domain.te: Add backwards compatibility for unlabeled files
For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertently introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
This commit is contained in:
parent
4a13f7809b
commit
0c9708b2af
9 changed files with 42 additions and 2 deletions
2
app.te
2
app.te
|
@ -24,6 +24,8 @@ platform_app_domain(media_app)
|
|||
# Access the network.
|
||||
net_domain(media_app)
|
||||
unconfined_domain(media_app)
|
||||
relabelto_domain(media_app)
|
||||
allow media_app download_file:dir relabelto;
|
||||
|
||||
# Apps signed with the shared key.
|
||||
type shared_app, domain;
|
||||
|
|
|
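Review bot: The new `allow media_app download_file:dir relabelto;` is one of the few explicit relabelto grants this commit introduces, yet it carries no comment saying why media_app must relabel download directories, which makes it hard to judge later whether its exemption from the new neverallow is still needed. The grant is only necessary because the unconfined.te hunk withdraws relabelto from unconfined domains, so that dependency is worth recording too. A one-line comment above it, e.g. `# unconfined_domain() no longer includes relabelto; media_app needs it on download dirs (Bug: 9777552)`, with the concrete reason filled in, would anchor the grant to its rationale.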
@ -64,3 +64,6 @@ attribute binderservicedomain;
|
|||
|
||||
# Allow domains used for platform (signed by build key) apps.
|
||||
attribute platformappdomain;
|
||||
|
||||
# All domains which are allowed the "relabelto" permission
|
||||
attribute relabeltodomain;
|
||||
|
|
15
domain.te
15
domain.te
|
@ -120,3 +120,18 @@ dontaudit domain debugfs:file rw_file_perms;
|
|||
# security files
|
||||
allow domain security_file:dir { search getattr };
|
||||
allow domain security_file:file getattr;
|
||||
|
||||
######## Backwards compatibility - Unlabeled files ############
|
||||
|
||||
# Revert to DAC rules when looking at unlabeled files. Over time, the number
|
||||
# of unlabeled files should decrease.
|
||||
# TODO: delete these rules in the future.
|
||||
#
|
||||
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
|
||||
# capability, it's essentially useless. This is needed to allow an app with
|
||||
# relabelto to relabel unlabeled files.
|
||||
#
|
||||
allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
|
||||
allow domain unlabeled:dir { create_dir_perms relabelfrom };
|
||||
allow domain unlabeled:lnk_file { create_file_perms };
|
||||
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
|
||||
|
|
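Review bot: `allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };` hands every domain execute access to unlabeled files, since rwx_file_perms includes x_file_perms (which, if the global macros are as I recall, carries execute and execute_no_trans), so any domain can run an unlabeled binary for as long as this compatibility rule survives. The header comment frames the block as reverting to DAC for reads and writes of legacy files; if executing unlabeled content is not actually required for the cases behind Bug: 9777552, `rw_file_perms` would cover that intent with a smaller blast radius, and if it is required the comment should say so explicitly so the grant is not trimmed blindly later. Either way, adding `# rwx: execute of unlabeled files is intentionally permitted because <reason>` (or switching to rw_file_perms) would make the decision auditable.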
3
init.te
3
init.te
|
@ -4,5 +4,8 @@ permissive init;
|
|||
# init is unconfined.
|
||||
unconfined_domain(init)
|
||||
tmpfs_domain(init)
|
||||
relabelto_domain(init)
|
||||
# add a rule to handle unlabelled mounts
|
||||
allow init unlabeled:filesystem mount;
|
||||
|
||||
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
||||
|
|
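Review bot: `allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;` restores in init.te the blanket relabelto that the unconfined.te hunk removes via `~relabelto` and `~{entrypoint relabelto}`, and the kernel.te hunk adds the identical line, yet neither says so. A comment such as `# unconfined_domain() no longer grants relabelto; init needs the full grant (confirm: boot-time relabeling)` on both would make clear the breadth is deliberate and confined to these two domains rather than an oversight to be copied elsewhere. As a minor point of layout, `relabelto_domain(init)` now sits directly above the existing `# add a rule to handle unlabelled mounts` comment; a blank line between them would keep that comment visually attached to the mount rule it describes.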
|
@ -4,6 +4,7 @@ permissive installd;
|
|||
type installd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(installd)
|
||||
relabelto_domain(installd)
|
||||
typeattribute installd mlstrustedsubject;
|
||||
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
|
||||
allow installd system_data_file:file create_file_perms;
|
||||
|
|
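Review bot: `relabelto_domain(installd)` only attaches the `relabeltodomain` attribute (the te_macros hunk shows the macro is a single `typeattribute`), which exempts installd from the new neverallow but grants nothing by itself, and unlike the system.te and app.te hunks this one adds no matching `allow installd ...:... relabelto` rule. If installd already has such a rule elsewhere in the file, a comment pointing at it, e.g. `# exempt from the relabelto neverallow in domain.te; see installd's relabelto allow rules`, would tie the two together; if it does not, the exemption is unused and should either be dropped or accompanied by the explicit grant. The enclosing file continues outside the hunk, so I cannot confirm which case applies.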
|
@ -3,3 +3,6 @@ type kernel, domain;
|
|||
permissive kernel;
|
||||
# The kernel is unconfined.
|
||||
unconfined_domain(kernel)
|
||||
relabelto_domain(kernel)
|
||||
|
||||
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
||||
|
|
|
@ -6,7 +6,13 @@ unconfined_domain(system_app)
|
|||
type system, domain;
|
||||
permissive system;
|
||||
unconfined_domain(system);
|
||||
relabelto_domain(system);
|
||||
|
||||
# Create a socket for receiving info from wpa.
|
||||
type_transition system wifi_data_file:sock_file system_wpa_socket;
|
||||
allow system self:zygote { specifyids specifyrlimits specifyseinfo };
|
||||
|
||||
allow system backup_data_file:dir relabelto;
|
||||
allow system cache_backup_file:dir relabelto;
|
||||
allow system apk_data_file:file relabelto;
|
||||
allow system apk_tmp_file:file relabelto;
|
||||
|
|
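Review bot: `relabelto_domain(system);` ends with a semicolon that the other four call sites in this commit (`relabelto_domain(media_app)`, `relabelto_domain(init)`, `relabelto_domain(installd)`, `relabelto_domain(kernel)`) do not use; it mirrors the pre-existing `unconfined_domain(system);` directly above, but since the macro already expands to a complete `typeattribute ...;` statement the trailing `;` is a stray token, and `relabelto_domain(system)` would match the rest of the tree. The four new relabelto grants at the end of the hunk also carry no comment explaining why system relabels backup, cache-backup, apk and apk-tmp files; a short note above them, e.g. `# system relabels the backup and apk files it stages (confirm component and reason)`, would document why this domain holds the exemption.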
|
@ -108,6 +108,13 @@ typeattribute $1 appdomain;
|
|||
tmpfs_domain($1)
|
||||
')
|
||||
|
||||
#####################################
|
||||
# relabelto_domain(domain)
|
||||
# Allows this domain to use the relabelto permission
|
||||
define(`relabelto_domain', `
|
||||
typeattribute $1 relabeltodomain;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# platform_app_domain(domain)
|
||||
# Allow permissions specific to platform apps.
|
||||
|
|
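Review bot: The macro comment `# Allows this domain to use the relabelto permission` overstates what `typeattribute $1 relabeltodomain;` does: it only adds the attribute that domain.te's `neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;` excludes, and a caller still needs its own allow rule (as the system.te and app.te hunks add) before any relabelto is actually permitted. Rewording it to `# Exempts this domain from the relabelto neverallow in domain.te; explicit allow rules are still required to relabel anything.` prevents a future caller from assuming the macro alone grants access.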
|
@ -11,8 +11,8 @@ allow unconfineddomain domain:socket_class_set *;
|
|||
allow unconfineddomain domain:ipc_class_set *;
|
||||
allow unconfineddomain domain:key *;
|
||||
allow unconfineddomain fs_type:filesystem *;
|
||||
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
|
||||
allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
|
||||
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
|
||||
allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
|
||||
allow unconfineddomain node_type:node *;
|
||||
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||
allow unconfineddomain netif_type:netif *;
|
||||
|
|
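Review bot: The two rewritten lines withhold relabelto from unconfineddomain so that domain.te's new neverallow can hold for unconfined domains that are not relabeltodomain, but nothing in the file records that dependency, and with no comment the `~relabelto` and `~{entrypoint relabelto}` carve-outs look like arbitrary exceptions that someone may later "simplify" back to `*`. A comment above them such as `# relabelto is excluded so the neverallow in domain.te holds; relabeltodomain members grant it explicitly per domain` would capture the intent. Note also that `allow unconfineddomain fs_type:filesystem *;` is left untouched and the filesystem class carries its own relabelto permission; that class is not in dir_file_class_set so the neverallow does not reach it, which is fine if intended but worth a word in the same comment.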