Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while. The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).
Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain. Resolve this overlap by:
1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.
Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.
Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.
Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
fsetid checks are triggered by chmod on a directory or file owned by
a group other than one of the groups assigned to the current process
to see if the setgid bit should be cleared, regardless of whether the
setgid bit was even set. We do not appear to truly need this
capability for netd to operate, so remove it. Potential dontaudit
candidate.
Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In the absence of any levelFrom= specifier, the default is none,
so this is unnecessary and conspicuous in contrast to all other
entries. It came from switching our default of levelFrom=app
to levelFrom=none in AOSP rather than just dropping it.
Change-Id: Ia2f8c72200318ef66a1b6d6b6c117f8848441d7f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These are obsoleted by the restorecon_recursive /data/media call
added to the device init*.rc files, e.g.
see I4a191d32a46104a68f6644398c152b274c7937a6
for the hammerhead change.
If/when Ib8d9751a47c8e0238cf499fcec61898937945d9d is merged, this
will also be addressed for all devices by the restorecon_recursive /data
call added to the main init.rc file.
Change-Id: Idbe2006a66817d6bb284d138a7565dec24dc6745
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Our policy also has this entry:
net.rmnet_usb0. u:object_r:radio_prop:s0
Rather than trying to enumerate all possible variants, just reduce
the existing rmnet0 entry to rmnet so that it matches all properties
with that prefix.
Change-Id: Ic2090ea55282fb219eab54c96fd52da96bb18917
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If we are going to allow all domains to search and
stat the contents of /data/security, then we should
also allow them to read the /data/security/current symlink
created by SELinuxPolicyInstallReceiver to the directory
containing the current policy update.
Change-Id: Ida352ed7ae115723964d2723f1115a87af438013
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This should be obsoleted by the restorecon in
I30e4d2a1ae223a03eadee58a883c79932fff59fe .
Change-Id: Iaeacb1b720b4ac754c6b9baa114535adc1494df2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These same permissions are already allowed via net_domain() and
the rules in net.te.
Change-Id: I4681fb9993258b4ad668333ad7d7102e983b5c2b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Move the uncrypt domain into SELinux enforcing mode. This will
start enforcing SELinux rules; security policy violations will
return EPERM.
Bug: 13083922
Change-Id: I4805662d8b336e2bfd891237cc916c57179ebf12
init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell. It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc. We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.
shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.
su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.
Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The current inline documentation is not entirely accurate and caused
user confusion, e.g. see:
https://groups.google.com/d/msg/android-security-discuss/javBrPT8ius/C4EVEFUu4ZoJ
Try to clarify the meaning of untrusted_app, how app domains are
assigned, and how to move other system apps out of untrusted_app into
a different domain.
Change-Id: I98d344dd078fe9e2738b68636adaabda1f4b3c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets
and re-create it at times, so make sure that it remains labeled correctly
when re-created in this manner via a name-based type transition rule.
Do the same for hostapd as it also has permissions for creating/removing
this directory.
<5>[83921.800071] type=1400 audit(1392997522.105:26): avc: denied { rmdir } for pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir
We no longer need the type_transition for sock_file as it will inherit
the type from the parent directory which is set via restorecon_recursive
/data/misc/wifi/sockets or via type_transition, so drop it.
Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Per https://android-review.googlesource.com/82814 , uncrypt
needs to be able to read shell_data_files on userdebug / eng
builds. Allow it.
Bug: 13083922
Change-Id: I72299673bb5e36be79413227105b5cad006d504f
Add initial support for uncrypt, started via the
pre-recovery service in init.rc. On an encrypted device,
uncrypt reads an OTA zip file on /data, opens the underlying
block device, and writes the unencrypted blocks on top of the
encrypted blocks. This allows recovery, which can't normally
read encrypted partitions, to reconstruct the OTA image and apply
the update as normal.
Add an exception to the neverallow rule for sys_rawio. This is
needed to support writing to the raw block device.
Add an exception to the neverallow rule for unlabeled block devices.
The underlying block device for /data varies between devices
within the same family (for example, "flo" vs "deb"), and the existing
per-device file_context labeling isn't sufficient to cover these
differences. Until I can resolve this problem, allow access to any
block devices.
Bug: 13083922
Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
Extend check_seapp to accept the use of the new path= specifier
in seapp_contexts and use it to ensure proper labeling of the cache
subdirectory of com.android.providers.downloads for restorecon.
After this change, restorecon /data/data/com.android.providers.downloads/cache
does not change the context, leaving it in download_file rather than
relabeling it to platform_app_data_file.
Depends on Iddaa3931cfd4ddd5b9f62cd66989e1f26553baa1.
Change-Id: Ief65b8c8dcb44ec701d53e0b58c52d6688cc2a14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/data/data subdirectories are labeled by installd at creation time
based on seapp_contexts, not based on file_contexts, so we do not
need the /data/data/.* entry, and the wallpaper file was moved from
under com.android.settings/files to /data/system/users/N long ago so we can
delete the old entry for it.
Change-Id: I32af6813ff284e8fe9fd4867df482a642c728755
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.
Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.
Only support reading user input on userdebug / eng builds.
Steps to reproduce with the "crasher" program:
adb root
adb shell setprop debug.db.uid 20000
mmm system/core/debuggerd
adb sync
adb shell crasher
Addresses the following denials:
<5>[ 580.637442] type=1400 audit(1392412124.612:149): avc: denied { read } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[ 580.637589] type=1400 audit(1392412124.612:150): avc: denied { open } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[ 580.637706] type=1400 audit(1392412124.612:151): avc: denied { read write } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[ 580.637823] type=1400 audit(1392412124.612:152): avc: denied { open } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[ 580.637958] type=1400 audit(1392412124.612:153): avc: denied { ioctl } for pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
Should resolve b/13060688 - emulator writes to /storage/sdcard failing.
Change-Id: I9f00d9dfcd1c4f84c2320628257beca71abf170b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
dhcpcd opens a raw ip socket in ipv6rs_open() to use ICMPv6. This
facility should be available for all devices which have a need to
use it.
Addresses the following denials:
<5>[ 42.699877] type=1400 audit(1392332560.306:8): avc: denied { create } for pid=983 comm="dhcpcd" scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[ 42.699993] type=1400 audit(1392332560.306:9): avc: denied { setopt } for pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
<5>[ 42.732208] type=1400 audit(1392332560.338:10): avc: denied { write } for pid=983 comm="dhcpcd" lport=58 scontext=u:r:dhcp:s0 tcontext=u:r:dhcp:s0 tclass=rawip_socket
Bug: 12473306
Change-Id: Iee57a0cb4c2d2085a24d4b5fb23a5488f0fd3e03
Start enforcing SELinux rules for lmkd. Security policy
violations will return an error instead of being allowed.
Change-Id: I2bad2c2094d93ebbcb8ccc4b7f3369419004a3f0
