From 77d4731e9d30c8971e076e2469d6957619019921 Mon Sep 17 00:00:00 2001
From: repo sync
Date: Fri, 17 May 2013 17:11:29 -0700
Subject: [PATCH] Make all domains unconfined.

This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
---
 adbd.te | 43 ++-------
 app.te | 149 ++----------------------------
 assert.te | 52 -----------
 bluetooth.te | 35 +-------
 bluetoothd.te | 6 +-
 cts.te | 39 --------
 dbusd.te | 4 +-
 debuggerd.te | 15 +---
 dhcp.te | 25 +-----
 domain.te | 122 -------------------------
 drmserver.te | 27 +-----
 gpsd.te | 7 +-
 hci_attach.te | 6 +-
 init.te | 2 +
 init_shell.te | 15 +---
 installd.te | 22 +----
 keystore.te | 7 +-
 mediaserver.te | 48 +---------
 mtp.te | 10 +--
 net.te | 14 ---
 netd.te | 34 +------
 nfc.te | 11 +--
 ping.te | 10 +--
 ppp.te | 12 +--
 qemud.te | 2 +-
 racoon.te | 22 +---
 radio.te | 18 +---
 rild.te | 40 +-------
 runas.te | 66 +------------
 sdcardd.te | 9 +-
 servicemanager.te | 10 +--
 shell.te | 30 +------
 surfaceflinger.te | 27 +----
 system.te | 223 +--------------------------------------------
 tee.te | 8 +-
 ueventd.te | 18 +---
 unconfined.te | 2 +-
 vold.te | 69 +------------
 watchdogd.te | 7 +-
 wpa_supplicant.te | 15 +---
 zygote.te | 41 +-------
 41 files changed, 58 insertions(+), 1264 deletions(-)
 delete mode 100644 assert.te
 delete mode 100644 cts.te

diff --git a/adbd.te b/adbd.te
index 8420298a3..8f2ac302c 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,41 +1,8 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, mlstrustedsubject;
-allow adbd adb_device:chr_file rw_file_perms;
-allow adbd qemu_device:chr_file rw_file_perms;
-allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin };
-allow adbd rootfs:file { r_file_perms entrypoint };
-allow adbd init:process sigchld;
-allow adbd self:tcp_socket *;
-allow adbd self:unix_stream_socket *;
-allow adbd node:tcp_socket node_bind;
-allow adbd port:tcp_socket name_bind;
-allow adbd devpts:chr_file rw_file_perms;
-allow adbd cgroup:dir { write add_name create };
-allow adbd labeledfs:filesystem remount;
-allow adbd shell_data_file:dir rw_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-allow adbd graphics_device:dir search;
-allow adbd graphics_device:chr_file r_file_perms;
-# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
-allow adbd system_file:file rx_file_perms;
-unix_socket_connect(adbd, vold, vold)
-# Talk to init via the property socket.
-unix_socket_connect(adbd, property, init)
-
-# Run sh in its own domain.
+type adbd, domain;
+permissive adbd;
+unconfined_domain(adbd)
 domain_auto_trans(adbd, shell_exec, shell)
-# Do not sanitize the environment of the shell.
-allow adbd shell:process noatsecure;
-
-# XXX Mostly to access system properties and keys- maybe those should be their own type?
-allow adbd system_data_file:file create_file_perms;
-allow adbd system_data_file:dir create_dir_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
+# this is an entrypoint
+allow adbd rootfs:file entrypoint;
diff --git a/app.te b/app.te
index 00ec45031..fb7683183 100644
--- a/app.te
+++ b/app.te
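Review bot: `+type adbd, domain;` drops the mlstrustedsubject attribute that the replaced line carried, and the same attribute is removed from init_shell, debuggerd, drmserver, installd, mediaserver, netd and racoon in their hunks. That attribute feeds the MLS constraints, which are evaluated separately from the type-enforcement allow rules, so unless unconfined_domain() also confers it (unconfined.te is in the diffstat but its hunk is not in view) these domains can presumably still hit MLS denials on per-level data, which works against the stated goal of a denial-free base policy. If dropping it is intended, record that on the type line, e.g. `# mlstrustedsubject intentionally removed; MLS denials are expected until the domain is re-confined`.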
@@ -14,21 +14,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app shell_data_file:lnk_file read;
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-allow platform_app download_file:file rw_file_perms;
+unconfined_domain(platform_app)
 
 # Apps signed with the media key.
 type media_app, domain;
@@ -37,22 +23,7 @@ app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-# Access /dev/mtp_usb.
-allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
-# Stat /cache/backup
-allow media_app cache_backup_file:file getattr;
-allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir
-allow media_app rootfs:file r_file_perms;
-# Allow platform apps to mark platform app data files as download files
-allow media_app platform_app_data_file:dir relabelfrom;
-allow media_app download_file:dir relabelto;
+unconfined_domain(media_app)
 
 # Apps signed with the shared key.
 type shared_app, domain;
@@ -63,8 +34,7 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# ASEC
-r_dir_file(shared_app, asec_apk_file)
+unconfined_domain(shared_app)
 
 # Apps signed with the release key (testkey in AOSP).
 type release_app, domain;
@@ -75,6 +45,7 @@ platform_app_domain(release_app)
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
+unconfined_domain(release_app)
 
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -82,18 +53,7 @@ bluetooth_domain(release_app)
 type isolated_app, domain, mlstrustedsubject;
 permissive isolated_app;
 app_domain(isolated_app)
-
-#
-# Rules for platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-
+unconfined_domain(isolated_app)
 
 #
 # Untrusted apps.
@@ -103,101 +63,4 @@ permissive untrusted_app;
 app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
-allow untrusted_app tun_device:chr_file rw_file_perms;
-
-# Internal SDCard rw access.
-bool app_internal_sdcard_rw true;
-if (app_internal_sdcard_rw) {
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-}
-# External SDCard rw access.
-bool app_external_sdcard_rw true;
-if (app_external_sdcard_rw) {
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-}
-
-#
-# Rules for all app domains.
-#
-
-# Allow apps to connect to the keystore
-unix_socket_connect(appdomain, keystore, keystore)
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Communicate over a FIFO or socket created by the system_server.
-allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
-
-# Communicate over a socket created by surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-
-# App sandbox file accesses.
-allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
-
-# Read/write data files created by the platform apps if they
-# were passed to the app via binder or local IPC. Do not allow open.
-allow appdomain platform_app_data_file:file { getattr read write };
-
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute open };
-
-# Execute the shell or other system executables.
-allow appdomain shell_exec:file rx_file_perms;
-allow appdomain system_file:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { read write };
-
-# Write to /data/anr/traces.txt.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow { appdomain isolated_app } backup_data_file:file { read write };
-allow { appdomain isolated_app } cache_backup_file:file { read write };
-# Backup ability using 'adb backup'
-allow { appdomain isolated_app } system_data_file:lnk_file getattr;
-
-# Allow all applications to read downloaded files
-allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
-
-# ASEC
-allow untrusted_app asec_apk_file:dir { getattr };
-allow untrusted_app asec_apk_file:file r_file_perms;
\ No newline at end of file
+unconfined_domain(untrusted_app)
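Review bot: `+unconfined_domain(untrusted_app)` puts the least-trusted domain on the same footing as init, and nothing in the build now catches that: assert.te, whose neverallow rules would have rejected this policy, is deleted in this commit rather than adapted, so there is no longer a guard that fires as domains are re-confined. The deleted assertion `neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };` already shows the pattern for excluding unconfined domains, and the other assertions could be kept in the same form (e.g. `neverallow { appdomain -unconfineddomain } kernel:security load_policy;`) so they come back into force automatically the moment each app domain leaves unconfineddomain. The same point applies to the platform_app, media_app, shared_app, release_app and isolated_app hunks earlier in this file.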
diff --git a/assert.te b/assert.te
deleted file mode 100644
index 6e43519c8..000000000
--- a/assert.te
+++ /dev/null
@@ -1,52 +0,0 @@
-# Policy assertions.
-# These neverallow rules are checked by checkpolicy at policy build time.
-# checkpolicy will refuse to generate the kernel policy if any of these
-# assertions fail.
-
-# Superuser capabilities.
-# Only exception is sys_nice for binder, might not be necessary.
-neverallow { appdomain -bluetooth } self:capability ~sys_nice;
-neverallow bluetooth self:capability ~{ sys_nice net_admin };
-neverallow appdomain self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Kernel memory access.
-neverallow appdomain kmem_device:chr_file { read write };
-
-# Setting SELinux enforcing status or booleans.
-# Conditionally allowed to system_app for SEAndroidManager.
-neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
-
-# Load security policy.
-neverallow appdomain kernel:security load_policy;
-
-# Privileged netlink socket interfaces.
-neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
-
-# Access to /proc/pid entries for any non-app domain.
-# Violated by cts.te rules so commented out for now.
-#neverallow appdomain { domain - appdomain }:dir search;
-#neverallow appdomain { domain - appdomain }:lnk_file read;
-#neverallow appdomain { domain - appdomain }:file { read write };
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Transition to a non-app domain.
-# Shell excluded since it has a transition to runas.
-neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
-
-# Map low memory.
-neverallow appdomain self:memprotect mmap_zero;
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set write;
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;
diff --git a/bluetooth.te b/bluetooth.te
index e87065a4b..3b7330475 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,37 +2,4 @@
 type bluetooth, domain;
 permissive bluetooth;
 app_domain(bluetooth)
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-
-# bluetooth factory file accesses.
-r_dir_file(bluetooth, bluetooth_efs_file)
-
-# Device accesses.
-allow bluetooth { hci_attach_dev }:chr_file rw_file_perms;
-allow bluetooth input_device:chr_file write;
-
-# sysfs access.
-allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow bluetooth self:capability net_admin;
-
-# Other domains that can create and use bluetooth sockets.
-# SELinux does not presently define a specific socket class for
-# bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
-allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
-
-# tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
-allow bluetooth efs_file:dir search;
-
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
-# Property Service
-allow bluetooth bluetooth_prop:property_service set;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+unconfined_domain(bluetooth)
diff --git a/bluetoothd.te b/bluetoothd.te
index 17660384a..a63dfa36f 100644
--- a/bluetoothd.te
+++ b/bluetoothd.te
@@ -4,8 +4,4 @@ permissive bluetoothd;
 type bluetoothd_exec, exec_type, file_type;
 
 init_daemon_domain(bluetoothd)
-allow bluetoothd self:capability { setuid net_raw net_bind_service net_admin };
-allow bluetoothd self:socket *;
-allow bluetoothd bluetoothd_data_file:dir create_dir_perms;
-allow bluetoothd bluetoothd_data_file:file create_file_perms;
-unix_socket_connect(bluetoothd, dbus, dbusd)
+unconfined_domain(bluetoothd)
diff --git a/cts.te b/cts.te
deleted file mode 100644
index 1963e0754..000000000
--- a/cts.te
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# Rules to allow the Android CTS to run.
-# Do not enable in production policy.
-#
-
-bool android_cts false;
-if (android_cts) {
-# For TestDeviceSetup (RootProcessScanner).
-# Reads /proc/pid/status and statm entries to check that
-# no unexpected root processes are running.
-# Also for android.security.cts.VoldExploitTest.
-# Requires ability to read /proc/pid/cmdline of vold.
-allow appdomain domain:dir r_dir_perms;
-allow appdomain domain:{ file lnk_file } r_file_perms;
-
-# Will still fail when trying to read other app /proc/pid
-# entries due to MLS constraints. Just silence the denials.
-dontaudit appdomain appdomain:dir r_dir_perms;
-dontaudit appdomain appdomain:file r_file_perms;
-
-# For android.permission.cts.FileSystemPermissionTest.
-# Walk the file tree, stat any file in order to check file permissions.
-allow appdomain fs_type:dir r_dir_perms;
-allow appdomain dev_type:dir r_dir_perms;
-allow appdomain file_type:dir_file_class_set getattr;
-allow appdomain dev_type:dir_file_class_set getattr;
-allow appdomain fs_type:dir_file_class_set getattr;
-
-# Tries to open /dev/alarm for writing but expects failure.
-dontaudit appdomain alarm_device:chr_file write;
-
-# For android.security.cts.VoldExploitTest.
-# Tries to create and use a netlink kobject uevent socket
-# to test for a vulnerable vold.
-dontaudit appdomain self:netlink_kobject_uevent_socket create;
-
-# Tries to override DAC restrictions but expects to fail.
-dontaudit shell self:capability dac_override;
-}
diff --git a/dbusd.te b/dbusd.te
index 56b1d75ab..8e9db8fcf 100644
--- a/dbusd.te
+++ b/dbusd.te
@@ -4,6 +4,4 @@ permissive dbusd;
 type dbusd_exec, exec_type, file_type;
 
 init_daemon_domain(dbusd)
-# Reads /proc/pid/cmdline of clients
-r_dir_file(dbusd, system)
-r_dir_file(dbusd, bluetoothd)
+unconfined_domain(dbusd)
diff --git a/debuggerd.te b/debuggerd.te
index 131c56c52..f78b9028c 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -4,17 +4,4 @@ permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
-typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
-allow debuggerd self:capability2 { syslog };
-allow debuggerd domain:dir r_dir_perms;
-allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
-security_access_policy(debuggerd)
-allow debuggerd system_data_file:dir create_dir_perms;
-allow debuggerd system_data_file:dir relabelfrom;
-allow debuggerd tombstone_data_file:dir relabelto;
-allow debuggerd tombstone_data_file:dir create_dir_perms;
-allow debuggerd tombstone_data_file:file create_file_perms;
-allow debuggerd domain:process { sigstop signal };
-allow debuggerd exec_type:file r_file_perms;
+unconfined_domain(debuggerd)
diff --git a/dhcp.te b/dhcp.te
index a6e2036ba..4fe24e70a 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -6,29 +6,6 @@ type dhcp_system_file, file_type, data_file_type;
 
 init_daemon_domain(dhcp)
 net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-allow dhcp proc:file write;
-allow dhcp system_prop:property_service set ;
-allow dhcp dhcp_system_file:file rx_file_perms;
-allow dhcp dhcp_system_file:dir r_dir_perms;
-unix_socket_connect(dhcp, property, init)
+unconfined_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
-# netdev-bt-pan driver loading
-allow dhcp kernel:system module_request;
-
-allow dhcp tty_device:chr_file { rw_file_perms };
 
diff --git a/domain.te b/domain.te
index a4a06d554..e69de29bb 100644
--- a/domain.te
+++ b/domain.te
@@ -1,122 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Read access to properties mapping.
-allow domain kernel:fd use;
-allow domain tmpfs:file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain tmpfs:dir r_dir_perms;
-
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
-# Intra-domain accesses.
-allow domain self:process ~{ execstack execheap };
-allow domain self:fd use;
-allow domain self:dir r_dir_perms;
-allow domain self:lnk_file r_file_perms;
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-allow domain system:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-allow domain adbd:unix_stream_socket connectto;
-allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr read write shutdown };
-
-# Talk to debuggerd.
-allow domain debuggerd:process sigchld;
-allow domain debuggerd:unix_stream_socket connectto;
-
-# Root fs.
-allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file read;
-allow domain devpts:dir search;
-allow domain device:file read;
-allow domain socket_device:dir search;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file r_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
-allow domain binder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain powervr_device:chr_file rw_file_perms;
-allow domain log_device:dir search;
-allow domain log_device:chr_file rw_file_perms;
-allow domain nv_device:chr_file rw_file_perms;
-allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file r_file_perms;
-allow domain random_device:chr_file r_file_perms;
-allow domain properties_device:file r_file_perms;
-
-# Filesystem accesses.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# System file accesses.
-allow domain system_file:dir r_dir_perms;
-allow domain system_file:file r_file_perms;
-allow domain system_file:file execute;
-allow domain system_file:lnk_file read;
-
-# Read files already opened under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file read;
-
-# Read apk files under /data/app.
-allow domain apk_data_file:dir search;
-allow domain apk_data_file:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain dalvikcache_data_file:dir { search getattr };
-allow domain dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain cache_file:dir r_dir_perms;
-allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file read;
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain ion_device:chr_file rw_file_perms;
-
-# For /sys/qemu_trace files in the emulator.
-bool in_qemu false;
-if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
-}
-allow domain sysfs_writable:file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain, proc)
-r_dir_file(domain, sysfs)
-r_dir_file(domain, inotify)
-r_dir_file(domain, cgroup)
-
-# debugfs access
-bool debugfs false;
-if (debugfs) {
-allow domain debugfs:dir r_dir_perms;
-allow domain debugfs:file rw_file_perms;
-} else {
-dontaudit domain debugfs:dir r_dir_perms;
-dontaudit domain debugfs:file rw_file_perms;
-}
-
-# security files
-allow domain security_file:dir { search getattr };
-allow domain security_file:file getattr;
diff --git a/drmserver.te b/drmserver.te
index 79f86137d..c9fc5f666 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -4,29 +4,4 @@ permissive drmserver;
 type drmserver_exec, exec_type, file_type;
 
 init_daemon_domain(drmserver)
-typeattribute drmserver mlstrustedsubject;
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system)
-binder_call(drmserver, appdomain)
-binder_service(drmserver)
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-# Talk to the tee
-allow drmserver tee:unix_stream_socket { connectto };
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
-allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver app_data_file:file { read write getattr };
-allow drmserver apk_data_file:dir { write add_name remove_name };
-allow drmserver apk_data_file:sock_file { create setattr unlink };
-allow drmserver sdcard_type:file { read write getattr };
-allow drmserver efs_file:file { open read getattr };
+unconfined_domain(drmserver)
diff --git a/gpsd.te b/gpsd.te
index a7b2f1e36..6d6fbd75a 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -5,13 +5,8 @@ type gpsd_exec, exec_type, file_type;
 
 init_daemon_domain(gpsd)
 net_domain(gpsd)
-allow gpsd gps_data_file:dir rw_dir_perms;
-allow gpsd gps_data_file:notdevfile_class_set create_file_perms;
+unconfined_domain(gpsd)
 # Socket is created by the daemon, not by init, and under /data/gps,
 # not under /dev/socket.
 type_transition gpsd gps_data_file:sock_file gps_socket;
-allow gpsd gps_socket:sock_file create_file_perms;
-# XXX Label sysfs files with a specific type?
-allow gpsd sysfs:file rw_file_perms;
-allow gpsd gps_device:chr_file rw_file_perms;
 
diff --git a/hci_attach.te b/hci_attach.te
index 2a55d512b..15b73ffee 100644
--- a/hci_attach.te
+++ b/hci_attach.te
@@ -3,8 +3,4 @@ permissive hci_attach;
 type hci_attach_exec, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
-
-allow hci_attach kernel:system module_request;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach bluetooth_efs_file:dir r_dir_perms;
-allow hci_attach bluetooth_efs_file:file r_file_perms;
+unconfined_domain(hci_attach)
diff --git a/init.te b/init.te
index 9c1c8ce94..5b7463e93 100644
--- a/init.te
+++ b/init.te
@@ -4,3 +4,5 @@ permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
+# add a rule to handle unlabelled mounts
+allow init unlabeled:filesystem mount;
diff --git a/init_shell.te b/init_shell.te
index a2f6a3c5c..900826efe 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,14 +1,5 @@
 # Restricted domain for shell processes spawned by init
-type init_shell, domain, mlstrustedsubject;
+type init_shell, domain;
+permissive init_shell;
 domain_auto_trans(init, shell_exec, init_shell)
-allow init_shell rootfs:dir r_dir_perms;
-allow init_shell devpts:chr_file rw_file_perms;
-allow init_shell tty_device:chr_file rw_file_perms;
-allow init_shell console_device:chr_file rw_file_perms;
-allow init_shell input_device:chr_file rw_file_perms;
-allow init_shell system_file:file x_file_perms;
-allow init_shell shell_exec:file rx_file_perms;
-allow init_shell zygote_exec:file rx_file_perms;
-
-# setprop toolbox command
-unix_socket_connect(init_shell, property, init)
+unconfined_domain(init_shell)
diff --git a/installd.te b/installd.te
index 2b983db12..4ad5513c5 100644
--- a/installd.te
+++ b/installd.te
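Review bot: `+allow init unlabeled:filesystem mount;` is unrelated to the commit's subject and sits directly below `unconfined_domain(init)`; if the unconfined macro already grants init filesystem permissions the rule is redundant, and if it does not, the comment should say which mount carries the unlabeled type so the rule can be narrowed later rather than kept as a standing exception. The comment also spells `unlabelled` while the type is `unlabeled`; something like `# init mounts a filesystem that still carries the unlabeled type (TODO: name the mount point)` would be clearer. A rule with its own justification like this is better landed as a separate change.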
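Review bot: The retained header `# Restricted domain for shell processes spawned by init` is now contradicted by `+permissive init_shell;` and `+unconfined_domain(init_shell)` a few lines below it, so a reader of the new file is told the opposite of what the rules do. Rewrite it as `# Domain for shell processes spawned by init (currently permissive and unconfined; to be restricted incrementally)` so the comment and the rules agree.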
@@ -4,24 +4,4 @@ permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
-typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd system_data_file:file create_file_perms;
-allow installd system_data_file:lnk_file create;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd data_file_type:dir create_dir_perms;
-allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file } { getattr unlink };
-allow installd apk_data_file:file r_file_perms;
-allow installd apk_tmp_file:file r_file_perms;
-allow installd system_file:file x_file_perms;
-allow installd cgroup:dir create_dir_perms;
-dontaudit installd self:capability sys_admin;
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
-# ASEC
-allow installd platform_app_data_file:lnk_file { create setattr };
-allow installd app_data_file:lnk_file { create setattr };
-allow installd asec_apk_file:file r_file_perms;
+unconfined_domain(installd)
diff --git a/keystore.te b/keystore.te
index e6eacf0f9..d438cfa41 100644
--- a/keystore.te
+++ b/keystore.te
@@ -4,9 +4,4 @@ type keystore_exec, exec_type, file_type;
 
 # keystore daemon
 init_daemon_domain(keystore)
-binder_use(keystore)
-binder_service(keystore)
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-allow keystore tee_device:chr_file rw_file_perms;
+unconfined_domain(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 7d2b9cb55..a8e78d21e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -3,52 +3,6 @@ type mediaserver, domain;
 permissive mediaserver;
 type mediaserver_exec, exec_type, file_type;
-typeattribute mediaserver mlstrustedsubject;
-
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
-
-r_dir_file(mediaserver, sdcard_type)
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver kernel:system module_request;
-allow mediaserver app_data_file:dir search;
-allow mediaserver app_data_file:file rw_file_perms;
-allow mediaserver platform_app_data_file:file { getattr read };
-allow mediaserver sdcard_type:file write;
-allow mediaserver camera_device:chr_file rw_file_perms;
-allow mediaserver graphics_device:chr_file rw_file_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver audio_device:chr_file rw_file_perms;
-allow mediaserver qemu_device:chr_file rw_file_perms;
-allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
-
-# XXX Label with a specific type?
-allow mediaserver sysfs:file rw_file_perms;
-
-# XXX Why?
-allow mediaserver apk_data_file:file { read getattr };
-
-# To use remote processor
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system:fifo_file r_file_perms;
-
-# Camera calibration
-allow mediaserver camera_calibration_file:dir r_dir_perms;
-allow mediaserver camera_calibration_file:file r_file_perms;
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow mediaserver rild:unix_stream_socket { connectto read write setopt };
+unconfined_domain(mediaserver)
 
diff --git a/mtp.te b/mtp.te
index 4331cbfad..eb893268e 100644
--- a/mtp.te
+++ b/mtp.te
@@ -5,12 +5,4 @@ type mtp_exec, exec_type, file_type;
 
 init_daemon_domain(mtp)
 net_domain(mtp)
-
-# pptp policy
-allow mtp self:tcp_socket { create setopt connect write read };
-allow mtp self:socket { create connect };
-allow mtp self:rawip_socket create;
-allow mtp self:capability net_raw;
-allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
-allow mtp vpn_data_file:dir search;
+unconfined_domain(mtp)
diff --git a/net.te b/net.te
index b10cecdaa..7e00ed845 100644
--- a/net.te
+++ b/net.te
@@ -2,17 +2,3 @@
 type node, node_type;
 type netif, netif_type;
 type port, port_type;
-
-# Use network sockets.
-allow netdomain self:{ tcp_socket udp_socket } *;
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
-# Get route information.
-allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/netd.te b/netd.te
index 297f57031..6f294edb4 100644
--- a/netd.te
+++ b/netd.te
@@ -1,38 +1,8 @@
 # network manager
 type netd, domain;
-permissive netd;
 type netd_exec, exec_type, file_type;
+permissive netd;
+unconfined_domain(netd)
 
 init_daemon_domain(netd)
-typeattribute netd mlstrustedsubject;
-allow netd self:capability { net_admin net_raw sys_module kill };
-allow netd self:netlink_kobject_uevent_socket *;
-allow netd self:netlink_route_socket *;
-allow netd self:netlink_nflog_socket *;
-allow netd self:rawip_socket *;
-allow netd self:udp_socket *;
-allow netd node:udp_socket node_bind;
-allow netd port:udp_socket name_bind;
-allow netd self:unix_stream_socket *;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-allow netd devpts:chr_file rw_file_perms;
-
-# For /proc/sys/net/ipv[46]/route/flush.
-# XXX Split /proc/sys/net into its own type.
-allow netd proc:file write;
-
-# For /sys/modules/bcmdhd/parameters/firmware_path
-# XXX Split into its own type.
-allow netd sysfs:file write;
-
-# Network driver loading.
-allow netd kernel:system module_request;
-
-# Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd system_prop:property_service set;
-
-# Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
-allow netd dhcp:process signal;
diff --git a/nfc.te b/nfc.te
index efb1a14b5..f5432f186 100644
--- a/nfc.te
+++ b/nfc.te
@@ -2,13 +2,4 @@
 type nfc, domain;
 permissive nfc;
 app_domain(nfc)
-
-# NFC device access.
-allow nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-
-allow nfc sysfs_nfc_power_writable:file rw_file_perms;
-allow nfc sysfs:file write;
+unconfined_domain(nfc)
diff --git a/ping.te b/ping.te
index df9e624ac..3c6254a3d 100644
--- a/ping.te
+++ b/ping.te
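Review bot: `+unconfined_domain(netd)` is placed before `init_daemon_domain(netd)`, and `-permissive netd;` / `+permissive netd;` moves the permissive declaration below the `type netd_exec` line, whereas every other daemon file in this commit leaves `permissive` with the type declarations and appends `unconfined_domain()` after `init_daemon_domain()`. Dropping the permissive move and adding only `unconfined_domain(netd)` after `init_daemon_domain(netd)` makes this hunk a one-line change like its siblings, which is easier to revert file by file when netd is re-confined.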
@@ -2,12 +2,4 @@ type ping, domain;
 permissive ping;
 type ping_exec, file_type;
 domain_auto_trans(shell, ping_exec, ping)
-
-allow ping self:capability net_raw;
-allow ping self:rawip_socket create_socket_perms;
-allow ping self:udp_socket create_socket_perms;
-allow ping node:rawip_socket node_bind;
-allow ping dnsproxyd_socket:sock_file write;
-allow ping netd:unix_stream_socket connectto;
-allow ping devpts:chr_file rw_file_perms;
-allow ping shell:fd use;
+unconfined_domain(ping)
diff --git a/ppp.te b/ppp.te
index 85d37a7a2..3387cde2f 100644
--- a/ppp.te
+++ b/ppp.te
@@ -4,15 +4,5 @@ permissive ppp;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 type ppp_system_file, file_type;
-
+unconfined_domain(ppp)
 domain_auto_trans(mtp, ppp_exec, ppp)
-
-allow ppp mtp:socket { read write ioctl };
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp self:udp_socket { create ioctl };
-allow ppp ppp_system_file:dir search;
-allow ppp ppp_system_file:file rx_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/qemud.te b/qemud.te
index ab99291b2..1266e1fd9 100644
--- a/qemud.te
+++ b/qemud.te
@@ -4,4 +4,4 @@ permissive qemud;
 type qemud_exec, exec_type, file_type;
 init_daemon_domain(qemud)
-allow qemud serial_device:chr_file rw_file_perms;
+unconfined_domain(qemud)
\ No newline at end of file
diff --git a/racoon.te b/racoon.te
index 4cebb7bd2..2d3afb81e 100644
--- a/racoon.te
+++ b/racoon.te
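Review bot: `+unconfined_domain(qemud)` is written without a terminating newline (the `\ No newline at end of file` marker follows it), and the radio.te hunk below ends `+unconfined_domain(radio)` the same way, while every other file touched by this patch keeps its trailing newline. Terminate both lines with a newline so the next rule appended to either file does not show up as a modification of this line in a future diff.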
@@ -3,24 +3,4 @@ type racoon, domain;
 permissive racoon;
 type racoon_exec, exec_type, file_type;
-init_daemon_domain(racoon)
-typeattribute racoon mlstrustedsubject;
-
-binder_call(racoon, servicemanager)
-binder_call(racoon, keystore)
-
-allow racoon tun_device:chr_file r_file_perms;
-allow racoon cgroup:dir { add_name create };
-allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
-
-allow racoon self:{ key_socket udp_socket } create_socket_perms;
-allow racoon self:tun_socket create;
-allow racoon self:capability { net_admin net_bind_service net_raw setuid };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon ppp_system_file:file rx_file_perms;
-allow racoon ppp_system_file:dir search;
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
+unconfined_domain(racoon)
diff --git a/radio.te b/radio.te
index 9de8aba22..6d569b07c 100644
--- a/radio.te
+++ b/radio.te
@@ -5,20 +5,4 @@ app_domain(radio)
 net_domain(radio)
 bluetooth_domain(radio)
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
-# Talks to rild via the rild socket.
-unix_socket_connect(radio, rild, rild)
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-
-allow radio alarm_device:chr_file rw_file_perms;
-
-# Property service
-allow radio radio_prop:property_service set;
-
-# ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+unconfined_domain(radio)
\ No newline at end of file
diff --git a/rild.te b/rild.te
index c2fcda91e..1721fb170 100644
--- a/rild.te
+++ b/rild.te
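Review bot: `-init_daemon_domain(racoon)` removes the init-to-racoon domain transition together with the allow rules, whereas every other daemon in this patch (mtp, netd, ppp, qemud, rild, sdcardd, servicemanager, surfaceflinger, vold, wpa, zygote) keeps its `init_daemon_domain()` call and only swaps the allow rules for `unconfined_domain()`. Unless the transition is declared somewhere not shown here, racoon would no longer enter its own domain when init starts it and the `permissive racoon;` / `unconfined_domain(racoon)` lines would apply to nothing. Restore it alongside the new macro: `init_daemon_domain(racoon)` then `unconfined_domain(racoon)`.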
@@ -5,42 +5,4 @@ type rild_exec, exec_type, file_type;
 init_daemon_domain(rild)
 net_domain(rild)
-allow rild self:netlink_route_socket { setopt write };
-allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
-unix_socket_connect(rild, qemud, qemud)
-allow rild self:capability { setuid net_admin net_raw };
-allow rild alarm_device:chr_file rw_file_perms;
-allow rild cgroup:dir create_dir_perms;
-allow rild radio_device:chr_file rw_file_perms;
-allow rild radio_device:blk_file r_file_perms;
-allow rild qemu_device:chr_file rw_file_perms;
-allow rild mtd_device:dir search;
-allow rild efs_file:dir create_dir_perms;
-allow rild efs_file:file create_file_perms;
-allow rild shell_exec:file rx_file_perms;
-allow rild bluetooth_efs_file:file r_file_perms;
-allow rild bluetooth_efs_file:dir r_dir_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-allow rild sdcard_type:dir r_dir_perms;
-allow rild system_data_file:dir create_dir_perms;
-allow rild system_data_file:file create_file_perms;
-allow rild system_file:file x_file_perms;
-dontaudit rild self:capability sys_admin;
-# XXX Label sysfs files with a specific type?
-allow rild sysfs:file rw_file_perms;
-
-# property service
-allow rild rild_prop:property_service set;
-allow rild radio_prop:property_service set;
-
-# Read/Write to uart driver (for GPS)
-allow rild gps_device:chr_file rw_file_perms;
-
-allow rild tty_device:chr_file rw_file_perms;
-
-# Allow rild to create, bind, read, write to itself through a netlink socket
-allow rild self:netlink_socket { create bind read write };
-
-allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+unconfined_domain(rild)
diff --git a/runas.te b/runas.te
index 8bb2d03f5..50295a9b9 100644
--- a/runas.te
+++ b/runas.te
@@ -1,67 +1,7 @@
-type runas, domain, mlstrustedsubject;
+type runas, domain;
 type runas_exec, file_type;
-
-bool support_runas true;
-
-if (support_runas) {
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shell, untrusted_app)
-dontaudit shell domain:dir r_dir_perms;
-dontaudit shell domain:file r_file_perms;
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shell app_data_file:dir search;
-
-# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
-allow shell untrusted_app:process sigkill;
-dontaudit shell self:capability { sys_ptrace kill };
+permissive runas;
+unconfined_domain(runas)
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
-allow runas adbd:process sigchld;
-allow runas shell:fd use;
-allow runas devpts:chr_file { read write ioctl };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
-
-# run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
-selinux_check_context(runas) # validate context
-allow runas untrusted_app:process dyntransition; # setcon
-
-# run-as runs lib/gdbserver from the app data dir.
-allow untrusted_app system_data_file:file rx_file_perms;
-
-# gdbserver reads the zygote.
-allow untrusted_app zygote_exec:file r_file_perms;
-
-# (grand)child death notification.
-allow untrusted_app shell:process sigchld;
-allow untrusted_app adbd:process sigchld;
-
-# child shell or gdbserver pty access.
-allow untrusted_app devpts:chr_file { getattr read write ioctl };
-
-# gdbserver creates a socket in the app data dir.
-allow untrusted_app app_data_file:sock_file { create unlink };
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd untrusted_app:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-}
diff --git a/sdcardd.te b/sdcardd.te
index 3e556c3a5..32e686cd1 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -3,11 +3,4 @@ permissive sdcardd;
 type sdcardd_exec, exec_type, file_type;
 init_daemon_domain(sdcardd)
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton;
-allow sdcardd sdcard_type:filesystem mount;
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
-allow sdcardd system_data_file:dir create_dir_perms;
-allow sdcardd system_data_file:file create_file_perms;
+unconfined_domain(sdcardd)
diff --git a/servicemanager.te b/servicemanager.te
index dc0f15e13..80ed9dfeb 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -4,12 +4,4 @@ permissive servicemanager;
 type servicemanager_exec, exec_type, file_type;
 init_daemon_domain(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder transfer;
+unconfined_domain(servicemanager)
diff --git a/shell.te b/shell.te
index 78702077c..89bc9becb 100644
--- a/shell.te
+++ b/shell.te
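Review bot: Dropping `-allow servicemanager self:binder set_context_mgr;` from servicemanager.te is what makes the unconfined.te hunk further down widen `allow unconfineddomain domain:binder { call transfer }` to `{ call transfer set_context_mgr }`, so every unconfined domain, not only servicemanager, is now permitted to register as the Binder context manager. The removed comment block explained exactly why this permission was unique to servicemanager; keeping that comment and the single `allow servicemanager self:binder set_context_mgr;` line next to `unconfined_domain(servicemanager)` would let unconfined.te stay at `{ call transfer }` and leave one fewer rule to remove when the domains are tightened again. The same point applies to the unconfined.te hunk, which is not annotated separately.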
@@ -1,34 +1,8 @@
 # Domain for shell processes spawned by ADB
-type shell, domain, mlstrustedsubject;
+type shell, domain;
 type shell_exec, file_type;
-allow shell rootfs:dir r_dir_perms;
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-allow shell input_device:chr_file rw_file_perms;
-allow shell system_file:file x_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-
-# Access sdcard.
-allow shell sdcard_type:dir rw_dir_perms;
-allow shell sdcard_type:file create_file_perms;
-
-r_dir_file(shell, apk_data_file)
-allow shell dalvikcache_data_file:file { write setattr };
+unconfined_domain(shell)
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
-
-# Property Service
-allow shell shell_prop:property_service set;
-
-# setprop toolbox command
-unix_socket_connect(shell, property, init)
-
-# ctl interface
-allow shell ctl_dumpstate_prop:property_service set;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 4244d01ed..ba66b83b1 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
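Review bot: `+unconfined_domain(shell)` is added without a `permissive shell;` declaration, whereas the runas, netd, tee, system and zygote hunks in this patch all pair the macro with a `permissive` line, so shell is the one domain here that will actually be enforced against whatever unconfined_domain happens to cover. If that is intentional, a comment above the macro such as `# shell stays enforcing on purpose; it relies solely on unconfined_domain rules.` would stop the next editor from "fixing" the inconsistency; if not, add `permissive shell;` after `type shell, domain;` like the other files.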
@@ -4,32 +4,7 @@ permissive surfaceflinger;
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
-typeattribute surfaceflinger mlstrustedsubject;
+unconfined_domain(surfaceflinger)
 # Talk to init over the property socket.
 unix_socket_connect(surfaceflinger, property, init)
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, system)
-binder_service(surfaceflinger)
-allow surfaceflinger init:binder transfer;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket *;
-
-# Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_default_prop:property_service set;
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger platform_app_data_file:file { read write };
-allow surfaceflinger app_data_file:file { read write };
diff --git a/system.te b/system.te
index cef5ceed2..fc76cd4fe 100644
--- a/system.te
+++ b/system.te
@@ -1,226 +1,11 @@
-#
-# Apps that run with the system UID, e.g. com.android.system.ui,
-# com.android.settings. These are not as privileged as the system
-# server.
-#
 type system_app, domain;
 permissive system_app;
 app_domain(system_app)
+unconfined_domain(system_app)
-# Perform binder IPC to any app domain.
-binder_call(system_app, appdomain)
-
-# Read and write system data files.
-# May want to split into separate types.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Write to dalvikcache.
-allow system_app dalvikcache_data_file:file { write setattr };
-
-# Talk to keystore.
-unix_socket_connect(system_app, keystore, keystore)
-
-# Read SELinux enforcing status.
-selinux_getenforce(system)
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system, domain, mlstrustedsubject;
-
-# Child of the zygote.
-allow system zygote:fd use;
-allow system zygote:process sigchld;
-allow system zygote_tmpfs:file read;
-
-# system server gets network and bluetooth permissions.
-net_domain(system)
-bluetooth_domain(system)
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-# XXX See if we can remove some of these.
-allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
-
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system self:capability sys_ptrace;
-
-# Trigger module auto-load.
-allow system kernel:system module_request;
-
-# Use netlink uevent sockets.
-allow system self:netlink_kobject_uevent_socket *;
-
-# Kill apps.
-allow system appdomain:process { sigkill signal };
-
-# Set scheduling info for apps.
-allow system appdomain:process { getsched setsched };
-allow system mediaserver:process { getsched setsched };
-
-# Read /proc data for apps.
-allow system appdomain:dir r_dir_perms;
-allow system appdomain:{ file lnk_file } rw_file_perms;
-
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system qtaguid_proc:file rw_file_perms;
-allow system qtaguid_device:chr_file rw_file_perms;
-
-# WifiWatchdog uses a packet_socket
-allow system self:packet_socket *;
-
-# Notify init of death.
-allow system init:process sigchld;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system self:tun_socket create;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system, property, init)
-unix_socket_connect(system, qemud, qemud)
-unix_socket_connect(system, installd, installd)
-unix_socket_connect(system, netd, netd)
-unix_socket_connect(system, vold, vold)
-unix_socket_connect(system, zygote, zygote)
-unix_socket_connect(system, keystore, keystore)
-unix_socket_connect(system, dbus, dbusd)
-unix_socket_connect(system, gps, gpsd)
-unix_socket_connect(system, bluetooth, bluetoothd)
-unix_socket_connect(system, racoon, racoon)
-unix_socket_send(system, wpa, wpa)
-unix_socket_send(system, wpa, init)
-
-# Communicate over a socket created by surfaceflinger.
-allow system surfaceflinger:unix_stream_socket { read write setopt };
-
-# Perform Binder IPC.
-tmpfs_domain(system)
-binder_use(system)
-binder_call(system, binderservicedomain)
-binder_call(system, appdomain)
-binder_service(system)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(system, appdomain)
-r_dir_file(system, mediaserver)
-allow system appdomain:process getattr;
-allow system mediaserver:process getattr;
-
-# Specify any arguments to zygote.
-allow system self:zygote *;
-
-# Check SELinux permissions.
-selinux_check_access(system)
-
-# XXX Label sysfs files with a specific type?
-allow system sysfs:file rw_file_perms;
-allow system sysfs_nfc_power_writable:file rw_file_perms;
-
-# Access devices.
-allow system device:dir r_dir_perms;
-allow system device:sock_file rw_file_perms;
-allow system akm_device:chr_file rw_file_perms;
-allow system accelerometer_device:chr_file rw_file_perms;
-allow system alarm_device:chr_file rw_file_perms;
-allow system graphics_device:dir search;
-allow system graphics_device:chr_file rw_file_perms;
-allow system iio_device:chr_file rw_file_perms;
-allow system input_device:dir r_dir_perms;
-allow system input_device:chr_file rw_file_perms;
-allow system tty_device:chr_file rw_file_perms;
-allow system urandom_device:chr_file rw_file_perms;
-allow system usbaccessory_device:chr_file rw_file_perms;
-allow system video_device:chr_file rw_file_perms;
-allow system qemu_device:chr_file rw_file_perms;
-allow system devpts:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system tun_device:chr_file rw_file_perms;
-
-# Manage data files.
-allow system data_file_type:dir create_dir_perms;
-allow system data_file_type:notdevfile_class_set create_file_perms;
-
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system)
-
-# Relabel apk files.
-allow system { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
-allow system { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system system_data_file:file relabelfrom;
-allow system wallpaper_file:file relabelto;
-allow system wallpaper_file:file rw_file_perms;
-
-# Relabel /data/anr.
-allow system system_data_file:dir relabelfrom;
-allow system anr_data_file:dir relabelto;
-
-# Property Service write
-allow system system_prop:property_service set;
-allow system radio_prop:property_service set;
-
-# ctl interface
-allow system ctl_default_prop:property_service set;
+type system, domain;
+permissive system;
+unconfined_domain(system);
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
-allow system system_wpa_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system cache_file:dir { relabelfrom create_dir_perms };
-allow system cache_file:file { relabelfrom create_file_perms };
-
-# Run system programs, e.g. dexopt.
-allow system system_file:file x_file_perms;
-
-# Allow reading of /proc/pid data for other domains.
-# XXX dontaudit candidate
-allow system domain:dir r_dir_perms;
-allow system domain:file r_file_perms;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system gps_device:chr_file rw_file_perms;
-allow system gps_control:file rw_file_perms;
-
-# system Read/Write tcp/udp_socket of untrusted_app
-allow system appdomain:{ tcp_socket udp_socket } { setopt read write };
-
-# Allow abstract socket connection
-allow system rild:unix_stream_socket connectto;
-
-# connect to vpn tunnel
-allow system mtp:unix_stream_socket { connectto };
-
-# BackupManagerService lets PMS create a data backup file
-allow system cache_backup_file:file create_file_perms;
-# Relabel /data/backup
-allow system backup_data_file:dir { relabelto relabelfrom };
-# Relabel /cache/.*\.{data|restore}
-allow system cache_backup_file:file { relabelto relabelfrom };
-# LocalTransport creates and relabels /cache/backup
-allow system cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
-
-# Allow system to talk to usb device
-allow system usb_device:chr_file rw_file_perms;
-allow system usb_device:dir r_dir_perms;
-
-# Allow system to talk to sensors
-allow system sensors_device:chr_file rw_file_perms;
-
-# Allow system to search the /sys/devices/system/cpu directory
-allow system sysfs_devices_system_cpu:dir search;
-
-# Allow system to write to the adbd_socket
-allow system adbd_socket:sock_file write;
diff --git a/tee.te b/tee.te
index dad3505c6..79f8d13cf 100644
--- a/tee.te
+++ b/tee.te
@@ -2,14 +2,10 @@
 # trusted execution environment (tee) daemon
 #
 type tee, domain;
-permissive tee;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
+permissive tee;
+unconfined_domain(netd)
 init_daemon_domain(tee)
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir { getattr write add_name };
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket { create bind read };
diff --git a/ueventd.te b/ueventd.te
index 271718281..6e1a4a82b 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -3,21 +3,5 @@ type ueventd, domain;
 permissive ueventd;
 tmpfs_domain(ueventd)
-write_klog(ueventd)
-security_access_policy(ueventd)
+unconfined_domain(ueventd)
 allow ueventd rootfs:file entrypoint;
-allow ueventd init:process sigchld;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
-allow ueventd device:file create_file_perms;
-allow ueventd device:chr_file rw_file_perms;
-allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs:file setattr;
-allow ueventd sysfs_type:file { relabelfrom relabelto };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { create setattr unlink };
-allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket *;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
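Review bot: `+unconfined_domain(system);` in system.te carries a trailing semicolon that none of the other `unconfined_domain(...)` invocations in this patch have; the macro already expands to complete policy statements, so the extra `;` is at best an empty statement and, depending on how the policy compiler treats it, may be rejected outright. Drop it so the line reads `unconfined_domain(system)`, matching `unconfined_domain(system_app)` a few lines above in the same hunk.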
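Review bot: `+unconfined_domain(netd)` in tee.te names the wrong domain: this file declares `type tee, domain;`, and netd already receives `unconfined_domain(netd)` in its own hunk above, so tee itself ends up with no allow rules at all. Because `permissive tee;` is kept, that will not break the daemon, but every access it makes will be logged as a denial instead of being covered by the unconfined rules like the other domains in this patch. The line should read `unconfined_domain(tee)`.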
diff --git a/unconfined.te b/unconfined.te
index af60be864..3dbfb59d0 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,5 +19,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer };
+allow unconfineddomain domain:binder { call transfer set_context_mgr };
 allow unconfineddomain property_type:property_service set;
diff --git a/vold.te b/vold.te
index fa76a55f2..e91d6c39b 100644
--- a/vold.te
+++ b/vold.te
@@ -4,71 +4,4 @@ permissive vold;
 type vold_exec, exec_type, file_type;
 init_daemon_domain(vold)
-typeattribute vold mlstrustedsubject;
-allow vold system_file:file x_file_perms;
-allow vold block_device:dir create_dir_perms;
-allow vold block_device:blk_file create_file_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton;
-allow vold sdcard_type:filesystem { mount remount unmount };
-allow vold sdcard_type:dir create_dir_perms;
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket *;
-allow vold app_data_file:dir search;
-allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file rw_file_perms;
-allow vold dm_device:chr_file rw_file_perms;
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace };
-# Grant vold the capability to reboot the system
-allow vold self:capability { sys_boot };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-write_klog(vold)
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Set property.
-unix_socket_connect(vold, property, init)
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Request AES module.
-allow vold kernel:system module_request;
-
-# Write to /proc/sysrq-trigger
-# XXX Label with a distinct type?
-allow vold proc:file write;
-
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create rw_dir_perms mounton };
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# Property Service
-allow vold vold_prop:property_service set;
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr };
-allow vold asec_apk_file:file { r_file_perms setattr };
+unconfined_domain(vold)
diff --git a/watchdogd.te b/watchdogd.te
index 76f8244d2..1c14d8f00 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,9 +1,4 @@
 # watchdogd seclabel is specified in init..rc
 type watchdogd, domain;
 permissive watchdogd;
-allow watchdogd rootfs:file { entrypoint r_file_perms };
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-allow watchdogd device:chr_file create_file_perms;
+unconfined_domain(watchdogd)
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index 2c4ea6044..c92421439 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -4,18 +4,5 @@ permissive wpa;
 type wpa_exec, exec_type, file_type;
 init_daemon_domain(wpa)
-allow wpa kernel:system module_request;
-allow wpa self:capability { setuid net_admin setgid net_raw };
-allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket *;
-allow wpa self:netlink_socket *;
-allow wpa self:packet_socket *;
-allow wpa self:udp_socket *;
-allow wpa wifi_data_file:dir create_dir_perms;
-allow wpa wifi_data_file:file create_file_perms;
-unix_socket_send(wpa, system_wpa, system)
-allow wpa random_device:chr_file r_file_perms;
-
-# Create a socket for receiving info from wpa
+unconfined_domain(wpa)
 type_transition wpa wifi_data_file:sock_file wpa_socket;
-allow wpa wpa_socket:sock_file create_file_perms;
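Review bot: `-allow watchdogd rootfs:file { entrypoint r_file_perms };` in watchdogd.te drops the entrypoint rule for a domain whose seclabel, per the comment on the hunk's first line, is assigned by init for a rootfs binary, while the ueventd hunk above deliberately keeps `allow ueventd rootfs:file entrypoint;` next to its new `unconfined_domain(ueventd)`. Unless unconfined_domain itself grants `rootfs:file entrypoint` (the part of unconfined.te visible in this patch shows only network, binder and property rules), init can no longer enter the watchdogd domain once it is enforcing. Keep `allow watchdogd rootfs:file entrypoint;` after `unconfined_domain(watchdogd)`, as ueventd does.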
diff --git a/zygote.te b/zygote.te
index 90a9b3dca..4603d75b4 100644
--- a/zygote.te
+++ b/zygote.te
@@ -1,44 +1,7 @@
 # zygote
 type zygote, domain;
-permissive zygote;
 type zygote_exec, exec_type, file_type;
+permissive zygote;
 init_daemon_domain(zygote)
-typeattribute zygote mlstrustedsubject;
-# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid };
-# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
-# Switch SELinux context to app domains.
-allow zygote system:process dyntransition;
-allow zygote appdomain:process dyntransition;
-# Move children into the peer process group.
-allow zygote system:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-# Write to system data.
-allow zygote system_data_file:dir rw_dir_perms;
-allow zygote system_data_file:file create_file_perms;
-allow zygote dalvikcache_data_file:dir rw_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-# Execute dexopt.
-allow zygote system_file:file x_file_perms;
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote self:capability sys_admin;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
-
-# Setting up /storage/emulated.
-allow zygote rootfs:dir mounton;
-allow zygote sdcard_type:dir { write search setattr create add_name mounton };
-dontaudit zygote self:capability fsetid;
-allow zygote tmpfs:dir { write create add_name setattr mounton search };
-allow zygote tmpfs:filesystem mount;
-allow zygote labeledfs:filesystem remount;
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
+unconfined_domain(zygote)