platform_system_sepolicy/kernel.te

# Life begins with the kernel.
type kernel, domain;

# setcon to init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;

# The kernel is unconfined.
unconfined_domain(kernel)

# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;

# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel properties_device:file relabelto;
# /sys
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;

# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
SE Android policy. 2012-01-04 18:33:27 +01:00			`# Life begins with the kernel.`
			`type kernel, domain;`
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29 2014-01-25 05:43:07 +01:00
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 17:26:19 +02:00			`# setcon to init domain.`
			`allow kernel self:process setcurrent;`
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29 2014-01-25 05:43:07 +01:00			`allow kernel init:process dyntransition;`

SE Android policy. 2012-01-04 18:33:27 +01:00			`# The kernel is unconfined.`
			`unconfined_domain(kernel)`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 23:46:05 +02:00
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-30 15:53:00 +02:00			`# cgroup filesystem initialization prior to setting the cgroup root directory label.`
			`allow kernel unlabeled:dir search;`

Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-29 20:35:55 +02:00			`# init direct restorecon calls prior to switching to init domain`
			`# /dev and /dev/socket`
			`allow kernel { device socket_device }:dir relabelto;`
			`# /dev/__properties__`
			`allow kernel properties_device:file relabelto;`
			`# /sys`
			`allow kernel sysfs:{ dir file lnk_file } relabelfrom;`
			`allow kernel sysfs_type:{ dir file lnk_file } relabelto;`
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-06 14:05:53 +01:00
			`# Initial setenforce by init prior to switching to init domain.`
Revisit kernel setenforce Kernel userspace helpers may be spawned running in the kernel SELinux domain. Those userspace helpers shouldn't be able to turn SELinux off. This change revisits the discussion in https://android-review.googlesource.com/#/c/71184/ At the time, we were debating whether or not to have an allow rule, or a dontaudit rule. Both have the same effect, as at the time we switch to enforcing mode, the kernel is in permissive and the operation will be allowed. Change-Id: If335a5cf619125806c700780fcf91f8602083824 2014-05-12 23:32:59 +02:00			`# We use dontaudit instead of allow to prevent a kernel spawned userspace`
			`# process from turning off SELinux once enabled.`
			`dontaudit kernel self:security setenforce;`
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-01-08 15:29:30 +01:00
			`# Set checkreqprot by init.rc prior to switching to init domain.`
			`allow kernel self:security setcheckreqprot;`