Adding policies for KeyStore MAC.

Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
This commit is contained in:
Riley Spahn 2014-06-17 14:58:52 -07:00
parent 8c6552acfb
commit 1196d2a576
10 changed files with 136 additions and 2 deletions

View file

@ -893,3 +893,23 @@ class service_manager
{ {
add add
} }
class keystore_key
{
test
get
insert
delete
exist
saw
reset
password
lock
unlock
zero
sign
verify
grant
duplicate
clear_uid
}

5
app.te
View file

@ -174,6 +174,11 @@ read_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term) # application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write; allow appdomain zygote:unix_dgram_socket write;
allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
auditallow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
use_keystore(appdomain)
### ###
### Neverallow rules ### Neverallow rules
### ###

View file

@ -16,3 +16,8 @@ allow binderservicedomain appdomain:fifo_file write;
# Allow binderservicedomain to add services by default. # Allow binderservicedomain to add services by default.
allow binderservicedomain service_manager_type:service_manager add; allow binderservicedomain service_manager_type:service_manager add;
auditallow binderservicedomain default_android_service:service_manager add; auditallow binderservicedomain default_android_service:service_manager add;
allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
auditallow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
use_keystore(binderservicedomain)

View file

@ -27,3 +27,6 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notde
neverallow domain keystore:process ptrace; neverallow domain keystore:process ptrace;
allow keystore keystore_service:service_manager add; allow keystore keystore_service:service_manager add;
# Check SELinux permissions.
selinux_check_access(keystore)

View file

@ -8,7 +8,6 @@ typeattribute racoon mlstrustedsubject;
net_domain(racoon) net_domain(racoon)
binder_use(racoon) binder_use(racoon)
binder_call(racoon, keystore)
allow racoon tun_device:chr_file r_file_perms; allow racoon tun_device:chr_file r_file_perms;
allow racoon cgroup:dir { add_name create }; allow racoon cgroup:dir { add_name create };
@ -22,3 +21,12 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };
allow racoon system_file:file rx_file_perms; allow racoon system_file:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms; allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms; allow racoon vpn_data_file:dir w_dir_perms;
use_keystore(racoon)
# Racoon (VPN) has a restricted set of permissions from the default.
allow racoon keystore:keystore_key {
get
sign
verify
};

View file

@ -140,4 +140,7 @@ class property_service # userspace
# Service manager # Service manager
class service_manager # userspace class service_manager # userspace
# Keystore Key
class keystore_key # userspace
# FLASK # FLASK

View file

@ -42,4 +42,40 @@ allow system_app logd_prop:property_service set;
allow system_app anr_data_file:dir ra_dir_perms; allow system_app anr_data_file:dir ra_dir_perms;
allow system_app anr_data_file:file create_file_perms; allow system_app anr_data_file:file create_file_perms;
allow system_app keystore:keystore_key {
test
get
insert
delete
exist
saw
reset
password
lock
unlock
zero
sign
verify
grant
duplicate
clear_uid
};
auditallow system_app keystore:keystore_key {
test
get
insert
delete
exist
reset
password
lock
unlock
sign
verify
grant
duplicate
clear_uid
};
control_logd(system_app) control_logd(system_app)

View file

@ -359,6 +359,40 @@ allow system_server pstorefs:file r_file_perms;
allow system_server system_server_service:service_manager add; allow system_server system_server_service:service_manager add;
allow system_server keystore:keystore_key {
test
get
insert
delete
exist
saw
reset
password
lock
unlock
zero
sign
verify
grant
duplicate
clear_uid
};
auditallow system_server keystore:keystore_key {
test
get
insert
delete
saw
lock
unlock
sign
verify
grant
duplicate
clear_uid
};
### ###
### Neverallow rules ### Neverallow rules
### ###

View file

@ -342,3 +342,15 @@ define(`control_logd', `
# to permit control commands # to permit control commands
unix_socket_connect($1, logd, logd) unix_socket_connect($1, logd, logd)
') ')
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
# to call getpidcon.
define(`use_keystore', `
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
binder_call($1, keystore)
')

10
wpa.te
View file

@ -17,13 +17,21 @@ allow wpa wifi_data_file:file create_file_perms;
unix_socket_send(wpa, system_wpa, system_server) unix_socket_send(wpa, system_wpa, system_server)
binder_use(wpa) binder_use(wpa)
binder_call(wpa, keystore)
# Create a socket for receiving info from wpa # Create a socket for receiving info from wpa
type_transition wpa wifi_data_file:dir wpa_socket "sockets"; type_transition wpa wifi_data_file:dir wpa_socket "sockets";
allow wpa wpa_socket:dir create_dir_perms; allow wpa wpa_socket:dir create_dir_perms;
allow wpa wpa_socket:sock_file create_file_perms; allow wpa wpa_socket:sock_file create_file_perms;
use_keystore(wpa)
# WPA (wifi) has a restricted set of permissions from the default.
allow wpa keystore:keystore_key {
get
sign
verify
};
# Allow wpa_cli to work. wpa_cli creates a socket in # Allow wpa_cli to work. wpa_cli creates a socket in
# /data/misc/wifi/sockets which wpa supplicant communicates with. # /data/misc/wifi/sockets which wpa supplicant communicates with.
userdebug_or_eng(` userdebug_or_eng(`