platform_system_sepolicy/private/mls

#################################################
# MLS policy constraints
#

#
# Process constraints
#

# Process transition:  Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
	     (l1 dom l2 or t1 == mlstrustedsubject);

# Process write operations:  Require equivalence unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
	     (l1 eq l2 or t1 == mlstrustedsubject);

#
# Socket constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted.  Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);

# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
mlsconstrain unix_dgram_socket { sendto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

# Stream connect:  Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);

#
# Directory/file constraints
#

# Create/relabel operations:  Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));

#
# Constraints for app data files only.
#

# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
	     (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);

#
# Constraints for file types other than app data files.
#

# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

mlsconstrain fifo_file { write setattr append unlink link rename }
	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);

#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
#	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
SE Android policy. 2012-01-04 18:33:27 +01:00			`#################################################`
			`# MLS policy constraints`
			`#`

			`#`
			`# Process constraints`
			`#`

			`# Process transition: Require equivalence unless the subject is trusted.`
			`mlsconstrain process { transition dyntransition }`
			`((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);`

			`# Process read operations: No read up unless trusted.`
			`mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }`
			`(l1 dom l2 or t1 == mlstrustedsubject);`

sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`# Process write operations: Require equivalence unless trusted.`
SE Android policy. 2012-01-04 18:33:27 +01:00			`mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }`
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`(l1 eq l2 or t1 == mlstrustedsubject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
			`#`
			`# Socket constraints`
			`#`

Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00			`# Create/relabel operations: Subject must be equivalent to object unless`
			`# the subject is trusted. Sockets inherit the range of their creator.`
			`mlsconstrain socket_class_set { create relabelfrom relabelto }`
			`((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`# Datagram send: Sender must be equivalent to the receiver unless one of them`
			`# is trusted.`
SE Android policy. 2012-01-04 18:33:27 +01:00			`mlsconstrain unix_dgram_socket { sendto }`
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
			`# Stream connect: Client must be equivalent to server unless one of them`
			`# is trusted.`
			`mlsconstrain unix_stream_socket { connectto }`
			`(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);`

			`#`
			`# Directory/file constraints`
			`#`

			`# Create/relabel operations: Subject must be equivalent to object unless`
			`# the subject is trusted. Also, files should always be single-level.`
			`# Do NOT exempt mlstrustedobject types from this constraint.`
			`mlsconstrain dir_file_class_set { create relabelfrom relabelto }`
			`(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));`

Revert "Drop special handling of app_data_file in mls constraints." This reverts commit 27042f6da110b8bef9ff291f724351464958da86. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b 2015-03-04 18:50:34 +01:00			`#`
			`# Constraints for app data files only.`
			`#`

			`# Only constrain open, not read/write.`
			`# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.`
Enforce per-app data protections for targetSdk 28+ Adds per-app categories to untrusted app domains and their app data types. Per-app categories are in addition to the existing per-user categories. Apps targeting sdk version 28+ will now have the following characteristics: Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Whereas apps targeting 27- will look like: Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+ Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+ To ensure backwards compatibility with previous SDK versions, the levelFrom=all now enforces categories by dominance instead of equality. Apps with per-app and per-user categories will continue to have selinux permissions (but not necessarily unix permissions) to access app data with only per-user categories, but apps with only per-user categories will not be able to access the data of apps with both per-app and per-user categories. Bug: 63897054 Test: Boot sailfish, run apps, verify no new selinux denials. Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases Test: adb sideload an OTA and verify that files are correctly labeled. Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 2017-12-18 05:55:12 +01:00			`# Subject must dominate object unless the subject is trusted.`
Revert "Drop special handling of app_data_file in mls constraints." This reverts commit 27042f6da110b8bef9ff291f724351464958da86. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b 2015-03-04 18:50:34 +01:00			`mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }`
Enforce per-app data protections for targetSdk 28+ Adds per-app categories to untrusted app domains and their app data types. Per-app categories are in addition to the existing per-user categories. Apps targeting sdk version 28+ will now have the following characteristics: Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Whereas apps targeting 27- will look like: Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+ Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+ To ensure backwards compatibility with previous SDK versions, the levelFrom=all now enforces categories by dominance instead of equality. Apps with per-app and per-user categories will continue to have selinux permissions (but not necessarily unix permissions) to access app data with only per-user categories, but apps with only per-user categories will not be able to access the data of apps with both per-app and per-user categories. Bug: 63897054 Test: Boot sailfish, run apps, verify no new selinux denials. Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases Test: adb sideload an OTA and verify that files are correctly labeled. Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 2017-12-18 05:55:12 +01:00			`(t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);`
Revert "Drop special handling of app_data_file in mls constraints." This reverts commit 27042f6da110b8bef9ff291f724351464958da86. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b 2015-03-04 18:50:34 +01:00			`mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }`
Enforce per-app data protections for targetSdk 28+ Adds per-app categories to untrusted app domains and their app data types. Per-app categories are in addition to the existing per-user categories. Apps targeting sdk version 28+ will now have the following characteristics: Domain: u:r:untrusted_app:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+,c[0-9],c[0-9] Whereas apps targeting 27- will look like: Domain: u:r:untrusted_app_27:s0:c[0-9]+,c[0-9]+ Data context: u:object_r:app_data_file:s0:c[0-9]+,c[0-9]+ To ensure backwards compatibility with previous SDK versions, the levelFrom=all now enforces categories by dominance instead of equality. Apps with per-app and per-user categories will continue to have selinux permissions (but not necessarily unix permissions) to access app data with only per-user categories, but apps with only per-user categories will not be able to access the data of apps with both per-app and per-user categories. Bug: 63897054 Test: Boot sailfish, run apps, verify no new selinux denials. Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases Test: adb sideload an OTA and verify that files are correctly labeled. Change-Id: I64b013874fe87b55f47e817a1279e76ecf86b7c0 2017-12-18 05:55:12 +01:00			`(t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);`
Revert "Drop special handling of app_data_file in mls constraints." This reverts commit 27042f6da110b8bef9ff291f724351464958da86. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b 2015-03-04 18:50:34 +01:00
			`#`
			`# Constraints for file types other than app data files.`
			`#`

SE Android policy. 2012-01-04 18:33:27 +01:00			`# Read operations: Subject must dominate object unless the subject`
			`# or the object is trusted.`
			`mlsconstrain dir { read getattr search }`
Revert "Drop special handling of app_data_file in mls constraints." This reverts commit 27042f6da110b8bef9ff291f724351464958da86. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b 2015-03-04 18:50:34 +01:00			`(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
Revert "Drop special handling of app_data_file in mls constraints." This reverts commit 27042f6da110b8bef9ff291f724351464958da86. Managed profiles are represented by new android users which have the ability to communicate across profiles as governed by an IntentFilter provisioned by the DevicePolicyManager. This communication includes reading and writing content URIs, which is currently obstructed by the mls separation between an owning user and its managed profile. Bug: 19444116 Bug: 19525465 Bug: 19540297 Bug: 19592525 Change-Id: Id9a97f24081902bceab5a96ddffd9276d751775b 2015-03-04 18:50:34 +01:00			`mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }`
			`(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`# Write operations: Subject must be equivalent to the object unless the`
SE Android policy. 2012-01-04 18:33:27 +01:00			`# subject or the object is trusted.`
			`mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }`
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`(t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
			`mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }`
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`(t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);`
SE Android policy. 2012-01-04 18:33:27 +01:00
			`# Special case for FIFOs.`
			`# These can be unnamed pipes, in which case they will be labeled with the`
			`# creating process' label. Thus we also have an exemption when the "object"`
sepolicy: allow cross-user unnamed pipe access Exempt unnamed pipes from the MLS constraints so that they can be used for cross-user communications when passed over binder or local socket IPC. Addresses denials such as: avc: denied { read } for path="pipe:[59071]" dev="pipefs" ino=59071 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fifo_file Bug: 19087939 Change-Id: I77d494c4a38bf473fec05b728eaf253484deeaf8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-02-20 18:30:31 +01:00			`# is a domain type, so that processes can communicate via unnamed pipes`
			`# passed by binder or local socket IPC.`
SE Android policy. 2012-01-04 18:33:27 +01:00			`mlsconstrain fifo_file { read getattr }`
sepolicy: allow cross-user unnamed pipe access Exempt unnamed pipes from the MLS constraints so that they can be used for cross-user communications when passed over binder or local socket IPC. Addresses denials such as: avc: denied { read } for path="pipe:[59071]" dev="pipefs" ino=59071 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fifo_file Bug: 19087939 Change-Id: I77d494c4a38bf473fec05b728eaf253484deeaf8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-02-20 18:30:31 +01:00			`(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);`
SE Android policy. 2012-01-04 18:33:27 +01:00
			`mlsconstrain fifo_file { write setattr append unlink link rename }`
sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-03-13 22:07:39 +01:00			`(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);`
SE Android policy. 2012-01-04 18:33:27 +01:00
			`#`
			`# Binder IPC constraints`
			`#`
			`# Presently commented out, as apps are expected to call one another.`
			`# This would only make sense if apps were assigned categories`
			`# based on allowable communications rather than per-app categories.`
			`#mlsconstrain binder call`
			`# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);`