Commit graph

9 commits

Author SHA1 Message Date
Eric Biggers
448bd57181 Remove all module_request rules
Starting in Android 11, Android unconditionally disables kernel module
autoloading (https://r.android.com/1254748) in such a way that even the
SELinux permission does not get checked.  Therefore, all the SELinux
rules that allow or dontaudit the module_request permission are no
longer necessary.  Their presence or absence makes no difference.

Bug: 130424539
Test: Booted Cuttlefish, no SELinux denials.
Change-Id: Ib80e3c8af83478ba2c38d3e8a8ae4e1192786b57
2023-08-22 16:56:04 +00:00
Maciej Żenczykowski
4a865b3089 add dontaudit dnsmasq kernel:system module_request
This was originally added due to:
  avc: denied { module_request } for comm="dnsmasq" kmod="netdev-bt-pan" scontext=u:r:dnsmasq:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
in wahoo specific selinux policy in commit cd761300c1cc67cb2be3e001b95317e8a865c5fe 'Allow some denials we have seen.'

This is most likely simply triggered by a race condition on attempting
to access a non existent network device 'bt-pan'.

While we've never seen this anywhere else, it could potentially happen
on any device so we might as well make this global...

Test: N/A
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I00f61a5fc2bfce604badf3b96f6ed808157eb78c
2020-01-18 18:22:12 -08:00
Maciej Żenczykowski
210cdc6fa4 dnsmasq - allow getattr on unix stream sockets
Fix for:
  type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="socket:[25224]" dev="sockfs" ino=25224 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket permissive=0 b/77868789

Test: built and observed no more avc denials on aosp blueline

Bug: 77868789
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I5af4d01e17f2d37335f523a49c7b1f81886edfa2
2019-05-03 06:16:57 +00:00
Maciej Żenczykowski
afa10f7223 selinux - allow dnsmasq to getattr on fifos
This is presumably libc isatty detection on stdin/out/err.
Either way - allowing it is harmless.

This fixes:
  type=1400 audit(): avc: denied { getattr } for comm="dnsmasq" path="pipe:[38315]" dev="pipefs" ino=38315 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=fifo_file permissive=0

Test: built and observed no more avc denials on crosshatch

Bug: 77868789
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ieab51aeb67ebb85b6c778410ba96963612277ae4
2019-05-01 18:04:22 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Nick Kralevich
6a259ccd9d remove more domain_deprecated
Test: no denials showing up in log collection
Test: device boots
Bug: 28760354
Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23
2016-12-09 19:57:43 -08:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from dnsmasq.te (Browse further)