabling zram. avc: denied { getattr } for pid=7545 comm="e2fsck" path="/dev/block/zram0" dev="tmpfs" ino=11973 scontext=u:r:fsck:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0 I have labelled dev/block/zram0 as swap_bl

RE: avc denial while enabling zram

2016-01-18 Thread Inamdar Sharif
c.robe...@gmail.com] Sent: Monday, January 18, 2016 9:54 PM To: Inamdar Sharif Cc: seandroid-list@tycho.nsa.gov Subject: Re: avc denial while enabling zram Is that denial actually manifesting itself as some broken functionality? Also, why is fsck getting invoked on swap, especially one backed by zram?

system_app to access media_rw_data_file

2016-01-18 Thread Inamdar Sharif
Hi Guys, While going through the policies, I came across media_rw_data_file. Looking into the policies it seems that platform_app and untrusted_app have the following permissions: allow platform_app media_rw_data_file:dir create_dir_perms; allow platform_app media_rw_data_file:file create_file_perm

RE: avc denial while enabling zram

2016-01-18 Thread Inamdar Sharif
. -Original Message- From: Roberts, William C [mailto:william.c.robe...@intel.com] Sent: Tuesday, January 19, 2016 12:50 AM To: William Roberts; Inamdar Sharif Cc: seandroid-list@tycho.nsa.gov Subject: RE: avc denial while enabling zram The only thing we have is the label and for some

RE: system_app to access media_rw_data_file

2016-01-19 Thread Inamdar Sharif
I think we can make it generic in the AOSP policy itself. From: William Roberts [mailto:bill.c.robe...@gmail.com] Sent: Monday, January 18, 2016 10:34 PM To: Inamdar Sharif Cc: seandroid-list@tycho.nsa.gov Subject: Re: system_app to access media_rw_data_file On Jan 18, 2016 8:58 AM, "In

RE: avc denial while enabling zram

2016-01-19 Thread Inamdar Sharif
Checked init.rc as well, that’s perfectly alright. This avc I am facing while formatting the sdcard as internal storage. Any more ideas?? Thanks. -Original Message- From: Seandroid-list [mailto:seandroid-list-boun...@tycho.nsa.gov] On Behalf Of Inamdar Sharif Sent: Tuesday, January 19

RE: Patch that removed untrusted_app cache file create/unlink

2016-02-08 Thread Inamdar Sharif
I think something went wrong in the merge. 1. Neverallow added: 2736e7d am 40367ad8: Merge "untrusted_apps: Allow untrusted apps to find healthd_service." into mnc-dr-dev am: 6ab438dc8b

RE: A Quick Start guide for selinux device bringup

2016-04-24 Thread Inamdar Sharif
Awesome Doc. ☺ Some more sections which I would like to have: 1) Tools which can be used during the bringup for various avc denials. (This can be handy for newbies.) 2) One of the common problems I face is about the apps. Suppose one of my apps only wants to access a particular block

removal of vold from using sys_rawio capability

2016-05-06 Thread Inamdar Sharif
Hi , I saw a change in AOSP for the removal of vold from accessing sys_rawio. https://android.googlesource.com/platform/system/sepolicy/+/1df23cbf8ef4cd35cf6ab832120c2d1a86a46ffd I just want to know the reason why we have removed this?? Thanks. --

Make bluetooth access generic for appdomains.

2016-05-22 Thread Inamdar Sharif
Hi Guys, While going through the policies I came across the following two changes : 1) In platform_app.te bluetooth_domain(platform_app) 2) In untrusted_app.te bluetooth_domain(untrusted_app) Since both platform and untrusted apps have this capability, is there any reason why sys

RE: Make bluetooth access generic for appdomains.

2016-05-23 Thread Inamdar Sharif
owing in system app bluetooth_domain(system_app) Else allow { appdomain -isolated_app -su -shell -shared_relro -nfc } bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown }; Thanks. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Tuesday, May

SELinux failing with kernel 4.4 (Kernel panic)

2016-05-25 Thread Inamdar Sharif
Hi Guys, I am getting the following denials and kernel panic while enabling SELinux on k4.4 [4.402909] init: init started! [4.413108] SELinux: Android master kernel running Android M policy in compatibility mode. [4.426907] SELinux: Permission module_load in class system not defi

RE: SELinux failing with kernel 4.4 (Kernel panic)

2016-05-25 Thread Inamdar Sharif
>>The path above decodes to /dev/__kmsg__ (deleted). The fact that it has the >>rootfs type means you didn't have a /dev mounted before it was created? -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Wednesday, May 25, 2016 5:58 PM T

RE: SELinux failing with kernel 4.4 (Kernel panic)

2016-05-25 Thread Inamdar Sharif
From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Wednesday, May 25, 2016 6:43 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: SELinux failing with kernel 4.4 (Kernel panic) On 05/25/2016 08:38 AM, Inamdar Sharif wrote: >>>> [4.584035] audit: typ

RE: SELinux failing with kernel 4.4 (Kernel panic)

2016-05-25 Thread Inamdar Sharif
On 05/25/2016 09:51 AM, Inamdar Sharif wrote: >> >> From: Stephen Smalley [mailto:s...@tycho.nsa.gov] >> Sent: Wednesday, May 25, 2016 6:43 PM >> To: Inamdar Sharif; seandroid-list@tycho.nsa.gov >> Subject: Re: SELinux failing with kernel 4.4 (Kernel panic) >>

RE: SELinux failing with kernel 4.4 (Kernel panic)

2016-05-25 Thread Inamdar Sharif
Thanks Stephen. That explains most of the part. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Wednesday, May 25, 2016 8:11 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: SELinux failing with kernel 4.4 (Kernel panic) On 05/25/2016 10:17 AM

tracefs avc denial on k4.4

2016-05-27 Thread Inamdar Sharif
Hi Guys, I am getting the following avc denial for tracefs on kernel 4.4 avc: denied { search } for pid=285 comm="zygote" name="/" dev="tracefs" ino=1 scontext=u:r:zygote:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 avc: denied { search } for pid=476 comm="dex2oat" name="/" dev="t

RE: tracefs avc denial on k4.4

2016-05-27 Thread Inamdar Sharif
-Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Friday, May 27, 2016 6:58 PM To: Inamdar Sharif; seandroid-list@tycho.nsa.gov Subject: Re: tracefs avc denial on k4.4 On 05/27/2016 06:01 AM, Inamdar Sharif wrote: >> Hi Guys, >> >> >&

RE: tracefs avc denial on k4.4

2016-05-27 Thread Inamdar Sharif
:dir r_dir_perms; allow domain debugfs:file w_file_perms; Anything I am missing here?? Thanks. -Original Message- From: Seandroid-list [mailto:seandroid-list-boun...@tycho.nsa.gov] On Behalf Of Inamdar Sharif Sent: Friday, May 27, 2016 7:29 PM To: Stephen Smalley; seandroid-list@tycho.nsa.gov Subj

RE: Issue with platform_app

2016-05-30 Thread Inamdar Sharif
This is happening due to MLS constraints. For your app to access the socket, either you should declare cp_data_file as mlstrustedobject or the category of both the scontext and tcontext should be the same, i.e. platform_app:s0:c512,c768. Since the category of both scontext and tcontext is different, the al

allow domain to access system_data_file

2016-06-22 Thread Inamdar Sharif
Hi, I saw in AOSP that we have removed the below access: allow domain system_data_file:file { getattr read }; The same rule is present in domain_deprecated: allow domain_deprecated system_data_file:file { getattr read }; We should consider moving this rule back to domain.te as this required

genfs contexts labelling issue for special character

2016-07-01 Thread Inamdar Sharif
Hi Guys, I have a node which is "abc,xyz". I want to label this node in genfs_contexts but I am getting a syntax error. But if I make the below change in external/selinux/checksepolicy/policy_scan.l it works fine. -"/"({alnum}|[_\.\-/])* { return(PATH); } +"/"({alnum}|[_\.\,\-/])*

RE: genfs contexts labelling issue for special character

2016-07-12 Thread Inamdar Sharif
>On 07/01/2016 08:06 AM, Inamdar Sharif wrote: >> Hi Guys, > > >> >> >> I have a node which is “abc,xyz” >> >> I want to label this node in genfs_contexts but getting syntax error >> >> >> >> But if I make the below ch

RE: [PATCH] Extend checkpolicy pathname matching.

2016-07-18 Thread Inamdar Sharif
Thanks Stephen. That works. -Original Message- From: Stephen Smalley [mailto:s...@tycho.nsa.gov] Sent: Thursday, July 14, 2016 9:18 PM To: seli...@tycho.nsa.gov Cc: Inamdar Sharif; seandroid-list@tycho.nsa.gov; Stephen Smalley Subject: [PATCH] Extend checkpolicy pathname matching

unlabeled file access for logd

2016-07-18 Thread Inamdar Sharif
Hi Guys, I am getting the following denial avc: denied { search } for pid=218 comm="logd" name="/" dev="mmcblk0p29" ino=2 scontext=u:r:logd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 Does anyone know about this?? I recall William facing a similar issue. Thanks. --

RE: Regarding enabling selinux on Android

2016-08-01 Thread Inamdar Sharif
This can help you http://seandroid-list.tycho.nsa.narkive.com/rSP3VScv/policy-version-30-support Check POLICYDB_VERSION_MAX is pointing to the right version in kernel. Also check POLICYVERS (external/sepolicy/Android.mk or system/sepolicy/Android.mk) to point to the max value of POLICYDB_VERSIO

RE: unlabeled file access for logd

2016-08-03 Thread Inamdar Sharif
>On 07/18/2016 06:55 AM, Inamdar Sharif wrote: >> Hi Guys, >> >> >> >> I am getting the following denial >> >> avc: denied { search } for pid=218 comm="logd" name="/" dev="mmcblk0p29" >> ino=2

RE: unlabeled file access for logd

2016-08-04 Thread Inamdar Sharif
> > >-Original Message- >From: Roberts, William C [mailto:william.c.robe...@intel.com] >Sent: Wednesday, August 03, 2016 11:02 PM >To: Inamdar Sharif; Stephen Smalley; seandroid-list@tycho.nsa.gov >Subject: RE: unlabeled file access for logd > > > >>

Avc denied for isolated app

2016-09-19 Thread Inamdar Sharif
Hi , I am getting the following avc denied avc: denied { search } for pid=3174name="com.google.android.apps.mediashell" dev="mmcblk0p29" ino=503938 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0 Do we want to add the following ru

kernel access device while enabling CONFIG_DEVTMPFS

2016-10-06 Thread Inamdar Sharif
Hi, I am getting the following denial when I enable CONFIG_DEVTMPFS avc: denied { write } for pid=37 comm="kdevtmpfs" dev="devtmpfs" ino=122 scontext=u:r:kernel:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0 What would be the best solution to solve this?? Thanks.

gms app avc denied for debuggerd

2016-11-04 Thread Inamdar Sharif
Hi, I am getting the following avc denial type=1400 audit(0.0:13): avc: denied { search } for comm="debuggerd" name="com.google.android.gms" dev="mmcblk0p23" ino=284592 scontext=u:r:debuggerd:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir permissive=0 Is this a known issue?? Als

neverallow rule for media domains accessing udp/tcp socket

2017-02-14 Thread Inamdar Sharif
Hi Guys, As part of the commit https://android.googlesource.com/platform/system/sepolicy/+/21f77f630b656b9acc034a04e5bf2303118937b0 I see that we have added the neverallow rule only for some media domains and not all. Mediaserver and mediadrmserver do not have this neverallow. Is it these dom