Remove domain:process from unconfined

Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
This commit is contained in:
Nick Kralevich 2014-07-03 22:13:14 -07:00
parent bad4e91dd2
commit a7c04dcd74
7 changed files with 21 additions and 34 deletions

View file

@ -8,8 +8,6 @@ userdebug_or_eng(`
') ')
domain_auto_trans(adbd, shell_exec, shell) domain_auto_trans(adbd, shell_exec, shell)
# this is an entrypoint
allow adbd rootfs:file entrypoint;
# Do not sanitize the environment or open fds of the shell. # Do not sanitize the environment or open fds of the shell.
allow adbd shell:process noatsecure; allow adbd shell:process noatsecure;

View file

@ -2,7 +2,6 @@
# it lives in the rootfs and has no unique file type. # it lives in the rootfs and has no unique file type.
type healthd, domain; type healthd, domain;
allow healthd rootfs:file { read entrypoint };
write_klog(healthd) write_klog(healthd)
# /dev/__null__ created by init prior to policy load, # /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd. # open fd inherited by healthd.

27
init.te
View file

@ -60,12 +60,23 @@ allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms; allow init proc_security:file rw_file_perms;
# Transitions to seclabel processes in init.rc # Transitions to seclabel processes in init.rc
allow init adbd:process transition; domain_trans(init, rootfs, adbd)
allow init healthd:process transition; domain_trans(init, rootfs, healthd)
allow init recovery:process transition; recovery_only(`
allow init shell:process transition; domain_trans(init, rootfs, recovery)
allow init ueventd:process transition; ')
allow init watchdogd:process transition; domain_trans(init, shell_exec, shell)
domain_trans(init, rootfs, ueventd)
domain_trans(init, rootfs, watchdogd)
# Certain domains need LD_PRELOAD passed from init.
# https://android-review.googlesource.com/94851
# For now, allow it to all domains.
# TODO: scope this down.
allow init domain:process noatsecure;
# Support "adb shell stop"
allow init domain:process sigkill;
# Init creates keystore's directory on boot, and walks through # Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon. # the directory as part of a recursive restorecon.
@ -92,6 +103,10 @@ allow init property_type:property_service set;
# Run "ifup lo" to bring up the localhost interface # Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl }; allow init self:udp_socket { create ioctl };
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
### ###
### neverallow rules ### neverallow rules
### ###

View file

@ -7,8 +7,6 @@ type recovery, domain;
# But the allow rules are only included in the recovery policy. # But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules. # Otherwise recovery is only allowed the domain rules.
recovery_only(` recovery_only(`
allow recovery rootfs:file { entrypoint execute };
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config }; allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy. # Set security contexts on files that are not known to the loaded policy.

View file

@ -4,7 +4,6 @@ type ueventd, domain;
tmpfs_domain(ueventd) tmpfs_domain(ueventd)
write_klog(ueventd) write_klog(ueventd)
security_access_policy(ueventd) security_access_policy(ueventd)
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld; allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms; allow ueventd device:file create_file_perms;

View file

@ -20,27 +20,6 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module
allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam }; allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console }; allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
allow unconfineddomain domain:process {
fork
sigchld
sigkill
sigstop
signull
signal
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
noatsecure
siginh
setrlimit
rlimitinh
};
allow unconfineddomain domain:fd *; allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms; allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms; allow unconfineddomain domain:lnk_file r_file_perms;

View file

@ -1,6 +1,5 @@
# watchdogd seclabel is specified in init.<board>.rc # watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain; type watchdogd, domain;
allow watchdogd rootfs:file { entrypoint r_file_perms };
allow watchdogd self:capability mknod; allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name }; allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file rw_file_perms; allow watchdogd watchdog_device:chr_file rw_file_perms;