tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/webview_zygote.te

156 lines
6 KiB
Text
Raw Normal View History

Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# webview_zygote is an auxiliary zygote process that is used to spawn
# isolated_app processes for rendering untrusted web content.
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute webview_zygote coredomain;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
Fix diff in cherry-pick Changes 2d626fd84ea0246c963ce2c87ae62461a60f8826 and 869562e9e30933b6e7342205b9eccd9fd769f5d9 are the same commit, but with a different comment. Fix them up to be the same. Test: build Change-Id: I6311413357f457d6ba95886b729ffa53ab80e016
2018-05-16 23:38:51 +02:00
# Allow access to temporary files, which is normally permitted through
# a domain macro.
Remove rules for starting the webview_zygote as a child of init. The webview_zygote is now launched as a child-zygote process from the main zygote process. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1 Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
2018-01-30 16:54:33 +01:00
tmpfs_domain(webview_zygote);
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
Add SELinux policy for using userfaultfd ART runtime will be using userfaultfd for a new heap compaction algorithm. After enabling userfaultfd in android kernels (with SELinux support), the feature needs policy that allows { create ioctl read } operations on userfaultfd file descriptors. Bug: 160737021 Test: Manually tested by exercising userfaultfd ops in ART Change-Id: I9ccb7fa9c25f91915639302715f6197d42ef988e
2021-03-11 20:32:47 +01:00
userfaultfd_use(webview_zygote)
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
allow webview_zygote apk_data_file:file { r_file_perms execute };
# Access to the WebView relro file.
allow webview_zygote shared_relro_file:dir search;
allow webview_zygote shared_relro_file:file r_file_perms;
# Set the UID/GID of the process.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow webview_zygote self:global_capability_class_set { setgid setuid };
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# Drop capabilities from bounding set.
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 23:51:26 +01:00
allow webview_zygote self:global_capability_class_set setpcap;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# Switch SELinux context to app domains.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;
# For art.
Permissions for odrefresh and /data/misc/apexdata/com.android.art odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2020-10-16 16:29:55 +02:00
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
Permissions for odrefresh and /data/misc/apexdata/com.android.art odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2020-10-16 16:29:55 +02:00
allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
allow webview_zygote apex_module_data_file:dir search;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
Allow webview_zygote to JIT. bug: 119800099 Test: device boots, no selinux denials Change-Id: I737afbb4e826014fc91a68ac955199bb1d1a04c7
2018-11-20 14:31:49 +01:00
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# Allow webview_zygote to stat the files that it opens. It must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
allow webview_zygote debugfs_trace_marker:file getattr;
# Allow webview_zygote to manage the pgroup of its children.
allow webview_zygote system_server:process getpgid;
# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 21:58:29 +02:00
# TODO (b/63631799) fix this access
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;
prevent benign dex2oat selinux denial temporarily Since we now call patchoat --verify in zygote art loading code, we have the unintended effect of webview zygote calling patchoat --verify. This is undesireable since webview zygote doesn't need to verify the .art files after the app_process zygote has already done so. The exec of patchoat fails for webview zygote, and this change hides that. This change should be reverted when b/72957399 is resolved. Bug: 66697305 Test: Ensure no new selinux denials were introduced. Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8
2018-02-05 23:26:04 +01:00
# TODO (b/72957399) remove this when webview_zygote is reparented to
# app_process zygote
dontaudit webview_zygote dex2oat_exec:file execute;
seapp_context: explicitly label all seapp context files seapp_context files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'seapp_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospSeappContexts Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-27 19:57:07 +02:00
# Get seapp_contexts
allow webview_zygote seapp_contexts_file:file r_file_perms;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# Check validity of SELinux context before use.
selinux_check_context(webview_zygote)
# Check SELinux permissions.
selinux_check_access(webview_zygote)
webview_zygote: allow listing dirs in /system For consistency with zygote, allow webview_zygote to list directories in /system. Test: Boot Taimen. Verify webiew_zygote denials during boot. Bug: 70857705 Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59
2018-01-02 22:15:16 +01:00
# Directory listing in /system.
Fix permission typo zygote->webview_zygote. Forgot to ammend local change. Test: webview_zygote denials are gone. Change-Id: I02869812feafd127b39e567c28e7278133770e97
2018-01-03 17:46:05 +01:00
allow webview_zygote system_file:dir r_dir_perms;
webview_zygote: allow listing dirs in /system For consistency with zygote, allow webview_zygote to list directories in /system. Test: Boot Taimen. Verify webiew_zygote denials during boot. Bug: 70857705 Change-Id: I27eb18c377a5240d7430abf301c1c3af61704d59
2018-01-02 22:15:16 +01:00
Add getattr access on tmpfs_zygote files for webview_zygote. webview_zygote inherits tmpfs files from zygote and needs to stat them after fork. Bug: 138851227 Test: run walleye_jitzygote config, fork webview_zygote. Change-Id: I092b942c0426f3f5731536ae9f2f5886a9196d3d
2020-01-30 22:24:20 +01:00
# Read and inspect temporary files (like system properties) managed by zygote.
allow webview_zygote zygote_tmpfs:file { read getattr };
SELinux changes to accomodate starting the webview_zygote as a child of the zygote. In this architecture, the system_server instructs the zygote to fork a child-zygote to be the webview_zygote. The system_server tells this new zygote to listen for fork requests on a random abstract unix socket of its choosing. A follow-up CL will remove the rules for starting webview_zygote via init. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Merged-In: I864743943c11c18de386010ecd4b616721cb9954 Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
2018-01-30 16:54:33 +01:00
# Child of zygote.
allow webview_zygote zygote:fd use;
allow webview_zygote zygote:process sigchld;
# Allow apps access to /vendor/overlay
r_dir_file(webview_zygote, vendor_overlay_file)
same_process_hal_file: access to individual coredomains Remove blanket coredomain access to same_process_hal_file in favor of granular access. This change takes into account audits from go/sedenials (our internal dogfood program) Bug: 37211678 Test: m selinux_policy Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-18 21:39:35 +02:00
allow webview_zygote same_process_hal_file:file { execute read open getattr map };
Allow webview_zygote to read the /data/user/0 symlink. ART follows the /data/user/0 symlink while loading cache files, leading to: avc: denied { getattr } for comm="webview_zygote" path="/data/user/0" dev="sda35" ino=1310726 scontext=u:r:webview_zygote:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=0 Allow this access, the same as app and app_zygote do. Bug: 123246126 Test: DeviceBootTest.SELinuxUncheckedDenialBootTest Change-Id: I90faa524e15a17b116a6087a779214f2c2142cc2
2019-04-11 21:30:51 +02:00
allow webview_zygote system_data_file:lnk_file r_file_perms;
Add rules for an unix domain socket for system_server System_server will listen on incoming packets from zygotes. Bug: 136036078 Test: atest CtsAppExitTestCases:ActivityManagerAppExitInfoTest Change-Id: I42feaa317615b90c5277cd82191e677548888a71
2019-12-30 06:38:38 +01:00
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
Enable ART properties modularization ART is becoming a module and we need to be able to add new properties without modifying the non updatable part of the platform: - convert ART properties to use prefix in the namespace of [ro].dalvik.vm. - enable appdomain and coredomain to read device_config properties that configure ART Test: boot Bug: 181748174 Change-Id: Id23ff78474dba947301e1b6243a112b0f5b4a832
2021-05-19 00:33:08 +02:00
# Allow the webview_zygote to access the runtime feature flag properties.
get_prop(webview_zygote, device_config_runtime_native_prop)
get_prop(webview_zygote, device_config_runtime_native_boot_prop)
Allow zygotes and installd to read odsign properties Bug: 192049377 Test: manual Change-Id: I88cfd0b7fa63f195a1ec8f498c106cbf95f649ec
2021-07-01 14:29:37 +02:00
# Allow webview_zygote to access odsign verification status
get_prop(zygote, odsign_prop)
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
#####
##### Neverallow
#####
# Only permit transition to isolated_app.
neverallow webview_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions, except for crash_dump.
neverallow webview_zygote { domain -crash_dump }:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
Remove rules for starting the webview_zygote as a child of init. The webview_zygote is now launched as a child-zygote process from the main zygote process. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Merged-In: I9c948b58a969d35d5a5add4b6ab62b8f990645d1 Change-Id: I153476642cf14883b0dfea0d9f5b3b5e30ac1c08
2018-01-30 16:54:33 +01:00
# The only way to enter this domain is for the zygote to fork a new
# webview_zygote child.
SELinux changes to accomodate starting the webview_zygote as a child of the zygote. In this architecture, the system_server instructs the zygote to fork a child-zygote to be the webview_zygote. The system_server tells this new zygote to listen for fork requests on a random abstract unix socket of its choosing. A follow-up CL will remove the rules for starting webview_zygote via init. Bug: 63749735 Test: m Test: Launch "Third-party licenses" activity from Settings, and it renders correctly via the WebView. Merged-In: I864743943c11c18de386010ecd4b616721cb9954 Change-Id: I1c352e47b66eca3a3fa641daa6ecc3e7a889b54e
2018-01-30 16:54:33 +01:00
neverallow { domain -zygote } webview_zygote:process dyntransition;
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
Introduce app_data_file_type attribute. This gives us an easy way for the policy to refer to all existing or future types used for app private data files in type= assignments in seapp_contexts. Apply the label to all the existing types, then refactor rules to use the new attribute. This is intended as a pure refactoring, except that: - Some neverallow rules are extended to cover types they previous omitted; - We allow iorap_inode2filename limited access to shell_data_file and nfc_data_file; - We allow zygote limited access to system_app_data_file. This mostly reverts the revert in commit b01e1d97bf1320d54c8641cfff687f13f32013bf, restoring commit 27e0c740f1894e9a390b7105255eb29401d25c35. Changes to check_seapp to enforce use of app_data_file_type is omitted, to be included in a following CL. Test: Presubmits Bug: 171795911 Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-10-27 18:35:33 +01:00
neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
neverallow webview_zygote {
service_manager_type
-activity_service
-webviewupdate_service
}:service_manager find;
# Isolated apps shouldn't be able to access the driver directly.
neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
# Do not allow webview_zygote access to /cache.
neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
neverallow webview_zygote cache_file:file ~{ read getattr };
# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
# unix_stream_socket, and netlink_selinux_socket.
neverallow webview_zygote domain:{
socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 20:14:58 +01:00
appletalk_socket netlink_route_socket netlink_tcpdiag_socket
netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
Define extended_socket_class policy capability and socket classes Add a definition for the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. The capability also enables the use of separate security classes for ICMP and SCTP sockets, which were previously mapped to rawip_socket class. Add definitions for the new socket classes and access vectors enabled by this capability. Add the new socket classes to the socket_class_set macro, and exclude them from webview_zygote domain as with other socket classes. Allowing access by specific domains to the new socket security classes is left to future commits. Domains previously allowed permissions to the 'socket' class will require permission to the more specific socket class when running on kernels with this support. The kernel support will be included upstream in Linux 4.11. The relevant kernel commits are da69a5306ab92e07224da54aafee8b1dccf024f6 ("selinux: support distinctions among all network address families"), ef37979a2cfa3905adbf0c2a681ce16c0aaea92d ("selinux: handle ICMPv6 consistently with ICMP"), and b4ba35c75a0671a06b978b6386b54148efddf39f ("selinux: drop unused socket security classes"). This change requires selinux userspace commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3 ("libsepol: Define extended_socket_class policy capability") in order to build the policy with this capability enabled. This commit is already in AOSP master. Test: policy builds Change-Id: I788b4be9f0ec0bf2356c0bbef101cd42a1af49bb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 19:35:27 +01:00
sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
Define smc_socket security class. Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all network address families") triggers a build error if a new address family is added without defining a corresponding SELinux security class. As a result, the smc_socket class was added to the kernel to resolve a build failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa Linux 4.11. Define this security class and its access vector, add it to the socket_class_set macro, and exclude it from webview_zygote like other socket classes. Test: Policy builds Change-Id: Idbb8139bb09c6d1c47f1a76bd10f4ce1e9d939cb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 18:06:49 +02:00
alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
Tighten up handling of new classes 1b1d133be5350989cbd6c09e4f000e146f9ab7ae added the process2 class but forgot to suppress SELinux denials associated with these permissions for the su domain. Suppress them. Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule in su.te is relevant. Inspired by https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02 Add xdp_socket to various other neverallow rules. Test: policy compiles. Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7
2018-11-16 11:48:03 +01:00
xdp_socket
Move webview_zygote policy to private This leaves only the existence of webview_zygote domain and its executable's webview_zygote_exec file label as public API. All other rules are implementation details of this domain's policy and are thus now private. Test: Device boots, with Multiproces WebView developer setting enabled, apps with WebView work fine. No new denials. Bug: 31364497 Change-Id: I179476c43a50863ee3b327fc5155847d992a040d
2017-01-26 22:45:31 +01:00
} *;
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-09 05:07:32 +02:00
neverallow webview_zygote {
bluetooth_a2dp_offload_prop
Add rules for accessing the related bluetooth_audio_hal_prop This change allows those daemons of the audio and Bluetooth which include HALs to access the bluetooth_audio_hal_prop. This property is used to force disable the new BluetoothAudio HAL. - persist.bluetooth.bluetooth_audio_hal.disabled Bug: 128825244 Test: audio HAL can access the property Change-Id: I87a8ba57cfbcd7d3e4548aa96bc915d0cc6b2b74
2019-03-18 04:07:32 +01:00
bluetooth_audio_hal_prop
Whitelist vendor-init-settable bluetooth_prop and wifi_prop Values of the following properties are set by SoC vendors on some devices including Pixels. - persist.bluetooth.a2dp_offload.cap - persist.bluetooth.a2dp_offload.enable - persist.vendor.bluetooth.a2dp_offload.enable - ro.bt.bdaddr_path - wlan.driver.status So they should be whitelisted for compatibility. Bug: 77633703 Test: succeeded building and tested with Pixels Change-Id: Ib2b81bcc1fd70ddd571dc7fb2b923b576d62b7d5
2018-04-09 05:07:32 +02:00
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
Reference in a new issue Copy permalink