tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/init.te

143 lines
5.2 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 23:46:05 +02:00
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 22:31:04 +01:00
allow init self:capability { sys_rawio mknod };
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
# Mounting filesystems.
Restrict use of context= mount options. Prior to this change, the init and recovery domains were allowed unrestricted use of context= mount options to force all files within a given filesystem to be treated as having a security context specified at mount time. The context= mount option can be used in device-specific fstab.<board> files to assign a context to filesystems that do not support labeling such as vfat where the default label of sdcard_external is not appropriate (e.g. /firmware on hammerhead). Restrict the use of context= mount options to types marked with the contextmount_type attribute, and then remove write access from such types from unconfineddomain and prohibit write access to such types via neverallow. This ensures that the no write to /system restriction cannot be bypassed via context= mount. Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 19:05:38 +02:00
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
Allow init to relabel rootfs files. This is required for the restorecon /adb_keys in init.rc or for any other relabeling of rootfs files to more specific types on kernels that support setting security contexts on rootfs inodes. Addresses denials such as: avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 We do not need to prohibit relabelfrom of such files because our goal is to prevent writing to executable files, while relabeling the file to another type will take it to a non-executable (or non-writable) type. In contrast, relabelto must be prohibited by neverallow so that a modified file in a writable type cannot be made executable. Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:17:51 +02:00
# restorecon /adb_keys or any other rootfs files to a more specific type.
allow init rootfs:file relabelfrom;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
# restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
Remove /system write from unconfined Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-20 20:09:16 +02:00
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
Allow init to restorecon sysfs files. The boot-time restorecon_recursive("/sys") occurs while still in the kernel domain, but init.rc files may nonetheless perform restorecon_recursive of parts of /sys created later and therefore require this permission. Required for: https://android-review.googlesource.com/#/c/101800/ Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-17 20:54:44 +02:00
allow init sysfs_type:{ dir file lnk_file } relabelto;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 15:53:00 +02:00
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
Restrict /data/security and setprop selinux.reload_policy access. Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received. Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise. Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete. Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 16:25:00 +02:00
# Create /data/security from init.rc post-fs-data.
allow init security_file:dir { create setattr };
# setprop selinux.reload_policy 1 from init.rc post-fs-data.
allow init security_prop:property_service set;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
# Reload policy upon setprop selinux.reload_policy 1.
Restrict /data/security and setprop selinux.reload_policy access. Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received. Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise. Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete. Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 16:25:00 +02:00
r_dir_file(init, security_file)
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 14:05:53 +01:00
allow init kernel:security load_policy;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
remove syslog_* from unconfined As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
2014-05-28 22:48:52 +02:00
allow init kernel:system syslog_mod;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
# Set usermodehelpers and /proc security settings.
Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 15:31:40 +01:00
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
# Transitions to seclabel processes in init.rc
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-04 07:13:14 +02:00
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
recovery_only(`
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, rootfs, ueventd)
domain_trans(init, rootfs, watchdogd)
# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
lmkd: avoid locking libsigchain into memory https://android-review.googlesource.com/94851 added an LD_PRELOAD line to init.environ.rc.in. This has the effect of loading libsigchain.so into every process' memory space, regardless of whether it wants it or not. For lmkd, it doesn't need libsigchain, so it doesn't make any sense to load it and keep it locked in memory. Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the linker to not honor security sensitive environment variables such as LD_PRELOAD. This prevents libsigchain.so from being loaded into lmkd's memory. Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
2014-07-17 03:42:36 +02:00
# For now, allow it to most domains.
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-04 07:13:14 +02:00
# TODO: scope this down.
lmkd: avoid locking libsigchain into memory https://android-review.googlesource.com/94851 added an LD_PRELOAD line to init.environ.rc.in. This has the effect of loading libsigchain.so into every process' memory space, regardless of whether it wants it or not. For lmkd, it doesn't need libsigchain, so it doesn't make any sense to load it and keep it locked in memory. Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the linker to not honor security sensitive environment variables such as LD_PRELOAD. This prevents libsigchain.so from being loaded into lmkd's memory. Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
2014-07-17 03:42:36 +02:00
allow init { domain -lmkd }:process noatsecure;
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-04 07:13:14 +02:00
# Support "adb shell stop"
allow init domain:process sigkill;
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-09 08:28:52 +02:00
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 17:26:19 +02:00
remove shell_data_file from unconfined. Domains which want to access /data/local/tmp must do so by creating their own SELinux domain. Bug: 15164984 Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
2014-06-07 19:00:59 +02:00
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 17:26:19 +02:00
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 15:22:16 +02:00
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 16:27:02 +02:00
# Set any property.
allow init property_type:property_service set;
unconfined: remove internet access Don't allow unconfined domains to access the internet. Restrict internet functionality to domains which explicitly declare their use. Removing internet access from unconfined domains helps protect daemons from network level attacks. In unconfined.te, expand out socket_class_set, and explicitly remove tcp_socket, udp_socket, rawip_socket, packet_socket, and appletalk_socket. Remove name_bind, node_bind and name_connect rules, since they only apply to internet accessible rules. Add limited udp support to init.te. This is needed to bring up the loopback interface at boot. Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-21 06:15:56 +02:00
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-04 07:13:14 +02:00
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
allow init swapon() swapon(2) requires write access to the underlying block device. Allow it. Addresses the following denial: avc: denied { write } for pid=1 comm="init" name="zram0" dev="tmpfs" ino=6267 scontext=u:r:init:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0 Change-Id: Id1a4f51038d0b6ce7351294698a0ff146d6e4643
2014-10-20 20:52:19 +02:00
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 16:09:33 +02:00
# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done.
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;
auditallow init device:file create_file_perms;
# Access character devices without a specific type,
# e.g. /dev/keychord.
# TODO: Move these devices into their own type unless they
# are only ever accessed by init.
allow init device:chr_file { rw_file_perms setattr };
auditallow init device:chr_file { rw_file_perms setattr };
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
###
### neverallow rules
###
# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
neverallow { domain -kernel} init:process dyntransition;
neverallow domain init:process transition;
neverallow init { file_type fs_type }:file entrypoint;
Prohibit reading of untrusted symlinks via neverallow. Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-02 23:05:44 +02:00
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
Reference in a new issue Copy permalink