Adding policies for KeyStore MAC.
Add a keystore_key class with one permission for each action supported by keystore. Add policies that replicate the access control that already exists in keystore. Add auditallow rules for actions that are not known to be used frequently. Add a macro for domains that need to access keystore. Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
This commit is contained in:
parent
8c6552acfb
commit
1196d2a576
10 changed files with 136 additions and 2 deletions
|
@ -893,3 +893,23 @@ class service_manager
|
||||||
{
|
{
|
||||||
add
|
add
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class keystore_key
|
||||||
|
{
|
||||||
|
test
|
||||||
|
get
|
||||||
|
insert
|
||||||
|
delete
|
||||||
|
exist
|
||||||
|
saw
|
||||||
|
reset
|
||||||
|
password
|
||||||
|
lock
|
||||||
|
unlock
|
||||||
|
zero
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
grant
|
||||||
|
duplicate
|
||||||
|
clear_uid
|
||||||
|
}
|
||||||
|
|
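Review bot: The new `class keystore_key` block carries no comment saying that these permissions are never evaluated by the kernel — they exist only for keystore to query through selinux_check_access() (the keystore.te change in this same commit), so a reader of access_vectors alone cannot tell where enforcement happens. Add above the class: `# Userspace permissions: checked by keystore itself via selinux_check_access(), one per keystore binder command; the kernel never evaluates them.` The names mirror keystore's command set per the commit message, but nothing here records which permissions act on a single key and which alter keystore-wide state (reset, password, lock, unlock, zero and clear_uid look like the latter by name, which should be confirmed) — a one-line note on that split would help authors who grant subsets, as racoon.te and wpa.te do.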
5
app.te
5
app.te
|
@ -174,6 +174,11 @@ read_logd(appdomain)
|
||||||
# application inherit logd write socket (urge is to deprecate this long term)
|
# application inherit logd write socket (urge is to deprecate this long term)
|
||||||
allow appdomain zygote:unix_dgram_socket write;
|
allow appdomain zygote:unix_dgram_socket write;
|
||||||
|
|
||||||
|
allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
|
||||||
|
auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
|
||||||
|
|
||||||
|
use_keystore(appdomain)
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
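Review bot: The line `auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };` audits every permission appdomain is granted, including get/sign/verify, which contradicts the commit message's intent of auditing only actions not known to be used frequently and will emit an audit record for every ordinary app keystore call. If the goal is to measure usage before tightening, say so in a comment and plan the rule's removal; otherwise drop the operations already known to be routine, e.g. `auditallow appdomain keystore:keystore_key { test insert delete exist saw };` — which ones those are should be confirmed against keystore's callers. Note also that the `### Neverallow rules` section directly below gains nothing for keystore_key; a rule such as `neverallow { appdomain -system_app } keystore:keystore_key { reset password lock unlock zero grant duplicate clear_uid };` would lock in the distinction this commit draws between third-party apps and system_app, provided system_app does carry the appdomain attribute (not visible here).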
@ -16,3 +16,8 @@ allow binderservicedomain appdomain:fifo_file write;
|
||||||
# Allow binderservicedomain to add services by default.
|
# Allow binderservicedomain to add services by default.
|
||||||
allow binderservicedomain service_manager_type:service_manager add;
|
allow binderservicedomain service_manager_type:service_manager add;
|
||||||
auditallow binderservicedomain default_android_service:service_manager add;
|
auditallow binderservicedomain default_android_service:service_manager add;
|
||||||
|
|
||||||
|
allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
|
||||||
|
auditallow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
|
||||||
|
|
||||||
|
use_keystore(binderservicedomain)
|
||||||
|
|
|
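Review bot: `allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };` grants keystore access to every domain carrying the binderservicedomain attribute, which is much broader than the set of services that plausibly use keystore; since the commit says it replicates existing access control, this presumably mirrors the pre-MAC situation rather than being a considered grant. A comment should say so: `# Mirrors pre-MAC access for all binder services; narrow to the domains that actually use keystore once auditallow data is in.` The permission set is also a verbatim copy of the appdomain rule in app.te, so a shared m4 definition in te_macros (e.g. `define(`keystore_default_key_perms', `{ test get insert delete exist saw sign verify }')`) would keep the two from drifting apart. As in app.te, the auditallow here covers the whole set rather than only the infrequent actions.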
@ -27,3 +27,6 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notde
|
||||||
neverallow domain keystore:process ptrace;
|
neverallow domain keystore:process ptrace;
|
||||||
|
|
||||||
allow keystore keystore_service:service_manager add;
|
allow keystore keystore_service:service_manager add;
|
||||||
|
|
||||||
|
# Check SELinux permissions.
|
||||||
|
selinux_check_access(keystore)
|
||||||
|
|
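Review bot: `selinux_check_access(keystore)` makes keystore the enforcement point for the new keystore_key class, but nothing in keystore.te records that, and the policy cannot express what happens when the check itself cannot be made. Add next to the macro: `# keystore enforces keystore_key permissions in userspace (getpidcon + selinux_check_access); the kernel never sees this class.` Whether keystore fails closed when getpidcon() or the AVC query errors out is decided in its own code, not here — worth confirming, because a permissive fallback would turn every keystore_key rule in this commit into advice rather than enforcement.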
10
racoon.te
10
racoon.te
|
@ -8,7 +8,6 @@ typeattribute racoon mlstrustedsubject;
|
||||||
net_domain(racoon)
|
net_domain(racoon)
|
||||||
|
|
||||||
binder_use(racoon)
|
binder_use(racoon)
|
||||||
binder_call(racoon, keystore)
|
|
||||||
|
|
||||||
allow racoon tun_device:chr_file r_file_perms;
|
allow racoon tun_device:chr_file r_file_perms;
|
||||||
allow racoon cgroup:dir { add_name create };
|
allow racoon cgroup:dir { add_name create };
|
||||||
|
@ -22,3 +21,12 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
|
||||||
allow racoon system_file:file rx_file_perms;
|
allow racoon system_file:file rx_file_perms;
|
||||||
allow racoon vpn_data_file:file create_file_perms;
|
allow racoon vpn_data_file:file create_file_perms;
|
||||||
allow racoon vpn_data_file:dir w_dir_perms;
|
allow racoon vpn_data_file:dir w_dir_perms;
|
||||||
|
|
||||||
|
use_keystore(racoon)
|
||||||
|
|
||||||
|
# Racoon (VPN) has a restricted set of permissions from the default.
|
||||||
|
allow racoon keystore:keystore_key {
|
||||||
|
get
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
};
|
||||||
|
|
|
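Review bot: The comment `# Racoon (VPN) has a restricted set of permissions from the default.` reads awkwardly and does not say why this particular subset is the right one; suggest `# Racoon (VPN) only needs to fetch, sign with and verify against keystore keys, so it gets a subset of the default keystore_key permissions.` — provided that is the full extent of racoon's keystore usage, which is not visible here. Unlike the other domains in this commit, racoon gets no auditallow, so there will be no data on whether all three of get/sign/verify are actually exercised; if `get` turns out unused it should go, since it appears to be the one that hands key material back to the caller (an assumption about keystore's `get` semantics to confirm).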
@ -140,4 +140,7 @@ class property_service # userspace
|
||||||
# Service manager
|
# Service manager
|
||||||
class service_manager # userspace
|
class service_manager # userspace
|
||||||
|
|
||||||
|
# Keystore Key
|
||||||
|
class keystore_key # userspace
|
||||||
|
|
||||||
# FLASK
|
# FLASK
|
||||||
|
|
|
@ -42,4 +42,40 @@ allow system_app logd_prop:property_service set;
|
||||||
allow system_app anr_data_file:dir ra_dir_perms;
|
allow system_app anr_data_file:dir ra_dir_perms;
|
||||||
allow system_app anr_data_file:file create_file_perms;
|
allow system_app anr_data_file:file create_file_perms;
|
||||||
|
|
||||||
|
allow system_app keystore:keystore_key {
|
||||||
|
test
|
||||||
|
get
|
||||||
|
insert
|
||||||
|
delete
|
||||||
|
exist
|
||||||
|
saw
|
||||||
|
reset
|
||||||
|
password
|
||||||
|
lock
|
||||||
|
unlock
|
||||||
|
zero
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
grant
|
||||||
|
duplicate
|
||||||
|
clear_uid
|
||||||
|
};
|
||||||
|
|
||||||
|
auditallow system_app keystore:keystore_key {
|
||||||
|
test
|
||||||
|
get
|
||||||
|
insert
|
||||||
|
delete
|
||||||
|
exist
|
||||||
|
reset
|
||||||
|
password
|
||||||
|
lock
|
||||||
|
unlock
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
grant
|
||||||
|
duplicate
|
||||||
|
clear_uid
|
||||||
|
};
|
||||||
|
|
||||||
control_logd(system_app)
|
control_logd(system_app)
|
||||||
|
|
|
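Review bot: The `auditallow system_app keystore:keystore_key { ... }` block silently omits `saw` and `zero` from the list the allow rule just granted, and system_server.te in the same commit omits a different subset (exist, reset, password, zero); with no comment, a later reader cannot tell whether these gaps are deliberate exclusions of known-frequent calls or copy errors. Add a line such as `# saw and zero are excluded from auditallow: known to be called routinely by system apps.` above the auditallow, adjusted to whatever the real reason is. Granting system_app the full set including reset/password/lock/unlock/clear_uid is consistent with the commit's stated goal of mirroring keystore's existing checks, but that reasoning also belongs in a comment so the grant is not later mistaken for an oversight.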
@ -359,6 +359,40 @@ allow system_server pstorefs:file r_file_perms;
|
||||||
|
|
||||||
allow system_server system_server_service:service_manager add;
|
allow system_server system_server_service:service_manager add;
|
||||||
|
|
||||||
|
allow system_server keystore:keystore_key {
|
||||||
|
test
|
||||||
|
get
|
||||||
|
insert
|
||||||
|
delete
|
||||||
|
exist
|
||||||
|
saw
|
||||||
|
reset
|
||||||
|
password
|
||||||
|
lock
|
||||||
|
unlock
|
||||||
|
zero
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
grant
|
||||||
|
duplicate
|
||||||
|
clear_uid
|
||||||
|
};
|
||||||
|
|
||||||
|
auditallow system_server keystore:keystore_key {
|
||||||
|
test
|
||||||
|
get
|
||||||
|
insert
|
||||||
|
delete
|
||||||
|
saw
|
||||||
|
lock
|
||||||
|
unlock
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
grant
|
||||||
|
duplicate
|
||||||
|
clear_uid
|
||||||
|
};
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
###
|
###
|
||||||
|
|
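Review bot: The sixteen-permission `allow system_server keystore:keystore_key { ... }` list is a verbatim copy of the one in system_app.te, so any permission added to the class later has to be appended in both places by hand; define the full set once in te_macros (e.g. `define(`keystore_all_key_perms', `{ test get insert delete exist saw reset password lock unlock zero sign verify grant duplicate clear_uid }')`) and reference it from both files. Do not reach for `*` instead, since that would silently grant every future permission. The auditallow below drops exist, reset, password and zero without a note — document why, especially as the excluded set differs from system_app.te's (saw, zero).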
12
te_macros
12
te_macros
|
@ -342,3 +342,15 @@ define(`control_logd', `
|
||||||
# to permit control commands
|
# to permit control commands
|
||||||
unix_socket_connect($1, logd, logd)
|
unix_socket_connect($1, logd, logd)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
# use_keystore(domain)
|
||||||
|
# Ability to use keystore.
|
||||||
|
# Keystore is requires the following permissions
|
||||||
|
# to call getpidcon.
|
||||||
|
define(`use_keystore', `
|
||||||
|
allow keystore $1:dir search;
|
||||||
|
allow keystore $1:file { read open };
|
||||||
|
allow keystore $1:process getattr;
|
||||||
|
binder_call($1, keystore)
|
||||||
|
')
|
||||||
|
|
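Review bot: The macro header comment `# Keystore is requires the following permissions` is garbled, and it does not say what the dir/file/process rules actually reach, which matters because `allow keystore $1:file { read open }` looks alarmingly broad until one knows it is meant for the caller's /proc/<pid> entries, which presumably carry the caller's domain label. Suggest replacing the two comment lines with `# Keystore needs these to call getpidcon() on its caller: search the caller's` / `# /proc/<pid> dir and read /proc/<pid>/attr/current, both labeled with the caller's domain.` — the /proc path is the usual reason for this dir/file/process triple, but confirm it against keystore's getpidcon use. Keeping `{ read open }` rather than `r_file_perms` is the right least-privilege call; a short comment saying the narrowness is deliberate would stop someone from "fixing" it later.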
10
wpa.te
10
wpa.te
|
@ -17,13 +17,21 @@ allow wpa wifi_data_file:file create_file_perms;
|
||||||
unix_socket_send(wpa, system_wpa, system_server)
|
unix_socket_send(wpa, system_wpa, system_server)
|
||||||
|
|
||||||
binder_use(wpa)
|
binder_use(wpa)
|
||||||
binder_call(wpa, keystore)
|
|
||||||
|
|
||||||
# Create a socket for receiving info from wpa
|
# Create a socket for receiving info from wpa
|
||||||
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
|
type_transition wpa wifi_data_file:dir wpa_socket "sockets";
|
||||||
allow wpa wpa_socket:dir create_dir_perms;
|
allow wpa wpa_socket:dir create_dir_perms;
|
||||||
allow wpa wpa_socket:sock_file create_file_perms;
|
allow wpa wpa_socket:sock_file create_file_perms;
|
||||||
|
|
||||||
|
use_keystore(wpa)
|
||||||
|
|
||||||
|
# WPA (wifi) has a restricted set of permissions from the default.
|
||||||
|
allow wpa keystore:keystore_key {
|
||||||
|
get
|
||||||
|
sign
|
||||||
|
verify
|
||||||
|
};
|
||||||
|
|
||||||
# Allow wpa_cli to work. wpa_cli creates a socket in
|
# Allow wpa_cli to work. wpa_cli creates a socket in
|
||||||
# /data/misc/wifi/sockets which wpa supplicant communicates with.
|
# /data/misc/wifi/sockets which wpa supplicant communicates with.
|
||||||
userdebug_or_eng(`
|
userdebug_or_eng(`
|
||||||
|
|
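Review bot: The `allow wpa keystore:keystore_key { get sign verify };` block and its comment are the racoon.te block with the domain name swapped, which invites drift the next time one of them is tightened; a small macro in te_macros (e.g. `use_keystore_keys_limited(domain)` wrapping use_keystore plus this triple) would express "client that only fetches, signs and verifies" once. The comment `# WPA (wifi) has a restricted set of permissions from the default.` should give the reason rather than restate the rule: `# wpa_supplicant only fetches, signs with and verifies against keystore keys, so it gets a subset of the default keystore_key permissions.` — confirm that is the full extent of its keystore use before writing it. No auditallow is added for wpa, so as with racoon there will be no evidence if one of the three permissions goes unused.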