From 625a3526f1ebaaa014bb563239cc33829f616232 Mon Sep 17 00:00:00 2001
From: William Roberts
Date: Mon, 4 May 2015 18:22:45 -0700
Subject: [PATCH] Replace unix_socket_connect() and explicit property sets with macro

A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service
The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added.
To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)
This macro handles steps 1, 2 and 3.
No difference in sediff is expected.
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts
---
 adbd.te | 7 +++----
 bluetooth.te | 9 +++------
 dhcp.te | 6 +++---
 healthd.te | 3 +--
 mediaserver.te | 4 ++--
 netd.te | 7 +++----
 nfc.te | 3 +--
 radio.te | 11 ++++-------
 recovery.te | 5 ++---
 rild.te | 7 +++----
 shell.te | 9 ++++-----
 surfaceflinger.te | 7 ++-----
 system_app.te | 13 ++++++-------
 system_server.te | 21 ++++++++++-----------
 te_macros | 20 ++++++++++++++++++++
 uncrypt.te | 3 +--
 vold.te | 9 +++------
 17 files changed, 71 insertions(+), 73 deletions(-)
diff --git a/adbd.te b/adbd.te
index 57b1e48e0..a74d10bd4 100644
--- a/adbd.te
+++ b/adbd.te
@@ -42,10 +42,9 @@ allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-unix_socket_connect(adbd, property, init)
-allow adbd shell_prop:property_service set;
-allow adbd powerctl_prop:property_service set;
-allow adbd ffs_prop:property_service set;
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
diff --git a/bluetooth.te b/bluetooth.te
index 890c1d98b..847b11eb5 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -38,16 +38,13 @@ allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 # Allow write access to bluetooth specific properties
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth pan_result_prop:property_service set;
-allow bluetooth ctl_dhcp_pan_prop:property_service set;
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+set_prop(bluetooth, ctl_dhcp_pan_prop)
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
diff --git a/dhcp.te b/dhcp.te
index 32a6cccb1..cbf105c65 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,9 +13,9 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp dhcp_prop:property_service set;
-allow dhcp pan_result_prop:property_service set;
-unix_socket_connect(dhcp, property, init)
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/healthd.te b/healthd.te
index 2ea825c8f..a1019ee92 100644
--- a/healthd.te
+++ b/healthd.te
@@ -42,5 +42,4 @@ allow healthd healthd_service:service_manager { add find };
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
-unix_socket_connect(healthd, property, init)
-allow healthd system_prop:property_service set;
+set_prop(healthd, system_prop)
diff --git a/mediaserver.te b/mediaserver.te
index d26909730..cb0995c42 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -6,7 +6,6 @@ typeattribute mediaserver mlstrustedsubject;
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
 r_dir_file(mediaserver, sdcard_type)
@@ -27,7 +26,8 @@ allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
+
+set_prop(mediaserver, audio_prop)
 # Access audio devices at all.
 allow mediaserver audio_device:chr_file rw_file_perms;
diff --git a/netd.te b/netd.te
index f84b45279..d4c515317 100644
--- a/netd.te
+++ b/netd.te
@@ -30,9 +30,8 @@ allow netd proc_net:file write;
 allow netd sysfs:file write;
 # Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd dhcp_prop:property_service set;
-allow netd system_prop:property_service set;
+set_prop(netd, dhcp_prop)
+set_prop(netd, system_prop)
 auditallow netd system_prop:property_service set;
 # Connect to PAN
@@ -62,7 +61,7 @@ allow netd dnsmasq:process signal;
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
-allow netd ctl_mdnsd_prop:property_service set;
+set_prop(netd, ctl_mdnsd_prop)
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
diff --git a/nfc.te b/nfc.te
index 8528b4f71..71841be36 100644
--- a/nfc.te
+++ b/nfc.te
@@ -5,8 +5,7 @@ net_domain(nfc)
 binder_service(nfc)
 # Set NFC properties
-unix_socket_connect(nfc, property, init)
-allow nfc nfc_prop:property_service set;
+set_prop(nfc, nfc_prop)
 # NFC device access.
 allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/radio.te b/radio.te
index 92f18d22b..a01a11376 100644
--- a/radio.te
+++ b/radio.te
@@ -5,9 +5,6 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
@@ -21,14 +18,14 @@ allow radio net_data_file:dir search;
 allow radio net_data_file:file r_file_perms;
 # Property service
-allow radio radio_prop:property_service set;
-allow radio net_radio_prop:property_service set;
-allow radio system_radio_prop:property_service set;
+set_prop(radio, radio_prop)
+set_prop(radio, system_radio_prop)
+set_prop(radio, net_radio_prop)
 auditallow radio net_radio_prop:property_service set;
 auditallow radio system_radio_prop:property_service set;
 # ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+set_prop(radio, ctl_rildaemon_prop)
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
diff --git a/recovery.te b/recovery.te
index 85763563f..29f1a50ec 100644
--- a/recovery.te
+++ b/recovery.te
@@ -78,11 +78,10 @@ recovery_only(`
 allow recovery cache_file:file create_file_perms;
 # Reboot the device
- allow recovery powerctl_prop:property_service set;
- unix_socket_connect(recovery, property, init)
+ set_prop(recovery, powerctl_prop)
 # Start/stop adbd via ctl.start adbd
- allow recovery ctl_default_prop:property_service set;
+ set_prop(recovery, ctl_default_prop)
 # Use setfscreatecon() to label files for OTA updates.
 allow recovery self:process setfscreate;
diff --git a/rild.te b/rild.te
index d8e48d5e6..549a4aa17 100644
--- a/rild.te
+++ b/rild.te
@@ -6,7 +6,6 @@ init_daemon_domain(rild)
 net_domain(rild)
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
 allow rild self:capability { setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
@@ -26,9 +25,9 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 # property service
-allow rild radio_prop:property_service set;
-allow rild net_radio_prop:property_service set;
-allow rild system_radio_prop:property_service set;
+set_prop(rild, radio_prop)
+set_prop(rild, net_radio_prop)
+set_prop(rild, system_radio_prop)
 auditallow rild net_radio_prop:property_service set;
 auditallow rild system_radio_prop:property_service set;
diff --git a/shell.te b/shell.te
index e7ea149df..c55ce3e88 100644
--- a/shell.te
+++ b/shell.te
@@ -41,11 +41,10 @@ allow shell zygote_exec:file rx_file_perms;
 r_dir_file(shell, apk_data_file)
 # Set properties.
-unix_socket_connect(shell, property, init)
-allow shell shell_prop:property_service set;
-allow shell ctl_dumpstate_prop:property_service set;
-allow shell debug_prop:property_service set;
-allow shell powerctl_prop:property_service set;
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c85df828c..26a4e48cf 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -5,9 +5,6 @@ type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
-# Talk to init over the property socket.
-unix_socket_connect(surfaceflinger, property, init)
-
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
@@ -37,8 +34,8 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 # Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_bootanim_prop:property_service set;
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/system_app.te b/system_app.te
index 964407e6e..407b85e7d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,15 +31,14 @@ auditallow system_app system_data_file:file { create setattr append write link u
 allow system_app wallpaper_file:file r_file_perms;
 # Write to properties
-unix_socket_connect(system_app, property, init)
-allow system_app debug_prop:property_service set;
-allow system_app net_radio_prop:property_service set;
-allow system_app system_radio_prop:property_service set;
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, ctl_bugreport_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
-allow system_app system_prop:property_service set;
-allow system_app ctl_bugreport_prop:property_service set;
-allow system_app logd_prop:property_service set;
 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
diff --git a/system_server.te b/system_server.te
index d8e59788c..d225b7c86 100644
--- a/system_server.te
+++ b/system_server.te
@@ -105,7 +105,6 @@ allow system_server self:tun_socket create_socket_perms;
 allow system_server init:process sigchld;
 # Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
@@ -273,18 +272,18 @@ allow system_server system_data_file:dir relabelfrom;
 allow system_server anr_data_file:dir relabelto;
 # Property Service write
-allow system_server system_prop:property_service set;
-allow system_server dhcp_prop:property_service set;
-allow system_server net_radio_prop:property_service set;
-allow system_server system_radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-allow system_server fingerprint_prop:property_service set;
+set_prop(system_server, system_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
 # ctl interface
-allow system_server ctl_default_prop:property_service set;
-allow system_server ctl_dhcp_pan_prop:property_service set;
-allow system_server ctl_bugreport_prop:property_service set;
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_dhcp_pan_prop)
+set_prop(system_server, ctl_bugreport_prop)
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
diff --git a/te_macros b/te_macros
index fae0e3a5e..408d9d5fe 100644
--- a/te_macros
+++ b/te_macros
@@ -118,11 +118,31 @@ typeattribute $1 bluetoothdomain;
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
 define(`unix_socket_connect', `
 allow $1 $2_socket:sock_file write;
 allow $1 $3:unix_stream_socket connectto;
 ')
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+')
+
 #####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via
diff --git a/uncrypt.te b/uncrypt.te
index 743236d48..f701084e2 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -21,8 +21,7 @@ allow uncrypt cache_file:dir rw_dir_perms;
 allow uncrypt cache_file:file create_file_perms;
 # Set a property to reboot the device.
-unix_socket_connect(uncrypt, property, init)
-allow uncrypt powerctl_prop:property_service set;
+set_prop(uncrypt, powerctl_prop)
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
diff --git a/vold.te b/vold.te
index 14e8a16bc..b3b4ba803 100644
--- a/vold.te
+++ b/vold.te
@@ -94,9 +94,6 @@ allow vold fscklogs:file create_file_perms;
 # Rules to support encrypted fs support.
 #
-# Set property.
-unix_socket_connect(vold, property, init)
-
 # Unmount and mount the fs.
 allow vold labeledfs:filesystem { mount unmount remount };
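Review bot: The set_prop header comment in the te_macros hunk does not say that the macro also grants the connect to init over the property socket, which is exactly why every standalone `unix_socket_connect(domain, property, init)` is dropped in the other files; a reader of te_macros alone cannot tell that adding one back would be redundant. I would extend the doc block to `# Allows sourcedomain to set targetproperty, including the` / `# unix_socket_connect(sourcedomain, property, init) this requires;` / `# callers should not add that connect rule separately.` Since the connect rules are re-emitted on every invocation, a domain such as system_server now carries them ten times; the policy compiler merges identical allow rules, so this should not change the compiled policy and is consistent with the commit's "no difference in sediff" claim, but a sentence in the header saying the duplication is expected would stop someone "fixing" it later. Minor wording in the note added to unix_socket_connect: `# use set_prop(sourcedomain, targetproperty)` reads better as `# Use set_prop(sourcedomain, targetproperty) instead.`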
@@ -111,9 +108,9 @@ allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold kernel:process setsched;
 # Property Service
-allow vold vold_prop:property_service set;
-allow vold powerctl_prop:property_service set;
-allow vold ctl_fuse_prop:property_service set;
+set_prop(vold, vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
 # ASEC
 allow vold asec_image_file:file create_file_perms;