platform_system_sepolicy/public/ppp.te

# Point to Point Protocol daemon
type ppp, domain;
type ppp_device, dev_type;
type ppp_exec, system_file_type, exec_type, file_type;

net_domain(ppp)

r_dir_file(ppp, proc_net_type)

allow ppp mtp:{ socket pppox_socket } rw_socket_perms;

# ioctls needed for VPN.
allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;

allow ppp mtp:unix_dgram_socket rw_socket_perms;
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:global_capability_class_set net_admin;
allow ppp system_file:file rx_file_perms;
not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
allow ppp vpn_data_file:dir w_dir_perms;
allow ppp vpn_data_file:file create_file_perms;
allow ppp mtp:fd use;
Add ppp/mtp policy. Initial policy for Point-to-Point tunneling and tunneling manager services. 2012-08-20 12:13:28 +02:00			`# Point to Point Protocol daemon`
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b 2017-05-15 22:19:03 +02:00			`type ppp, domain;`
Add ppp/mtp policy. Initial policy for Point-to-Point tunneling and tunneling manager services. 2012-08-20 12:13:28 +02:00			`type ppp_device, dev_type;`
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 19:21:37 +02:00			`type ppp_exec, system_file_type, exec_type, file_type;`
Make ppp permissive or unconfined. Also add rules from our policy. Change-Id: I6f552538cc4f6b28b2883aa74832230944cbdb7a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:38 +01:00
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-24 21:06:11 +01:00			`net_domain(ppp)`

Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e) 2018-04-10 21:47:48 +02:00			`r_dir_file(ppp, proc_net_type)`
domain_deprecated.te: remove /proc/net access Remove /proc/net access to domain_deprecated. Add it to domains where it was missing before. Other than these domains, SELinux denial monitoring hasn't picked up any denials related to /proc/net Bug: 28760354 Test: Device boots Test: No unexpected denials in denial collection logs. Change-Id: Ie5bfa4bc0070793c1e8bf3b00676fd31c08d426a 2016-12-01 00:22:18 +01:00
ppp: support using pppox_socket family Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families") modified the kernel to support fine grain differentiation of socket families, if userspace enables it (which Android does). Modify the ppp SELinux policy to allow the use of pppox_socket (needed for kernels 4.14 or greater) and the generic "socket" family (for kernels below 4.14). Addresses the following denials: 04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1 04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1 Bug: 130852066 Test: compiles Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc 2019-05-06 21:52:17 +02:00			`allow ppp mtp:{ socket pppox_socket } rw_socket_perms;`
ppp: Allow specific ioctls on mtp:socket. The fix for b/35100237 surfaced this error. This SELinux policy fragment was included only on Marlin, but needs to be included in core policy. Bug: 35100237 Test: With https://android-review.googlesource.com/#/c/354292/ Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin. Test: Connect: 03-17 15:41:22.602 3809 3809 I mtpd : Starting pppd (pppox = 9) 03-17 15:41:22.628 3811 3811 I pppd : Using PPPoX (socket = 9) 03-17 15:41:22.637 3811 3811 I pppd : pppd 2.4.7 started by vpn, uid 1016 03-17 15:41:22.639 3811 3811 I pppd : Using interface ppp0 03-17 15:41:22.639 3811 3811 I pppd : Connect: ppp0 <--> 03-17 15:41:22.770 3811 3811 I pppd : CHAP authentication succeeded 03-17 15:41:22.909 3811 3811 I pppd : MPPE 128-bit stateless compression enabled 03-17 15:41:23.065 3811 3811 I pppd : local IP address 172.16.36.113 03-17 15:41:23.065 3811 3811 I pppd : remote IP address 172.16.36.1 03-17 15:41:23.065 3811 3811 I pppd : primary DNS address 8.8.8.8 03-17 15:41:23.065 3811 3811 I pppd : secondary DNS address 91.239.100.100 Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927 2017-03-17 18:48:39 +01:00
			`# ioctls needed for VPN.`
			`allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;`
ppp: support using pppox_socket family Kernel commit da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families") modified the kernel to support fine grain differentiation of socket families, if userspace enables it (which Android does). Modify the ppp SELinux policy to allow the use of pppox_socket (needed for kernels 4.14 or greater) and the generic "socket" family (for kernels below 4.14). Addresses the following denials: 04-19 20:25:34.059 16848 16848 I pppd : type=1400 audit(0.0:8703): avc: denied { read write } for dsm=HS_Q path="socket:[171178]" dev="sockfs" ino=171178 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1 04-19 20:25:34.075 16848 16848 I pppd : type=1400 audit(0.0:8704): avc: denied { ioctl } for dsm=HS_Q path="socket:[171179]" dev="sockfs" ino=171179 ioctlcmd=0x7437 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=pppox_socket permissive=1 Bug: 130852066 Test: compiles Change-Id: I00cc07108acaac5f2519ad0093d9db9572e325dc 2019-05-06 21:52:17 +02:00			`allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;`
ppp: Allow specific ioctls on mtp:socket. The fix for b/35100237 surfaced this error. This SELinux policy fragment was included only on Marlin, but needs to be included in core policy. Bug: 35100237 Test: With https://android-review.googlesource.com/#/c/354292/ Test: Set up PPTP VPN using http://www.vpnbook.com/ on Marlin. Test: Connect: 03-17 15:41:22.602 3809 3809 I mtpd : Starting pppd (pppox = 9) 03-17 15:41:22.628 3811 3811 I pppd : Using PPPoX (socket = 9) 03-17 15:41:22.637 3811 3811 I pppd : pppd 2.4.7 started by vpn, uid 1016 03-17 15:41:22.639 3811 3811 I pppd : Using interface ppp0 03-17 15:41:22.639 3811 3811 I pppd : Connect: ppp0 <--> 03-17 15:41:22.770 3811 3811 I pppd : CHAP authentication succeeded 03-17 15:41:22.909 3811 3811 I pppd : MPPE 128-bit stateless compression enabled 03-17 15:41:23.065 3811 3811 I pppd : local IP address 172.16.36.113 03-17 15:41:23.065 3811 3811 I pppd : remote IP address 172.16.36.1 03-17 15:41:23.065 3811 3811 I pppd : primary DNS address 8.8.8.8 03-17 15:41:23.065 3811 3811 I pppd : secondary DNS address 91.239.100.100 Change-Id: I192b4dfc9613d1000f804b9c4ca2727d502a1927 2017-03-17 18:48:39 +01:00
Allow ppp to inherit/use mtp unix datagram socket. Resolves denials such as: avc: denied { read write } for path="socket:[33571]" dev="sockfs" ino=33571 scontext=u:r:ppp:s0 tcontext=u:r:mtp:s0 tclass=unix_dgram_socket Change-Id: Icb1ee00d8513179039bfb738647f49480e836f25 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-13 14:24:38 +02:00			`allow ppp mtp:unix_dgram_socket rw_socket_perms;`
Make ppp permissive or unconfined. Also add rules from our policy. Change-Id: I6f552538cc4f6b28b2883aa74832230944cbdb7a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:38 +01:00			`allow ppp ppp_device:chr_file rw_file_perms;`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow ppp self:global_capability_class_set net_admin;`
Make ppp permissive or unconfined. Also add rules from our policy. Change-Id: I6f552538cc4f6b28b2883aa74832230944cbdb7a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:38 +01:00			`allow ppp system_file:file rx_file_perms;`
restore permissions to /vendor for non-treble devices Relabeling /vendor and /system/vendor to vendor_file removed previously granted permissions. Restore these for non-treble devices. Addresses: avc: denied { execute_no_trans } for pid=2944 comm="dumpstate" path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0 tclass=file And potentially some other bugs that have yet to surface. Bug: 37105075 Test: build Fugu Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8 2017-04-14 06:58:12 +02:00			not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
Make ppp permissive or unconfined. Also add rules from our policy. Change-Id: I6f552538cc4f6b28b2883aa74832230944cbdb7a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:38 +01:00			`allow ppp vpn_data_file:dir w_dir_perms;`
			`allow ppp vpn_data_file:file create_file_perms;`
			`allow ppp mtp:fd use;`