diff --git a/Android.mk b/Android.mk index 8bf461de8..0c44f1ea5 100644 --- a/Android.mk +++ b/Android.mk @@ -2,22 +2,6 @@ LOCAL_PATH:= $(call my-dir) include $(CLEAR_VARS) -# Force permissive domains to be unconfined+enforcing? -# -# During development, this should be set to false. -# Permissive means permissive. -# -# When we're close to a release and SELinux new policy development -# is frozen, we should flip this to true. This forces any currently -# permissive domains into unconfined+enforcing. -# -FORCE_PERMISSIVE_TO_UNCONFINED ?= false - -ifeq ($(TARGET_BUILD_VARIANT),user) - # User builds are always forced unconfined+enforcing - FORCE_PERMISSIVE_TO_UNCONFINED := true -endif - # SELinux policy version. # Must be <= /selinux/policyvers reported by the Android kernel. # Must be within the compatibility range reported by checkpolicy -V. @@ -114,7 +98,6 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files)) @mkdir -p $(dir $@) $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ -D target_build_variant=$(TARGET_BUILD_VARIANT) \ - -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \ -s $^ > $@ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit @@ -142,7 +125,6 @@ $(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files)) @mkdir -p $(dir $@) $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ -D target_build_variant=$(TARGET_BUILD_VARIANT) \ - -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \ -D target_recovery=true \ -s $^ > $@ @@ -171,7 +153,6 @@ $(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files) mkdir -p $(dir $@) $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ -D target_build_variant=user \ - -D force_permissive_to_unconfined=true \ -s $^ > $@ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit diff --git a/attributes b/attributes index 3f632ded6..af9af8e92 100644 --- a/attributes +++ b/attributes @@ -56,9 +56,6 @@ attribute mlstrustedsubject; # i.e. files that can be read by lower and written by higher attribute mlstrustedobject; -# Domains that are allowed all permissions ("unconfined"). -attribute unconfineddomain; - # All domains used for apps. attribute appdomain; diff --git a/te_macros b/te_macros index 1efe15f41..de3f9f5aa 100644 --- a/te_macros +++ b/te_macros @@ -70,17 +70,6 @@ allow $1 $2:dir r_dir_perms; allow $1 $2:{ file lnk_file } r_file_perms; ') -##################################### -# unconfined_domain(domain) -# Allow the specified domain to perform more privileged operations -# than would be typically allowed. Please see the comments at the -# top of unconfined.te. -# -define(`unconfined_domain', ` -typeattribute $1 mlstrustedsubject; -typeattribute $1 unconfineddomain; -') - ##################################### # tmpfs_domain(domain) # Define and allow access to a unique type for @@ -307,17 +296,6 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, )) # define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) -##################################### -# permissive_or_unconfined -# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false, -# and "unconfined($1)" otherwise. -# -# This is used for experimental domains, where we want to ensure -# the domain is unconfined+enforcing once new SELinux policy development -# has ceased. -# -define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1))) - ##################################### # write_logd(domain) # Ability to write to android log diff --git a/unconfined.te b/unconfined.te deleted file mode 100644 index 559ed593a..000000000 --- a/unconfined.te +++ /dev/null @@ -1,93 +0,0 @@ -####################################################### -# -# This is the unconfined template. This template is the base policy -# which is used by daemons and other privileged components of -# Android. -# -# Historically, this template was called "unconfined" because it -# allowed the domain to do anything it wanted. Over time, -# this has changed, and will continue to change in the future. -# The rules in this file will be removed when no remaining -# unconfined domains require it, or when the rules contradict -# Android security best practices. Domains which need rules not -# provided by the unconfined template should add them directly to -# the relevant policy. -# -# The use of this template is discouraged. -###################################################### - -allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable }; -allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; -allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam }; -allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console }; -allow unconfineddomain domain:fd *; -allow unconfineddomain domain:dir r_dir_perms; -allow unconfineddomain domain:lnk_file r_file_perms; -allow unconfineddomain domain:{ fifo_file file } rw_file_perms; -allow unconfineddomain domain:{ - socket - netlink_socket - key_socket - unix_stream_socket - unix_dgram_socket - netlink_route_socket - netlink_firewall_socket - netlink_tcpdiag_socket - netlink_nflog_socket - netlink_xfrm_socket - netlink_selinux_socket - netlink_audit_socket - netlink_ip6fw_socket - netlink_dnrt_socket - netlink_kobject_uevent_socket - tun_socket -} *; -allow unconfineddomain domain:key *; -allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton }; -allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton }; -allow unconfineddomain { - file_type - -keystore_data_file - -property_data_file - -system_file - -exec_type - -security_file - -shell_data_file - -app_data_file - -unlabeled -}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton }; -allow unconfineddomain exec_type:dir r_dir_perms; -allow unconfineddomain exec_type:file { r_file_perms execute }; -allow unconfineddomain exec_type:lnk_file r_file_perms; -allow unconfineddomain system_file:dir r_dir_perms; -allow unconfineddomain system_file:file { r_file_perms execute }; -allow unconfineddomain system_file:lnk_file r_file_perms; -allow unconfineddomain { - fs_type - -usermodehelper - -proc_security - -contextmount_type - -rootfs - -sdcard_type - -device -}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; -allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; -allow unconfineddomain { - file_type - -keystore_data_file - -property_data_file - -system_file - -exec_type - -security_file - -shell_data_file - -app_data_file - -unlabeled - -dalvikcache_data_file -}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto}; -allow unconfineddomain rootfs:file execute; -allow unconfineddomain contextmount_type:dir r_dir_perms; -allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms; -allow unconfineddomain node_type:node *; -allow unconfineddomain netif_type:netif *; -allow unconfineddomain domain:peer recv; -allow unconfineddomain { domain -init }:binder { call transfer };