Commit 0d08d4721a added two auditallow
statements. The intented purpose of the auditallow statement was:
auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.
As currently written, the auditallow rules aren't actionable. It's not
a problem by itself for init to access a /dev file or chr_file.
Rather, we care about when other domains access such files.
Currently, this generates a number of (expected) audit statements on
boot, which causes unnecessary confusion and makes people believe
that something is broken.
Remove the unactionable auditallow statements.
Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426
On the Nexus 9, init.rc creates the /vendor -> /system/vendor
symlink, then a bit later removes the symlink, creates a
proper directory, and mounts /vendor on the directory.
The current permissive SELinux policy doesn't allow init to
remove the /vendor symlink, which eventually causes the following
errors:
avc: denied { unlink } for pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered
There was an attempt to reorder some of these operations so
we didn't have to create / delete the symlink, but it
doesn't seem to have gone well.
f67d6bd3c0
Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
init.rc files can potentially chown/chmod any character device, so
allow it for everything except for kmem (prohibited by neverallow).
While we could whitelist each of the device types, doing so would also
require device-specific changes for the device-specific types and
may be difficult to maintain.
Resolves (permissive) denials such as:
avc: denied { read } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { open } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { setattr } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
avc: denied { read } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
avc: denied { open } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
avc: denied { read } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file
avc: denied { open } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file
avc: denied { setattr } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file
Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Resolves (permissive) denials on upgrades from 4.4.
Change-Id: Ia9eed4938a7235c23bb65de7ad65e6e7c325dfd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Switch the kernel and init domains from unconfined_domain()
to permissive_or_unconfined() so that we can start collecting
and addressing denials in -userdebug/-eng builds.
Also begin to address denials for kernel and init seen after
making this switch.
I intentionally did not allow the following denials on hammerhead:
avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
These occur when init.rc does:
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
because the prior command to mount the cgroup failed:
mount cgroup none /sys/fs/cgroup/memory memory
I think this is because that cgroup is not enabled in the
kernel configuration. If the cgroup mount succeeded,
then this would have been a write to a cgroup:file and
would have been allowed already.
Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
With the sepolicy-analyze neverallow checking, attribute
expansion is performed against the device policy and therefore
we do not want our neverallow rules to exempt domains from
consideration based on an attribute (e.g. -unconfineddomain).
Otherwise, device policy could pass the neverallow check just
by adding more domains to unconfineddomain. We could of course
add a CTS test to check the list of unconfineddomains against
a whitelist, but it seems desirable regardless to narrow these
neverallow rules to only the specific domains required.
There are three such neverallow rules in current policy: one
on creating unlabeled files, one on accessing /dev/hw_random, and
one on accessing a character device without a specific type. The
only domain in unconfineddomain that appears to have a legitimate
need for any of these permissions is the init domain. Replace
-unconfineddomain with -init in these neverallow rules, exclude these
permissions from unconfineddomain, and add these permissions to init if
not already explicitly allowed. auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.
Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove the ability of init to execute programs from / or /system
without changing domains. This forces all helper programs and
services invoked by init to be assigned their own domain.
Introduce separate domains for running the helper programs
executed from the fs_mgr library by init. This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).
e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system. We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.
mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices. As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.
With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.
To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain. This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.
Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission. Required for:
https://android-review.googlesource.com/#/c/101800/
Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.
For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.
Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.
Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.
Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.
Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.
Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.
In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.
Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.
Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.
Addresses denials such as:
avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.
Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
execute_no_trans controls whether a domain can execve a program
without switching to another domain. Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon). Prohibit it otherwise for the
kernel domain via neverallow. This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.
Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add neverallow rules to prohibit adding any transitions into
the kernel or init domains. Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts. This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.
Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time. The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).
Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow. This ensures that the no write to /system
restriction cannot be bypassed via context= mount.
Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Domains which want to access /data/local/tmp must do so by
creating their own SELinux domain.
Bug: 15164984
Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).
init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it. init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.
Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.
This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.
Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.
Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These permissions are already allowed indirectly via unconfineddomain
and via domain, but ultimately we plan to remove them from those two
attributes. Explicitly allow the ones we expect to be required,
matching the complement of the auditallow rules in domain.te.
Change-Id: I43edca89d59c159b97d49932239f8952a848031c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Narrow the relabelto rules to a more specific type set
for each domain.
Drop mount permissions from the kernel domain since mounting
occurs after switching to the init domain. This was likely
a residual of when all processes were left in the kernel domain
on a recovery boot due to the missing setcon statement in the
recovery init.rc.
Be consistent with unlabeled filesystems (i.e. filesystems
without any matching fs_use or genfs_contexts entry) so
that we can also unmount them.
Add comments to note the reason for various rules.
Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.
Allow recovery to write to /system. This is needed to apply OTA
images.
Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
/data/property is only accessible by root and is used by the init
property service for storing persistent property values. Create
a separate type for it and only allow init to write to the directory
and files within it. Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.
Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As suggested in https://android-review.googlesource.com/95966 , remove
various syslog_* from unconfined. SELinux domains which want to use
syslog_* can declare it themselves.
Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.
Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.
Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module. It can be added back where appropriate in device
policy if using a modular kernel. No neverallow since it is device
specific.
Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.
Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.
healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.
Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/
init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file. Hence,
the setenforce permission is checked while still running in the
kernel domain. Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later. We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.
Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The build is broken. Reverting temporarily to fix breakage.
libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....
This reverts commit bf12e22514.
Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/
init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file. Hence,
the setenforce permission is checked while still running in the
kernel domain. Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later. We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.
Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.
The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.
Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space
-rw------- root root u:object_r:usermodehelper:s0 bset
-rw------- root root u:object_r:usermodehelper:s0 inheritable
Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.
Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.
Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.
To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.
Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
