Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.
Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.
(cherry picked from commit 603bc20509)
Change-Id: Ib8894aa70aa300c14182a6c934dd56c08c82b05f
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
(cherry picked from commit b8511e0d98)
Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
Coalesce a number of allow rules replicated among multiple
app domains.
Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.
Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.
Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:
avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain. Resolve this overlap by:
1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.
Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.
Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.
Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.
Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.
The following domains were deliberately NOT changed:
1) kernel
2) init
In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.
When we're ready to tighten up the rules for these domains,
we can:
1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.
For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.
Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11