Commit graph

36 commits

Author SHA1 Message Date
Nick Kralevich
3351122ec8 netd.te: Remove allow netd toolbox_exec:file rx_file_perms;
no SELinux denials from auditallow

Change-Id: Ied61f7f97b148b1c10d0f71e9ab30c136a123738
2016-01-14 21:26:42 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Stephen Smalley
a3c97a7660 Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 12:46:07 -04:00
William Roberts
625a3526f1 Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 00:02:59 +00:00
Nick Kralevich
8d200817d4 netd dontaudit fsetid
For the reasons explained in the pre-existing code, we don't want
to grant fsetid to netd, nor do we want denial messages to be
generated.

Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
2015-04-02 15:36:51 -07:00
Nick Kralevich
5cf3994d8a Revert /proc/net related changes
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc82
and commit 99940d1af5

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:35:17 -08:00
Jeff Sharkey
33bf053826 Rules to let netd read packets from NFLOG target.
avc: denied { create } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { setopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { bind } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { getopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { write } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1
avc: denied { read } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1

Bug: 18335678
Change-Id: I7c03d55b4719d0fd8057507bf8ac1cf573e4744a
2015-01-15 15:59:39 -08:00
Nick Kralevich
99940d1af5 remove /proc/net read access from domain.te
SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
2015-01-14 22:18:24 +00:00
Stephen Smalley
45731c70ef Annotate MLS trusted subjects and objects.
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file.  Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.

This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.

Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-08 16:06:40 -04:00
Sreeram Ramachandran
65edb75d53 Allow netd to create data files in /data/misc/net/.
This will be used to populate rt_tables (a mapping from routing table numbers to
table names) that's read by the iproute2 utilities.

Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-08 19:06:28 +00:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Sreeram Ramachandran
56ecf4bdf8 Introduce fwmarkd: a service to set the fwmark of sockets.
(cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907)

Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-14 11:23:28 -07:00
Robert Craig
4b3893f90b Replace ctl_default_prop access with explicit service property keys.
The ctl_default_prop label is a bit too generic for some
of the priveleged domains when describing access rights.
Instead, be explicit about which services are being started
and stopped by introducing new ctl property keys.

Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-25 13:36:50 -04:00
Stephen Smalley
853ffaad32 Deduplicate neverallow rules on selinuxfs operations.
We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-10 20:41:34 +00:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Stephen Smalley
96ff4c053a Add a domain for mdnsd and allow connecting to it.
Change-Id: I0a06fa32a46e515671b4e9a6f68e1a3f8b2c21a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 16:23:12 +00:00
Stephen Smalley
d581b812d6 Remove fsetid from netd.
fsetid checks are triggered by chmod on a directory or file owned by
a group other than one of the groups assigned to the current process
to see if the setgid bit should be cleared, regardless of whether the
setgid bit was even set.  We do not appear to truly need this
capability for netd to operate, so remove it.  Potential dontaudit
candidate.

Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 09:41:13 -05:00
Robert Craig
529fcbe065 Create proc_net type for /proc/sys/net entries.
/proc/sys/net could use its own type to help distinguish
among some of the proc access rules. Fix dhcp and netd
because of this.

Change-Id: I6e16cba660f07bc25f437bf43e1eba851a88d538
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-01-07 14:03:32 -05:00
Nick Kralevich
bc19050cdd put netd into net_domain
This addresses the review comments from
https://android-review.googlesource.com/#/c/69855/

Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
2013-12-15 19:04:09 -08:00
The Android Open Source Project
6af0cc2430 Merge commit '060f6fa67e1d9779d2d8357659ae530d65171faa' into HEAD 2013-11-22 10:35:15 -08:00
Nick Kralevich
91ebcf3332 netd: allow tcp_socket name_connect
The patch in 36a5d109e6 wasn't
sufficient to address DNS over TCP. We also need to allow
name_connect.

Fixes the following denial:

<5>[   82.120746] type=1400 audit(1830030.349:5): avc:  denied  { name_connect } for  pid=1457 comm="netd" dest=53 scontext=u:r:netd:s0 tcontext=u:object_r:port:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Bug: 11097631

Change-Id: I688d6923b78782e2183a9d69b7e74f95d6e3f893
2013-11-13 11:32:13 -08:00
Nick Kralevich
36a5d109e6 netd: allow tcp connections.
DNS can use TCP connections, in addition to UDP connections.
Allow TCP connections.

Addresses the following denial:

[ 1831.586826] type=1400 audit(1384129166.563:173): avc:  denied  { create } for  pid=11406 comm="netd" scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=tcp_socket

Public Bug: https://code.google.com/p/android/issues/detail?id=62196
Change-Id: Ia542a9df3e466a8d409955bab6a23a524ff3d07b
Bug: 11097631
2013-11-13 06:29:29 -08:00
Geremy Condra
ddf98fa8cf Neverallow access to the kmem device from userspace.
Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
2013-11-07 16:17:32 -08:00
Geremy Condra
776cd0f372 am 3bb1ccc2: Fix long-tail denials in enforcing domains.
* commit '3bb1ccc265bbc6e865506b38ae66721ec1177b55':
  Fix long-tail denials in enforcing domains.
2013-09-17 14:03:11 -07:00
Geremy Condra
3bb1ccc265 Fix long-tail denials in enforcing domains.
The specific denials we see are:

denied  { getattr } for  pid=169 comm=""installd"" path=""/data/data/com.android.providers.downloads/cache/downloadfile.jpeg"" dev=""mmcblk0p23"" ino=602861 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=file
denied  { fsetid } for  pid=598 comm=""netd"" capability=4  scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability
denied  { read } for  pid=209 comm=""installd"" name=""cache"" dev=""mmcblk0p28"" ino=81694 scontext=u:r:installd:s0 tcontext=u:object_r:download_file:s0 tclass=dir

Bug: 10786017
Change-Id: Ia5d0b6337f3de6a168ac0d5a77df2a1ac419ec29
2013-09-17 11:28:47 -07:00
Stephen Smalley
a62d5c6679 Drop obsolete comments about SEAndroidManager.
Change-Id: I6b27418507ebd0113a97bea81f37e4dc1de6da14
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 13:26:14 -07:00
Lorenzo Colitti
ab7dfabb61 Fix clatd, broken by selinux policing /dev/tun
Bug: 10175701
Change-Id: I185df22bdbaafd56725760ec6c71340b67455046
2013-08-05 19:53:23 +09:00
Nick Kralevich
9a19885c4c remove "self:process ptrace" from domain, netd neverallow rules
Remove "self:process ptrace" from all SELinux enforced domains.
In general, a process should never need to ptrace itself.
We can add this back to more narrowly scoped domains as needed.

Add a bunch of neverallow assertions to netd.te, to verify that netd
never gets unexpected capabilities.

Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
Nick Kralevich
4a13f7809b netd.te: allow ctl.mdnsd
Allow netd to set ctl.* properties. Currently, mdnsd is broken because
it can't set this property.

Bug: 9777774
Change-Id: I2f32504d77b651e66e0a0067e65a5ed44b427f5a
2013-07-10 15:26:54 -07:00
Nick Kralevich
dbd28d91d3 Enable SELinux protections for netd.
This change does several things:

1) Restore domain.te to the version present at
cd516a3266 . This is the version
currently being distributed in AOSP.

2) Add "allow domain properties_device:file r_file_perms;" to
domain.te, to allow all domains to read /dev/__properties__ .
This change was missing from AOSP.

3) Restore netd.te to the version present at
80c9ba5267 . This is the version
currently being distributed in AOSP.

4) Remove anything involving module loading from netd.te. CTS
enforces that Android kernels can't have module loading enabled.

5) Add several new capabilities, plus data file rules, to
netd.te, since netd needs to write to files owned by wifi.

6) Add a new unconfined domain called dnsmasq.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the dnsmasq.te domain.

7) Add a new unconfined domain called hostapd.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the hostapd.te domain.

The net effect of these changes is to re-enable SELinux protections
for netd. The policy is FAR from perfect, and allows a lot of wiggle
room, but we can improve it over time.

Testing: as much as possible, I've exercised networking related
functionality, including turning on and off wifi, entering airplane
mode, and enabling tethering and portable wifi hotspots. It's quite
possible I've missed something, and if we experience problems, I
can roll back this change.

Bug: 9618347
Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 08:24:30 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
Stephen Smalley
9de4c69202 Strip unnecessary trailing semicolon on macro calls.
Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-05 13:07:26 -07:00
rpcraig
ff7e5305b8 Create policy for PAN connections.
Policy to allow bluetooth tethering.

Change-Id: Ic24c97b0e1dc93395b8381b78ca4929baa30337c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-22 15:05:44 -04:00
Stephen Smalley
c94e2392f6 Further policy for Motorola Xoom. 2012-01-06 10:25:53 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00