tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/attributes

143 lines
3.9 KiB
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
######################################
# Attribute declarations
#
# All types used for devices.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# in tools/checkfc.c
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute dev_type;
# All types used for processes.
attribute domain;
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 18:54:39 +01:00
# Temporary attribute used for migrating permissions out of domain.
# Motivation: Domain is overly permissive. Start removing permissions
# from domain and assign them to the domain_deprecated attribute.
# Domain_deprecated and domain can initially be assigned to all
# domains. The goal is to not assign domain_deprecated to new domains
# and to start removing domain_deprecated where it's not required or
# reassigning the appropriate permissions to the inheriting domain
# when necessary.
attribute domain_deprecated;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for filesystems.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute fs_type;
Define contextmount_type attribute and add it to oemfs. Several device-specific policy changes with the same Change-Id also add this attribute to device-specific types. Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 14:49:51 +02:00
# All types used for context= mounts.
attribute contextmount_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_FC_ASSERT_ATTRS
# definition in tools/checkfc.c.
SE Android policy.
2012-01-04 18:33:27 +01:00
attribute file_type;
# All types used for domain entry points.
attribute exec_type;
# All types used for /data files.
attribute data_file_type;
# All types use for sysfs files.
attribute sysfs_type;
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-08 02:02:31 +01:00
# All types use for debugfs files.
attribute debugfs_type;
Split internal and external sdcards Two new types are introduced: sdcard_internal sdcard_external The existing type of sdcard, is dropped and a new attribute sdcard_type is introduced. The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards. Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-07 01:26:36 +01:00
# Attribute used for all sdcards
attribute sdcard_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All types used for nodes/hosts.
attribute node_type;
# All types used for network interfaces.
attribute netif_type;
# All types used for network ports.
attribute port_type;
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
# All types used for property service
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_PC_ASSERT_ATTRS
# definition in tools/checkfc.c.
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties.
2012-04-04 16:11:16 +02:00
attribute property_type;
Remove property read access for non-core properties Instead of allowing global read access to all properties, only allow read access to the properties which are part of core SELinux policy. Device-specific policies are no longer readable by default and need to be granted in device-specific policy. Grant read-access to any property where the person has write access. In most cases, anyone who wants to write a property needs read access to that property. Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918
2015-12-08 23:45:50 +01:00
# All properties defined in core SELinux policy. Should not be
# used by device specific properties
attribute core_property_type;
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
# All properties used to configure log filtering.
attribute log_property_type;
Enforce more specific service access. Move the remaining services from tmp_system_server_service to appropriate attributes and remove tmp_system_server and associated logging: registry restrictions rttmanager scheduling_policy search sensorservice serial servicediscovery statusbar task textservices telecom_service trust_service uimode updatelock usagestats usb user vibrator voiceinteraction wallpaper webviewupdate wifip2p wifi window Bug: 18106000 Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 00:12:24 +02:00
# All service_manager types created by system_server
Add system_api_service and app_api_service attributes. System services differ in designed access level. Add attributes reflecting this distinction and label services appropriately. Begin moving access to the newly labeled services by removing them from tmp_system_server_service into the newly made system_server_service attribute. Reflect the move of system_server_service from a type to an attribute by removing access to system_server_service where appropriate. Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 01:50:08 +02:00
attribute system_server_service;
# services which should be available to all but isolated apps
attribute app_api_service;
# services which export only system_api
attribute system_api_service;
Make system_server_service an attribute. Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services. Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2014-12-17 00:45:26 +01:00
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-06 00:52:02 +02:00
# All types used for services managed by service_manager.
checkfc: add attribute test Enable checkfc to check *_contexts against a set of valid attributes which must be associated with all types in the contexts file that is being checked. Since it's imperative that checkfc knows which file its checking to choose the proper attribute set, the -s option is introduced to indicate the service_contexts file. The property_contexts file continues to use the existing -p and file_contexts requires no specification, aka it's the default. Failure examples: file_contexts: Error: type "init" is not of set: "fs_type, dev_type, file_type" service_contexts: Error: type "init_exec" is not of set: "service_manager_type" property_contexts: Error: type "bluetooth_service" is not of set: "property_type" Change-Id: I62077e4d0760858a9459e753e14dfd209868080f Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-09-25 03:10:54 +02:00
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
Add SELinux rules for service_manager. Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label. Bug: 12909011 Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-06 00:52:02 +02:00
attribute service_manager_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
# All domains that can override MLS restrictions.
# i.e. processes that can read up and write down.
attribute mlstrustedsubject;
# All types that can override MLS restrictions.
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
# All domains used for apps.
attribute appdomain;
# All domains used for apps with network access.
attribute netdomain;
# All domains used for apps with bluetooth access.
attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
Move boot_control HAL permissions to an attribute. The boot_control HAL is library loaded by our daemons (like update_engine and update_verifier) that interacts with the bootloader. The actual implementation of this library is provided by the vendor and its runtime permissions are tied to this implementation which varies a lot based on how the bootloader and the partitions it uses are structured. This patch moves these permissions to an attribute so the attribute can be expanded on each device without the need to repeat that on each one of our daemons using the boot_control HAL. Bug: 27107517 Change-Id: Idfe6a208720b49802b03f70fee4a3e73030dae2e
2016-04-22 22:23:36 +02:00
# All domains that access the boot_control HAL. The permissions the HAL
# requires are specific to the implementation provided in each device, but
# common daemons need to be aware of those when calling into the HAL.
attribute boot_control_hal;
Allow executing update_engine_sideload from recovery. The recovery flow for A/B devices allows to sideload an OTA downloaded to a desktop and apply from recovery. This patch allows the "recovery" context to perform all the operations required to apply an update as update_engine would do in the background. These rules are now extracted into a new attributte called update_engine_common shared between recovery and update_engine. Bug: 27178350 Change-Id: I97b301cb2c039fb002e8ebfb23c3599463ced03a
2016-08-04 05:31:37 +02:00
# update_engine related domains that need to apply an update and run
# postinstall. This includes the background daemon and the sideload tool from
# recovery for A/B devices.
attribute update_engine_common;
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-15 19:05:55 +01:00
Group all HAL impls using haldomain attribute This marks all HAL domain implementations with the haldomain attribute so that rules can be written which apply to all HAL implementations. This follows the pattern used for appdomain, netdomain and bluetoothdomain. Test: No change to policy according to sesearch. Bug: 34180936 Change-Id: I0cfe599b0d49feed36538503c226dfce41eb65f6
2017-01-11 00:54:25 +01:00
# All domains used for HAL implementations
attribute haldomain;
Move hal_light to attribute. HAL policy defines how the platform and a given HAL interact, but not how the HAL is implemented. This policy should be represented as an attribute that all processes implementing the HAL can include. Bug: 32123421 Test: Builds. Change-Id: I17e5612c0835773c28e14f09e2ce7bdc3f210c15
2016-11-15 19:05:55 +01:00
# HALs
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_audio;
Add selinux policy for Bluetooth HAL Bug: 31972505 Test: VTS test passes, Bluetooth starts/stops Change-Id: Ic068c9fca7c50e63c5b6e3d86a2ee6cc53207e08
2016-10-12 23:49:56 +02:00
attribute hal_bluetooth;
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
2016-12-22 21:55:02 +01:00
attribute hal_camera;
Sort hal_* declarations alphabetically Test: No change to SELinux policy Change-Id: I45d6d6ab0538b9d4768b922cfdc2c972272d0b18
2017-01-20 19:39:32 +01:00
attribute hal_contexthub;
Add hal_dumpstate attribute. - Also allow dumpstate to talk to hal_dumpstate. Bug: 31982882 Test: compiles Change-Id: Ib9cf0027ee7e71fa40b9ccc29fc8dccea6977e5c
2016-12-01 18:39:10 +01:00
attribute hal_dumpstate;
New SeLinux policy for fingerprint HIDL Move from fingerprintd to new fingerprint_hal and update SeLinux policy. Test: Boot with no errors related to fingerprint sepolicy Bug: 33199080 Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
2016-12-16 04:46:43 +01:00
attribute hal_fingerprint;
gatekeeper HAL service: add security policy Change-Id: I79a305407c3a362d7be11f4c026f31f1e9666f1c Signed-off-by: Alexey Polyudov <apolyudov@google.com>
2016-10-20 20:20:25 +02:00
attribute hal_gatekeeper;
add selinux policy for GNSS hal The following are the avc denials that are addressed: avc: denied { call } for pid=889 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:hal_gnss_default:s0 tclass=binder permissive=0 avc: denied { call } for scontext=u:r:hal_gnss_default:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=0 avc: denied { read } for name="hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 avc: denied { open } for path="/system/lib64/hw" dev="mmcblk0p43" ino=1837 scontext=u:r:hal_gnss_default:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Bug:31974439 Test: Checked that there no more related avc denial messages related to the GNSS HAL in dmesg. Change-Id: I5b43dc088017a5568dd8e442726d2bf52e95b1d5
2016-12-09 17:53:42 +01:00
attribute hal_gnss;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_graphics_allocator;
attribute hal_graphics_composer;
hal_health: express the sepolicy as attribute Bug: http://b/32905206 Test: Boot sailfish and no new selinux failures observed in logs Change-Id: Id9a46180074a61f8cf8d176a7b2ebc995a13b9f9 Signed-off-by: Sandeep Patil <sspatil@google.com>
2016-12-16 22:20:25 +01:00
attribute hal_health;
Add sepolicy for consumerir HIDL HAL Test: logging confirms service runs on boot Change-Id: If86fa7daf4a626b3e04fa0d2677d4cb590eb71ce Signed-off-by: Connor O'Brien <connoro@google.com>
2016-12-06 01:20:44 +01:00
attribute hal_ir;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_light;
attribute hal_memtrack;
attribute hal_nfc;
attribute hal_power;
Add sepolicy for sensors Adding sepoilcy for sensors. Test: Sensors work. Change-Id: Ibbf0c1a22654a17b1573e3761ea9ccd816150255
2016-11-29 21:26:51 +01:00
attribute hal_sensors;
SEPolicy changes for BT SAP hal. Test: Verified that WIP telephony and BT SAP CLs work fine with this change https://android-review.googlesource.com/#/q/topic:%22Basic+radio+service+and+client%22+(status:open+OR+status:merged) https://android-review.googlesource.com/#/q/topic:%22SAP+HAL%22+(status:open+OR+status:merged) Bug: 32020264 Change-Id: If15820d43e324d80e35808a292ee811f98d499cc
2016-12-08 02:43:46 +01:00
attribute hal_telephony;
All hal policies expressed as attributes. Bug: 32123421 Bug: 32905206 Test: compiles, nfc works Change-Id: Ibf72ef70255573e4df0863ea640354b3c37eb47d
2016-12-13 21:17:09 +01:00
attribute hal_thermal;
attribute hal_vibrator;
attribute hal_vr;
attribute hal_wifi;
Reference in a new issue Copy permalink