platform_system_sepolicy/public/attributes

452 lines
14 KiB
Text
Raw Normal View History

2012-01-04 18:33:27 +01:00
######################################
# Attribute declarations
#
# All types used for devices.
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
2012-01-04 18:33:27 +01:00
attribute dev_type;
much more finegrained bpf selinux privs for networking mainline Goal is to gain a better handle on who has access to which maps and to allow (with bpfloader changes to create in one directory and move into the target directory) per-map selection of selinux context, while still having reasonable defaults for stuff pinned directly into the target location. BPFFS (ie. /sys/fs/bpf) labelling is as follows: subdirectory selinux context mainline usecase / usable by / fs_bpf no (*) core operating system (ie. platform) /net_private fs_bpf_net_private yes, T+ network_stack /net_shared fs_bpf_net_shared yes, T+ network_stack & system_server /netd_readonly fs_bpf_netd_readonly yes, T+ network_stack & system_server & r/o to netd /netd_shared fs_bpf_netd_shared yes, T+ network_stack & system_server & netd [**] /tethering fs_bpf_tethering yes, S+ network_stack /vendor fs_bpf_vendor no, T+ vendor * initial support for bpf was added back in P, but things worked differently back then with no bpfloader, and instead netd doing stuff by hand, bpfloader with pinning into /sys/fs/bpf was (I believe) added in Q (and was definitely there in R) ** additionally bpf programs are accesible to netutils_wrapper for use by iptables xt_bpf extensions 'mainline yes' currently means shipped by the com.android.tethering apex, but this is really another case of bad naming, as it's really the 'networking/connectivity/tethering' apex / mainline module. Long term the plan is to merge a few other networking mainline modules into it (and maybe give it a saner name...). The reason for splitting net_private vs tethering is that: S+ must support 4.9+ kernels and S era bpfloader v0.2+ T+ must support 4.14+ kernels and T beta3 era bpfloader v0.13+ The kernel affects the intelligence of the in-kernel bpf verifier and the available bpf helper functions. Older kernels have a tendency to reject programs that newer kernels allow. / && /vendor are not shipped via mainline, so only need to work with the bpfloader that's part of the core os. Bug: 218408035 Test: TreeHugger, manually on cuttlefish Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I674866ebe32aca4fc851818c1ffcbec12ac4f7d4 (cherry picked from commit 15715aea32b85c933778b97a46de6ccab42ca7fb)
2022-05-21 14:03:29 +02:00
# Attribute for all bpf filesystem subtypes.
attribute bpffs_type;
2012-01-04 18:33:27 +01:00
# All types used for processes.
attribute domain;
# All types used for filesystems.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
2012-01-04 18:33:27 +01:00
attribute fs_type;
# All types used for context= mounts.
attribute contextmount_type;
# All types referencing a FUSE filesystem.
# When mounting a new FUSE filesystem, the fscontext= option should be used to
# set a domain-specific type with this attribute. See app_fusefs for an
# example.
attribute fusefs_type;
2012-01-04 18:33:27 +01:00
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
2012-01-04 18:33:27 +01:00
attribute file_type;
# All types used for domain entry points.
attribute exec_type;
# All types used for /data files.
attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
expandattribute core_data_file_type false;
# All types used for app private data files in seapp_contexts.
# Such types should not be applied to any other files.
attribute app_data_file_type;
expandattribute app_data_file_type false;
# All types in /system
attribute system_file_type;
# All types in /system_dlkm
attribute system_dlkm_file_type;
# All types in /vendor
attribute vendor_file_type;
# All types used for procfs files.
attribute proc_type;
expandattribute proc_type false;
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
# Types in /proc/net, excluding qtaguid types.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. it is temporary and will
# be removed.
attribute proc_net_type;
expandattribute proc_net_type true;
# All types used for sysfs files.
2012-01-04 18:33:27 +01:00
attribute sysfs_type;
# All types use for debugfs files.
attribute debugfs_type;
# All types used for tracefs files.
attribute tracefs_type;
# Attribute used for all sdcards
attribute sdcard_type;
2012-01-04 18:33:27 +01:00
# All types used for nodes/hosts.
attribute node_type;
# All types used for network interfaces.
attribute netif_type;
# All types used for network ports.
attribute port_type;
# All types used for property service
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute property_type;
# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
# All properties used to configure log filtering.
attribute log_property_type;
# All properties that are not specific to device but are added from
# outside of AOSP. (e.g. OEM-specific properties)
# These properties are not accessible from device-specific domains
attribute extended_core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
# Properties used for representing ownership. All properties should have one
# of: system_property_type, product_property_type, or vendor_property_type.
# All properties defined by /system.
attribute system_property_type;
expandattribute system_property_type false;
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
expandattribute system_public_property_type false;
# All keystore2_key labels.
attribute keystore2_key_type;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
define(`product_property_type', `system_property_type')
define(`product_internal_property_type', `system_internal_property_type')
define(`product_restricted_property_type', `system_restricted_property_type')
define(`product_public_property_type', `system_public_property_type')
# All properties defined by /vendor.
attribute vendor_property_type;
expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
# services which should be available to all ephemeral apps
attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which are explicitly disallowed for untrusted apps to access
attribute protected_service;
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
attribute service_manager_type;
# All types used for services managed by hwservicemanager
attribute hwservice_manager_type;
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-22 02:06:43 +02:00
# All HwBinder services guaranteed to be passthrough. These services always run
# in the process of their clients, and thus operate with the same access as
# their clients.
attribute same_process_hwservice;
# All HwBinder services guaranteed to be offered only by core domain components
attribute coredomain_hwservice;
# All HwBinder services that untrusted apps can't directly access
attribute protected_hwservice;
# All types used for services managed by vndservicemanager
attribute vndservice_manager_type;
# All services declared as part of an HAL
attribute hal_service_type;
2012-01-04 18:33:27 +01:00
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
# All domains used for apps.
attribute appdomain;
# All third party apps (except isolated_app and ephemeral_app)
attribute untrusted_app_all;
# All apps with UID between AID_ISOLATED_START (99000) and AID_ISOLATED_END (99999).
attribute isolated_app_all;
# All service types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_service;
# All device types that would be allowed for isolated_compute_app.
attribute isolated_compute_allowed_device;
2012-01-04 18:33:27 +01:00
# All domains used for apps with network access.
attribute netdomain;
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
# Specific domains that expose a binder service.
# Deprecated, consider granting the exact permissions required by your service.
2012-01-04 18:33:27 +01:00
attribute binderservicedomain;
# All domains which have BPF access.
attribute bpfdomain;
expandattribute bpfdomain false;
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
# All vendor hwservice.
attribute vendor_hwservice_type;
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
attribute socket_between_core_and_vendor_violators;
expandattribute socket_between_core_and_vendor_violators false;
# All vendor domains which violate the requirement of not executing
# system processes
# TODO(b/36463595)
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;
# All domains which violate the requirement of not sharing files by path
# between between vendor and core domains.
# TODO(b/34980020)
attribute data_between_core_and_vendor_violators;
expandattribute data_between_core_and_vendor_violators false;
# All system domains which violate the requirement of not executing vendor
# binaries/libraries.
# TODO(b/62041836)
attribute system_executes_vendor_violators;
expandattribute system_executes_vendor_violators false;
# All system domains which violate the requirement of not writing vendor
# properties.
# TODO(b/78598545): Remove this once there are no violations
attribute system_writes_vendor_properties_violators;
expandattribute system_writes_vendor_properties_violators false;
# All system domains which violate the requirement of not writing to
# /mnt/vendor/*. Must not be used on devices launched with P or later.
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
attribute untrusted_app_visible_hwservice_violators;
expandattribute untrusted_app_visible_hwservice_violators false;
# halserver domains that are accessible to untrusted applications. These
# domains are typically those hosting hwservices attributed by the
# untrusted_app_visible_hwservice_violators.
# WARNING: Use of this attribute should be avoided unless absolutely necessary.
# It is a temporary allowance to aid the transition to treble and will be
# removed in the future platform version, requiring all halserver domains that
# are labeled with this attribute to be submitted to AOSP in order to maintain
# their app-visibility.
attribute untrusted_app_visible_halserver_violators;
expandattribute untrusted_app_visible_halserver_violators false;
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
expandattribute pdx_endpoint_socket_type false;
attribute pdx_channel_socket_type;
expandattribute pdx_channel_socket_type false;
pdx_service_attributes(display_client)
pdx_service_attributes(display_manager)
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
pdx_service_attributes(bufferhub_client)
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
# All HAL servers
attribute halserverdomain;
# All HAL clients
attribute halclientdomain;
expandattribute halclientdomain true;
# Exempt for halserverdomain to access sockets. Only builds for automotive
# device types are allowed to use this attribute (enforced by CTS).
# Unlike phone, in a car many modules are external from Android perspective and
# HALs should be able to communicate with those devices through sockets.
attribute hal_automotive_socket_exemption;
# HALs
hal_attribute(allocator);
hal_attribute(atrace);
hal_attribute(audio);
hal_attribute(audiocontrol);
hal_attribute(authgraph);
hal_attribute(authsecret);
hal_attribute(bluetooth);
hal_attribute(bootctl);
hal_attribute(broadcastradio);
hal_attribute(camera);
hal_attribute(can_bus);
hal_attribute(can_controller);
hal_attribute(cas);
hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);
hal_attribute(face);
hal_attribute(fastboot);
hal_attribute(fingerprint);
hal_attribute(gatekeeper);
hal_attribute(gnss);
hal_attribute(graphics_allocator);
hal_attribute(graphics_composer);
hal_attribute(health);
hal_attribute(health_storage);
hal_attribute(identity);
hal_attribute(input_classifier);
hal_attribute(input_processor);
hal_attribute(ir);
hal_attribute(ivn);
hal_attribute(keymaster);
hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(macsec);
hal_attribute(memtrack);
hal_attribute(neuralnetworks);
hal_attribute(nfc);
hal_attribute(nlinterceptor);
hal_attribute(oemlock);
hal_attribute(omx);
hal_attribute(power);
hal_attribute(power_stats);
hal_attribute(rebootescrow);
hal_attribute(remoteaccess);
hal_attribute(secretkeeper);
hal_attribute(remotelyprovisionedcomponent_avf);
hal_attribute(secure_element);
hal_attribute(sensors);
hal_attribute(telephony);
hal_attribute(tetheroffload);
hal_attribute(thermal);
hal_attribute(threadnetwork);
hal_attribute(tv_cec);
hal_attribute(tv_hdmi_cec);
hal_attribute(tv_hdmi_connection);
hal_attribute(tv_hdmi_earc);
hal_attribute(tv_input);
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
hal_attribute(uwb);
# TODO(b/196225233): Remove this attribute and its usages elsewhere
# once all chip vendors integrate to the new UWB stack.
hal_attribute(uwb_vendor);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
hal_attribute(weaver);
hal_attribute(wifi);
hal_attribute(wifi_hostapd);
hal_attribute(wifi_supplicant);
# HwBinder services offered across the core-vendor boundary
#
# We annotate server domains with x_server to loosen the coupling between
# system and vendor images. For example, it should be possible to move a service
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
attribute automotive_display_service_server;
attribute camera_service_server;
attribute display_service_server;
attribute evsmanager_service_server;
attribute remote_provisioning_service_server;
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;
# All types used for super partition block devices.
attribute super_block_device_type;
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
# Types for VM managers
attribute vm_manager_device_type;
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
# Types used for module-specific APEX data directories under
# /data/{misc,misc_ce,misc_de}/apexdata.
attribute apex_data_file_type;
# Domains used for charger.
# This is the common type for domains that executes charger's
# functionalities, including setting and getting necessary properties,
# permissions to maintain the health loop, writing to kernel log, handling
# inputs and drawing screens, etc.
attribute charger_type;
# All types of ART properties.
attribute dalvik_config_prop_type;