tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/access_vectors

768 lines
8.3 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
sepolicy: Define and allow map permission Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This change defines map permission for the Android policy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change also adds map permission to the global macro definitions for file permissions, thereby allowing it in any allow rule that uses these macros, and to specific rules allowing mapping of files from /system and executable types. This should cover most cases where it is needed, although it may still need to be added to specific allow rules when the global macros are not used. Test: Policy builds Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 15:32:10 +02:00
map
SE Android policy.
2012-01-04 18:33:27 +01:00
unlink
link
rename
execute
quotaon
mounton
access_vectors: re-organize common file perms The open, audit_access, execmod, and watch* permissions are all defined in the COMMON_FILE_PERMS in the kernel classmap and inherited by all the file-related classes; we can do the same in the policy by putting them into the common file declaration. refpolicy recently similarly reorganized its definitions and added the watch* permissions to common file, see: https://github.com/SELinuxProject/refpolicy/commit/e5dbe7527690d95cced0e58052746fb59d9321c7 https://github.com/SELinuxProject/refpolicy/commit/c656b97a289ce6c2da2871700384f0f9d831be18 https://github.com/SELinuxProject/refpolicy/commit/3952ecb4dd4435c8e017a0d2733ba49b02730764 Adding new permissions to the end of the existing classes was only required for kernels that predate the dynamic class/perm mapping support (< v2.6.33). Test: policy still builds Change-Id: I44a2c3a94c21ed23410b6f807af7f1179e2c1747 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 20:27:45 +01:00
audit_access
open
execmod
watch
watch_mount
watch_sb
watch_with_perm
watch_reads
SE Android policy.
2012-01-04 18:33:27 +01:00
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
sepolicy: Define and allow map permission Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This change defines map permission for the Android policy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change also adds map permission to the global macro definitions for file permissions, thereby allowing it in any allow rule that uses these macros, and to specific rules allowing mapping of files from /system and executable types. This should cover most cases where it is needed, although it may still need to be added to specific allow rules when the global macros are not used. Test: Policy builds Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 15:32:10 +02:00
map
SE Android policy.
2012-01-04 18:33:27 +01:00
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
#
# Define a common for capability access vectors.
#
common cap
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the cap2 common.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
common cap2
{
mac_override # unused by SELinux
access_vectors: remove incorrect comment about mac_admin CAP_MAC_ADMIN was originally introduced into the kernel for use by Smack and not used by SELinux. However, SELinux later appropriated CAP_MAC_ADMIN as a way to control setting/getting security contexts unknown to the currently loaded policy for use in labeling filesystems while running a policy that differs from the one being applied to the filesystem, in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b29f34558b9b45a2c6eabd4f3c6be939a3980f circa v2.6.27. Hence, the comment about mac_admin being unused by SELinux is inaccurate. Remove it. The corresponding change to refpolicy is: https://github.com/SELinuxProject/refpolicy/commit/5fda529636b75974462ee66041a5c5f62d8e5391 Test: policy builds Change-Id: Ie3637882200732e498c53a834a27284da838dfb8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-16 16:29:15 +01:00
mac_admin
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
syslog
wake_alarm
block_suspend
audit_read
Add new perfmon capability2 and use it There are probably more cases but this one blocks presubmit for cuttlefish with mainline kernels. Bug: 158304247 Change-Id: I6d769b16a230a113a804df61f8de4dcbce2193b6
2020-06-05 19:15:30 +02:00
perfmon
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
}
SE Android policy.
2012-01-04 18:33:27 +01:00
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
associate
quotamod
quotaget
update sepolicy for fs notification hooks Update access_vectors and global_macros to account for the changes in kernel commit https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ac5656d8a4cdd93cd2c74355ed12e5617817e0e7 This change is needed to allow Android to boot on linux-next Test: compiles Change-Id: I35c59fc50fa9c94ab94399ce74d637e49d38129d
2019-08-28 00:29:02 +02:00
watch
SE Android policy.
2012-01-04 18:33:27 +01:00
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
}
class file
inherits file
{
execute_no_trans
entrypoint
}
class lnk_file
inherits file
class chr_file
inherits file
{
execute_no_trans
entrypoint
}
class blk_file
inherits file
class sock_file
inherits file
class fifo_file
inherits file
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
recvfrom
sendto
}
class netif
{
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
setkeycreate
setsockcreate
Define getrlimit permission for class process This permission was added to the kernel in commit 791ec491c372 ("prlimit,security,selinux: add a security hook for prlimit") circa Linux 4.12 in order to control the ability to get the resource limits of another process. It is only checked when acting on another process, so it is not required for getrlimit(2), only for prlimit(2) on another process. Test: Policy builds Change-Id: Ic0079a341e959f1c5a3d045974df4b756fd4ab67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:12:12 +02:00
getrlimit
SE Android policy.
2012-01-04 18:33:27 +01:00
}
Add nnp_nosuid_transition policycap and related class/perm definitions. https://github.com/torvalds/linux/commit/af63f4193f9fbbbac50fc766417d74735afd87ef allows a security policy writer to determine whether transitions under nosuid / NO_NEW_PRIVS should be allowed or not. Define these permissions, so that they're usable to policy writers. This change is modeled after refpolicy https://github.com/TresysTechnology/refpolicy/commit/1637a8b407c85f67f0b2ca5c6d852cef3c999087 Test: policy compiles and device boots Test Note: Because this requires a newer kernel, full testing on such kernels could not be done. Change-Id: I9866724b3b97adfc0cdef5aaba6de0ebbfbda72f
2018-09-07 19:48:55 +02:00
class process2
{
nnp_transition
nosuid_transition
}
SE Android policy.
2012-01-04 18:33:27 +01:00
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
read_policy
sepolicy: Define validate_trans permission Kernel commit f9df6458218f4fe ("selinux: export validatetrans decisions") introduced a /sys/fs/selinux/validatetrans pseudo file for use by userspace file system servers and defined a new validatetrans permission to control its use. Define the new permission in the Android SELinux policy. This change only defines the new permission; it does not allow it to any domains by default. This avoids a kernel message warning about the undefined permission on the policy load, ala: SELinux: Permission validate_trans in class security not defined in policy. Test: Policy builds Change-Id: Ib922a83b7d8f94905207663a72f7a1bc3db8d2c2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-10 20:45:15 +02:00
validate_trans
SE Android policy.
2012-01-04 18:33:27 +01:00
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
Add module_load permission to system class Enforce restrictions on kernel module origin when kernel has commit: 61d612ea selinux: restrict kernel module loading Bug: 27824855 Change-Id: Icf2fefec4231f3df8f0f3d914123c22084d87b0b
2016-04-07 20:06:05 +02:00
module_load
SE Android policy.
2012-01-04 18:33:27 +01:00
}
#
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
# Define the access vector interpretation for controlling capabilities
SE Android policy.
2012-01-04 18:33:27 +01:00
#
class capability
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
inherits cap
SE Android policy.
2012-01-04 18:33:27 +01:00
class capability2
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
inherits cap2
SE Android policy.
2012-01-04 18:33:27 +01:00
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
netlink_route_socket: add new nlmsg_readpriv perm Used when mapping RTM_GETLINK messages to this new permission. Users of netlink_route_sockets that do not use the net_domain() macro will need to grant this permission as needed. Compatibility with older vendor images is preserved by granting all vendor domains access to this new permission in *.compat.cil files. Bug: 141455849 Test: build (this change is a no-op without kernel changes) Change-Id: I18f1c9fc958120a26b7b3bea004920d848ffb26e
2019-10-16 15:19:40 +02:00
nlmsg_readpriv
SE Android policy.
2012-01-04 18:33:27 +01:00
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
nlmsg_tty_audit
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
sendto
recvfrom
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
class appletalk_socket
inherits socket
class packet
{
send
recv
relabelto
forward_in
forward_out
}
class key
{
view
read
write
search
link
setattr
create
}
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
# network peer labels
class peer
{
recv
}
class kernel_service
{
use_as_override
create_files_as
}
class tun_socket
inherits socket
add attach_queue to tun_socket Modeled after http://oss.tresys.com/pipermail/refpolicy/2013-January/006283.html Addresses the following kernel error message: <6>[ 3.855423] SELinux: Permission attach_queue in class tun_socket not defined in policy. <6>[ 3.862482] SELinux: the above unknown classes and permissions will be denied <7>[ 3.869668] SELinux: Completing initialization. Change-Id: Iad87fcd5348d121a808dbe7ae3c63f8c90fc09fc
2014-06-07 01:51:11 +02:00
{
attach_queue
}
SE Android policy.
2012-01-04 18:33:27 +01:00
class binder
{
impersonate
call
set_context_mgr
transfer
}
Update netlink socket classes. Define new netlink socket security classes introduced by upstream kernel commit 6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 ("selinux: update netlink socket classes"). This was merged in Linux 4.2 and is therefore only required for Android kernels based on 4.2 or newer (e.g. the android-4.4 branch of the kernel/common tree). Add the new socket classes to socket_class_set. Add an initial set of allow rules although further refinement will likely be necessary. Any allow rule previously written on :netlink_socket may need to be rewritten or duplicated for one or more of the more specific classes. For now, we retain the existing :netlink_socket rules for compatibility on older kernels. Change-Id: I5040b30edd2d374538490a080feda96dd4bae5bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-21 22:17:26 +02:00
class netlink_iscsi_socket
inherits socket
class netlink_fib_lookup_socket
inherits socket
class netlink_connector_socket
inherits socket
class netlink_netfilter_socket
inherits socket
class netlink_generic_socket
inherits socket
class netlink_scsitransport_socket
inherits socket
class netlink_rdma_socket
inherits socket
class netlink_crypto_socket
inherits socket
Update access_vectors Update access_vectors to support newer kernel functionality. This change does not grant any new access. Inspired by the following refpolicy commits: * https://github.com/SELinuxProject/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc * https://github.com/SELinuxProject/refpolicy/commit/109ab3296bce27281c453617d3629a238f5e4dbf * https://github.com/SELinuxProject/refpolicy/commit/437e48ac53307e1e2e13e49d349c0a09b12eb187 Bug: 118843234 Test: policy compiles Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
2018-11-02 03:39:44 +01:00
class infiniband_pkey
{
access
}
class infiniband_endport
{
manage_subnet
}
Define the user namespace capability classes and access vectors. Kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f (selinux: distinguish non-init user namespace capability checks) introduced support for distinguishing capability checks against a target associated with the init user namespace versus capability checks against a target associated with a non-init user namespace by defining and using separate security classes for the latter. This support is needed on Linux to support e.g. Chrome usage of user namespaces for the Chrome sandbox without needing to allow Chrome to also exercise capabilities on targets in the init user namespace. Define the new security classes and access vectors for the Android policy. Refactor the original capability and capability2 access vector definitions as common declarations to allow reuse by the new cap_userns and cap2_userns classes. This change does not allow use of the new classes by any domain; that is deferred to future changes as needed if/when Android enables user namespaces and the Android version of Chrome starts using them. The kernel support went upstream in Linux 4.7. Based on the corresponding refpolicy patch by Chris PeBenito, but reworked for the Android policy. Test: policy builds Change-Id: I71103d39e93ee0e8c24816fca762944d047c2235 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-27 15:42:57 +02:00
#
# Define the access vector interpretation for controlling capabilities
# in user namespaces
#
class cap_userns
inherits cap
class cap2_userns
inherits cap2
Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 19:35:27 +01:00
#
# Define the access vector interpretation for the new socket classes
# enabled by the extended_socket_class policy capability.
#
#
# The next two classes were previously mapped to rawip_socket and therefore
# have the same definition as rawip_socket (until further permissions
# are defined).
#
class sctp_socket
inherits socket
{
node_bind
Update access_vectors Update access_vectors to support newer kernel functionality. This change does not grant any new access. Inspired by the following refpolicy commits: * https://github.com/SELinuxProject/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc * https://github.com/SELinuxProject/refpolicy/commit/109ab3296bce27281c453617d3629a238f5e4dbf * https://github.com/SELinuxProject/refpolicy/commit/437e48ac53307e1e2e13e49d349c0a09b12eb187 Bug: 118843234 Test: policy compiles Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
2018-11-02 03:39:44 +01:00
name_connect
association
Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 19:35:27 +01:00
}
class icmp_socket
inherits socket
{
node_bind
}
#
# The remaining network socket classes were previously
# mapped to the socket class and therefore have the
# same definition as socket.
#
class ax25_socket
inherits socket
class ipx_socket
inherits socket
class netrom_socket
inherits socket
class atmpvc_socket
inherits socket
class x25_socket
inherits socket
class rose_socket
inherits socket
class decnet_socket
inherits socket
class atmsvc_socket
inherits socket
class rds_socket
inherits socket
class irda_socket
inherits socket
class pppox_socket
inherits socket
class llc_socket
inherits socket
class can_socket
inherits socket
class tipc_socket
inherits socket
class bluetooth_socket
inherits socket
class iucv_socket
inherits socket
class rxrpc_socket
inherits socket
class isdn_socket
inherits socket
class phonet_socket
inherits socket
class ieee802154_socket
inherits socket
class caif_socket
inherits socket
class alg_socket
inherits socket
class nfc_socket
inherits socket
class vsock_socket
inherits socket
class kcm_socket
inherits socket
class qipcrtr_socket
inherits socket
Define smc_socket security class. Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, add it to the socket_class_set macro, and exclude it from webview_zygote like other socket classes. Test: Policy builds Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:06:49 +02:00
class smc_socket
inherits socket
Move class bpf definition No functional change. This reorg just makes it easier to perform diffs against https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors Test: policy builds. Change-Id: I10cf9547d57981c76ee7e76daa382bb504e36d0b
2018-10-18 18:08:26 +02:00
class bpf
{
map_create
map_read
map_write
prog_load
prog_run
}
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
class property_service
{
set
}
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-06 00:52:02 +02:00
class service_manager
{
add
Add access control for each service_manager action. Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-07 22:56:27 +02:00
find
list
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-06 00:52:02 +02:00
}
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
Add new classes and types for (hw|vnd)servicemanager. Bug: 34454312 Bug: 36052864 Test: device boots, works Change-Id: If61d9b736a74c5944cef4449de4dfbaf78d9ccfa
2017-04-06 18:24:41 +02:00
class hwservice_manager
{
add
find
list
}
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
class keystore_key
{
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
get_state
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
get
insert
delete
exist
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
list
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
reset
password
lock
unlock
Rename keystore methods and delete unused permissions Keystore is going through an API cleanup to make names more clear and remove unclear methods. Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-13 23:39:48 +02:00
is_empty
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
sign
verify
grant
duplicate
clear_uid
Add keystore add_auth This is for the new addAuthToken keystore method from I7f7647d9a36ea453ec6d62fc84087ca8f76e53dd. These tokens will be used to authorize keymaster operations. The tokens are HMAC'd and so shouldn't be fakeable but this is still limited to system_server only. Change-Id: I3ff46b676ecac8a878d3aa0a25ba9a8b0c5e1f47
2015-03-31 22:03:06 +02:00
add_auth
Add keystore user_changed permission user_changed will be used for state change methods around android user creation/deletion. Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
2015-05-12 21:33:40 +02:00
user_changed
Add keystore_key:attest_unique_id to priv_app. Only privileged apps are supposed to be able to get unique IDs from attestation. Test: CTS test verifies the negative condition, manual the positive Bug: 34671471 Change-Id: I9ab3f71b1e11ed1d7866ff933feece73152d2578
2017-04-11 17:41:25 +02:00
gen_unique_id
Adding policies for KeyStore MAC. Add keystore_key class and an action for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions not known to be used frequently. Add macro for those domains wishing to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-17 23:58:52 +02:00
}
Define debuggerd class, permissions, and rules. Define a new class, permissions, and rules for the debuggerd SELinux MAC checks. Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd. Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-24 21:25:43 +02:00
Add security class keystore2_key. Keystore 2.0 has a different set of permission that it enforces. We introduce keystore2_key so that we can set up policy for both Keystore 1.0 and Keystore 2.0 for a gradual transition from one to the other. Bug: 158500146 Test: None Change-Id: I3dcab06d73d242d63d21883659c304dfab8bf74f Merged-In: I3dcab06d73d242d63d21883659c304dfab8bf74f
2020-07-25 22:08:15 +02:00
class keystore2
{
add_auth
clear_ns
get_state
Move list permission from keystore2_key to keystore class. The list permission protects the ability to list arbitrary namespaces. This is not a namespace specific permission but a Keystore specific permission. Listing the entries of a given namsepace is covered by the get_info permission already. Ignore-AOSP-First: This needs to land in googleplex first to updated prebuilt vendor images. Otherwise it breaks aosp-with-phone builds. Test: N/A Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-09-24 17:55:28 +02:00
list
Add security class keystore2_key. Keystore 2.0 has a different set of permission that it enforces. We introduce keystore2_key so that we can set up policy for both Keystore 1.0 and Keystore 2.0 for a gradual transition from one to the other. Bug: 158500146 Test: None Change-Id: I3dcab06d73d242d63d21883659c304dfab8bf74f Merged-In: I3dcab06d73d242d63d21883659c304dfab8bf74f
2020-07-25 22:08:15 +02:00
lock
reset
unlock
}
class keystore2_key
{
delete
gen_unique_id
get_info
grant
manage_blob
rebind
req_forced_op
update
use
use_dev_id
}
Add fine grained access control to DrmManagerService. Add policies supporting SELinux MAC in DrmManagerservice. Add drmservice class with verbs for each of the functions exposed by drmservice. Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
2014-07-02 21:42:59 +02:00
class drmservice {
consumeRights
setPlaybackStatus
openDecryptSession
closeDecryptSession
initializeDecryptUnit
decrypt
finalizeDecryptUnit
pread
}
Update access_vectors Update access_vectors to support newer kernel functionality. This change does not grant any new access. Inspired by the following refpolicy commits: * https://github.com/SELinuxProject/refpolicy/commit/25a5b2427447eb14edb07ce302217d37528813bc * https://github.com/SELinuxProject/refpolicy/commit/109ab3296bce27281c453617d3629a238f5e4dbf * https://github.com/SELinuxProject/refpolicy/commit/437e48ac53307e1e2e13e49d349c0a09b12eb187 Bug: 118843234 Test: policy compiles Change-Id: I7c5a8dcf288dc2321adcf368bd0c0573c5257202
2018-11-02 03:39:44 +01:00
class xdp_socket
inherits socket
perf_event: define security class and access vectors This patch allows us to write SELinux policies for the perf_event_open() syscall LSM hooks added to the kernel in the following commit: https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e Bug: 137092007 Change-Id: I0005759eb7a487faebe94a4653e3865343eb441e
2020-01-08 18:30:26 +01:00
class perf_event
{
open
cpu
kernel
tracepoint
read
write
}
access_vectors: add lockdown class Needed to support upstream patch https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331 Bug: 148822198 Test: compiles Change-Id: I304c1a97c12067dd08d4ceef93702101908012ed
2020-02-13 21:57:27 +01:00
class lockdown
{
integrity
confidentiality
}
Reference in a new issue Copy permalink