Add access control for each service_manager action.

Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro. Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-07 13:56:27 -07:00 · 2014-07-07 13:56:27 -07:00 · b8511e0d98
commit b8511e0d98
parent c103da877b
20 changed files with 133 additions and 4 deletions
--- a/2
+++ b/2
@ -892,6 +892,8 @@ class property_service
 class service_manager
 {
 	add
+	find
+	list
 }

 class keystore_key
--- a/3
+++ b/3
@ -67,3 +67,6 @@ attribute bluetoothdomain;

 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# All domains that are excluded from the domain.te auditallow.
+attribute service_manager_local_audit;
--- a/bluetooth.te
+++ b/bluetooth.te
@ -49,6 +49,14 @@ allow bluetooth bluetooth_prop:property_service set;
 allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;

+# Audited locally.
+service_manager_local_audit_domain(bluetooth)
+auditallow bluetooth {
+    service_manager_type
+    -bluetooth_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### Neverallow rules
 ###
--- a/bootanim.te
+++ b/bootanim.te
@ -11,3 +11,7 @@ allow bootanim gpu_device:chr_file rw_file_perms;

 # /oem access
 allow bootanim oemfs:dir search;
+
+# Audited locally.
+service_manager_local_audit_domain(bootanim)
+auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
--- a/domain.te
+++ b/domain.te
@ -158,6 +158,11 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;

+allow domain servicemanager:service_manager list;
+auditallow domain servicemanager:service_manager list;
+allow domain service_manager_type:service_manager find;
+auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
+
 ###
 ### neverallow rules
 ###
--- a/drmserver.te
+++ b/drmserver.te
@ -46,3 +46,7 @@ allow drmserver asec_apk_file:file { read getattr };
 allow drmserver radio_data_file:file { read getattr };

 allow drmserver drmserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
--- a/healthd.te
+++ b/healthd.te
@ -31,8 +31,13 @@ allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
+
 allow healthd healthd_service:service_manager add;

+# Audited locally.
+service_manager_local_audit_domain(healthd)
+auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
 unix_socket_connect(healthd, property, init)
--- a/inputflinger.te
+++ b/inputflinger.te
@ -9,3 +9,7 @@ binder_service(inputflinger)
 binder_call(inputflinger, system_server)

 allow inputflinger inputflinger_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(inputflinger)
+auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
--- a/isolated_app.te
+++ b/isolated_app.te
@ -18,3 +18,7 @@ net_domain(isolated_app)
 # Needed to allow dlopen() from Chrome renderer processes.
 # See b/15902433 for details.
 allow isolated_app app_data_file:file execute;
+
+# Audited locally.
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app service_manager_type:service_manager find;
--- a/keystore.te
+++ b/keystore.te
@ -28,5 +28,9 @@ neverallow domain keystore:process ptrace;

 allow keystore keystore_service:service_manager add;

+# Audited locally.
+service_manager_local_audit_domain(keystore)
+auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+
 # Check SELinux permissions.
 selinux_check_access(keystore)
--- a/mediaserver.te
+++ b/mediaserver.te
@ -79,3 +79,13 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 allow mediaserver tee:unix_stream_socket connectto;

 allow mediaserver mediaserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+    service_manager_type
+    -drmserver_service
+    -mediaserver_service
+    -system_server_service
+    -surfaceflinger_service
+}:service_manager find;
--- a/nfc.te
+++ b/nfc.te
@ -15,3 +15,11 @@ allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;

 allow nfc nfc_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+    service_manager_type
+    -mediaserver_service
+    -system_server_service
+}:service_manager find;
--- a/platform_app.te
+++ b/platform_app.te
@ -27,3 +27,13 @@ allow platform_app media_rw_data_file:file create_file_perms;
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
+
+# Audited locally.
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+    service_manager_type
+    -mediaserver_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
--- a/radio.te
+++ b/radio.te
@ -28,3 +28,12 @@ auditallow radio system_radio_prop:property_service set;
 allow radio ctl_rildaemon_prop:property_service set;

 allow radio radio_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(radio)
+auditallow radio {
+    service_manager_type
+    -mediaserver_service
+    -radio_service
+    -system_server_service
+}:service_manager find;
--- a/servicemanager.te
+++ b/servicemanager.te
@ -13,9 +13,5 @@ init_daemon_domain(servicemanager)
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager domain:binder transfer;

-# Get contexts of binder services that call servicemanager.
-allow servicemanager binderservicedomain:dir search;
-allow servicemanager binderservicedomain:file { read open };
-allow servicemanager binderservicedomain:process getattr;
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@ -59,6 +59,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;

 allow surfaceflinger surfaceflinger_service:service_manager add;

+# Audited locally.
+service_manager_local_audit_domain(surfaceflinger)
+auditallow surfaceflinger {
+    service_manager_type
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### Neverallow rules
 ###
--- a/system_app.te
+++ b/system_app.te
@ -64,3 +64,12 @@ allow system_app keystore:keystore_key {
 };

 control_logd(system_app)
+
+# Audited locally.
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+    service_manager_type
+    -nfc_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
--- a/system_server.te
+++ b/system_server.te
@ -361,6 +361,18 @@ allow system_server pstorefs:file r_file_perms;

 allow system_server system_server_service:service_manager add;

+# Audited locally.
+service_manager_local_audit_domain(system_server)
+auditallow system_server {
+    service_manager_type
+    -healthd_service
+    -keystore_service
+    -mediaserver_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 allow system_server keystore:keystore_key {
 	test
 	get
--- a/13
+++ b/13
@ -109,6 +109,7 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
+service_manager_local_audit_domain($1)
 ')

 #####################################
@ -149,6 +150,10 @@ allow $1 $3:unix_dgram_socket sendto;
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')
@ -354,3 +359,11 @@ define(`use_keystore', `
  allow keystore $1:process getattr;
  binder_call($1, keystore)
 ')
+
+###########################################
+# service_manager_local_audit_domain(domain)
+# Has its own auditallow rule on service_manager
+# and should be excluded from the domain.te auditallow.
+define(`service_manager_local_audit_domain', `
+  typeattribute $1 service_manager_local_audit;
+')
--- a/untrusted_app.te
+++ b/untrusted_app.te
@ -64,6 +64,17 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;

+# Audited locally.
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+    service_manager_type
+    -drmserver_service
+    -mediaserver_service
+    -nfc_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### neverallow rules
 ###