From 46e832f5624e21ab155deb35c52b8127a2c678ae Mon Sep 17 00:00:00 2001
From: Elliott Hughes
Date: Wed, 22 Apr 2015 18:38:41 -0700
Subject: [PATCH] SELinux policy changes for re-execing init.

Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
---
 domain.te     |  3 ++-
 file_contexts |  2 +-
 init.te       | 29 +++++++++++++++++++++++------
 kernel.te     | 28 +++++++--------------------
 4 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/domain.te b/domain.te
index c7fe3be7a..7bc2292d5 100644
--- a/domain.te
+++ b/domain.te
@@ -299,7 +299,8 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+ { create write setattr relabelfrom append unlink link rename };
+neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 # Don't allow mounting on top of /system files or directories
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
diff --git a/file_contexts b/file_contexts
index e36a6c384..0fc096dcb 100644
--- a/file_contexts
+++ b/file_contexts
@@ -12,7 +12,7 @@
 # Executables
 /charger u:object_r:rootfs:s0
-/init u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
 /sbin(/.*)? u:object_r:rootfs:s0
 # Empty directories
diff --git a/init.te b/init.te
index 78f460a4d..9f68bb85d 100644
--- a/init.te
+++ b/init.te
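Review bot: The new carve-out `neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;` lets the kernel domain relabel any file or directory to any system_file or exec_type type, while the only relabel this patch actually needs is rootfs to init_exec for /init (kernel.te grants exactly `allow kernel init_exec:file relabelto;`). The kernel domain also holds pre-policy init and, per the existing kernel.te comment, any kernel-spawned userspace process, so the ceiling is worth keeping as narrow as the allow: `neverallow { domain -recovery } { system_file exec_type -init_exec }:dir_file_class_set relabelto;` followed by `neverallow { domain -recovery -kernel } init_exec:dir_file_class_set relabelto;`. That preserves the original guarantee for every other /system and executable type and confines the exception to the one new type.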
@@ -1,7 +1,22 @@
-# init switches to init domain (via init.rc).
+# init is its own domain.
 type init, domain, mlstrustedsubject;
 tmpfs_domain(init)
+# The init domain is entered by execing init.
+type init_exec, exec_type, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file create_file_perms;
+
+#
+# init direct restorecon calls.
+#
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/__properties__
+allow init tmpfs:file relabelfrom;
+allow init properties_device:file relabelto;
+
 # setrlimit
 allow init self:capability sys_resource;
@@ -30,6 +45,8 @@ allow init self:capability sys_admin;
 allow init rootfs:dir create_dir_perms;
 allow init rootfs:dir mounton;
+allow init proc:dir mounton;
+
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
@@ -144,8 +161,8 @@ recovery_only(`
 domain_trans(init, rootfs, recovery)
 ')
 domain_trans(init, shell_exec, shell)
-domain_trans(init, rootfs, ueventd)
-domain_trans(init, rootfs, watchdogd)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
 # Support "adb shell stop"
 allow init self:capability kill;
@@ -257,9 +274,9 @@ unix_socket_connect(init, vold, vold)
 # The init domain is only entered via setcon from the kernel domain,
 # never via an exec-based transition.
-neverallow { domain -kernel} init:process dyntransition;
-neverallow domain init:process transition;
-neverallow init { file_type fs_type }:file entrypoint;
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel} init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
diff --git a/kernel.te b/kernel.te
index f570ac21c..72325c2f3 100644
--- a/kernel.te
+++ b/kernel.te
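Review bot: The restorecon block added around `allow init { device socket_device }:dir relabelto;` grants the relabelto side only, while the rules this patch removes from kernel.te paired that relabelto with `allow kernel tmpfs:dir relabelfrom;` for /dev and /dev/socket. Unless init.te already grants `allow init tmpfs:dir relabelfrom;` somewhere outside this hunk, the directory relabels that used to succeed in the kernel domain will now be denied in the init domain; the same question applies to the /sys rules (`sysfs` relabelfrom, `sysfs_type` relabelto and r_dir_perms) that were dropped from kernel.te and not carried over here. If they are granted elsewhere, a one-line comment pointing there would keep this block from looking incomplete; if not, the missing rules belong in this block alongside the /dev/socket and /dev/__properties__ ones.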
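Review bot: The two context comment lines above the rewritten neverallows, `# The init domain is only entered via setcon from the kernel domain,` / `# never via an exec-based transition.`, now say the opposite of what the rules enforce: dyntransition into init is forbidden for every domain and the only permitted entry is an exec transition from kernel through init_exec. Replace them with `# The init domain is only entered by the kernel domain execing init_exec,` / `# never via setcon (dyntransition).` so the comment and the rules agree. Since init_exec is a new type that this file also uses as the entrypoint for ueventd and watchdogd, consider pinning its consumers too, e.g. `neverallow { domain -init -ueventd -watchdogd } init_exec:file entrypoint;`, so a later allow rule cannot quietly turn /init into an entry point for another domain.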
@@ -3,15 +3,11 @@ type kernel, domain, mlstrustedsubject;
 allow kernel self:capability sys_nice;
-# Run /init before we have switched domains.
-allow kernel rootfs:file execute_no_trans;
-
-# /dev/__null__ node created by init prior to policy load.
-allow kernel tmpfs:chr_file rw_file_perms;
-
-# setcon to init domain.
-allow kernel self:process setcurrent;
-allow kernel init:process dyntransition;
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
 # cgroup filesystem initialization prior to setting the cgroup root directory label.
 allow kernel unlabeled:dir search;
@@ -20,18 +16,6 @@ allow kernel unlabeled:dir search;
 allow kernel usbfs:filesystem mount;
 allow kernel usbfs:dir search;
-# init direct restorecon calls prior to switching to init domain
-# /dev and /dev/socket
-allow kernel tmpfs:dir relabelfrom;
-allow kernel { device socket_device }:dir relabelto;
-# /dev/__properties__
-allow kernel tmpfs:file relabelfrom;
-allow kernel properties_device:file relabelto;
-# /sys
-allow kernel sysfs:{ dir file lnk_file } relabelfrom;
-allow kernel sysfs_type:{ dir file lnk_file } relabelto;
-allow kernel sysfs_type:dir r_dir_perms;
-
 # Initial setenforce by init prior to switching to init domain.
 # We use dontaudit instead of allow to prevent a kernel spawned userspace
 # process from turning off SELinux once enabled.
@@ -58,6 +42,8 @@ allow kernel vold:fd use;
 allow kernel app_data_file:file read;
 allow kernel asec_image_file:file read;
+domain_auto_trans(kernel, init_exec, init)
+
 ###
 ### neverallow rules
 ###
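Review bot: `allow kernel init:process share;` lands with `# TODO: investigate why we need this.`, which leaves an unexplained permission in the policy of the most privileged domain. As far as I recall, the kernel checks process:share at exec time only when the calling task still shares its fs or files structure with another task, so this most likely means first-stage init re-execs while some state is shared with a sibling thread or process; that is worth confirming before landing, and either fixing on the init side or replacing the TODO with the actual reason. The comment `# Allow init relabel itself.` should also say what is relabelled and why it is the kernel domain that needs it, e.g. `# First-stage init still runs in the kernel domain; allow it to relabel /init from rootfs to init_exec before re-execing.`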
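Review bot: `domain_auto_trans(kernel, init_exec, init)` is the rule that now defines how the system enters the init domain, yet it carries no comment; a line such as `# First-stage init (kernel domain) re-execs /init to enter the init domain.` above it would make the handoff visible to the next reader. The macro also grants the whole kernel domain execute on init_exec, so a kernel-spawned userspace process (the case the setenforce dontaudit comment earlier in this file warns about) that execs /init would be transitioned into init as well; that is inherent to those helpers sharing the kernel domain, but it belongs in the comment so nobody mistakes the transition for something only pre-policy init can perform.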