From 5b340befb4f964365c856606050254a65df909d1 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 6 Mar 2012 11:12:41 -0500 Subject: [PATCH 01/13] Add support for per-device .te and .fc files. --- Android.mk | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/Android.mk b/Android.mk index 2b021ea41..83d268133 100644 --- a/Android.mk +++ b/Android.mk @@ -11,6 +11,11 @@ POLICYVERS := 24 MLS_SENS=1 MLS_CATS=1024 +LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET_DEVICE)/ vendor/*/$(TARGET_DEVICE)/ + +LOCAL_POLICY_FC := $(wildcard $(addsuffix *.fc, $(LOCAL_POLICY_DIRS))) +LOCAL_POLICY_TE := $(wildcard $(addsuffix *.te, $(LOCAL_POLICY_DIRS))) + ################################## include $(CLEAR_VARS) @@ -25,7 +30,7 @@ include $(BUILD_SYSTEM)/base_rules.mk sepolicy_policy.conf := $(intermediates)/policy.conf $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users ocontexts)) +$(sepolicy_policy.conf) : $(wildcard $(addprefix $(LOCAL_PATH)/,security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te) $(LOCAL_POLICY_TE) $(addprefix $(LOCAL_PATH)/, roles users ocontexts)) @mkdir -p $(dir $@) $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) -s $^ > $@ 
@@ -38,13 +43,18 @@ sepolicy_policy.conf := include $(CLEAR_VARS) LOCAL_MODULE := file_contexts -LOCAL_SRC_FILES := $(LOCAL_MODULE) LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_TAGS := optional LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) -include $(BUILD_PREBUILT) +include $(BUILD_SYSTEM)/base_rules.mk +file_contexts := $(intermediates)/file_contexts +$(file_contexts): $(LOCAL_PATH)/file_contexts $(LOCAL_POLICY_FC) + @mkdir -p $(dir $@) + $(hide) cat $^ > $@ + +file_contexts := ################################## include $(CLEAR_VARS) From 64935c7d87ce76ed542e16fce3dde9883b507d7a Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 6 Mar 2012 13:27:39 -0500 Subject: [PATCH 02/13] Limit per-device policy files to a well-defined sepolicy prefix. Avoid any future collisions with the use of .fc or .te suffixes in the per-device directories. If we want multiple file support, add a separate subdirectory for sepolicy files. --- Android.mk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Android.mk b/Android.mk index 83d268133..c210dcb60 100644 --- a/Android.mk +++ b/Android.mk @@ -13,8 +13,8 @@ MLS_CATS=1024 LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET_DEVICE)/ vendor/*/$(TARGET_DEVICE)/ -LOCAL_POLICY_FC := $(wildcard $(addsuffix *.fc, $(LOCAL_POLICY_DIRS))) -LOCAL_POLICY_TE := $(wildcard $(addsuffix *.te, $(LOCAL_POLICY_DIRS))) +LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS))) +LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS))) ################################## include $(CLEAR_VARS) From c83d0087e457787fc0441d959a20d56fc5200048 Mon Sep 17 00:00:00 2001 
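Review bot: The per-device `$(LOCAL_POLICY_FC)` entries are appended after the core file_contexts by `cat $^ > $@`, and since libselinux's file backend (as far as I recall) takes the last matching specification, a device `sepolicy.fc` can silently re-label any core path such as a daemon's data directory or a device node. That is presumably intended, but nothing in the build records which files the `device/*/` and `vendor/*/` globs actually picked up, so the effective labeling is hard to audit. I would add `# Device entries come last and take precedence over core entries for the same path.` above the rule and a `$(info sepolicy: per-device file_contexts: $(LOCAL_POLICY_FC))` next to it so a build log shows what was merged.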
From: Stephen Smalley Date: Wed, 7 Mar 2012 14:59:01 -0500 Subject: [PATCH 03/13] Policy changes to support running the latest CTS. --- adbd.te | 7 ++++--- app.te | 9 +++------ debuggerd.te | 1 + domain.te | 6 +++++- drmserver.te | 6 ++++++ file.te | 2 ++ file_contexts | 1 + shell.te | 7 ++++--- system.te | 8 ++++---- te_macros | 3 --- ueventd.te | 3 --- 11 files changed, 30 insertions(+), 23 deletions(-) diff --git a/adbd.te b/adbd.te index 4d1e65573..cc2920b34 100644 --- a/adbd.te +++ b/adbd.te @@ -23,9 +23,10 @@ unix_socket_connect(adbd, vold, vold) # Talk to init via the property socket. unix_socket_connect(adbd, property, init) -# Read properties. -allow adbd kernel:fd use; -allow adbd tmpfs:file read; +# Run sh in its own domain. +domain_auto_trans(adbd, shell_exec, shell) +# Do not sanitize the environment of the shell. +allow adbd shell:process noatsecure; # Perform binder IPC to surfaceflinger (screencap) # XXX Run screencap in a separate domain? diff --git a/app.te b/app.te index 976b6bcf4..6cc499aa3 100644 --- a/app.te +++ b/app.te @@ -30,9 +30,6 @@ allow trusted_app sdcard:file create_file_perms; # Populate /data/app/vmdl*.tmp file created by system server. # It would be better if this was labeled differently. allow trusted_app apk_data_file:file write; -# Perform binder IPC to any app domain. -binder_call(trusted_app, appdomain) -binder_transfer(trusted_app, appdomain) # # An example of a specific domain for a specific app @@ -105,6 +102,6 @@ binder_use(appdomain) # Perform binder IPC to binder services. binder_call(appdomain, binderservicedomain) binder_transfer(appdomain, binderservicedomain) -# Perform binder IPC to apps in the trusted_app domain. -binder_call(appdomain, trusted_app) -binder_transfer(appdomain, trusted_app) +# Perform binder IPC to other apps. +binder_call(appdomain, appdomain) +binder_transfer(appdomain, appdomain) diff --git a/debuggerd.te b/debuggerd.te index f808ea9b9..b85133b9d 100644 --- a/debuggerd.te +++ b/debuggerd.te 
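Review bot: `binder_call(appdomain, appdomain)` and `binder_transfer(appdomain, appdomain)` let every app domain perform binder IPC with every other app domain, so SELinux no longer separates apps from each other over binder, where the replaced rules confined this to trusted_app. That is presumably what the CTS exercises, but the comment `# Perform binder IPC to other apps.` does not say that the remaining protection on those endpoints is the framework's own uid/permission checks, which is what a later reader needs before narrowing or widening this. I would write it out: `# Any app may bind to services exported by any other app; access control on those endpoints is enforced by the framework (permissions, uid checks), not by this policy.`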
@@ -12,3 +12,4 @@ allow debuggerd tombstone_data_file:dir create_dir_perms; allow debuggerd tombstone_data_file:file create_file_perms; allow debuggerd domain:process { sigstop signal }; allow debuggerd exec_type:file r_file_perms; +allow debuggerd log_device:chr_file r_file_perms; diff --git a/domain.te b/domain.te index 55c9ecd4c..2e9720e14 100644 --- a/domain.te +++ b/domain.te @@ -3,6 +3,10 @@ # Allow reaping by init. allow domain init:process sigchld; +# Read access to properties mapping. +allow domain kernel:fd use; +allow domain tmpfs:file read; + # binder adjusts the nice value during IPC. allow domain self:capability sys_nice; @@ -29,7 +33,7 @@ allow domain debuggerd:unix_stream_socket connectto; # Root fs. allow domain rootfs:dir r_dir_perms; -allow domain rootfs:lnk_file read; +allow domain rootfs:lnk_file { read getattr }; # Device accesses. allow domain device:dir search; diff --git a/drmserver.te b/drmserver.te index 5b46ea88c..624ae1327 100644 --- a/drmserver.te +++ b/drmserver.te @@ -8,3 +8,9 @@ typeattribute drmserver mlstrustedsubject; # Perform Binder IPC to system server. binder_use(drmserver) binder_call(drmserver, system) +binder_call(drmserver, appdomain) +binder_service(drmserver) + +allow drmserver sdcard:dir search; +allow drmserver drm_data_file:dir create_dir_perms; +allow drmserver drm_data_file:file create_file_perms; diff --git a/file.te b/file.te index 11c3ef649..dc9e76821 100644 --- a/file.te +++ b/file.te @@ -22,6 +22,8 @@ type unlabeled, file_type; type system_file, file_type; # Default type for anything under /data. type system_data_file, file_type, data_file_type; +# /data/drm - DRM plugin data +type drm_data_file, file_type, data_file_type; # /data/anr - ANR traces type anr_data_file, file_type, data_file_type; # /data/tombstones - core dumps diff --git a/file_contexts b/file_contexts index 92c6bb0f4..79a3124b1 100644 --- a/file_contexts +++ b/file_contexts 
@@ -101,6 +101,7 @@ # Data files # /data(/.*)? u:object_r:system_data_file:s0 +/data/drm(/.*)? u:object_r:drm_data_file:s0 /data/gps(/.*)? u:object_r:gps_data_file:s0 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 /data/anr(/.*)? u:object_r:anr_data_file:s0 diff --git a/shell.te b/shell.te index a66eaf49f..56250ab58 100644 --- a/shell.te +++ b/shell.te @@ -1,6 +1,7 @@ type shell, domain; type shell_exec, file_type; domain_auto_trans(adbd, shell_exec, shell) +allow adbd shell:process noatsecure; domain_auto_trans(init, shell_exec, shell) allow shell rootfs:dir r_dir_perms; allow shell devpts:chr_file rw_file_perms; @@ -13,9 +14,9 @@ allow shell shell_data_file:dir create_dir_perms; allow shell shell_data_file:file create_file_perms; allow shell shell_data_file:file rx_file_perms; -# Read properties. -allow shell kernel:fd use; -allow shell tmpfs:file read; +# Access sdcard. +allow shell sdcard:dir rw_dir_perms; +allow shell sdcard:file rw_file_perms; r_dir_file(shell, apk_data_file) allow shell dalvikcache_data_file:file write; diff --git a/system.te b/system.te index ef0d12e5a..47e1eeba1 100644 --- a/system.te +++ b/system.te @@ -141,7 +141,7 @@ allow system cache_file:file create_file_perms; # Run system programs, e.g. dexopt. allow system system_file:file x_file_perms; -# Silently deny any /proc accesses that are not allowed. -# This suppresses noise from walking the process list. -dontaudit system domain:dir r_dir_perms; -dontaudit system domain:file r_file_perms; +# Allow reading of /proc/pid data for other domains. +# XXX dontaudit candidate +allow system domain:dir r_dir_perms; +allow system domain:file r_file_perms; diff --git a/te_macros b/te_macros index 75f294c00..9146e220b 100644 --- a/te_macros +++ b/te_macros 
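Review bot: `allow system domain:file r_file_perms;` gives system_server read access to every /proc/&lt;pid&gt; file of every domain (cmdline, environ, maps, status of init, vold, adbd, ...), whereas the removed `dontaudit` rules and their comment treated those accesses as noise from walking the process list, not as something that must succeed. In this policy the per-process proc entries all carry the process domain's type, so the choice is between this broad grant and the old dontaudit; there is no finer type to allow. If the CTS run showed a concrete denial that broke functionality, name the entry in the comment (e.g. `# system reads /proc/<pid>/cmdline and stat of every process for the process list`) in place of the ambiguous `# XXX dontaudit candidate`; otherwise keep `dontaudit system domain:file r_file_perms;` and allow only the `dir` access.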
@@ -97,9 +97,6 @@ allow $1 $1_tmpfs:file { read execute execmod }; define(`init_daemon_domain', ` domain_auto_trans(init, $1_exec, $1) tmpfs_domain($1) -# Read properties. -allow $1 kernel:fd use; -allow $1 tmpfs:file read; ') ##################################### diff --git a/ueventd.te b/ueventd.te index 89dd9ee93..5e513322c 100644 --- a/ueventd.te +++ b/ueventd.te @@ -16,6 +16,3 @@ allow ueventd dev_type:lnk_file { create unlink }; allow ueventd dev_type:chr_file { create setattr unlink }; allow ueventd dev_type:blk_file { create setattr unlink }; allow ueventd self:netlink_kobject_uevent_socket *; -# Read properties. -allow ueventd kernel:fd use; -allow ueventd tmpfs:file read; From d5a70a7f7c4c970733fdec8b1516837e048c399e Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 7 Mar 2012 15:01:53 -0500 Subject: [PATCH 04/13] Drop redundant rules. --- shell.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/shell.te b/shell.te index 56250ab58..a0d02057a 100644 --- a/shell.te +++ b/shell.te @@ -1,7 +1,5 @@ type shell, domain; type shell_exec, file_type; -domain_auto_trans(adbd, shell_exec, shell) -allow adbd shell:process noatsecure; domain_auto_trans(init, shell_exec, shell) allow shell rootfs:dir r_dir_perms; allow shell devpts:chr_file rw_file_perms; From b660916b0a8ca9604bf9d425f5e385aa13393a1f Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 8 Mar 2012 11:17:45 -0500 Subject: [PATCH 05/13] Allow the shell to create files on the sdcard. --- shell.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shell.te b/shell.te index a0d02057a..0c67c4670 100644 --- a/shell.te +++ b/shell.te @@ -14,7 +14,7 @@ allow shell shell_data_file:file rx_file_perms; # Access sdcard. allow shell sdcard:dir rw_dir_perms; -allow shell sdcard:file rw_file_perms; +allow shell sdcard:file create_file_perms; r_dir_file(shell, apk_data_file) allow shell dalvikcache_data_file:file write; From 59d28035a1e0779a81cde104ea9afffd2bb1a77f Mon Sep 17 00:00:00 2001 
From: Stephen Smalley Date: Mon, 19 Mar 2012 10:24:52 -0400 Subject: [PATCH 06/13] Introduce a separate apk_tmp_file type for the vmdl.*\.tmp files. --- app.te | 3 +-- file.te | 3 ++- file_contexts | 1 + installd.te | 1 + system.te | 7 +++++++ 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/app.te b/app.te index 6cc499aa3..fa16910a5 100644 --- a/app.te +++ b/app.te @@ -28,8 +28,7 @@ allow trusted_app shell_data_file:lnk_file read; allow trusted_app sdcard:dir create_dir_perms; allow trusted_app sdcard:file create_file_perms; # Populate /data/app/vmdl*.tmp file created by system server. -# It would be better if this was labeled differently. -allow trusted_app apk_data_file:file write; +allow trusted_app apk_tmp_file:file rw_file_perms; # # An example of a specific domain for a specific app diff --git a/file.te b/file.te index dc9e76821..a7318c4ad 100644 --- a/file.te +++ b/file.te @@ -29,7 +29,8 @@ type anr_data_file, file_type, data_file_type; # /data/tombstones - core dumps type tombstone_data_file, file_type, data_file_type; # /data/app - user-installed apps -type apk_data_file, file_type, data_file_type, mlstrustedobject; +type apk_data_file, file_type, data_file_type; +type apk_tmp_file, file_type, data_file_type, mlstrustedobject; # /data/dalvik-cache type dalvikcache_data_file, file_type, data_file_type; # /data/local - writable by shell diff --git a/file_contexts b/file_contexts index 79a3124b1..550fa9a4e 100644 --- a/file_contexts +++ b/file_contexts @@ -106,6 +106,7 @@ /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 /data/anr(/.*)? u:object_r:anr_data_file:s0 /data/app(/.*)? u:object_r:apk_data_file:s0 +/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0 /data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 /data/local(/.*)? u:object_r:shell_data_file:s0 # Misc data diff --git a/installd.te b/installd.te index e4b0b1828..466125ef4 100644 --- a/installd.te +++ b/installd.te 
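Review bot: `allow trusted_app apk_tmp_file:file rw_file_perms;` includes `open`, so a trusted app can open any in-flight `/data/app/vmdl*.tmp` by path, not only the one it was asked to populate, and could overwrite another install's package before system relabels it to apk_data_file. The comment says the file is created by system server; if the app is handed the writable descriptor rather than opening the path itself (the same assumption the wallpaper rule later in this series makes with `{ read write }`), the grant can shrink to `allow trusted_app apk_tmp_file:file { read write getattr };`. If the app does open the path, a comment saying so would justify keeping `open`.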
@@ -12,6 +12,7 @@ allow installd data_file_type:dir create_dir_perms; allow installd data_file_type:dir { relabelfrom relabelto }; allow installd data_file_type:file { getattr unlink }; allow installd apk_data_file:file r_file_perms; +allow installd apk_tmp_file:file r_file_perms; allow installd system_file:file x_file_perms; allow installd cgroup:dir create_dir_perms; dontaudit installd self:capability sys_admin; diff --git a/system.te b/system.te index 47e1eeba1..8740c6b0f 100644 --- a/system.te +++ b/system.te @@ -130,6 +130,13 @@ allow system qemu_device:chr_file rw_file_perms; allow system data_file_type:dir create_dir_perms; allow system data_file_type:notdevfile_class_set create_file_perms; +# Read /file_contexts. +allow system rootfs:file r_file_perms; + +# Relabel apk files. +allow system apk_tmp_file:file { relabelfrom relabelto }; +allow system apk_data_file:file { relabelfrom relabelto }; + # Create a socket for receiving info from wpa. type_transition system wifi_data_file:sock_file system_wpa_socket; allow system system_wpa_socket:sock_file create_file_perms; From f6cbbe255bc57a241f35c35629705e8f63bdd77a Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 19 Mar 2012 10:29:36 -0400 Subject: [PATCH 07/13] Introduce a separate wallpaper_file type for the wallpaper file. --- app.te | 3 +++ file.te | 2 ++ file_contexts | 2 ++ system.te | 8 ++++++++ 4 files changed, 15 insertions(+) diff --git a/app.te b/app.te index fa16910a5..99c8e6a52 100644 --- a/app.te +++ b/app.te @@ -96,6 +96,9 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; +# Read/write wallpaper file (opened by system). +allow appdomain wallpaper_file:file { read write }; + # Use the Binder. binder_use(appdomain) # Perform binder IPC to binder services. diff --git a/file.te b/file.te index a7318c4ad..7d7f5fc9e 100644 --- a/file.te +++ b/file.te 
@@ -52,6 +52,8 @@ type app_data_file, file_type, data_file_type; type cache_file, file_type, mlstrustedobject; # Default type for anything under /efs type efs_file, file_type; +# Type for wallpaper file. +type wallpaper_file, file_type; # Socket types type bluetooth_socket, file_type; diff --git a/file_contexts b/file_contexts index 550fa9a4e..9c8325a2b 100644 --- a/file_contexts +++ b/file_contexts @@ -118,6 +118,8 @@ /data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 # App sandboxes /data/data/.* u:object_r:app_data_file:s0 +# Wallpaper file. +/data/data/com.android.settings/files/wallpaper u:object_r:wallpaper_file:s0 ############################# # efs files # diff --git a/system.te b/system.te index 8740c6b0f..7f299c92e 100644 --- a/system.te +++ b/system.te @@ -15,6 +15,9 @@ binder_transfer(system_app, appdomain) allow system_app system_data_file:dir create_dir_perms; allow system_app system_data_file:file create_file_perms; +# Read wallpaper file. +allow system_app wallpaper_file:file r_file_perms; + # Write to dalvikcache. allow system_app dalvikcache_data_file:file { write setattr }; @@ -137,6 +140,11 @@ allow system rootfs:file r_file_perms; allow system apk_tmp_file:file { relabelfrom relabelto }; allow system apk_data_file:file { relabelfrom relabelto }; +# Relabel wallpaper. +allow system system_data_file:file relabelfrom; +allow system wallpaper_file:file relabelto; +allow system wallpaper_file:file r_file_perms; + # Create a socket for receiving info from wpa. type_transition system wifi_data_file:sock_file system_wpa_socket; allow system system_wpa_socket:sock_file create_file_perms; From 0e85c17e6ee1f881ce543eef26b62f2a6dc0661b Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 19 Mar 2012 10:32:24 -0400 Subject: [PATCH 08/13] Rewrite MLS constraints to only constrain open for app_data_file, not read/write. --- mls | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) 
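Review bot: After the relabel, system holds only `relabelto` and `r_file_perms` on wallpaper_file, and because the type is declared `type wallpaper_file, file_type;` without `data_file_type`, the existing `allow system data_file_type:notdevfile_class_set create_file_perms;` (visible as context in the previous patch) no longer covers it — so the next set or clear of the wallpaper, where system reopens the file for writing, truncates or unlinks it, will be denied. If system does reopen the file (it hands a writable descriptor to apps, per the app.te rule `{ read write }`), change the last line to `allow system wallpaper_file:file create_file_perms;`. On the other side, `relabelfrom` is granted only for system_data_file; if the Settings files directory is already app_data_file as `/data/data/.*` in file_contexts says, a freshly created wallpaper inherits that type and the restorecon is denied — worth confirming which label the file carries at creation.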
diff --git a/mls b/mls
index 9bb40680c..a4c214b1c 100644
--- a/mls
+++ b/mls
@@ -60,21 +60,37 @@ mlsconstrain unix_stream_socket { connectto } mlsconstrain dir_file_class_set { create relabelfrom relabelto } (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); +# +# Constraints for app data files only. +# + +# Only constrain open, not read/write. +# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. +# Subject must be equivalent to object unless the subject is trusted. +mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } + (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); +mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename } + (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); + +# +# Constraints for file types other than app data files. +# + # Read operations: Subject must dominate object unless the subject # or the object is trusted. mlsconstrain dir { read getattr search } - (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } - (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Write operations: Subject must be dominated by the object unless the # subject or the object is trusted. mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } - (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } - (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Special case for FIFOs. 
# These can be unnamed pipes, in which case they will be labeled with the From f7948230ef65b8617db0762acc9b2fa54adf8ff9 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 19 Mar 2012 15:56:01 -0400 Subject: [PATCH 09/13] Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton. --- file.te | 1 + file_contexts | 1 + nfc.te | 2 ++ rild.te | 1 + system.te | 1 + 5 files changed, 6 insertions(+) diff --git a/file.te b/file.te index 7d7f5fc9e..312ace8d3 100644 --- a/file.te +++ b/file.te @@ -8,6 +8,7 @@ type selinuxfs, fs_type; type cgroup, fs_type, mlstrustedobject; type sysfs, fs_type, mlstrustedobject; type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; +type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; type inotify, fs_type, mlstrustedobject; type devpts, fs_type; type tmpfs, fs_type; diff --git a/file_contexts b/file_contexts index 9c8325a2b..1f9781c96 100644 --- a/file_contexts +++ b/file_contexts @@ -132,3 +132,4 @@ # sysfs files # /sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0 +/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0 diff --git a/nfc.te b/nfc.te index b20d23699..72c2d69b7 100644 --- a/nfc.te +++ b/nfc.te @@ -8,3 +8,5 @@ allow nfc nfc_device:chr_file rw_file_perms; # Data file accesses. allow nfc nfc_data_file:dir create_dir_perms; allow nfc nfc_data_file:notdevfile_class_set create_file_perms; + +allow nfc sysfs_nfc_power_writable:file rw_file_perms; diff --git a/rild.te b/rild.te index 2857892df..5993af478 100644 --- a/rild.te +++ b/rild.te @@ -4,6 +4,7 @@ type rild_exec, exec_type, file_type; init_daemon_domain(rild) net_domain(rild) +allow rild self:netlink_route_socket setopt; allow rild kernel:system module_request; unix_socket_connect(rild, property, init) unix_socket_connect(rild, qemud, qemud) diff --git a/system.te b/system.te index 7f299c92e..5fa9a917d 100644 --- a/system.te +++ b/system.te 
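Review bot: The comment `# Only constrain open, not read/write.` in the new app_data_file block states what the constraint does but not why, and the why is the whole security argument: presumably descriptors to app_data_file are passed between apps at different levels over binder, so read/write on an already-open descriptor must not be level-checked while path-based access (open, search, unlink, rename, setattr) stays level-equivalent; I would add that sentence so nobody later "fixes" the exemption. One consequence the comment should also record: the `t2 == app_data_file` clause in the read constraint exempts `execute` as well, so a descriptor received from a different-level app can be mapped executable; if that is not wanted, move `execute` into the open-style file constraint, i.e. `mlsconstrain { file lnk_file sock_file } { open execute setattr unlink link rename }`. The hunk ends in the FIFO section that continues past this line.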
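Review bot: `/sys/devices/platform/nfc-power/nfc_power` is a tuna-specific sysfs path landing in the core file_contexts, while the first two patches of this series added per-device `sepolicy.fc` precisely for such entries; keeping it here makes every target carry another board's paths. I would move the line to the device's `sepolicy.fc` and keep only the generic `sysfs_nfc_power_writable` type and the nfc.te rule in core. Note also that sysfs nodes are not labeled from file_contexts by themselves (sysfs is labeled by genfscon), so this entry only takes effect if something relabels the node at boot — the commit message should say what does that.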
@@ -113,6 +113,7 @@ selinux_check_access(system) # XXX Label sysfs files with a specific type? allow system sysfs:file rw_file_perms; +allow system sysfs_nfc_power_writable:file rw_file_perms; # Access devices. allow system device:dir r_dir_perms; From 2cb1b31f903f2d2747f3fd05b872d9823838af1d Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 3 Apr 2012 15:30:28 -0400 Subject: [PATCH 10/13] Allow adbd to access the qemu device and label /dev/eac correctly. --- adbd.te | 1 + file_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/adbd.te b/adbd.te index cc2920b34..d3f9905df 100644 --- a/adbd.te +++ b/adbd.te @@ -2,6 +2,7 @@ # it lives in the rootfs and has no unique file type. type adbd, domain, mlstrustedsubject; allow adbd adb_device:chr_file rw_file_perms; +allow adbd qemu_device:chr_file rw_file_perms; allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin }; allow adbd rootfs:file entrypoint; allow adbd init:process sigchld; diff --git a/file_contexts b/file_contexts index 1f9781c96..c610df37c 100644 --- a/file_contexts +++ b/file_contexts @@ -23,6 +23,7 @@ /dev/console u:object_r:console_device:s0 /dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 /dev/device-mapper u:object_r:dm_device:s0 +/dev/eac u:object_r:audio_device:s0 /dev/full u:object_r:full_device:s0 /dev/graphics(/.*)? u:object_r:graphics_device:s0 /dev/input(/.*) u:object_r:input_device:s0 From 124720a6976a69357522299afbe5591854e40775 Mon Sep 17 00:00:00 2001 
From: Stephen Smalley Date: Wed, 4 Apr 2012 10:11:16 -0400 Subject: [PATCH 11/13] Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties. --- Android.mk | 17 ++++++++++++++++ access_vectors | 5 +++++ attributes | 3 +++ property.te | 9 +++++++++ property_contexts | 51 +++++++++++++++++++++++++++++++++++++++++++++++ radio.te | 6 ++++++ rild.te | 3 +++ security_classes | 3 +++ shell.te | 9 +++++++++ surfaceflinger.te | 3 +++ system.te | 6 ++++++ unconfined.te | 1 + vold.te | 3 +++ 13 files changed, 119 insertions(+) create mode 100644 property.te create mode 100644 property_contexts diff --git a/Android.mk b/Android.mk index c210dcb60..0ebc49cc5 100644 --- a/Android.mk +++ b/Android.mk @@ -15,6 +15,7 @@ LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/ device/*/$(TARGET LOCAL_POLICY_FC := $(wildcard $(addsuffix sepolicy.fc, $(LOCAL_POLICY_DIRS))) LOCAL_POLICY_TE := $(wildcard $(addsuffix sepolicy.te, $(LOCAL_POLICY_DIRS))) +LOCAL_POLICY_PC := $(wildcard $(addsuffix sepolicy.pc, $(LOCAL_POLICY_DIRS))) ################################## include $(CLEAR_VARS) @@ -66,6 +67,22 @@ LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) include $(BUILD_PREBUILT) +################################## +include $(CLEAR_VARS) + +LOCAL_MODULE := property_contexts +LOCAL_MODULE_CLASS := ETC +LOCAL_MODULE_TAGS := optional +LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) + +include $(BUILD_SYSTEM)/base_rules.mk + +property_contexts := $(intermediates)/property_contexts +$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC) + @mkdir -p $(dir $@) + $(hide) cat $^ > $@ + +property_contexts := ################################## endif #ifeq ($(HAVE_SELINUX),true) diff --git a/access_vectors b/access_vectors index 90927e7e0..4b0c4b193 100644 --- a/access_vectors +++ b/access_vectors 
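Review bot: `$(LOCAL_POLICY_PC)` is appended after the core property_contexts, i.e. after its catch-all `*` entry, so whether a device key ever matches depends on the property label backend sorting prefixes with the wildcard last rather than matching in file order; I cannot tell from here which it does. Keeping the default out of the concatenation order makes the result independent of that, e.g. a separate file holding only the `*` line listed last in this rule: `$(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC) $(LOCAL_PATH)/property_contexts.default`. As the same `cat $^ > $@` pattern is used for file_contexts above, a one-line comment stating the intended precedence of device entries over core ones would help in both places.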
@@ -880,3 +880,8 @@ class zygote specifyinvokewith specifyseinfo } + +class property_service +{ + set +} diff --git a/attributes b/attributes index f2ea0c53a..1016ec65d 100644 --- a/attributes +++ b/attributes @@ -33,6 +33,9 @@ attribute netif_type; # All types used for network ports. attribute port_type; +# All types used for property service +attribute property_type; + # All domains that can override MLS restrictions. # i.e. processes that can read up and write down. attribute mlstrustedsubject; diff --git a/property.te b/property.te new file mode 100644 index 000000000..b62004eff --- /dev/null +++ b/property.te @@ -0,0 +1,9 @@ +type default_prop, property_type; +type shell_prop, property_type; +type radio_prop, property_type; +type system_prop, property_type; +type vold_prop, property_type; +type rild_prop, property_type; +type ctl_default_prop, property_type; +type ctl_dumpstate_prop, property_type; +type ctl_rildaemon_prop, property_type; diff --git a/property_contexts b/property_contexts new file mode 100644 index 000000000..320179c60 --- /dev/null +++ b/property_contexts 
@@ -0,0 +1,51 @@ +########################## +# property service keys +# +# +net.rmnet0 u:object_r:radio_prop:s0 +net.gprs u:object_r:radio_prop:s0 +net.ppp u:object_r:radio_prop:s0 +net.qmi u:object_r:radio_prop:s0 +net.lte u:object_r:radio_prop:s0 +persist.radio u:object_r:radio_prop:s0 +net.dns u:object_r:radio_prop:s0 +sys.usb.config u:object_r:radio_prop:s0 +gsm.current.phone-type u:object_r:radio_prop:s0 +gsm.sim. u:object_r:radio_prop:s0 +gsm.operator. u:object_r:radio_prop:s0 +gsm.version.baseband u:object_r:radio_prop:s0 + +ril. u:object_r:rild_prop:s0 +gsm. u:object_r:rild_prop:s0 +net.cdma u:object_r:rild_prop:s0 + +net. u:object_r:system_prop:s0 +dev. u:object_r:system_prop:s0 +runtime. u:object_r:system_prop:s0 +hw. u:object_r:system_prop:s0 +sys. u:object_r:system_prop:s0 +service. u:object_r:system_prop:s0 +wlan. u:object_r:system_prop:s0 +dhcp. u:object_r:system_prop:s0 + +debug. u:object_r:shell_prop:s0 +log. u:object_r:shell_prop:s0 +service.adb.root u:object_r:shell_prop:s0 +service.adb.tcp.port u:object_r:shell_prop:s0 + +persist.sys. u:object_r:system_prop:s0 +persist.service. u:object_r:system_prop:s0 +persist.security. u:object_r:system_prop:s0 +selinux. u:object_r:system_prop:s0 + +# default property context +* u:object_r:default_prop:s0 + +# data partition encryption properties +vold. u:object_r:vold_prop:s0 +crypto. u:object_r:vold_prop:s0 + +# ctl properties +ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0 +ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0 +ctl. u:object_r:ctl_default_prop:s0 diff --git a/radio.te b/radio.te index 9094cce10..a119d75cf 100644 --- a/radio.te +++ b/radio.te @@ -15,3 +15,9 @@ allow radio radio_data_file:dir create_dir_perms; allow radio radio_data_file:notdevfile_class_set create_file_perms; allow radio alarm_device:chr_file rw_file_perms; + +# Property service +allow radio radio_prop:property_service set; + +# ctl interface +allow radio ctl_rildaemon_prop:property_service set; 
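Review bot: `service.adb.root` and `service.adb.tcp.port` are labeled shell_prop, so the shell domain reached over adb can set them itself — the first restarts adbd as root on debuggable builds and the second exposes adbd on a TCP port — which is exactly the kind of privilege step this split is meant to make explicit; if this mirrors init's old uid table, say so in a comment and give them a dedicated type (e.g. `adb_prop`) that user builds do not grant to shell. Separately, the `*` default is placed ahead of the `vold.`, `crypto.` and `ctl.` entries: if the property label backend takes the first matching prefix in file order those entries are shadowed and resolve to default_prop, and if it sorts by key length with the wildcard last the order is harmless — moving the `*` line to the end removes the dependence on matcher behaviour. `sys.usb.config` under radio_prop also looks odd next to the `sys.` system_prop entry; a comment on why the radio owns it would help.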
diff --git a/rild.te b/rild.te index 5993af478..684bc1d3b 100644 --- a/rild.te +++ b/rild.te @@ -20,3 +20,6 @@ allow rild shell_exec:file rx_file_perms; dontaudit rild self:capability sys_admin; # XXX Label sysfs files with a specific type? allow rild sysfs:file rw_file_perms; + +# property service +allow rild rild_prop:property_service set; diff --git a/security_classes b/security_classes index 38d78eb7a..197805e3b 100644 --- a/security_classes +++ b/security_classes @@ -134,4 +134,7 @@ class db_language # userspace class binder class zygote +# Property service +class property_service # userspace + # FLASK diff --git a/shell.te b/shell.te index 0c67c4670..b4fa7fde8 100644 --- a/shell.te +++ b/shell.te @@ -31,3 +31,12 @@ allow shell log_device:chr_file r_file_perms; # Run app_process. # XXX Split into its own domain? app_domain(shell) + +# Property Service +allow shell shell_prop:property_service set; + +# setprop toolbox command +allow shell property_socket:sock_file write; + +# ctl interface +allow shell ctl_dumpstate_prop:property_service set; diff --git a/surfaceflinger.te b/surfaceflinger.te index 80607da94..bbefa142c 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -22,3 +22,6 @@ allow surfaceflinger video_device:chr_file rw_file_perms; # Create and use netlink kobject uevent sockets. allow surfaceflinger self:netlink_kobject_uevent_socket *; + +# ctl interface +allow surfaceflinger ctl_default_prop:property_service set; diff --git a/system.te b/system.te index 5fa9a917d..58e4f4748 100644 --- a/system.te +++ b/system.te 
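Review bot: `allow surfaceflinger ctl_default_prop:property_service set;` lets surfaceflinger start or stop any init service that lacks a dedicated ctl type — everything except dumpstate and ril-daemon under this property_contexts — if init resolves control messages as `ctl.<service>`, which the `ctl.dumpstate` and `ctl.ril-daemon` entries suggest it does. If surfaceflinger only needs the boot animation, give it its own key: `type ctl_bootanim_prop, property_type;` in property.te, `ctl.bootanim u:object_r:ctl_bootanim_prop:s0` above the `ctl.` line in property_contexts, and `allow surfaceflinger ctl_bootanim_prop:property_service set;` here. Either way the comment `# ctl interface` should name the service(s) this domain is expected to control.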
@@ -146,6 +146,12 @@ allow system system_data_file:file relabelfrom; allow system wallpaper_file:file relabelto; allow system wallpaper_file:file r_file_perms; +# Property Service write +allow system system_prop:property_service set; + +# ctl interface +allow system ctl_default_prop:property_service set; + # Create a socket for receiving info from wpa. type_transition system wifi_data_file:sock_file system_wpa_socket; allow system system_wpa_socket:sock_file create_file_perms; diff --git a/unconfined.te b/unconfined.te index 71cdfddcd..ff5359577 100644 --- a/unconfined.te +++ b/unconfined.te @@ -21,3 +21,4 @@ allow unconfineddomain port_type:socket_class_set name_bind; allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect; allow unconfineddomain domain:peer recv; allow unconfineddomain domain:binder { call transfer receive }; +allow unconfineddomain property_type:property_service set; diff --git a/vold.te b/vold.te index 85a58f99d..403771fec 100644 --- a/vold.te +++ b/vold.te @@ -54,3 +54,6 @@ allow vold proc:file write; # Create and mount on /data/tmp_mnt. allow vold system_data_file:dir { write create add_name mounton }; + +# Property Service +allow vold vold_prop:property_service set; From a883c3863739d5ada3509517af148a9499401600 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 4 Apr 2012 16:00:11 -0400 Subject: [PATCH 12/13] Allow apps to write to anr_data_file for /data/anr/traces.txt. --- app.te | 4 ++++ file.te | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/app.te b/app.te index 99c8e6a52..7e06c102f 100644 --- a/app.te +++ b/app.te @@ -99,6 +99,10 @@ allow appdomain system_data_file:dir r_dir_perms; # Read/write wallpaper file (opened by system). allow appdomain wallpaper_file:file { read write }; +# Write to /data/anr/traces.txt. +allow appdomain anr_data_file:dir search; +allow appdomain anr_data_file:file { open append }; + # Use the Binder. binder_use(appdomain) # Perform binder IPC to binder services. 
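Review bot: `allow appdomain anr_data_file:file { open append };` is the minimal set for an O_APPEND write, which is good, but it makes traces.txt app-writable shared state — presumably because each app's VM writes its own stack dump on SIGQUIT — so any app can append arbitrary text that dumpstate and bug reports will present as ANR traces of other processes, and the rule should say so: `# Any app can append here (the VM dumps its own threads); consumers must not trust traces.txt content.` If the VM also flock()s the file before writing, as I believe the Dalvik signal catcher does, `lock` is required too or the write fails after a denial; and the rule relies on traces.txt already existing, since neither `create` nor `add_name` is granted — both worth verifying against the audit log of a forced ANR.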
diff --git a/file.te b/file.te index 312ace8d3..b6e3a5d08 100644 --- a/file.te +++ b/file.te @@ -26,7 +26,7 @@ type system_data_file, file_type, data_file_type; # /data/drm - DRM plugin data type drm_data_file, file_type, data_file_type; # /data/anr - ANR traces -type anr_data_file, file_type, data_file_type; +type anr_data_file, file_type, data_file_type, mlstrustedobject; # /data/tombstones - core dumps type tombstone_data_file, file_type, data_file_type; # /data/app - user-installed apps From 730957aef3f96ef5fa294515829ab7a37fd141cf Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 4 Apr 2012 16:01:19 -0400 Subject: [PATCH 13/13] Rework the radio vs rild property split. Only label properties with the ril. prefix with rild_prop. Allow rild and system (and radio) to set radio_prop. Only rild can set rild_prop presently. --- property_contexts | 8 ++------ rild.te | 1 + system.te | 1 + 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/property_contexts b/property_contexts index 320179c60..dc87c9bf8 100644 --- a/property_contexts +++ b/property_contexts @@ -7,17 +7,13 @@ net.gprs u:object_r:radio_prop:s0 net.ppp u:object_r:radio_prop:s0 net.qmi u:object_r:radio_prop:s0 net.lte u:object_r:radio_prop:s0 +net.cdma u:object_r:radio_prop:s0 +gsm. u:object_r:radio_prop:s0 persist.radio u:object_r:radio_prop:s0 net.dns u:object_r:radio_prop:s0 sys.usb.config u:object_r:radio_prop:s0 -gsm.current.phone-type u:object_r:radio_prop:s0 -gsm.sim. u:object_r:radio_prop:s0 -gsm.operator. u:object_r:radio_prop:s0 -gsm.version.baseband u:object_r:radio_prop:s0 ril. u:object_r:rild_prop:s0 -gsm. u:object_r:rild_prop:s0 -net.cdma u:object_r:rild_prop:s0 net. u:object_r:system_prop:s0 dev. u:object_r:system_prop:s0 diff --git a/rild.te b/rild.te index 684bc1d3b..a0a4a374a 100644 --- a/rild.te +++ b/rild.te @@ -23,3 +23,4 @@ allow rild sysfs:file rw_file_perms; # property service allow rild rild_prop:property_service set; +allow rild radio_prop:property_service set; 
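Review bot: `allow rild radio_prop:property_service set;` now covers every radio_prop key, and radio_prop includes `sys.usb.config` and `net.dns` (context lines in the property_contexts hunk above), so rild — which processes data from the vendor RIL and the baseband — can switch the USB gadget configuration and change DNS settings, beyond the `gsm.`/`net.*` keys the commit message describes. If those two are only set by system, give them their own type (e.g. `sys.usb.config u:object_r:usb_prop:s0` granted to system only) so the rild grant stays at radio state. A comment on this line listing what rild actually sets would make the widening reviewable.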
diff --git a/system.te b/system.te index 58e4f4748..6466e9664 100644 --- a/system.te +++ b/system.te @@ -148,6 +148,7 @@ allow system wallpaper_file:file r_file_perms; # Property Service write allow system system_prop:property_service set; +allow system radio_prop:property_service set; # ctl interface allow system ctl_default_prop:property_service set;