tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
4111 commits 1 branch 0 tags 50 MiB
Commit graph

7 commits

Author SHA1 Message Date
Alex Klyubin
effcac7d7e Expand access to gatekeeperd. 
This enables access to gatekeeperd for anybody who invokes Android
framework APIs. This is necessary because the AndroidKeyStore
abstraction offered by the framework API occasionally communicates
with gatekeeperd from the calling process.

Bug: 20526234
Change-Id: I3362ba07d1a7e5f1c47fe7e9ba6aec5ac3fec747
 2015-04-29 09:22:11 -07:00
Nick Kralevich
367757d2ef gatekeeperd: use more specific label for /data file 
Use a more specific label for /data/misc/gatekeeper

Rearrange some other rules.

Change-Id: Ib634e52526cf31a8f0a0e6d12bbf0f69dff8f6b5
 2015-04-17 17:56:31 -07:00
Andres Morales
b348f8f55d New rules for SID access 
Change-Id: Ia9df151cc64ad74133db2095a935220ef9f3ea8e
 2015-04-17 10:41:09 -07:00
Andres Morales
dd156fc377 Allow gatekeeperd to use keystore 
needs to call addAuthToken

Change-Id: If519df61448f19dfafab254668c17eea6c161ea4
 2015-04-13 12:26:02 -07:00
Nick Kralevich
2234f9ff57 gatekeeperd: neverallow non-system_server binder call 
The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
 2015-04-09 12:55:38 -07:00
Andres Morales
13abb1701b Allow gatekeeperd to check Android permissions 
Change-Id: Ie88568c43642505f68d137843a1f6b7a3de481e5
 2015-04-09 04:06:36 +00:00
Andres Morales
e207986ea0 SELinux permissions for gatekeeper TEE proxy 
sets up:
- execute permissions
- binder permission (system_server->gatekeeper->keystore)
- prevents dumpstate and shell from finding GK binder service
- neverallow rules for prohibited clients

Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
 2015-04-06 16:46:58 -07:00