(cherry picked from commit 6ba383c575)
Restrict unix_dgram_socket and unix_stream_socket to a whitelist.
Disallow all ioctls for netlink_selinux_socket and netlink_route_socket.
Neverallow third party app use of all ioctls other than
unix_dgram_socket, unix_stream_socket, netlink_selinux_socket,
netlink_route_socket, tcp_socket, udp_socket and rawip_socket.
Bug: 28171804
Change-Id: Icfe3486a62fc2fc2d2abd8d4030a5fbdd0ab30ab
postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.
Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.
(cherry picked from commit a9671c6b9e)
Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c
(cherry picked from AOSP 163c8a006b87cae0217fd9dafdaec5271f1d795b)
Do not allow module loading except from the system, vendor,
and boot partitions.
Bug: 27824855
Change-Id: Ifc012e47c5677190c7cc564f9d48af8c7d0982e1
There are now individual property files to control access to
properties. Don't allow processes other than init to write
to these property files.
Change-Id: I184b9df4555ae5051f9a2ba946613c6c5d9d4403
Many permissions were removed from untrusted_app by the removal of
domain_deprecated, including procfs access. procfs file access was restored,
but not completely. Add the ability to getattr to all domains,
so that other domains which lost domain_deprecated may benefit, as they
will likely need it.
Bug: 27249037
Change-Id: Id3f5e6121548b29d739d5e0fa6ccdbc9f0fc29be
When using the A/B updater, a device specific hook is sometimes needed
to run after the new partitions are updated but before rebooting into
the new image. This hook is referred to throughout the code as the
"postinstall" step.
This patch creates a new execution domain "postinstall" which
update_engine will use to run said hook. Since the hook needs to run
from the new image (namely, slot "B"), update_engine needs to
temporarily mount this B partition into /postinstall and then run a
program from there.
Since the new program in B runs from the old execution context in A, we
can't rely on the labels set in the xattr in the new filesystem to
enforce the policies baked into the old running image. Instead, when
temporarily mounting the new filesystem in update_engine, we override
all the new file attributes with the new postinstall_file type by
passing "context=u:object_r:postinstall_file:s0" to the mount syscall.
This allows us to set new rules specific to the postinstall environment
that are consistent with the rules in the old system.
Bug: 27177071
TEST=Deployed a payload with a trivial postinstall script to edison-eng.
(cherry picked from commit 6cb2c893b1)
Change-Id: I49a529eecf1ef0524819470876ef7c8c2659c7ef
Ability to read all of proc was placed in domain_deprecated with the
intention of reducing information leaking from proc. Many processes try
to read proc dirs, though. Allow this with the belief that information
leakage is from the proc files themselves rather than dir structure.
Address the following denial:
avc: denied { read } for name="/" dev="proc" ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=dir permissive=0
Bug: 26833472
Change-Id: I975ae022c093e1cf80de21487dc11e49f938e5a3
Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.
Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
Was moved to domain_deprecated. Move back to domain.
Files in /acct/uid/*/tasks are well protected by unix permissions.
No information is leaked with write perms.
Change-Id: I8017e906950cba41ce350bc0892a36269ade8d53
Domain is already allowed to stat selinuxfs, it also needs
dir search.
Addresses:
avc: denied { search } for name="/" dev="selinuxfs" ino=1 scontext=u:r:watchdogd:s0 tcontext=u:object_r:selinuxfs:s0 tclass=dir
Change-Id: I3e5bb96e905db480a2727038f80315d9544e9c07
This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).
Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.
Bug: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
Access to /proc/cpuinfo was moved to domain_deprecated in commit
6e3506e1ba. Restore access to everyone.
Allow the shell user to stat() /dev, and vfsstat() /proc and other
labeled filesystems such as /system and /data.
Access to /proc/cpuinfo was explicitly granted to bootanim, but is no
longer required after moving it back to domain.te. Delete the redundant
entry.
Commit 4e2d22451f restored access to
/sys/devices/system/cpu for all domains, but forgot to remove the
redundant entry from bootanim.te. Clean up the redundant entry.
Addresses the following denials:
avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 26295417
Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
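The avc lines quoted in this commit are the raw input a policy author turns into allow rules. As an added example (not part of these commits or of the Android policy tree), the Python below parses such denial lines into source domain, target type, object class and permissions, then merges them into candidate allow rules; the sample denials are copied verbatim from the commit message above.

```python
"""Turn SELinux avc denial lines into candidate allow rules.

Added example, not taken from the commits above. The field names follow
the kernel's avc audit format (scontext, tcontext, tclass); the sample
lines are the four denials quoted in the commit message.
"""
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the commit message above.
SAMPLE_DENIALS = """\
avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0
avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0
avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0
avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """u:r:shell:s0 or u:r:untrusted_app:s0:c512,c768 -> third field (the type)."""
    return context.split(":")[2]

def parse_denials(text):
    """Return (source_domain, target_type, tclass, frozenset(perms)) per avc line."""
    parsed = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an avc denial line; ignore
        perms = frozenset(m["perms"].split())
        parsed.append((type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], perms))
    return parsed

def allow_rules(text):
    """Merge denials into one 'allow' rule per (domain, type, class) triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{cls} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_DENIALS)))
```

The generated rules are only candidates: each one still has to be checked against the policy's neverallow rules and against whether the access is actually needed, which is the judgement the commits above make by hand.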
Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.
Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.
Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
Start labeling the directory /sys/kernel/debug/tracing. The files
in this directory need to be writable to the shell user.
Remove global debugfs:file write access. This was added in the days
before we could label individual debugfs files.
Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
Instead of allowing global read access to all properties,
only allow read access to the properties which are part of
core SELinux policy. Device-specific policies are no longer
readable by default and need to be granted in device-specific
policy.
Grant read-access to any property where the person has write
access. In most cases, anyone who wants to write a property
needs read access to that property.
Change-Id: I2bd24583067b79f31b3bb0940b4c07fc33d09918