platform_system_sepolicy/public/te_macros

951 lines
33 KiB
Text
Raw Normal View History

2012-01-04 18:33:27 +01:00
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
sepolicy: Define and allow map permission Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This change defines map permission for the Android policy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change also adds map permission to the global macro definitions for file permissions, thereby allowing it in any allow rule that uses these macros, and to specific rules allowing mapping of files from /system and executable types. This should cover most cases where it is needed, although it may still need to be added to specific allow rules when the global macros are not used. Test: Policy builds Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 15:32:10 +02:00
allow $1 $2:file { getattr open read execute map };
2012-01-04 18:33:27 +01:00
allow $1 $3:process transition;
# New domain is entered by executing the file.
sepolicy: Define and allow map permission Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This change defines map permission for the Android policy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change also adds map permission to the global macro definitions for file permissions, thereby allowing it in any allow rule that uses these macros, and to specific rules allowing mapping of files from /system and executable types. This should cover most cases where it is needed, although it may still need to be added to specific allow rules when the global macros are not used. Test: Policy builds Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 15:32:10 +02:00
allow $3 $2:file { entrypoint open read execute getattr map };
2012-01-04 18:33:27 +01:00
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
2012-01-04 18:33:27 +01:00
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
#####################################
# tmpfs_domain(domain)
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
2012-01-04 18:33:27 +01:00
define(`tmpfs_domain', `
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write getattr map };
2012-01-04 18:33:27 +01:00
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
# pdx_service_attributes(service)
# Defines type attribute used to identify various service-related types.
define(`pdx_service_attributes', `
attribute pdx_$1_endpoint_dir_type;
attribute pdx_$1_endpoint_socket_type;
attribute pdx_$1_channel_socket_type;
attribute pdx_$1_server_type;
')
#####################################
# pdx_service_socket_types(service, endpoint_dir_t)
# Define types for endpoint and channel sockets.
define(`pdx_service_socket_types', `
typeattribute $2 pdx_$1_endpoint_dir_type;
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
userdebug_or_eng(`
dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
')
')
#####################################
# pdx_server(server_domain, service)
define(`pdx_server', `
# Mark the server domain as a PDX server.
typeattribute $1 pdx_$2_server_type;
# Allow the init process to create the initial endpoint socket.
allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
# Allow the server domain to use the endpoint socket and accept connections on it.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
allow $1 self:process setsockcreate;
# Allow the server domain to create a client channel socket.
allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
# Prevent other processes from claiming to be a server for the same service.
neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
')
#####################################
# pdx_connect(client, service)
define(`pdx_connect', `
# Allow client to open the service endpoint file.
allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
# Allow the client to connect to endpoint socket.
allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
')
#####################################
# pdx_use(client, service)
define(`pdx_use', `
# Allow the client to use the PDX channel socket.
# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
# than we need (e.g. we don"t need "bind" or "connect").
allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
# Client needs to use an channel event fd from the server.
allow $1 pdx_$2_server_type:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow pdx_$2_server_type $1:fd use;
')
#####################################
# pdx_client(client, service)
define(`pdx_client', `
pdx_connect($1, $2)
pdx_use($1, $2)
')
2012-01-04 18:33:27 +01:00
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
')
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
2020-01-10 20:02:43 +01:00
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
# of application data and execution state. Ptrace bypasses those
2020-01-10 20:02:43 +01:00
# confidentiality guarantees. Disallow ptrace access from system components to
# apps. crash_dump is excluded, as it needs ptrace access to produce stack
# traces. runas_app is excluded, as it operates only on debuggable apps.
# simpleperf is excluded, as it operates only on debuggable or profileable
# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
# live lock conditions.
neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
2012-01-04 18:33:27 +01:00
')
#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
define(`untrusted_app_domain', `
typeattribute $1 untrusted_app_all;
')
2012-01-04 18:33:27 +01:00
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
#####################################
# hal_attribute(hal_name)
# Add an attribute for hal implementations along with necessary
# restrictions.
define(`hal_attribute', `
attribute hal_$1;
expandattribute hal_$1 true;
attribute hal_$1_client;
expandattribute hal_$1_client true;
attribute hal_$1_server;
expandattribute hal_$1_server false;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
# hal_*_client and halclientdomain attributes are always expanded for
# performance reasons. Neverallow rules targeting expanded attributes can not be
# verified by CTS since these attributes are already expanded by that time.
build_test_only(`
neverallow { hal_$1_server -hal_$1 } domain:process fork;
neverallow { hal_$1_client -halclientdomain } domain:process fork;
')
')
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
# hal_client_domain(some_domain, hal_foo)
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
not_full_treble(`
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
')
')
Use _client and _server for Audio HAL policy This starts the switch for HAL policy to the approach where: * domains which are clients of Foo HAL are associated with hal_foo_client attribute, * domains which offer the Foo HAL service over HwBinder are associated with hal_foo_server attribute, * policy needed by the implementation of Foo HAL service is written against the hal_foo attribute. This policy is granted to domains which offer the Foo HAL service over HwBinder and, if Foo HAL runs in the so-called passthrough mode (inside the process of each client), also granted to all domains which are clients of Foo HAL. hal_foo is there to avoid duplicating the rules for hal_foo_client and hal_foo_server to cover the passthrough/in-process Foo HAL and binderized/out-of-process Foo HAL cases. A benefit of associating all domains which are clients of Foo HAL with hal_foo (when Foo HAL is in passthrough mode) is that this removes the need for device-specific policy to be able to reference these domains directly (in order to add device-specific allow rules). Instead, device-specific policy only needs to reference hal_foo and should no longer need to care which particular domains on the device are clients of Foo HAL. This can be seen in simplification of the rules for audioserver domain which is a client of Audio HAL whose policy is being restructured in this commit. This commit uses Audio HAL as an example to illustrate the approach. Once this commit lands, other HALs will also be switched to this approach. Test: Google Play Music plays back radios Test: Google Camera records video with sound and that video is then successfully played back with sound Test: YouTube app plays back clips with sound Test: YouTube in Chrome plays back clips with sound Bug: 34170079 Change-Id: I2597a046753edef06123f0476c2ee6889fc17f20
2017-02-13 23:40:49 +01:00
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute map };
')
2012-01-04 18:33:27 +01:00
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
2012-01-04 18:33:27 +01:00
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
define(`set_prop', `
unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
get_prop($1, $2)
')
#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
define(`get_prop', `
allow $1 $2:file { getattr open read map };
')
#####################################
2012-01-04 18:33:27 +01:00
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# Allow servicemanager to send out callbacks
allow servicemanager $1:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
2012-01-04 18:33:27 +01:00
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open map };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
define(`vndbinder_use', `
# Talk to the vndbinder device node
allow $1 vndbinder_device:chr_file rw_file_perms;
# Call the vndservicemanager and transfer references to it.
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
allow vndservicemanager $1:file { read open map };
allow vndservicemanager $1:process getattr;
')
2012-01-04 18:33:27 +01:00
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
2012-01-04 18:33:27 +01:00
# Receive and use open files from the server.
allow $1 $2:fd use;
')
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
# deprecated.
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:global_capability2_class_set block_suspend;
# system_suspend permissions
binder_call($1, system_suspend_server)
allow $1 system_suspend_hwservice:hwservice_manager find;
# halclientdomain permissions
hwbinder_use($1)
get_prop($1, hwservicemanager_prop)
allow $1 hidl_manager_hwservice:hwservice_manager find;
')
2012-01-04 18:33:27 +01:00
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
2012-01-04 18:33:27 +01:00
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
2012-01-04 18:33:27 +01:00
')
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
2012-01-04 18:33:27 +01:00
allow $1 kernel:security check_context;
')
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
#####################################
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
# Not recovery
# SELinux rules which apply only to non-recovery (normal) mode
#
define(`not_recovery', ifelse(target_recovery, `true', , $1))
#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
ifelse(target_full_treble, `cts',
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
$1
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
ifelse(target_compatible_property, `cts',
# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
$1
# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# Not compatible property
# SELinux rules which apply only to devices without compatible property
#
define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
#####################################
# native coverage builds
# SELinux rules which apply only to builds with native coverage
#
define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
#####################################
# Build-time-only test
# SELinux rules which are verified during build, but not as part of *TS testing.
#
define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
define(`crash_dump_fallback', `
userdebug_or_eng(`
allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
allow $1 incidentd:fd use;
# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
allow $1 incidentd:fifo_file { append write };
allow $1 system_server:fifo_file { append write };
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')
#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
unix_socket_send($1, logdw, logd)
allow $1 pmsg_device:chr_file w_file_perms;
')
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
# to call getpidcon.
define(`use_keystore', `
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
#####################################
# use_credstore(domain)
# Ability to use credstore.
define(`use_credstore', `
allow credstore $1:dir search;
allow credstore $1:file { read open };
allow credstore $1:process getattr;
allow $1 credstore_service:service_manager find;
binder_call($1, credstore)
binder_call(credstore, $1)
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
')
###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-14 04:05:27 +02:00
allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
###########################################
# hal_attribute_hwservice(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
define(`hal_attribute_hwservice', `
allow $1_client $2:hwservice_manager find;
add_hwservice($1_server, $2)
build_test_only(`
# if you are hitting this neverallow, try using:
# hal_client_domain(<your domain>, hal_<foo>)
# instead
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
###########################################
# hal_attribute_service(attribute, service)
# Ability for domain to get a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
#
# Used to pair hal_foo_client with hal_foo_hwservice
define(`hal_attribute_service', `
allow $1_client $2:service_manager find;
add_service($1_server, $2)
build_test_only(`
# if you are hitting this neverallow, try using:
# hal_client_domain(<your domain>, hal_<foo>)
# instead
neverallow {
domain
-$1_client
-$1_server
# some services are allowed to find all services
-atrace
-dumpstate
-shell
-system_app
-traceur_app
} $2:service_manager find;
')
')
###################################
# can_profile_heap(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
define(`can_profile_heap', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
unix_socket_connect($1, heapprofd, heapprofd)
# Allow daemon to use the passed fds.
allow heapprofd $1:fd use;
# Allow to read and write to heapprofd shmem.
# The client needs to read the read and write pointers in order to write.
allow $1 heapprofd_tmpfs:file { read write getattr map };
# Use shared memory received over the unix socket.
allow $1 heapprofd:fd use;
# To read and write from the received file descriptors.
# /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
# process they relate to.
# We need to write to /proc/$PID/page_idle to find idle allocations.
# The client only opens /proc/self/page_idle with RDWR, everything else
# with RDONLY.
# heapprofd cannot open /proc/$PID/mem itself, as it does not have
# sys_ptrace.
allow heapprofd $1:file rw_file_perms;
# Allow searching the /proc/[pid] directory for cmdline.
allow heapprofd $1:dir r_dir_perms;
')
###################################
# never_profile_heap(domain)
# Opt out of heap profiling by heapprofd.
define(`never_profile_heap', `
neverallow heapprofd $1:file read;
neverallow heapprofd $1:process signal;
')
###################################
# can_profile_perf(domain)
# Allow processes within the domain to be profiled, and have their stacks
# sampled, by traced_perf.
define(`can_profile_perf', `
# Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
# reads /proc/[pid]/cmdline.
allow traced_perf $1:file r_file_perms;
allow traced_perf $1:dir r_dir_perms;
# Allow central daemon to send signal to request /proc/[pid]/maps and
# /proc/[pid]/mem fds from this process.
allow traced_perf $1:process signal;
# Allow connecting to the daemon.
unix_socket_connect($1, traced_perf, traced_perf)
# Allow daemon to use the passed fds.
allow traced_perf $1:fd use;
')
###################################
# never_profile_perf(domain)
# Opt out of profiling by traced_perf.
define(`never_profile_perf', `
neverallow traced_perf $1:file read;
neverallow traced_perf $1:process signal;
')
###################################
# perfetto_producer(domain)
# Allow processes within the domain to write data to Perfetto.
# When applying this macro, you might need to also allow traced to use the
# producer tmpfs domain, if the producer will be the one creating the shared
# memory.
define(`perfetto_producer', `
allow $1 traced:fd use;
allow $1 traced_tmpfs:file { read write getattr map };
unix_socket_connect($1, traced_producer, traced)
# Also allow the service to use the producer file descriptors. This is
# necessary when the producer is creating the shared memory, as it will be
# passed to the service as a file descriptor (obtained from memfd_create).
allow traced $1:fd use;
')
###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
#
define(`dump_hal', `
hal_client_domain(dumpstate, $1);
allow $1_server dumpstate:fifo_file write;
allow $1_server dumpstate:fd use;
')
#####################################
# treble_sysprop_neverallow(rules)
# SELinux neverallow rules which enforces the accessibility of each property
# outside the owner.
#
# For devices launching with R or later, exported properties must be explicitly marked as
# "restricted" or "public", depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
#
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
ifelse(target_treble_sysprop_neverallow, `cts',
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# enforce_sysprop_owner(rules)
# SELinux neverallow rules which enforces the owner of each property.
#
# For devices launching with S or later, all properties must be explicitly marked as one of:
# system_property_type, vendor_property_type, or product_property_type.
# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these ules only for devices launching with S or later.
#
define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
ifelse(target_enforce_sysprop_owner, `cts',
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
, )))
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
#
define(`define_prop', `
type $1, property_type, $2_property_type, $2_$3_property_type;
')
###########################################
# system_internal_prop(name)
# Define a /system-owned property used only in /system
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`system_internal_prop', `
define_prop($1, system, internal)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
###########################################
# system_restricted_prop(name)
# Define a /system-owned property which can't be written outside /system
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`system_restricted_prop', `
define_prop($1, system, restricted)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:property_service set;
')
')
###########################################
# system_public_prop(name)
# Define a /system-owned property with no restrictions
#
define(`system_public_prop', `define_prop($1, system, public)')
###########################################
# system_vendor_config_prop(name)
# Define a /system-owned property which can only be written by vendor_init
# This is a macro for vendor-specific configuration properties which is meant
# to be set once from vendor_init.
#
define(`system_vendor_config_prop', `
system_public_prop($1)
set_prop(vendor_init, $1)
neverallow { domain -init -vendor_init } $1:property_service set;
')
###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`product_internal_prop', `
define_prop($1, product, internal)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:file no_rw_file_perms;
')
')
###########################################
# product_restricted_prop(name)
# Define a /product-owned property which can't be written outside /product
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`product_restricted_prop', `
define_prop($1, product, restricted)
treble_sysprop_neverallow(`
neverallow { domain -coredomain } $1:property_service set;
')
')
###########################################
# product_public_prop(name)
# Define a /product-owned property with no restrictions
#
define(`product_public_prop', `define_prop($1, product, public)')
###########################################
# vendor_internal_prop(name)
# Define a /vendor-owned property used only in /vendor
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`vendor_internal_prop', `
define_prop($1, vendor, internal)
treble_sysprop_neverallow(`
# init and dumpstate are in coredomain, but should be able to read all props.
neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
')
')
###########################################
# vendor_restricted_prop(name)
# Define a /vendor-owned property which can't be written outside /vendor
# For devices launching with Q or eariler, this restriction can be relaxed with
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
define(`vendor_restricted_prop', `
define_prop($1, vendor, restricted)
treble_sysprop_neverallow(`
# init is in coredomain, but should be able to write all props.
neverallow { coredomain -init } $1:property_service set;
')
')
###########################################
# vendor_public_prop(name)
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')