tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/system_app.te

80 lines
2.5 KiB
Text
Raw Normal View History

Split system_app from system. system_app is for apps that run in the system UID, e.g. Settings. system is for the system_server. Split them into separate files and note their purpose in the comment header of each file. Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-11 17:37:46 +02:00
#
# Apps that run with the system UID, e.g. com.android.system.ui,
# com.android.settings. These are not as privileged as the system
# server.
#
type system_app, domain;
app_domain(system_app)
Resolve overlapping rules between app.te and net.te. There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain. Resolve this overlap by: 1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket. 2) Adding net_domain() calls to all existing app domains that do not already have it. 3) Deleting the redundant socket rules from app.te. Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access. Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions. Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 16:48:03 +01:00
net_domain(system_app)
Address bug report denials. Triggering a bug report via Settings > Developer Options > Take bug report generates a number of denials. Two bugs here: 1) According to the "allowed" list in frameworks/native/cmds/servicemanager/service_manager.c , media apps, nfc, radio, and apps with system/root UIDs can register as a binder service. However, they were not placed into the binder_service domain. Fix them. 2) The bugreport mechanism queries all the services and java programs and asks them to write to a shell owned file. Grant the corresponding SELinux capability. Addresses the following denials: <5>[ 149.342181] type=1400 audit(1389419775.872:17): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.371844] type=1400 audit(1389419775.902:18): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 149.980161] type=1400 audit(1389419776.512:22): avc: denied { write } for pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.095066] type=1400 audit(1389419776.622:23): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.096748] type=1400 audit(1389419776.632:24): avc: denied { getattr } for pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 150.097090] type=1400 audit(1389419776.632:25): avc: denied { write } for pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 154.545583] type=1400 audit(1389419781.072:43): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.000877] type=1400 audit(1389419782.532:44): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.022567] type=1400 audit(1389419782.552:45): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.043463] type=1400 audit(1389419782.572:46): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file <5>[ 156.062550] type=1400 audit(1389419782.592:47): avc: denied { write } for pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
2014-01-11 08:05:25 +01:00
binder_service(system_app)
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:12:55 +02:00
Label app data directories for system UID apps with a different type. We were using system_data_file for the /data/data directories of system UID apps to match the DAC ownership of system UID shared with other system files. However, we are seeing cases where files created in these directories must be writable by other apps, and we would like to avoid allowing write to system data files outside of these directories. So introduce a separate system_app_data_file type and assign it. This should also help protect against arbitrary writes by system UID apps to other system data directories. This resolves the following denial when cropping or taking a user photo for secondary users: avc: denied { write } for path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file avc: denied { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 14604553 Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 19:10:02 +02:00
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
Allow system_app to access /data/data link files system_app tries to access files in /data/data (lnk_files). But due to permission issue it is not able to access the link files. Change-Id: I2959d899f5e3ab9caa219d684541d36587a6c059
2015-01-13 14:56:54 +01:00
allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:12:55 +02:00
Pull keychain-data policy out of system-data Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-13 13:10:08 +02:00
# Read /data/misc/keychain subdirectory.
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;
Restore system_app access to system-owned /data directories. System UID apps want to be able to create/write to system-owned /data directories outside of their own /data/data package directory, such as /data/system/cache and /data/misc/keychain. Restore access (which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when system_app_data_file was introduced for the /data/data package directories of system UID apps), but audit writes to system_data_file so we can look at introducing separate types for these directories in the future and ultimately remove access to the rest of the system-owned data. Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 20:23:32 +02:00
# Read and write to other system-owned /data directories, such as
Pull keychain-data policy out of system-data Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-13 13:10:08 +02:00
# /data/system/cache and /data/misc/user.
Restore system_app access to system-owned /data directories. System UID apps want to be able to create/write to system-owned /data directories outside of their own /data/data package directory, such as /data/system/cache and /data/misc/keychain. Restore access (which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when system_app_data_file was introduced for the /data/data package directories of system UID apps), but audit writes to system_data_file so we can look at introducing separate types for these directories in the future and ultimately remove access to the rest of the system-owned data. Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 20:23:32 +02:00
allow system_app system_data_file:dir create_dir_perms;
allow system_app system_data_file:file create_file_perms;
Pull keychain-data policy out of system-data Migrators should be allowed to write to /data/misc/keychain in order to remove it. Similarly /data/misc/user should be writable by system apps. TODO: Revoke zygote's rights to read from /data/misc/keychain on behalf of some preloaded security classes. Bug: 17811821 Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-13 13:10:08 +02:00
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
Restore system_app access to system-owned /data directories. System UID apps want to be able to create/write to system-owned /data directories outside of their own /data/data package directory, such as /data/system/cache and /data/misc/keychain. Restore access (which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when system_app_data_file was introduced for the /data/data package directories of system UID apps), but audit writes to system_data_file so we can look at introducing separate types for these directories in the future and ultimately remove access to the rest of the system-owned data. Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 20:23:32 +02:00
# Audit writes to these directories and files so we can identify
# and possibly move these directories into their own type in the future.
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
Confine all app domains, but make them permissive for now. As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done. Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:12:55 +02:00
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
Give system_server / system_app ability to write some properties Allow writing to persist.sys and debug. This addresses the following denials (which are actually being enforced): <4>[ 131.700473] avc: denied { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service <3>[ 131.700625] init: sys_prop: permission denied uid:1000 name:debug.force_rtl <4>[ 132.630062] avc: denied { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service <3>[ 132.630184] init: sys_prop: permission denied uid:1000 name:persist.sys.dalvik.vm.lib Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
2013-11-01 18:45:03 +01:00
# Write to properties
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, ctl_bugreport_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 16:27:02 +02:00
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
Allow system_app to start bugreport and to create /data/anr/traces.txt. Resolves denials such as: avc: denied { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service avc: denied { write } for pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir avc: denied { add_name } for pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir avc: denied { create } for pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-06 20:47:22 +01:00
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms;
Allow Developer settings to change runtime size of logd - permit logd control from system_app Bug: 14563261 Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963
2014-05-10 02:47:19 +02:00
sepolicy: allow system apps to access ASEC Required for Settings to show name/icon of apps on sd card (permission copied from untrusted_app) Also removed duplicate permission (from domain) in untrusted_app Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
2014-12-11 16:33:49 +01:00
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
Allow system_app to list all services. The Settings app contains a SystemPropPoker class which notifies every service on the system that a property has changed. Address the following denial: avc: denied { list } for service=NULL scontext=u:r:system_app:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 20762975 Change-Id: I81926e8833c1abcb17a4d49687fc89619b416d6c
2015-05-05 00:06:26 +02:00
allow system_app servicemanager:service_manager list;
Allow system_app to locate mediaserver_service. Address the following denial: SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:system_app:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager Change-Id: I6bd5d2490c7d4aa06a645c1ee293f2b3db21968b
2015-01-07 19:24:28 +01:00
allow system_app mediaserver_service:service_manager find;
Restrict service_manager find and list access. All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-12 01:01:27 +01:00
allow system_app nfc_service:service_manager find;
allow system_app radio_service:service_manager find;
allow system_app surfaceflinger_service:service_manager find;
Add imms service and system_app_service type. Map imms to system_app_service in service_contexts and add the system_app_service type and allow system_app to add the system_app_service. Bug: 16005467 Change-Id: I06ca75e2602f083297ed44960767df2e78991140
2014-07-01 17:38:56 +02:00
allow system_app system_app_service:service_manager add;
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 01:50:08 +02:00
allow system_app app_api_service:service_manager find;
allow system_app system_api_service:service_manager find;
Add imms service and system_app_service type. Map imms to system_app_service in service_contexts and add the system_app_service type and allow system_app to add the system_app_service. Bug: 16005467 Change-Id: I06ca75e2602f083297ed44960767df2e78991140
2014-07-01 17:38:56 +02:00
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
allow system_app keystore:keystore_key {
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
get_state
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
get
insert
delete
exist
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
list
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
reset
password
lock
unlock
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
is_empty
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
sign
verify
grant
duplicate
clear_uid
Add keystore user_changed permission user_changed will be used for state change methods around android user creation/deletion. Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
2015-05-12 21:33:40 +02:00
user_changed
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
};
Allow Developer settings to change runtime size of logd - permit logd control from system_app Bug: 14563261 Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963
2014-05-10 02:47:19 +02:00
control_logd(system_app)
Reference in a new issue Copy permalink