tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/domain.te

235 lines
8.8 KiB
Text
Raw Normal View History

Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses.
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 17:26:19 +02:00
allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 21:06:11 +01:00
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Inherit or receive open files from others.
allow domain init:fd use;
1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
2013-09-14 00:59:04 +02:00
allow domain system_server:fd use;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Connect to adbd and use a socket transferred from it.
Address adb backup/restore denials. Resolves the following denials seen during an adb backup and restore sequence. <5>[ 90.247039] type=1400 audit(1388759567.693:16): avc: denied { getopt } for pid=3503 comm="Thread-149" scontext=u:r:system_server:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket <5>[ 90.249176] type=1400 audit(1388759567.703:17): avc: denied { getopt } for pid=2334 comm="app_process" scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket Change-Id: I1f6f90f29eecc32ee692764b04b812988f099cde Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-03 20:38:41 +01:00
# This is used for e.g. adb backup/restore.
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
Address adb backup/restore denials. Resolves the following denials seen during an adb backup and restore sequence. <5>[ 90.247039] type=1400 audit(1388759567.693:16): avc: denied { getopt } for pid=3503 comm="Thread-149" scontext=u:r:system_server:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket <5>[ 90.249176] type=1400 audit(1388759567.703:17): avc: denied { getopt } for pid=2334 comm="app_process" scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket Change-Id: I1f6f90f29eecc32ee692764b04b812988f099cde Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-03 20:38:41 +01:00
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
Support running adbd in the su domain. When adbd runs as root, it transitions into the su domain. Add the various rules to support this. This is needed to run the adbd and shell domains in enforcing on userdebug / eng devices without breaking developer workflows. Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
2014-01-19 03:07:06 +01:00
userdebug_or_eng(`
# Same as adbd rules above, except allow su to do the same thing
allow domain su:unix_stream_socket connectto;
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
Address system_server denials. Label /proc/sysrq-trigger and allow access. Label /dev/socket/mtpd and allow access. Resolves denials such as: avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv er:s0 tclass=udp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s 0 tclass=tcp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-05 15:50:08 +01:00
binder_call(domain, su)
Support running adbd in the su domain. When adbd runs as root, it transitions into the su domain. Add the various rules to support this. This is needed to run the adbd and shell domains in enforcing on userdebug / eng devices without breaking developer workflows. Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
2014-01-19 03:07:06 +01:00
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
allow domain su:fifo_file { write getattr };
# allow "gdbserver --attach" to work for su.
allow domain su:process sigchld;
')
domain.te: Temporarily work around debuggerd connection bug For some reason, the debuggerd socket isn't getting properly labeled. Work around this bug for now by allowing all domains to connect to all unix stream sockets. Bug: 9858255 Change-Id: If994e51b0201ea8cae46341efc76dc71a4e577c8
2013-07-15 20:41:24 +02:00
###
### Talk to debuggerd.
###
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir r_dir_perms;
untrusted_app.te / isolated_app.te / app.te first pass This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Much of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below. * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests * Allow binder communications with the DNS server * Allow binder communications with surfaceflinger * Allow an app to bind to tcp/udp ports * Allow all domains to read files from the root partition, assuming the DAC allows access. In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added. This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode. Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
2013-07-13 03:45:56 +02:00
allow domain rootfs:file r_file_perms;
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
allow domain rootfs:lnk_file r_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Device accesses.
allow domain device:dir search;
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
allow domain dev_type:lnk_file r_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain devpts:dir search;
allow domain device:file read;
Allow all domains to read from socket_device directory. This is a world-readable directory anyway and will help to address a small number of new denials. Change-Id: I9e53c89a19da8553cbcbef8295c02ccaaa5d564c Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-06 16:16:53 +01:00
allow domain socket_device:dir r_dir_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
make /dev/zero read-write CTS test luni/src/test/java/libcore/java/nio/BufferTest.java function testDevZeroMapRW() requires us to be able to open /dev/zero in read-write mode. Allow it. Change-Id: I2be266875b1d190188376fd84c0996039d3c1524
2014-05-20 15:01:55 +02:00
allow domain zero_device:chr_file rw_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
Permit writing to /dev/random and /dev/urandom. Apps attempting to write to /dev/random or /dev/urandom currently succeed, but a policy violation is logged. These two Linux RNG devices are meant to be written to by arbitrary apps. Thus, there's no reason to deny this capability. Bug: 10679705 Change-Id: Ife401f1dd2182889471eef7e90fcc92e96f9c4d6
2013-09-10 20:13:15 +02:00
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain properties_device:file r_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-13 00:34:52 +01:00
# logd access
write_logd(domain)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
allow domain system_file:lnk_file r_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
allow domain system_data_file:lnk_file r_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Read apk files under /data/app.
Fix denials encountered while getting bugreports. Bug: 10498304 Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74
2013-08-30 22:02:30 +02:00
allow domain apk_data_file:dir { getattr search };
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain apk_data_file:file r_file_perms;
# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;
Define a type for /data/dalvik-cache/profiles. I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles subdirectory to /data/dalvik-cache with files that must be app-writable. As a result, we have denials such as: W/Profiler( 3328): type=1400 audit(0.0:199): avc: denied { write } for name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null) W/auditd ( 286): type=1307 audit(0.0:199): cwd="/" W/auditd ( 286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0 We do not want to allow untrusted app domains to write to the existing type on other /data/dalvik-cache files as that could be used for code injection into another app domain, the zygote or the system_server. So define a new type for this subdirectory. The restorecon_recursive /data in init.rc will fix the labeling on devices that already have a profiles directory created. For correct labeling on first creation, we also need a separate change to installd under the same change id. Bug: 13927667 Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-09 20:24:33 +02:00
allow domain dalvikcache_profiles_data_file:dir { search getattr };
allow domain dalvikcache_profiles_data_file:file r_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
allow domain cache_file:lnk_file r_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
Label /data/misc/zoneinfo And allow any SELinux domain to read these timezone related files. Addresses the following denial: <5>[ 4.746399] type=1400 audit(3430294.470:7): avc: denied { open } for pid=197 comm="time_daemon" name="tzdata" dev="mmcblk0p28" ino=618992 scontext=u:r:time:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Change-Id: Iff32465e62729d7aad8c79607848d89ce0aede86
2013-12-13 00:32:42 +01:00
# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
#Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
Move sysfs_devices_system_cpu to the central policy. Every device has a CPU. This is not device specific. Allow every domain to read these files/directories. For unknown reasons, these files are accessed by A LOT of processes. Allow ueventd to write to these files. This addresses the following denials seen on mako: <5>[ 4.935602] type=1400 audit(1383167737.512:4): avc: denied { read } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir <5>[ 4.935785] type=1400 audit(1383167737.512:5): avc: denied { open } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir <5>[ 4.935937] type=1400 audit(1383167737.512:6): avc: denied { search } for pid=140 comm="ueventd" name="cpu0" dev="sysfs" ino=3163 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir <5>[ 4.936120] type=1400 audit(1383167737.512:7): avc: denied { write } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file <5>[ 4.936303] type=1400 audit(1383167737.512:8): avc: denied { open } for pid=140 comm="ueventd" name="uevent" dev="sysfs" ino=3164 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file Change-Id: I4766dc571762d8fae06aa8c26828c070b80f5936
2013-10-30 22:12:21 +01:00
r_dir_file(domain, sysfs_devices_system_cpu)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
Create proc_net type for /proc/sys/net entries. /proc/sys/net could use its own type to help distinguish among some of the proc access rules. Fix dhcp and netd because of this. Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-07 19:46:56 +01:00
r_dir_file(domain, proc_net)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
# debugfs access
allow domain debugfs:dir r_dir_perms;
domain.te: allow access to /sys/kernel/debug/tracing/trace_marker Bug: 9781325 Change-Id: Ib6f6875f690420b59fceb0a32590a2b9ed8dda95
2013-07-11 20:30:20 +02:00
allow domain debugfs:file w_file_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
# Get SELinux enforcing status.
selinux_getenforce(domain)
Allow reading of /data/security/current symlink. If we are going to allow all domains to search and stat the contents of /data/security, then we should also allow them to read the /data/security/current symlink created by SELinuxPolicyInstallReceiver to the directory containing the current policy update. Change-Id: Ida352ed7ae115723964d2723f1115a87af438013 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 17:35:39 +01:00
# /data/security files
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 00:11:02 +02:00
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
Allow reading of /data/security/current symlink. If we are going to allow all domains to search and stat the contents of /data/security, then we should also allow them to read the /data/security/current symlink created by SELinuxPolicyInstallReceiver to the directory containing the current policy update. Change-Id: Ida352ed7ae115723964d2723f1115a87af438013 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 17:35:39 +01:00
allow domain security_file:lnk_file r_file_perms;
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 23:46:05 +02:00
Introduce asec_public_file type. This new type will allow us to write finer-grained policy concerning asec containers. Some files of these containers need to be world readable. Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-04 17:36:41 +01:00
# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
Bring back the unlabeled allowall rules On an upgrade from 4.2 to tip-of-tree master, there are still a number of files which aren't properly labeled. Restore the unlabeled compat rules until we can get everything properly labeled. It's not ideal, but it works around the immediate problem. After applying https://android-review.googlesource.com/94966 , I'm still seeing the following denials. <4>[ 12.040639] type=1400 audit(1400289656.430:4): avc: denied { read } for pid=143 comm="installd" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 168.289170] type=1400 audit(1400289812.680:5): avc: denied { getattr } for pid=1079 comm="system_server" path="/data/data/com.android.backupconfirm" dev=mmcblk0p9 ino=112676 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.088406] type=1400 audit(1400289813.480:6): avc: denied { read } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.088790] type=1400 audit(1400289813.480:7): avc: denied { open } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.089205] type=1400 audit(1400289813.480:8): avc: denied { write } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.089615] type=1400 audit(1400289813.480:9): avc: denied { remove_name } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.090024] type=1400 audit(1400289813.480:10): avc: denied { unlink } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 169.090350] type=1400 audit(1400289813.480:11): avc: denied { rmdir } for pid=143 comm="installd" name="com.android.renderscript.cache" dev=mmcblk0p9 ino=112902 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 171.875822] type=1400 audit(1400289816.260:12): avc: denied { unlink } for pid=143 comm="installd" name="8882B60ADE91B9E4.toc" dev=mmcblk0p9 ino=112903 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 180.615263] type=1400 audit(1400289825.000:13): avc: denied { rename } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 180.615578] type=1400 audit(1400289825.000:14): avc: denied { setattr } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 393.934310] type=1400 audit(1400290038.320:15): avc: denied { read } for pid=2410 comm="d.process.acore" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 399.370936] type=1400 audit(1400290043.760:16): avc: denied { read } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 399.371792] type=1400 audit(1400290043.760:17): avc: denied { getattr } for pid=2998 comm="SharedPreferenc" path="/data/data/com.google.android.backuptransport/shared_prefs/BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 399.372219] type=1400 audit(1400290043.760:18): avc: denied { open } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
2014-05-17 02:45:01 +02:00
######## Backwards compatibility - Unlabeled files ############
# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
Suppress installd auditallow installd is expected to be handling unlabeled apps. Don't emit an audit rule when it occurs. Change-Id: Ia173914ff4d1b8368a18f326494eda8173d30192
2014-05-20 01:33:51 +02:00
auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom };
Bring back the unlabeled allowall rules On an upgrade from 4.2 to tip-of-tree master, there are still a number of files which aren't properly labeled. Restore the unlabeled compat rules until we can get everything properly labeled. It's not ideal, but it works around the immediate problem. After applying https://android-review.googlesource.com/94966 , I'm still seeing the following denials. <4>[ 12.040639] type=1400 audit(1400289656.430:4): avc: denied { read } for pid=143 comm="installd" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 168.289170] type=1400 audit(1400289812.680:5): avc: denied { getattr } for pid=1079 comm="system_server" path="/data/data/com.android.backupconfirm" dev=mmcblk0p9 ino=112676 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.088406] type=1400 audit(1400289813.480:6): avc: denied { read } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.088790] type=1400 audit(1400289813.480:7): avc: denied { open } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.089205] type=1400 audit(1400289813.480:8): avc: denied { write } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.089615] type=1400 audit(1400289813.480:9): avc: denied { remove_name } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.090024] type=1400 audit(1400289813.480:10): avc: denied { unlink } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 169.090350] type=1400 audit(1400289813.480:11): avc: denied { rmdir } for pid=143 comm="installd" name="com.android.renderscript.cache" dev=mmcblk0p9 ino=112902 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 171.875822] type=1400 audit(1400289816.260:12): avc: denied { unlink } for pid=143 comm="installd" name="8882B60ADE91B9E4.toc" dev=mmcblk0p9 ino=112903 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 180.615263] type=1400 audit(1400289825.000:13): avc: denied { rename } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 180.615578] type=1400 audit(1400289825.000:14): avc: denied { setattr } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 393.934310] type=1400 audit(1400290038.320:15): avc: denied { read } for pid=2410 comm="d.process.acore" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 399.370936] type=1400 audit(1400290043.760:16): avc: denied { read } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 399.371792] type=1400 audit(1400290043.760:17): avc: denied { getattr } for pid=2998 comm="SharedPreferenc" path="/data/data/com.google.android.backuptransport/shared_prefs/BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 399.372219] type=1400 audit(1400290043.760:18): avc: denied { open } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
2014-05-17 02:45:01 +02:00
auditallow kernel unlabeled:dir ~search;
Suppress installd auditallow installd is expected to be handling unlabeled apps. Don't emit an audit rule when it occurs. Change-Id: Ia173914ff4d1b8368a18f326494eda8173d30192
2014-05-20 01:33:51 +02:00
auditallow installd unlabeled:dir ~{ getattr search relabelfrom };
auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom };
Bring back the unlabeled allowall rules On an upgrade from 4.2 to tip-of-tree master, there are still a number of files which aren't properly labeled. Restore the unlabeled compat rules until we can get everything properly labeled. It's not ideal, but it works around the immediate problem. After applying https://android-review.googlesource.com/94966 , I'm still seeing the following denials. <4>[ 12.040639] type=1400 audit(1400289656.430:4): avc: denied { read } for pid=143 comm="installd" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 168.289170] type=1400 audit(1400289812.680:5): avc: denied { getattr } for pid=1079 comm="system_server" path="/data/data/com.android.backupconfirm" dev=mmcblk0p9 ino=112676 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.088406] type=1400 audit(1400289813.480:6): avc: denied { read } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.088790] type=1400 audit(1400289813.480:7): avc: denied { open } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.089205] type=1400 audit(1400289813.480:8): avc: denied { write } for pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.089615] type=1400 audit(1400289813.480:9): avc: denied { remove_name } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 169.090024] type=1400 audit(1400289813.480:10): avc: denied { unlink } for pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 169.090350] type=1400 audit(1400289813.480:11): avc: denied { rmdir } for pid=143 comm="installd" name="com.android.renderscript.cache" dev=mmcblk0p9 ino=112902 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir <4>[ 171.875822] type=1400 audit(1400289816.260:12): avc: denied { unlink } for pid=143 comm="installd" name="8882B60ADE91B9E4.toc" dev=mmcblk0p9 ino=112903 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 180.615263] type=1400 audit(1400289825.000:13): avc: denied { rename } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 180.615578] type=1400 audit(1400289825.000:14): avc: denied { setattr } for pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 393.934310] type=1400 audit(1400290038.320:15): avc: denied { read } for pid=2410 comm="d.process.acore" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file <4>[ 399.370936] type=1400 audit(1400290043.760:16): avc: denied { read } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 399.371792] type=1400 audit(1400290043.760:17): avc: denied { getattr } for pid=2998 comm="SharedPreferenc" path="/data/data/com.google.android.backuptransport/shared_prefs/BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file <4>[ 399.372219] type=1400 audit(1400290043.760:18): avc: denied { open } for pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
2014-05-17 02:45:01 +02:00
Only init should be able to load a security policy Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
2013-07-16 02:10:35 +02:00
###
### neverallow rules
###
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 22:31:04 +01:00
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
# Limit device node creation and raw I/O to these whitelisted domains.
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 22:33:32 +01:00
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 22:31:04 +01:00
Neverallow low memory mappings. This just adds a neverallow rule to ensure we never add an allow rule permitting such mappings. Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 20:05:49 +02:00
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 22:31:04 +01:00
# No domain needs mac_override as it is unused by SELinux.
Remove MAC capabilities from unconfined domains. Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 19:23:08 +01:00
neverallow domain self:capability2 mac_override;
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 22:31:04 +01:00
# Only recovery needs mac_admin to set contexts not defined in current policy.
Remove MAC capabilities from unconfined domains. Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 19:23:08 +01:00
neverallow { domain -recovery } self:capability2 mac_admin;
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 14:05:53 +01:00
# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
Revisit kernel setenforce Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed. Change-Id: If335a5cf619125806c700780fcf91f8602083824
2014-05-12 23:32:59 +02:00
neverallow domain kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;
Make sure exec_type is assigned to all entrypoint types. Some file types used as domain entrypoints were missing the exec_type attribute. Add it and add a neverallow rule to keep it that way. Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 16:38:14 +02:00
Deduplicate neverallow rules on selinuxfs operations. We already have neverallow rules for all domains about loading policy, setting enforcing mode, and setting checkreqprot, so we can drop redundant ones from netd and appdomain. Add neverallow rules to domain.te for setbool and setsecparam and exclude them from unconfined to allow fully eliminating separate neverallow rules on the :security class from anything other than domain.te. Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-06 19:02:50 +01:00
# No booleans in AOSP policy, so no need to ever set them.
neverallow domain kernel:security setbool;
# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b
2013-10-06 21:36:11 +02:00
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
Restrict access to /dev/hw_random to system_server and init. /dev/hw_random is accessed only by init and by EntropyMixer (which runs inside system_server). Other domains are denied access because apps/services should be obtaining randomness from the Linux RNG. Change-Id: Ifde851004301ffd41b2189151a64a0c5989c630f
2013-10-03 22:35:56 +02:00
Make sure exec_type is assigned to all entrypoint types. Some file types used as domain entrypoints were missing the exec_type attribute. Add it and add a neverallow rule to keep it that way. Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 16:38:14 +02:00
# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;
Neverallow access to the kmem device from userspace. Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
2013-10-31 19:17:23 +01:00
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 15:31:40 +01:00
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };
Restrict ptrace access by debuggerd and unconfineddomain. Remove init, ueventd, watchdogd, healthd and adbd from the set of domains traceable by debuggerd. bionic/linker/debugger.cpp sets up handlers for all dynamically linked programs in Android but this should not apply for statically linked programs. Exclude ptrace access from unconfineddomain. Prohibit ptrace access to init via neverallow. Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 18:49:47 +01:00
# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;
Don't allow zygote init:binder call init can't handle binder calls. It's always incorrect to allow init:binder call, and represents a binder call to a service without an SELinux domain. Adding this allow rule was a mistake; the dumpstate SELinux domain didn't exist at the time this rule was written, and dumpstate was running under init's domain. Add a neverallow rule to prevent the reintroduction of this bug. Change-Id: I78d35e675fd142d880f15329471778c18972bf50
2014-01-04 05:44:07 +01:00
# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;
assert: do not allow raw access to generic block_device Rather then allowing open,read,write to raw block devices, one should relabel it to something more specific. vold should be re-worked so we can drop it from this assert. Change-Id: Ie891a9eaf0814ea3878d32b18b4e9f4d7dac4faf
2014-01-30 18:10:28 +01:00
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
initial policy for uncrypt. Add initial support for uncrypt, started via the pre-recovery service in init.rc. On an encrypted device, uncrypt reads an OTA zip file on /data, opens the underlying block device, and writes the unencrypted blocks on top of the encrypted blocks. This allows recovery, which can't normally read encrypted partitions, to reconstruct the OTA image and apply the update as normal. Add an exception to the neverallow rule for sys_rawio. This is needed to support writing to the raw block device. Add an exception to the neverallow rule for unlabeled block devices. The underlying block device for /data varies between devices within the same family (for example, "flo" vs "deb"), and the existing per-device file_context labeling isn't sufficient to cover these differences. Until I can resolve this problem, allow access to any block devices. Bug: 13083922 Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
2014-02-19 22:33:32 +01:00
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
assert: Do not allow access to generic device:chr_file Rather, enforce that a relabel should be done. This tightens an existing assertion. Change-Id: I0500e3dc483e6bf97e5b017043e358bcbdc69904
2014-01-30 18:15:45 +01:00
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
Remove mount-related permissions from unconfined domains. Only allow to specific domains as required, and add a neverallow to prevent allowing it to other domains not explicitly whitelisted. sdcard_type is exempted from the neverallow since more domains require the ability to mount it, including device-specific domains. Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 19:29:38 +01:00
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
Reference in a new issue Copy permalink