SELinux permissions for gatekeeper TEE proxy

sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
This commit is contained in:
Andres Morales 2015-04-03 16:46:33 -07:00
parent c24d90cb59
commit e207986ea0
7 changed files with 22 additions and 2 deletions

View file

@ -107,7 +107,7 @@ allow dumpstate net_data_file:file r_file_perms;
allow dumpstate tombstone_data_file:dir r_dir_perms; allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms; allow dumpstate tombstone_data_file:file r_file_perms;
allow dumpstate service_manager_type:service_manager find; allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list; allow dumpstate servicemanager:service_manager list;
service_manager_local_audit_domain(dumpstate) service_manager_local_audit_domain(dumpstate)

View file

@ -147,6 +147,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0 /system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0 /system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0 /system/bin/debuggerd u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0 /system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0 /system/bin/wpa_supplicant u:object_r:wpa_exec:s0

15
gatekeeperd.te Normal file
View file

@ -0,0 +1,15 @@
type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
init_daemon_domain(gatekeeperd)
binder_use(gatekeeperd)
binder_service(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;
allow gatekeeperd gatekeeper_service:service_manager { add find };
allow gatekeeperd keystore:keystore_key { add_auth };
neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;

View file

@ -4,6 +4,7 @@ type drmserver_service, service_manager_type;
type healthd_service, service_manager_type; type healthd_service, service_manager_type;
type inputflinger_service, service_manager_type; type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type; type keystore_service, service_manager_type;
type gatekeeper_service, service_manager_type;
type mediaserver_service, service_manager_type; type mediaserver_service, service_manager_type;
type nfc_service, service_manager_type; type nfc_service, service_manager_type;
type radio_service, service_manager_type; type radio_service, service_manager_type;

View file

@ -3,6 +3,7 @@ account u:object_r:account_service:s0
activity u:object_r:activity_service:s0 activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0 alarm u:object_r:alarm_service:s0
android.security.keystore u:object_r:keystore_service:s0 android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0 appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0 appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0 assetatlas u:object_r:assetatlas_service:s0

View file

@ -59,7 +59,8 @@ allow shell kernel:system syslog_read;
# allow shell access to services # allow shell access to services
allow shell servicemanager:service_manager list; allow shell servicemanager:service_manager list;
allow shell service_manager_type:service_manager find; # don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
service_manager_local_audit_domain(shell) service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top # allow shell to look through /proc/ for ps, top

View file

@ -360,6 +360,7 @@ allow system_server pstorefs:file r_file_perms;
allow system_server drmserver_service:service_manager find; allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find; allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find; allow system_server keystore_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server mediaserver_service:service_manager find; allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find; allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find; allow system_server radio_service:service_manager find;