Merge "sepolicy: Add rules for non-init namespaces"

This commit is contained in:
Benjamin Gordon 2017-11-21 17:34:40 +00:00 committed by Gerrit Code Review
commit b9ea282c65
61 changed files with 128 additions and 127 deletions

View file

@ -17,10 +17,10 @@ userdebug_or_eng(`
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:capability { setuid setgid };
allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;
allow adbd self:global_capability_class_set setpcap;
# Create and use network sockets.
net_domain(adbd)

View file

@ -350,8 +350,7 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
# Superuser capabilities.
# bluetooth requires net_admin and wake_alarm.
neverallow { appdomain -bluetooth } self:capability *;
neverallow { appdomain -bluetooth } self:capability2 *;
neverallow { appdomain -bluetooth } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };

View file

@ -22,12 +22,12 @@ allow bluetooth bluetooth_logs_data_file:file create_file_perms;
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
allow bluetooth self:capability net_admin;
allow bluetooth self:capability2 wake_alarm;
allow bluetooth self:global_capability_class_set net_admin;
allow bluetooth self:global_capability2_class_set wake_alarm;
# tethering
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
allow bluetooth self:capability { net_admin net_raw net_bind_service };
allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
@ -56,7 +56,7 @@ allow bluetooth system_api_service:service_manager find;
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
allow bluetooth self:capability sys_nice;
allow bluetooth self:global_capability_class_set sys_nice;
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)
@ -71,5 +71,5 @@ read_runtime_log_tags(bluetooth)
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };

View file

@ -12,7 +12,7 @@ neverallow {
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;

View file

@ -7,12 +7,12 @@ wakelock_use(incidentd)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
# TODO allow incidentd self:capability { setuid setgid sys_resource };
# TODO allow incidentd self:global_capability_class_set { setuid setgid sys_resource };
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
allow incidentd self:capability {
allow incidentd self:global_capability_class_set {
# Send signals to processes
kill
};
@ -56,7 +56,7 @@ binder_call(incidentd, binderservicedomain)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
# TODO allow incidentd self:capability sys_ptrace;
# TODO allow incidentd self:global_capability_class_set sys_ptrace;
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;

View file

@ -8,7 +8,7 @@ userdebug_or_eng(`
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
allow logpersist self:capability sys_nice;
allow logpersist self:global_capability_class_set sys_nice;
allow logpersist pstorefs:dir search;
allow logpersist pstorefs:file r_file_perms;

View file

@ -3,13 +3,13 @@ typeattribute netutils_wrapper coredomain;
r_dir_file(netutils_wrapper, system_file);
# For netutils (ip, iptables, tc)
allow netutils_wrapper self:capability net_raw;
allow netutils_wrapper self:global_capability_class_set net_raw;
allow netutils_wrapper system_file:file { execute execute_no_trans };
allow netutils_wrapper proc_net:file { open read getattr };
allow netutils_wrapper self:rawip_socket create_socket_perms;
allow netutils_wrapper self:udp_socket create_socket_perms;
allow netutils_wrapper self:capability net_admin;
allow netutils_wrapper self:global_capability_class_set net_admin;
# ip utils need everything but ioctl
allow netutils_wrapper self:netlink_route_socket ~ioctl;
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;

View file

@ -52,7 +52,7 @@ allow storaged package_native_service:service_manager find;
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
dontaudit storaged self:capability dac_override;
dontaudit storaged self:global_capability_class_set dac_override;
###
### neverallow

View file

@ -87,7 +87,7 @@ allow surfaceflinger window_service:service_manager find;
# allow self to set SCHED_FIFO
allow surfaceflinger self:capability sys_nice;
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, system_file)

View file

@ -52,7 +52,7 @@ bluetooth_domain(system_server)
# These are the capabilities assigned by the zygote to the
# system server.
allow system_server self:capability {
allow system_server self:global_capability_class_set {
ipc_lock
kill
net_admin
@ -72,7 +72,7 @@ wakelock_use(system_server)
allow system_server kernel:system module_request;
# Allow alarmtimers to be set
allow system_server self:capability2 wake_alarm;
allow system_server self:global_capability2_class_set wake_alarm;
# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;

View file

@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:capability dac_override;
allow vold_prepare_subdirs self:global_capability_class_set dac_override;
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };

View file

@ -20,9 +20,9 @@ allow webview_zygote shared_relro_file:dir search;
allow webview_zygote shared_relro_file:file r_file_perms;
# Set the UID/GID of the process.
allow webview_zygote self:capability { setgid setuid };
allow webview_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
allow webview_zygote self:capability setpcap;
allow webview_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;

View file

@ -7,10 +7,10 @@ init_daemon_domain(zygote)
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner chown };
allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
allow zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
@ -56,7 +56,7 @@ r_dir_file(zygote, vendor_overlay_file)
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
allow zygote self:capability sys_admin;
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork

View file

@ -10,8 +10,8 @@ r_dir_file(charger, sysfs_type)
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
allow charger self:capability { sys_tty_config };
allow charger self:capability sys_boot;
allow charger self:global_capability_class_set { sys_tty_config };
allow charger self:global_capability_class_set sys_boot;
wakelock_use(charger)

View file

@ -17,7 +17,7 @@ allow clatd netd:udp_socket { read write };
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
allow clatd self:capability { net_admin net_raw setuid setgid };
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
@ -26,7 +26,7 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
# so we permit any requests we see from clatd asking for this capability.
# See https://android-review.googlesource.com/127940 and
# https://b.corp.google.com/issues/21736319
allow clatd self:capability ipc_lock;
allow clatd self:global_capability_class_set ipc_lock;
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;

View file

@ -11,7 +11,7 @@ allow crash_dump {
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:capability { sys_ptrace };
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };

View file

@ -4,7 +4,7 @@ type dhcp_exec, exec_type, file_type;
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;

View file

@ -6,9 +6,9 @@ net_domain(dnsmasq)
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
allow dnsmasq self:capability dac_override;
allow dnsmasq self:global_capability_class_set dac_override;
allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;

View file

@ -248,7 +248,7 @@ neverallow {
-init
-ueventd
-vold
} self:capability mknod;
} self:global_capability_class_set mknod;
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
@ -261,16 +261,16 @@ neverallow {
-healthd
-uncrypt
-tee
} self:capability sys_rawio;
} self:global_capability_class_set sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux.
neverallow * self:capability2 mac_override;
neverallow * self:global_capability2_class_set mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
@ -1096,7 +1096,7 @@ neverallow * ~{ system_file vendor_file rootfs }:system module_load;
neverallow {
domain
-recovery
} self:capability setfcap;
} self:global_capability_class_set setfcap;
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;

View file

@ -8,12 +8,12 @@ wakelock_use(dumpstate)
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid sys_resource };
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
allow dumpstate self:capability {
allow dumpstate self:global_capability_class_set {
# Send signals to processes
kill
# Run iptables
@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
@ -42,7 +42,7 @@ allow dumpstate anr_data_file:file create_file_perms;
allow dumpstate system_data_file:file r_file_perms;
# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;
# Read /sys/fs/pstore/console-ramoops
@ -116,7 +116,7 @@ hal_client_domain(dumpstate, hal_vibrator)
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;
allow dumpstate self:global_capability_class_set sys_ptrace;
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport

View file

@ -1,7 +1,9 @@
#####################################
# Common groupings of object classes.
#
define(`capability_class_set', `{ capability capability2 }')
define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
define(`global_capability_class_set', `{ capability cap_userns }')
define(`global_capability2_class_set', `{ capability2 cap2_userns }')
define(`devfile_class_set', `{ chr_file blk_file }')
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')

View file

@ -8,7 +8,7 @@ allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
wakelock_use(hal_bluetooth);
# The HAL toggles rfkill to power the chip off/on.
allow hal_bluetooth self:capability net_admin;
allow hal_bluetooth self:global_capability_class_set net_admin;
# bluetooth factory file accesses.
r_dir_file(hal_bluetooth, bluetooth_efs_file)
@ -18,7 +18,7 @@ allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
# sysfs access.
r_dir_file(hal_bluetooth, sysfs_type)
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow hal_bluetooth self:capability2 wake_alarm;
allow hal_bluetooth self:global_capability2_class_set wake_alarm;
# Allow write access to bluetooth-specific properties
set_prop(hal_bluetooth, bluetooth_prop)
@ -27,4 +27,4 @@ set_prop(hal_bluetooth, bluetooth_prop)
allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
# allow to run with real-time scheduling policy
allow hal_bluetooth self:capability sys_nice;
allow hal_bluetooth self:global_capability_class_set sys_nice;

View file

@ -10,4 +10,4 @@ allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:capability sys_nice;
allow hal_graphics_allocator self:global_capability_class_set sys_nice;

View file

@ -23,4 +23,4 @@ allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:capability sys_nice;
allow hal_graphics_composer self:global_capability_class_set sys_nice;

View file

@ -6,7 +6,7 @@ neverallow {
-hal_wifi_server
-hal_wifi_supplicant_server
-rild
} self:capability { net_admin net_raw };
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
# hardware, it should not be using network sockets.

View file

@ -12,4 +12,4 @@ allow hal_sensors { appdomain -isolated_app }:fd use;
allow hal_sensors hal_allocator:fd use;
# allow to run with real-time scheduling policy
allow hal_sensors self:capability sys_nice;
allow hal_sensors self:global_capability_class_set sys_nice;

View file

@ -14,7 +14,7 @@ set_prop(hal_wifi, wifi_prop)
allow hal_wifi self:udp_socket create_socket_perms;
allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
allow hal_wifi self:capability { net_admin net_raw };
allow hal_wifi self:global_capability_class_set { net_admin net_raw };
# allow hal_wifi to speak to nl80211 in the kernel
allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
@ -22,4 +22,4 @@ allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
# hal_wifi writes firmware paths to this file.
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
allow hal_wifi proc_modules:file { getattr open read };
allow hal_wifi proc_modules:file { getattr open read };

View file

@ -12,7 +12,7 @@ r_dir_file(hal_wifi_supplicant, sysfs_type)
r_dir_file(hal_wifi_supplicant, proc_net)
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;

View file

@ -14,8 +14,8 @@ r_dir_file(healthd, cgroup)
# /{system,vendor,odm}/lib[64]/hw/
r_dir_file(healthd, system_file)
allow healthd self:capability { sys_tty_config };
allow healthd self:capability sys_boot;
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

View file

@ -40,7 +40,7 @@ allow init system_block_device:{ blk_file lnk_file } relabelto;
allow init misc_block_device:{ blk_file lnk_file } relabelto;
# setrlimit
allow init self:capability sys_resource;
allow init self:global_capability_class_set sys_resource;
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;
@ -61,7 +61,7 @@ allow init console_device:chr_file rw_file_perms;
allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
allow init self:capability sys_admin;
allow init self:global_capability_class_set sys_admin;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
@ -92,12 +92,12 @@ allow init configfs:{ file lnk_file } create_file_perms;
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:capability dac_override;
allow init self:global_capability_class_set dac_override;
# Set system clock.
allow init self:capability sys_time;
allow init self:global_capability_class_set sys_time;
allow init self:capability { sys_rawio mknod };
allow init self:global_capability_class_set { sys_rawio mknod };
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
@ -124,7 +124,7 @@ allow init rootfs:{ dir file } relabelfrom;
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };
allow init self:global_capability_class_set { chown fowner fsetid };
allow init {
file_type
@ -256,7 +256,7 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:capability2 syslog;
allow init self:global_capability2_class_set syslog;
# init access to /proc.
r_dir_file(init, proc_net)
@ -295,10 +295,10 @@ allow init {
# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
allow init self:capability net_admin;
allow init self:global_capability_class_set net_admin;
# Reboot.
allow init self:capability sys_boot;
allow init self:global_capability_class_set sys_boot;
# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
@ -311,7 +311,7 @@ allow init misc_logd_file:dir { add_name open create read getattr setattr search
allow init misc_logd_file:file { open create getattr setattr write };
# Support "adb shell stop"
allow init self:capability kill;
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
# Init creates keystore's directory on boot, and walks through
@ -329,7 +329,7 @@ allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
# Set UID, GID, and adjust capability bounding set for services.
allow init self:capability { setuid setgid setpcap };
allow init self:global_capability_class_set { setuid setgid setpcap };
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
@ -369,13 +369,13 @@ allow init property_type:property_service set;
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;
allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:capability net_raw;
allow init self:global_capability_class_set net_raw;
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
@ -396,7 +396,7 @@ allow init hw_random_device:chr_file r_file_perms;
allow init device:file create_file_perms;
# keychord configuration
allow init self:capability sys_tty_config;
allow init self:global_capability_class_set sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;
# Access device mapper for setting up dm-verity

View file

@ -2,7 +2,7 @@
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;
allow install_recovery self:capability dac_override;
allow install_recovery self:global_capability_class_set dac_override;
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh

View file

@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;

View file

@ -1,7 +1,7 @@
# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;
allow kernel self:capability sys_nice;
allow kernel self:global_capability_class_set sys_nice;
# Root fs.
r_dir_file(kernel, rootfs)
@ -33,14 +33,14 @@ allow kernel usbfs:dir search;
dontaudit kernel self:security setenforce;
# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:capability sys_resource;
allow kernel self:global_capability_class_set sys_resource;
# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
allow kernel self:capability sys_boot;
allow kernel self:global_capability_class_set sys_boot;
allow kernel proc_sysrq:file w_file_perms;
# Allow writing to /dev/kmsg which was created prior to loading policy.
@ -101,4 +101,4 @@ neverallow kernel *:file { entrypoint execute_no_trans };
# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
neverallow kernel self:capability { dac_override dac_read_search };
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };

View file

@ -2,13 +2,13 @@
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
allow lmkd self:capability { dac_override sys_resource kill };
allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
# b/16236289
allow lmkd self:capability ipc_lock;
allow lmkd self:global_capability_class_set ipc_lock;
## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
@ -31,7 +31,7 @@ allow lmkd cgroup:dir { remove_name rmdir };
allow lmkd cgroup:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:capability sys_nice;
allow lmkd self:global_capability_class_set sys_nice;
allow lmkd proc_zoneinfo:file r_file_perms;

View file

@ -8,8 +8,8 @@ r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
r_dir_file(logd, proc_net)
allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
allow logd self:capability2 syslog;
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;

View file

@ -1,7 +1,7 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
allow modprobe self:capability sys_module;
allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
allow modprobe rootfs:system module_load;

View file

@ -6,6 +6,6 @@ net_domain(mtp)
# pptp policy
allow mtp self:socket create_socket_perms_no_ioctl;
allow mtp self:capability net_raw;
allow mtp self:global_capability_class_set net_raw;
allow mtp ppp:process signal;
allow mtp vpn_data_file:dir search;

View file

@ -9,14 +9,14 @@ allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
allow netd system_server:fd use;
allow netd self:capability { net_admin net_raw kill };
allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
dontaudit netd self:capability fsetid;
dontaudit netd self:global_capability_class_set fsetid;
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
@ -60,12 +60,12 @@ allow netd sysfs_usb:file write;
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
allow netd self:capability { dac_override chown };
allow netd self:global_capability_class_set { dac_override chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
allow netd self:capability fowner;
allow netd self:global_capability_class_set fowner;
# Needed to lock the iptables lock.
allow netd system_file:file lock;

View file

@ -5,7 +5,7 @@ type otapreopt_chroot_exec, exec_type, file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
allow otapreopt_chroot self:capability { sys_admin sys_chroot };
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor.
allow otapreopt_chroot block_device:dir search;

View file

@ -10,7 +10,7 @@ allow performanced permission_service:service_manager find;
pdx_server(performanced, performance_client)
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
allow performanced self:capability { setuid setgid sys_nice };
allow performanced self:global_capability_class_set { setuid setgid sys_nice };
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the

View file

@ -20,7 +20,7 @@ userdebug_or_eng(`
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd app_data_file:file r_file_perms;
allow perfprofd app_data_file:dir search;
allow perfprofd self:capability { dac_override };
allow perfprofd self:global_capability_class_set { dac_override };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
@ -34,13 +34,13 @@ userdebug_or_eng(`
wakelock_use(perfprofd);
# simpleperf uses ioctl() to turn on kernel perf events measurements
allow perfprofd self:capability sys_admin;
allow perfprofd self:global_capability_class_set sys_admin;
# simpleperf needs to examine /proc to collect task/thread info
r_dir_file(perfprofd, domain)
# simpleperf needs to access /proc/<pid>/exec
allow perfprofd self:capability { sys_resource sys_ptrace };
allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
neverallow perfprofd domain:process ptrace;
# simpleperf needs open/read any file that turns up in a profile
@ -54,6 +54,6 @@ userdebug_or_eng(`
allow perfprofd toolbox_exec:file rx_file_perms;
# needed for simpleperf on some kernels
allow perfprofd self:capability ipc_lock;
allow perfprofd self:global_capability_class_set ipc_lock;
')

View file

@ -5,7 +5,7 @@
type postinstall_dexopt, domain;
allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };

View file

@ -15,7 +15,7 @@ allowxperm ppp mtp:socket ioctl ppp_ioctls;
allow ppp mtp:unix_dgram_socket rw_socket_perms;
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp self:global_capability_class_set net_admin;
allow ppp system_file:file rx_file_perms;
not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
allow ppp vpn_data_file:dir w_dir_perms;

View file

@ -15,7 +15,7 @@ allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
allow racoon self:capability { net_admin net_bind_service net_raw };
allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;

View file

@ -12,10 +12,10 @@ recovery_only(`
# Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
allow recovery self:global_capability2_class_set mac_admin;
# Run helpers from / or /system without changing domain.
r_dir_file(recovery, rootfs)

View file

@ -7,7 +7,7 @@ allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
allow rild self:netlink_route_socket nlmsg_write;
allow rild kernel:system module_request;
allow rild self:capability { setpcap setgid setuid net_admin net_raw };
allow rild self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
allow rild cgroup:{ file lnk_file } r_file_perms;

View file

@ -18,11 +18,11 @@ allow runas system_data_file:lnk_file getattr;
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
dontaudit runas self:global_capability_class_set dac_override;
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };
allow runas self:global_capability_class_set { setuid setgid };
# run-as switches to the app security context.
selinux_check_context(runas) # validate context
@ -38,5 +38,5 @@ allow runas seapp_contexts_file:file r_file_perms;
###
# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
neverallow runas self:capability ~{ setuid setgid };
neverallow runas self:capability2 *;
neverallow runas self:global_capability_class_set ~{ setuid setgid };
neverallow runas self:global_capability2_class_set *;

View file

@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
allow sdcardd sdcard_type:dir create_dir_perms;
allow sdcardd sdcard_type:file create_file_perms;

View file

@ -14,7 +14,7 @@ allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables
allow sgdisk self:capability sys_admin;
allow sgdisk self:global_capability_class_set sys_admin;
# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;

View file

@ -5,7 +5,7 @@ type slideshow, domain;
allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
allow slideshow device:dir r_dir_perms;
allow slideshow self:capability sys_tty_config;
allow slideshow self:global_capability_class_set sys_tty_config;
allow slideshow graphics_device:dir r_dir_perms;
allow slideshow graphics_device:chr_file rw_file_perms;
allow slideshow input_device:dir r_dir_perms;

View file

@ -402,7 +402,7 @@ define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:capability2 block_suspend;
allow $1 self:global_capability2_class_set block_suspend;
')
#####################################

View file

@ -5,7 +5,7 @@ type ueventd, domain;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)

View file

@ -2,7 +2,7 @@
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
allow uncrypt self:capability dac_override;
allow uncrypt self:global_capability_class_set dac_override;
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
@ -29,7 +29,7 @@ unix_socket_connect(uncrypt, uncrypt, uncrypt)
set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;

View file

@ -11,12 +11,12 @@ allow update_engine qtaguid_device:chr_file r_file_perms;
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
allow update_engine self:capability { fowner sys_admin };
allow update_engine self:global_capability_class_set { fowner sys_admin };
# Note: fsetid checks are triggered when creating a file in a directory with
# the setgid bit set to determine if the file should inherit setgid. In this
# case, setgid on the file is undesirable so we should just suppress the
# denial.
dontaudit update_engine self:capability fsetid;
dontaudit update_engine self:global_capability_class_set fsetid;
allow update_engine kmsg_device:chr_file w_file_perms;
allow update_engine update_engine_exec:file rx_file_perms;

View file

@ -22,14 +22,14 @@ allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:capability dac_override;
allow vendor_init self:global_capability_class_set dac_override;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:capability { chown fowner fsetid };
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
allow vendor_init {
file_type
@ -188,7 +188,7 @@ allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(vendor_init, proc_net)
allow vendor_init proc_net:file w_file_perms;
allow vendor_init self:capability net_admin;
allow vendor_init self:global_capability_class_set net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;
@ -207,4 +207,4 @@ r_dir_file(vendor_init, vendor_file_type)
allow vendor_init serialno_prop:file { getattr open read };
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:capability sys_admin;
allow vendor_init self:global_capability_class_set sys_admin;

View file

@ -75,7 +75,7 @@ allow vold shell_data_file:dir { create getattr setattr };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
@ -88,7 +88,7 @@ allow vold dm_device:blk_file rw_file_perms;
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };
allow vold self:global_capability_class_set { sys_ptrace kill };
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
@ -179,10 +179,10 @@ allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
# vold temporarily changes its priority when running benchmarks
allow vold self:capability sys_nice;
allow vold self:global_capability_class_set sys_nice;
# vold needs to chroot into app namespaces to remount when runtime permissions change
allow vold self:capability sys_chroot;
allow vold self:global_capability_class_set sys_chroot;
allow vold storage_file:dir mounton;
# For AppFuse.

View file

@ -14,7 +14,7 @@ set_prop(wificond, ctl_default_prop)
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
allow wificond self:capability { net_admin net_raw };
allow wificond self:global_capability_class_set { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets

View file

@ -25,5 +25,5 @@ allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
# Allow us to bring up a TUN network interface.
allow wpantund tun_device:chr_file rw_file_perms;
allow wpantund self:capability { net_admin net_raw };
allow wpantund self:global_capability_class_set { net_admin net_raw };
allow wpantund self:tun_socket create;

2
vendor/hostapd.te vendored
View file

@ -5,7 +5,7 @@ type hostapd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hostapd)
net_domain(hostapd)
allow hostapd self:capability { net_admin net_raw };
allow hostapd self:global_capability_class_set { net_admin net_raw };
# hostapd learns about its network interface via sysfs.
allow hostapd sysfs:file r_file_perms;

2
vendor/tee.te vendored
View file

@ -4,7 +4,7 @@
type tee_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(tee)
allow tee self:capability { dac_override };
allow tee self:global_capability_class_set { dac_override };
allow tee tee_device:chr_file rw_file_perms;
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:file create_file_perms;

View file

@ -4,7 +4,7 @@ type vendor_modprobe, domain;
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
allow vendor_modprobe self:capability sys_module;
allow vendor_modprobe self:global_capability_class_set sys_module;
allow vendor_modprobe kernel:key search;
allow vendor_modprobe { vendor_file }:system module_load;