Commit graph

20 commits

Author SHA1 Message Date
Stephen Smalley
b8caf7fdd4 Move allow rules before neverallow rules.
There were a few instances where allow rules were appended
after the neverallow rules stanza in the .te file.  Also
there were some regular allow rules inserted into the CTS-specific
rules section of app.te.  Just move the rules as appropriate.
Should be no change in policy.

Change-Id: Iec76f32d4b531d245bbf5dd9f621a71ff5c71f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-13 16:42:42 -04:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Stephen Smalley
d4731ad8c7 Remove -kernel -recovery from keystore_data_file neverallow.
Aside from the keystore daemon itself, only init needs any access
to keystore_data_file (in order to create and potentially restorecon
/data/misc/keystore).  The exceptions for the kernel and recovery domains
are unnecessary; no allow rule permits this access in current policy.

Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-22 11:13:17 -04:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Riley Spahn
f90c41f6e8 Add SELinux rules for service_manager.
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
2014-06-12 20:46:07 +00:00
Nick Kralevich
8aa754c9be Don't allow ptrace on keystore
keystore may hold sensitive information in it's memory. Don't
allow anyone to ptrace keystore.

Change-Id: I4e3717e482b9fd128d38ce687c03122d41678b6f
2014-05-19 21:49:50 -07:00
Nick Kralevich
cd905ec04e Protect keystore's files.
Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-09 10:14:56 -07:00
Nick Kralevich
b23d287681 Allow keystore to talk to the tee
On manta, the keystore CTS tests are failing, because
keystore isn't allowed to talk to the tee. Allow it.

I've only seen this bug on manta, but it seems appropriate
for all domains.

Fixes the following denial:

<5>[  286.249563] type=1400 audit(1389210059.924:6): avc:  denied  { connectto } for  pid=126 comm="keystore" path=006D636461656D6F6E scontext=u:r:keystore:s0 tcontext=u:r:tee:s0 tclass=unix_stream_socket

Bug: 12450710
Change-Id: I07133d9abeaf967392118ba478a5a391cf0c5fa5
2014-01-08 11:47:00 -08:00
Stephen Smalley
870c4e5e77 Make the keystore domain enforcing.
Change-Id: I7ef479ac1806b0a52bb0145a82d6d4265edc1f3e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Bug: 11518274
2013-11-06 15:40:19 -08:00
Nick Kralevich
2d8dcb732c Revert "Make the keystore domain enforcing."
This is causing runtime restarts on flo/deb when uninstalling
some APKs. Revert while I investigate it.

11-04 21:52:41.487   687   704 I ActivityManager: Force stopping com.android.development appid=10078 user=-1: uninstall pkg
11-04 21:52:41.487   687   712 W PackageManager: Couldn't delete native library directory /data/app-lib/com.android.development
11-04 21:52:41.557   687   712 W dalvikvm: threadid=20: thread exiting with uncaught exception (group=0x959dfae8)
11-04 21:52:41.557   687   712 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: PackageManager
11-04 21:52:41.557   687   712 E AndroidRuntime: java.lang.NullPointerException
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.security.KeyStore.clearUid(KeyStore.java:327)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.removeKeystoreDataIfNeeded(PackageManagerService.java:9787)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.removePackageDataLI(PackageManagerService.java:9384)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.deleteInstalledPackageLI(PackageManagerService.java:9503)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.deletePackageLI(PackageManagerService.java:9612)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.deletePackageX(PackageManagerService.java:9239)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService.access$4100(PackageManagerService.java:178)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at com.android.server.pm.PackageManagerService$7.run(PackageManagerService.java:9173)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.Handler.handleCallback(Handler.java:733)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.Handler.dispatchMessage(Handler.java:95)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.Looper.loop(Looper.java:136)
11-04 21:52:41.557   687   712 E AndroidRuntime:        at android.os.HandlerThread.run(HandlerThread.java:61)
11-04 21:52:41.567   687   712 I Process : Sending signal. PID: 687 SIG: 9

and

[    7.324554] type=1400 audit(1383601030.823:5): avc:  denied  { read write } for  pid=192 comm="keystore" name="qseecom" dev="tmpfs" ino=7521 scontext=u:r:keystore:s0 tcontext=u:object_r:device:s0 tclass=chr_file

This reverts commit 709d71836d.

Bug: 11518274
2013-11-05 09:57:40 -08:00
Stephen Smalley
709d71836d Make the keystore domain enforcing.
Change-Id: I8f4964fb31e91d9f384ef05df5acdcdd45dec08b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-31 13:39:59 -04:00
Stephen Smalley
cdd83f4eae Confine keystore, but leave it permissive for now.
Change-Id: Ia92165478764b062e7e33e7741742f5ec8762ad9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 14:47:32 -04:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
Stephen Smalley
61c80d5ec8 Update policy for Android 4.2 / latest master.
Update policy for Android 4.2 / latest master.
Primarily this consists of changes around the bluetooth subsystem.
The zygote also needs further permissions to set up /storage/emulated.
adbd service now gets a socket under /dev/socket.
keystore uses the binder.

Change-Id: I8c5aeb8d100313c75169734a0fa614aa974b3bfc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2012-11-19 09:55:10 -05:00
rpcraig
e07b8a56b9 Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
rpcraig
abd977a79e Additions for grouper/JB 2012-08-10 06:25:52 -04:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00