Address system_server denials.
Label /proc/sysrq-trigger and allow access. Label /dev/socket/mtpd and allow access. Resolves denials such as: avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { call } for pid=1007 comm="Binder_8" scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder avc: denied { write } for pid=1024 comm="watchdog" name="sysrq-trigger" dev="proc" ino=4026533682 scontext=u:r:system_server:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { write } for pid=11567 comm="LegacyVpnRunner" name="mtpd" dev="tmpfs" ino=36627 scontext=u:r:system_server:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file avc: denied { ptrace } for pid=10924 comm=5369676E616C2043617463686572 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=process avc: denied { sigkill } for pid=26077 comm="NativeCrashRepo" scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=process avc: denied { write } for pid=1024 comm="android.bg" scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=netlink_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[11467]" dev="sockfs" ino=11467 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=473 comm="FinalizerDaemon" path="socket:[12076]" dev="sockfs" ino=12076 scontext=u:r:system_server:s0 tcontext=u:r:mediaserv er:s0 tclass=udp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" laddr=192.168.159.172 lport=51576 faddr=93.127.173.40 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getopt } for pid=473 comm="FinalizerDaemon" lport=15658 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[443742]" dev="sockfs" ino=443742 scontext=u:r:system_server:s0 
tcontext=u:r:mediaserver:s 0 tclass=tcp_socket avc: denied { read write } for pid=21384 comm="rtsp" path="socket:[444842]" dev="sockfs" ino=444842 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1326 comm="Binder_9" lport=16216 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=udp_socket avc: denied { setopt } for pid=1676 comm="Binder_6" laddr=192.168.156.130 lport=51044 faddr=74.125.214.81 fport=554 scontext=u:r:system_server:s0 tcontext=u:r:mediaserver:s0 tclass=tcp_socket avc: denied { getattr } for pid=10915 comm="system_server" path="/dev/mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { read } for pid=10915 comm="system_server" name="mdm" dev="tmpfs" ino=7484 scontext=u:r:system_server:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { unlink } for pid=14866 comm="system_server" name="wallpaper" dev="mmcblk0p9" ino=285715 scontext=u:r:system_server:s0 tcontext=u:object_r:wallpaper_file:s0 tclass=file avc: denied { getattr } for pid=12114 comm="Binder_2" path="socket:[219779]" dev="sockfs" ino=219779 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { getopt } for pid=32300 comm="Binder_1" laddr=::ffff:127.0.0.1 lport=4939 faddr=::ffff:127.0.0.1 fport=53318 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { read write } for pid=10840 comm="pool-17-thread-" path="socket:[205990]" dev="sockfs" ino=205990 scontext=u:r:untrusted_app:s0 tcontext=u:r:system_server:s0 tclass=tcp_socket avc: denied { write } for pid=20817 comm="dumpsys" path="/mnt/shell/emulated/0/aupt-output/bugreport-2014-02-22-11-17-16.txt.tmp" dev="fuse" ino=3100784040 scontext=u:r:system_server:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=file Change-Id: I481ac26667b487031a5d3317b0a028a027a8e641 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
23a52e6b30
commit
3dad7b611a
6 changed files with 37 additions and 8 deletions
5
app.te
5
app.te
|
@ -33,9 +33,10 @@ allow appdomain adbd:process sigchld;
|
|||
# child shell or gdbserver pty access for runas.
|
||||
allow appdomain devpts:chr_file { getattr read write ioctl };
|
||||
|
||||
# Communicate with system_server.
|
||||
# Use pipes and sockets provided by system_server via binder or local socket.
|
||||
allow appdomain system_server:fifo_file rw_file_perms;
|
||||
allow appdomain system_server:unix_stream_socket { read write setopt };
|
||||
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
|
||||
|
||||
# Communication with other apps via fifos
|
||||
allow appdomain appdomain:fifo_file rw_file_perms;
|
||||
|
|
|
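Review bot: The new comment above `allow appdomain system_server:fifo_file rw_file_perms;` says the pipes and sockets are "provided by system_server", but nothing in the rules themselves records that precondition: none of the three new rules grants create, bind, connectto or accept, so an app can only act on a system_server-labelled descriptor it already holds. Making that explicit keeps a later reviewer from reading the tcp_socket rule as app-initiated access to system_server's network sockets, e.g. `# No create/connect/accept: apps only use descriptors system_server has already handed them.` Worth a second line is that `shutdown` on a descriptor shared with system_server tears the connection down for both holders, so the comment could note that is accepted for these sockets. The addition/deletion counts do not match the visible line count exactly, so I have not assumed which of the two unix_stream_socket lines is the old one.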
@ -35,6 +35,8 @@ userdebug_or_eng(`
|
|||
allow domain su:fd use;
|
||||
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
|
||||
|
||||
binder_call(domain, su)
|
||||
|
||||
# Running something like "pm dump com.android.bluetooth" requires
|
||||
# fifo writes
|
||||
allow domain su:fifo_file { write getattr };
|
||||
|
|
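Review bot: `binder_call(domain, su)` grants every domain binder call access to su, while the only su-related denial in the description is `scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=binder`; the evidence supports the narrower `binder_call(system_server, su)` in system_server.te. This is inside `userdebug_or_eng(` so it never reaches user builds, but a blanket rule in domain.te is still the widest form of the fix, and a reader cannot tell from the hunk whether that width is intended. If the intent is that services hosted by su on eng builds must be callable from any domain, a one-line comment saying so (`# su may host debugging services that any domain calls on eng builds`) would justify the scope. The enclosing userdebug_or_eng block starts before this hunk.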
2
file.te
2
file.te
|
@ -11,6 +11,7 @@ type usermodehelper, fs_type, sysfs_type;
|
|||
type qtaguid_proc, fs_type, mlstrustedobject;
|
||||
type proc_bluetooth_writable, fs_type;
|
||||
type proc_net, fs_type;
|
||||
type proc_sysrq, fs_type;
|
||||
type selinuxfs, fs_type;
|
||||
type cgroup, fs_type, mlstrustedobject;
|
||||
type sysfs, fs_type, mlstrustedobject;
|
||||
|
@ -116,6 +117,7 @@ type logdr_socket, file_type;
|
|||
type logdw_socket, file_type;
|
||||
type mdns_socket, file_type;
|
||||
type mdnsd_socket, file_type;
|
||||
type mtpd_socket, file_type;
|
||||
type netd_socket, file_type;
|
||||
type property_socket, file_type;
|
||||
type racoon_socket, file_type;
|
||||
|
|
|
@ -85,6 +85,7 @@
|
|||
/dev/socket/logdw u:object_r:logdw_socket:s0
|
||||
/dev/socket/mdns u:object_r:mdns_socket:s0
|
||||
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
|
||||
/dev/socket/mtpd u:object_r:mtpd_socket:s0
|
||||
/dev/socket/netd u:object_r:netd_socket:s0
|
||||
/dev/socket/property_service u:object_r:property_socket:s0
|
||||
/dev/socket/racoon u:object_r:racoon_socket:s0
|
||||
|
|
|
@ -4,6 +4,7 @@ genfscon rootfs / u:object_r:rootfs:s0
|
|||
genfscon proc / u:object_r:proc:s0
|
||||
genfscon proc /net u:object_r:proc_net:s0
|
||||
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
|
||||
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
|
||||
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
|
||||
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
|
||||
|
|
|
@ -16,11 +16,20 @@ allow system_server system_server_tmpfs:file execute;
|
|||
# For art.
|
||||
allow system_server dalvikcache_data_file:file execute;
|
||||
|
||||
# ptrace to processes in the same domain for debugging crashes.
|
||||
allow system_server self:process ptrace;
|
||||
|
||||
# Child of the zygote.
|
||||
allow system_server zygote:fd use;
|
||||
allow system_server zygote:process sigchld;
|
||||
allow system_server zygote_tmpfs:file read;
|
||||
|
||||
# May kill zygote on crashes.
|
||||
allow system_server zygote:process sigkill;
|
||||
|
||||
# Read /system/bin/app_process.
|
||||
allow system_server zygote_exec:file r_file_perms;
|
||||
|
||||
# Needed to close the zygote socket, which involves getopt / getattr
|
||||
allow system_server zygote:unix_stream_socket { getopt getattr };
|
||||
|
||||
|
@ -55,6 +64,9 @@ allow system_server kernel:system module_request;
|
|||
# Use netlink uevent sockets.
|
||||
allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
# Use generic netlink sockets.
|
||||
allow system_server self:netlink_socket create_socket_perms;
|
||||
|
||||
# Kill apps.
|
||||
allow system_server appdomain:process { sigkill signal };
|
||||
|
||||
|
@ -70,6 +82,9 @@ allow system_server appdomain:{ file lnk_file } rw_file_perms;
|
|||
allow system_server qtaguid_proc:file rw_file_perms;
|
||||
allow system_server qtaguid_device:chr_file rw_file_perms;
|
||||
|
||||
# Write to /proc/sysrq-trigger.
|
||||
allow system_server proc_sysrq:file rw_file_perms;
|
||||
|
||||
# Read /sys/kernel/debug/wakeup_sources.
|
||||
allow system_server debugfs:file r_file_perms;
|
||||
|
||||
|
@ -86,6 +101,7 @@ allow system_server init:process sigchld;
|
|||
unix_socket_connect(system_server, property, init)
|
||||
unix_socket_connect(system_server, installd, installd)
|
||||
unix_socket_connect(system_server, lmkd, lmkd)
|
||||
unix_socket_connect(system_server, mtpd, mtp)
|
||||
unix_socket_connect(system_server, netd, netd)
|
||||
unix_socket_connect(system_server, vold, vold)
|
||||
unix_socket_connect(system_server, zygote, zygote)
|
||||
|
@ -109,6 +125,10 @@ r_dir_file(system_server, mediaserver)
|
|||
allow system_server appdomain:process getattr;
|
||||
allow system_server mediaserver:process getattr;
|
||||
|
||||
# Use sockets received over binder from various services.
|
||||
allow system_server mediaserver:tcp_socket rw_socket_perms;
|
||||
allow system_server mediaserver:udp_socket rw_socket_perms;
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(system_server)
|
||||
|
||||
|
@ -126,6 +146,7 @@ allow system_server graphics_device:chr_file rw_file_perms;
|
|||
allow system_server iio_device:chr_file rw_file_perms;
|
||||
allow system_server input_device:dir r_dir_perms;
|
||||
allow system_server input_device:chr_file rw_file_perms;
|
||||
allow system_server radio_device:chr_file r_file_perms;
|
||||
allow system_server tty_device:chr_file rw_file_perms;
|
||||
allow system_server urandom_device:chr_file rw_file_perms;
|
||||
allow system_server usbaccessory_device:chr_file rw_file_perms;
|
||||
|
@ -151,7 +172,7 @@ allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom r
|
|||
# Relabel wallpaper.
|
||||
allow system_server system_data_file:file relabelfrom;
|
||||
allow system_server wallpaper_file:file relabelto;
|
||||
allow system_server wallpaper_file:file rw_file_perms;
|
||||
allow system_server wallpaper_file:file { rw_file_perms unlink };
|
||||
|
||||
# Relabel /data/anr.
|
||||
allow system_server system_data_file:dir relabelfrom;
|
||||
|
@ -199,15 +220,13 @@ allow system_server domain:file r_file_perms;
|
|||
allow system_server gps_device:chr_file rw_file_perms;
|
||||
allow system_server gps_control:file rw_file_perms;
|
||||
|
||||
# Allow system_server to use app-created sockets.
|
||||
allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
|
||||
# Allow system_server to use app-created sockets and pipes.
|
||||
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
|
||||
allow system_server appdomain:fifo_file { getattr read write };
|
||||
|
||||
# Allow abstract socket connection
|
||||
allow system_server rild:unix_stream_socket connectto;
|
||||
|
||||
# connect to vpn tunnel
|
||||
allow system_server mtp:unix_stream_socket { connectto };
|
||||
|
||||
# BackupManagerService lets PMS create a data backup file
|
||||
allow system_server cache_backup_file:file create_file_perms;
|
||||
# Relabel /data/backup
|
||||
|
@ -217,6 +236,9 @@ allow system_server cache_backup_file:file { relabelto relabelfrom };
|
|||
# LocalTransport creates and relabels /cache/backup
|
||||
allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
|
||||
|
||||
# Access SDcard files passed via binder or sockets.
|
||||
allow system_server sdcard_type:file { read write getattr };
|
||||
|
||||
# Allow system to talk to usb device
|
||||
allow system_server usb_device:chr_file rw_file_perms;
|
||||
allow system_server usb_device:dir r_dir_perms;
|
||||
|
|
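Review bot: `allow system_server proc_sysrq:file rw_file_perms;` (hunk @ -70,6 +82,9) is wider than its comment "Write to /proc/sysrq-trigger." and than the watchdog denial, which asked only for `write`; rw_file_perms also carries read and the rest of the read-side set. Writes to sysrq-trigger cause kernel-level actions, so this type deserves the tightest rule that works: if the file's macro set defines a write-only file macro as AOSP's global_macros.te does (`w_file_perms`), `allow system_server proc_sysrq:file w_file_perms;` matches both the comment and the evidence. A similar remark applies to `allow system_server self:netlink_socket create_socket_perms;` in the hunk @ -55,6 +64,9: netlink_socket is the fallback class for every netlink family without a dedicated class, the denial showed only `write` from comm="android.bg", and the comment "Use generic netlink sockets." does not say which family is expected, so naming it in the comment would let the grant be narrowed later. The ptrace and sigkill additions in the first hunk are consistent with the Signal Catcher and NativeCrashReporter denials quoted in the description.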