tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/kernel.te

26 lines
876 B
Text
Raw Normal View History

SE Android policy.
2012-01-04 18:33:27 +01:00
# Life begins with the kernel.
type kernel, domain;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-25 05:43:07 +01:00
allow kernel init:process dyntransition;
SE Android policy.
2012-01-04 18:33:27 +01:00
# The kernel is unconfined.
unconfined_domain(kernel)
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 23:46:05 +02:00
relabelto_domain(kernel)
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
Fix more long-tail denials. For additional context- The denials related to init_tmpfs are of the form: denied { read } for pid=12315 comm=""dboxed_process0"" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=""tmpfs"" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file (the path above is "/dev/ashmem/dalvik-heap (deleted)") The denials related to executing things from the dalvik cache are of the form: enied { execute } for pid=3565 comm=""dboxed_process0"" path=""/data/dalvik-cache/system@app@Chrome.apk@classes.dex"" dev=""mmcblk0p28"" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file The denials related to isolated_app and the init socket are: denied { getattr } for pid=3824 comm=""Binder_2"" path=""socket:[14059]"" dev=""sockfs"" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket The getopt denials for the aforementioned socket are: denied { getopt } for pid=3824 comm=""Binder_2"" path=""/dev/socket/dumpstate"" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49
2013-09-06 00:36:30 +02:00
allow kernel unlabeled:filesystem mount;
Remove mount-related permissions from unconfined domains. Only allow to specific domains as required, and add a neverallow to prevent allowing it to other domains not explicitly whitelisted. sdcard_type is exempted from the neverallow since more domains require the ability to mount it, including device-specific domains. Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 19:29:38 +01:00
allow kernel fs_type:filesystem *;
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 14:05:53 +01:00
# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 15:29:30 +01:00
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 22:31:04 +01:00
# For operations performed by kernel or init prior to switching to init domain.
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
Remove block device access from unconfined domains. Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 20:40:14 +01:00
allow kernel dev_type:blk_file rw_file_perms;
auditallow kernel dev_type:blk_file rw_file_perms;
Reference in a new issue Copy permalink