From 2dd4e51d5c2a2dfc0bfdee9303269f5a665f6e35 Mon Sep 17 00:00:00 2001 
From: Stephen Smalley Date: Wed, 4 Jan 2012 12:33:27 -0500 Subject: [PATCH] SE Android policy. --- Android.mk | 34 ++ access_vectors | 882 ++++++++++++++++++++++++++++++++++++++++++++ adbd.te | 29 ++ app.te | 107 ++++++ attributes | 57 +++ bluetooth.te | 4 + bluetoothd.te | 10 + cts.te | 42 +++ dbusd.te | 8 + debuggerd.te | 14 + device.te | 38 ++ domain.te | 96 +++++ drmserver.te | 10 + file.te | 75 ++++ file_contexts | 129 +++++++ global_macros | 40 ++ gpsd.te | 14 + init.te | 5 + initial_sids | 35 ++ installd.te | 21 ++ kernel.te | 4 + keystore.te | 7 + mediaserver.te | 26 ++ mls | 112 ++++++ mls_macros | 54 +++ net.te | 18 + netd.te | 30 ++ nfc.te | 10 + ocontexts | 65 ++++ policy_capabilities | 5 + qemud.te | 6 + radio.te | 17 + rild.te | 21 ++ roles | 1 + seapp_contexts | 37 ++ security_classes | 137 +++++++ servicemanager.te | 14 + shell.te | 30 ++ su.te | 6 + surfaceflinger.te | 24 ++ system.te | 134 +++++++ te_macros | 207 +++++++++++ ueventd.te | 19 + unconfined.te | 23 ++ users | 1 + vold.te | 56 +++ wpa_supplicant.te | 16 + zygote.te | 31 ++ 48 files changed, 2761 insertions(+) create mode 100644 Android.mk create mode 100644 access_vectors create mode 100644 adbd.te create mode 100644 app.te create mode 100644 attributes create mode 100644 bluetooth.te create mode 100644 bluetoothd.te create mode 100644 cts.te create mode 100644 dbusd.te create mode 100644 debuggerd.te create mode 100644 device.te create mode 100644 domain.te create mode 100644 drmserver.te create mode 100644 file.te create mode 100644 file_contexts create mode 100644 global_macros create mode 100644 gpsd.te create mode 100644 init.te create mode 100644 initial_sids create mode 100644 installd.te create mode 100644 kernel.te create mode 100644 keystore.te create mode 100644 mediaserver.te create mode 100644 mls create mode 100644 mls_macros create mode 100644 net.te create mode 100644 netd.te create mode 100644 nfc.te create mode 100644 ocontexts create mode 100644 policy_capabilities 
create mode 100644 qemud.te create mode 100644 radio.te create mode 100644 rild.te create mode 100644 roles create mode 100644 seapp_contexts create mode 100644 security_classes create mode 100644 servicemanager.te create mode 100644 shell.te create mode 100644 su.te create mode 100644 surfaceflinger.te create mode 100644 system.te create mode 100644 te_macros create mode 100644 ueventd.te create mode 100644 unconfined.te create mode 100644 users create mode 100644 vold.te create mode 100644 wpa_supplicant.te create mode 100644 zygote.te
diff --git a/Android.mk b/Android.mk
new file mode 100644
index 000000000..8b92edaf9
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,34 @@
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+# SELinux policy version.
+# Must be <= /selinux/policyvers reported by the Android kernel.
+# Must be within the compatibility range reported by checkpolicy -V.
+POLICYVERS := 24
+
+MLS_SENS=1
+MLS_CATS=1024
+
+file := $(TARGET_ROOT_OUT)/policy.$(POLICYVERS)
+$(file) : $(LOCAL_PATH)/policy.$(POLICYVERS) | $(ACP)
+ $(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+$(LOCAL_PATH)/policy.$(POLICYVERS): $(LOCAL_PATH)/policy.conf
+ checkpolicy -M -c $(POLICYVERS) -o $@ $<
+
+$(LOCAL_PATH)/policy.conf: $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts))
+ m4 -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -s $^ > $@
+
+file := $(TARGET_ROOT_OUT)/file_contexts
+$(file) : $(LOCAL_PATH)/file_contexts | $(ACP)
+ $(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
+
+file := $(TARGET_ROOT_OUT)/seapp_contexts
+$(file) : $(LOCAL_PATH)/seapp_contexts | $(ACP)
+ $(transform-prebuilt-to-target)
+ALL_PREBUILT += $(file)
+$(INSTALLED_RAMDISK_TARGET): $(file)
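Review bot: The policy.conf recipe redirects m4 straight into `$@`, so a failing or interrupted m4 run leaves a truncated policy.conf that is newer than its inputs and is fed to checkpolicy on the next build; write to a temporary and rename, `m4 -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -s $^ > $@.tmp && mv -f $@.tmp $@`, and the checkpolicy line would benefit from the same treatment. The `*.te` glob in the wildcard means the order in which the type-enforcement files are concatenated may depend on directory listing order; if any .te file relies on declarations from another, sort the list explicitly so the build is reproducible. checkpolicy and m4 are invoked by bare name from PATH rather than declared as prerequisites, which presumably is deliberate for this build system but ties the result to the host environment; a comment stating the expected checkpolicy version next to `POLICYVERS := 24` would help.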
diff --git a/access_vectors b/access_vectors
new file mode 100644
index 000000000..90927e7e0
--- /dev/null
+++ b/access_vectors
@@ -0,0 +1,882 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ unlink
+ link
+ rename
+ execute
+ swapon
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ recv_msg
+ send_msg
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
+# Define a common prefix for pointer and keyboard access vectors.
+#
+
+common x_device
+{
+ getattr
+ setattr
+ use
+ read
+ write
+ getfocus
+ setfocus
+ bell
+ force_cursor
+ freeze
+ grab
+ manage
+ list_property
+ get_property
+ set_property
+ add
+ remove
+ create
+ destroy
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ transition
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ enforce_dest
+ dccp_recv
+ dccp_send
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ tcp_recv
+ tcp_send
+ udp_recv
+ udp_send
+ rawip_recv
+ rawip_send
+ dccp_recv
+ dccp_send
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+ newconn
+ acceptfrom
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+}
+
+#
+# Define the access vector interpretation for controling capabilies
+#
+
+class capability
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the capability2 class.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+class capability2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+}
+
+#
+# Define the access vector interpretation for controlling
+# changes to passwd information.
+#
+class passwd
+{
+ passwd # change another user passwd
+ chfn # change another user finger info
+ chsh # change another user shell
+ rootok # pam_rootok check (skip auth)
+ crontab # crontab on another user
+}
+
+#
+# SE-X Windows stuff
+#
+class x_drawable
+{
+ create
+ destroy
+ read
+ write
+ blend
+ getattr
+ setattr
+ list_child
+ add_child
+ remove_child
+ list_property
+ get_property
+ set_property
+ manage
+ override
+ show
+ hide
+ send
+ receive
+}
+
+class x_screen
+{
+ getattr
+ setattr
+ hide_cursor
+ show_cursor
+ saver_getattr
+ saver_setattr
+ saver_hide
+ saver_show
+}
+
+class x_gc
+{
+ create
+ destroy
+ getattr
+ setattr
+ use
+}
+
+class x_font
+{
+ create
+ destroy
+ getattr
+ add_glyph
+ remove_glyph
+ use
+}
+
+class x_colormap
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ add_color
+ remove_color
+ install
+ uninstall
+ use
+}
+
+class x_property
+{
+ create
+ destroy
+ read
+ write
+ append
+ getattr
+ setattr
+}
+
+class x_selection
+{
+ read
+ write
+ getattr
+ setattr
+}
+
+class x_cursor
+{
+ create
+ destroy
+ read
+ write
+ getattr
+ setattr
+ use
+}
+
+class x_client
+{
+ destroy
+ getattr
+ setattr
+ manage
+}
+
+class x_device
+inherits x_device
+
+class x_server
+{
+ getattr
+ setattr
+ record
+ debug
+ grab
+ manage
+}
+
+class x_extension
+{
+ query
+ use
+}
+
+class x_resource
+{
+ read
+ write
+}
+
+class x_event
+{
+ send
+ receive
+}
+
+class x_synthetic_event
+{
+ send
+ receive
+}
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_firewall_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_ip6fw_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access and communication through the D-BUS messaging
+# system.
+#
+class dbus
+{
+ acquire_svc
+ send_msg
+}
+
+# Define the access vector interpretation for controlling
+# access through the name service cache daemon (nscd).
+#
+class nscd
+{
+ getpwd
+ getgrp
+ gethost
+ getstat
+ admin
+ shmempwd
+ shmemgrp
+ shmemhost
+ getserv
+ shmemserv
+}
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class context
+{
+ translate
+ contains
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param # deprecated
+ set_param # deprecated
+}
+
+class db_table
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+ install
+}
+
+class db_column
+inherits database
+{
+ use # deprecated
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use # deprecated
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class x_application_data
+{
+ paste
+ paste_after_confirm
+ copy
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+
+class x_pointer
+inherits x_device
+
+class x_keyboard
+inherits x_device
+
+class db_schema
+inherits database
+{
+ search
+ add_name
+ remove_name
+}
+
+class db_view
+inherits database
+{
+ expand
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ next_value
+ set_value
+}
+
+class db_language
+inherits database
+{
+ implement
+ execute
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+ receive
+}
+
+class zygote
+{
+ specifyids
+ specifyrlimits
+ specifycapabilities
+ specifyinvokewith
+ specifyseinfo
+}
diff --git a/adbd.te b/adbd.te
new file mode 100644
index 000000000..3a0aa3b01
--- /dev/null
+++ b/adbd.te
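Review bot: The `binder` and `zygote` classes at the end of the hunk are the only ones with no introductory comment, and they appear to be the Android-specific additions to an otherwise upstream-derived access_vectors; a header such as `# Android-specific classes (not in upstream SELinux policy); keep in sync with security_classes and with the binder and zygote permission checks.` would stop them being lost in a future resync with upstream and tell a reader which component enforces them. The `capability` class comment already warns that permission order must match the kernel's capability numbering; a similar note at the top of the file that class order here must match security_classes (in this commit, outside this excerpt) would make the same constraint visible for the file as a whole.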
@@ -0,0 +1,29 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain, mlstrustedsubject;
+allow adbd adb_device:chr_file rw_file_perms;
+allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };
+allow adbd rootfs:file entrypoint;
+allow adbd init:process sigchld;
+allow adbd self:tcp_socket *;
+allow adbd self:unix_stream_socket *;
+allow adbd node:tcp_socket node_bind;
+allow adbd port:tcp_socket name_bind;
+allow adbd devpts:chr_file rw_file_perms;
+allow adbd cgroup:dir { write add_name create };
+allow adbd labeledfs:filesystem remount;
+allow adbd shell_data_file:dir rw_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file r_file_perms;
+allow adbd log_device:chr_file r_file_perms;
+# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
+allow adbd system_file:file rx_file_perms;
+unix_socket_connect(adbd, vold, vold)
+# Talk to init via the property socket.
+unix_socket_connect(adbd, property, init)
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
diff --git a/app.te b/app.te
new file mode 100644
index 000000000..b2bd81750
--- /dev/null
+++ b/app.te
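Review bot: The capability grant on the fifth line (`dac_override`, `sys_admin`, `sys_boot`, ...) and the `labeledfs:filesystem remount` rule carry no explanation, while the two `XXX` comments show the author already regards parts of this domain as broader than it should be; a per-capability why-comment, e.g. `# sys_boot: reboot requested over adb; sys_admin: remount of /system — confirm`, would make each grant reviewable and droppable once vdc/screencap move to their own domains. `self:tcp_socket *` and `self:unix_stream_socket *` grant every permission on those classes, including ones the daemon does not use; the rest of the file lists permissions explicitly, and these two lines would be consistent if they did too. The `unix_socket_connect(adbd, vold, vold)` rule next to the vdc comment is the path that most deserves a note on why adbd needs a direct channel to vold.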
@@ -0,0 +1,107 @@
+#
+# Domains for apps that do not run with one of the predefined
+# platform UIDs (system, radio, nfc, ...).
+#
+
+#
+# Trusted apps.
+#
+type trusted_app, domain;
+app_domain(trusted_app)
+# Access the network.
+net_domain(trusted_app)
+# Access bluetooth.
+bluetooth_domain(trusted_app)
+# Read logs.
+allow trusted_app log_device:chr_file read;
+# Write to /cache.
+allow trusted_app cache_file:dir rw_dir_perms;
+allow trusted_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow trusted_app shell_data_file:dir search;
+allow trusted_app shell_data_file:file { open getattr read };
+allow trusted_app shell_data_file:lnk_file read;
+# Access the sdcard.
+allow trusted_app sdcard:dir create_dir_perms;
+allow trusted_app sdcard:file create_file_perms;
+# Populate /data/app/vmdl*.tmp file created by system server.
+# It would be better if this was labeled differently.
+allow trusted_app apk_data_file:file write;
+# Perform binder IPC to any app domain.
+binder_call(trusted_app, appdomain)
+binder_transfer(trusted_app, appdomain)
+
+#
+# An example of a specific domain for a specific app
+# A domain for com.android.browser.
+type browser_app, domain;
+app_domain(browser_app)
+# Access the network.
+net_domain(browser_app)
+
+#
+# Untrusted apps.
+#
+type untrusted_app, domain;
+app_domain(untrusted_app)
+# Boolean-controlled options for untrusted apps.
+# Network access.
+bool app_network true;
+if (app_network) {
+# Cannot use net_domain within a conditional - type attribute.
+allow untrusted_app self:{ tcp_socket udp_socket } *;
+allow untrusted_app port_type:tcp_socket name_connect;
+allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
+allow untrusted_app port_type:udp_socket name_bind;
+allow untrusted_app port_type:tcp_socket name_bind;
+unix_socket_connect(untrusted_app, dnsproxyd, netd)
+}
+# Bluetooth access.
+bool app_bluetooth false;
+if (app_bluetooth) {
+# No specific SELinux class for bluetooth sockets presently.
+allow untrusted_app self:socket *;
+}
+# SDCard rw access.
+bool app_sdcard_rw true;
+if (app_sdcard_rw) {
+allow untrusted_app sdcard:dir create_dir_perms;
+allow untrusted_app sdcard:file create_file_perms;
+}
+# Native app support.
+bool app_ndk false;
+if (app_ndk) {
+allow untrusted_app app_data_file:file execute;
+}
+
+#
+# Rules for all app domains.
+#
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Communicate over a FIFO to system processes.
+allow appdomain system:fifo_file rw_file_perms;
+
+# App sandbox file accesses.
+allow appdomain app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+
+# lib subdirectory of /data/data dir is system-owned.
+allow appdomain system_data_file:dir r_dir_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+binder_transfer(appdomain, binderservicedomain)
+# Perform binder IPC to apps in the trusted_app domain.
+binder_call(appdomain, trusted_app)
+binder_transfer(appdomain, trusted_app)
diff --git a/attributes b/attributes
new file mode 100644
index 000000000..f2ea0c53a
--- /dev/null
+++ b/attributes
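Review bot: The `if (app_network)` block hand-copies the rules that `net_domain()` would give, as its first comment admits, so it will drift silently from net.te when that macro changes; add `# Keep in sync with net_domain() (net.te / te_macros).` above it, and the same applies to the `app_bluetooth` block, which repeats the `self:socket *` rule from bluetooth.te. The `app_ndk` boolean grants `app_data_file:file execute`, i.e. execution of files the app can itself write into its sandbox, and the one-word comment `# Native app support.` does not say that this is the trade-off being toggled; spell it out so the boolean is not flipped on casually. The `allow trusted_app apk_data_file:file write;` rule is already described as a labeling workaround; turning that comment into a TODO naming the intended label would help it get removed.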
@@ -0,0 +1,57 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+attribute fs_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# Domains that are allowed all permissions ("unconfined").
+attribute unconfineddomain;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
diff --git a/bluetooth.te b/bluetooth.te
new file mode 100644
index 000000000..f43543c1f
--- /dev/null
+++ b/bluetooth.te
@@ -0,0 +1,4 @@
+# Domains that can create and use bluetooth sockets.
+# SELinux does not presently define a specific socket class for
+# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
+allow bluetoothdomain self:socket *;
diff --git a/bluetoothd.te b/bluetoothd.te
new file mode 100644
index 000000000..640a1da2e
--- /dev/null
+++ b/bluetoothd.te
@@ -0,0 +1,10 @@
+# bluetoothd - bluetooth daemon
+type bluetoothd, domain;
+type bluetoothd_exec, exec_type, file_type;
+
+init_daemon_domain(bluetoothd)
+allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
+allow bluetoothd self:socket *;
+allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
+allow bluetoothd bluetoothd_data_file:file create_file_perms;
+unix_socket_connect(bluetoothd, dbus, dbusd)
diff --git a/cts.te b/cts.te
new file mode 100644
index 000000000..3600e944a
--- /dev/null
+++ b/cts.te
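Review bot: `allow bluetoothd self:socket *;` on the seventh line restates the rule that bluetooth.te already attaches to `bluetoothdomain`, and app.te reaches the same effect through `bluetooth_domain(trusted_app)`; using `bluetooth_domain(bluetoothd)` here keeps the generic-socket grant in one place, so that when a bluetooth socket class exists the change is made once. Presumably that macro only adds the attribute; it is defined outside this excerpt.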
@@ -0,0 +1,42 @@
+#
+# Rules to allow the Android CTS to run.
+# Do not enable in production policy.
+#
+
+bool android_cts false;
+if (android_cts) {
+# Reads /proc/pid entries to check that no unexpected root
+# processes are running.
+allow appdomain domain:dir r_dir_perms;
+allow appdomain domain:{ file lnk_file } r_file_perms;
+
+# Will still fail when trying to read other app /proc/pid
+# entries due to MLS constraints. Just silence the denials.
+dontaudit appdomain appdomain:dir r_dir_perms;
+dontaudit appdomain appdomain:file r_file_perms;
+
+# Walk the file tree, stat any file.
+allow appdomain file_type:dir r_dir_perms;
+allow appdomain fs_type:dir r_dir_perms;
+allow appdomain dev_type:dir r_dir_perms;
+allow appdomain file_type:dir_file_class_set getattr;
+allow appdomain dev_type:dir_file_class_set getattr;
+allow appdomain fs_type:dir_file_class_set getattr;
+
+# Execute the shell or other system executables.
+allow appdomain shell_exec:file rx_file_perms;
+allow appdomain system_file:file rx_file_perms;
+
+# Read routing information.
+allow netdomain self:netlink_route_socket { create read write nlmsg_read };
+
+# Tries to open /dev/alarm for writing but expects failure.
+dontaudit appdomain alarm_device:chr_file write;
+
+# Tries to create and use a netlink kobject uevent socket
+# to test for a vulnerable vold.
+dontaudit appdomain self:netlink_kobject_uevent_socket create;
+
+# Tries to override DAC restrictions but expects to fail.
+dontaudit shell self:capability dac_override;
+}
diff --git a/dbusd.te b/dbusd.te
new file mode 100644
index 000000000..6ffc836ef
--- /dev/null
+++ b/dbusd.te
@@ -0,0 +1,8 @@
+# dbus daemon
+type dbusd, domain;
+type dbusd_exec, exec_type, file_type;
+
+init_daemon_domain(dbusd)
+# Reads /proc/pid/cmdline of clients
+r_dir_file(dbusd, system)
+r_dir_file(dbusd, bluetoothd)
diff --git a/debuggerd.te b/debuggerd.te
new file mode 100644
index 000000000..f808ea9b9
--- /dev/null
+++ b/debuggerd.te
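Review bot: The header says `Do not enable in production policy`, but because the rules are gated on `bool android_cts` rather than excluded at build time they are compiled into every policy and can be switched on at run time by whichever domain holds `security:setbool`, which the comment does not make clear. If production images should never carry these rules (they let every app domain walk the whole file tree and execute system binaries), drop cts.te from the file list in Android.mk for production builds or wrap it in an m4 conditional, since the policy is assembled by m4 there anyway, and keep the boolean only for CTS builds. At minimum reword the header to `# Compiled in but off by default; production builds should omit this file entirely.` so the two meanings are not conflated.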
@@ -0,0 +1,14 @@
+# debugger interface
+type debuggerd, domain;
+type debuggerd_exec, exec_type, file_type;
+
+init_daemon_domain(debuggerd)
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill };
+allow debuggerd domain:dir r_dir_perms;
+allow debuggerd domain:file r_file_perms;
+allow debuggerd domain:process ptrace;
+allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:file create_file_perms;
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file r_file_perms;
diff --git a/device.te b/device.te
new file mode 100644
index 000000000..1b9df4f54
--- /dev/null
+++ b/device.te
@@ -0,0 +1,38 @@
+# Device types
+type device, dev_type, fs_type;
+type akm_device, dev_type;
+type accelerometer_device, dev_type;
+type alarm_device, dev_type, mlstrustedobject;
+type adb_device, dev_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type loop_device, dev_type;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type full_device, dev_type;
+type graphics_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type log_device, dev_type, mlstrustedobject;
+type mtd_device, dev_type;
+type nfc_device, dev_type;
+type nv_device, dev_type, mlstrustedobject;
+type powervr_device, dev_type, mlstrustedobject;
+type ptmx_device, dev_type, mlstrustedobject;
+type qemu_device, dev_type;
+type kmsg_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type urandom_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type;
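Review bot: `allow debuggerd domain:process ptrace;` together with `sys_ptrace` and `dac_override` lets this daemon attach to every process on the device, which is its job, but none of the rules in the hunk say so; a short header such as `# debuggerd attaches to any crashing process (ptrace over all of domain) and writes tombstones; it is therefore fully trusted.` would tell a reader why this domain is deliberately broad and why it is marked mlstrustedsubject. The `{ sigstop signal }` and `ptrace` grants on `domain` are split across non-adjacent lines; grouping them makes the scope of the privilege easier to see.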
diff --git a/domain.te b/domain.te
new file mode 100644
index 000000000..55c9ecd4c
--- /dev/null
+++ b/domain.te
@@ -0,0 +1,96 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# binder adjusts the nice value during IPC.
+allow domain self:capability sys_nice;
+
+# Intra-domain accesses.
+allow domain self:process ~{ execstack execheap };
+allow domain self:fd use;
+allow domain self:dir r_dir_perms;
+allow domain self:lnk_file r_file_perms;
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+allow domain system:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+allow domain adbd:unix_stream_socket connectto;
+allow domain adbd:fd use;
+allow domain adbd:unix_stream_socket { getattr read write shutdown };
+
+# Talk to debuggerd.
+allow domain debuggerd:process sigchld;
+allow domain debuggerd:unix_stream_socket connectto;
+
+# Root fs.
+allow domain rootfs:dir r_dir_perms;
+allow domain rootfs:lnk_file read;
+
+# Device accesses.
+allow domain device:dir search;
+allow domain devpts:dir search;
+allow domain device:file read;
+allow domain socket_device:dir search;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file r_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+allow domain binder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain powervr_device:chr_file rw_file_perms;
+allow domain log_device:dir search;
+allow domain log_device:chr_file w_file_perms;
+allow domain nv_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file r_file_perms;
+
+# Filesystem accesses.
+allow domain fs_type:filesystem getattr;
+
+# System file accesses.
+allow domain system_file:dir r_dir_perms;
+allow domain system_file:file r_file_perms;
+allow domain system_file:file execute;
+allow domain system_file:lnk_file read;
+
+# Read files already opened under /data.
+allow domain system_data_file:dir { search getattr };
+allow domain system_data_file:file { getattr read };
+allow domain system_data_file:lnk_file read;
+
+# Read apk files under /data/app.
+allow domain apk_data_file:dir search;
+allow domain apk_data_file:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain dalvikcache_data_file:dir { search getattr };
+allow domain dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain cache_file:dir r_dir_perms;
+allow domain cache_file:file { getattr read };
+allow domain cache_file:lnk_file read;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir search;
+allow domain cgroup:file w_file_perms;
+
+# For /sys/qemu_trace files in the emulator.
+bool in_qemu false;
+if (in_qemu) {
+allow domain sysfs:file rw_file_perms;
+}
+allow domain sysfs_writable:file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain, proc)
+r_dir_file(domain, sysfs)
+r_dir_file(domain, inotify)
+r_dir_file(domain, cgroup)
+
+# Ignore /sys/kernel/debug
+dontaudit domain debugfs:dir search;
diff --git a/drmserver.te b/drmserver.te
new file mode 100644
index 000000000..5b46ea88c
--- /dev/null
+++ b/drmserver.te
@@ -0,0 +1,10 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+init_daemon_domain(drmserver)
+typeattribute drmserver mlstrustedsubject;
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system)
diff --git a/file.te b/file.te
new file mode 100644
index 000000000..11c3ef649
--- /dev/null
+++ b/file.te
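Review bot: `allow domain powervr_device:chr_file rw_file_perms;` and `allow domain nv_device:chr_file rw_file_perms;` in the "Device accesses" group give every domain on the system read/write on two vendor GPU device nodes, alongside genuinely universal nodes such as /dev/null and /dev/binder; device-specific GPU access belongs in the domains that actually render or in a per-device policy, and if it has to stay here each line needs a comment naming the hardware and the reason (e.g. `# powervr/nv: GPU nodes used by any process that draws — TODO restrict`). The `bool in_qemu` block has the same shape: when set it opens all of `sysfs:file` for rw to all domains for the sake of /sys/qemu_trace, whereas a dedicated sysfs_type for that path, like the `sysfs_writable` type used on the next line, would keep the grant narrow. Both points apply to the whole all-domains file rather than one hunk; drmserver.te in the same line raises nothing new.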
@@ -0,0 +1,75 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+type selinuxfs, fs_type;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, mlstrustedobject;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type sdcard, fs_type, mlstrustedobject;
+type debugfs, fs_type, mlstrustedobject;
+
+# File types
+type unlabeled, file_type;
+# Default type for anything under /system.
+type system_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type;
+# /data/gps
+type gps_data_file, file_type, data_file_type;
+# /data/misc subdirectories
+type bluetoothd_data_file, file_type, data_file_type;
+type bluetooth_data_file, file_type, data_file_type;
+type keystore_data_file, file_type, data_file_type;
+type vpn_data_file, file_type, data_file_type;
+type systemkeys_data_file, file_type, data_file_type;
+type wifi_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type;
+type nfc_data_file, file_type, data_file_type;
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type;
+# Default type for anything under /cache
+type cache_file, file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+
+# Socket types
+type bluetooth_socket, file_type;
+type dbus_socket, file_type;
+type dnsproxyd_socket, file_type, mlstrustedobject;
+type gps_socket, file_type;
+type installd_socket, file_type;
+type keystore_socket, file_type;
+type netd_socket, file_type;
+type property_socket, file_type;
+type qemud_socket, file_type;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type;
+type vold_socket, file_type;
+type wpa_socket, file_type;
+type zygote_socket, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
diff --git a/file_contexts b/file_contexts
new file mode 100644
index 000000000..332017d70
--- /dev/null
+++ b/file_contexts
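Review bot: `type unlabeled, file_type;` is the only file type in the hunk with no comment, and it is the one whose meaning matters most for incident triage, since it is what files end up with when labeling was missed; a line such as `# Files with no label (e.g. created before policy load or on an unlabeled fs); any access to this type is worth auditing.` would make that explicit. The `# /data/misc subdirectories` group of eight types and the fifteen socket types are declared without noting which daemon owns each; the other data types carry a one-line owner comment, and matching that style here (e.g. `# /dev/socket/dnsproxyd, served by netd`) would make the file consistent and let a reviewer check file_contexts against it.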
@@ -0,0 +1,129 @@ +########################################### +# Root +# +# Nothing required since it is initramfs and implicitly labeled +# by genfscon rootfs in ocontexts. +# +########################## +# Devices +# +/dev(/.*)? u:object_r:device:s0 +/dev/akm8973.* u:object_r:akm_device:s0 +/dev/accelerometer u:object_r:accelerometer_device:s0 +/dev/alarm u:object_r:alarm_device:s0 +/dev/android_adb.* u:object_r:adb_device:s0 +/dev/ashmem u:object_r:ashmem_device:s0 +/dev/audio.* u:object_r:audio_device:s0 +/dev/binder u:object_r:binder_device:s0 +/dev/block(/.*)? u:object_r:block_device:s0 +/dev/block/loop[0-9]* u:object_r:loop_device:s0 +/dev/block/ram[0-9]* u:object_r:ram_device:s0 +/dev/block/mtdblock5 u:object_r:radio_device:s0 +/dev/cam u:object_r:camera_device:s0 +/dev/console u:object_r:console_device:s0 +/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 +/dev/device-mapper u:object_r:dm_device:s0 +/dev/full u:object_r:full_device:s0 +/dev/graphics(/.*)? u:object_r:graphics_device:s0 +/dev/input(/.*) u:object_r:input_device:s0 +/dev/kmem u:object_r:kmem_device:s0 +/dev/log(/.*)? u:object_r:log_device:s0 +/dev/mem u:object_r:kmem_device:s0 +/dev/modem.* u:object_r:radio_device:s0 +/dev/mtd(/.*)? u:object_r:mtd_device:s0 +/dev/mtd/mtd5 u:object_r:radio_device:s0 +/dev/mtd/mtd5ro u:object_r:radio_device:s0 +/dev/pn544 u:object_r:nfc_device:s0 +/dev/ptmx u:object_r:ptmx_device:s0 +/dev/pvrsrvkm u:object_r:powervr_device:s0 +/dev/qemu_.* u:object_r:qemu_device:s0 +/dev/kmsg u:object_r:kmsg_device:s0 +/dev/null u:object_r:null_device:s0 +/dev/nvhdcp1 u:object_r:video_device:s0 +/dev/nvmap u:object_r:nv_device:s0 +/dev/nvhost-.* u:object_r:nv_device:s0 +/dev/random u:object_r:random_device:s0 +/dev/s3c-jpg u:object_r:camera_device:s0 +/dev/s3c-mem u:object_r:camera_device:s0 +/dev/s3c-mfc u:object_r:graphics_device:s0 +/dev/snd(/.*)? 
u:object_r:audio_device:s0 +/dev/socket u:object_r:socket_device:s0 +/dev/socket/bluetooth u:object_r:bluetooth_socket:s0 +/dev/socket/dbus_bluetooth u:object_r:bluetooth_socket:s0 +/dev/socket/dbus u:object_r:dbus_socket:s0 +/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0 +/dev/socket/installd u:object_r:installd_socket:s0 +/dev/socket/keystore u:object_r:keystore_socket:s0 +/dev/socket/netd u:object_r:netd_socket:s0 +/dev/socket/property_service u:object_r:property_socket:s0 +/dev/socket/qemud u:object_r:qemud_socket:s0 +/dev/socket/rild u:object_r:rild_socket:s0 +/dev/socket/rild-debug u:object_r:rild_debug_socket:s0 +/dev/socket/vold u:object_r:vold_socket:s0 +/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0 +/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0 +/dev/socket/zygote u:object_r:zygote_socket:s0 +/dev/spdif_out.* u:object_r:audio_device:s0 +/dev/tegra.* u:object_r:video_device:s0 +/dev/tty[0-9]* u:object_r:tty_device:s0 +/dev/ttyS[0-9]* u:object_r:serial_device:s0 +/dev/uinput u:object_r:input_device:s0 +/dev/urandom u:object_r:urandom_device:s0 +/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0 +/dev/video[0-9]* u:object_r:video_device:s0 +/dev/zero u:object_r:zero_device:s0 +############################# +# System files +# +/system(/.*)? 
u:object_r:system_file:s0 +/system/bin/ash u:object_r:shell_exec:s0 +/system/bin/mksh u:object_r:shell_exec:s0 +/system/bin/sh -- u:object_r:shell_exec:s0 +/system/bin/app_process u:object_r:zygote_exec:s0 +/system/bin/servicemanager u:object_r:servicemanager_exec:s0 +/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0 +/system/bin/drmserver u:object_r:drmserver_exec:s0 +/system/bin/vold u:object_r:vold_exec:s0 +/system/bin/netd u:object_r:netd_exec:s0 +/system/bin/rild u:object_r:rild_exec:s0 +/system/bin/mediaserver u:object_r:mediaserver_exec:s0 +/system/bin/dbus-daemon u:object_r:dbusd_exec:s0 +/system/bin/installd u:object_r:installd_exec:s0 +/system/bin/keystore u:object_r:keystore_exec:s0 +/system/bin/debuggerd u:object_r:debuggerd_exec:s0 +/system/bin/bluetoothd u:object_r:bluetoothd_exec:s0 +/system/bin/wpa_supplicant u:object_r:wpa_exec:s0 +/system/bin/qemud u:object_r:qemud_exec:s0 +/system/xbin/su u:object_r:su_exec:s0 +/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0 +############################# +# Data files +# +/data(/.*)? u:object_r:system_data_file:s0 +/data/gps(/.*)? u:object_r:gps_data_file:s0 +/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 +/data/anr(/.*)? u:object_r:anr_data_file:s0 +/data/app(/.*)? u:object_r:apk_data_file:s0 +/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 +/data/local(/.*)? u:object_r:shell_data_file:s0 +# Misc data +/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0 +/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 +/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0 +/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0 +/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0 +/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 +# App sandboxes +/data/data/.* u:object_r:app_data_file:s0 +############################# +# efs files +# +/efs(/.*)? u:object_r:efs_file:s0 +############################# +# Cache files +# +/cache(/.*)? 
u:object_r:cache_file:s0 +############################# +# sysfs files +# +/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0 diff --git a/global_macros b/global_macros new file mode 100644 index 000000000..15e09ed7e --- /dev/null +++ b/global_macros 
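Review bot: `/dev/input(/.*)` is missing the trailing `?` that every other directory entry in the Devices section has (`/dev/block(/.*)?`, `/dev/graphics(/.*)?`, `/dev/log(/.*)?`, `/dev/snd(/.*)?`), so the regex matches only entries inside the directory and `/dev/input` itself falls back to the generic `/dev(/.*)?` rule and is labeled `device` rather than `input_device`. The system.te hunk later in this patch grants `allow system input_device:dir r_dir_perms;`, which suggests the directory is expected to carry `input_device`; with the current pattern that rule never applies and listing /dev/input is checked against `device` instead. Change the line to `/dev/input(/.*)? u:object_r:input_device:s0`.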
@@ -0,0 +1,40 @@ +##################################### +# Common groupings of object classes. +# +define(`capability_class_set', `{ capability capability2 }') + +define(`dir_file_class_set', `{ dir file lnk_file sock_file fifo_file chr_file blk_file }') +define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file }') +define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') +define(`devfile_class_set', `{ chr_file blk_file }') + +define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') +define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') + +define(`ipc_class_set', `{ sem msgq shm ipc }') + +##################################### +# Common groupings of permissions. 
+# +define(`x_file_perms', `{ getattr execute execute_no_trans }') +define(`r_file_perms', `{ getattr open read ioctl lock }') +define(`w_file_perms', `{ open append write }') +define(`rx_file_perms', `{ r_file_perms x_file_perms }') +define(`ra_file_perms', `{ r_file_perms append }') +define(`rw_file_perms', `{ r_file_perms w_file_perms }') +define(`rwx_file_perms', `{ rw_file_perms x_file_perms }') +define(`link_file_perms', `{ getattr link unlink rename }') +define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }') + +define(`r_dir_perms', `{ open getattr read search ioctl }') +define(`w_dir_perms', `{ open search write add_name remove_name }') +define(`ra_dir_perms', `{ r_dir_perms add_name write }') +define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }') +define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }') + +define(`r_ipc_perms', `{ getattr read associate unix_read }') +define(`w_ipc_perms', `{ write unix_write }') +define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }') +define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }') diff --git a/gpsd.te b/gpsd.te new file mode 100644 index 000000000..bc2893d1e --- /dev/null +++ b/gpsd.te @@ -0,0 +1,14 @@ +# gpsd - GPS daemon +type gpsd, domain; +type gpsd_exec, exec_type, file_type; + +init_daemon_domain(gpsd) +net_domain(gpsd) +allow gpsd gps_data_file:dir rw_dir_perms; +allow gpsd gps_data_file:notdevfile_class_set create_file_perms; +# Socket is created by the daemon, not by init, and under /data/gps, +# not under /dev/socket. +type_transition gpsd gps_data_file:sock_file gps_socket; +allow gpsd gps_socket:sock_file create_file_perms; +# XXX Label sysfs files with a specific type? +allow gpsd sysfs:file rw_file_perms; diff --git a/init.te b/init.te new file mode 100644 index 000000000..0f9b69730 --- /dev/null +++ b/init.te 
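Review bot: `x_file_perms` bundles `execute_no_trans` together with `execute`, so every `x_file_perms` grant in this series (`allow installd system_file:file x_file_perms;` in installd.te, `allow netd system_file:file x_file_perms;` in netd.te, `allow shell system_file:file x_file_perms;` in shell.te) also permits running the file in the caller's own domain rather than only through a `domain_auto_trans` transition. That is presumably intended for Android, but nothing in the macro says so, and the consequence is invisible at each use site. A comment above the define such as `# Note: includes execute_no_trans, so the caller may run the file in its own domain.` would make the breadth of the grant clear to whoever next reaches for `x_file_perms`.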
@@ -0,0 +1,5 @@
+# init switches to init domain (via init.rc).
+type init, domain;
+# init is unconfined.
+unconfined_domain(init)
+tmpfs_domain(init)
diff --git a/initial_sids b/initial_sids
new file mode 100644
index 000000000..91ac816ba
--- /dev/null
+++ b/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/installd.te b/installd.te
new file mode 100644
index 000000000..e4b0b1828
--- /dev/null
+++ b/installd.te
@@ -0,0 +1,21 @@
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+
+init_daemon_domain(installd)
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
+allow installd system_data_file:file create_file_perms;
+allow installd system_data_file:lnk_file create;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd data_file_type:dir create_dir_perms;
+allow installd data_file_type:dir { relabelfrom relabelto };
+allow installd data_file_type:file { getattr unlink };
+allow installd apk_data_file:file r_file_perms;
+allow installd system_file:file x_file_perms;
+allow installd cgroup:dir create_dir_perms;
+dontaudit installd self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+# Read /seapp_contexts, presently on the rootfs.
+allow installd rootfs:file r_file_perms;
diff --git a/kernel.te b/kernel.te
new file mode 100644
index 000000000..66c7b13f9
--- /dev/null
+++ b/kernel.te
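Review bot: `typeattribute installd mlstrustedsubject;` has no comment, yet according to the mls hunk that attribute removes installd from every `mlsconstrain` rule (process, socket, file and IPC), which makes it the most consequential line in the file; the same unexplained grant appears in mediaserver.te, netd.te and surfaceflinger.te, and inline in `type system, domain, mlstrustedsubject;` in system.te. A one-line justification at each site, e.g. `# mlstrustedsubject: creates app data directories at every per-app level`, would let the exemption be audited against the `levelFromUid=true` entries in seapp_contexts. Relatedly, `allow installd data_file_type:dir { relabelfrom relabelto };` reaches every data type, including `keystore_data_file` and `wifi_data_file`; if installd only relabels app sandboxes, narrowing `relabelto` to `app_data_file` (plus `system_data_file` if required) limits what a compromised installd could relabel.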
@@ -0,0 +1,4 @@
+# Life begins with the kernel.
+type kernel, domain;
+# The kernel is unconfined.
+unconfined_domain(kernel)
diff --git a/keystore.te b/keystore.te
new file mode 100644
index 000000000..43c913a85
--- /dev/null
+++ b/keystore.te
@@ -0,0 +1,7 @@
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+init_daemon_domain(keystore)
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
diff --git a/mediaserver.te b/mediaserver.te
new file mode 100644
index 000000000..16bbefa21
--- /dev/null
+++ b/mediaserver.te
@@ -0,0 +1,26 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, exec_type, file_type;
+
+init_daemon_domain(mediaserver)
+net_domain(mediaserver)
+typeattribute mediaserver mlstrustedsubject;
+allow mediaserver kernel:system module_request;
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file { read getattr };
+r_dir_file(mediaserver, sdcard)
+allow mediaserver sdcard:file write;
+allow mediaserver camera_device:chr_file rw_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+allow mediaserver audio_device:dir r_dir_perms;
+allow mediaserver audio_device:chr_file rw_file_perms;
+allow mediaserver qemu_device:chr_file rw_file_perms;
+# XXX Label with a specific type?
+allow mediaserver sysfs:file rw_file_perms;
+# XXX Why?
+allow mediaserver apk_data_file:file { read getattr };
diff --git a/mls b/mls
new file mode 100644
index 000000000..9bb40680c
--- /dev/null
+++ b/mls
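Review bot: The `# keystore daemon` header in keystore.te sits between the type declarations and `init_daemon_domain(keystore)`, whereas every other daemon file in this series (gpsd.te, mediaserver.te, netd.te, rild.te) opens with the description comment above the `type` lines. Moving `# keystore daemon` to the first line keeps the files uniform and makes `type keystore, domain;` read as the start of the domain definition rather than an unexplained preamble.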
@@ -0,0 +1,112 @@ +######################################### +# MLS declarations +# + +# Generate the desired number of sensitivities and categories. +gen_sens(mls_num_sens) +gen_cats(mls_num_cats) + +# Generate level definitions for each sensitivity and category. +gen_levels(mls_num_sens,mls_num_cats) + + +################################################# +# MLS policy constraints +# + +# +# Process constraints +# + +# Process transition: Require equivalence unless the subject is trusted. +mlsconstrain process { transition dyntransition } + ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); + +# Process read operations: No read up unless trusted. +mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } + (l1 dom l2 or t1 == mlstrustedsubject); + +# Process write operations: No write down unless trusted. +mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } + (l1 domby l2 or t1 == mlstrustedsubject); + +# +# Socket constraints +# + +# These permissions are between the process and its local socket, +# not between a process/socket and its peer. +# Equivalence is the normal situation; anything else requires trust. +mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown } + ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# Datagram send: Sender must be dominated by receiver unless one of them is +# trusted. +mlsconstrain unix_dgram_socket { sendto } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# Stream connect: Client must be equivalent to server unless one of them +# is trusted. +mlsconstrain unix_stream_socket { connectto } + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + +# +# Directory/file constraints +# + +# Create/relabel operations: Subject must be equivalent to object unless +# the subject is trusted. 
Also, files should always be single-level. +# Do NOT exempt mlstrustedobject types from this constraint. +mlsconstrain dir_file_class_set { create relabelfrom relabelto } + (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); + +# Read operations: Subject must dominate object unless the subject +# or the object is trusted. +mlsconstrain dir { read getattr search } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +# Write operations: Subject must be dominated by the object unless the +# subject or the object is trusted. +mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + +# Special case for FIFOs. +# These can be unnamed pipes, in which case they will be labeled with the +# creating process' label. Thus we also have an exemption when the "object" +# is a MLS trusted subject and can receive data at any level. +mlsconstrain fifo_file { read getattr } + (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); + +mlsconstrain fifo_file { write setattr append unlink link rename } + (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject); + +# +# IPC constraints +# + +# Create/destroy: equivalence or trusted. +mlsconstrain ipc_class_set { create destroy } + (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); + +# Read ops: No read up unless trusted. +mlsconstrain ipc_class_set r_ipc_perms + (l1 dom l2 or t1 == mlstrustedsubject); + +# Write ops: No write down unless trusted. 
+mlsconstrain ipc_class_set w_ipc_perms + (l1 domby l2 or t1 == mlstrustedsubject); + +# +# Binder IPC constraints +# +# Presently commented out, as apps are expected to call one another. +# This would only make sense if apps were assigned categories +# based on allowable communications rather than per-app categories. +#mlsconstrain binder call +# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); diff --git a/mls_macros b/mls_macros new file mode 100644 index 000000000..83e05425b --- /dev/null +++ b/mls_macros @@ -0,0 +1,54 @@ +######################################## +# +# gen_cats(N) +# +# declares categores c0 to c(N-1) +# +define(`decl_cats',`dnl +category c$1; +ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl +') + +define(`gen_cats',`decl_cats(0,decr($1))') + +######################################## +# +# gen_sens(N) +# +# declares sensitivites s0 to s(N-1) with dominance +# in increasing numeric order with s0 lowest, s(N-1) highest +# +define(`decl_sens',`dnl +sensitivity s$1; +ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl +') + +define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')') + +define(`gen_sens',` +# Each sensitivity has a name and zero or more aliases. +decl_sens(0,decr($1)) + +# Define the ordering of the sensitivity levels (least to greatest) +dominance { gen_dominance(0,decr($1)) } +') + +######################################## +# +# gen_levels(N,M) +# +# levels from s0 to (N-1) with categories c0 to (M-1) +# +define(`decl_levels',`dnl +level s$1:c0.c$3; +ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl +') + +define(`gen_levels',`decl_levels(0,decr($1),decr($2))') + +######################################## +# +# Basic level names for system low and high +# +define(`mls_systemlow',`s0') +define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)') diff --git a/net.te b/net.te new file mode 100644 index 000000000..b10cecdaa --- /dev/null +++ b/net.te 
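Review bot: The mls_macros header comments contain two typos: `# declares categores c0 to c(N-1)` should read `# declares categories c0 to c(N-1)`, and `# declares sensitivites s0 to s(N-1) with dominance` should read `# declares sensitivities s0 to s(N-1) with dominance`. These comments are the only documentation of `gen_cats` and `gen_sens`, and misspelled words are what a policy author grepping for them will miss, so a follow-up fix is worthwhile.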
@@ -0,0 +1,18 @@ +# Network types +type node, node_type; +type netif, netif_type; +type port, port_type; + +# Use network sockets. +allow netdomain self:{ tcp_socket udp_socket } *; +# Connect to ports. +allow netdomain port_type:tcp_socket name_connect; +# Bind to ports. +allow netdomain node_type:{ tcp_socket udp_socket } node_bind; +allow netdomain port_type:udp_socket name_bind; +allow netdomain port_type:tcp_socket name_bind; +# Get route information. +allow netdomain self:netlink_route_socket { create bind read nlmsg_read }; + +# Talks to netd via dnsproxyd socket. +unix_socket_connect(netdomain, dnsproxyd, netd) diff --git a/netd.te b/netd.te new file mode 100644 index 000000000..94c960412 --- /dev/null +++ b/netd.te @@ -0,0 +1,30 @@ +# network manager +type netd, domain; +type netd_exec, exec_type, file_type; + +init_daemon_domain(netd) +typeattribute netd mlstrustedsubject; +allow netd self:capability { net_admin net_raw sys_module }; +allow netd self:netlink_kobject_uevent_socket *; +allow netd self:netlink_route_socket *; +allow netd self:netlink_nflog_socket *; +allow netd self:rawip_socket *; +allow netd self:udp_socket *; +allow netd node:udp_socket node_bind; +allow netd port:udp_socket name_bind; +allow netd self:unix_stream_socket *; +allow netd shell_exec:file rx_file_perms; +allow netd system_file:file x_file_perms; +allow netd devpts:chr_file rw_file_perms; + +# For /proc/sys/net/ipv[46]/route/flush. +# XXX Split /proc/sys/net into its own type. +allow netd proc:file write; + +# For firmware_path +# XXX Split into its own type. +allow netd sysfs:file write; + +# Load network drivers. +allow netd kernel:system module_request; + diff --git a/nfc.te b/nfc.te new file mode 100644 index 000000000..b20d23699 --- /dev/null +++ b/nfc.te 
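Review bot: `allow netdomain port_type:tcp_socket name_bind;` and the preceding `udp_socket name_bind` rule let every network domain bind any port, because the only port type declared here is `port` and the ocontexts hunk leaves its `portcon` section as a placeholder comment, so `port_type` is effectively a single bucket; the same applies to `name_connect`. If reserved or low ports should be limited to particular daemons, a dedicated type assigned via `portcon` and excluded from these `netdomain` rules would provide that control. Otherwise a comment such as `# All ports currently share the single type 'port' (see ocontexts); this check is intentionally coarse.` would record that the breadth is a choice rather than an oversight.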
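Review bot: `allow netd devpts:chr_file rw_file_perms;`, `allow netd shell_exec:file rx_file_perms;` and `allow netd system_file:file x_file_perms;` carry no intent comment, while the proc and sysfs writes directly below each get one, so a reader cannot tell whether netd spawning a shell in its own domain is required or is left over from bring-up. Suggest a comment per grant naming the reason, e.g. `# Execs /system/bin helpers without a domain transition: <which ones>`, or dropping the `shell_exec` rule if nothing invokes a shell. The hunk also ends with a stray empty `+` line after `allow netd kernel:system module_request;`, which leaves a trailing blank line in the file.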
@@ -0,0 +1,10 @@
+# nfc subsystem
+type nfc, domain;
+app_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
diff --git a/ocontexts b/ocontexts
new file mode 100644
index 000000000..ddd57b63c
--- /dev/null
+++ b/ocontexts
@@ -0,0 +1,65 @@ +sid kernel u:r:kernel:s0 +sid security u:object_r:kernel:s0 +sid unlabeled u:object_r:unlabeled:s0 +sid fs u:object_r:labeledfs:s0 +sid file u:object_r:unlabeled:s0 +sid file_labels u:object_r:unlabeled:s0 +sid init u:object_r:unlabeled:s0 +sid any_socket u:object_r:unlabeled:s0 +sid port u:object_r:port:s0 +sid netif u:object_r:netif:s0 +sid netmsg u:object_r:unlabeled:s0 +sid node u:object_r:node:s0 +sid igmp_packet u:object_r:unlabeled:s0 +sid icmp_socket u:object_r:unlabeled:s0 +sid tcp_socket u:object_r:unlabeled:s0 +sid sysctl_modprobe u:object_r:unlabeled:s0 +sid sysctl u:object_r:proc:s0 +sid sysctl_fs u:object_r:unlabeled:s0 +sid sysctl_kernel u:object_r:unlabeled:s0 +sid sysctl_net u:object_r:unlabeled:s0 +sid sysctl_net_unix u:object_r:unlabeled:s0 +sid sysctl_vm u:object_r:unlabeled:s0 +sid sysctl_dev u:object_r:unlabeled:s0 +sid kmod u:object_r:unlabeled:s0 +sid policy u:object_r:unlabeled:s0 +sid scmp_packet u:object_r:unlabeled:s0 +sid devnull u:object_r:null_device:s0 + +# Label inodes via getxattr. +fs_use_xattr yaffs2 u:object_r:labeledfs:s0; +fs_use_xattr jffs2 u:object_r:labeledfs:s0; +fs_use_xattr ext2 u:object_r:labeledfs:s0; +fs_use_xattr ext3 u:object_r:labeledfs:s0; +fs_use_xattr ext4 u:object_r:labeledfs:s0; +fs_use_xattr xfs u:object_r:labeledfs:s0; +fs_use_xattr btrfs u:object_r:labeledfs:s0; + +# Label inodes from task label. +fs_use_task pipefs u:object_r:pipefs:s0; +fs_use_task sockfs u:object_r:sockfs:s0; + +# Label inodes from combination of task label and fs label. +# Define type_transition rules if you want per-domain types. +fs_use_trans devpts u:object_r:devpts:s0; +fs_use_trans tmpfs u:object_r:tmpfs:s0; +fs_use_trans devtmpfs u:object_r:device:s0; +fs_use_trans shm u:object_r:shm:s0; +fs_use_trans mqueue u:object_r:mqueue:s0; + +# Label inodes with the fs label. +genfscon rootfs / u:object_r:rootfs:s0 +# proc labeling can be further refined (longest matching prefix). 
+genfscon proc / u:object_r:proc:s0 +# selinuxfs booleans can be individually labeled. +genfscon selinuxfs / u:object_r:selinuxfs:s0 +genfscon cgroup / u:object_r:cgroup:s0 +# sysfs labels can be set by userspace. +genfscon sysfs / u:object_r:sysfs:s0 +genfscon inotifyfs / u:object_r:inotify:s0 +genfscon vfat / u:object_r:sdcard:s0 +genfscon debugfs / u:object_r:debugfs:s0 +genfscon fuse / u:object_r:sdcard:s0 + +# portcon statements go here, e.g. +# portcon tcp 80 u:object_r:http_port:s0 diff --git a/policy_capabilities b/policy_capabilities new file mode 100644 index 000000000..c7b9d9ca4 --- /dev/null +++ b/policy_capabilities @@ -0,0 +1,5 @@ +# Enable new networking controls. +policycap network_peer_controls; + +# Enable open permission check. +policycap open_perms; diff --git a/qemud.te b/qemud.te new file mode 100644 index 000000000..ec6c816d0 --- /dev/null +++ b/qemud.te @@ -0,0 +1,6 @@ +# qemu support daemon +type qemud, domain; +type qemud_exec, exec_type, file_type; + +init_daemon_domain(qemud) +allow qemud serial_device:chr_file rw_file_perms; diff --git a/radio.te b/radio.te new file mode 100644 index 000000000..9094cce10 --- /dev/null +++ b/radio.te @@ -0,0 +1,17 @@ +# phone subsystem +type radio, domain; +app_domain(radio) +net_domain(radio) +bluetooth_domain(radio) + +# Talks to init via the property socket. +unix_socket_connect(radio, property, init) + +# Talks to rild via the rild socket. +unix_socket_connect(radio, rild, rild) + +# Data file accesses. +allow radio radio_data_file:dir create_dir_perms; +allow radio radio_data_file:notdevfile_class_set create_file_perms; + +allow radio alarm_device:chr_file rw_file_perms; diff --git a/rild.te b/rild.te new file mode 100644 index 000000000..2857892df --- /dev/null +++ b/rild.te 
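Review bot: `sid security u:object_r:kernel:s0` labels the security server object with the `kernel` domain type rather than a dedicated object type, so any rule on the `security` class names the same type as the running kernel process; the `selinux_check_context(installd)` and `selinux_check_access(system)` macros used elsewhere in this series presumably depend on that choice. A comment on the line, `# The security server shares the kernel type; security class checks target kernel.`, would make the coupling explicit for anyone later introducing a separate type. It would also help to note beside `genfscon vfat` and `genfscon fuse` that both are external storage and are intentionally given the same `sdcard` label.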
@@ -0,0 +1,21 @@
+# rild - radio interface layer daemon
+type rild, domain;
+type rild_exec, exec_type, file_type;
+
+init_daemon_domain(rild)
+net_domain(rild)
+allow rild kernel:system module_request;
+unix_socket_connect(rild, property, init)
+unix_socket_connect(rild, qemud, qemud)
+allow rild self:capability { setuid net_admin net_raw };
+allow rild alarm_device:chr_file rw_file_perms;
+allow rild cgroup:dir create_dir_perms;
+allow rild radio_device:chr_file rw_file_perms;
+allow rild qemu_device:chr_file rw_file_perms;
+allow rild mtd_device:dir search;
+allow rild efs_file:dir create_dir_perms;
+allow rild efs_file:file create_file_perms;
+allow rild shell_exec:file rx_file_perms;
+dontaudit rild self:capability sys_admin;
+# XXX Label sysfs files with a specific type?
+allow rild sysfs:file rw_file_perms;
diff --git a/roles b/roles
new file mode 100644
index 000000000..ca9293439
--- /dev/null
+++ b/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/seapp_contexts b/seapp_contexts
new file mode 100644
index 000000000..c30179251
--- /dev/null
+++ b/seapp_contexts
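Review bot: `allow rild shell_exec:file rx_file_perms;` lets rild run a shell in its own domain and has no comment, unlike the neighbouring sysfs grant; combined with `setuid net_admin net_raw` and the `mtd_device`, `radio_device` and `efs_file` accesses this makes the domain quite capable, so the reason a shell is needed should be recorded or the rule dropped, e.g. `# Vendor RIL spawns a shell for <purpose>; confirm still required`. `allow rild efs_file:file create_file_perms;` also includes `unlink` and `rename` through `link_file_perms`, which is broader than a daemon that only rewrites existing files needs; if rild never creates or removes efs files, `rw_file_perms` suffices.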
@@ -0,0 +1,37 @@ +# Input selectors: +# isSystemServer (boolean) +# user (string) +# seinfo (string) +# name (string) +# isSystemServer=true can only be used once. +# An unspecified boolean defaults to false. +# An unspecified string selector will match any value. +# A user string selector that ends in * will perform a prefix match. +# seinfo= is only used when looking up app process security contexts. +# All specified input selectors in an entry must match (i.e. logical AND). +# Matching is case-insensitive. +# Precedence rules: +# (1) isSystemServer=true before isSystemServer=false. +# (2) Specified user= string before unspecified user= string. +# (3) Fixed user= string before user= prefix (i.e. ending in *). +# (4) Longer user= prefix before shorter user= prefix. +# (5) Specified seinfo= string before unspecified seinfo= string. +# (6) Specified name= string before unspecified name= string. +# +# Outputs: +# domain (string) +# type (string) +# levelFromUid (boolean) +# level (string) +# Only entries that specify domain= will be used for app process labeling. +# Only entries that specify type= will be used for app directory labeling. +# levelfromUid is only supported for app UIDs presently. +# level may be used to specify a fixed level for any UID. +# +isSystemServer=true domain=system +user=system domain=system_app type=system_data_file +user=nfc domain=nfc type=nfc_data_file +user=radio domain=radio type=radio_data_file +user=app_* domain=untrusted_app type=app_data_file levelFromUid=true +user=app_* seinfo=systemApp domain=trusted_app levelFromUid=true +user=app_* seinfo=systemApp name=com.android.browser domain=browser_app levelFromUid=true diff --git a/security_classes b/security_classes new file mode 100644 index 000000000..38d78eb7a --- /dev/null +++ b/security_classes 
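Review bot: The outputs documentation writes `# levelfromUid is only supported for app UIDs presently.` while the key is spelled `levelFromUid` in the list two lines above and in every entry; because the same block states `# Matching is case-insensitive.` about input selectors, a reader may wrongly conclude that key names are case-insensitive too, so the line should read `# levelFromUid is only supported for app UIDs presently.`. A short note beside the two `seinfo=systemApp` entries saying where the seinfo value is assigned (nothing in this series defines it) would also help, since those entries are what separate `trusted_app` and `browser_app` from `untrusted_app`.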
@@ -0,0 +1,137 @@ +# FLASK + +# +# Define the security object classes +# + +# Classes marked as userspace are classes +# for userspace object managers + +class security +class process +class system +class capability + +# file-related classes +class filesystem +class file +class dir +class fd +class lnk_file +class chr_file +class blk_file +class sock_file +class fifo_file + +# network-related classes +class socket +class tcp_socket +class udp_socket +class rawip_socket +class node +class netif +class netlink_socket +class packet_socket +class key_socket +class unix_stream_socket +class unix_dgram_socket + +# sysv-ipc-related classes +class sem +class msg +class msgq +class shm +class ipc + +# +# userspace object manager classes +# + +# passwd/chfn/chsh +class passwd # userspace + +# SE-X Windows stuff (more classes below) +class x_drawable # userspace +class x_screen # userspace +class x_gc # userspace +class x_font # userspace +class x_colormap # userspace +class x_property # userspace +class x_selection # userspace +class x_cursor # userspace +class x_client # userspace +class x_device # userspace +class x_server # userspace +class x_extension # userspace + +# extended netlink sockets +class netlink_route_socket +class netlink_firewall_socket +class netlink_tcpdiag_socket +class netlink_nflog_socket +class netlink_xfrm_socket +class netlink_selinux_socket +class netlink_audit_socket +class netlink_ip6fw_socket +class netlink_dnrt_socket + +class dbus # userspace +class nscd # userspace + +# IPSec association +class association + +# Updated Netlink class for KOBJECT_UEVENT family. 
+class netlink_kobject_uevent_socket + +class appletalk_socket + +class packet + +# Kernel access key retention +class key + +class context # userspace + +class dccp_socket + +class memprotect + +class db_database # userspace +class db_table # userspace +class db_procedure # userspace +class db_column # userspace +class db_tuple # userspace +class db_blob # userspace + +# network peer labels +class peer + +# Capabilities >= 32 +class capability2 + +# More SE-X Windows stuff +class x_resource # userspace +class x_event # userspace +class x_synthetic_event # userspace +class x_application_data # userspace + +# kernel services that need to override task security, e.g. cachefiles +class kernel_service + +class tun_socket + +# Still More SE-X Windows stuff +class x_pointer # userspace +class x_keyboard # userspace + +# More Database stuff +class db_schema # userspace +class db_view # userspace +class db_sequence # userspace +class db_language # userspace + +class binder +class zygote + +# FLASK diff --git a/servicemanager.te b/servicemanager.te new file mode 100644 index 000000000..fefbe080d --- /dev/null +++ b/servicemanager.te @@ -0,0 +1,14 @@ +# servicemanager - the Binder context manager +type servicemanager, domain; +type servicemanager_exec, exec_type, file_type; + +init_daemon_domain(servicemanager) + +# Note that we do not use the binder_* macros here. +# servicemanager is unique in that it only provides +# name service (aka context manager) for Binder. +# As such, it only ever receives and transfers other references +# created by other domains. It never passes its own references +# or initiates a Binder IPC. +allow servicemanager self:binder set_context_mgr; +allow servicemanager domain:binder { receive transfer }; diff --git a/shell.te b/shell.te new file mode 100644 index 000000000..e7e3b3569 --- /dev/null +++ b/shell.te 
@@ -0,0 +1,30 @@ +type shell, domain; +type shell_exec, file_type; +domain_auto_trans(adbd, shell_exec, shell) +domain_auto_trans(init, shell_exec, shell) +allow shell rootfs:dir r_dir_perms; +allow shell devpts:chr_file rw_file_perms; +allow shell tty_device:chr_file rw_file_perms; +allow shell console_device:chr_file rw_file_perms; +allow shell system_file:file x_file_perms; +allow shell shell_exec:file rx_file_perms; +allow shell zygote_exec:file rx_file_perms; +allow shell shell_data_file:dir create_dir_perms; +allow shell shell_data_file:file create_file_perms; +allow shell shell_data_file:file rx_file_perms; + +r_dir_file(shell, apk_data_file) +allow shell dalvikcache_data_file:file write; + +# Run dmesg. +allow shell kernel:system syslog_read; + +# Run cat /proc/kmsg. +allow shell kernel:system syslog_mod; + +# Run logcat. +allow shell log_device:chr_file r_file_perms; + +# Run app_process. +# XXX Split into its own domain? +app_domain(shell) diff --git a/su.te b/su.te new file mode 100644 index 000000000..75e621406 --- /dev/null +++ b/su.te @@ -0,0 +1,6 @@ +type su, domain; +type su_exec, file_type; +domain_auto_trans(shell, su_exec, su) + +# su is unconfined. +unconfined_domain(su) diff --git a/surfaceflinger.te b/surfaceflinger.te new file mode 100644 index 000000000..80607da94 --- /dev/null +++ b/surfaceflinger.te 
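Review bot: `allow shell dalvikcache_data_file:file write;` lets an adb shell modify dalvik-cache files that other domains load (installd creates them with `create_file_perms` and system_app gets `{ write setattr }`), so shell access becomes a way to alter code that zygote-spawned processes run; if the grant exists only so that `app_process` launched from the shell can populate the cache, the `# XXX Split into its own domain?` comment already points at the remedy and the write should move into that domain. Separately, `type shell_exec, file_type;` here and `type su_exec, file_type;` in su.te omit the `exec_type` attribute that every `*_exec` type in the daemon files carries; if `exec_type` drives attribute-wide rules (defined outside this hunk), the omission should be deliberate and commented, e.g. `# Not exec_type on purpose: <reason>`.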
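Review bot: `domain_auto_trans(shell, su_exec, su)` followed by `unconfined_domain(su)` means the adbd → shell → su path ends in an unconfined domain, and nothing in su.te records the assumption that `/system/xbin/su` (labeled `su_exec` in file_contexts) is absent from production images. A comment stating that expectation, `# su_exec is expected only on eng/userdebug images; <confirm>`, would make the trust boundary explicit to whoever reviews the policy against a release build.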
@@ -0,0 +1,24 @@ +# surfaceflinger - display compositor service +type surfaceflinger, domain; +type surfaceflinger_exec, exec_type, file_type; + +init_daemon_domain(surfaceflinger) +typeattribute surfaceflinger mlstrustedsubject; + +# Talk to init over the property socket. +unix_socket_connect(surfaceflinger, property, init) + +# Perform Binder IPC. +binder_use(surfaceflinger) +binder_call(surfaceflinger, system) +binder_service(surfaceflinger) + +# Access /dev/graphics/fb0. +allow surfaceflinger graphics_device:dir search; +allow surfaceflinger graphics_device:chr_file rw_file_perms; + +# Access /dev/video1. +allow surfaceflinger video_device:chr_file rw_file_perms; + +# Create and use netlink kobject uevent sockets. +allow surfaceflinger self:netlink_kobject_uevent_socket *; diff --git a/system.te b/system.te new file mode 100644 index 000000000..eff738670 --- /dev/null +++ b/system.te 
@@ -0,0 +1,134 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings. These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+app_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+binder_transfer(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system, domain, mlstrustedsubject;
+
+# Child of the zygote.
+allow system zygote:fd use;
+allow system zygote:process sigchld;
+allow system zygote_tmpfs:file read;
+
+# system server gets network and bluetooth permissions.
+net_domain(system)
+bluetooth_domain(system)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+# XXX See if we can remove some of these.
+allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+
+# Use netlink uevent sockets.
+allow system self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system appdomain:process { sigkill signal };
+
+# Read /proc data for apps.
+allow system appdomain:dir r_dir_perms;
+allow system appdomain:{ file lnk_file } rw_file_perms;
+
+# Write to /proc/net/xt_qtaguid/ctrl.
+# XXX Split /proc/net into its own type.
+allow system proc:file write;
+
+# Notify init of death.
+allow system init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system, property, init)
+unix_socket_connect(system, qemud, qemud)
+unix_socket_connect(system, installd, installd)
+unix_socket_connect(system, netd, netd)
+unix_socket_connect(system, vold, vold)
+unix_socket_connect(system, zygote, zygote)
+unix_socket_connect(system, keystore, keystore)
+unix_socket_connect(system, dbus, dbusd)
+unix_socket_connect(system, gps, gpsd)
+unix_socket_connect(system, bluetooth, bluetoothd)
+unix_socket_send(system, wpa, wpa)
+
+# Perform Binder IPC.
+tmpfs_domain(system)
+binder_use(system)
+binder_call(system, binderservicedomain)
+binder_call(system, appdomain)
+binder_service(system)
+# Transfer other Binder references.
+binder_transfer(system, binderservicedomain)
+binder_transfer(system, appdomain)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(system, appdomain)
+r_dir_file(system, mediaserver)
+allow system appdomain:process getattr;
+allow system mediaserver:process getattr;
+
+# Specify any arguments to zygote.
+allow system self:zygote *;
+
+# Check SELinux permissions.
+selinux_check_access(system)
+
+# XXX Label sysfs files with a specific type?
+allow system sysfs:file rw_file_perms;
+
+# Access devices.
+allow system device:chr_file rw_file_perms;
+allow system akm_device:chr_file rw_file_perms;
+allow system accelerometer_device:chr_file rw_file_perms;
+allow system alarm_device:chr_file rw_file_perms;
+allow system graphics_device:dir search;
+allow system graphics_device:chr_file rw_file_perms;
+allow system input_device:dir r_dir_perms;
+allow system input_device:chr_file rw_file_perms;
+allow system tty_device:chr_file rw_file_perms;
+allow system urandom_device:chr_file rw_file_perms;
+allow system video_device:chr_file rw_file_perms;
+allow system qemu_device:chr_file rw_file_perms;
+
+# Manage data files.
+allow system data_file_type:dir create_dir_perms;
+allow system data_file_type:notdevfile_class_set create_file_perms;
+
+# Create a socket for receiving info from wpa.
+type_transition system wifi_data_file:sock_file system_wpa_socket;
+allow system system_wpa_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system cache_file:dir create_dir_perms;
+allow system cache_file:file create_file_perms;
+
+# Run system programs, e.g. dexopt.
+allow system system_file:file x_file_perms;
+
+# Silently deny any /proc accesses that are not allowed.
+# This suppresses noise from walking the process list.
+dontaudit system domain:dir r_dir_perms;
+dontaudit system domain:file r_file_perms;
diff --git a/te_macros b/te_macros
new file mode 100644
index 000000000..545ba4e20
--- /dev/null
+++ b/te_macros
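Review bot: `allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };` hands system_server CAP_SYS_MODULE, and a loaded module runs with no policy applied, so a compromised system_server can undo every rule in this patch; the `# XXX See if we can remove some of these.` above it is not enough for that one. In the same hunk, `allow system proc:file write;` reaches every file of type `proc`, not only xt_qtaguid/ctrl as its comment says, and `allow system sysfs:file rw_file_perms;` is equally broad, which makes the module path easier to reach. I would move the two dangerous bits onto their own line so they can be audited and dropped independently, e.g. `# XXX sys_module/sys_boot: a module load disables the policy; confirm which service needs these.` followed by `allow system self:capability { sys_module sys_boot };`, and keep the rest in the existing rule.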
@@ -0,0 +1,207 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint read execute };
+# New domain can send SIGCHLD to its caller.
+allow $3 $1:process sigchld;
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# unconfined_domain(domain)
+# Allow the specified domain to do anything.
+#
+define(`unconfined_domain', `
+typeattribute $1 mlstrustedsubject;
+typeattribute $1 unconfineddomain;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+define(`tmpfs_domain', `
+type $1_tmpfs, file_type;
+type_transition $1 tmpfs:file $1_tmpfs;
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file { read execute execmod };
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+tmpfs_domain($1)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Get Binder references from the servicemanager.
+allow $1 servicemanager:binder call;
+# Transfer and receive own Binder references.
+allow $1 self:binder { transfer receive };
+# Map /dev/ashmem with PROT_EXEC.
+allow $1 ashmem_device:chr_file execute;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# First we receive a Binder ref to the server, then we call it.
+allow $1 $2:binder { receive call };
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_transfer(clientdomain, serverdomain)
+# Allow clientdomain to transfer Binder references created by serverdomain.
+define(`binder_transfer', `
+allow $1 $2:binder transfer;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket *;
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file rw_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# selinux_getenforce(domain)
+# Allow domain to check whether SELinux is enforcing.
+define(`selinux_getenforce', `
+allow $1 selinuxfs:dir r_dir_perms;
+allow $1 selinuxfs:file r_file_perms;
+')
diff --git a/ueventd.te b/ueventd.te
new file mode 100644
index 000000000..34e07fd0d
--- /dev/null
+++ b/ueventd.te
@@ -0,0 +1,19 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+tmpfs_domain(ueventd)
+allow ueventd rootfs:file r_file_perms;
+allow ueventd rootfs:file entrypoint;
+allow ueventd init:process sigchld;
+allow ueventd self:capability { chown mknod net_admin setgid fsetid };
+allow ueventd kernel:fd use;
+allow ueventd device:file create_file_perms;
+allow ueventd device:chr_file rw_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs:file setattr;
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { create setattr unlink };
+allow ueventd dev_type:blk_file { create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket *;
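Review bot: `selinux_check_access` grants `allow $1 selinuxfs:file rw_file_perms;`, which covers every selinuxfs node (enforce, load, disable), not only the `access` node the macro is about; what actually keeps a domain given this macro (system and zygote in this patch) from flipping enforcement is that it grants only `kernel:security compute_av` and not `setenforce` or `load_policy`. That dependency is invisible in the macro, so a later convenience grant on `kernel:security` would silently open it. I would state it in the header, e.g. `# NOTE: rw on selinuxfs is broad; setenforce/load_policy stay blocked only because kernel:security is limited to compute_av here.`, and give the write-side nodes their own type once selinuxfs labeling is split. The same note applies to `selinux_check_context`, which grants the identical file access for `check_context`.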
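Review bot: `allow ueventd sysfs:file rw_file_perms;` and the `setattr` line after it let ueventd write and chmod/chown any sysfs attribute, and `allow ueventd self:capability { chown mknod net_admin setgid fsetid };` carries no comment, so a reader cannot tell which grants serve coldboot (writing to uevent nodes) and which serve the ueventd.rc permission entries. Because ueventd acts on netlink messages, narrowing and documenting these is the main policy-side defence should a spoofed uevent ever be accepted (whether the daemon validates the sender is outside this patch). I would add `# Coldboot: write to sysfs uevent nodes; ueventd.rc: chown/chmod sysfs and /dev entries.` above the sysfs rules and name the consumer of each capability.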
diff --git a/unconfined.te b/unconfined.te
new file mode 100644
index 000000000..71cdfddcd
--- /dev/null
+++ b/unconfined.te
@@ -0,0 +1,23 @@
+allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:system *;
+allow unconfineddomain self:memprotect *;
+allow unconfineddomain domain:process *;
+allow unconfineddomain domain:fd *;
+allow unconfineddomain domain:dir r_dir_perms;
+allow unconfineddomain domain:lnk_file r_file_perms;
+allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
+allow unconfineddomain domain:socket_class_set *;
+allow unconfineddomain domain:ipc_class_set *;
+allow unconfineddomain domain:key *;
+allow unconfineddomain fs_type:filesystem *;
+allow unconfineddomain fs_type:dir_file_class_set *;
+allow unconfineddomain dev_type:dir_file_class_set *;
+allow unconfineddomain file_type:dir_file_class_set *;
+allow unconfineddomain node_type:node *;
+allow unconfineddomain node_type:{ tcp_socket udp_socket } node_bind;
+allow unconfineddomain netif_type:netif *;
+allow unconfineddomain port_type:socket_class_set name_bind;
+allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
+allow unconfineddomain domain:peer recv;
+allow unconfineddomain domain:binder { call transfer receive };
diff --git a/users b/users
new file mode 100644
index 000000000..51b7b57e6
--- /dev/null
+++ b/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/vold.te b/vold.te
new file mode 100644
index 000000000..85a58f99d
--- /dev/null
+++ b/vold.te
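Review bot: `allow unconfineddomain kernel:security *;` includes `setenforce` and `load_policy`, so every member of `unconfineddomain` (su, via `unconfined_domain(su)` in this patch) can switch the kernel to permissive or replace the loaded policy, and `allow unconfineddomain domain:process *;` adds ptrace, setexec and dyntransition into any domain; that is a full escape from the policy rather than merely wide access. If unconfined is only meant to exempt a domain from ordinary access checks, I would carve those two out explicitly, `allow unconfineddomain kernel:security ~{ setenforce load_policy };`, and grant them to the one domain that legitimately needs them with a comment saying so.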
@@ -0,0 +1,56 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+init_daemon_domain(vold)
+typeattribute vold mlstrustedsubject;
+allow vold system_file:file x_file_perms;
+allow vold block_device:dir create_dir_perms;
+allow vold block_device:blk_file create_file_perms;
+allow vold block_device:lnk_file read;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard:dir mounton;
+allow vold sdcard:filesystem { mount remount unmount };
+allow vold sdcard:dir create_dir_perms;
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin };
+allow vold self:netlink_kobject_uevent_socket *;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_device:blk_file rw_file_perms;
+allow vold dm_device:chr_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Set property.
+unix_socket_connect(vold, property, init)
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Request AES module.
+allow vold kernel:system module_request;
+
+# Write to /proc/sysrq-trigger
+# XXX Label with a distinct type?
+allow vold proc:file write;
+
+# Create and mount on /data/tmp_mnt.
+allow vold system_data_file:dir { write create add_name mounton };
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
new file mode 100644
index 000000000..8860ef9dd
--- /dev/null
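Review bot: `allow vold app_data_file:dir search;` and `allow vold app_data_file:file rw_file_perms;` give a root daemon read/write over every app's private data with no comment on which vold operation needs it; next to `dac_override`, `sys_admin`, `labeledfs:filesystem { mount unmount }` and `allow vold domain:process { signal sigkill };`, this means a vold compromise through its command socket (system connects to it via `unix_socket_connect(system, vold, vold)` in system.te) exposes all app data. `allow vold proc:file write;` likewise covers every file of type `proc`, not just sysrq-trigger as its comment says. I would add `# XXX Which vold operation needs rw on app private data? Narrow to a dedicated type.` above the two app_data_file lines and, as the existing XXX already suggests, give sysrq-trigger its own label.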
+++ b/wpa_supplicant.te
@@ -0,0 +1,16 @@
+# wpa - wpa supplicant or equivalent
+type wpa, domain;
+type wpa_exec, exec_type, file_type;
+
+init_daemon_domain(wpa)
+allow wpa kernel:system module_request;
+allow wpa self:capability { setuid net_admin setgid net_raw };
+allow wpa cgroup:dir create_dir_perms;
+allow wpa self:netlink_route_socket *;
+allow wpa self:netlink_socket *;
+allow wpa self:packet_socket *;
+allow wpa self:udp_socket *;
+allow wpa wifi_data_file:dir create_dir_perms;
+allow wpa wifi_data_file:file create_file_perms;
+unix_socket_send(wpa, system_wpa, system)
+allow wpa random_device:chr_file r_file_perms;
diff --git a/zygote.te b/zygote.te
new file mode 100644
index 000000000..0601707db
--- /dev/null
+++ b/zygote.te
@@ -0,0 +1,31 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
+
+init_daemon_domain(zygote)
+typeattribute zygote mlstrustedsubject;
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid };
+# Switch SELinux context to app domains.
+allow zygote system:process dyntransition;
+allow zygote appdomain:process dyntransition;
+# Move children into the peer process group.
+allow zygote system:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+# Write to system data.
+allow zygote system_data_file:dir rw_dir_perms;
+allow zygote system_data_file:file create_file_perms;
+allow zygote dalvikcache_data_file:dir rw_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+# Execute dexopt.
+allow zygote system_file:file x_file_perms;
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote self:capability sys_admin;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+# Read /seapp_contexts, presently on the rootfs.
+allow zygote rootfs:file r_file_perms;
+
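Review bot: `allow wpa self:capability { setuid net_admin setgid net_raw };` gives a daemon that parses frames received over the air the ability to change uid and gid, and `allow wpa cgroup:dir create_dir_perms;` lets it create cgroup directories, neither with a comment; if setuid/setgid are only for dropping privileges at startup, that should be written down so they are not mistaken for something wpa needs while running. The `self:packet_socket *`, `self:netlink_socket *` and `self:udp_socket *` rules also grant every permission on those classes where the daemon presumably needs a fixed set, and enumerating them would match the style of the other daemon files. I would add `# setuid/setgid: privilege drop at startup (confirm); net_admin/net_raw: interface control and raw 802.11 frames.` above the capability line.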
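Review bot: `allow zygote appdomain:process dyntransition;` makes every type carrying the `appdomain` attribute a valid dyntransition target, and shell.te in this same patch applies `app_domain(shell)`, so zygote can also switch a child into the shell domain; the reachable set is defined by an attribute other files extend, which is easy to widen by accident. I would note that next to the rule, e.g. `# NOTE: targets are every domain with app_domain(); adding the attribute to a type makes it reachable from here.`. Separately, `allow zygote self:capability sys_admin;` under `# Control cgroups.` is the broadest capability in the file and is held by the process that forks every app, so it deserves a comment on why a narrower mechanism for cgroup moves is not used.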