From cd82557d4069c20bda8e18aa7f72fc0521a3ae32 Mon Sep 17 00:00:00 2001
From: dcashman
Date: Thu, 11 Dec 2014 16:01:27 -0800
Subject: [PATCH] Restrict service_manager find and list access.

All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
---
 adbd.te | 6 +-----
 bluetooth.te | 11 +++--------
 bootanim.te | 4 +---
 domain.te | 5 -----
 drmserver.te | 11 ++---------
 dumpstate.te | 24 +++++++++++-------------
 healthd.te | 6 +-----
 inputflinger.te | 6 +-----
 isolated_app.te | 11 +++--------
 keystore.te | 6 +-----
 mediaserver.te | 15 ++++-----------
 nfc.te | 12 +++---------
 platform_app.te | 13 ++++---------
 radio.te | 15 ++++-----------
 surfaceflinger.te | 12 ++++--------
 system_app.te | 16 +++++-----------
 system_server.te | 20 +++++++++++++++++---
 untrusted_app.te | 19 +++++++------------
 18 files changed, 72 insertions(+), 140 deletions(-)

diff --git a/adbd.te b/adbd.te
index c21e70331..f5cebd269 100644
--- a/adbd.te
+++ b/adbd.te
@@ -79,8 +79,4 @@ allow adbd system_file:file r_file_perms;
 allow adbd kernel:security read_policy;
-service_manager_local_audit_domain(adbd)
-auditallow adbd {
- service_manager_type
- -surfaceflinger_service
-}:service_manager find;
+allow adbd surfaceflinger_service:service_manager find;
diff --git a/bluetooth.te b/bluetooth.te
index 56fe17058..d6adc3b49 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,14 +49,9 @@ allow bluetooth bluetooth_prop:property_service set;
 allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
-# Audited locally.
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
- service_manager_type
- -bluetooth_service
- -radio_service
- -system_server_service
-}:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth system_server_service:service_manager find;
 ###
 ### Neverallow rules
diff --git a/bootanim.te b/bootanim.te
index e0e25b967..dd1e57a4d 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -16,6 +16,4 @@ allow bootanim oemfs:file r_file_perms;
 allow bootanim audio_device:dir r_dir_perms;
 allow bootanim audio_device:chr_file rw_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(bootanim)
-auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
diff --git a/domain.te b/domain.te
index 243c992f3..52920a72d 100644
--- a/domain.te
+++ b/domain.te
@@ -165,11 +165,6 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-allow domain servicemanager:service_manager list;
-auditallow { domain -dumpstate } servicemanager:service_manager list;
-allow domain service_manager_type:service_manager find;
-auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
-
 ###
 ### neverallow rules
 ###
diff --git a/drmserver.te b/drmserver.te
index ba7e62fc2..37edbfe9a 100644
--- a/drmserver.te
+++ b/drmserver.te
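Review bot: Dropping `allow domain servicemanager:service_manager list;` removes the only `list` grant visible in this patch, and the old `auditallow { domain -dumpstate } servicemanager:service_manager list;` excluded dumpstate, which suggests dumpstate was expected to list services; yet the dumpstate.te hunk on the next line only grants `find`. Unless `list` is granted to dumpstate somewhere outside this patch, the service listing taken during a bugreport will now be denied. Consider adding `allow dumpstate servicemanager:service_manager list;` to dumpstate.te next to the new find rules, and checking a bugreport run for `service_manager` avc denials before submitting.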
@@ -45,18 +45,11 @@ allow drmserver asec_apk_file:file { read getattr };
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow drmserver radio_data_file:file { read getattr };
-allow drmserver drmserver_service:service_manager add;
-
 # /oem access
 allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
- service_manager_type
- -drmserver_service
- -system_server_service
-}:service_manager find;
+allow drmserver drmserver_service:service_manager { add find };
+allow drmserver system_server_service:service_manager find;
 selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index e5ccb562d..df1506702 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -106,17 +106,15 @@ allow dumpstate tombstone_data_file:file r_file_perms;
 # Access /system/bin executables to determine type of executable.
 allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
-service_manager_local_audit_domain(dumpstate)
-auditallow dumpstate {
- service_manager_type
- -drmserver_service
- -healthd_service
- -inputflinger_service
- -keystore_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_app_service
- -system_server_service
+allow dumpstate {
+ drmserver_service
+ healthd_service
+ inputflinger_service
+ keystore_service
+ mediaserver_service
+ nfc_service
+ radio_service
+ surfaceflinger_service
+ system_app_service
+ system_server_service
 }:service_manager find;
diff --git a/healthd.te b/healthd.te
index 3cb69bf8e..2ea825c8f 100644
--- a/healthd.te
+++ b/healthd.te
@@ -38,11 +38,7 @@ allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
-allow healthd healthd_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(healthd)
-auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+allow healthd healthd_service:service_manager { add find };
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
diff --git a/inputflinger.te b/inputflinger.te
index 4377a104f..0a8dd9023 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,8 +8,4 @@ binder_service(inputflinger)
 binder_call(inputflinger, system_server)
-allow inputflinger inputflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(inputflinger)
-auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
+allow inputflinger inputflinger_service:service_manager { add find };
diff --git a/isolated_app.te b/isolated_app.te
index 6fc7a99ab..8c4549293 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,11 +21,6 @@ neverallow isolated_app app_data_file:file open;
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:file { rw_file_perms execute };
-# Audited locally.
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app {
- service_manager_type
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow isolated_app radio_service:service_manager find;
+allow isolated_app surfaceflinger_service:service_manager find;
+allow isolated_app system_server_service:service_manager find;
diff --git a/keystore.te b/keystore.te
index 700b99ba0..6a89df33a 100644
--- a/keystore.te
+++ b/keystore.te
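Review bot: The new isolated_app allow rules (and the equivalent lists in the platform_app and untrusted_app hunks) replace the audit block with a bare set of services, and nothing in the file records where that set came from. A one-line comment above the rules such as `# Services this domain was observed to find via auditallow reporting (b/18106000).` would tell the next maintainer that the list is empirical and can be re-derived, rather than a designed allow-list that must be preserved as is.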
@@ -26,11 +26,7 @@ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 neverallow domain keystore:process ptrace;
-allow keystore keystore_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(keystore)
-auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+allow keystore keystore_service:service_manager { add find };
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 711f4df7e..54112af2a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,22 +78,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
-allow mediaserver mediaserver_service:service_manager add;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver system_server_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
- service_manager_type
- -drmserver_service
- -mediaserver_service
- -system_server_service
- -surfaceflinger_service
-}:service_manager find;
-
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
 consumeRights
diff --git a/nfc.te b/nfc.te
index 4113d3172..ad88bd98f 100644
--- a/nfc.te
+++ b/nfc.te
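Review bot: The four new mediaserver rules list `system_server_service` before `surfaceflinger_service`, which breaks the alphabetical order the other per-domain lists in this patch follow (bluetooth, platform_app, radio, untrusted_app); the system_server hunk has the same ordering. Swapping the last two lines keeps the lists consistent so a missing or duplicated service is easier to notice in later reviews.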
@@ -18,13 +18,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
+allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
- service_manager_type
- -mediaserver_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc system_server_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index a44e35d8a..d34c9f1fc 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -28,12 +28,7 @@ allow platform_app media_rw_data_file:file create_file_perms;
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
- service_manager_type
- -mediaserver_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app system_server_service:service_manager find;
diff --git a/radio.te b/radio.te
index e6ffac267..9282055f2 100644
--- a/radio.te
+++ b/radio.te
@@ -30,14 +30,7 @@ auditallow radio system_radio_prop:property_service set;
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
-allow radio radio_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(radio)
-auditallow radio {
- service_manager_type
- -mediaserver_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio radio_service:service_manager { add find };
+allow radio surfaceflinger_service:service_manager find;
+allow radio system_server_service:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ff91993ec..02cb43310 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,15 +57,11 @@ r_dir_file(surfaceflinger, dumpstate)
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
-allow surfaceflinger surfaceflinger_service:service_manager add;
-# Audited locally.
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
- service_manager_type
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+# media.player service
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+allow surfaceflinger system_server_service:service_manager find;
 ###
 ### Neverallow rules
diff --git a/system_app.te b/system_app.te
index fed44d1f6..9a91624cf 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,7 +48,12 @@ allow system_app anr_data_file:file create_file_perms;
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
+allow system_app keystore_service:service_manager find;
+allow system_app nfc_service:service_manager find;
+allow system_app radio_service:service_manager find;
+allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
+allow system_app system_server_service:service_manager find;
 allow system_app keystore:keystore_key {
 test
@@ -70,14 +75,3 @@ allow system_app keystore:keystore_key {
 };
 control_logd(system_app)
-
-# Audited locally.
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
- service_manager_type
- -keystore_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
diff --git a/system_server.te b/system_server.te
index a8348e720..9dc1e90c8 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,10 +364,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
-allow system_server system_server_service:service_manager add;
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
-# Audited locally.
-service_manager_local_audit_domain(system_server)
+# TODO: Remove. Make up for previously lacking auditing.
+allow system_server service_manager_type:service_manager find;
+auditallow system_server {
+ service_manager_type
+ -healthd_service
+ -keystore_service
+ -mediaserver_service
+ -radio_service
+ -system_server_service
+ -surfaceflinger_service
+}:service_manager find;
 allow system_server keystore:keystore_key {
 test
diff --git a/untrusted_app.te b/untrusted_app.te
index 3fd4a40cc..e55807601 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
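Review bot: The `# TODO: Remove.` line keeps a blanket `allow system_server service_manager_type:service_manager find;`, so system_server is the one domain this patch does not actually restrict, and nothing ties that TODO to the tracking bug. Suggest `# TODO(b/18106000): remove the blanket find grant once auditallow data has been collected.` so the follow-up is visible in the tracker. The exclusion list in the new auditallow also has to be kept in step with the explicit allow rules above it: an allow added without a matching exclusion only produces audit noise, but an allow removed while its exclusion stays would remain permitted through the blanket rule without ever being logged.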
@@ -63,18 +63,13 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
-# Audited locally.
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
- service_manager_type
- -drmserver_service
- -keystore_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -surfaceflinger_service
- -system_server_service
-}:service_manager find;
+allow untrusted_app drmserver_service:service_manager find;
+allow untrusted_app keystore_service:service_manager find;
+allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app nfc_service:service_manager find;
+allow untrusted_app radio_service:service_manager find;
+allow untrusted_app surfaceflinger_service:service_manager find;
+allow untrusted_app system_server_service:service_manager find;
 ###
 ### neverallow rules