From 14e2e9261fec015ab6fa66f2bc67439f13c45b8d Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 8 May 2017 09:51:59 -0700
Subject: [PATCH] Further restrict SELinux API access

Remove SELinux access from domain_deprecated. Access to SELinux APIs can be granted on a per-domain basis. Remove appdomain access to SELinux APIs. SELinux APIs are not public and are not intended for application use. In particular, some exploits poll on /sys/fs/selinux/enforce to determine if the attack was successful, and we want to ensure that the behavior isn't allowed. This access was only granted in the past for CTS purposes, but all the relevant CTS tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
---
private/app.te | 10 +++++-----
private/shell.te | 4 ++++
public/domain_deprecated.te | 30 ------------------------------
3 files changed, 9 insertions(+), 35 deletions(-)
diff --git a/private/app.te b/private/app.te
index 81de403aa..1cf86ff46 100644
--- a/private/app.te
+++ b/private/app.te
@@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +436,11 @@ neverallow appdomain
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;
diff --git a/private/shell.te b/private/shell.te
index c24bfd329..9bc0bd150 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -13,3 +13,7 @@ app_domain(shell)
 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 5702aced2..64ad3e64f 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -292,33 +292,3 @@ auditallow {
 -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
- domain_deprecated
- -appdomain
- -installd
- -keystore
- -postinstall_dexopt
- -runas
- -servicemanager
- -system_server
- -ueventd
- -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')
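Review bot: The new `neverallow { appdomain -shell } *:security { compute_av check_context };` in private/app.te pins only the two permissions that the removed selinux_check_access/selinux_check_context grants conferred, while the `security` class also carries compute_create, compute_member, compute_relabel, compute_user, read_policy and validate_trans, which are equally not an app API. Unless those are already denied to appdomain by a domain-wide neverallow that this hunk does not show, the comment's intent ("SELinux is not an API for apps to use") is better enforced as `neverallow { appdomain -shell } *:security *;`, matching the wildcard form already used for netlink_selinux_socket, so a future per-domain grant cannot reintroduce the class piecemeal. The selinuxfs rule is scoped to `file` via `no_rw_file_perms`; whether that macro covers every read path to /sys/fs/selinux/enforce depends on its definition in global_macros, which is outside this diff, so confirm open/read are in it before relying on this rule for the polling case described in the commit message.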
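Review bot: The added comment `# Perform SELinux access checks, needed for CTS` in private/shell.te drops the pointer that the removed private/app.te lines carried, so a later reader cannot tell which test still depends on this grant or safely remove it. Suggest `# Perform SELinux access checks, needed for CTS (cts/tests/tests/security/src/android/security/cts/SELinuxTest.java)`. It would also help to note here that shell is the only appdomain exempted from the new `neverallow { appdomain -shell }` rules in private/app.te, since this grant and that exemption must be kept in step or the policy will fail to build.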