From 5637099a252c7ef647ca22d1d1094d67f54bb916 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Wed, 23 Oct 2013 13:12:55 -0400
Subject: [PATCH] Confine all app domains, but make them permissive for now.

As has already been done for untrusted_app, isolated_app, and bluetooth, make all the other domains used for app processes confined while making them permissive until sufficient testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley
---
 media_app.te | 19 ++++++++++++++++++-
 nfc.te | 12 +++++++++++-
 platform_app.te | 31 ++++++++++++++++++++++++++++++-
 radio.te | 19 ++++++++++++++++++-
 release_app.te | 6 +++++-
 shared_app.te | 4 +++-
 system_app.te | 29 ++++++++++++++++++++++++++++-
 7 files changed, 113 insertions(+), 7 deletions(-)

diff --git a/media_app.te b/media_app.te
index 1fe06ddc0..5f09a63e9 100644
--- a/media_app.te
+++ b/media_app.te
@@ -3,10 +3,27 @@
 ###
 
 type media_app, domain;
+permissive media_app;
 app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-unconfined_domain(media_app)
+# Access /dev/mtp_usb.
+allow media_app mtp_device:chr_file rw_file_perms;
+# Write to /cache.
+allow media_app cache_file:dir rw_dir_perms;
+allow media_app cache_file:file create_file_perms;
+# Stat /cache/lost+found
+allow media_app unlabeled:file getattr;
+allow media_app unlabeled:dir getattr;
+# Stat /cache/backup
+allow media_app cache_backup_file:file getattr;
+allow media_app cache_backup_file:dir getattr;
+# Read files in the rootdir (in particular, file_contexts for restorecon).
+allow media_app rootfs:file r_file_perms;
+allow media_app download_file:dir rw_dir_perms;
+allow media_app download_file:file create_file_perms;
+# Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
+allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
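Review bot: `permissive media_app;` is added as a bare line with nothing in the file marking it as transitional, and the same holds for the `permissive` lines added in nfc.te, platform_app.te, radio.te, release_app.te, shared_app.te and system_app.te; someone reading the policy without this commit message cannot tell that denials from these domains are only logged rather than enforced, or that the line is meant to go away. Suggest a comment above each, e.g. `# TODO: remove once the confined rules below are validated; while permissive, AVC denials are logged but not enforced.` Separately, `allow media_app unlabeled:file getattr;` and `allow media_app unlabeled:dir getattr;` are wider than the `# Stat /cache/lost+found` comment implies, since `unlabeled` matches any object that carries no label at all; if lost+found can be given a type of its own, the grant on `unlabeled` could be dropped, and otherwise the comment should say that the rule is broader than its one motivating path.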
diff --git a/nfc.te b/nfc.te
index 31b914433..efb1a14b5 100644
--- a/nfc.te
+++ b/nfc.te
@@ -1,4 +1,14 @@
 # nfc subsystem
 type nfc, domain;
+permissive nfc;
 app_domain(nfc)
-unconfined_domain(nfc)
+
+# NFC device access.
+allow nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+allow nfc sysfs_nfc_power_writable:file rw_file_perms;
+allow nfc sysfs:file write;
diff --git a/platform_app.te b/platform_app.te
index 042d49540..1e89760e0 100644
--- a/platform_app.te
+++ b/platform_app.te
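Review bot: `allow nfc sysfs:file write;` grants write on the generic `sysfs` type, i.e. every sysfs file that has not been given a more specific label, and unlike the `sysfs_nfc_power_writable` rule directly above it there is no comment saying which node needs it. The two rules side by side suggest the specific type was introduced precisely to avoid this kind of blanket grant, so the generic one looks like a leftover from the unconfined days. Suggest identifying the node and giving it a dedicated type, or at minimum recording the reason inline, e.g. `# TODO: narrow to a dedicated type once the sysfs node that needs write is identified.`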
@@ -3,10 +3,39 @@
 ###
 
 type platform_app, domain;
+permissive platform_app;
 app_domain(platform_app)
 platform_app_domain(platform_app)
 # Access the network.
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-unconfined_domain(platform_app)
+# Write to /cache.
+allow platform_app cache_file:dir rw_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+# Read from /data/local.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app shell_data_file:lnk_file read;
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+# Access download files.
+allow platform_app download_file:file rw_file_perms;
+# Allow BackupManagerService to backup all app domains
+allow platform_app appdomain:fifo_file write;
+
+#
+# Rules for all platform app domains.
+#
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+# App sdcard file accesses
+allow platformappdomain sdcard_type:dir create_dir_perms;
+allow platformappdomain sdcard_type:file create_file_perms;
diff --git a/radio.te b/radio.te
index feea2cc6d..9de8aba22 100644
--- a/radio.te
+++ b/radio.te
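Review bot: The rules under `# Rules for all platform app domains.` at the end of the hunk are written on `platformappdomain`, not `platform_app`, yet they sit at the bottom of platform_app.te with nothing saying who else they cover; `platformappdomain` is presumably the attribute assigned by `platform_app_domain()`, which media_app.te, release_app.te and shared_app.te in this same patch also invoke, so those domains silently inherit the `sdcard_type` create grants and the `platform_app_data_file` grants even though their own files list only per-domain rules. A line at the section head would prevent misattribution when someone audits one of those files in isolation, e.g. `# platformappdomain is shared by every domain declared via platform_app_domain(); nothing below is specific to platform_app.` On the same hunk, `allow platform_app appdomain:fifo_file write;` is justified by BackupManagerService but grants write on the fifo files of every app domain; the comment should say that the grant is broader than the one service it is for.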
@@ -1,7 +1,24 @@
 # phone subsystem
 type radio, domain;
+permissive radio;
 app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
-unconfined_domain(radio)
\ No newline at end of file
+# Talks to init via the property socket.
+unix_socket_connect(radio, property, init)
+
+# Talks to rild via the rild socket.
+unix_socket_connect(radio, rild, rild)
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+# Property service
+allow radio radio_prop:property_service set;
+
+# ctl interface
+allow radio ctl_rildaemon_prop:property_service set;
diff --git a/release_app.te b/release_app.te
index e7e4b3537..6be3620ac 100644
--- a/release_app.te
+++ b/release_app.te
@@ -3,10 +3,14 @@
 ###
 
 type release_app, domain;
+permissive release_app;
 app_domain(release_app)
 platform_app_domain(release_app)
 # Access the network.
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-unconfined_domain(release_app)
+
+# Write to /cache.
+allow release_app cache_file:dir rw_dir_perms;
+allow release_app cache_file:file create_file_perms;
diff --git a/shared_app.te b/shared_app.te
index 8475e0c9a..e469bddb3 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -3,10 +3,12 @@
 ###
 
 type shared_app, domain;
+permissive shared_app;
 app_domain(shared_app)
 platform_app_domain(shared_app)
 # Access the network.
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-unconfined_domain(shared_app)
+# ASEC
+r_dir_file(shared_app, asec_apk_file)
diff --git a/system_app.te b/system_app.te
index d274ac107..a8ad762c8 100644
--- a/system_app.te
+++ b/system_app.te
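Review bot: `allow radio ctl_rildaemon_prop:property_service set;` lets the radio domain control a service through init's ctl properties — presumably the ril daemon, given the type name — but the comment `# ctl interface` names neither the service nor why the radio domain needs to start or stop it, and `allow radio alarm_device:chr_file rw_file_perms;` a few lines up has no comment at all, unlike every other rule in this hunk. Suggest `# Start/stop the ril daemon via init's ctl.* property (ctl_rildaemon_prop).` for the former and a one-line why-comment on the alarm device rule naming the radio component that opens it. This applies to the radio.te hunk only; the release_app.te and shared_app.te hunks on this line raise nothing beyond the `permissive` point already made on media_app.te.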
@@ -4,5 +4,32 @@
 # server.
 #
 type system_app, domain;
+permissive system_app;
 app_domain(system_app)
-unconfined_domain(system_app)
+
+# Perform binder IPC to any app domain.
+binder_call(system_app, appdomain)
+
+# Read and write system data files.
+# May want to split into separate types.
+allow system_app system_data_file:dir create_dir_perms;
+allow system_app system_data_file:file create_file_perms;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Write to dalvikcache.
+allow system_app dalvikcache_data_file:file { write setattr };
+
+# Talk to keystore.
+unix_socket_connect(system_app, keystore, keystore)
+
+# Read SELinux enforcing status.
+selinux_getenforce(system_app)
+
+# Settings app reads sdcard for storage stats
+allow system_app sdcard_type:dir r_dir_perms;
+
+# Allow settings app to read from asec
+allow system_app asec_apk_file:dir search;
+allow system_app asec_apk_file:file r_file_perms;
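Review bot: `allow system_app dalvikcache_data_file:file { write setattr };` permits modifying and re-attributing existing dalvik-cache files with only `# Write to dalvikcache.` as justification; since cache contents are presumably loaded by other processes, a write grant here carries more weight than the other file rules in this hunk and the comment should say which system app needs it and for what, e.g. `# Write to dalvikcache (needed by: TODO name the app and operation); note that modified cache files are picked up by whatever loads them.` The `system_data_file` rules already carry `# May want to split into separate types.`; the same caveat fits `binder_call(system_app, appdomain)`, which allows binder calls into every app domain rather than a particular peer, and could be noted there too.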