Restrict service_manager find and list access.
All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting. Bug: 18106000 Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
This commit is contained in:
parent
b7d0ae3aca
commit
cd82557d40
18 changed files with 72 additions and 140 deletions
6
adbd.te
6
adbd.te
|
@ -79,8 +79,4 @@ allow adbd system_file:file r_file_perms;
|
||||||
|
|
||||||
allow adbd kernel:security read_policy;
|
allow adbd kernel:security read_policy;
|
||||||
|
|
||||||
service_manager_local_audit_domain(adbd)
|
allow adbd surfaceflinger_service:service_manager find;
|
||||||
auditallow adbd {
|
|
||||||
service_manager_type
|
|
||||||
-surfaceflinger_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
11
bluetooth.te
11
bluetooth.te
|
@ -49,14 +49,9 @@ allow bluetooth bluetooth_prop:property_service set;
|
||||||
allow bluetooth pan_result_prop:property_service set;
|
allow bluetooth pan_result_prop:property_service set;
|
||||||
allow bluetooth ctl_dhcp_pan_prop:property_service set;
|
allow bluetooth ctl_dhcp_pan_prop:property_service set;
|
||||||
|
|
||||||
# Audited locally.
|
allow bluetooth bluetooth_service:service_manager find;
|
||||||
service_manager_local_audit_domain(bluetooth)
|
allow bluetooth radio_service:service_manager find;
|
||||||
auditallow bluetooth {
|
allow bluetooth system_server_service:service_manager find;
|
||||||
service_manager_type
|
|
||||||
-bluetooth_service
|
|
||||||
-radio_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
|
|
|
@ -16,6 +16,4 @@ allow bootanim oemfs:file r_file_perms;
|
||||||
allow bootanim audio_device:dir r_dir_perms;
|
allow bootanim audio_device:dir r_dir_perms;
|
||||||
allow bootanim audio_device:chr_file rw_file_perms;
|
allow bootanim audio_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# Audited locally.
|
allow bootanim surfaceflinger_service:service_manager find;
|
||||||
service_manager_local_audit_domain(bootanim)
|
|
||||||
auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
|
|
||||||
|
|
|
@ -165,11 +165,6 @@ allow domain security_file:lnk_file r_file_perms;
|
||||||
allow domain asec_public_file:file r_file_perms;
|
allow domain asec_public_file:file r_file_perms;
|
||||||
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
|
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
|
||||||
|
|
||||||
allow domain servicemanager:service_manager list;
|
|
||||||
auditallow { domain -dumpstate } servicemanager:service_manager list;
|
|
||||||
allow domain service_manager_type:service_manager find;
|
|
||||||
auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
11
drmserver.te
11
drmserver.te
|
@ -45,18 +45,11 @@ allow drmserver asec_apk_file:file { read getattr };
|
||||||
# Read /data/data/com.android.providers.telephony files passed over Binder.
|
# Read /data/data/com.android.providers.telephony files passed over Binder.
|
||||||
allow drmserver radio_data_file:file { read getattr };
|
allow drmserver radio_data_file:file { read getattr };
|
||||||
|
|
||||||
allow drmserver drmserver_service:service_manager add;
|
|
||||||
|
|
||||||
# /oem access
|
# /oem access
|
||||||
allow drmserver oemfs:dir search;
|
allow drmserver oemfs:dir search;
|
||||||
allow drmserver oemfs:file r_file_perms;
|
allow drmserver oemfs:file r_file_perms;
|
||||||
|
|
||||||
# Audited locally.
|
allow drmserver drmserver_service:service_manager { add find };
|
||||||
service_manager_local_audit_domain(drmserver)
|
allow drmserver system_server_service:service_manager find;
|
||||||
auditallow drmserver {
|
|
||||||
service_manager_type
|
|
||||||
-drmserver_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
selinux_check_access(drmserver)
|
selinux_check_access(drmserver)
|
||||||
|
|
24
dumpstate.te
24
dumpstate.te
|
@ -106,17 +106,15 @@ allow dumpstate tombstone_data_file:file r_file_perms;
|
||||||
# Access /system/bin executables to determine type of executable.
|
# Access /system/bin executables to determine type of executable.
|
||||||
allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
|
allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
|
||||||
|
|
||||||
service_manager_local_audit_domain(dumpstate)
|
allow dumpstate {
|
||||||
auditallow dumpstate {
|
drmserver_service
|
||||||
service_manager_type
|
healthd_service
|
||||||
-drmserver_service
|
inputflinger_service
|
||||||
-healthd_service
|
keystore_service
|
||||||
-inputflinger_service
|
mediaserver_service
|
||||||
-keystore_service
|
nfc_service
|
||||||
-mediaserver_service
|
radio_service
|
||||||
-nfc_service
|
surfaceflinger_service
|
||||||
-radio_service
|
system_app_service
|
||||||
-surfaceflinger_service
|
system_server_service
|
||||||
-system_app_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
}:service_manager find;
|
||||||
|
|
|
@ -38,11 +38,7 @@ allow healthd self:process execmem;
|
||||||
allow healthd proc_sysrq:file rw_file_perms;
|
allow healthd proc_sysrq:file rw_file_perms;
|
||||||
allow healthd self:capability sys_boot;
|
allow healthd self:capability sys_boot;
|
||||||
|
|
||||||
allow healthd healthd_service:service_manager add;
|
allow healthd healthd_service:service_manager { add find };
|
||||||
|
|
||||||
# Audited locally.
|
|
||||||
service_manager_local_audit_domain(healthd)
|
|
||||||
auditallow healthd { service_manager_type -healthd_service }:service_manager find;
|
|
||||||
|
|
||||||
# Healthd needs to tell init to continue the boot
|
# Healthd needs to tell init to continue the boot
|
||||||
# process when running in charger mode.
|
# process when running in charger mode.
|
||||||
|
|
|
@ -8,8 +8,4 @@ binder_service(inputflinger)
|
||||||
|
|
||||||
binder_call(inputflinger, system_server)
|
binder_call(inputflinger, system_server)
|
||||||
|
|
||||||
allow inputflinger inputflinger_service:service_manager add;
|
allow inputflinger inputflinger_service:service_manager { add find };
|
||||||
|
|
||||||
# Audited locally.
|
|
||||||
service_manager_local_audit_domain(inputflinger)
|
|
||||||
auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
|
|
||||||
|
|
|
@ -21,11 +21,6 @@ neverallow isolated_app app_data_file:file open;
|
||||||
# Isolated apps shouldn't be able to access the driver directly.
|
# Isolated apps shouldn't be able to access the driver directly.
|
||||||
neverallow isolated_app gpu_device:file { rw_file_perms execute };
|
neverallow isolated_app gpu_device:file { rw_file_perms execute };
|
||||||
|
|
||||||
# Audited locally.
|
allow isolated_app radio_service:service_manager find;
|
||||||
service_manager_local_audit_domain(isolated_app)
|
allow isolated_app surfaceflinger_service:service_manager find;
|
||||||
auditallow isolated_app {
|
allow isolated_app system_server_service:service_manager find;
|
||||||
service_manager_type
|
|
||||||
-radio_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
|
@ -26,11 +26,7 @@ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
|
||||||
|
|
||||||
neverallow domain keystore:process ptrace;
|
neverallow domain keystore:process ptrace;
|
||||||
|
|
||||||
allow keystore keystore_service:service_manager add;
|
allow keystore keystore_service:service_manager { add find };
|
||||||
|
|
||||||
# Audited locally.
|
|
||||||
service_manager_local_audit_domain(keystore)
|
|
||||||
auditallow keystore { service_manager_type -keystore_service }:service_manager find;
|
|
||||||
|
|
||||||
# Check SELinux permissions.
|
# Check SELinux permissions.
|
||||||
selinux_check_access(keystore)
|
selinux_check_access(keystore)
|
||||||
|
|
|
@ -78,22 +78,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
|
||||||
# Connect to tee service.
|
# Connect to tee service.
|
||||||
allow mediaserver tee:unix_stream_socket connectto;
|
allow mediaserver tee:unix_stream_socket connectto;
|
||||||
|
|
||||||
allow mediaserver mediaserver_service:service_manager add;
|
allow mediaserver drmserver_service:service_manager find;
|
||||||
|
allow mediaserver mediaserver_service:service_manager { add find };
|
||||||
|
allow mediaserver system_server_service:service_manager find;
|
||||||
|
allow mediaserver surfaceflinger_service:service_manager find;
|
||||||
|
|
||||||
# /oem access
|
# /oem access
|
||||||
allow mediaserver oemfs:dir search;
|
allow mediaserver oemfs:dir search;
|
||||||
allow mediaserver oemfs:file r_file_perms;
|
allow mediaserver oemfs:file r_file_perms;
|
||||||
|
|
||||||
# Audited locally.
|
|
||||||
service_manager_local_audit_domain(mediaserver)
|
|
||||||
auditallow mediaserver {
|
|
||||||
service_manager_type
|
|
||||||
-drmserver_service
|
|
||||||
-mediaserver_service
|
|
||||||
-system_server_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
use_drmservice(mediaserver)
|
use_drmservice(mediaserver)
|
||||||
allow mediaserver drmserver:drmservice {
|
allow mediaserver drmserver:drmservice {
|
||||||
consumeRights
|
consumeRights
|
||||||
|
|
12
nfc.te
12
nfc.te
|
@ -18,13 +18,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
|
||||||
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
|
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
|
||||||
allow nfc sysfs:file write;
|
allow nfc sysfs:file write;
|
||||||
|
|
||||||
|
allow nfc mediaserver_service:service_manager find;
|
||||||
allow nfc nfc_service:service_manager add;
|
allow nfc nfc_service:service_manager add;
|
||||||
|
allow nfc surfaceflinger_service:service_manager find;
|
||||||
# Audited locally.
|
allow nfc system_server_service:service_manager find;
|
||||||
service_manager_local_audit_domain(nfc)
|
|
||||||
auditallow nfc {
|
|
||||||
service_manager_type
|
|
||||||
-mediaserver_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
|
@ -28,12 +28,7 @@ allow platform_app media_rw_data_file:file create_file_perms;
|
||||||
allow platform_app cache_file:dir create_dir_perms;
|
allow platform_app cache_file:dir create_dir_perms;
|
||||||
allow platform_app cache_file:file create_file_perms;
|
allow platform_app cache_file:file create_file_perms;
|
||||||
|
|
||||||
# Audited locally.
|
allow platform_app mediaserver_service:service_manager find;
|
||||||
service_manager_local_audit_domain(platform_app)
|
allow platform_app radio_service:service_manager find;
|
||||||
auditallow platform_app {
|
allow platform_app surfaceflinger_service:service_manager find;
|
||||||
service_manager_type
|
allow platform_app system_server_service:service_manager find;
|
||||||
-mediaserver_service
|
|
||||||
-radio_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
15
radio.te
15
radio.te
|
@ -30,14 +30,7 @@ auditallow radio system_radio_prop:property_service set;
|
||||||
# ctl interface
|
# ctl interface
|
||||||
allow radio ctl_rildaemon_prop:property_service set;
|
allow radio ctl_rildaemon_prop:property_service set;
|
||||||
|
|
||||||
allow radio radio_service:service_manager add;
|
allow radio mediaserver_service:service_manager find;
|
||||||
|
allow radio radio_service:service_manager { add find };
|
||||||
# Audited locally.
|
allow radio surfaceflinger_service:service_manager find;
|
||||||
service_manager_local_audit_domain(radio)
|
allow radio system_server_service:service_manager find;
|
||||||
auditallow radio {
|
|
||||||
service_manager_type
|
|
||||||
-mediaserver_service
|
|
||||||
-radio_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
|
@ -57,15 +57,11 @@ r_dir_file(surfaceflinger, dumpstate)
|
||||||
allow surfaceflinger tee:unix_stream_socket connectto;
|
allow surfaceflinger tee:unix_stream_socket connectto;
|
||||||
allow surfaceflinger tee_device:chr_file rw_file_perms;
|
allow surfaceflinger tee_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
allow surfaceflinger surfaceflinger_service:service_manager add;
|
|
||||||
|
|
||||||
# Audited locally.
|
# media.player service
|
||||||
service_manager_local_audit_domain(surfaceflinger)
|
allow surfaceflinger mediaserver_service:service_manager find;
|
||||||
auditallow surfaceflinger {
|
allow surfaceflinger surfaceflinger_service:service_manager { add find };
|
||||||
service_manager_type
|
allow surfaceflinger system_server_service:service_manager find;
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
|
|
|
@ -48,7 +48,12 @@ allow system_app anr_data_file:file create_file_perms;
|
||||||
# Settings need to access app name and icon from asec
|
# Settings need to access app name and icon from asec
|
||||||
allow system_app asec_apk_file:file r_file_perms;
|
allow system_app asec_apk_file:file r_file_perms;
|
||||||
|
|
||||||
|
allow system_app keystore_service:service_manager find;
|
||||||
|
allow system_app nfc_service:service_manager find;
|
||||||
|
allow system_app radio_service:service_manager find;
|
||||||
|
allow system_app surfaceflinger_service:service_manager find;
|
||||||
allow system_app system_app_service:service_manager add;
|
allow system_app system_app_service:service_manager add;
|
||||||
|
allow system_app system_server_service:service_manager find;
|
||||||
|
|
||||||
allow system_app keystore:keystore_key {
|
allow system_app keystore:keystore_key {
|
||||||
test
|
test
|
||||||
|
@ -70,14 +75,3 @@ allow system_app keystore:keystore_key {
|
||||||
};
|
};
|
||||||
|
|
||||||
control_logd(system_app)
|
control_logd(system_app)
|
||||||
|
|
||||||
# Audited locally.
|
|
||||||
service_manager_local_audit_domain(system_app)
|
|
||||||
auditallow system_app {
|
|
||||||
service_manager_type
|
|
||||||
-keystore_service
|
|
||||||
-nfc_service
|
|
||||||
-radio_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
|
@ -364,10 +364,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
|
||||||
allow system_server pstorefs:dir r_dir_perms;
|
allow system_server pstorefs:dir r_dir_perms;
|
||||||
allow system_server pstorefs:file r_file_perms;
|
allow system_server pstorefs:file r_file_perms;
|
||||||
|
|
||||||
allow system_server system_server_service:service_manager add;
|
allow system_server healthd_service:service_manager find;
|
||||||
|
allow system_server keystore_service:service_manager find;
|
||||||
|
allow system_server mediaserver_service:service_manager find;
|
||||||
|
allow system_server radio_service:service_manager find;
|
||||||
|
allow system_server system_server_service:service_manager { add find };
|
||||||
|
allow system_server surfaceflinger_service:service_manager find;
|
||||||
|
|
||||||
# Audited locally.
|
# TODO: Remove. Make up for previously lacking auditing.
|
||||||
service_manager_local_audit_domain(system_server)
|
allow system_server service_manager_type:service_manager find;
|
||||||
|
auditallow system_server {
|
||||||
|
service_manager_type
|
||||||
|
-healthd_service
|
||||||
|
-keystore_service
|
||||||
|
-mediaserver_service
|
||||||
|
-radio_service
|
||||||
|
-system_server_service
|
||||||
|
-surfaceflinger_service
|
||||||
|
}:service_manager find;
|
||||||
|
|
||||||
allow system_server keystore:keystore_key {
|
allow system_server keystore:keystore_key {
|
||||||
test
|
test
|
||||||
|
|
|
@ -63,18 +63,13 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
|
||||||
allow untrusted_app cache_file:dir create_dir_perms;
|
allow untrusted_app cache_file:dir create_dir_perms;
|
||||||
allow untrusted_app cache_file:file create_file_perms;
|
allow untrusted_app cache_file:file create_file_perms;
|
||||||
|
|
||||||
# Audited locally.
|
allow untrusted_app drmserver_service:service_manager find;
|
||||||
service_manager_local_audit_domain(untrusted_app)
|
allow untrusted_app keystore_service:service_manager find;
|
||||||
auditallow untrusted_app {
|
allow untrusted_app mediaserver_service:service_manager find;
|
||||||
service_manager_type
|
allow untrusted_app nfc_service:service_manager find;
|
||||||
-drmserver_service
|
allow untrusted_app radio_service:service_manager find;
|
||||||
-keystore_service
|
allow untrusted_app surfaceflinger_service:service_manager find;
|
||||||
-mediaserver_service
|
allow untrusted_app system_server_service:service_manager find;
|
||||||
-nfc_service
|
|
||||||
-radio_service
|
|
||||||
-surfaceflinger_service
|
|
||||||
-system_server_service
|
|
||||||
}:service_manager find;
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
|
|
Loading…
Reference in a new issue