Align SELinux property policy with init property_perms.

Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 10:27:02 -04:00 · 2014-06-19 10:27:02 -04:00 · fee49159e7
commit fee49159e7
parent 0db95cce33
11 changed files with 37 additions and 18 deletions
--- a/dhcp.te
+++ b/dhcp.te
@ -13,7 +13,7 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_prop:property_service set;
 allow dhcp pan_result_prop:property_service set;
 unix_socket_connect(dhcp, property, init)

--- a/init.te
+++ b/init.te
@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate };
 allow init property_data_file:dir create_dir_perms;
 allow init property_data_file:file create_file_perms;

+# Set any property.
+allow init property_type:property_service set;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };

--- a/netd.te
+++ b/netd.te
@ -31,7 +31,9 @@ allow netd sysfs:file write;

 # Set dhcp lease for PAN connection
 unix_socket_connect(netd, property, init)
+allow netd dhcp_prop:property_service set;
 allow netd system_prop:property_service set;
+auditallow netd system_prop:property_service set;

 # Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
--- a/property.te
+++ b/property.te
@ -2,10 +2,12 @@ type default_prop, property_type;
 type shell_prop, property_type;
 type debug_prop, property_type;
 type debuggerd_prop, property_type;
+type dhcp_prop, property_type;
 type radio_prop, property_type;
+type net_radio_prop, property_type;
+type system_radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
-type rild_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dhcp_pan_prop, property_type;
--- a/22
+++ b/22
@ -2,19 +2,17 @@
 # property service keys
 #
 #
-net.rmnet               u:object_r:radio_prop:s0
-net.gprs                u:object_r:radio_prop:s0
-net.ppp                 u:object_r:radio_prop:s0
-net.qmi                 u:object_r:radio_prop:s0
-net.lte                 u:object_r:radio_prop:s0
-net.cdma                u:object_r:radio_prop:s0
+net.rmnet               u:object_r:net_radio_prop:s0
+net.gprs                u:object_r:net_radio_prop:s0
+net.ppp                 u:object_r:net_radio_prop:s0
+net.qmi                 u:object_r:net_radio_prop:s0
+net.lte                 u:object_r:net_radio_prop:s0
+net.cdma                u:object_r:net_radio_prop:s0
+net.dns                 u:object_r:net_radio_prop:s0
+sys.usb.config          u:object_r:system_radio_prop:s0
+ril.                    u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
 persist.radio           u:object_r:radio_prop:s0
-net.dns                 u:object_r:radio_prop:s0
-sys.usb.config          u:object_r:radio_prop:s0
-
-ril.                    u:object_r:rild_prop:s0
-ril.cdma                u:object_r:radio_prop:s0

 net.                    u:object_r:system_prop:s0
 dev.                    u:object_r:system_prop:s0
@ -24,7 +22,7 @@ sys.                    u:object_r:system_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 service.                u:object_r:system_prop:s0
 wlan.                   u:object_r:system_prop:s0
-dhcp.                   u:object_r:system_prop:s0
+dhcp.                   u:object_r:dhcp_prop:s0
 dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0

--- a/radio.te
+++ b/radio.te
@ -19,6 +19,10 @@ allow radio alarm_device:chr_file rw_file_perms;

 # Property service
 allow radio radio_prop:property_service set;
+allow radio net_radio_prop:property_service set;
+allow radio system_radio_prop:property_service set;
+auditallow radio net_radio_prop:property_service set;
+auditallow radio system_radio_prop:property_service set;

 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
--- a/recovery.te
+++ b/recovery.te
@ -77,6 +77,9 @@ recovery_only(`
  allow recovery powerctl_prop:property_service set;
  unix_socket_connect(recovery, property, init)

+  # Start/stop adbd via ctl.start adbd
+  allow recovery ctl_default_prop:property_service set;
+
  # Use setfscreatecon() to label files for OTA updates.
  allow recovery self:process setfscreate;

--- a/rild.te
+++ b/rild.te
@ -26,8 +26,11 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;

 # property service
-allow rild rild_prop:property_service set;
 allow rild radio_prop:property_service set;
+allow rild net_radio_prop:property_service set;
+allow rild system_radio_prop:property_service set;
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;

 # Read/Write to uart driver (for GPS)
 allow rild gps_device:chr_file rw_file_perms;
--- a/system_app.te
+++ b/system_app.te
@ -30,7 +30,10 @@ allow system_app dalvikcache_data_file:file { write setattr };
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
+allow system_app net_radio_prop:property_service set;
+allow system_app system_radio_prop:property_service set;
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
 allow system_app system_prop:property_service set;
 allow system_app ctl_bugreport_prop:property_service set;
 allow system_app logd_prop:property_service set;
--- a/system_server.te
+++ b/system_server.te
@ -271,7 +271,9 @@ allow system_server anr_data_file:dir relabelto;

 # Property Service write
 allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
+allow system_server dhcp_prop:property_service set;
+allow system_server net_radio_prop:property_service set;
+allow system_server system_radio_prop:property_service set;
 allow system_server debug_prop:property_service set;
 allow system_server powerctl_prop:property_service set;

--- a/unconfined.te
+++ b/unconfined.te
@ -109,4 +109,3 @@ allow unconfineddomain node_type:node *;
 allow unconfineddomain netif_type:netif *;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain { property_type -security_prop }:property_service set;