Merge "Further restrict SELinux API access"

2017-05-08 18:59:13 +00:00 · 2017-05-08 18:59:13 +00:00 · 076677330d
commit 076677330d
parent 9686cbcdbf 14e2e9261f
3 changed files with 9 additions and 35 deletions
--- a/private/app.te
+++ b/private/app.te
@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.

-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@ -441,6 +436,11 @@ neverallow appdomain
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };

+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
--- a/private/shell.te
+++ b/private/shell.te
@ -13,3 +13,7 @@ app_domain(shell)

 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@ -292,33 +292,3 @@ auditallow {
  -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')