Google Git
Sign in
android / platform / system / sepolicy / 7a4638096916b729af479710660a3e14bb5358fc
commit7a4638096916b729af479710660a3e14bb5358fc[log] [tgz]
authorNick Kralevich <nnk@google.com>Fri Aug 11 09:48:30 2017 -0700
committerNick Kralevich <nnk@google.com>Fri Aug 11 10:05:22 2017 -0700
tree3da80053947d04c7a5e364bf3278717c282191bf
parent4b547a151618be29cf2f5c0d91787275c048d683 [diff]
Validate no-cross-domain /proc/PID access

Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into it's own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
2 files changed
tree: 3da80053947d04c7a5e364bf3278717c282191bf
  1. private/
  2. public/
  3. reqd_mask/
  4. tools/
  5. vendor/
  6. Android.mk
  7. CleanSpec.mk
  8. MODULE_LICENSE_PUBLIC_DOMAIN
  9. NOTICE
  10. OWNERS
  11. PREUPLOAD.cfg
  12. README