Add policy for run-as program.
Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
Gerrit Code Review
parent
fdaa7869a5
commit
e884872655
5 changed files with 76 additions and 7 deletions
2
file.te
2
file.te
|
|
@ -12,7 +12,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
|
|||
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type inotify, fs_type, mlstrustedobject;
|
||||
type devpts, fs_type;
|
||||
type devpts, fs_type, mlstrustedobject;
|
||||
type tmpfs, fs_type;
|
||||
type shm, fs_type;
|
||||
type mqueue, fs_type;
|
||||
|
|
|
|||
|
|
@ -89,6 +89,7 @@
|
|||
/system/bin/ash u:object_r:shell_exec:s0
|
||||
/system/bin/mksh u:object_r:shell_exec:s0
|
||||
/system/bin/sh -- u:object_r:shell_exec:s0
|
||||
/system/bin/run-as -- u:object_r:runas_exec:s0
|
||||
/system/bin/app_process u:object_r:zygote_exec:s0
|
||||
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
|
||||
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
|
||||
|
|
|
|||
9
mls
9
mls
|
|
@ -34,11 +34,10 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit
|
|||
# Socket constraints
|
||||
#
|
||||
|
||||
# These permissions are between the process and its local socket,
|
||||
# not between a process/socket and its peer.
|
||||
# Equivalence is the normal situation; anything else requires trust.
|
||||
mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
|
||||
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
||||
# Create/relabel operations: Subject must be equivalent to object unless
|
||||
# the subject is trusted. Sockets inherit the range of their creator.
|
||||
mlsconstrain socket_class_set { create relabelfrom relabelto }
|
||||
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
||||
|
||||
# Datagram send: Sender must be dominated by receiver unless one of them is
|
||||
# trusted.
|
||||
|
|
|
|||
69
runas.te
Normal file
69
runas.te
Normal file
|
|
@ -0,0 +1,69 @@
|
|||
type runas, domain, mlstrustedsubject;
|
||||
type runas_exec, file_type;
|
||||
|
||||
bool support_runas true;
|
||||
|
||||
if (support_runas) {
|
||||
|
||||
# ndk-gdb invokes adb shell ps to find the app PID.
|
||||
r_dir_file(shell, untrusted_app)
|
||||
dontaudit shell domain:dir r_dir_perms;
|
||||
dontaudit shell domain:file r_file_perms;
|
||||
|
||||
# ndk-gdb invokes adb shell ls to check the app data dir.
|
||||
allow shell app_data_file:dir search;
|
||||
|
||||
# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
|
||||
allow shell untrusted_app:process sigkill;
|
||||
dontaudit shell self:capability { sys_ptrace kill };
|
||||
|
||||
# ndk-gdb invokes adb shell run-as.
|
||||
domain_auto_trans(shell, runas_exec, runas)
|
||||
allow runas shell:fd use;
|
||||
allow runas devpts:chr_file { read write };
|
||||
|
||||
# run-as reads package information.
|
||||
allow runas system_data_file:file r_file_perms;
|
||||
|
||||
# run-as checks and changes to the app data dir.
|
||||
dontaudit runas self:capability dac_override;
|
||||
allow runas self:capability dac_read_search;
|
||||
allow runas app_data_file:dir { getattr search };
|
||||
|
||||
# run-as switches to the app UID/GID.
|
||||
allow runas self:capability { setuid setgid };
|
||||
|
||||
# run-as switches to the app security context.
|
||||
allow runas rootfs:file r_file_perms; # read /seapp_contexts
|
||||
selinux_check_context(runas) # validate context
|
||||
allow runas untrusted_app:process dyntransition; # setcon
|
||||
|
||||
# run-as runs lib/gdbserver from the app data dir.
|
||||
allow untrusted_app system_data_file:file rx_file_perms;
|
||||
|
||||
# run-as may also run sh or system commands.
|
||||
allow untrusted_app shell_exec:file rx_file_perms;
|
||||
allow untrusted_app system_file:file rx_file_perms;
|
||||
|
||||
# gdbserver reads the zygote.
|
||||
allow untrusted_app zygote_exec:file r_file_perms;
|
||||
|
||||
# (grand)child death notification.
|
||||
allow untrusted_app shell:process sigchld;
|
||||
|
||||
# child shell or gdbserver pty access.
|
||||
allow untrusted_app devpts:chr_file { getattr read write };
|
||||
|
||||
# gdbserver creates a socket in the app data dir.
|
||||
allow untrusted_app app_data_file:sock_file { create unlink };
|
||||
|
||||
# ndk-gdb invokes adb forward to forward the gdbserver socket.
|
||||
allow adbd app_data_file:dir search;
|
||||
allow adbd app_data_file:sock_file write;
|
||||
allow adbd untrusted_app:unix_stream_socket connectto;
|
||||
|
||||
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
|
||||
allow adbd zygote_exec:file r_file_perms;
|
||||
allow adbd system_file:file r_file_perms;
|
||||
|
||||
}
|
||||
2
shell.te
2
shell.te
|
|
@ -1,4 +1,4 @@
|
|||
type shell, domain;
|
||||
type shell, domain, mlstrustedsubject;
|
||||
type shell_exec, file_type;
|
||||
domain_auto_trans(init, shell_exec, shell)
|
||||
allow shell rootfs:dir r_dir_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue