Commit Graph

9 Commits

Author SHA1 Message Date
codeworkx
01490eface sepolicy: fix denial for sudaemon
fixes root access for apps

Change-Id: Iff443bf4cbea817917da72bbfc58f9fe42acceb5
2015-11-22 09:57:08 -08:00
myfluxi
8501771607 sepolicy: Make superuser_device and sudaemon mlstrustedobjects
Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0

avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0

And thus fix su.

Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27
2015-11-05 23:53:50 +01:00
Dan Pasanen
9ca9d95a76 sepolicy: remove sudaemon type declaration
* this is already defined in external/sepolicy

Change-Id: I541b5de5bb6057f4fa3d88b6e9b9425b65f9963e
2015-10-17 09:22:14 -05:00
Ricardo Cerqueira
a7dfa18fd5 sepolicy: Add policies for the new superuser sockets.
Change-Id: Ia3e1044616bee95eb4774254fb098487d983b5db
2015-01-04 01:16:25 +00:00
Ricardo Cerqueira
4df29e013d selinux: Workaround for devices with PR_SET_NO_NEW_PRIVS enforcement
PR_SET_NO_NEW_PRIVS blocks domain transitions from within app_process,
unless the new domain is bounded by the app's context. So we can't
switch to a domain that has perms not available to untrusted_app :(

This means any app can talk to the daemon, bypassing the su executable
client. That's not a good thing, and needs to be resolved.

Change-Id: I85b74f90b8737caaa193a0555b5262e7392519b2
2014-12-10 20:38:34 +00:00
Ricardo Cerqueira
7cd698341f Revert "SELinux: su: update policies"
This reverts commit 04fd9192b0.

Change-Id: I69e51fb6c151a48972cf81947c1c59c6f26f60e9
2014-12-10 17:19:14 +00:00
Pawit Pornkitprasan
04fd9192b0 SELinux: su: update policies
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket)
- Allow platform_app to use su (fixes CM File Manager)

Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
2014-12-08 05:43:14 +00:00
Chirayu Desai
9e0dba30b7 SELinux: su: Remove extra quote in a comment
* Fixes
  vendor/cm/sepolicy/su.te:46:WARNING 'unrecognized character' at token '''

Change-Id: I3957ba7ac05062766cbf6c8f3c3975f20c95532e
2014-11-30 03:05:41 +00:00
Ricardo Cerqueira
09159ac7ce Add selinux policies for superuser
Change-Id: I878eaa9d25feaedf46e89083f91d6a21f4aff37a
2014-11-27 01:45:53 +00:00