commit 2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35
Author: Stephen Smalley
Date: Wed Jan 4 12:33:27 2012 -0500
SE Android policy.
diff --git a/Android.mk b/Android.mk
new file mode 100644
index 000000000..8b92edaf9
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,34 @@
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+# SELinux policy version.
+# Must be <= /selinux/policyvers reported by the Android kernel.
+# Must be within the compatibility range reported by checkpolicy -V.
+POLICYVERS := 24
+
+MLS_SENS=1
+MLS_CATS=1024
+
+file := $(TARGET_ROOT_OUT)/policy.$(POLICYVERS)
+$(file) : $(LOCAL_PATH)/policy.$(POLICYVERS) | $(ACP)
+ $(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+$(LOCAL_PATH)/policy.$(POLICYVERS): $(LOCAL_PATH)/policy.conf
+ checkpolicy -M -c $(POLICYVERS) -o $@ $<
+
+$(LOCAL_PATH)/policy.conf: $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts))
+ m4 -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -s $^ > $@
+
+file := $(TARGET_ROOT_OUT)/file_contexts
+$(file) : $(LOCAL_PATH)/file_contexts | $(ACP)
+ $(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+file := $(TARGET_ROOT_OUT)/seapp_contexts
+$(file) : $(LOCAL_PATH)/seapp_contexts | $(ACP)
+ $(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
diff --git a/access_vectors b/access_vectors
new file mode 100644
index 000000000..90927e7e0
--- /dev/null
+++ b/access_vectors
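Review bot: The policy.conf rule wraps every mandatory input (security_classes, initial_sids, access_vectors, global_macros, mls_macros, mls, policy_capabilities, te_macros, attributes, roles, users, ocontexts) in `$(wildcard ...)`, so a missing or misspelled file is silently dropped from the m4 concatenation instead of failing the build, and checkpolicy may still emit a loadable policy that lacks, for example, the mls constraints or the policy_capabilities block. Only the `*.te` glob needs wildcard expansion; listing the fixed files directly keeps the required ordering and makes a missing one a hard error: `$(LOCAL_PATH)/policy.conf: $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes) $(wildcard $(LOCAL_PATH)/*.te) $(addprefix $(LOCAL_PATH)/,roles users ocontexts)`. Separately, `checkpolicy` and `m4` are run as bare host commands with no prerequisite on the host tool build, so a stale or absent checkpolicy is only noticed when the recipe runs, and both generated files are written into `$(LOCAL_PATH)` (the source tree) rather than an output directory, where a clean target cannot remove them.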
@@ -0,0 +1,882 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+ receive
+}
+
+class zygote
+{
+ specifyids
+ specifyrlimits
+ specifycapabilities
+ specifyinvokewith
+ specifyseinfo
+}
diff --git a/adbd.te b/adbd.te
new file mode 100644
index 000000000..3a0aa3b01
--- /dev/null
+++ b/adbd.te
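Review bot: The two Android-specific classes appended at the end, `binder` and `zygote`, are the only classes in the file without a comment saying where they come from or what enforces them, while every other group is introduced by a header (`# SE-X Windows stuff`, `# Extended Netlink classes`, `# network peer labels`). Because the rest of this file mirrors the upstream reference policy, a reader diffing against upstream needs to see that these are local additions and where the checks live; a header such as `# Android-specific classes (not in upstream refpolicy). binder: checked by the kernel binder driver; zygote: checked in userspace by the zygote process -- confirm against the enforcing code.` would cover it, hedged because the enforcing code is not on this page. The `zygote` permission names (specifyids, specifyrlimits, specifycapabilities, specifyinvokewith, specifyseinfo) would also benefit from the one-line trailing comments the `passwd` class uses, since their meaning is not recoverable from the name alone. The capability class already notes that order matters for kernel classes; stating whether that applies to `binder` at policy version 24 would save the next person from guessing.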
@@ -0,0 +1,29 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain, mlstrustedsubject;
+allow adbd adb_device:chr_file rw_file_perms;
+allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
+allow adbd rootfs:file entrypoint;
+allow adbd init:process sigchld;
+allow adbd self:tcp_socket *;
+allow adbd self:unix_stream_socket *;
+allow adbd node:tcp_socket node_bind;
+allow adbd port:tcp_socket name_bind;
+allow adbd devpts:chr_file rw_file_perms;
+allow adbd cgroup:dir { write add_name create };
+allow adbd labeledfs:filesystem remount;
+allow adbd shell_data_file:dir rw_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file r_file_perms;
+allow adbd log_device:chr_file r_file_perms;
+# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
+allow adbd system_file:file rx_file_perms;
+unix_socket_connect(adbd, vold, vold)
+# Talk to init via the property socket.
+unix_socket_connect(adbd, property, init)
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
diff --git a/app.te b/app.te
new file mode 100644
index 000000000..b2bd81750
--- /dev/null
+++ b/app.te
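Review bot: `allow adbd self:tcp_socket *;` and `allow adbd self:unix_stream_socket *;` grant every permission in those classes, including `relabelfrom`/`relabelto`, `name_connect` and `connectto`, which a listening daemon does not need; adbd is the process reachable over USB and TCP, so its socket rules are the ones most worth keeping explicit. Enumerating what a server socket uses, for example `allow adbd self:tcp_socket { create bind listen accept read write getattr setattr getopt setopt shutdown };` (trimmed or extended against observed denials), keeps the wildcard out of the network-facing domain. `allow adbd labeledfs:filesystem remount;` together with `sys_admin` in the capability set lets adbd remount labelled filesystems read-write; a comment naming the adb feature that requires it would show it is intentional rather than left over from bring-up, in the same way the two `XXX` comments already flag vdc and screencap.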
@@ -0,0 +1,107 @@
+#
+# Domains for apps that do not run with one of the predefined
+# platform UIDs (system, radio, nfc, ...).
+#
+
+#
+# Trusted apps.
+#
+type trusted_app, domain;
+app_domain(trusted_app)
+# Access the network.
+net_domain(trusted_app)
+# Access bluetooth.
+bluetooth_domain(trusted_app)
+# Read logs.
+allow trusted_app log_device:chr_file read;
+# Write to /cache.
+allow trusted_app cache_file:dir rw_dir_perms;
+allow trusted_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow trusted_app shell_data_file:dir search;
+allow trusted_app shell_data_file:file { open getattr read };
+allow trusted_app shell_data_file:lnk_file read;
+# Access the sdcard.
+allow trusted_app sdcard:dir create_dir_perms;
+allow trusted_app sdcard:file create_file_perms;
+# Populate /data/app/vmdl*.tmp file created by system server.
+# It would be better if this was labeled differently.
+allow trusted_app apk_data_file:file write;
+# Perform binder IPC to any app domain.
+binder_call(trusted_app, appdomain)
+binder_transfer(trusted_app, appdomain)
+
+#
+# An example of a specific domain for a specific app
+# A domain for com.android.browser.
+type browser_app, domain;
+app_domain(browser_app)
+# Access the network.
+net_domain(browser_app)
+
+#
+# Untrusted apps.
+#
+type untrusted_app, domain;
+app_domain(untrusted_app)
+# Boolean-controlled options for untrusted apps.
+# Network access.
+bool app_network true;
+if (app_network) {
+# Cannot use net_domain within a conditional - type attribute.
+allow untrusted_app self:{ tcp_socket udp_socket } *;
+allow untrusted_app port_type:tcp_socket name_connect;
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app port_type:udp_socket name_bind;
+allow untrusted_app port_type:tcp_socket name_bind;
+unix_socket_connect(untrusted_app, dnsproxyd, netd)
+}
+# Bluetooth access.
+bool app_bluetooth false;
+if (app_bluetooth) {
+# No specific SELinux class for bluetooth sockets presently.
+allow untrusted_app self:socket *;
+}
+# SDCard rw access.
+bool app_sdcard_rw true;
+if (app_sdcard_rw) {
+allow untrusted_app sdcard:dir create_dir_perms;
+allow untrusted_app sdcard:file create_file_perms;
+}
+# Native app support.
+bool app_ndk false;
+if (app_ndk) {
+allow untrusted_app app_data_file:file execute;
+}
+
+#
+# Rules for all app domains.
+#
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Communicate over a FIFO to system processes.
+allow appdomain system:fifo_file rw_file_perms;
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir r_dir_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+binder_transfer(appdomain, binderservicedomain)
+# Perform binder IPC to apps in the trusted_app domain.
+binder_call(appdomain, trusted_app)
+binder_transfer(appdomain, trusted_app)
diff --git a/attributes b/attributes
new file mode 100644
index 000000000..f2ea0c53a
--- /dev/null
+++ b/attributes
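Review bot: Inside `if (app_network)` the rules `allow untrusted_app port_type:udp_socket name_bind;` and `allow untrusted_app port_type:tcp_socket name_bind;` let an untrusted app bind to every port carrying any `port_type` type, so the MAC layer adds nothing beyond DAC for port binding, and if ocontexts later labels a reserved port range with its own type that range is covered automatically. The comment `# Cannot use net_domain within a conditional - type attribute.` explains why the macro is not used but not which rules this block is meant to mirror; I cannot see te_macros, so if the intent is parity with `net_domain(trusted_app)` above, a comment such as `# Keep in sync with net_domain() in te_macros.` would stop the two from drifting, and a narrower bind target should be used once one is defined. Separately, `# Notify zygote of death;` ends with a stray semicolon that makes a comment read like a rule; `# Notify zygote of death.` is what the neighbouring comments use.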
@@ -0,0 +1,57 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+attribute fs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
diff --git a/bluetooth.te b/bluetooth.te
new file mode 100644
index 000000000..f43543c1f
--- /dev/null
+++ b/bluetooth.te
@@ -0,0 +1,4 @@
+# Domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
diff --git a/bluetoothd.te b/bluetoothd.te
new file mode 100644
index 000000000..640a1da2e
--- /dev/null
+++ b/bluetoothd.te
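Review bot: The comment `# All types use for sysfs files.` has a typo; `# All types used for sysfs files.` matches the wording of every other entry. `unconfineddomain` is described as "allowed all permissions" but nothing on this page assigns it or grants to it, so a pointer to the file that does (unconfined rules live elsewhere, presumably) would help a reviewer find the rules that make that description true. The `file_type` comment says `Do not use for pseudo file types.`, yet file.te in this same commit declares the `/dev/socket/*` socket types with `file_type`; either the comment should say socket files on tmpfs are in scope, or those types need a different attribute.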
@@ -0,0 +1,10 @@
+# bluetoothd - bluetooth daemon
+type bluetoothd, domain;
+type bluetoothd_exec, exec_type, file_type;
+
+init_daemon_domain(bluetoothd)
+allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
+allow bluetoothd self:socket *;
+allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
+allow bluetoothd bluetoothd_data_file:file create_file_perms;
+unix_socket_connect(bluetoothd, dbus, dbusd)
diff --git a/cts.te b/cts.te
new file mode 100644
index 000000000..3600e944a
--- /dev/null
+++ b/cts.te
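Review bot: `allow bluetoothd self:socket *;` repeats by hand the grant that bluetooth.te attaches to the `bluetoothdomain` attribute, while app.te reaches the same rule through `bluetooth_domain(trusted_app)`. Using the macro here as well, `bluetooth_domain(bluetoothd)`, keeps the generic-socket wildcard in one place so that a future bluetooth socket class only has to be handled once; I have not seen te_macros, so this assumes the macro does no more than add the attribute. The capability line also deserves a short comment per capability (`net_admin` and `setuid` in particular), as none of the daemon files on this page say why each capability is needed.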
@@ -0,0 +1,42 @@
+#
+# Rules to allow the Android CTS to run.
+# Do not enable in production policy.
+#
+
+bool android_cts false;
+if (android_cts) {
+# Reads /proc/pid entries to check that no unexpected root
+# processes are running.
+allow appdomain domain:dir r_dir_perms;
+allow appdomain domain:{ file lnk_file } r_file_perms;
+
+# Will still fail when trying to read other app /proc/pid
+# entries due to MLS constraints. Just silence the denials.
+dontaudit appdomain appdomain:dir r_dir_perms;
+dontaudit appdomain appdomain:file r_file_perms;
+
+# Walk the file tree, stat any file.
+allow appdomain file_type:dir r_dir_perms;
+allow appdomain fs_type:dir r_dir_perms;
+allow appdomain dev_type:dir r_dir_perms;
+allow appdomain file_type:dir_file_class_set getattr;
+allow appdomain dev_type:dir_file_class_set getattr;
+allow appdomain fs_type:dir_file_class_set getattr;
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file rx_file_perms;
+allow appdomain system_file:file rx_file_perms;
+
+# Read routing information.
+allow netdomain self:netlink_route_socket { create read write nlmsg_read };
+
+# Tries to open /dev/alarm for writing but expects failure.
+dontaudit appdomain alarm_device:chr_file write;
+
+# Tries to create and use a netlink kobject uevent socket
+# to test for a vulnerable vold.
+dontaudit appdomain self:netlink_kobject_uevent_socket create;
+
+# Tries to override DAC restrictions but expects to fail.
+dontaudit shell self:capability dac_override;
+}
diff --git a/dbusd.te b/dbusd.te
new file mode 100644
index 000000000..6ffc836ef
--- /dev/null
+++ b/dbusd.te
@@ -0,0 +1,8 @@
+# dbus daemon
+type dbusd, domain;
+type dbusd_exec, exec_type, file_type;
+
+init_daemon_domain(dbusd)
+# Reads /proc/pid/cmdline of clients
+r_dir_file(dbusd, system)
+r_dir_file(dbusd, bluetoothd)
diff --git a/debuggerd.te b/debuggerd.te
new file mode 100644
index 000000000..f808ea9b9
--- /dev/null
+++ b/debuggerd.te
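Review bot: `bool android_cts false;` compiles the whole CTS block into every policy binary and leaves it one `setbool` away from being active, which does not match the header `# Do not enable in production policy.`; the boolean only sets a default, it does not keep the rules out of shipped policy. If the rules must not exist on production devices, gate the file at build time instead (an m4 conditional driven by a `-D` flag from Android.mk, or excluding cts.te from the `*.te` glob for non-engineering builds) and keep the boolean for test builds only; the header comment should then say which mechanism applies. When the boolean is on, `allow appdomain domain:{ file lnk_file } r_file_perms;` and the three `dir_file_class_set getattr` rules let every app read /proc for every domain and stat every file on the device, so the comment block is also the right place to state that this is expected only on test devices. The dbusd hunk on the same line is fine as it stands.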
@@ -0,0 +1,14 @@
+# debugger interface
+type debuggerd, domain;
+type debuggerd_exec, exec_type, file_type;
+
+init_daemon_domain(debuggerd)
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill };
+allow debuggerd domain:dir r_dir_perms;
+allow debuggerd domain:file r_file_perms;
+allow debuggerd domain:process ptrace;
+allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:file create_file_perms;
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file r_file_perms;
diff --git a/device.te b/device.te
new file mode 100644
index 000000000..1b9df4f54
--- /dev/null
+++ b/device.te
@@ -0,0 +1,38 @@
+# Device types
+type device, dev_type, fs_type;
+type akm_device, dev_type;
+type accelerometer_device, dev_type;
+type alarm_device, dev_type, mlstrustedobject;
+type adb_device, dev_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type loop_device, dev_type;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type full_device, dev_type;
+type graphics_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
+type mtd_device, dev_type;
+type nfc_device, dev_type;
+type nv_device, dev_type, mlstrustedobject;
+type powervr_device, dev_type, mlstrustedobject;
+type ptmx_device, dev_type, mlstrustedobject;
+type qemu_device, dev_type;
+type kmsg_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type urandom_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type;
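Review bot: `allow debuggerd domain:process ptrace;` combined with `typeattribute debuggerd mlstrustedsubject;` and `sys_ptrace` lets debuggerd read the memory of every process at every MLS level, and domain.te in the same commit lets every domain `connectto` its socket, so this daemon is the widest trust boundary on the page and the file carries no comment about why; the reason (writing tombstones for crashing processes, presumably, given the `tombstone_data_file` rules) should be written down. A header such as `# debuggerd must ptrace and signal any crashing process to write its tombstone and is reachable by every domain (see domain.te); keep its own permissions minimal.` records the trade-off for later reviewers. `allow debuggerd domain:process { sigstop signal };` could be merged into the earlier `domain:process ptrace` rule so the full set of process permissions over all domains is visible on one line.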
diff --git a/domain.te b/domain.te
new file mode 100644
index 000000000..55c9ecd4c
--- /dev/null
+++ b/domain.te
@@ -0,0 +1,96 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# binder adjusts the nice value during IPC.
+allow domain self:capability sys_nice;
+
+# Intra-domain accesses.
+allow domain self:process ~{ execstack execheap };
+allow domain self:fd use;
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr read write shutdown };
+
+# Talk to debuggerd.
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir r_dir_perms;
+allow domain rootfs:lnk_file read;
+
+# Device accesses.
+allow domain device:dir search;
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file r_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain powervr_device:chr_file rw_file_perms;
+allow domain log_device:dir search;
+allow domain log_device:chr_file w_file_perms;
+allow domain nv_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file r_file_perms;
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+
+# System file accesses.
+allow domain system_file:dir r_dir_perms;
+allow domain system_file:file r_file_perms;
+allow domain system_file:file execute;
+allow domain system_file:lnk_file read;
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file read;
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir search;
+allow domain apk_data_file:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain cache_file:dir r_dir_perms;
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file read;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir search;
+allow domain cgroup:file w_file_perms;
+
+# For /sys/qemu_trace files in the emulator.
+bool in_qemu false;
+if (in_qemu) {
+allow domain sysfs:file rw_file_perms;
+}
+allow domain sysfs_writable:file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain, proc)
+r_dir_file(domain, sysfs)
+r_dir_file(domain, inotify)
+r_dir_file(domain, cgroup)
+
+# Ignore /sys/kernel/debug
+dontaudit domain debugfs:dir search;
diff --git a/drmserver.te b/drmserver.te
new file mode 100644
index 000000000..5b46ea88c
--- /dev/null
+++ b/drmserver.te
@@ -0,0 +1,10 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+init_daemon_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system)
diff --git a/file.te b/file.te
new file mode 100644
index 000000000..11c3ef649
--- /dev/null
+++ b/file.te
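Review bot: `allow domain self:process ~{ execstack execheap };` is a complement rule, so every domain, untrusted apps included, gets every other permission of the process class on itself: `execmem`, `ptrace`, `dyntransition`, `setcurrent`, `setexec` and `setfscreate` as listed in access_vectors, plus anything a future kernel adds to the class. A positive list such as `allow domain self:process { fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit };` (extended as denials are observed) is the safer baseline, and `execmem` in particular should be granted per domain with a comment, since it removes W^X for every process at once. The same all-domains breadth applies to `allow domain system_file:file execute;`, `allow domain self:capability sys_nice;` and `allow domain cgroup:file w_file_perms;`; the `sys_nice` and cgroup lines have a reason written next to them, the execute line does not. The drmserver hunk on the same line raises nothing new.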
@@ -0,0 +1,75 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, mlstrustedobject;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sdcard, fs_type, mlstrustedobject;
+type debugfs, fs_type, mlstrustedobject;
+
+# File types
+type unlabeled, file_type;
+# Default type for anything under /system.
+type system_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type;
+# /data/gps
+type gps_data_file, file_type, data_file_type;
+# /data/misc subdirectories
+type bluetoothd_data_file, file_type, data_file_type;
+type bluetooth_data_file, file_type, data_file_type;
+type keystore_data_file, file_type, data_file_type;
+type vpn_data_file, file_type, data_file_type;
+type systemkeys_data_file, file_type, data_file_type;
+type wifi_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type;
+type nfc_data_file, file_type, data_file_type;
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type;
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+
+# Socket types
+type bluetooth_socket, file_type;
+type dbus_socket, file_type;
+type dnsproxyd_socket, file_type, mlstrustedobject;
+type gps_socket, file_type;
+type installd_socket, file_type;
+type keystore_socket, file_type;
+type netd_socket, file_type;
+type property_socket, file_type;
+type qemud_socket, file_type;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type;
+type vold_socket, file_type;
+type wpa_socket, file_type;
+type zygote_socket, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
new file mode 100644
index 000000000..332017d70
--- /dev/null
+++ b/file_contexts
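Review bot: `type unlabeled, file_type;` puts the no-label type on the same attribute as every real file type, so each attribute-wide grant, `allow file_type labeledfs:filesystem associate;` here and the `file_type` rules in cts.te, also covers files that have no label; if that is deliberate (files on a not-yet-relabelled /data, presumably), a comment on that line saying so would stop a later reader from treating it as an oversight, and if it is not, `unlabeled` should drop the attribute. The `# /data/misc subdirectories` group lists eight types under one comment while every other data type names its exact path; one comment per type, with the paths taken from file_contexts, would match the rest of the file. `sysfs_writable` is the only type carrying `sysfs_type`, and `allow sysfs_type sysfs:filesystem associate;` is its only consumer on this page, which is fine but worth a comment explaining that sysfs_type exists to label writable sysfs entries.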
@@ -0,0 +1,129 @@
+###########################################
+# Root
+#
+# Nothing required since it is initramfs and implicitly labeled
+# by genfscon rootfs in ocontexts.
+#
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/akm8973.* u:object_r:akm_device:s0
+/dev/accelerometer u:object_r:accelerometer_device:s0
+/dev/alarm u:object_r:alarm_device:s0
+/dev/android_adb.* u:object_r:adb_device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/audio.* u:object_r:audio_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/mtdblock5 u:object_r:radio_device:s0
+/dev/cam u:object_r:camera_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/full u:object_r:full_device:s0
+/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/input(/.*) u:object_r:input_device:s0
+/dev/kmem u:object_r:kmem_device:s0
+/dev/log(/.*)? u:object_r:log_device:s0
+/dev/mem u:object_r:kmem_device:s0
+/dev/modem.* u:object_r:radio_device:s0
+/dev/mtd(/.*)? u:object_r:mtd_device:s0
+/dev/mtd/mtd5 u:object_r:radio_device:s0
+/dev/mtd/mtd5ro u:object_r:radio_device:s0
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/pvrsrvkm u:object_r:powervr_device:s0
+/dev/qemu_.* u:object_r:qemu_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/nvhdcp1 u:object_r:video_device:s0
+/dev/nvmap u:object_r:nv_device:s0
+/dev/nvhost-.* u:object_r:nv_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/s3c-jpg u:object_r:camera_device:s0
+/dev/s3c-mem u:object_r:camera_device:s0
+/dev/s3c-mfc u:object_r:graphics_device:s0
+/dev/snd(/.*)? u:object_r:audio_device:s0
+/dev/socket u:object_r:socket_device:s0
+/dev/socket/bluetooth u:object_r:bluetooth_socket:s0
+/dev/socket/dbus_bluetooth u:object_r:bluetooth_socket:s0
+/dev/socket/dbus u:object_r:dbus_socket:s0
+/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
+/dev/socket/installd u:object_r:installd_socket:s0
+/dev/socket/keystore u:object_r:keystore_socket:s0
+/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/qemud u:object_r:qemud_socket:s0
+/dev/socket/rild u:object_r:rild_socket:s0
+/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/vold u:object_r:vold_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote u:object_r:zygote_socket:s0
+/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/tegra.* u:object_r:video_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/uinput u:object_r:input_device:s0
+/dev/urandom u:object_r:urandom_device:s0
+/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
+/dev/video[0-9]* u:object_r:video_device:s0
+/dev/zero u:object_r:zero_device:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/bin/ash u:object_r:shell_exec:s0
+/system/bin/mksh u:object_r:shell_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/app_process u:object_r:zygote_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/vold u:object_r:vold_exec:s0
+/system/bin/netd u:object_r:netd_exec:s0
+/system/bin/rild u:object_r:rild_exec:s0
+/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/dbus-daemon u:object_r:dbusd_exec:s0
+/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/debuggerd u:object_r:debuggerd_exec:s0
+/system/bin/bluetoothd u:object_r:bluetoothd_exec:s0
+/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
+/system/bin/qemud u:object_r:qemud_exec:s0
+/system/xbin/su u:object_r:su_exec:s0
+/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
+#############################
+# Data files
+#
+/data(/.*)? u:object_r:system_data_file:s0
+/data/gps(/.*)? u:object_r:gps_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/local(/.*)? u:object_r:shell_data_file:s0
+# Misc data
+/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
+/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
+/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+# App sandboxes
+/data/data/.* u:object_r:app_data_file:s0
+#############################
+# efs files
+#
+/efs(/.*)? u:object_r:efs_file:s0
+#############################
+# Cache files
+#
+/cache(/.*)? u:object_r:cache_file:s0
+#############################
+# sysfs files
+#
+/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0
diff --git a/global_macros b/global_macros
new file mode 100644
index 000000000..15e09ed7e
--- /dev/null
+++ b/global_macros
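Review bot: `/dev/input(/.*)` is missing the `?` that every other directory entry in this hunk carries, so the `/dev/input` directory itself matches only `/dev(/.*)?` and is labeled `device`, while the nodes inside it are `input_device`; system.te grants `input_device:dir r_dir_perms` for exactly that directory, so a listing of it would be checked against `device:dir` instead and presumably denied. Change the line to `/dev/input(/.*)? u:object_r:input_device:s0`. It is also worth confirming that `/dev/socket/wpa_eth[0-9]` and `/dev/socket/wpa_wlan[0-9]` deliberately match a single digit only, since the other numbered device entries use `[0-9]*`.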
@@ -0,0 +1,40 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 }')
+
+define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`devfile_class_set', `{ chr_file blk_file }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans }')
+define(`r_file_perms', `{ getattr open read ioctl lock }')
+define(`w_file_perms', `{ open append write }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`link_file_perms', `{ getattr link unlink rename }')
+define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl }')
+define(`w_dir_perms', `{ open search write add_name remove_name }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
diff --git a/gpsd.te b/gpsd.te
new file mode 100644
index 000000000..bc2893d1e
--- /dev/null
+++ b/gpsd.te
@@ -0,0 +1,14 @@
+# gpsd - GPS daemon
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+net_domain(gpsd)
+allow gpsd gps_data_file:dir rw_dir_perms;
+allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
+# Socket is created by the daemon, not by init, and under /data/gps,
+# not under /dev/socket.
+type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd gps_socket:sock_file create_file_perms;
+# XXX Label sysfs files with a specific type?
+allow gpsd sysfs:file rw_file_perms;
diff --git a/init.te b/init.te
new file mode 100644
index 000000000..0f9b69730
--- /dev/null
+++ b/init.te
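Review bot: `socket_class_set` omits `key_socket` and `dccp_socket`, both declared in the security_classes hunk, so the `mlsconstrain socket_class_set { read write create ... }` rule in the mls hunk leaves those two classes entirely outside the MLS socket constraint; `unpriv_socket_class_set` and `stream_socket_class_set` likewise leave out `dccp_socket`. If the omission is intentional a comment on the define should say so; otherwise extend the list, `... netlink_kobject_uevent_socket tun_socket key_socket dccp_socket }')`. The same applies to any future class added to security_classes, so a comment on the define reminding maintainers to keep the two files in step would help.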
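Review bot: `allow gpsd sysfs:file rw_file_perms;` grants write access to every attribute under sysfs, and the same `XXX` rule recurs in mediaserver.te, rild.te and, write-only, netd.te, even though this commit already introduces `sysfs_writable` and uses it for one path in file_contexts. Until the split happens, each of these lines should record which attribute the daemon actually touches so that the narrower type can be introduced later, e.g. `# XXX Needs write to: <sysfs path — TODO fill in>` above the allow. `net_domain(gpsd)` is also unexplained; a one-line reason (what gpsd talks to over the network) would make the grant reviewable.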
@@ -0,0 +1,5 @@
+# init switches to init domain (via init.rc).
+type init, domain;
+# init is unconfined.
+unconfined_domain(init)
+tmpfs_domain(init)
diff --git a/initial_sids b/initial_sids
new file mode 100644
index 000000000..91ac816ba
--- /dev/null
+++ b/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/installd.te b/installd.te
new file mode 100644
index 000000000..e4b0b1828
--- /dev/null
+++ b/installd.te
@@ -0,0 +1,21 @@
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+
+init_daemon_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:file { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts, presently on the rootfs.
+allow installd rootfs:file r_file_perms;
diff --git a/kernel.te b/kernel.te
new file mode 100644
index 000000000..66c7b13f9
--- /dev/null
+++ b/kernel.te
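Review bot: `allow installd data_file_type:dir { relabelfrom relabelto };` lets installd move any directory between any two `data_file_type` types, for example from `app_data_file` to `system_data_file` or `shell_data_file`, which is much wider than the per-app relabeling seapp_contexts drives (its `type=` values are `system_data_file`, `nfc_data_file`, `radio_data_file` and `app_data_file`). If installd only relabels app sandboxes, narrow the target to those types, or add a comment naming the operation that needs the whole attribute. `typeattribute installd mlstrustedsubject;` also carries no rationale; presumably it is required because app sandboxes carry per-UID categories via `levelFromUid=true`, and saying so on the line would make the exemption auditable.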
@@ -0,0 +1,4 @@
+# Life begins with the kernel.
+type kernel, domain;
+# The kernel is unconfined.
+unconfined_domain(kernel)
diff --git a/keystore.te b/keystore.te
new file mode 100644
index 000000000..43c913a85
--- /dev/null
+++ b/keystore.te
@@ -0,0 +1,7 @@
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+init_daemon_domain(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/mediaserver.te b/mediaserver.te
new file mode 100644
index 000000000..16bbefa21
--- /dev/null
+++ b/mediaserver.te
@@ -0,0 +1,26 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, exec_type, file_type;
+
+init_daemon_domain(mediaserver)
+net_domain(mediaserver)
+typeattribute mediaserver mlstrustedsubject;
+allow mediaserver kernel:system module_request;
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file { read getattr };
+r_dir_file(mediaserver, sdcard)
+allow mediaserver sdcard:file write;
+allow mediaserver camera_device:chr_file rw_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+allow mediaserver audio_device:dir r_dir_perms;
+allow mediaserver audio_device:chr_file rw_file_perms;
+allow mediaserver qemu_device:chr_file rw_file_perms;
+# XXX Label with a specific type?
+allow mediaserver sysfs:file rw_file_perms;
+# XXX Why?
+allow mediaserver apk_data_file:file { read getattr };
diff --git a/mls b/mls
new file mode 100644
index 000000000..9bb40680c
--- /dev/null
+++ b/mls
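Review bot: `typeattribute mediaserver mlstrustedsubject;` combined with `allow mediaserver app_data_file:dir search;` and `allow mediaserver app_data_file:file { read getattr };` means the per-app categories assigned through `levelFromUid=true` in seapp_contexts do not separate one app's private files from mediaserver, and neither line records why; the same undocumented `mlstrustedsubject` grant appears in installd.te, netd.te and surfaceflinger.te. A comment such as `# mlstrustedsubject: receives fds from apps at every level over Binder` above the typeattribute would tie the exemption to its reason (that is my guess at the reason; please confirm). The `# XXX Why?` on the `apk_data_file` read is an honest marker, but the rule should not be considered final until the answer is written down.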
@@ -0,0 +1,112 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
+
+
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: No write down unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# These permissions are between the process and its local socket,
+# not between a process/socket and its peer.
+# Equivalence is the normal situation; anything else requires trust.
+mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Datagram send: Sender must be dominated by receiver unless one of them is
+# trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be dominated by the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a MLS trusted subject and can receive data at any level.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+
+#
+# IPC constraints
+#
+
+# Create/destroy: equivalence or trusted.
+mlsconstrain ipc_class_set { create destroy }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+# Read ops: No read up unless trusted.
+mlsconstrain ipc_class_set r_ipc_perms
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Write ops: No write down unless trusted.
+mlsconstrain ipc_class_set w_ipc_perms
+ (l1 domby l2 or t1 == mlstrustedsubject);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/mls_macros b/mls_macros
new file mode 100644
index 000000000..83e05425b
--- /dev/null
+++ b/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/net.te b/net.te
new file mode 100644
index 000000000..b10cecdaa
--- /dev/null
+++ b/net.te
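Review bot: The three IPC constraints are written over `ipc_class_set`, which global_macros defines as `{ sem msgq shm ipc }`, so the `msg` class declared in security_classes is not covered by any MLS constraint and individual messages are not level-checked. If that is deliberate, a sentence under `# IPC constraints` should say so; otherwise `msg` needs a rule of its own, since its permission set is presumably not the `ipc` common that `r_ipc_perms`/`w_ipc_perms` assume (I cannot see its access vector from here). The commented-out Binder constraint is well explained, but keeping only the prose and dropping the dead `#mlsconstrain binder call` lines would stop the inert rule drifting out of sync with the live syntax.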
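Review bot: `gen_cats(N)` and `gen_sens(N)` count from 0 up to `decr($1)`, so a value of 0 (or anything non-positive) for `mls_num_cats`/`mls_num_sens` never satisfies the `ifelse` stop condition and m4 recurses until it runs out of memory instead of reporting the bad input; Android.mk passes 1 and 1024 today, but the macro should fail loudly, e.g. as the first line of `gen_cats`: `ifelse(eval($1 <= 0),1,`errprint(`gen_cats: N must be >= 1')m4exit(1)')` and likewise for `gen_sens`. Separately, the header comments misspell "categories" and "sensitivities" as `categores` and `sensitivites`.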
@@ -0,0 +1,18 @@
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+# Use network sockets.
+allow netdomain self:{ tcp_socket udp_socket } *;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
+# Get route information.
+allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/netd.te b/netd.te
new file mode 100644
index 000000000..94c960412
--- /dev/null
+++ b/netd.te
@@ -0,0 +1,30 @@
+# network manager
+type netd, domain;
+type netd_exec, exec_type, file_type;
+
+init_daemon_domain(netd)
+typeattribute netd mlstrustedsubject;
+allow netd self:capability { net_admin net_raw sys_module };
+allow netd self:netlink_kobject_uevent_socket *;
+allow netd self:netlink_route_socket *;
+allow netd self:netlink_nflog_socket *;
+allow netd self:rawip_socket *;
+allow netd self:udp_socket *;
+allow netd node:udp_socket node_bind;
+allow netd port:udp_socket name_bind;
+allow netd self:unix_stream_socket *;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+allow netd devpts:chr_file rw_file_perms;
+
+# For /proc/sys/net/ipv[46]/route/flush.
+# XXX Split /proc/sys/net into its own type.
+allow netd proc:file write;
+
+# For firmware_path
+# XXX Split into its own type.
+allow netd sysfs:file write;
+
+# Load network drivers.
+allow netd kernel:system module_request;
+
diff --git a/nfc.te b/nfc.te
new file mode 100644
index 000000000..b20d23699
--- /dev/null
+++ b/nfc.te
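Review bot: With a single port type (`port`) and no `portcon` statements in ocontexts, `allow netdomain port_type:tcp_socket name_connect;` and the two `name_bind` rules grant every network domain bind/connect on every port, so today these lines are grants rather than controls. A comment above `# Connect to ports.` stating that port-level separation is deferred until `portcon` types exist would keep a reader from assuming it is enforced. `allow netdomain self:{ tcp_socket udp_socket } *;` likewise hands out the whole permission set, including the relabel permissions from the `socket` common; listing what netdomain actually needs would match the explicit sets used elsewhere in global_macros.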
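Review bot: `allow netd self:capability { net_admin net_raw sys_module };` includes `sys_module` although the stated need, `# Load network drivers.`, is already met by `allow netd kernel:system module_request;`, which lets the kernel load the module on netd's behalf without netd holding the capability to insert modules itself. If netd really does call init_module directly, say so on the capability line; otherwise drop `sys_module`. `allow netd shell_exec:file rx_file_perms;` (and the same line in rild.te) runs shell scripts inside the daemon's own domain with all of its capabilities and no `domain_auto_trans`; a comment naming the script would let a later change give it a domain of its own.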
@@ -0,0 +1,10 @@
+# nfc subsystem
+type nfc, domain;
+app_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
diff --git a/ocontexts b/ocontexts
new file mode 100644
index 000000000..ddd57b63c
--- /dev/null
+++ b/ocontexts
@@ -0,0 +1,65 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
+
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:sdcard:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:sdcard:s0
+
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
diff --git a/policy_capabilities b/policy_capabilities
new file mode 100644
index 000000000..c7b9d9ca4
--- /dev/null
+++ b/policy_capabilities
@@ -0,0 +1,5 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
diff --git a/qemud.te b/qemud.te
new file mode 100644
index 000000000..ec6c816d0
--- /dev/null
+++ b/qemud.te
@@ -0,0 +1,6 @@
+# qemu support daemon
+type qemud, domain;
+type qemud_exec, exec_type, file_type;
+
+init_daemon_domain(qemud)
+allow qemud serial_device:chr_file rw_file_perms;
diff --git a/radio.te b/radio.te
new file mode 100644
index 000000000..9094cce10
--- /dev/null
+++ b/radio.te
@@ -0,0 +1,17 @@
+# phone subsystem
+type radio, domain;
+app_domain(radio)
+net_domain(radio)
+bluetooth_domain(radio)
+
+# Talks to init via the property socket.
+unix_socket_connect(radio, property, init)
+
+# Talks to rild via the rild socket.
+unix_socket_connect(radio, rild, rild)
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
diff --git a/rild.te b/rild.te
new file mode 100644
index 000000000..2857892df
--- /dev/null
+++ b/rild.te
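Review bot: `genfscon proc / u:object_r:proc:s0` is the only proc entry, so `allow netd proc:file write;` (for `/proc/sys/net/ipv[46]/route/flush`) and `allow system proc:file write;` (for `/proc/net/xt_qtaguid/ctrl`) have to grant write on all of procfs, which both files already flag with `XXX`. The comment here notes that longest-prefix refinement is available, so adding e.g. `genfscon proc /sys/net u:object_r:PROC_SYS_NET_TYPE:s0` and `genfscon proc /net u:object_r:PROC_NET_TYPE:s0` (placeholder type names, each declared with `fs_type` the same way `proc` is) would let those two rules be narrowed in the same commit. `sid security u:object_r:kernel:s0` reuses the kernel domain type for the security-server object; a dedicated object type is the conventional choice, and if the reuse is deliberate a comment should say so.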
@@ -0,0 +1,21 @@
+# rild - radio interface layer daemon
+type rild, domain;
+type rild_exec, exec_type, file_type;
+
+init_daemon_domain(rild)
+net_domain(rild)
+allow rild kernel:system module_request;
+unix_socket_connect(rild, property, init)
+unix_socket_connect(rild, qemud, qemud)
+allow rild self:capability { setuid net_admin net_raw };
+allow rild alarm_device:chr_file rw_file_perms;
+allow rild cgroup:dir create_dir_perms;
+allow rild radio_device:chr_file rw_file_perms;
+allow rild qemu_device:chr_file rw_file_perms;
+allow rild mtd_device:dir search;
+allow rild efs_file:dir create_dir_perms;
+allow rild efs_file:file create_file_perms;
+allow rild shell_exec:file rx_file_perms;
+dontaudit rild self:capability sys_admin;
+# XXX Label sysfs files with a specific type?
+allow rild sysfs:file rw_file_perms;
diff --git a/roles b/roles
new file mode 100644
index 000000000..ca9293439
--- /dev/null
+++ b/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/seapp_contexts b/seapp_contexts
new file mode 100644
index 000000000..c30179251
--- /dev/null
+++ b/seapp_contexts
@@ -0,0 +1,37 @@
+# Input selectors:
+# isSystemServer (boolean)
+# user (string)
+# seinfo (string)
+# name (string)
+# isSystemServer=true can only be used once.
+# An unspecified boolean defaults to false.
+# An unspecified string selector will match any value.
+# A user string selector that ends in * will perform a prefix match.
+# seinfo= is only used when looking up app process security contexts.
+# All specified input selectors in an entry must match (i.e. logical AND).
+# Matching is case-insensitive.
+# Precedence rules:
+# (1) isSystemServer=true before isSystemServer=false.
+# (2) Specified user= string before unspecified user= string.
+# (3) Fixed user= string before user= prefix (i.e. ending in *).
+# (4) Longer user= prefix before shorter user= prefix.
+# (5) Specified seinfo= string before unspecified seinfo= string.
+# (6) Specified name= string before unspecified name= string.
+#
+# Outputs:
+# domain (string)
+# type (string)
+# levelFromUid (boolean)
+# level (string)
+# Only entries that specify domain= will be used for app process labeling.
+# Only entries that specify type= will be used for app directory labeling.
+# levelfromUid is only supported for app UIDs presently.
+# level may be used to specify a fixed level for any UID.
+#
+isSystemServer=true domain=system
+user=system domain=system_app type=system_data_file
+user=nfc domain=nfc type=nfc_data_file
+user=radio domain=radio type=radio_data_file
+user=app_* domain=untrusted_app type=app_data_file levelFromUid=true
+user=app_* seinfo=systemApp domain=trusted_app levelFromUid=true
+user=app_* seinfo=systemApp name=com.android.browser domain=browser_app levelFromUid=true
diff --git a/security_classes b/security_classes
new file mode 100644
index 000000000..38d78eb7a
--- /dev/null
+++ b/security_classes
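Review bot: The two `seinfo=systemApp` entries give a `domain=` but no `type=`, and the header states both that `seinfo=` is ignored for directory lookups and that only `type=` entries label directories, so systemApp sandboxes silently fall through to the `user=app_* ... type=app_data_file` entry; that is consistent, but non-obvious enough to deserve a comment above the `trusted_app` line, e.g. `# No type= here: directories for systemApp packages fall through to the app_* entry above.` `isSystemServer=true domain=system` also sets no level, so the system server runs at `s0` with no categories; given `type system, domain, mlstrustedsubject;` in system.te that is presumably intended, and a short comment would confirm it. The header also spells the output once as `levelfromUid` while the key is `levelFromUid`; if matching of keys is case-insensitive too, say so, otherwise fix the comment.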
@@ -0,0 +1,137 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+#
+# userspace object manager classes
+#
+
+# passwd/chfn/chsh
+class passwd # userspace
+
+# SE-X Windows stuff (more classes below)
+class x_drawable # userspace
+class x_screen # userspace
+class x_gc # userspace
+class x_font # userspace
+class x_colormap # userspace
+class x_property # userspace
+class x_selection # userspace
+class x_cursor # userspace
+class x_client # userspace
+class x_device # userspace
+class x_server # userspace
+class x_extension # userspace
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_firewall_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_ip6fw_socket
+class netlink_dnrt_socket
+
+class dbus # userspace
+class nscd # userspace
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class context # userspace
+
+class dccp_socket
+
+class memprotect
+
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# More SE-X Windows stuff
+class x_resource # userspace
+class x_event # userspace
+class x_synthetic_event # userspace
+class x_application_data # userspace
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+# Still More SE-X Windows stuff
+class x_pointer # userspace
+class x_keyboard # userspace
+
+# More Database stuff
+class db_schema # userspace
+class db_view # userspace
+class db_sequence # userspace
+class db_language # userspace
+
+class binder
+class zygote
+
+# FLASK
diff --git a/servicemanager.te b/servicemanager.te
new file mode 100644
index 000000000..fefbe080d
--- /dev/null
+++ b/servicemanager.te
@@ -0,0 +1,14 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain;
+type servicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(servicemanager)
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager domain:binder { receive transfer };
diff --git a/shell.te b/shell.te
new file mode 100644
index 000000000..e7e3b3569
--- /dev/null
+++ b/shell.te
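Review bot: `class zygote` carries no `# userspace` marker although the file's own convention (`# Classes marked as userspace are classes for userspace object managers`) is to tag every class enforced outside the kernel, and system.te's `allow system self:zygote *;` suggests the zygote process, not the kernel, is the object manager for it; if that is right, the line should read `class zygote # userspace`. `class binder` is enforced by the Binder driver and so is correct without the tag, but since the two are new Android-specific classes sitting next to each other, a one-line comment above the pair stating which side enforces each would stop the question recurring.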
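Review bot: The comment explains why the `binder_*` macros are skipped, but nothing in this hunk grants access to `binder_device:chr_file`, which servicemanager must be able to open before `set_context_mgr` can ever be exercised (file_contexts labels `/dev/binder` as `binder_device`). Unless `init_daemon_domain` or a rule outside this commit supplies it (te_macros is not in the chunk), add `allow servicemanager binder_device:chr_file rw_file_perms;` beside the two existing allows; either way, a comment recording where the device access comes from would settle it for the next reader.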
@@ -0,0 +1,30 @@
+type shell, domain;
+type shell_exec, file_type;
+domain_auto_trans(adbd, shell_exec, shell)
+domain_auto_trans(init, shell_exec, shell)
+allow shell rootfs:dir r_dir_perms;
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell system_file:file x_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+allow shell dalvikcache_data_file:file write;
+
+# Run dmesg.
+allow shell kernel:system syslog_read;
+
+# Run cat /proc/kmsg.
+allow shell kernel:system syslog_mod;
+
+# Run logcat.
+allow shell log_device:chr_file r_file_perms;
+
+# Run app_process.
+# XXX Split into its own domain?
+app_domain(shell)
diff --git a/su.te b/su.te
new file mode 100644
index 000000000..75e621406
--- /dev/null
+++ b/su.te
@@ -0,0 +1,6 @@
+type su, domain;
+type su_exec, file_type;
+domain_auto_trans(shell, su_exec, su)
+
+# su is unconfined.
+unconfined_domain(su)
diff --git a/surfaceflinger.te b/surfaceflinger.te
new file mode 100644
index 000000000..80607da94
--- /dev/null
+++ b/surfaceflinger.te
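Review bot: `allow shell dalvikcache_data_file:file write;` is the one rule in this hunk with no comment, and it gives the adb shell domain write access to the compiled-dex cache that app processes presumably load code from, so the integrity of code run by more privileged apps then depends on the shell user; that sits oddly next to the `domain_auto_trans(adbd, shell_exec, shell)` confinement the rest of the file builds. If the grant exists for a dexopt-style helper on debug builds, say so in a comment and consider giving that helper its own domain; otherwise drop the line. `domain_auto_trans(init, shell_exec, shell)` also means every shell script started from init.rc runs as `shell` with exactly these permissions, which is worth stating in a comment since it is not obvious from the domain's name.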
@@ -0,0 +1,24 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
+type surfaceflinger_exec, exec_type, file_type;
+
+init_daemon_domain(surfaceflinger)
+typeattribute surfaceflinger mlstrustedsubject;
+
+# Talk to init over the property socket.
+unix_socket_connect(surfaceflinger, property, init)
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, system)
+binder_service(surfaceflinger)
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket *;
diff --git a/system.te b/system.te
new file mode 100644
index 000000000..eff738670
--- /dev/null
+++ b/system.te
@@ -0,0 +1,134 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings. These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+app_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+binder_transfer(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system, domain, mlstrustedsubject;
+
+# Child of the zygote.
+allow system zygote:fd use;
+allow system zygote:process sigchld;
+allow system zygote_tmpfs:file read;
+
+# system server gets network and bluetooth permissions.
+net_domain(system)
+bluetooth_domain(system)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+# XXX See if we can remove some of these.
+allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+
+# Use netlink uevent sockets.
+allow system self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system appdomain:process { sigkill signal };
+
+# Read /proc data for apps.
+allow system appdomain:dir r_dir_perms;
+allow system appdomain:{ file lnk_file } rw_file_perms;
+
+# Write to /proc/net/xt_qtaguid/ctrl.
+# XXX Split /proc/net into its own type.
+allow system proc:file write;
+
+# Notify init of death.
+allow system init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system, property, init)
+unix_socket_connect(system, qemud, qemud)
+unix_socket_connect(system, installd, installd)
+unix_socket_connect(system, netd, netd)
+unix_socket_connect(system, vold, vold)
+unix_socket_connect(system, zygote, zygote)
+unix_socket_connect(system, keystore, keystore)
+unix_socket_connect(system, dbus, dbusd)
+unix_socket_connect(system, gps, gpsd)
+unix_socket_connect(system, bluetooth, bluetoothd)
+unix_socket_send(system, wpa, wpa)
+
+# Perform Binder IPC.
+tmpfs_domain(system)
+binder_use(system)
+binder_call(system, binderservicedomain)
+binder_call(system, appdomain)
+binder_service(system)
+# Transfer other Binder references.
+binder_transfer(system, binderservicedomain)
+binder_transfer(system, appdomain)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(system, appdomain)
+r_dir_file(system, mediaserver)
+allow system appdomain:process getattr;
+allow system mediaserver:process getattr;
+
+# Specify any arguments to zygote.
+allow system self:zygote *;
+
+# Check SELinux permissions.
+selinux_check_access(system)
+
+# XXX Label sysfs files with a specific type?
+allow system sysfs:file rw_file_perms;
+
+# Access devices.
+allow system device:chr_file rw_file_perms;
+allow system akm_device:chr_file rw_file_perms;
+allow system accelerometer_device:chr_file rw_file_perms;
+allow system alarm_device:chr_file rw_file_perms;
+allow system graphics_device:dir search;
+allow system graphics_device:chr_file rw_file_perms;
+allow system input_device:dir r_dir_perms;
+allow system input_device:chr_file rw_file_perms;
+allow system tty_device:chr_file rw_file_perms;
+allow system urandom_device:chr_file rw_file_perms;
+allow system video_device:chr_file rw_file_perms;
+allow system qemu_device:chr_file rw_file_perms;
+
+# Manage data files.
+allow system data_file_type:dir create_dir_perms;
+allow system data_file_type:notdevfile_class_set create_file_perms;
+
+# Create a socket for receiving info from wpa.
+type_transition system wifi_data_file:sock_file system_wpa_socket;
+allow system system_wpa_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system cache_file:dir create_dir_perms;
+allow system cache_file:file create_file_perms;
+
+# Run system programs, e.g. dexopt.
+allow system system_file:file x_file_perms;
+
+# Silently deny any /proc accesses that are not allowed.
+# This suppresses noise from walking the process list.
+dontaudit system domain:dir r_dir_perms;
+dontaudit system domain:file r_file_perms;
diff --git a/te_macros b/te_macros
new file mode 100644
index 000000000..545ba4e20
--- /dev/null
+++ b/te_macros
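Review bot: The comment `# Read /proc data for apps.` in the first part of the system.te hunk does not match the rule under it, `allow system appdomain:{ file lnk_file } rw_file_perms;`, which also grants write access to app processes' /proc entries; either narrow it to `r_file_perms` or make the comment name the writes it covers (presumably oom adjustment of app processes -- confirm). Further on, `allow system data_file_type:dir create_dir_perms;` and the `notdevfile_class_set create_file_perms` line below it give the system server full create/read/write on every data_file_type, which includes the per-app app_data_file that vold.te references, yet they carry only `# Manage data files.` where the parallel system_app rules have `# May want to split into separate types.`; a matching XXX comment here would keep that intent visible. This hunk spans three lines of the chunk and is reviewed once here.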
@@ -0,0 +1,207 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint read execute };
+# New domain can send SIGCHLD to its caller.
+allow $3 $1:process sigchld;
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# unconfined_domain(domain)
+# Allow the specified domain to do anything.
+#
+define(`unconfined_domain', `
+typeattribute $1 mlstrustedsubject;
+typeattribute $1 unconfineddomain;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+define(`tmpfs_domain', `
+type $1_tmpfs, file_type;
+type_transition $1 tmpfs:file $1_tmpfs;
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file { read execute execmod };
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+tmpfs_domain($1)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Get Binder references from the servicemanager.
+allow $1 servicemanager:binder call;
+# Transfer and receive own Binder references.
+allow $1 self:binder { transfer receive };
+# Map /dev/ashmem with PROT_EXEC.
+allow $1 ashmem_device:chr_file execute;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# First we receive a Binder ref to the server, then we call it.
+allow $1 $2:binder { receive call };
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_transfer(clientdomain, serverdomain)
+# Allow clientdomain to transfer Binder references created by serverdomain.
+define(`binder_transfer', `
+allow $1 $2:binder transfer;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket *;
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# selinux_getenforce(domain)
+# Allow domain to check whether SELinux is enforcing.
+define(`selinux_getenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file r_file_perms;
+')
diff --git a/ueventd.te b/ueventd.te
new file mode 100644
index 000000000..34e07fd0d
--- /dev/null
+++ b/ueventd.te
@@ -0,0 +1,19 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+tmpfs_domain(ueventd)
+allow ueventd rootfs:file r_file_perms;
+allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid };
+allow ueventd kernel:fd use;
+allow ueventd device:file create_file_perms;
+allow ueventd device:chr_file rw_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs:file setattr;
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;
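Review bot: `selinux_check_access` grants `allow $1 selinuxfs:file rw_file_perms;` on every selinuxfs node, not just the access/create nodes its header comment describes, so the domains using it in this commit (system, zygote) can open the enforce and policy-load nodes for writing as far as the file classes are concerned; what actually stops them is the separate kernel:security class, from which this macro grants only compute_av. That reliance should be stated on the rw line, e.g. `# rw covers all of selinuxfs; setenforce/load_policy are gated by kernel:security, which is not granted here.` Separately, `tmpfs_domain` documents its allow rule as `# Map with PROT_EXEC.` but also grants execmod, which permits executing a mapping after it has been modified; the comment should name execmod so that relaxation of W^X on tmpfs/ashmem files is visibly deliberate. The same rw_file_perms pattern appears in `selinux_check_context` and the comment applies there too.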
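Review bot: `allow ueventd sysfs:file rw_file_perms;` and `allow ueventd sysfs:file setattr;` on consecutive lines address the same source, target and class and can be one rule, `allow ueventd sysfs:file { rw_file_perms setattr };`, matching how the dev_type rules below combine their permissions. The header explains why there is no exec type, but the pair `allow ueventd rootfs:file r_file_perms;` / `allow ueventd rootfs:file entrypoint;` is the actual entry path and would read better with `# Entered via seclabel in init.rc; entrypoint on rootfs since ueventd has no exec type.` placed above it.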
diff --git a/unconfined.te b/unconfined.te
new file mode 100644
index 000000000..71cdfddcd
--- /dev/null
+++ b/unconfined.te
@@ -0,0 +1,23 @@
+allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:system *;
+allow unconfineddomain self:memprotect *;
+allow unconfineddomain domain:process *;
+allow unconfineddomain domain:fd *;
+allow unconfineddomain domain:dir r_dir_perms;
+allow unconfineddomain domain:lnk_file r_file_perms;
+allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
+allow unconfineddomain domain:socket_class_set *;
+allow unconfineddomain domain:ipc_class_set *;
+allow unconfineddomain domain:key *;
+allow unconfineddomain fs_type:filesystem *;
+allow unconfineddomain fs_type:dir_file_class_set *;
+allow unconfineddomain dev_type:dir_file_class_set *;
+allow unconfineddomain file_type:dir_file_class_set *;
+allow unconfineddomain node_type:node *;
+allow unconfineddomain node_type:{ tcp_socket udp_socket } node_bind;
+allow unconfineddomain netif_type:netif *;
+allow unconfineddomain port_type:socket_class_set name_bind;
+allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
+allow unconfineddomain domain:peer recv;
+allow unconfineddomain domain:binder { call transfer receive };
diff --git a/users b/users
new file mode 100644
index 000000000..51b7b57e6
--- /dev/null
+++ b/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/vold.te b/vold.te
new file mode 100644
index 000000000..85a58f99d
--- /dev/null
+++ b/vold.te
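Review bot: unconfined.te has no header comment, unlike every other .te file in this commit, and its rules are the most consequential ones: `allow unconfineddomain domain:process *;` and `allow unconfineddomain domain:fd *;` give any domain carrying the attribute every process-class permission over every other domain (ptrace and dyntransition included), and the fs_type/dev_type/file_type lines grant `*` on every file class. Propose opening the file with `# Rules for the unconfineddomain attribute set by unconfined_domain() in te_macros. Domains carrying it are effectively exempt from this policy; keep their number minimal.` In this chunk the only visible user of the attribute is su.te.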
@@ -0,0 +1,56 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+init_daemon_domain(vold)
+typeattribute vold mlstrustedsubject;
+allow vold system_file:file x_file_perms;
+allow vold block_device:dir create_dir_perms;
+allow vold block_device:blk_file create_file_perms;
+allow vold block_device:lnk_file read;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard:dir mounton;
+allow vold sdcard:filesystem { mount remount unmount };
+allow vold sdcard:dir create_dir_perms;
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:netlink_kobject_uevent_socket *;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_device:blk_file rw_file_perms;
+allow vold dm_device:chr_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Set property.
+unix_socket_connect(vold, property, init)
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Request AES module.
+allow vold kernel:system module_request;
+
+# Write to /proc/sysrq-trigger
+# XXX Label with a distinct type?
+allow vold proc:file write;
+
+# Create and mount on /data/tmp_mnt.
+allow vold system_data_file:dir { write create add_name mounton };
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
new file mode 100644
index 000000000..8860ef9dd
--- /dev/null
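Review bot: `allow vold app_data_file:dir search;` and `allow vold app_data_file:file rw_file_perms;` give the volume manager read/write access to every app's private data files, and with dac_override in the `self:capability` rule just above them DAC ownership will not limit that either; these are the broadest grants in the first half of the hunk and the only ones there without a comment, while the encrypted-fs block below documents each rule. Propose `# XXX Which vold operation needs rw on app private data? Document it or move the files it touches to a dedicated type.` above the two lines. The `typeattribute vold mlstrustedsubject;` line would likewise benefit from a one-line reason, as surfaceflinger.te and zygote.te leave it uncommented too.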
+++ b/wpa_supplicant.te
@@ -0,0 +1,16 @@
+# wpa - wpa supplicant or equivalent
+type wpa, domain;
+type wpa_exec, exec_type, file_type;
+
+init_daemon_domain(wpa)
+allow wpa kernel:system module_request;
+allow wpa self:capability { setuid net_admin setgid net_raw };
+allow wpa cgroup:dir create_dir_perms;
+allow wpa self:netlink_route_socket *;
+allow wpa self:netlink_socket *;
+allow wpa self:packet_socket *;
+allow wpa self:udp_socket *;
+allow wpa wifi_data_file:dir create_dir_perms;
+allow wpa wifi_data_file:file create_file_perms;
+unix_socket_send(wpa, system_wpa, system)
+allow wpa random_device:chr_file r_file_perms;
diff --git a/zygote.te b/zygote.te
new file mode 100644
index 000000000..0601707db
--- /dev/null
+++ b/zygote.te
@@ -0,0 +1,31 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
+
+init_daemon_domain(zygote)
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid };
+# Switch SELinux context to app domains.
+allow zygote system:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Move children into the peer process group.
+allow zygote system:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir rw_dir_perms;
+allow zygote system_data_file:file create_file_perms;
+allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+# Execute dexopt.
+allow zygote system_file:file x_file_perms;
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+# Read /seapp_contexts, presently on the rootfs.
+allow zygote rootfs:file r_file_perms;
+
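Review bot: `allow zygote system:process dyntransition;` and `allow zygote appdomain:process dyntransition;` are only half of what a dynamic context switch requires: the kernel also checks setcurrent on the caller's own process class, and the zygote.te hunk has no `allow zygote self:process setcurrent;`. If domain.te (not in this chunk) grants that to every domain, a comment next to these two lines saying so would keep the dependency visible; otherwise the rule is missing and the transition will be denied. The `# Control cgroups.` comment over `allow zygote self:capability sys_admin;` could also note that sys_admin is far broader than cgroup control, so it is revisited once a narrower mechanism exists.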