Commit graph

57 commits

Author SHA1 Message Date
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Jeff Sharkey
c69b5e0a69 Let Settings measure transient free space.
Transient volumes like USB drives are only mounted at /mnt/media_rw,
but they still appear in Settings > Storage.  To show stats like
free/used space, give Settings the permissions it needs to access
devices mounted there.

avc: denied { search } for name="media_rw" dev="tmpfs" ino=8358 scontext=u:r:system_app:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir permissive=0

Bug: 22545248
Change-Id: I273a1729e417873184ad04ba9dd0fec95fd54f97
2015-07-30 17:51:04 -07:00
dcashman
48c1f613e0 Allow system_app to find all system services.
SystemPropPoker in settings app lists and communicates with every service on the
system on property change, which is not currently allowed for all services.

This occurs, for instance, when toggling
Developer options -> Monitoring -> Profile GPU Rendering -> On scren as bars.

Addresses the following denials:
SELinux : avc:  denied  { find } for service=samplingprofiler scontext=u:r:system_app:s0 tcontext=u:object_r:samplingprofiler_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=DockObserver scontext=u:r:system_app:s0 tcontext=u:object_r:DockObserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=devicestoragemonitor scontext=u:r:system_app:s0 tcontext=u:object_r:devicestoragemonitor_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=media.camera.proxy scontext=u:r:system_app:s0 tcontext=u:object_r:cameraproxy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=scheduling_policy scontext=u:r:system_app:s0 tcontext=u:object_r:scheduling_policy_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=battery scontext=u:r:system_app:s0 tcontext=u:object_r:battery_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=processinfo scontext=u:r:system_app:s0 tcontext=u:object_r:processinfo_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=batteryproperties scontext=u:r:system_app:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=drm.drmManager scontext=u:r:system_app:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
SELinux : avc:  denied  { find } for service=commontime_management scontext=u:r:system_app:s0 tcontext=u:object_r:commontime_management_service:s0 tclass=service_manager

(cherry-pick of commit: bf0c34d59b)

Bug: 20762975
Bug: 21446739
Change-Id: I655d39c6d6ff0b8bd333a99d17abc08af8001be8
2015-05-28 16:33:45 -07:00
Chad Brubaker
eaa1a1e975 Rename keystore methods and delete unused permissions
Keystore is going through an API cleanup to make names more clear and
remove unclear methods.

(cherry-picked from commit cbc8f79655)

Change-Id: I06354ccd0a9a73fd20168bfce9350c451cfaced3
2015-05-18 12:19:19 -07:00
Chad Brubaker
77a824600b Add keystore user_changed permission
user_changed will be used for state change methods around android user
creation/deletion.

(cherry-picked from commit 520bb816b8)

Change-Id: I295ca9adfc4907b5d7bcf0555f6e5a9a3379635b
2015-05-18 16:26:41 +01:00
William Roberts
2f5a6a96bd Replace unix_socket_connect() and explicit property sets with macro
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service

The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.

To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)

This macro handles steps 1, 2 and 3.

No difference in sediff is expected.

(cherrypicked from commit 625a3526f1)

Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-07 10:32:06 -07:00
dcashman
c6290ac2a2 Allow system_app to list all services.
The Settings app contains a SystemPropPoker class which notifies every service
on the system that a property has changed.

Address the following denial:
avc:  denied  { list } for service=NULL scontext=u:r:system_app:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager

Cherry-pick of Change-Id: I81926e8833c1abcb17a4d49687fc89619b416d6c

Bug: 20762975
Change-Id: I665a460f30a1ef57b513da9166aad60097dd4886
2015-05-04 15:30:36 -07:00
dcashman
bd7f5803f9 Enforce more specific service access.
Move the remaining services from tmp_system_server_service to appropriate
attributes and remove tmp_system_server and associated logging:

registry
restrictions
rttmanager
scheduling_policy
search
sensorservice
serial
servicediscovery
statusbar
task
textservices
telecom_service
trust_service
uimode
updatelock
usagestats
usb
user
vibrator
voiceinteraction
wallpaper
webviewupdate
wifip2p
wifi
window

Bug: 18106000
Change-Id: Ia0a6d47099d82c53ba403af394537db6fbc71ca0
2015-04-09 09:45:54 -07:00
dcashman
03a6f64f95 Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

network_management
network_score
notification
package
permission
persistent
power
print
processinfo
procstats

Bug: 18106000
Change-Id: I9dfb41fa41cde72ef0059668410a2e9eb1af491c
2015-04-08 20:26:50 +00:00
dcashman
91b7c67d16 Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

jobscheduler
launcherapps
location
lock_settings
media_projection
media_router
media_session
mount
netpolicy
netstats

Bug: 18106000
Change-Id: Ia82d475ec41f658851f945173c968f4abf57e7e1
2015-04-07 15:48:58 -07:00
dcashman
3cc6fc5ffb Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

diskstats
display
dreams
dropbox
ethernet
fingerprint
graphicstats
hardware
hdmi_control
input_method
input_service

Bug: 18106000
Change-Id: Iadd8aab9e78d9d39fb00cf0b5a95fa1927d02095
2015-04-07 12:43:47 -07:00
dcashman
d4c78f4b3f Enforce more specific service access.
Move the following services from tmp_system_server_service to appropriate
attributes:

battery
bluetooth_manager
clipboard
commontime_management
connectivity
content
country_detector
device_policy
deviceidle

Bug: 18106000
Change-Id: I0d0f2a075c0509a783631d88ba453ac13399cdf2
2015-04-07 16:59:38 +00:00
dcashman
4cdea7fc40 Assign app_api_service attribute to services.
Assign the alarm, appwidget, assetatlas, audio, backup and batterystats services
the appropriate service access levels and move into enforcing.

Bug: 18106000
Change-Id: If3210bb25f3076edfdb6eec36ef6521ace1bd8d7
2015-04-06 13:20:41 -07:00
dcashman
b075338d0e Assign app_api_service attribute to services.
Move accessibility, account, appops and activity services into enforcing with
app_api_service level of access, with additional grants to mediaserver and
isolated app.

Bug: 18106000
Change-Id: I1d5a79b9223026415f1690e8e9325ec4c270e3dd
2015-04-03 14:29:40 -07:00
dcashman
d12993f084 Add system_api_service and app_api_service attributes.
System services differ in designed access level.  Add attributes reflecting this
distinction and label services appropriately.  Begin moving access to the newly
labeled services by removing them from tmp_system_server_service into the newly
made system_server_service attribute.  Reflect the move of system_server_service
from a type to an attribute by removing access to system_server_service where
appropriate.

Change-Id: I7fd06823328daaea6d6f96e4d6bd00332382230b
2015-04-03 11:20:00 -07:00
dcashman
8af4e9cb00 Record observed service accesses.
Get ready to switch system_server service lookups into enforcing.

Bug: 18106000
Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
2015-04-01 14:30:46 -07:00
John Reck
e8064afb5e Add graphicsstats service
Change-Id: I156b139b57f46c695ece35b7b26a3087d87b25df
2015-03-27 19:10:58 +00:00
dcashman
23f336156d Record observed system_server servicemanager service requests.
Also formally allow dumpstate access to all services and grant system_server
access to address the following non-system_server_service entries:

avc:  granted  { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
avc:  granted  { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager

Bug: 18106000
Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:38:07 -08:00
dcashman
6a2451b580 Allow platform_app access to keystore.
Encountered when certinstaller tries to talk to keystore:
ComponentInfo{com.android.certinstaller/com.android.certinstaller.CertInstaller}: java.lang.NullPointerException: Attempt to invoke interface method 'int android.security.IKeystoreService.test()' on a null object reference

Address the following denial:
avc:  denied  { find } for service=android.security.keystore scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:keystore_service:s0 tclass=service_manager

Bug: 19347232
Change-Id: I35b46da3c78b384cf04216be937c6b5bfa86452d
2015-03-02 11:31:26 -08:00
Sharif Inamdar
99b4052126 Allow system_app to access /data/data link files
system_app tries to access files in /data/data (lnk_files).
But due to permission issue it is not able to access the
link files.

Change-Id: I2959d899f5e3ab9caa219d684541d36587a6c059
2015-01-21 23:08:20 +00:00
dcashman
566e8fe258 Record service accesses.
Reduce logspam and record further observed service connections.

Bug: 18106000
Change-Id: I9a57e4bb8f1c8e066861719fb208c691498842a8
2015-01-16 17:27:25 -08:00
dcashman
c631ede7dc Remove known system_server service accesses from auditing.
Address observed  audit logs of the form:
granted  { find } for service=XXX scontext=u:r:YYY:s0:c512,c768 tcontext=u:object_r:XXX_service:s0 tclass=service_manager

in order to record existing relationships with services.

Bug: 18106000
Change-Id: I99a68f329c17ba67ebf3b87729b8405bdc925ef4
2015-01-15 15:12:18 -08:00
dcashman
4a89cdfa89 Make system_server_service an attribute.
Temporarily give every system_server_service its own
domain in preparation for splitting it and identifying
special services or classes of services.

Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
2015-01-14 13:54:26 -08:00
dcashman
404575312b Allow system_app to locate mediaserver_service.
Address the following denial:
SELinux : avc:  denied  { find } for service=media.audio_flinger scontext=u:r:system_app:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager

Change-Id: I6bd5d2490c7d4aa06a645c1ee293f2b3db21968b
2015-01-07 10:24:28 -08:00
dcashman
cd82557d40 Restrict service_manager find and list access.
All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Pare the permissions
which did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
2014-12-15 10:09:24 -08:00
Pawit Pornkitprasan
c06ed8f7b2 sepolicy: allow system apps to access ASEC
Required for Settings to show name/icon of apps on sd card
(permission copied from untrusted_app)

Also removed duplicate permission (from domain) in untrusted_app

Change-Id: Ib2b3bee4dfb54ad5e45b392fd9bfd65add4a00bf
2014-12-12 13:58:39 +07:00
Robin Lee
5871d1bc18 resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp
Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
2014-10-15 23:11:59 +01:00
Robin Lee
51bfecf49d Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-15 18:02:03 +00:00
Brian Carlstrom
09eae90890 Remove system_server create access from /data/dalvik-cache
Bug: 16875245

(cherry picked from commit 372d0df796)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
2014-08-28 21:36:27 -07:00
Brian Carlstrom
372d0df796 Remove system_server create access from /data/dalvik-cache
Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
2014-08-28 21:15:38 -07:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
14aa7c0608 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea347)

Change-Id: I25354db2add3135335c80be2c2d350e526137572
2014-07-17 16:30:26 -07:00
Riley Spahn
88157ea347 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
2014-07-17 21:33:33 +00:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Riley Spahn
596bcc7687 Remove keystore auditallow statements from system.
Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
2014-07-01 18:25:02 +00:00
Riley Spahn
b1ec3dfacd Add imms service and system_app_service type.
Map imms to system_app_service in service_contexts and add
the system_app_service type and allow system_app to add the
system_app_service.

Bug: 16005467
Change-Id: I06ca75e2602f083297ed44960767df2e78991140
2014-07-01 16:17:59 +00:00
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Mark Salyzyn
9e7bbf61de selinux: logd Development settings
- logd Development Settings failed to access persist.logd.size

Change-Id: I0732b44fcbffbf3c187bcb23df2db807fa3e8fde
2014-06-12 13:08:13 -07:00
Stephen Smalley
d159122481 Make system_app enforcing.
Change-Id: I9c3ff0a79d947a14084638772451d06298c43e47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-09 05:27:11 +00:00
Stephen Smalley
f1ea707a3d Restore system_app access to system-owned /data directories.
System UID apps want to be able to create/write to system-owned
/data directories outside of their own /data/data package directory,
such as /data/system/cache and /data/misc/keychain.  Restore access
(which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when
system_app_data_file was introduced for the /data/data package
directories of system UID apps), but audit writes to system_data_file
so we can look at introducing separate types for these directories in
the future and ultimately remove access to the rest of the system-owned
data.

Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 14:32:28 -04:00
Mark Salyzyn
c52d738834 Allow Developer settings to change runtime size of logd
- permit logd control from system_app

Bug: 14563261
Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963
2014-05-12 10:14:19 -07:00
Stephen Smalley
91a4f8d4fd Label app data directories for system UID apps with a different type.
We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 18:04:51 +00:00
Stephen Smalley
1c0c010261 Allow system_app to start bugreport and to create /data/anr/traces.txt.
Resolves denials such as:

avc:  denied  { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service

avc:  denied  { write } for  pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { add_name } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { create } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-11 12:12:14 +00:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
28afdd9234 Deduplicate binder_call rules.
A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-03 22:42:52 +00:00
Stephen Smalley
2c347e0a36 Drop obsolete keystore_socket type and rules.
Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while.  The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 19:07:03 +00:00
Stephen Smalley
85708ec4f9 Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00
Robert Craig
48b18832c4 Introduce asec_public_file type.
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-11 17:08:10 +00:00