Remove domain:process from unconfined
Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
parent
bad4e91dd2
commit
a7c04dcd74
7 changed files with 21 additions and 34 deletions
2
adbd.te
2
adbd.te
|
@ -8,8 +8,6 @@ userdebug_or_eng(`
|
||||||
')
|
')
|
||||||
|
|
||||||
domain_auto_trans(adbd, shell_exec, shell)
|
domain_auto_trans(adbd, shell_exec, shell)
|
||||||
# this is an entrypoint
|
|
||||||
allow adbd rootfs:file entrypoint;
|
|
||||||
|
|
||||||
# Do not sanitize the environment or open fds of the shell.
|
# Do not sanitize the environment or open fds of the shell.
|
||||||
allow adbd shell:process noatsecure;
|
allow adbd shell:process noatsecure;
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
# it lives in the rootfs and has no unique file type.
|
# it lives in the rootfs and has no unique file type.
|
||||||
type healthd, domain;
|
type healthd, domain;
|
||||||
|
|
||||||
allow healthd rootfs:file { read entrypoint };
|
|
||||||
write_klog(healthd)
|
write_klog(healthd)
|
||||||
# /dev/__null__ created by init prior to policy load,
|
# /dev/__null__ created by init prior to policy load,
|
||||||
# open fd inherited by healthd.
|
# open fd inherited by healthd.
|
||||||
|
|
27
init.te
27
init.te
|
@ -60,12 +60,23 @@ allow init usermodehelper:file rw_file_perms;
|
||||||
allow init proc_security:file rw_file_perms;
|
allow init proc_security:file rw_file_perms;
|
||||||
|
|
||||||
# Transitions to seclabel processes in init.rc
|
# Transitions to seclabel processes in init.rc
|
||||||
allow init adbd:process transition;
|
domain_trans(init, rootfs, adbd)
|
||||||
allow init healthd:process transition;
|
domain_trans(init, rootfs, healthd)
|
||||||
allow init recovery:process transition;
|
recovery_only(`
|
||||||
allow init shell:process transition;
|
domain_trans(init, rootfs, recovery)
|
||||||
allow init ueventd:process transition;
|
')
|
||||||
allow init watchdogd:process transition;
|
domain_trans(init, shell_exec, shell)
|
||||||
|
domain_trans(init, rootfs, ueventd)
|
||||||
|
domain_trans(init, rootfs, watchdogd)
|
||||||
|
|
||||||
|
# Certain domains need LD_PRELOAD passed from init.
|
||||||
|
# https://android-review.googlesource.com/94851
|
||||||
|
# For now, allow it to all domains.
|
||||||
|
# TODO: scope this down.
|
||||||
|
allow init domain:process noatsecure;
|
||||||
|
|
||||||
|
# Support "adb shell stop"
|
||||||
|
allow init domain:process sigkill;
|
||||||
|
|
||||||
# Init creates keystore's directory on boot, and walks through
|
# Init creates keystore's directory on boot, and walks through
|
||||||
# the directory as part of a recursive restorecon.
|
# the directory as part of a recursive restorecon.
|
||||||
|
@ -92,6 +103,10 @@ allow init property_type:property_service set;
|
||||||
# Run "ifup lo" to bring up the localhost interface
|
# Run "ifup lo" to bring up the localhost interface
|
||||||
allow init self:udp_socket { create ioctl };
|
allow init self:udp_socket { create ioctl };
|
||||||
|
|
||||||
|
# This line seems suspect, as it should not really need to
|
||||||
|
# set scheduling parameters for a kernel domain task.
|
||||||
|
allow init kernel:process setsched;
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
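Review bot: `allow init domain:process noatsecure;` and `allow init domain:process sigkill;` re-grant init process access to every domain in the same hunk that narrows the old per-domain `transition` rules to `domain_trans()`, so for init the title's goal is only partly met. The noatsecure rule carries a TODO and a review link; the sigkill rule should get the same so the follow-up is not lost, e.g. `# TODO: restrict to the domains init.rc actually stops.` If domain_trans() grants the target only `{ entrypoint open read execute getattr }` on the exec type (I believe that is what the macro does, but confirm against te_macros), then `domain_trans(init, rootfs, watchdogd)` does not fully replace the `{ entrypoint r_file_perms }` rule this commit drops from watchdogd.te, and the same check applies to the healthd, ueventd and recovery rules removed elsewhere in the change. In the second hunk `allow init kernel:process setsched;` is added with a comment calling it suspect; a rule admitted as doubtful should at least point at what motivated it, e.g. `# TODO: identify the init.rc action that triggers this denial and remove.`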
@ -7,8 +7,6 @@ type recovery, domain;
|
||||||
# But the allow rules are only included in the recovery policy.
|
# But the allow rules are only included in the recovery policy.
|
||||||
# Otherwise recovery is only allowed the domain rules.
|
# Otherwise recovery is only allowed the domain rules.
|
||||||
recovery_only(`
|
recovery_only(`
|
||||||
allow recovery rootfs:file { entrypoint execute };
|
|
||||||
|
|
||||||
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
||||||
|
|
||||||
# Set security contexts on files that are not known to the loaded policy.
|
# Set security contexts on files that are not known to the loaded policy.
|
||||||
|
|
|
@ -4,7 +4,6 @@ type ueventd, domain;
|
||||||
tmpfs_domain(ueventd)
|
tmpfs_domain(ueventd)
|
||||||
write_klog(ueventd)
|
write_klog(ueventd)
|
||||||
security_access_policy(ueventd)
|
security_access_policy(ueventd)
|
||||||
allow ueventd rootfs:file entrypoint;
|
|
||||||
allow ueventd init:process sigchld;
|
allow ueventd init:process sigchld;
|
||||||
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
|
||||||
allow ueventd device:file create_file_perms;
|
allow ueventd device:file create_file_perms;
|
||||||
|
|
|
@ -20,27 +20,6 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module
|
||||||
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
|
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
|
||||||
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
|
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
|
||||||
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
|
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
|
||||||
allow unconfineddomain domain:process {
|
|
||||||
fork
|
|
||||||
sigchld
|
|
||||||
sigkill
|
|
||||||
sigstop
|
|
||||||
signull
|
|
||||||
signal
|
|
||||||
getsched
|
|
||||||
setsched
|
|
||||||
getsession
|
|
||||||
getpgid
|
|
||||||
setpgid
|
|
||||||
getcap
|
|
||||||
setcap
|
|
||||||
share
|
|
||||||
getattr
|
|
||||||
noatsecure
|
|
||||||
siginh
|
|
||||||
setrlimit
|
|
||||||
rlimitinh
|
|
||||||
};
|
|
||||||
allow unconfineddomain domain:fd *;
|
allow unconfineddomain domain:fd *;
|
||||||
allow unconfineddomain domain:dir r_dir_perms;
|
allow unconfineddomain domain:dir r_dir_perms;
|
||||||
allow unconfineddomain domain:lnk_file r_file_perms;
|
allow unconfineddomain domain:lnk_file r_file_perms;
|
||||||
|
|
|
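Review bot: Dropping the `allow unconfineddomain domain:process { ... }` block also drops, for every unconfined domain, the self:process permissions it implied (unconfineddomain is itself part of domain), so fork, signal, setrlimit and the rest must now come from domain.te or per-domain rules; that is outside this hunk, so confirm it is granted there before merging. The surviving `allow unconfineddomain domain:fd *;`, `domain:dir r_dir_perms` and `domain:lnk_file r_file_perms` rules still give unconfined domains fd use and /proc/pid reads on every other domain; that is not what this change targets, but a one-line comment above them, e.g. `# unconfineddomain no longer gets process access to other domains; express such access in the per-domain .te file.`, would save the next reader from re-deriving the new boundary. Any unconfineddomain rules before line 20 of the file are outside the hunk.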
@ -1,6 +1,5 @@
|
||||||
# watchdogd seclabel is specified in init.<board>.rc
|
# watchdogd seclabel is specified in init.<board>.rc
|
||||||
type watchdogd, domain;
|
type watchdogd, domain;
|
||||||
allow watchdogd rootfs:file { entrypoint r_file_perms };
|
|
||||||
allow watchdogd self:capability mknod;
|
allow watchdogd self:capability mknod;
|
||||||
allow watchdogd device:dir { add_name write remove_name };
|
allow watchdogd device:dir { add_name write remove_name };
|
||||||
allow watchdogd watchdog_device:chr_file rw_file_perms;
|
allow watchdogd watchdog_device:chr_file rw_file_perms;
|
||||||
|
|