Clean up old file-based OTA SELinux rules
Remove a number of SELinux rules which were required to support file based OTA. After this, we can have a much stronger assertion that files on /system are immutable. Tighten up the neverallow rules at the same time. Bug: 35853185 Bug: 15575013 Bug: 69664758 Test: adb reboot recovery && adb sideload [file] Change-Id: I22aa208859b8478a2a90e1ed1c0f0d6b62a6664e
This commit is contained in:
Nick Kralevich
parent
df642bef22
commit
b8b4f5d649
2 changed files with 17 additions and 35 deletions
|
|
@ -238,8 +238,8 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
|
||||||
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
# http://www.openwall.com/lists/oss-security/2016/09/26/14
|
||||||
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
||||||
|
|
||||||
# Do not allow any domain other than init or recovery to create unlabeled files.
|
# Do not allow any domain other than init to create unlabeled files.
|
||||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
neverallow { domain -init } unlabeled:dir_file_class_set create;
|
||||||
|
|
||||||
# Limit device node creation to these whitelisted domains.
|
# Limit device node creation to these whitelisted domains.
|
||||||
neverallow {
|
neverallow {
|
||||||
|
|
@ -269,8 +269,10 @@ neverallow * self:memprotect mmap_zero;
|
||||||
# No domain needs mac_override as it is unused by SELinux.
|
# No domain needs mac_override as it is unused by SELinux.
|
||||||
neverallow * self:global_capability2_class_set mac_override;
|
neverallow * self:global_capability2_class_set mac_override;
|
||||||
|
|
||||||
# Only recovery needs mac_admin to set contexts not defined in current policy.
|
# Disallow attempts to set contexts not defined in current policy
|
||||||
neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
|
# This helps guarantee that unknown or dangerous contents will not ever
|
||||||
|
# be set.
|
||||||
|
neverallow * self:global_capability2_class_set mac_admin;
|
||||||
|
|
||||||
# Once the policy has been loaded there shall be none to modify the policy.
|
# Once the policy has been loaded there shall be none to modify the policy.
|
||||||
# It is sealed.
|
# It is sealed.
|
||||||
|
|
@ -376,6 +378,7 @@ neverallow {
|
||||||
-bootanim # for oemfs
|
-bootanim # for oemfs
|
||||||
-recovery # for /tmp/update_binary in tmpfs
|
-recovery # for /tmp/update_binary in tmpfs
|
||||||
} { fs_type -rootfs }:file execute;
|
} { fs_type -rootfs }:file execute;
|
||||||
|
|
||||||
# Files from cache should never be executed
|
# Files from cache should never be executed
|
||||||
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
|
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
|
||||||
|
|
||||||
|
|
@ -399,10 +402,12 @@ neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms
|
||||||
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
|
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
|
||||||
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
|
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
|
||||||
|
|
||||||
# Only recovery should be doing writes to /system & /vendor
|
# Nobody should be doing writes to /system & /vendor
|
||||||
|
# These partitions are intended to be read-only and must never be
|
||||||
|
# modified. Doing so would violate important Android security guarantees
|
||||||
|
# and invalidate dm-verity signatures.
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
|
||||||
-recovery
|
|
||||||
with_asan(`-asan_extract')
|
with_asan(`-asan_extract')
|
||||||
} {
|
} {
|
||||||
system_file
|
system_file
|
||||||
|
|
@ -410,7 +415,7 @@ neverallow {
|
||||||
exec_type
|
exec_type
|
||||||
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
|
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
|
||||||
|
|
||||||
neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
|
neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
|
||||||
|
|
||||||
# Don't allow mounting on top of /system files or directories
|
# Don't allow mounting on top of /system files or directories
|
||||||
neverallow * exec_type:dir_file_class_set mounton;
|
neverallow * exec_type:dir_file_class_set mounton;
|
||||||
|
|
@ -426,7 +431,7 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
|
||||||
# Ensure that context mount types are not writable, to ensure that
|
# Ensure that context mount types are not writable, to ensure that
|
||||||
# the write to /system restriction above is not bypassed via context=
|
# the write to /system restriction above is not bypassed via context=
|
||||||
# mount to another type.
|
# mount to another type.
|
||||||
neverallow { domain -recovery } contextmount_type:dir_file_class_set
|
neverallow * contextmount_type:dir_file_class_set
|
||||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||||
|
|
||||||
# Do not allow service_manager add for default service labels.
|
# Do not allow service_manager add for default service labels.
|
||||||
|
|
@ -1091,12 +1096,9 @@ neverallow {
|
||||||
# vendor, and boot partitions.
|
# vendor, and boot partitions.
|
||||||
neverallow * ~{ system_file vendor_file rootfs }:system module_load;
|
neverallow * ~{ system_file vendor_file rootfs }:system module_load;
|
||||||
|
|
||||||
# Only allow filesystem caps to be set at build time or
|
# Only allow filesystem caps to be set at build time. Runtime changes
|
||||||
# during upgrade by recovery.
|
# to filesystem capabilities are not permitted.
|
||||||
neverallow {
|
neverallow * self:global_capability_class_set setfcap;
|
||||||
domain
|
|
||||||
-recovery
|
|
||||||
} self:global_capability_class_set setfcap;
|
|
||||||
|
|
||||||
# Enforce AT_SECURE for executing crash_dump.
|
# Enforce AT_SECURE for executing crash_dump.
|
||||||
neverallow domain crash_dump:process noatsecure;
|
neverallow domain crash_dump:process noatsecure;
|
||||||
|
|
|
||||||
|
|
@ -12,10 +12,7 @@ recovery_only(`
|
||||||
# Recovery can only use HALs in passthrough mode
|
# Recovery can only use HALs in passthrough mode
|
||||||
passthrough_hal_client_domain(recovery, hal_bootctl)
|
passthrough_hal_client_domain(recovery, hal_bootctl)
|
||||||
|
|
||||||
allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
|
allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
|
||||||
|
|
||||||
# Set security contexts on files that are not known to the loaded policy.
|
|
||||||
allow recovery self:global_capability2_class_set mac_admin;
|
|
||||||
|
|
||||||
# Run helpers from / or /system without changing domain.
|
# Run helpers from / or /system without changing domain.
|
||||||
r_dir_file(recovery, rootfs)
|
r_dir_file(recovery, rootfs)
|
||||||
|
|
@ -29,26 +26,9 @@ recovery_only(`
|
||||||
allow recovery unlabeled:filesystem ~relabelto;
|
allow recovery unlabeled:filesystem ~relabelto;
|
||||||
allow recovery contextmount_type:filesystem relabelto;
|
allow recovery contextmount_type:filesystem relabelto;
|
||||||
|
|
||||||
# Create and relabel files and directories under /system.
|
|
||||||
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
||||||
allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
||||||
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
|
|
||||||
|
|
||||||
# We may be asked to set an SELinux label for a type not known to the
|
|
||||||
# currently loaded policy. Allow it.
|
|
||||||
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
|
||||||
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
|
|
||||||
# Get file contexts
|
# Get file contexts
|
||||||
allow recovery file_contexts_file:file r_file_perms;
|
allow recovery file_contexts_file:file r_file_perms;
|
||||||
|
|
||||||
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
|
|
||||||
# support to OTAs. However, that code has a bug. When an update occurs,
|
|
||||||
# some directories are inappropriately labeled as exec_type. This is
|
|
||||||
# only transient, and subsequent steps in the OTA script correct this
|
|
||||||
# mistake. New devices are moving to block based OTAs, so this is not
|
|
||||||
# worth fixing. b/15575013
|
|
||||||
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
|
|
||||||
|
|
||||||
# Write to /proc/sys/vm/drop_caches
|
# Write to /proc/sys/vm/drop_caches
|
||||||
allow recovery proc_drop_caches:file w_file_perms;
|
allow recovery proc_drop_caches:file w_file_perms;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue