Gitiles
Code Review Sign In
gerrit-public.fairphone.software / device / google / cuttlefish / 285c0707929600c727a6536aa2f3192f40278042
commit285c0707929600c727a6536aa2f3192f40278042[log] [tgz]
authorAlex Klyubin <klyubin@google.com>Thu Aug 24 18:24:50 2017 -0700
committerAlex Klyubin <klyubin@google.com>Fri Aug 25 10:55:16 2017 -0700
treeafea9164925fa367f2100f69740e673a720c3bb8
parent6f410e33cd0ea1648813d7ed883417b1e182743c [diff]
Address sepolicy denials of GceService

This commit moves GceService app out of system_app domain into its own
new gceservice domain. This is so that the privileged accessed granted
to the GceService app is not granted to other platform / system UID
apps.

denied { write } for comm=".gce.gceservice" name="kmsg" dev="tmpfs" scontext=u:r:system_app:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file
denied { open } for comm=".gce.gceservice" path="/dev/kmsg" dev="tmpfs" scontext=u:r:system_app:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file
denied { getattr } for comm=".gce.gceservice" path="/dev/kmsg" dev="tmpfs" scontext=u:r:system_app:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file
denied { connectto } for comm="pool-1-thread-8" path=006763655F6D65746164617461 scontext=u:r:system_app:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket
denied { getattr } for comm="pool-1-thread-4" path="/ts_snap.txt" dev="rootfs" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { read } for comm="pool-1-thread-4" name="ts_snap.txt" dev="rootfs" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { open } for comm="pool-1-thread-4" path="/ts_snap.txt" dev="rootfs" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { read } for comm="pool-1-thread-4" name="tombstones" dev="vdc" scontext=u:r:system_app:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
denied { open } for comm="pool-1-thread-4" path="/data/tombstones" dev="vdc" scontext=u:r:system_app:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
denied { getattr } for comm="pool-1-thread-4" path="/data/tombstones/tombstone_00" dev="vdc" scontext=u:r:system_app:s0 tcontext=u:object_r:tombstone_data_file:s0
denied  { add } for service=gce scontext=u:r:system_app:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

Test: Device boots, VPN works, no denials to do with GceService
Test: adb shell dumpsys gce
      outputs sane JSON
Bug: 28053261

Change-Id: I292e94bebaaf6bbda8db41e0236a443bbe0e60cb
7 files changed
tree: afea9164925fa367f2100f69740e673a720c3bb8
  1. shared/
  2. vsoc_x86/
  3. vsoc_x86_64/
  4. Android.mk
  5. AndroidProducts.mk
  6. vendorsetup.sh