tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/kernel.te

105 lines
3.9 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
# Life begins with the kernel.
kernel: remove domain_deprecated attribute No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I6bd9525b663a2bdad4f5b2d4a85d3dd46d5fd106
2016-09-12 06:18:05 +02:00
type kernel, domain, mlstrustedsubject;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow kernel self:global_capability_class_set sys_nice;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
kernel: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
2016-01-28 04:15:41 +01:00
# Root fs.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-10 01:27:17 +02:00
r_dir_file(kernel, rootfs)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
allow kernel proc_cmdline:file r_file_perms;
kernel: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
2016-01-28 04:15:41 +01:00
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;
file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-24 23:02:13 +01:00
# Get file contexts during first stage
allow kernel file_contexts_file:file r_file_perms;
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 20:38:10 +02:00
# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 15:53:00 +02:00
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
Allow mounting of usbfs. Addresses denials such as: avc: denied { mount } for pid=5 comm="kworker/u:0" name="/" dev=usbfs ino=3234 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem Change-Id: I1db52193e6a2548c37a7809ef44cf7fd3357326d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:31:27 +02:00
# Mount usbfs.
allow kernel usbfs:filesystem mount;
kernel: allow usbfs:dir search The deprecated/deleted usbfs kernel driver gets really unhappy when SELinux denies it access to directories. On flo (3.4.0 kernel), this comes across as an SELinux denial followed by a kernel panic. Steps to reproduce: 1. plug in a USB device. 2. notice nothing happens. 3. unplug the USB device 4. plug it in again, watch for restart. Expected: USB device works Actual: [329180.030242] Host mode: Set DC level as 0x68 for flo. [329180.030395] msm_hsusb_host msm_hsusb_host: Qualcomm On-Chip EHCI Host Controller [329180.030639] Unable to create devices usbfs file [329180.030944] type=1400 audit(1425327845.292:12): avc: denied { search } for pid=24033 comm="kworker/0:1" name="/" dev="usbfs" ino=291099 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=dir [329180.060394] msm_hsusb_host msm_hsusb_host: new USB bus registered, assigned bus number 1 [329180.091583] msm_hsusb_host msm_hsusb_host: irq 132, io mem 0x12500000 [deleted] [329180.120178] hub 1-0:1.0: USB hub found [329180.120452] hub 1-0:1.0: 1 port detected [329180.123199] Unable to handle kernel NULL pointer dereference at virtual address 00000070 [329180.123443] pgd = c0004000 [329180.123809] [00000070] *pgd=00000000 [329180.124206] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [329180.124481] CPU: 0 Tainted: G W (3.4.0-g2e8a935 #1) [329180.124908] PC is at mutex_lock+0xc/0x48 [329180.125122] LR is at fs_create_file+0x4c/0x128 [329180.125518] pc : [<c0916708>] lr : [<c0440ec4>] psr: a0000013 [deleted] [329180.281005] [<c0916708>] (mutex_lock+0xc/0x48) from [<c0440ec4>] (fs_create_file+0x4c/0x128) [329180.281280] [<c0440ec4>] (fs_create_file+0x4c/0x128) from [<c04410c8>] (usbfs_notify+0x84/0x2a8) [329180.281738] [<c04410c8>] (usbfs_notify+0x84/0x2a8) from [<c009c3b8>] (notifier_call_chain+0x38/0x68) [329180.282257] [<c009c3b8>] (notifier_call_chain+0x38/0x68) from [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) [329180.282745] [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) from [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) [329180.283264] [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) from [<c043ef8c>] (generic_probe+0x74/0x84) [329180.283752] [<c043ef8c>] (generic_probe+0x74/0x84) from [<c04387c4>] (usb_probe_device+0x58/0x68) [329180.284240] [<c04387c4>] (usb_probe_device+0x58/0x68) from [<c03adc78>] (driver_probe_device+0x148/0x360) [329180.284576] [<c03adc78>] (driver_probe_device+0x148/0x360) from [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) [329180.285034] [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) from [<c03adfc8>] (device_attach+0x74/0xa0) [329180.285522] [<c03adfc8>] (device_attach+0x74/0xa0) from [<c03ac94c>] (bus_probe_device+0x28/0x98) [329180.286041] [<c03ac94c>] (bus_probe_device+0x28/0x98) from [<c03ab014>] (device_add+0x444/0x5e4) [329180.286529] [<c03ab014>] (device_add+0x444/0x5e4) from [<c042f180>] (usb_new_device+0x248/0x2e4) [329180.286804] [<c042f180>] (usb_new_device+0x248/0x2e4) from [<c043472c>] (usb_add_hcd+0x420/0x64c) [329180.287292] [<c043472c>] (usb_add_hcd+0x420/0x64c) from [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) [329180.287811] [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) from [<c0091d8c>] (process_one_work+0x280/0x488) [329180.288299] [<c0091d8c>] (process_one_work+0x280/0x488) from [<c00921a8>] (worker_thread+0x214/0x3b4) [329180.288787] [<c00921a8>] (worker_thread+0x214/0x3b4) from [<c0096b14>] (kthread+0x84/0x90) [329180.289276] [<c0096b14>] (kthread+0x84/0x90) from [<c000f3c8>] (kernel_thread_exit+0x0/0x8) Allow the usbfs operation. Bug: 19568950 Change-Id: Iffdc7bd93ebde8bb75c57a324b996e1775a0fd1e
2015-03-28 10:48:46 +01:00
allow kernel usbfs:dir search;
Allow mounting of usbfs. Addresses denials such as: avc: denied { mount } for pid=5 comm="kworker/u:0" name="/" dev=usbfs ino=3234 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem Change-Id: I1db52193e6a2548c37a7809ef44cf7fd3357326d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:31:27 +02:00
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 14:05:53 +01:00
# Initial setenforce by init prior to switching to init domain.
Revisit kernel setenforce Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed. Change-Id: If335a5cf619125806c700780fcf91f8602083824
2014-05-12 23:32:59 +02:00
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
# Write to /proc/1/oom_adj prior to switching to init domain.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow kernel self:global_capability_class_set sys_resource;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
kernel: allow rebooting, and writing to /dev/__kmsg__ Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-06 02:40:07 +02:00
# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow kernel self:global_capability_class_set sys_boot;
kernel: allow rebooting, and writing to /dev/__kmsg__ Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-06 02:40:07 +02:00
allow kernel proc_sysrq:file w_file_perms;
Simplify /dev/kmsg SELinux policy. Bug: http://b/30317429 Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee Test: adb shell dmesg | grep ueventd
2016-07-26 18:46:20 +02:00
# Allow writing to /dev/kmsg which was created prior to loading policy.
kernel: allow rebooting, and writing to /dev/__kmsg__ Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-06 02:40:07 +02:00
allow kernel tmpfs:chr_file write;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
# Set checkreqprot by init.rc prior to switching to init domain.
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel selinuxfs:file write;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
allow kernel self:security setcheckreqprot;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
support kernel writes to external SDcards The kernel, when it creates a loop block device, starts a new kernel thread "loop0" (drivers/block/loop.c). This kernel thread, which performs writes on behalf of other processes, needs read/write privileges to the sdcard. Allow it. Steps to reproduce: 0) Get device with external, removable sdcard 1) Run: "adb install -s foo.apk" Expected: APK installs successfully. Actual: APK fails to install. Error message: Vold E Failed to write superblock (I/O error) loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 PackageHelper E Failed to create secure container smdl1645334795.tmp DefContainer E Failed to create container smdl1645334795.tmp Bug: 17158723 (cherry picked from commit 4c6b13508d1786a3a835ba5427f37e963c2c7506) Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
2014-08-27 21:13:28 +02:00
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
allow kernel sdcard_type:file { read write };
Allow kernel sdcard access for MTP sync. Address denials such as: avc: denied { write } for pid=2587 comm="kworker/u:4" path="/storage/emulated/0/Download/AllFileFormatesFromTommy/Test3GP.3gp" dev="fuse" ino=3086052592 scontext=u:r:kernel:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file permissive=0 Change-Id: I351e84b48f1b5a3361bc680b2ef379961ac2e8ea Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Bug: 15835289
2014-06-24 19:18:02 +02:00
Add drm and kernel permissions to mediaprovider These were missing when the sepolicy was migrated. Addresses denials: E SELinux : avc: denied { find } for service=drm.drmManager pid=11769 uid=10018 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg" dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0 tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0 Bug: 37685394 Bug: 37686255 Test: Sync files Test: Open downloaded file Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d
2017-04-26 19:18:30 +02:00
# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
kernel.te: fix MTP sync STEPS TO REPRODUCE: 1. Connect the device to Mac. 2. Switch to AFT. 3. Now AFT on Mac will show the device contents. 4. Now drag and drop the file to device and observe. EXPECTED RESULTS: Should able to copy. OBSERVED RESULTS: Showing can not copy file and on clicking ok, It shows device storage can not connect and close the AFT. Addresses the following denial: W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd 12310 12530 E MtpRequestPacket: Malformed MTP request packet ps -Z entry: u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media Bug: 15835289 Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
2015-02-27 05:33:40 +01:00
allow kernel vold:fd use;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
allow kernel app_data_file:file read;
Allow kernel to read asec_image_file. Address the following denial encountered when installing a forward-locked apk. W loop0 : type=1400 audit(0.0:36): avc: denied { read } for path="/data/app-asec/smdl1061145377.tmp.asec" dev="mmcblk0p28" ino=180226 scontext=u:r:kernel:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file Bug: 19936901 Change-Id: I829858564a8f89677b2bb4cbd4c8fe4250ae51de
2015-03-26 20:40:07 +01:00
allow kernel asec_image_file:file read;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
Allow reading loop device in update_engine_unittests. This fixes the following denies: type=1400 audit(0.0:4389): avc: denied { read } for path="/data/misc/update_engine/tmp/a_loop_file.W0j9ss" dev="mmcblk0p13" ino=24695 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0 type=1400 audit(0.0:30): avc: denied { read } for path="/data/nativetest/update_engine_unittests/gen/disk_ext2_unittest.img" dev="mmcblk0p13" ino=71 scontext=u:r:kernel:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=file permissive=0 Bug: 28319454 Test: setenforce 1 && ./update_engine_unittests Change-Id: I8d54709d4bda06b364b5420d196d75a4ecc011d3
2016-05-03 20:07:11 +02:00
# Allow reading loop device in update_engine_unittests. (b/28319454)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
allow kernel nativetest_data_file:file read;
')
Allow access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Added for: adbd, kernel, mediaserver, and shell Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27915475 Bug: 27937873 Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
2016-03-31 22:53:42 +02:00
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir create_dir_perms;
allow kernel media_rw_data_file:file create_file_perms;
Grant kernel access to new "virtual_disk" file. This is a special file that can be mounted as a loopback device to exercise adoptable storage code on devices that don't have valid physical media. For example, they may only support storage media through a USB OTG port that is being used for an adb connection. avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0 Bug: 34903607 Change-Id: I84721ec0e9495189a7d850461875df1839826212
2017-03-26 22:50:59 +02:00
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file read;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
###
### neverallow rules
###
# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
Replace "neverallow domain" by "neverallow *" Modify many "neverallow domain" rules to be "neverallow *" rules instead. This will catch more SELinux policy bugs where a label is assigned an irrelevant rule, as well as catch situations where a domain attribute is not assigned to a process. Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
2016-02-05 23:48:03 +01:00
neverallow * kernel:process { transition dyntransition };
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
kernel.te: tighten entrypoint / execute_no_trans neverallow The kernel domain exists solely on boot, and is used by kernel threads. Because of the way the system starts, there is never an entrypoint for that domain, not even a file on rootfs. So tighten up the neverallow restriction. Remove an obsolete comment. The *.rc files no longer have a setcon statement, and the transition from the kernel domain to init occurs because init re-execs itself. The statement no longer applies. Test: bullhead policy compiles. Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
2016-10-31 02:42:17 +01:00
neverallow kernel *:file { entrypoint execute_no_trans };
kernel: neverallow dac_{override,read_search} perms The kernel should never be accessing files owned by other users. Disallow this access. Test: Marlin builds. Neverallow are build time assertions, they do not policy on the device. Change-Id: I6ba2eb27c0e2ecf46974059588508cd3223baceb
2017-02-22 23:30:47 +01:00
# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
Reference in a new issue Copy permalink