tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/kernel.te

147 lines
5.5 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
# Life begins with the kernel.
kernel: remove domain_deprecated attribute No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I6bd9525b663a2bdad4f5b2d4a85d3dd46d5fd106
2016-09-12 06:18:05 +02:00
type kernel, domain, mlstrustedsubject;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow kernel self:global_capability_class_set sys_nice;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
kernel: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
2016-01-28 04:15:41 +01:00
# Root fs.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-10 01:27:17 +02:00
r_dir_file(kernel, rootfs)
Add kernel permission for bootconfig proc file Just before selinux is set up, the kernel context must be allowed to access the /proc/bootconfig file to read the state of the androidboot.selinux= property. Such permission was already granted for accessing the /proc/cmdline file for the same reason. Bug: 173815685 Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive Test: launch_cvd -guest_enforce_security=false [bootconfig method] [..] init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1. [..] Change-Id: I999c0c9d736bed18e5daea81bb0f8cc78350eba7
2021-03-09 20:29:47 +01:00
# Used to read androidboot.selinux property
allow kernel {
proc_bootconfig
proc_cmdline
}:file r_file_perms;
kernel: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { open } for path="/sys/fs/selinux/enforce" dev="selinuxfs" ino=4 scontext=u:r:kernel:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1 avc: denied { read } for name="selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { open } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 avc: denied { getattr } for path="/selinux_version" dev="rootfs" ino=4765 scontext=u:r:kernel:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=1 Change-Id: I62cbffe85941677283d3b7bf8fc1c437671569a3
2016-01-28 04:15:41 +01:00
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
allow kernel selinuxfs:file r_file_perms;
file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-24 23:02:13 +01:00
# Get file contexts during first stage
allow kernel file_contexts_file:file r_file_perms;
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 20:38:10 +02:00
# Allow init relabel itself.
allow kernel rootfs:file relabelfrom;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
allow kernel init:process share;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 15:53:00 +02:00
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
Allow mounting of usbfs. Addresses denials such as: avc: denied { mount } for pid=5 comm="kworker/u:0" name="/" dev=usbfs ino=3234 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem Change-Id: I1db52193e6a2548c37a7809ef44cf7fd3357326d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:31:27 +02:00
# Mount usbfs.
allow kernel usbfs:filesystem mount;
kernel: allow usbfs:dir search The deprecated/deleted usbfs kernel driver gets really unhappy when SELinux denies it access to directories. On flo (3.4.0 kernel), this comes across as an SELinux denial followed by a kernel panic. Steps to reproduce: 1. plug in a USB device. 2. notice nothing happens. 3. unplug the USB device 4. plug it in again, watch for restart. Expected: USB device works Actual: [329180.030242] Host mode: Set DC level as 0x68 for flo. [329180.030395] msm_hsusb_host msm_hsusb_host: Qualcomm On-Chip EHCI Host Controller [329180.030639] Unable to create devices usbfs file [329180.030944] type=1400 audit(1425327845.292:12): avc: denied { search } for pid=24033 comm="kworker/0:1" name="/" dev="usbfs" ino=291099 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=dir [329180.060394] msm_hsusb_host msm_hsusb_host: new USB bus registered, assigned bus number 1 [329180.091583] msm_hsusb_host msm_hsusb_host: irq 132, io mem 0x12500000 [deleted] [329180.120178] hub 1-0:1.0: USB hub found [329180.120452] hub 1-0:1.0: 1 port detected [329180.123199] Unable to handle kernel NULL pointer dereference at virtual address 00000070 [329180.123443] pgd = c0004000 [329180.123809] [00000070] *pgd=00000000 [329180.124206] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [329180.124481] CPU: 0 Tainted: G W (3.4.0-g2e8a935 #1) [329180.124908] PC is at mutex_lock+0xc/0x48 [329180.125122] LR is at fs_create_file+0x4c/0x128 [329180.125518] pc : [<c0916708>] lr : [<c0440ec4>] psr: a0000013 [deleted] [329180.281005] [<c0916708>] (mutex_lock+0xc/0x48) from [<c0440ec4>] (fs_create_file+0x4c/0x128) [329180.281280] [<c0440ec4>] (fs_create_file+0x4c/0x128) from [<c04410c8>] (usbfs_notify+0x84/0x2a8) [329180.281738] [<c04410c8>] (usbfs_notify+0x84/0x2a8) from [<c009c3b8>] (notifier_call_chain+0x38/0x68) [329180.282257] [<c009c3b8>] (notifier_call_chain+0x38/0x68) from [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) [329180.282745] [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) from [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) [329180.283264] [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) from [<c043ef8c>] (generic_probe+0x74/0x84) [329180.283752] [<c043ef8c>] (generic_probe+0x74/0x84) from [<c04387c4>] (usb_probe_device+0x58/0x68) [329180.284240] [<c04387c4>] (usb_probe_device+0x58/0x68) from [<c03adc78>] (driver_probe_device+0x148/0x360) [329180.284576] [<c03adc78>] (driver_probe_device+0x148/0x360) from [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) [329180.285034] [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) from [<c03adfc8>] (device_attach+0x74/0xa0) [329180.285522] [<c03adfc8>] (device_attach+0x74/0xa0) from [<c03ac94c>] (bus_probe_device+0x28/0x98) [329180.286041] [<c03ac94c>] (bus_probe_device+0x28/0x98) from [<c03ab014>] (device_add+0x444/0x5e4) [329180.286529] [<c03ab014>] (device_add+0x444/0x5e4) from [<c042f180>] (usb_new_device+0x248/0x2e4) [329180.286804] [<c042f180>] (usb_new_device+0x248/0x2e4) from [<c043472c>] (usb_add_hcd+0x420/0x64c) [329180.287292] [<c043472c>] (usb_add_hcd+0x420/0x64c) from [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) [329180.287811] [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) from [<c0091d8c>] (process_one_work+0x280/0x488) [329180.288299] [<c0091d8c>] (process_one_work+0x280/0x488) from [<c00921a8>] (worker_thread+0x214/0x3b4) [329180.288787] [<c00921a8>] (worker_thread+0x214/0x3b4) from [<c0096b14>] (kthread+0x84/0x90) [329180.289276] [<c0096b14>] (kthread+0x84/0x90) from [<c000f3c8>] (kernel_thread_exit+0x0/0x8) Allow the usbfs operation. Bug: 19568950 Change-Id: Iffdc7bd93ebde8bb75c57a324b996e1775a0fd1e
2015-03-28 10:48:46 +01:00
allow kernel usbfs:dir search;
Allow mounting of usbfs. Addresses denials such as: avc: denied { mount } for pid=5 comm="kworker/u:0" name="/" dev=usbfs ino=3234 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=filesystem Change-Id: I1db52193e6a2548c37a7809ef44cf7fd3357326d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:31:27 +02:00
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 14:05:53 +01:00
# Initial setenforce by init prior to switching to init domain.
Revisit kernel setenforce Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed. Change-Id: If335a5cf619125806c700780fcf91f8602083824
2014-05-12 23:32:59 +02:00
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
# Write to /proc/1/oom_adj prior to switching to init domain.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow kernel self:global_capability_class_set sys_resource;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
kernel: allow rebooting, and writing to /dev/__kmsg__ Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-06 02:40:07 +02:00
# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow kernel self:global_capability_class_set sys_boot;
kernel: allow rebooting, and writing to /dev/__kmsg__ Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-06 02:40:07 +02:00
allow kernel proc_sysrq:file w_file_perms;
Simplify /dev/kmsg SELinux policy. Bug: http://b/30317429 Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee Test: adb shell dmesg | grep ueventd
2016-07-26 18:46:20 +02:00
# Allow writing to /dev/kmsg which was created prior to loading policy.
kernel: allow rebooting, and writing to /dev/__kmsg__ Addresses the following denials: avc: denied { write } for pid=1 comm="init" path=2F6465762F5F5F6B6D73675F5F202864656C6574656429 dev="tmpfs" ino=7214 scontext=u:r:kernel:s0 tcontext=u:object_r:tmpfs:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=1 comm="init" name="sysrq-trigger" dev="proc" ino=4026534153 scontext=u:r:kernel:s0 tcontext=u:object_r:proc_sysrq:s0 tclass=file permissive=0 avc: denied { sys_boot } for pid=1 comm="init" capability=22 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0 (cherrypicked from commit e550e79c763bbee969ea87d5f236a9f7f67c2a5f) Change-Id: I46be370d520c4492d97c6ed7ccdc55cc20b22c49
2015-05-06 02:40:07 +02:00
allow kernel tmpfs:chr_file write;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
# Set checkreqprot by init.rc prior to switching to init domain.
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 21:56:15 +02:00
allow kernel selinuxfs:file write;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
allow kernel self:security setcheckreqprot;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
support kernel writes to external SDcards The kernel, when it creates a loop block device, starts a new kernel thread "loop0" (drivers/block/loop.c). This kernel thread, which performs writes on behalf of other processes, needs read/write privileges to the sdcard. Allow it. Steps to reproduce: 0) Get device with external, removable sdcard 1) Run: "adb install -s foo.apk" Expected: APK installs successfully. Actual: APK fails to install. Error message: Vold E Failed to write superblock (I/O error) loop0 W type=1400 audit(0.0:3123): avc: denied { read } for path="/mnt/secure/asec/smdl1645334795.tmp.asec" dev="mmcblk1p1" ino=528 scontext=u:r:kernel:s0 tcontext=u:object_r:vfat:s0 tclass=file permissive=0 PackageHelper E Failed to create secure container smdl1645334795.tmp DefContainer E Failed to create container smdl1645334795.tmp Bug: 17158723 (cherry picked from commit 4c6b13508d1786a3a835ba5427f37e963c2c7506) Change-Id: Iea727ac7958fc31d85a037ac79badbe9c85693bd
2014-08-27 21:13:28 +02:00
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
Add fusefs_type for FUSE filesystems Any FUSE filesystem will receive the 'fuse' type when mounted. It is possible to change this behaviour by specifying the "context=" or "fscontext=" option in mount(). Because 'fuse' has historically been used only for the emulated storage, it also received the 'sdcard_type' attribute. Replace the 'sdcard_type' attribute from 'fuse' with the new 'fusefs_type'. This attribute can be attached on derived types (such as app_fusefs). This change: - Remove the neverallow restriction on this new type. This means any custom FUSE implementation can be mounted/unmounted (if the correct allow rule is added). See domain.te. - Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'. See file.te. - Modify all references to 'sdcard_type' to explicitly include 'fuse' for compatibility reason. Bug: 177481425 Bug: 190804537 Test: Build and boot aosp_cf_x86_64_phone-userdebug Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
2021-06-23 10:21:49 +02:00
allow kernel { sdcard_type fuse }:file { read write };
Allow kernel sdcard access for MTP sync. Address denials such as: avc: denied { write } for pid=2587 comm="kworker/u:4" path="/storage/emulated/0/Download/AllFileFormatesFromTommy/Test3GP.3gp" dev="fuse" ino=3086052592 scontext=u:r:kernel:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file permissive=0 Change-Id: I351e84b48f1b5a3361bc680b2ef379961ac2e8ea Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Bug: 15835289
2014-06-24 19:18:02 +02:00
Add drm and kernel permissions to mediaprovider These were missing when the sepolicy was migrated. Addresses denials: E SELinux : avc: denied { find } for service=drm.drmManager pid=11769 uid=10018 scontext=u:r:mediaprovider:s0:c512,c768 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager W kworker/u16:2: type=1400 audit(0.0:1667): avc: denied { use } for path="/storage/emulated/0/DCIM/Camera/IMG_20170425_124723.jpg" dev="sdcardfs" ino=1032250 scontext=u:r:kernel:s0 tcontext=u:r:mediaprovider:s0:c512,c768 tclass=fd permissive=0 Bug: 37685394 Bug: 37686255 Test: Sync files Test: Open downloaded file Change-Id: Ibb02d233720b8510c3eec0463b8909fcc5bbb73d
2017-04-26 19:18:30 +02:00
# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
# Allow the kernel to read OBB files from app directories. (b/17428116)
# Kernel thread "loop0" reads a vold supplied file descriptor.
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
kernel.te: fix MTP sync STEPS TO REPRODUCE: 1. Connect the device to Mac. 2. Switch to AFT. 3. Now AFT on Mac will show the device contents. 4. Now drag and drop the file to device and observe. EXPECTED RESULTS: Should able to copy. OBSERVED RESULTS: Showing can not copy file and on clicking ok, It shows device storage can not connect and close the AFT. Addresses the following denial: W kworker/u:11: type=1400 audit(0.0:729): avc: denied { use } for path="/storage/emulated/0/Download/song2.mp3" dev="fuse" ino=143 scontext=u:r:kernel:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fd 12310 12530 E MtpRequestPacket: Malformed MTP request packet ps -Z entry: u:r:untrusted_app:s0:c512,c768 u0_a6 12310 203 android.process.media Bug: 15835289 Change-Id: I47b653507f8d4089b31254c19f44706077e2e96a
2015-02-27 05:33:40 +01:00
allow kernel vold:fd use;
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
allow kernel { app_data_file privapp_data_file }:file read;
Allow kernel to read asec_image_file. Address the following denial encountered when installing a forward-locked apk. W loop0 : type=1400 audit(0.0:36): avc: denied { read } for path="/data/app-asec/smdl1061145377.tmp.asec" dev="mmcblk0p28" ino=180226 scontext=u:r:kernel:s0 tcontext=u:object_r:asec_image_file:s0 tclass=file Bug: 19936901 Change-Id: I829858564a8f89677b2bb4cbd4c8fe4250ae51de
2015-03-26 20:40:07 +01:00
allow kernel asec_image_file:file read;
Allow kernel thread to read app data files When vold mounts an OBB on behalf of another application, the kernel spins up the "loop0" thread to perform the mount operation. Grant the kernel thread the ability to read app data files, so the mount operation can succeed. Steps to reproduce: 1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java Expected: 1) All tests pass Actual: Test failure, with the following error message: loop0 : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 Vold : Image mount failed (I/O error) MountService: Couldn't mount OBB file: -1 StorageManager: Received message. path=/data/data/com.android.cts.stub/files/test1.obb, state=21 TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest) TestRunner: ----- begin exception ----- TestRunner: junit.framework.AssertionFailedError: OBB should be mounted TestRunner: at junit.framework.Assert.fail(Assert.java:50) TestRunner: at junit.framework.Assert.assertTrue(Assert.java:20) TestRunner: at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235) Bug: 17428116 Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
2014-09-09 23:12:18 +02:00
Allow kernel to write to update_engine_data_file This is needed to run update_engine unittests in cuttlefish. In the test, the directory is mounted as R/W. Denial: avc: denied { write } for path="/data/misc/update_engine/tmp/a_img.NqUpaa" dev="dm-4" ino=3048 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0 strace: mount("/dev/block/loop26", "/data/local/tmp/.org.chromium.Chromium.3s2KYE", "ext2", 0, "") = -1 EIO (I/O error) Test: unittests pass Change-Id: I4658eb60240bd725bac2aef30305747ffe50aeb6
2020-02-19 08:38:09 +01:00
# Allow mounting loop device in update_engine_unittests. (b/28319454)
Add label for kernel test files and executables This required for kernel to do loopback mounts on filesystem images created by the kernel system call tests in LTP. Add a corresponding neverallow to stop all domains from accessing the location at /data/local/tmp/ltp. Bug: 73220071 Test: Boot sailfish successfully Test: run vts-kernel -m VtsKernelLtp -t syscalls.fchown04 Change-Id: I73f5f14017e22971fc246a05751ba67be4653bca Signed-off-by: Sandeep Patil <sspatil@google.com>
2018-02-20 21:41:30 +01:00
# and for LTP kernel tests (b/73220071)
Allow reading loop device in update_engine_unittests. This fixes the following denies: type=1400 audit(0.0:4389): avc: denied { read } for path="/data/misc/update_engine/tmp/a_loop_file.W0j9ss" dev="mmcblk0p13" ino=24695 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0 type=1400 audit(0.0:30): avc: denied { read } for path="/data/nativetest/update_engine_unittests/gen/disk_ext2_unittest.img" dev="mmcblk0p13" ino=71 scontext=u:r:kernel:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=file permissive=0 Bug: 28319454 Test: setenforce 1 && ./update_engine_unittests Change-Id: I8d54709d4bda06b364b5420d196d75a4ecc011d3
2016-05-03 20:07:11 +02:00
userdebug_or_eng(`
Allow kernel to write to update_engine_data_file This is needed to run update_engine unittests in cuttlefish. In the test, the directory is mounted as R/W. Denial: avc: denied { write } for path="/data/misc/update_engine/tmp/a_img.NqUpaa" dev="dm-4" ino=3048 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0 strace: mount("/dev/block/loop26", "/data/local/tmp/.org.chromium.Chromium.3s2KYE", "ext2", 0, "") = -1 EIO (I/O error) Test: unittests pass Change-Id: I4658eb60240bd725bac2aef30305747ffe50aeb6
2020-02-19 08:38:09 +01:00
allow kernel update_engine_data_file:file { read write };
domain.te & kernel.te: allow kernel to write nativetest_data_file to workaround some VTS VtsKernelLtp failures introduced by change on vfs_iter_write here: https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3 for discussion please check threads here: https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg03348.html Sandeep suggest to re-order the events in that thread, that should be the right solution, this change is only a tempory workaround before that change. Test: manually with -m VtsKernelLtp -t VtsKernelLtp#fs.fs_fill_64bit Change-Id: I3f46ff874d3dbcc556cfbeb27be21878574877d1 Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2018-05-09 15:12:50 +02:00
allow kernel nativetest_data_file:file { read write };
Allow reading loop device in update_engine_unittests. This fixes the following denies: type=1400 audit(0.0:4389): avc: denied { read } for path="/data/misc/update_engine/tmp/a_loop_file.W0j9ss" dev="mmcblk0p13" ino=24695 scontext=u:r:kernel:s0 tcontext=u:object_r:update_engine_data_file:s0 tclass=file permissive=0 type=1400 audit(0.0:30): avc: denied { read } for path="/data/nativetest/update_engine_unittests/gen/disk_ext2_unittest.img" dev="mmcblk0p13" ino=71 scontext=u:r:kernel:s0 tcontext=u:object_r:nativetest_data_file:s0 tclass=file permissive=0 Bug: 28319454 Test: setenforce 1 && ./update_engine_unittests Change-Id: I8d54709d4bda06b364b5420d196d75a4ecc011d3
2016-05-03 20:07:11 +02:00
')
Allow access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Added for: adbd, kernel, mediaserver, and shell Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27915475 Bug: 27937873 Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
2016-03-31 22:53:42 +02:00
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow kernel media_rw_data_file:dir create_dir_perms;
allow kernel media_rw_data_file:file create_file_perms;
Grant kernel access to new "virtual_disk" file. This is a special file that can be mounted as a loopback device to exercise adoptable storage code on devices that don't have valid physical media. For example, they may only support storage media through a USB OTG port that is being used for an adb connection. avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0 Bug: 34903607 Change-Id: I84721ec0e9495189a7d850461875df1839826212
2017-03-26 22:50:59 +02:00
# Access to /data/misc/vold/virtual_disk.
kernel: allow write access to /data/misc/vold/virtual_disk The kernel thread which manages this file really needs read/write access to this file, not read-only. This was suspected in b/36626310 but apparently something must have changed in the kernel surrounding permission checking for kernel threads (still unknown) Bug: 36626310 Bug: 117148019 Bug: 116841589 Test: policy compiles Change-Id: I9c42541e2567a79b2d741eebf3ddf219f59478a9
2018-10-10 04:47:38 +02:00
allow kernel vold_data_file:file { read write };
Grant kernel access to new "virtual_disk" file. This is a special file that can be mounted as a loopback device to exercise adoptable storage code on devices that don't have valid physical media. For example, they may only support storage media through a USB OTG port that is being used for an adb connection. avc: denied { read } for path="/data/misc/vold/virtual_disk" dev="sda35" ino=508695 scontext=u:r:kernel:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0 Bug: 34903607 Change-Id: I84721ec0e9495189a7d850461875df1839826212
2017-03-26 22:50:59 +02:00
Allow the kernel to read staging_data_file. These are APEX files in /data/staging, and will be accessed by the loop driver in the kernel. Bug: 118865310 Test: no denials on emulator Change-Id: I5c849b6677566cb00d28011352b9dc6b787a0bc4
2019-01-16 13:52:50 +01:00
# Allow the kernel to read APEX file descriptors and (staged) data files;
Allow the kernel to access apexd file descriptors. In earlier kernel versions (<4.0), the loopback driver issues requests from a kernel thread. Therefore, the kernel needs access to APEX file descriptors and data files (which are loopback mounted). Bug: 119220815 Test: mounting works on sailfish Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
2018-11-08 10:37:36 +01:00
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
Adding vendor_apex_file for /vendor/apex apexd needs to read /vendor/apex dir and files in it. Bug: 131190070 Bug: 123378252 Test: 1. Add apex to /vendor/apex -> see if boot succeeds with new policy 2. Add flattened apex to /vendor/apex -> see if only root files are labelled as vendor_apex_file Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
2019-04-24 03:45:40 +02:00
allow kernel {
apex_data_file
staging_data_file
vendor_apex_file
}:file read;
Allow kernel to write to shell_data_file loop devices in userdebug builds. Tests around Virtual A/B, DSUs, remount etc need to create loop devices and write to them, which requires the kernel domain to have file write access. However there are very few contexts where this is allowed, and most are for testing. These testing locations are not consistently available (eg, /data/nativetest does not always exist). We already allow readonly loop devices in /data/local/tmp for testing purposes, so this adds write support as well (userdebug/eng only). Bug: 218976943 Test: fiemap_image_test Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
2022-07-20 20:20:04 +02:00
# Also allow the kernel to read/write /data/local/tmp files via loop device
# for ApexTestCases and fiemap_image_test.
Allow the kernel to read shell_data_file In ApexTestCases, a temp file in /data/local/tmp is used via a loop device, which requires the kernel to read it. This is only allowed in userdebug/eng. Bug: 192259606 Test: ApexTestCases Change-Id: Ic7d3e67a8a3e818b43b7caead9053d82cbcbccf7
2021-06-30 17:04:41 +02:00
userdebug_or_eng(`
Allow kernel to write to shell_data_file loop devices in userdebug builds. Tests around Virtual A/B, DSUs, remount etc need to create loop devices and write to them, which requires the kernel domain to have file write access. However there are very few contexts where this is allowed, and most are for testing. These testing locations are not consistently available (eg, /data/nativetest does not always exist). We already allow readonly loop devices in /data/local/tmp for testing purposes, so this adds write support as well (userdebug/eng only). Bug: 218976943 Test: fiemap_image_test Change-Id: Ic83ff5ef57241215240228ecaee3d9d07ff31d8e
2022-07-20 20:20:04 +02:00
allow kernel shell_data_file:file { read write };
Allow the kernel to read shell_data_file In ApexTestCases, a temp file in /data/local/tmp is used via a loop device, which requires the kernel to read it. This is only allowed in userdebug/eng. Bug: 192259606 Test: ApexTestCases Change-Id: Ic7d3e67a8a3e818b43b7caead9053d82cbcbccf7
2021-06-30 17:04:41 +02:00
')
Allow the kernel to access apexd file descriptors. In earlier kernel versions (<4.0), the loopback driver issues requests from a kernel thread. Therefore, the kernel needs access to APEX file descriptors and data files (which are loopback mounted). Bug: 119220815 Test: mounting works on sailfish Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
2018-11-08 10:37:36 +01:00
Strengthen ptrace neverallow rules Add additional compile time constraints on the ability to ptrace various sensitive domains. llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init. crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy. Test: policy compiles and device boots Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-13 20:07:14 +02:00
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
allow kernel system_file:file execute;
# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
recovery_only(`
allow kernel rootfs:file execute;
')
Add permission required by libdm_test This CL fixes the following denials during libdm_test that is part of VTS. avc: denied { read } for comm="loop1" path=2F6D656D66643A66696C655F32202864656C6574656429 dev="tmpfs" ino=97742 scontext=u:r:kernel:s0 tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0 W loop1 : type=1400 audit(0.0:371): avc: denied { read } for path=2F6D656D66643A66696C655F32202864656C6574656429 dev="tmpfs" ino=97742 scontext=u:r:kernel:s0 tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0 Bug: 135004816 Test: adb shell libdm_test Change-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa Merged-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa
2019-06-17 19:06:56 +02:00
# required by VTS lidbm unit test
Update kernel permissions to pass libdm snapshot unit test Bug: 143654050 Test: libdm_test Change-Id: I671937b3f3144066bf3529e11ad19a73b0eb685e
2019-11-01 19:38:06 +01:00
allow kernel appdomain_tmpfs:file { read write };
Add permission required by libdm_test This CL fixes the following denials during libdm_test that is part of VTS. avc: denied { read } for comm="loop1" path=2F6D656D66643A66696C655F32202864656C6574656429 dev="tmpfs" ino=97742 scontext=u:r:kernel:s0 tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0 W loop1 : type=1400 audit(0.0:371): avc: denied { read } for path=2F6D656D66643A66696C655F32202864656C6574656429 dev="tmpfs" ino=97742 scontext=u:r:kernel:s0 tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0 Bug: 135004816 Test: adb shell libdm_test Change-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa Merged-Id: Ifb6d58ee6f032cdf3952a05667aa8696d6e2a2fa
2019-06-17 19:06:56 +02:00
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 16:09:35 +02:00
###
### neverallow rules
###
# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
Replace "neverallow domain" by "neverallow *" Modify many "neverallow domain" rules to be "neverallow *" rules instead. This will catch more SELinux policy bugs where a label is assigned an irrelevant rule, as well as catch situations where a domain attribute is not assigned to a process. Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
2016-02-05 23:48:03 +01:00
neverallow * kernel:process { transition dyntransition };
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
# If you encounter an execute_no_trans denial on the kernel domain, then
# possible causes include:
# - The program is a kernel usermodehelper. In this case, define a domain
# for the program and domain_auto_trans() to it.
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
kernel.te: tighten entrypoint / execute_no_trans neverallow The kernel domain exists solely on boot, and is used by kernel threads. Because of the way the system starts, there is never an entrypoint for that domain, not even a file on rootfs. So tighten up the neverallow restriction. Remove an obsolete comment. The *.rc files no longer have a setcon statement, and the transition from the kernel domain to init occurs because init re-execs itself. The statement no longer applies. Test: bullhead policy compiles. Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
2016-10-31 02:42:17 +01:00
neverallow kernel *:file { entrypoint execute_no_trans };
kernel: neverallow dac_{override,read_search} perms The kernel should never be accessing files owned by other users. Disallow this access. Test: Marlin builds. Neverallow are build time assertions, they do not policy on the device. Change-Id: I6ba2eb27c0e2ecf46974059588508cd3223baceb
2017-02-22 23:30:47 +01:00
# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
init is a dynamic executable init is now a dynamic executable. So it has to be able to execute the dynamic linker (/system/bin/linker) and shared libraries (e.g., /system/lib/libc.so). Furthermore, when in recovery mode, the files are all labeled as rootfs - because the recovery ramdisk does not support xattr, so files of type rootfs is allowed to be executed. Do the same for kernel and ueventd because they are executing the init executable. Bug: 63673171 Test: `adb reboot recovery; adb devices` shows the device ID Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396
2018-06-01 12:28:59 +02:00
Strengthen ptrace neverallow rules Add additional compile time constraints on the ability to ptrace various sensitive domains. llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init. crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy. Test: policy compiles and device boots Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-13 20:07:14 +02:00
# Nobody should be ptracing kernel threads
neverallow * kernel:process ptrace;
Reference in a new issue Copy permalink