20 Nov, 2015
40 commits
-
Commit "SELinux: Enable setting security contexts on rootfs inodes."
cherry-picked in experimental/android-4.1 used a now obsolete flag
SE_SBLABELSUPP. Rename it to SBLABEL_MNT as intended by upstream
commit 12f348b9dcf6 "SELinux: rename SE_SBLABELSUPP to SBLABEL_MNT",
otherwise we run into following build error:CC security/selinux/hooks.o
security/selinux/hooks.c: In function ‘sb_finish_set_opts’:
security/selinux/hooks.c:459:19: error: ‘SE_SBLABELSUPP’ undeclared (first use in this function)
sbsec->flags |= SE_SBLABELSUPP;
^
security/selinux/hooks.c:459:19: note: each undeclared identifier is reported only once for each function it appears in
make[2]: *** [security/selinux/hooks.o] Error 1Signed-off-by: Amit Pundir
-
NOT intended for new Android devices - this commit is unnecessary
for a target device that does not have a previous M variant.DO NOT upstream. Android only.
Motivation:
This commit mitigates a mismatch between selinux kernel and
selinux userspace. The selinux ioctl white-listing binary policy
format that was accepted into Android M differs slightly from what
was later accepted into the upstream kernel. This leaves Android
master branch kernels incompatible with Android M releases. This
patch restores backwards compatibility. This is important because:1. kernels may be updated on a different cycle than the rest of the
OS e.g. security patching.
2. Android M bringup may still be ongoing for some devices. The
same kernel should work for both M and master.Backwards compatibility is achieved by checking for an Android M
policy characteristic during initial policy read and converting to
upstream policy format. The inverse conversion is done for policy
write as required for CTS testing.Bug: 22846070
Change-Id: I2f1ee2eee402f37cf3c9df9f9e03c1b9ddec1929
Signed-off-by: Jeff Vander Stoep -
(cherry picked from commit fa1aa143ac4a682c7f5fd52a3cf05f5a6fe44a0a)
Add extended permissions logic to selinux. Extended permissions
provides additional permissions in 256 bit increments. Extend the
generic ioctl permission check to use the extended permissions for
per-command filtering. Source/target/class sets including the ioctl
permission may additionally include a set of commands. Example:allowxperm : ioctl unpriv_app_socket_cmds
auditallowxperm : ioctl priv_gpu_cmdsWhere unpriv_app_socket_cmds and priv_gpu_cmds are macros
representing commonly granted sets of ioctl commands.When ioctl commands are omitted only the permissions are checked.
This feature is intended to provide finer granularity for the ioctl
permission that may be too imprecise. For example, the same driver
may use ioctls to provide important and benign functionality such as
driver version or socket type as well as dangerous capabilities such
as debugging features, read/write/execute to physical memory or
access to sensitive data. Per-command filtering provides a mechanism
to reduce the attack surface of the kernel, and limit applications
to the subset of commands required.The format of the policy binary has been modified to include ioctl
commands, and the policy version number has been incremented to
POLICYDB_VERSION_XPERMS_IOCTL=30 to account for the format
change.The extended permissions logic is deliberately generic to allow
components to be reused e.g. netlink filtersSigned-off-by: Jeff Vander Stoep
Acked-by: Nick Kralevich
Signed-off-by: Paul Moore
Bug: 22846070
Change-Id: I7c6bdc0362657b47aa1388936c5a1300bc5c0b42
[jstultz: Added missing security.h include, needed to build]
Signed-off-by: John Stultz -
(cherry pick from commit 671a2781ff01abf4fdc8904881fc3abd3a8279af)
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.Signed-off-by: Jeff Vander Stoep
Acked-by: Nick Kralevich
[PM: subject line tweak]
Signed-off-by: Paul Moore
Bug: 22846070
Change-Id: I88a6ecdd59297a315a6fb9c82c0a798bdb6bafaa -
Use the ATTR_FILE attribute to distinguish between truncate()
and ftruncate() system calls. The two other cases where
do_truncate is called with a filp (and therefore ATTR_FILE is set)
are for coredump files and for open(O_TRUNC). In both of those cases
the open permission has already been checked during file open and
therefore does not need to be repeated.Commit 95dbf739313f ("SELinux: check OPEN on truncate calls")
fixed a major issue where domains were allowed to truncate files
without the open permission. However, it introduced a new bug where
a domain with the write permission can no longer ftruncate files
without the open permission, even when they receive an already open
file.(cherry picked from commit b21800f304392ee5d20f411c37470183cc779f11)
Bug: 22567870
Change-Id: I2525a0e244c8d635b2d0c1f966071edbb365a43aSigned-off-by: Jeff Vander Stoep
Acked-by: Stephen Smalley
Signed-off-by: Paul Moore -
Support per-file labeling of sysfs and pstore files based on
genfscon policy entries. This is safe because the sysfs
and pstore directory tree cannot be manipulated by userspace,
except to unlink pstore entries.
This provides an alternative method of assigning per-file labeling
to sysfs or pstore files without needing to set the labels from
userspace on each boot. The advantages of this approach are that
the labels are assigned as soon as the dentry is first instantiated
and userspace does not need to walk the sysfs or pstore tree and
set the labels on each boot. The limitations of this approach are
that the labels can only be assigned based on pathname prefix matching.
You can initially assign labels using this mechanism and then change
them at runtime via setxattr if allowed to do so by policy.Change-Id: If5999785fdc1d24d869b23ae35cd302311e94562
Signed-off-by: Stephen Smalley
Suggested-by: Dominick Grift -
upstream commit 6f29997f4a3117169eeabd41dbea4c1bd94a739c
Add support for per-file labeling of debugfs files so that
we can distinguish them in policy. This is particularly
important in Android where certain debugfs files have to be writable
by apps and therefore the debugfs directory tree can be read and
searched by all.Since debugfs is entirely kernel-generated, the directory tree is
immutable by userspace, and the inodes are pinned in memory, we can
simply use the same approach as with proc and label the inodes from
policy based on pathname from the root of the debugfs filesystem.
Generalize the existing labeling support used for proc and reuse it
for debugfs too.Change-Id: I6460fbed6bb6bd36eb8554ac8c4fdd574edf3b07
Signed-off-by: Stephen Smalley -
rootfs (ramfs) can support setting of security contexts
by userspace due to the vfs fallback behavior of calling
the security module to set the in-core inode state
for security.* attributes when the filesystem does not
provide an xattr handler. No xattr handler required
as the inodes are pinned in memory and have no backing
store.This is useful in allowing early userspace to label individual
files within a rootfs while still providing a policy-defined
default via genfs.Signed-off-by: Stephen Smalley
Signed-off-by: Paul Moore
Signed-off-by: Eric Paris -
Commit b641072 ("security: Add AID_NET_RAW and AID_NET_ADMIN capability
check in cap_capable().") introduces additional checks for AID_NET_xxx
macros. Since the header file including those macros are conditionally
included, the checks should also be conditionally executed.Change-Id: Iaec5208d5b95a46b1ac3f2db8449c661e803fa5b
Signed-off-by: Tushar Behera
Signed-off-by: Andrey Konovalov -
Checking if the uid_entry->uid matches the uid intended to be removed will
prevent deleting unwanted uid_entry.
Type cast the key for the hashtable to the same size, as when they were
inserted. This will make sure that we can find the uid_entry we want.Bug: 25195548
Change-Id: I567942123cfb20e4b61ad624da19ec4cc84642c1
Signed-off: Ruchi kandoi -
Bug: 22833116
Change-Id: I775a18f61bd2f4df2bec23d01bd49421d0969f87
Signed-off-by: Ruchi Kandoi -
Converting cputime_t to usec caused overflow when the value is greater
than 1 hour. Use msec and convert to unsigned long long to support bigger
range.Bug: 22461683
Change-Id: I853fe3e8e7dbf0d3e2cc5c6f9688a5a6e1f1fb3e
Signed-off-by: Jin Qian -
task exit.
This avoids the race where a particular process is terminating and we
read the show_uid_stats. At this time since the task_struct still exists
and we will account for the terminating process as one of the active
task, where as the stats would have been added in the task exit
callback.Bug: 22064385
Change-Id: Id2ae04b33fcd230eda9683a41b6019d4dd8f5d85
Signed-off-by: Jin Qian
Signed-off-by: Ruchi Kandoi -
/proc/uid_cputime/show_uid_stats shows a third field power for each of
the uids. It represents the power in the units (uAusec)Change-Id: I52fdc5e59647e9dc97561a26d56f462a2689ba9c
Signed-off-by: Ruchi Kandoi -
Change-Id: Ice9084e39da599261df0be6dc305b817b50cfbbf
Signed-off-by: Jin Qian -
Create uids from kuids using from_kuid_munged(),
otherwise we run into following build error and warnings:
--------------------
CC drivers/misc/uid_cputime.o
drivers/misc/uid_cputime.c: In function ‘uid_stat_show’:
drivers/misc/uid_cputime.c:90:36: error: incompatible type for argument 1 of ‘find_or_register_uid’
drivers/misc/uid_cputime.c:54:26: note: expected ‘uid_t’ but argument is of type ‘kuid_t’
drivers/misc/uid_cputime.c:94:4: warning: format ‘%d’ expects argument of type ‘int’, but argument 3 has type ‘kuid_t’ [-Wformat]
drivers/misc/uid_cputime.c: In function ‘process_notifier’:
drivers/misc/uid_cputime.c:194:6: error: incompatible types when assigning to type ‘uid_t’ from type ‘kuid_t’
make[2]: *** [drivers/misc/uid_cputime.o] Error 1
--------------------Change-Id: Ifecb98001f7fe2fac74d1ef3e1abd03d43fc9059
Signed-off-by: Amit Pundir
(cherry picked from commit b0f4decae627cf2d74e6f72c7ecb939c77d48625) -
Adds proc files /proc/uid_cputime/show_uid_stat and
/proc/uid_cputime/remove_uid_range.show_uid_stat lists the total utime and stime for the active as well as
terminated processes for each of the uids.Writing a range of uids to remove_uid_range will delete the accounting
for all the uids within that range.Change-Id: I21d9210379da730b33ddc1a0ea663c8c9d2ac15b
-
Fix the build by removing the duplicate line that uses the obsolete INF
macro.Signed-off-by: Dan Willemsen
-
Make oom_adj and oom_score_adj user read-only.
Bug: 19636629
Change-Id: I055bb172d5b4d3d856e25918f3c5de8edf31e4a3
Signed-off-by: Rom Lemarchand -
Signed-off-by: San Mehat
-
PR_SET_TIMERSLACK_PID value keep colliding with that of
newer prctls in mainline (e.g. first with PR_SET_THP_DISABLE,
and again with PR_MPX_ENABLE_MANAGEMENT).So reset PR_SET_TIMERSLACK_PID to a large number so as to
avoid conflict in the near term while it is out of mainline
tree.Corresponding Change-Id up for review in platform/system/core
is Icd8c658c8eb62136dc26c2c4c94f7782e9827cdbChange-Id: I061b25473acc020c13ee22ecfb32336bc358e76a
Signed-off-by: Amit Pundir -
Make PR_SET_TIMERSLACK_PID consider pid namespace and resolve the
target pid in the caller's namespace. Otherwise, calls from pid
namespace other than init would fail or affect the wrong task.Change-Id: I1da15196abc4096536713ce03714e99d2e63820a
Signed-off-by: Micha Kalfon
Acked-by: Oren Laadan -
The case clause for the PR_SET_TIMERSLACK_PID option was placed inside
the an internal switch statement for PR_MCE_KILL (see commits 37a591d4
and 8ae872f1) . This commit moves it to the right place.Change-Id: I63251669d7e2f2aa843d1b0900e7df61518c3dea
Signed-off-by: Micha Kalfon
Acked-by: Oren Laadan -
Adds a capable() check to make sure that arbitary apps do not change the
timer slack for other apps.Bug: 15000427
Change-Id: I558a2551a0e3579c7f7e7aae54b28aa9d982b209
Signed-off-by: Ruchi Kandoi -
Second argument is similar to PR_SET_TIMERSLACK, if non-zero then the
slack is set to that value otherwise sets it to the default for the thread.Takes PID of the thread as the third argument.
This allows power/performance management software to set timer slack for
other threads according to its policy for the thread (such as when the
thread is designated foreground vs. background activity)Change-Id: I744d451ff4e60dae69f38f53948ff36c51c14a3f
Signed-off-by: Ruchi Kandoi -
Change-Id: I05013f6e76c30b0ece3671f9f2b4bbdc626cd35c
Signed-off-by: Dmitry Shmidt -
Signed-off-by: Daniel Rosenberg
-
In 53b5e2f generic cgroup subsystem permission checks have been added.
When this is been done within procs_write an empty taskset is added to
the tasks css set. When a task later on migrates to a new group we see a
dmesg warning cause the mg_node isn't empty (cgroup.c:2086). Cause this
happens all the time this spams dmesg.I am not really familiar with this code, but it looks to me like adding
the taskset is just a temporary action in this context. Therefore this
taskset should be removed after the actual check. This is what this fix
does.This problem was seen and the fix tested on x86 using l-mr1 and master.
Change-Id: I9894d39e8b5692ef65149002b07e65a84a33ffea
Signed-off-by: Christian Poetzsch -
- Return -EINVAL when cgroups support isn't enabled
- Add allow_attach callback in CPU cgroupsChange-Id: Id3360b4a39919524fc4b6fcbd44fa2050009f000
Signed-off-by: Rom Lemarchand -
Pass correct argument to subsys_cgroup_allow_attach(), which
expects 'struct cgroup_subsys_state *' argument but we pass
'struct cgroup *' instead which doesn't seem right.This fixes following 'incompatible pointer type' compiler warning:
----------
CC mm/memcontrol.o
mm/memcontrol.c: In function ‘mem_cgroup_allow_attach’:
mm/memcontrol.c:5052:2: warning: passing argument 1 of ‘subsys_cgroup_allow_attach’ from incompatible pointer type [enabled by default]
In file included from include/linux/memcontrol.h:22:0,
from mm/memcontrol.c:29:
include/linux/cgroup.h:953:5: note: expected ‘struct cgroup_subsys_state *’ but argument is of type ‘struct cgroup *’
----------Signed-off-by: Amit Pundir
-
Rather than using explicit euid == 0 checks when trying to move
tasks into a cgroup via CFS, move permission checks into each
specific cgroup subsystem. If a subsystem does not specify a
'allow_attach' handler, then we fall back to doing our checks
the old way.Use the 'allow_attach' handler for the 'cpu' cgroup to allow
non-root processes to add arbitrary processes to a 'cpu' cgroup
if it has the CAP_SYS_NICE capability set.This version of the patch adds a 'allow_attach' handler instead
of reusing the 'can_attach' handler. If the 'can_attach' handler
is reused, a new cgroup that implements 'can_attach' but not
the permission checks could end up with no permission checks
at all.Change-Id: Icfa950aa9321d1ceba362061d32dc7dfa2c64f0c
Original-Author: San Mehat
Signed-off-by: Colin Cross -
Use the 'allow_attach' handler for the 'mem' cgroup to allow
non-root processes to add arbitrary processes to a 'mem' cgroup
if it has the CAP_SYS_NICE capability set.Bug: 18260435
Change-Id: If7d37bf90c1544024c4db53351adba6a64966250
Signed-off-by: Rom Lemarchand -
move cpu_cgroup_allow_attach to a common subsys_cgroup_allow_attach.
This allows any process with CAP_SYS_NICE to move tasks across cgroups if
they use this function as their allow_attach handler.Bug: 18260435
Change-Id: I6bb4933d07e889d0dc39e33b4e71320c34a2c90f
Signed-off-by: Rom Lemarchand -
Bug: 22368519
Signed-off-by: Ruchi Kandoi -
If a wakeup source is found to be pending in the last stage of suspend
after syscore suspend then the device doesn't suspend but the error is
not propogated which causes an error in the accounting for the number
of suspend aborts and successful suspends.Change-Id: Ib63b4ead755127eaf03e3b303aab3c782ad02ed1
Signed-off-by: Ruchi Kandoi -
Suspend time reporting Change-Id: I2cb9a9408a5fd12166aaec11b935a0fd6a408c63
(Power: Report suspend times from last_suspend_time), is broken on 3.16+
kernels because get_xtime_and_monotonic_and_sleep_offset() hrtimer helper
routine is removed from kernel timekeeping.The replacement helper routines ktime_get_update_offsets_{tick,now}()
are private to core kernel timekeeping so we can't use them, hence using
ktime_get() and ktime_get_boottime() instead and sampling the time twice.Idea is to use Monotonic boottime offset to calculate total time spent
in last suspend state and CLOCK_MONOTONIC to calculate time spent in
last suspend-resume process.Signed-off-by: Amit Pundir
-
There is a possibility that a wakeup source event is received after
the device prepares to suspend which might cause the suspend to abort.This patch adds the functionality of reporting the last active wakeup
source which is currently not active but caused the suspend to abort reason
via the /sys/kernel/power/last_wakeup_reason file.Change-Id: I1760d462f497b33e425f5565cb6cff5973932ec3
Signed-off-by: Ruchi Kandoi -
This node epxorts two values separated by space.
From left to right:
1. time spent in suspend/resume process
2. time spent sleep in suspend stateChange-Id: I2cb9a9408a5fd12166aaec11b935a0fd6a408c63
-
Remove the HAS_WAKELOCK config as it doesn't seem to have been used in
the 3.10 or 3.14 kernels.Add some Documentation to CONFIG_WAKELOCK so that it is selectable and
can be disabled is desired.Signed-off-by: Dylan Reid
-
This unbreaks the build on architectures such as um that do not
support CONFIG_PM_SLEEP.Change-Id: Ia846ed0a7fca1d762ececad20748d23610e8544f
Signed-off-by: Lorenzo Colitti