platform_system_sepolicy/public/init.te

677 lines
20 KiB
Text
Raw Normal View History

# init is its own domain.
type init, domain, mlstrustedsubject;
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
#
# init direct restorecon calls.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { getattr write relabelto };
# /dev/kmsg_debug
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
# allow init to mount and unmount debugfs in debug builds
userdebug_or_eng(`
allow init debugfs:dir mounton;
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
# and /dev/urandom
allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
metadata_block_device
misc_block_device
recovery_block_device
system_block_device
userdata_block_device
}:{ blk_file lnk_file } relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.
allow init mnt_sdcard_file:lnk_file create;
# setrlimit
allow init self:global_capability_class_set sys_resource;
# Remove /dev/.booting and load /debug_ramdisk/* files
allow init tmpfs:file { getattr unlink };
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;
# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;
# Access /dev/console.
allow init console_device:chr_file rw_file_perms;
# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
allow init self:global_capability_class_set sys_admin;
# Call setns(2).
allow init self:global_capability_class_set sys_chroot;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init {
rootfs
cache_file
cgroup
linkerconfig_file
storage_file
mnt_user_file
system_data_file
system_data_root_file
system_dlkm_file
system_file
vendor_file
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
# Mount tmpfs on /apex
allow init apex_mnt_dir:dir mounton;
# Bind-mount on /system/apex/com.android.art
allow init art_apex_dir:dir mounton;
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;
# /metadata
allow init metadata_file:dir mounton;
# Run restorecon on /dev
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:global_capability_class_set { dac_override dac_read_search };
# Set system clock.
allow init self:global_capability_class_set sys_time;
allow init self:global_capability_class_set { sys_rawio mknod };
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init {
fs_type
enforce_debugfs_restriction(`-debugfs_type')
}:filesystem ~relabelto;
# Allow init to mount/unmount debugfs in non-user builds.
enforce_debugfs_restriction(`
userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
')
# Allow init to mount tracefs in /sys/kernel/tracing
allow init debugfs_tracing_debug:filesystem mount;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:global_capability_class_set { chown fowner fsetid };
allow init {
file_type
-app_data_file
-exec_type
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
}:dir { create search getattr open read setattr ioctl };
allow init {
file_type
-app_data_file
-exec_type
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
allow init {
file_type
-apex_info_file
-app_data_file
-exec_type
-gsi_data_file
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow init tracefs_type:file { create_file_perms relabelfrom };
allow init {
file_type
-app_data_file
-exec_type
-gsi_data_file
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {
file_type
-apex_mnt_dir
-app_data_file
-exec_type
-gsi_data_file
-iorapd_data_file
-credstore_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow init cache_file:lnk_file r_file_perms;
allow init {
file_type
-system_dlkm_file_type
-system_file_type
-vendor_file_type
-exec_type
-app_data_file
-privapp_data_file
}:dir_file_class_set relabelto;
allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;
# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;
allow init and system_server access to tracing Revise policy, to allow init and system_server to configure, clear, and read kernel trace events. This will enable us to debug certain WiFi failures. Note that system_server is restricted to only accessing a wifi-specific trace instance. (Hence, system_server is not allowed to interfere with atrace.) Moreover, even for the wifi trace instance, system_server is granted limited permissions. (system_server can not, e.g., change which events are traced.) Note also that init and system_server are only granted these powers on userdebug or eng builds. The init.te and system_server.te changes resolve the following denials: // Denials when wifi-events.rc configures tracing { write } for pid=1 comm="init" name="instances" dev="debugfs" ino=755 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { add_name } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { create } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { write } for pid=1 comm="init" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { write } for pid=1 comm="init" name="buffer_size_kb" dev="debugfs" ino=18061 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=file permissive=1 // Denials when system_server sets up fail-safe // (auto-terminate tracing if system_server dies) { search } for pid=882 comm="system_server" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { read } for pid=882 comm="system_server" name="free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 // Denials when system_server toggles tracing on or off // (WifiStateMachine is a thread in system_server) { search } for pid=989 comm="WifiStateMachin" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 // Denials when system_server reads the event trace // (This happens in response to a dumpsys request) { search } for pid=3537 comm="Binder:882_B" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { read } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { write } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 Bug: 27254565 Test: manual Manual test: - Build this CL along with CL:322337 - Verify that system boots, and that we can connect to GoogleGuest. (Testing of actual trace functionality with require some more patches in frameworks/opt/net/wifi.) $ adb root && adb shell dmesg | egrep 'avc: denied.+debugfs' Change-Id: Ib6eb4116549277f85bd510d25fb30200f1752f4d
2016-05-18 00:32:04 +02:00
# chown/chmod on pseudo files.
allow init {
fs_type
-contextmount_type
-keychord_device
-proc_type
-sdcard_type
-fusefs_type
-sysfs_type
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
binder_device
console_device
devpts
dm_device
hwbinder_device
input_device
kmsg_device
null_device
owntty_device
pmsg_device
ptmx_device
random_device
tty_device
zero_device
}:chr_file { read open };
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;
# init access to /proc.
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
r_dir_file(init, proc_net_type)
allow init proc_filesystems:file r_file_perms;
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
allow init overlayfs_file:file { append };
allow init system_block_device:blk_file { write };
')
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_bootconfig
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
proc_meminfo
proc_stat # Read /proc/stat for bootchart.
proc_uptime
proc_version
}:file r_file_perms;
allow init {
proc_abi
introduce new 'proc_bpf' for bpf related sysctls What to tag chosen based on output of: find /proc 2>/dev/null | egrep bpf on a 5.10 kernel. Tagged with prefixes to be more likely not require changes in the future $ adb root $ adb shell 'ls -lZ /proc/sys/net/core/bpf_* /proc/sys/kernel/*bpf*' Before: -rw-r--r-- 1 root root u:object_r:proc:s0 0 2021-11-11 02:11 /proc/sys/kernel/bpf_stats_enabled -rw-r--r-- 1 root root u:object_r:proc:s0 0 2021-11-11 02:11 /proc/sys/kernel/unprivileged_bpf_disabled -rw-r--r-- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_enable -rw------- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_harden -rw------- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_kallsyms -rw------- 1 root root u:object_r:proc_net:s0 0 2021-11-11 02:11 /proc/sys/net/core/bpf_jit_limit After: -rw-r--r-- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/kernel/bpf_stats_enabled -rw-r--r-- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/kernel/unprivileged_bpf_disabled -rw-r--r-- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_enable -rw------- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_harden -rw------- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_kallsyms -rw------- 1 root root u:object_r:proc_bpf:s0 0 2021-11-11 02:08 /proc/sys/net/core/bpf_jit_limit Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I46ea81ff42d3b915cf7a96735dc2636d9808ead6
2021-11-11 10:51:15 +01:00
proc_bpf
proc_cpu_alignment
proc_dirty
proc_hostname
proc_hung_task
proc_extra_free_kbytes
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
proc_net_type
proc_max_map_count
proc_min_free_order_shift
proc_overcommit_memory # /proc/sys/vm/overcommit_memory
proc_panic
proc_page_cluster
proc_perf
proc_sched
proc_sysrq
proc_watermark_boost_factor
}:file w_file_perms;
allow init {
proc_security
}:file rw_file_perms;
# init chmod/chown access to /proc files.
allow init {
proc_cmdline
proc_bootconfig
proc_kmsg
proc_net
proc_pagetypeinfo
proc_qtaguid_stat
proc_slabinfo
proc_sysrq
proc_qtaguid_ctrl
proc_vmallocinfo
}:file setattr;
# init access to /sys files.
allow init {
sysfs_android_usb
sysfs_dm_verity
sysfs_leds
sysfs_power
sysfs_fs_f2fs
sysfs_dm
sysfs_lru_gen_enabled
}:file w_file_perms;
allow init {
sysfs_dt_firmware_android
sysfs_fs_ext4_features
}:file r_file_perms;
allow init {
sysfs_zram
}:file rw_file_perms;
# allow init to create loop devices with /dev/loop-control
allow init loop_control_device:chr_file rw_file_perms;
allow init loop_device:blk_file rw_file_perms;
allowxperm init loop_device:blk_file ioctl {
LOOP_SET_FD
LOOP_CLR_FD
LOOP_CTL_GET_FREE
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_GET_STATUS
LOOP_SET_STATUS64
};
# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;
# init chmod/chown access to /sys files.
allow init {
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_ipv4
sysfs_leds
sysfs_lowmemorykiller
sysfs_power
sysfs_vibrator
sysfs_wake_lock
sysfs_zram
}:file setattr;
# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
allow init self:global_capability_class_set net_admin;
# Reboot.
allow init self:global_capability_class_set sys_boot;
refine /data/misc/logd rules Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa. Move misc_logd_file neverallow rule from domain.te to logd.te, since the goal of the neverallow rule is to protect logd / logpersist files from other processes. Switch the misc_logd_file neverallow rule from using "rw_file_perms" to "no_rw_file_perms". The latter covers more cases of file modifications. Add more neverallow rules covering misc_logd_file directories. Instead of using not_userdebug_nor_eng(), modify the rules to be consistent with other highly constrained file types such as keystore_data_file or vold_data_file. See, for example, https://android-review.googlesource.com/144768 To see the net effect of this change, you can use the following command line: sesearch --allow -t misc_logd_file -c file,dir,lnk_file \ out/target/product/bullhead/root/sepolicy Before this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open }; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file relabelto; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; After this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
2016-03-26 15:43:38 +01:00
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };
refine /data/misc/logd rules Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa. Move misc_logd_file neverallow rule from domain.te to logd.te, since the goal of the neverallow rule is to protect logd / logpersist files from other processes. Switch the misc_logd_file neverallow rule from using "rw_file_perms" to "no_rw_file_perms". The latter covers more cases of file modifications. Add more neverallow rules covering misc_logd_file directories. Instead of using not_userdebug_nor_eng(), modify the rules to be consistent with other highly constrained file types such as keystore_data_file or vold_data_file. See, for example, https://android-review.googlesource.com/144768 To see the net effect of this change, you can use the following command line: sesearch --allow -t misc_logd_file -c file,dir,lnk_file \ out/target/product/bullhead/root/sepolicy Before this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open }; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file relabelto; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; After this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
2016-03-26 15:43:38 +01:00
# Support "adb shell stop"
allow init self:global_capability_class_set kill;
Add getpgid to system_service and init In libprocessgroup, we want to only send signals once to processes, particularly for SIGTERM. We must send the signal both to all processes within a POSIX process group and a cgroup. To ensure that we do not duplicate the signals being sent, we check the processes in the cgroup to see if they're in the POSIX process groups that we're killing. If they are, we skip sending a second signal. This requires getpgid permissions, hence this SELinux change. avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1 avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=process permissive=1 avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=797 comm="ActivityManager" scontext=u:r:system_server:s0 tcontext=u:r:system_app:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1 avc: denied { getpgid } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:r:system_server:s0 tclass=process permissive=1 Bug: 37853905 Bug: 62418791 Test: Boot, kill zygote, reboot Change-Id: Ib6c265dbaac8833c47145ae28fb6594ca8545570
2017-06-13 23:49:17 +02:00
allow init domain:process { getpgid sigkill signal };
# Init creates credstore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init credstore_data_file:dir { open create read getattr setattr search };
allow init credstore_data_file:file { getattr };
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
# Set UID, GID, and adjust capability bounding set for services.
allow init self:global_capability_class_set { setuid setgid setpcap };
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
# Get file context
allow init file_contexts_file:file r_file_perms;
# sepolicy access
allow init sepolicy_file:file r_file_perms;
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;
# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
# Set any property.
allow init property_type:property_service set;
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;
# Set scheduling info for psi monitor thread.
# TODO: delete or revise this line b/131761776
allow init kernel:process { getsched setsched };
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;
# keychord retrieval from /dev/input/ devices
allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms;
# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
# Access dm-user for OTA boot
allow init dm_user_device:chr_file rw_file_perms;
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;
# linux keyring configuration
allow init init:key { write search setattr };
# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;
# Set encryption policy on dirs in /data
allowxperm init { data_file_type unlabeled }:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
r_dir_file(init, system_dlkm_file_type)
r_dir_file(init, vendor_file_type)
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;
# For init to be able to run shell scripts from vendor
allow init vendor_shell_exec:file execute;
# Metadata setup
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;
allow init userspace_reboot_metadata_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
# allow filesystem tuning
allow init userdata_sysdev:file create_file_perms;
# allow disk tuning
allow init rootdisk_sysdev:file create_file_perms;
###
### neverallow rules
###
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init { app_data_file privapp_data_file }:lnk_file read;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
# when init is executing other binaries. The use of LD_PRELOAD for init spawned
# services is generally considered a no-no, as it injects libraries which the
# binary was not expecting. This is especially problematic for APEXes. The use
# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
# code into a process which wasn't expecting that code, with potentially
# unexpected side effects. (b/140789528)
neverallow init *:process noatsecure;
# init can never add binder services
neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;
# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs node that are not explicitly labeled.
neverallow init sysfs:file { open write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
# init owns the root of /data
# TODO(b/140259336) We want to remove vendor_init
# TODO(b/141108496) We want to remove toolbox
neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };