Merge "Further restrict SELinux API access"
076677330d
3 changed files with 9 additions and 35 deletions
|
@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
|
||||||
allow appdomain runas_exec:file getattr;
|
allow appdomain runas_exec:file getattr;
|
||||||
# Others are either allowed elsewhere or not desired.
|
# Others are either allowed elsewhere or not desired.
|
||||||
|
|
||||||
# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
|
|
||||||
# Check SELinux policy and contexts.
|
|
||||||
selinux_check_access(appdomain)
|
|
||||||
selinux_check_context(appdomain)
|
|
||||||
|
|
||||||
# Apps receive an open tun fd from the framework for
|
# Apps receive an open tun fd from the framework for
|
||||||
# device traffic. Do not allow untrusted app to directly open tun_device
|
# device traffic. Do not allow untrusted app to directly open tun_device
|
||||||
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
|
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
|
||||||
|
@ -441,6 +436,11 @@ neverallow appdomain
|
||||||
# Access to syslog(2) or /proc/kmsg.
|
# Access to syslog(2) or /proc/kmsg.
|
||||||
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
|
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
|
||||||
|
|
||||||
|
# SELinux is not an API for apps to use
|
||||||
|
neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
|
||||||
|
neverallow { appdomain -shell } *:security { compute_av check_context };
|
||||||
|
neverallow { appdomain -shell } *:netlink_selinux_socket *;
|
||||||
|
|
||||||
# Ability to perform any filesystem operation other than statfs(2).
|
# Ability to perform any filesystem operation other than statfs(2).
|
||||||
# i.e. no mount(2), unmount(2), etc.
|
# i.e. no mount(2), unmount(2), etc.
|
||||||
neverallow appdomain fs_type:filesystem ~getattr;
|
neverallow appdomain fs_type:filesystem ~getattr;
|
||||||
|
|
|
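Review bot: The three new neverallows under `# SELinux is not an API for apps to use` carve `shell` out of `appdomain` without saying why, so a reader of app.te has to open shell.te to learn the exemption exists for CTS; add a line such as `# shell is exempted only because CTS (SELinuxTest) runs its access/context checks from the shell domain; see shell.te` so the carve-out is traceable and can be dropped if the test changes. The `selinuxfs:file` rule uses `no_rw_file_perms`, which as far as I can tell from the macro name leaves at least `getattr` outside the neverallow; if stat-ing nodes under /sys/fs/selinux is acceptable for apps that is fine, but it is worth stating in the comment rather than leaving it implicit. The `*:security` rule names only `compute_av` and `check_context`; unless `setenforce`, `load_policy`, `setbool` and the rest of that class are already neverallowed for appdomain elsewhere in the policy, widening it to `*:security *` would make the "not an API" statement hold for the whole class. The first hunk of this file, which deletes the old `selinux_check_access(appdomain)` / `selinux_check_context(appdomain)` grants, is consistent with these rules.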
@ -13,3 +13,7 @@ app_domain(shell)
|
||||||
|
|
||||||
# allow shell to call dumpsys storaged
|
# allow shell to call dumpsys storaged
|
||||||
binder_call(shell, storaged)
|
binder_call(shell, storaged)
|
||||||
|
|
||||||
|
# Perform SELinux access checks, needed for CTS
|
||||||
|
selinux_check_access(shell)
|
||||||
|
selinux_check_context(shell)
|
||||||
|
|
|
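Review bot: The comment `# Perform SELinux access checks, needed for CTS` on the new `selinux_check_access(shell)` / `selinux_check_context(shell)` lines drops the pointer to the specific test that the removed app.te comment carried (`cts/tests/tests/security/src/android/security/cts/SELinuxTest.java`); keep it here, e.g. `# Perform SELinux access/context checks for CTS (SELinuxTest.java); shell is the only app domain exempted from the app.te neverallows`, so whoever later tries to close this exemption knows what depends on it. Note also that the grant is unconditional rather than `userdebug_or_eng`-gated; presumably that is required because CTS runs on user builds, but it is worth saying so in the comment since the shell domain is reachable by anything with adb access.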
@ -292,33 +292,3 @@ auditallow {
|
||||||
-vold
|
-vold
|
||||||
} proc_meminfo:file r_file_perms;
|
} proc_meminfo:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
# Get SELinux enforcing status.
|
|
||||||
allow domain_deprecated selinuxfs:dir r_dir_perms;
|
|
||||||
allow domain_deprecated selinuxfs:file r_file_perms;
|
|
||||||
userdebug_or_eng(`
|
|
||||||
auditallow {
|
|
||||||
domain_deprecated
|
|
||||||
-appdomain
|
|
||||||
-installd
|
|
||||||
-keystore
|
|
||||||
-postinstall_dexopt
|
|
||||||
-runas
|
|
||||||
-servicemanager
|
|
||||||
-system_server
|
|
||||||
-ueventd
|
|
||||||
-zygote
|
|
||||||
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
|
|
||||||
auditallow {
|
|
||||||
domain_deprecated
|
|
||||||
-appdomain
|
|
||||||
-installd
|
|
||||||
-keystore
|
|
||||||
-postinstall_dexopt
|
|
||||||
-runas
|
|
||||||
-servicemanager
|
|
||||||
-system_server
|
|
||||||
-ueventd
|
|
||||||
-zygote
|
|
||||||
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
|
|
||||||
')
|
|
||||||
|
|