tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/recovery.te

141 lines
5.3 KiB
Text
Raw Normal View History

Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:45:45 +01:00
# recovery console (used in recovery init.rc for /sbin/recovery)
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 18:54:39 +01:00
type recovery, domain, domain_deprecated;
Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:45:45 +01:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
# Allow recovery to perform an update as update_engine would do.
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
typeattribute recovery update_engine_common;
Recovery can use HALs only in passthrough mode This adjusts the grants for recovery to make it explicit that recovery can use the Boot Control HAL only in passthrough mode. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
2017-03-20 21:11:33 +01:00
# Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 18:15:22 +02:00
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
Remove MAC capabilities from unconfined domains. Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 19:23:08 +01:00
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
# Run helpers from / or /system without changing domain.
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 17:38:29 +02:00
allow recovery toolbox_exec:file rx_file_perms;
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Mount filesystems.
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery rootfs:dir mounton;
Restrict use of context= mount options. Prior to this change, the init and recovery domains were allowed unrestricted use of context= mount options to force all files within a given filesystem to be treated as having a security context specified at mount time. The context= mount option can be used in device-specific fstab.<board> files to assign a context to filesystems that do not support labeling such as vfat where the default label of sdcard_external is not appropriate (e.g. /firmware on hammerhead). Restrict the use of context= mount options to types marked with the contextmount_type attribute, and then remove write access from such types from unconfineddomain and prohibit write access to such types via neverallow. This ensures that the no write to /system restriction cannot be bypassed via context= mount. Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 19:05:38 +02:00
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:45:45 +01:00
refine recovery domain. Make sure we have all necessary rules to modify system_file and exec_type. Allow writing to /proc/sys/vm/drop_caches and other proc files. Addresses denials like: avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file recovery is still in permissive_or_unconfined(), so no rules are being enforced. Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-05 08:43:03 +02:00
# Create and relabel files and directories under /system.
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
Remove SElinux audit to libart_file Since it was introduced it caused quite a few issues and it spams the SElinux logs unnecessary. The end goal of the audit was to whitelist the access to the interpreter. However that's unfeasible for now given the complexity. Test: devices boots and everything works as expected no more auditallow logs Bug: 29795519 Bug: 32871170 Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
2017-01-27 05:01:50 +01:00
allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
refine recovery domain. Make sure we have all necessary rules to modify system_file and exec_type. Allow writing to /proc/sys/vm/drop_caches and other proc files. Addresses denials like: avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file recovery is still in permissive_or_unconfined(), so no rules are being enforced. Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-05 08:43:03 +02:00
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
recovery: allow relabelto unlabeled and other unlabeled rules The recovery script may ask to label a file with a label not known to the currently loaded policy. Allow it. Addresses the following denials: avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
2014-07-07 22:19:24 +02:00
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
recovery: allow changing unlabeled symbolic links Currently, recovery is allowed write access to the following three file labels: * system_file (directories, files, and symbolic links) * exec_type (directories, files, and symbolic links) * unlabeled (directory and files) system_file is the default label on all files in /system. exec_type is the attribute used to mark executables on /system. The third file type, "unlabeled", refers to filesystem objects where the label hasn't been set, or a label is set but isn't defined by the currently loaded policy. The current policy only allows unlabeled files or directories to be modified. Symbolic links were accidentally excluded. This causes problems when trying to fix up labels/permissions on unlabeled symbolic links. Allow unlabeled symbolic link modifications. (cherrypicked from commit 683ac49d9d2f7dafcc4204f737747117a5d72e4e) Bug: 18079773 Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
2014-10-23 21:12:58 +02:00
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
recovery: allow relabelto unlabeled and other unlabeled rules The recovery script may ask to label a file with a label not known to the currently loaded policy. Allow it. Addresses the following denials: avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
2014-07-07 22:19:24 +02:00
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-24 23:02:13 +01:00
# Get file contexts
allow recovery file_contexts_file:file r_file_perms;
recovery: allow relabelto unlabeled and other unlabeled rules The recovery script may ask to label a file with a label not known to the currently loaded policy. Allow it. Addresses the following denials: avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
2014-07-07 22:19:24 +02:00
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
recovery: remove auditallow for exec_type:dir writes With the move to block based OTAs, we're never going to fix this bug. Remove the auditallow statement to avoid SELinux log spam. Bug: 15575013 Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
2015-03-05 23:58:30 +01:00
# mistake. New devices are moving to block based OTAs, so this is not
# worth fixing. b/15575013
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
refine recovery domain. Make sure we have all necessary rules to modify system_file and exec_type. Allow writing to /proc/sys/vm/drop_caches and other proc files. Addresses denials like: avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file recovery is still in permissive_or_unconfined(), so no rules are being enforced. Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-05 08:43:03 +02:00
# Write to /proc/sys/vm/drop_caches
drop_caches label, vold scratch space on expanded. Define an explicit label for /proc/sys/vm/drop_caches and grant to the various people who need it, including vold which uses it when performing storage benchmarks. Also let vold create new directories under it's private storage area where the benchmarks will be carried out. Mirror the definition of the private storage area on expanded media. avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 21172095 Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
2015-05-15 05:55:31 +02:00
allow recovery proc_drop_caches:file w_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 18:15:22 +02:00
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
recovery.te: Allow writing to sysfs_devices_system_cpu. recovery (update_binary) may need to set up cpufreq during an update. avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 Bug: 32463933 Test: Build a recovery image and apply an OTA package that writes to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq. Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5
2016-11-22 22:53:01 +01:00
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
Enable recovery to read batteryinfo. Bug: 26879394 Change-Id: I09ac9027ca343e00488dedab8df1687fd32bb255
2016-02-17 21:23:13 +01:00
allow recovery sysfs_batteryinfo:file r_file_perms;
recovery: Allow accessing sysfs_leds. Bug: 34077703 Test: recovery image can set the backlight brightness. Change-Id: I34d72e1a0e959c2d9f48b3b9c55c4eb2d1cc41bf
2017-01-25 08:29:11 +01:00
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
# control backlight brightness.
allow recovery sysfs_leds:dir r_dir_perms;
allow recovery sysfs_leds:file rw_file_perms;
allow recovery sysfs_leds:lnk_file read;
remove access_kmsg macro, because it to be more explicit. This macro does not give us anything to it. Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
2016-01-26 08:42:54 +01:00
allow recovery kernel:system syslog_read;
Allow recovery to access kmsg for log retrieval Bug: 18642766 Change-Id: I97d6ab0b76b69d99dcc1928232c8961437e1e68c Signed-off-by: Patrick Tjin <pattjin@google.com>
2014-12-09 21:43:26 +01:00
Remove support for legacy f_adb interface. Bug: http://b/34228376 Test: m Change-Id: I1321ada1521bb3e3fd08105f1a41d519ee486683
2017-01-11 23:58:28 +01:00
# Access /dev/usb-ffs/adb/ep0
support newer-style adbd interface in recovery Support opening the ffs-based interface for adbd in recovery. (Copied from adbd.te.) Bug: 16183878 Change-Id: Ib80e5b910d9ad4252cb80e7ce2f85e478cd94816
2014-07-10 22:40:25 +02:00
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 18:15:22 +02:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Required to e.g. wipe userdata/cache.
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
allow recovery device:dir r_dir_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery block_device:dir r_dir_perms;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
allow recovery dev_type:blk_file rw_file_perms;
Remove /system write from unconfined Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-20 20:09:16 +02:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# GUI
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 20:48:35 +02:00
allow recovery tty_device:chr_file rw_file_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
Remove block device access from unconfined domains. Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 20:40:14 +01:00
Creates a new permission for /cache/recovery This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2015-12-22 21:37:17 +01:00
# Manage files on /cache and /cache/recovery
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
Allow recovery to read thermal info We want to track temperature metrics during an OTA update. denial message: denied { search } for pid=349 comm="recovery" name="thermal" dev="sysfs" ino=18029 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 denied { read } for pid=326 comm="recovery" name="temp" dev="sysfs" ino=18479 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 36920500 Bug: 32518487 Test: temperature logs on angler Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e (cherry picked from commit 3da2f21fbfa943b408c01d4db2468c7d05b311f9)
2017-04-05 21:43:33 +02:00
# Read /sys/class/thermal/*/temp for thermal info.
Allow recovery to read thermal info on sailfish Encountered more denials on sailfish: avc: denied { read } for pid=439 comm="recovery" name="thermal" dev="sysfs" ino=28516 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 avc: denied { read } for pid=441 comm="recovery" name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0 Bug: 36920500 Test: sideload a package in sailfish (cherry picked from commit b4e4565d58218cc5a878d4998dc9dd079d4b7dc0) Change-Id: I46b14babd47168e87c0d30ec06281aaa237563bf
2017-04-14 23:06:22 +02:00
r_dir_file(recovery, sysfs_thermal)
Allow recovery to read thermal info We want to track temperature metrics during an OTA update. denial message: denied { search } for pid=349 comm="recovery" name="thermal" dev="sysfs" ino=18029 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 denied { read } for pid=326 comm="recovery" name="temp" dev="sysfs" ino=18479 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 36920500 Bug: 32518487 Test: temperature logs on angler Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e (cherry picked from commit 3da2f21fbfa943b408c01d4db2468c7d05b311f9)
2017-04-05 21:43:33 +02:00
Allow recovery to read files with oemfs label The recovery and update_binary need to access the /oem partition for devices like sprout. Bug: 19764039 Change-Id: Ie6cbcae899ad664c6a1809c0d5478031091b6eda
2015-06-11 00:52:49 +02:00
# Read files on /oem.
r_dir_file(recovery, oemfs);
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
# Reboot the device
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232) Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(recovery, powerctl_prop)
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 17:26:19 +02:00
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 16:27:02 +02:00
# Start/stop adbd via ctl.start adbd
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232) Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(recovery, ctl_default_prop)
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 16:27:02 +02:00
Fix warning in recovery.te SELinux policy compiler complained about a quote inside the recovery_only section of recovery.te. This section's contents are inside quotes and thus can't contain quotes. Test: mmm system/sepolicy produces no warnings Bug: 33700679 Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8
2016-12-27 21:38:07 +01:00
# Read serial number of the device from system properties
Restrict access to ro.serialno and ro.boot.serialno This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps. The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user. Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome Test: Access the device via ADB (ADBD exposes serial number) Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo Bug: 31402365 Bug: 33700679 Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-21 00:31:37 +01:00
get_prop(recovery, serialno_prop)
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
Rename sdcard_internal/external types. Rename sdcard_internal/external types to fuse and vfat respectively to make it clear that they are assigned to any fuse or vfat filesystem by default (absent a context= mount option) and do not necessarily represent the SDcard. The sdcard_type attribute is still assigned to both types and can still be used in allow rules to permit access to either the internal or external SDcard. Define type aliases for the old names to preserve compatibility on policy reload and for device-specific policies that may not yet be updated. Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-08 20:45:09 +02:00
# Allow recovery to create a fuse filesystem, and read files from it.
recovery: allow creating and reading fuse filesystems The new sideloading mechanism in recovery needs to create a fuse filesystem and read files from it. Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf
2014-07-02 19:28:20 +02:00
allow recovery fuse_device:chr_file rw_file_perms;
Rename sdcard_internal/external types. Rename sdcard_internal/external types to fuse and vfat respectively to make it clear that they are assigned to any fuse or vfat filesystem by default (absent a context= mount option) and do not necessarily represent the SDcard. The sdcard_type attribute is still assigned to both types and can still be used in allow rules to permit access to either the internal or external SDcard. Define type aliases for the old names to preserve compatibility on policy reload and for device-specific policies that may not yet be updated. Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-08 20:45:09 +02:00
allow recovery fuse:dir r_dir_perms;
allow recovery fuse:file r_file_perms;
recovery: allow creating and reading fuse filesystems The new sideloading mechanism in recovery needs to create a fuse filesystem and read files from it. Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf
2014-07-02 19:28:20 +02:00
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
wakelock_use(recovery)
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 20:48:35 +02:00
recovery: don't use single quote single quotes make the m4 parser think it's at the end of a block, and generates the following compile time warning: external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720: Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
2014-06-10 05:35:51 +02:00
# This line seems suspect, as it should not really need to
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 20:48:35 +02:00
# set scheduling parameters for a kernel domain task.
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery kernel:process setsched;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
')
recovery.te: add /data neverallow rules Recovery should never be accessing files from /data. In particular, /data may be encrypted, and the files within /data will be inaccessible to recovery, because recovery doesn't know the decryption key. Enforce write/execute restrictions on recovery. We can't tighten it up further because domain.te contains some /data read-only access rules, which shouldn't apply to recovery but do. Create neverallow_macros, used for storing permission macros useful for neverallow rules. Standardize recovery.te and property_data_file on the new macros. Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-06 00:30:41 +01:00
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
neverallow recovery data_file_type:dir no_w_dir_perms;
Reference in a new issue Copy permalink