tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/domain.te

121 lines
3.2 KiB
Text
Raw Normal View History

Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
# Transition to crash_dump when /system/bin/crash_dump* is executed.
# This occurs when the process crashes.
exclude su from transitioning to crash_dump domain When /system/bin/crash_dump is executed from the su domain, do not perform a domain transition. This allows processes run from that domain to crash normally without SELinux interfering. Bug: 114136122 Test: cferris: "This change works for me. I ran the crasher executable on /data, /data/nativetest, /data/nativetest64 (and even /data/local/tmp). All of them show that crash_dump can read the executables." Change-Id: Ic135d61b11774acff37ebfb35831497cddbefdef
2018-09-06 04:11:38 +02:00
# We do not apply this to the su domain to avoid interfering with
# tests (b/114136122)
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed
2016-10-19 23:39:30 +02:00
allow domain crash_dump:process sigchld;
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-08-08 01:03:47 +02:00
userdebug_or_eng(`-llkd')
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
-dumpstate
Allowing incidentd to get stack traces from processes. Bug: 72177715 Test: flash device and check incident output Change-Id: I16c172caec235d985a6767642134fbd5e5c23912
2018-03-13 00:21:40 +01:00
userdebug_or_eng(`-incidentd')
Storaged permissions for task I/O Allow storaged to read /proc/[pid]/io Grant binder access to storaged Add storaged service Grant storaged_exec access to dumpstate Grant storaged binder_call to dumpstate Bug: 32221677 Change-Id: Iecc9dba266c5566817a99ac6251eb943a0bac630
2016-07-01 21:18:54 +02:00
-storaged
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
-system_server
userdebug_or_eng(`-perfprofd')
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
} self:global_capability_class_set sys_ptrace;
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-11 17:41:25 +02:00
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
Neverallow coredomain to kernel interface files. Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to): 1. /proc 2. /sys 3. /dev 4. debugfs 5. tracefs 6. inotifyfs 7. pstorefs 8. configfs 9. functionfs 10. usbfs 11. binfmt_miscfs We keep a lists of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces. Bug: 68159582 Bug: 68792382 Test: build aosp_sailfish-user Test: build aosp_sailfish-userdebug Test: CP to internal and build walleye-user Change-Id: I1b2890ce1efb02a08709a6132cf2f12f9d88fde7
2017-11-02 18:08:30 +01:00
Use a whitelisting strategy for tracefs. This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode. Bug: 64762598 Test: Successfully took traces in user mode. Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-01-31 03:14:45 +01:00
neverallow {
domain
-init
-vendor_init
userdebug_or_eng(`-domain')
} debugfs_tracing_debug:file no_rw_file_perms;
Protect dropbox service data with selinux Create a new label for /data/system/dropbox, and neverallow direct access to anything other than init and system_server. While all apps may write to the dropbox service, only apps with android.permission.READ_LOGS, a signature|privileged|development permission, may read them. Grant access to priv_app, system_app, and platform_app, and neverallow access to all untrusted_apps. Bug: 31681871 Test: atest CtsStatsdHostTestCases Test: atest DropBoxTest Test: atest ErrorsTests Change-Id: Ice302b74b13c4d66e07b069c1cdac55954d9f5df
2018-04-16 16:49:49 +02:00
# System_server owns dropbox data, and init creates/restorecons the directory
# Disallow direct access by other processes.
neverallow { domain -init -system_server } dropbox_data_file:dir *;
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
###
# Services should respect app sandboxes
neverallow {
domain
-appdomain
-installd # creation of sandbox
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
# Only the following processes should be directly accessing private app
# directories.
neverallow {
domain
-adbd
-appdomain
-dexoptanalyzer
-init
-installd
userdebug_or_eng(`-perfprofd')
-profman
-runas
-system_server
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir *;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
# Only apps should be modifying app data. init and installd are exempted for
# restorecon and package install/uninstall.
neverallow {
domain
-appdomain
-init
-installd
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-appdomain
-installd
userdebug_or_eng(`-perfprofd')
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:file_class_set open;
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-appdomain
-installd # creation of sandbox
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
Improve tests protecting private app data In particular, add assertions limiting which processes may directly open files owned by apps. Reduce this to just apps, init, and installd. App data is protected by a combination of selinux permissions and Unix permissions, so limiting the open permission to just apps (which are not allowed to have CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH) ensures that only installd and init have complete access an app's private directory. In addition to apps/init/installd, other processes currently granted open are mediaserver, uncrypt, and vold. Uncrypt's access appears to be deprecated (b/80299612). Uncrypt now uses /data/ota_package instead. b/80418809 and b/80300620 track removal for vold and mediaserver. Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit messages in the logs. Bug: 80190017 Bug: 80300620 Bug: 80418809 Fixes: 80299612 Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 19:41:36 +02:00
neverallow {
domain
-init
-installd
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-03 00:54:23 +02:00
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
Transient SELinux domain for system_server JIT Create a transient SELinux domain where system_server can perform certain JIT setup. The idea is that system_server will start in the system_server_startup domain, setup certain JIT pages, then perform a one-way transition into the system_server domain. From that point, further JITing operations are disallowed. Bug: 62356545 Test: device boots, no permission errors Change-Id: Ic55b2cc5aba420ebcf62736622e08881a4779004
2018-10-04 19:57:29 +02:00
neverallow {
domain
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
#
# Assert that, to the extent possible, we're not loading executable content from
# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
#
neverallow {
domain
-appdomain
with_asan(`-asan_extract')
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
-webview_zygote
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
} {
file_type
-system_file_type
-system_lib_file
-system_linker_exec
-vendor_file_type
-exec_type
-postinstall_file
}:file execute;
Reference in a new issue Copy permalink