tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/recovery.te

173 lines
5.6 KiB
Text
Raw Normal View History

Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:45:45 +01:00
# recovery console (used in recovery init.rc for /sbin/recovery)
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 22:19:03 +02:00
type recovery, domain;
Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:45:45 +01:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
# Allow recovery to perform an update as update_engine would do.
Switch Boot Control HAL policy to _client/_server This switches Boot Control HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Boot Control HAL. Domains which are clients of Boot Control HAL, such as update_server, are granted rules targeting hal_bootctl only when the Boot Control HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_bootctl are not granted to client domains. Domains which offer a binderized implementation of Boot Control HAL, such as hal_bootctl_default domain, are always granted rules targeting hal_bootctl. P. S. This commit removes direct access to Boot Control HAL from system_server because system_server is not a client of this HAL. This commit also removes bootctrl_block_device type which is no longer used. Finally, boot_control_hal attribute is removed because it is now covered by the hal_bootctl attribute. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I9c410c092069e431a3852b66c04c4d2a9f1a25cf
2017-03-17 03:17:15 +01:00
typeattribute recovery update_engine_common;
Recovery can use HALs only in passthrough mode This adjusts the grants for recovery to make it explicit that recovery can use the Boot Control HAL only in passthrough mode. Test: Device boots up, no new denials Test: Reboot into recovery, sideload OTA update succeeds Test: Apply OTA update via update_engine: 1. make dist 2. Ensure device has network connectivity 3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip Bug: 34170079 Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
2017-03-20 21:11:33 +01:00
# Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
Restore recovery's ability to format cache and preserve logs Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed many permissions from recovery, a few of which are still required. Restore these. [ 2918.409108] type=1400 audit(2327427.540:159): avc: denied { search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38" ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 [ 2586.563071] E:Failed to mount / create /cache/recovery: Permission denied [ 2586.780320] E:Can't open /cache/recovery/log: Permission denied [ 2586.850399] E:Can't open /cache/recovery/last_log: Permission denied [ 2586.918979] E:Can't open /cache/recovery/last_install: Permission denied [ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown } for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability permissive=0a Bug: 70350029 Test: xunchang to test Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
2017-12-11 18:22:01 +01:00
allow recovery self:global_capability_class_set {
chown
dac_override
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-07 00:19:40 +02:00
dac_read_search
Restore recovery's ability to format cache and preserve logs Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed many permissions from recovery, a few of which are still required. Restore these. [ 2918.409108] type=1400 audit(2327427.540:159): avc: denied { search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38" ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 [ 2586.563071] E:Failed to mount / create /cache/recovery: Permission denied [ 2586.780320] E:Can't open /cache/recovery/log: Permission denied [ 2586.850399] E:Can't open /cache/recovery/last_log: Permission denied [ 2586.918979] E:Can't open /cache/recovery/last_install: Permission denied [ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown } for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability permissive=0a Bug: 70350029 Test: xunchang to test Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
2017-12-11 18:22:01 +01:00
fowner
setuid
setgid
sys_admin
sys_tty_config
};
Remove MAC capabilities from unconfined domains. Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 19:23:08 +01:00
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
# Run helpers from / or /system without changing domain.
recovery: clean up audit logspam avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir Fixes: 62619253 Test: policy builds, no more "granted" messages in dmesg for recovery. Merged-In: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3 Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3 (cherry picked from commit ea1d6e7dc253a79d666034ddb11df7bfa332b496)
2017-06-14 19:11:12 +02:00
r_dir_file(recovery, rootfs)
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 17:38:29 +02:00
allow recovery toolbox_exec:file rx_file_perms;
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 15:07:17 +02:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Mount filesystems.
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery rootfs:dir mounton;
adbd is allowed to execute shell in recovery mode The shell is now available directly in the recovery ramdisk. We no longer need to mount system.img to /system as the recovery ramdisk is self-contained. However, there is a problem that every file in the ramdisk is labeled as rootfs because the ramdisk does not support xattr. This CL adds several recovery-only rules that are required to make the recovery ramdisk self-contained. Most importantly, adbd is allowed to domain_trans to shell. Also shell is allowe to execute files of type rootfs. Finally, the recovery is allowed to mount on tmpfs since it now mounts system.img to /mnt/system. Bug: 63673171 Test: `adb reboot recovery; adb devices` shows the device ID Test: `adb root && adb shell` and then $ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from the /lib directory. Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e
2018-06-01 05:31:33 +02:00
allow recovery tmpfs:dir mounton;
Restrict use of context= mount options. Prior to this change, the init and recovery domains were allowed unrestricted use of context= mount options to force all files within a given filesystem to be treated as having a security context specified at mount time. The context= mount option can be used in device-specific fstab.<board> files to assign a context to filesystems that do not support labeling such as vfat where the default label of sdcard_external is not appropriate (e.g. /firmware on hammerhead). Restrict the use of context= mount options to types marked with the contextmount_type attribute, and then remove write access from such types from unconfineddomain and prohibit write access to such types via neverallow. This ensures that the no write to /system restriction cannot be bypassed via context= mount. Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 19:05:38 +02:00
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:45:45 +01:00
Restore recovery's ability to format cache and preserve logs Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed many permissions from recovery, a few of which are still required. Restore these. [ 2918.409108] type=1400 audit(2327427.540:159): avc: denied { search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38" ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 [ 2586.563071] E:Failed to mount / create /cache/recovery: Permission denied [ 2586.780320] E:Can't open /cache/recovery/log: Permission denied [ 2586.850399] E:Can't open /cache/recovery/last_log: Permission denied [ 2586.918979] E:Can't open /cache/recovery/last_install: Permission denied [ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown } for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability permissive=0a Bug: 70350029 Test: xunchang to test Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
2017-12-11 18:22:01 +01:00
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-24 23:02:13 +01:00
# Get file contexts
allow recovery file_contexts_file:file r_file_perms;
recovery: allow relabelto unlabeled and other unlabeled rules The recovery script may ask to label a file with a label not known to the currently loaded policy. Allow it. Addresses the following denials: avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
2014-07-07 22:19:24 +02:00
refine recovery domain. Make sure we have all necessary rules to modify system_file and exec_type. Allow writing to /proc/sys/vm/drop_caches and other proc files. Addresses denials like: avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file recovery is still in permissive_or_unconfined(), so no rules are being enforced. Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-05 08:43:03 +02:00
# Write to /proc/sys/vm/drop_caches
drop_caches label, vold scratch space on expanded. Define an explicit label for /proc/sys/vm/drop_caches and grant to the various people who need it, including vold which uses it when performing storage benchmarks. Also let vold create new directories under it's private storage area where the benchmarks will be carried out. Mirror the definition of the private storage area on expanded media. avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 21172095 Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
2015-05-15 05:55:31 +02:00
allow recovery proc_drop_caches:file w_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 20:35:55 +02:00
recovery: fix denials during factory reset Addresses these denials when wiping data on sailfish: avc: denied { open } for pid=488 comm="mke2fs_static" path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0 tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1 avc: denied { search } for pid=488 comm="mke2fs_static" name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1 avc: denied { read } for pid=488 comm="mke2fs_static" name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1 Test: Wipe data/factory reset -> no selinux denials Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
2017-10-26 19:29:52 +02:00
# Read /proc/swaps
allow recovery proc_swaps:file r_file_perms;
Allow access to /proc/config.gz for priv_app and recovery Bug: 37485771 Test: sideloaded OTA through recovery on sailfish Change-Id: I98bb4e0e919db585131391f57545f1a9a0096701 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-19 20:35:15 +02:00
# Read kernel config through libvintf for OTA matching
allow recovery config_gz:file { open read getattr };
Re-add access to /sys/class/android_usb. Access to /sys/class/android_usb/ was lost when that dir received a new label sysfs_android_usb. Bug: 65643247 Test: can enter recovery mode and sideload through usb without denials to /sys Change-Id: I22821bab9833b832f13e0c45ff8da4dae115fa4d
2017-10-17 01:19:47 +02:00
# Write to /sys/class/android_usb/android0/enable.
r_dir_file(recovery, sysfs_android_usb)
allow recovery sysfs_android_usb:file w_file_perms;
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 18:15:22 +02:00
recovery.te: Allow writing to sysfs_devices_system_cpu. recovery (update_binary) may need to set up cpufreq during an update. avc: denied { write } for pid=335 comm="update_binary" name="scaling_max_freq" dev="sysfs" ino=7410 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=file permissive=0 Bug: 32463933 Test: Build a recovery image and apply an OTA package that writes to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq. Change-Id: Ia90af9dd15e162dd94bcd4722b66aa296e3058c5
2016-11-22 22:53:01 +01:00
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
Enable recovery to read batteryinfo. Bug: 26879394 Change-Id: I09ac9027ca343e00488dedab8df1687fd32bb255
2016-02-17 21:23:13 +01:00
allow recovery sysfs_batteryinfo:file r_file_perms;
recovery: fix denials during factory reset Addresses these denials when wiping data on sailfish: avc: denied { open } for pid=488 comm="mke2fs_static" path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0 tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1 avc: denied { search } for pid=488 comm="mke2fs_static" name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1 avc: denied { read } for pid=488 comm="mke2fs_static" name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1 Test: Wipe data/factory reset -> no selinux denials Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
2017-10-26 19:29:52 +02:00
# Read /sysfs/fs/ext4/features
r_dir_file(recovery, sysfs_fs_ext4_features)
recovery: Allow accessing sysfs_leds. Bug: 34077703 Test: recovery image can set the backlight brightness. Change-Id: I34d72e1a0e959c2d9f48b3b9c55c4eb2d1cc41bf
2017-01-25 08:29:11 +01:00
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
# control backlight brightness.
allow recovery sysfs_leds:dir r_dir_perms;
allow recovery sysfs_leds:file rw_file_perms;
allow recovery sysfs_leds:lnk_file read;
remove access_kmsg macro, because it to be more explicit. This macro does not give us anything to it. Change-Id: Ie0b56716cc0144f0a59849647cad31e06a25acf1
2016-01-26 08:42:54 +01:00
allow recovery kernel:system syslog_read;
Allow recovery to access kmsg for log retrieval Bug: 18642766 Change-Id: I97d6ab0b76b69d99dcc1928232c8961437e1e68c Signed-off-by: Patrick Tjin <pattjin@google.com>
2014-12-09 21:43:26 +01:00
Remove support for legacy f_adb interface. Bug: http://b/34228376 Test: m Change-Id: I1321ada1521bb3e3fd08105f1a41d519ee486683
2017-01-11 23:58:28 +01:00
# Access /dev/usb-ffs/adb/ep0
support newer-style adbd interface in recovery Support opening the ffs-based interface for adbd in recovery. (Copied from adbd.te.) Bug: 16183878 Change-Id: Ib80e5b910d9ad4252cb80e7ce2f85e478cd94816
2014-07-10 22:40:25 +02:00
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
allow recovery FUNCTIONFS_ENDPOINT_DESC Commit ebc3a1a34ce914654fcc4edf9a2d26bf5fa76260 ("Move to ioctl whitelisting for plain files / directories", Oct 10th), enabled ioctl filtering on all files, including functionfs files. However, recovery performs the ioctl FUNCTIONFS_ENDPOINT_DESC on functionfs files, so allow it. Addresses the following denial: audit: type=1400 audit(673009.476:507811): avc: denied { ioctl } for pid=731 comm="recovery" path="/dev/usb-ffs/adb/ep1" dev="functionfs" ino=473 ioctlcmd=0x6782 scontext=u:r:recovery:s0 tcontext=u:object_r:functionfs:s0 tclass=file permissive=1 Test: policy compiles. Bug: 119877813 Change-Id: I09715acc16ab319b8d8b1f233cefaec23a358962
2018-11-21 21:37:40 +01:00
allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 18:15:22 +02:00
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# Access to /sys/fs/selinux/policyvers for compatibility check
allow recovery selinuxfs:file r_file_perms;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Required to e.g. wipe userdata/cache.
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 18:40:12 +02:00
allow recovery device:dir r_dir_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery block_device:dir r_dir_perms;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
allow recovery dev_type:blk_file rw_file_perms;
recovery: Address the ioctl denials during wiping. avc: denied { ioctl } for pid=599 comm="mke2fs" path="/dev/block/sda13" dev="tmpfs" ino=18975 ioctlcmd=127b scontext=u:r:recovery:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file avc: denied { ioctl } for pid=587 comm="mke2fs" path="/dev/block/sda20" dev="tmpfs" ino=17931 ioctlcmd=0x127b scontext=u:r:recovery:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file 0x127b (BLKPBSZGET) is called by mke2fs that queries physical sector size. Although the denial is currently non-fatal, as mke2fs falls back to use logical sector size, it might lead to undesired result in future. Test: Factory reset on taimen and blueline respectively. Change-Id: I14fc6593aeae309c79f5eadcffc8158b0a2ab2f6
2019-01-16 01:08:09 +01:00
allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
Remove /system write from unconfined Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-20 20:09:16 +02:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# GUI
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 20:48:35 +02:00
allow recovery tty_device:chr_file rw_file_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
Remove block device access from unconfined domains. Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 20:40:14 +01:00
Creates a new permission for /cache/recovery This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
2015-12-22 21:37:17 +01:00
# Manage files on /cache and /cache/recovery
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
Allow recovery to read thermal info We want to track temperature metrics during an OTA update. denial message: denied { search } for pid=349 comm="recovery" name="thermal" dev="sysfs" ino=18029 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 denied { read } for pid=326 comm="recovery" name="temp" dev="sysfs" ino=18479 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 36920500 Bug: 32518487 Test: temperature logs on angler Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e (cherry picked from commit 3da2f21fbfa943b408c01d4db2468c7d05b311f9)
2017-04-05 21:43:33 +02:00
# Read /sys/class/thermal/*/temp for thermal info.
Allow recovery to read thermal info on sailfish Encountered more denials on sailfish: avc: denied { read } for pid=439 comm="recovery" name="thermal" dev="sysfs" ino=28516 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 avc: denied { read } for pid=441 comm="recovery" name="thermal_zone9" dev="sysfs" ino=40364 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=lnk_file permissive=0 Bug: 36920500 Test: sideload a package in sailfish (cherry picked from commit b4e4565d58218cc5a878d4998dc9dd079d4b7dc0) Change-Id: I46b14babd47168e87c0d30ec06281aaa237563bf
2017-04-14 23:06:22 +02:00
r_dir_file(recovery, sysfs_thermal)
Allow recovery to read thermal info We want to track temperature metrics during an OTA update. denial message: denied { search } for pid=349 comm="recovery" name="thermal" dev="sysfs" ino=18029 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=dir permissive=0 denied { read } for pid=326 comm="recovery" name="temp" dev="sysfs" ino=18479 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_thermal:s0 tclass=file permissive=0 Bug: 36920500 Bug: 32518487 Test: temperature logs on angler Change-Id: Ib70c1c7b4e05f91a6360ff134a11c80537d6015e (cherry picked from commit 3da2f21fbfa943b408c01d4db2468c7d05b311f9)
2017-04-05 21:43:33 +02:00
Allow recovery to read files with oemfs label The recovery and update_binary need to access the /oem partition for devices like sprout. Bug: 19764039 Change-Id: Ie6cbcae899ad664c6a1809c0d5478031091b6eda
2015-06-11 00:52:49 +02:00
# Read files on /oem.
r_dir_file(recovery, oemfs);
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
# Reboot the device
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232) Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(recovery, powerctl_prop)
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 17:26:19 +02:00
Fix warning in recovery.te SELinux policy compiler complained about a quote inside the recovery_only section of recovery.te. This section's contents are inside quotes and thus can't contain quotes. Test: mmm system/sepolicy produces no warnings Bug: 33700679 Change-Id: I5bf943166f4f514d04472f7e59b025a9723eb1b8
2016-12-27 21:38:07 +01:00
# Read serial number of the device from system properties
Restrict access to ro.serialno and ro.boot.serialno This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps. The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user. Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome Test: Access the device via ADB (ADBD exposes serial number) Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo Bug: 31402365 Bug: 33700679 Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-21 00:31:37 +01:00
get_prop(recovery, serialno_prop)
recovery.te: Allow setting sys.usb.ffs.ready. This is needed for devices using configfs, where init listens for sys.usb.ffs.ready=1 to config usb_gadget. When recovery starts sideloading, minadbd (forked from recovery) sets the property to trigger that action. avc: denied { set } for property=sys.usb.ffs.ready pid=541 uid=0 gid=0 scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0 tclass=property_service Bug: 35803743 Test: Device shows up in sideload mode. Change-Id: Ie7f1224d3a8650160ac29811f73b8286fbced4f4
2017-05-11 00:48:57 +02:00
# Set sys.usb.ffs.ready when starting minadbd for sideload.
set_prop(recovery, ffs_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 09:54:49 +02:00
set_prop(recovery, exported_ffs_prop)
recovery.te: Allow setting sys.usb.ffs.ready. This is needed for devices using configfs, where init listens for sys.usb.ffs.ready=1 to config usb_gadget. When recovery starts sideloading, minadbd (forked from recovery) sets the property to trigger that action. avc: denied { set } for property=sys.usb.ffs.ready pid=541 uid=0 gid=0 scontext=u:r:recovery:s0 tcontext=u:object_r:ffs_prop:s0 tclass=property_service Bug: 35803743 Test: Device shows up in sideload mode. Change-Id: Ie7f1224d3a8650160ac29811f73b8286fbced4f4
2017-05-11 00:48:57 +02:00
Add sepolicy for fastbootd Also allow adb and fastboot to talk to recovery through recovery_socket. This enables changing between modes with usb commands. Test: No selinux denials Bug: 78793464 Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-05-29 19:54:16 +02:00
# Set sys.usb.config when switching into fastboot.
set_prop(recovery, system_radio_prop)
set_prop(recovery, exported_system_radio_prop)
Switch /data/misc/reboot/last_reboot_reason to persistent property Switch from /data/misc/reboot/last_reboot_reason to persistent Android property persist.sys.boot.reason for indicating why the device is rebooted or shutdown. Introduce protection for all boot reason properties Protect the following properties with these labels ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0 sys.boot.reason u:object_r:sys_boot_reason_prop:s0 persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0 Setup the current as-need access rules for each. ToDo: Remove u:object_r:reboot_data_file after internal fixes. Test: system/core/bootstat/boot_reason_test.sh Bug: 64687998 Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
2017-08-14 23:25:10 +02:00
# Read ro.boot.bootreason
get_prop(recovery, bootloader_boot_reason_prop)
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
Rename sdcard_internal/external types. Rename sdcard_internal/external types to fuse and vfat respectively to make it clear that they are assigned to any fuse or vfat filesystem by default (absent a context= mount option) and do not necessarily represent the SDcard. The sdcard_type attribute is still assigned to both types and can still be used in allow rules to permit access to either the internal or external SDcard. Define type aliases for the old names to preserve compatibility on policy reload and for device-specific policies that may not yet be updated. Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-08 20:45:09 +02:00
# Allow recovery to create a fuse filesystem, and read files from it.
recovery: allow creating and reading fuse filesystems The new sideloading mechanism in recovery needs to create a fuse filesystem and read files from it. Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf
2014-07-02 19:28:20 +02:00
allow recovery fuse_device:chr_file rw_file_perms;
Rename sdcard_internal/external types. Rename sdcard_internal/external types to fuse and vfat respectively to make it clear that they are assigned to any fuse or vfat filesystem by default (absent a context= mount option) and do not necessarily represent the SDcard. The sdcard_type attribute is still assigned to both types and can still be used in allow rules to permit access to either the internal or external SDcard. Define type aliases for the old names to preserve compatibility on policy reload and for device-specific policies that may not yet be updated. Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-08 20:45:09 +02:00
allow recovery fuse:dir r_dir_perms;
allow recovery fuse:file r_file_perms;
recovery: allow creating and reading fuse filesystems The new sideloading mechanism in recovery needs to create a fuse filesystem and read files from it. Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf
2014-07-02 19:28:20 +02:00
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
wakelock_use(recovery)
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 20:48:35 +02:00
recovery: don't use single quote single quotes make the m4 parser think it's at the end of a block, and generates the following compile time warning: external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720: Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
2014-06-10 05:35:51 +02:00
# This line seems suspect, as it should not really need to
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 20:48:35 +02:00
# set scheduling parameters for a kernel domain task.
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 01:16:21 +02:00
allow recovery kernel:process setsched;
Fix selinux denials when applying updates in recovery. These lines are copied from update_engine.te, and are needed to update dynamic partitions in recovery. Bug: 132943965 Test: sideload OTA on cuttlefish Change-Id: Id03a658aac69b8d20fa7bb758530a4469c75cf9c
2019-05-22 01:22:21 +02:00
# These are needed to update dynamic partitions in recovery.
r_dir_file(recovery, sysfs_dm)
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 22:40:15 +02:00
')
recovery.te: add /data neverallow rules Recovery should never be accessing files from /data. In particular, /data may be encrypted, and the files within /data will be inaccessible to recovery, because recovery doesn't know the decryption key. Enforce write/execute restrictions on recovery. We can't tighten it up further because domain.te contains some /data read-only access rules, which shouldn't apply to recovery but do. Create neverallow_macros, used for storing permission macros useful for neverallow rules. Standardize recovery.te and property_data_file on the new macros. Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-06 00:30:41 +01:00
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
}:file { no_w_file_perms no_x_file_perms };
neverallow recovery {
data_file_type
-cache_file
-cache_recovery_file
In native coverage builds, allow all domains to access /data/misc/trace Bug: http://b/135139675 Coverage files are written to /data/misc/trace (governed by the method_trace_data_file selinux type). Allow all domains to access (create directories, access files) this directory when native coverage is enabled (by setting NATIVE_COVERAGE to true) in an userdebug or eng build. Also relax neverallow constraints to allow access to method_trace_data_file for native coverage builds. Test: Build 32-bit cuttlefish with coverage: m NATIVE_COVERAGE=true COVERAGE_PATHS="*" and verify that there are no selinux denials in kernel log and logcat. Change-Id: I3fe7c77612854b9de7de7a0ddd5cbf44a2f5c21e
2019-06-14 00:05:15 +02:00
with_native_coverage(`-method_trace_data_file')
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
}:dir no_w_dir_perms;
Reference in a new issue Copy permalink