Commit graph

9 commits

Author SHA1 Message Date
Nick Kralevich
3ddaa63bde racoon: allow ioctl TUNSETIFF
Used by
bf16586a33/main.c (116)

Addresses the following denial:

audit(0.0:8126): avc: denied { ioctl } for comm="racoon" path="/dev/tun" dev="tmpfs" ino=25329 ioctlcmd=0x54ca scontext=u:r:racoon:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file permissive=0

Test: policy compiles.
Change-Id: Ia26077d4a9e810c7006d4b979d6b7e9ca154b485
2018-11-15 10:32:45 -08:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Jeff Vander Stoep
f627e5581c restore permissions to /vendor for non-treble devices
Relabeling /vendor and /system/vendor to vendor_file removed
previously granted permissions. Restore these for non-treble devices.

Addresses:
avc: denied { execute_no_trans } for pid=2944 comm="dumpstate"
path="/system/vendor/bin/wpa_cli" dev="mmcblk0p10" ino=1929
scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_file:s0
tclass=file

And potentially some other bugs that have yet to surface.

Bug: 37105075
Test: build Fugu
Change-Id: I8e7bd9c33819bf8206f7c110cbce72366afbcef8
2017-04-14 10:01:14 -07:00
Lucas Duffey
1625dba935 remove setuid SELinux capability for racoon.
In the master external/ipsec-tools/{main.c, racoon.rc},
racoon doesn't call setuid, and doesn't have the setuid capability.

Bug: 35642293
Signed-off-by: Lucas Duffey <lucas.duffey@invapid.org>
2017-02-22 03:31:23 +00:00
Nick Kralevich
a675ca60a4 racoon: Add SIOCSIFNETMASK
XAUTH based VPNs
1. IPSec XAUTH PSK
2. IPSec XAUTH RSA
fail with the following error from racoon

  01-24 16:46:05.583 18712 18712 W ip-up-vpn: type=1400 audit(0.0:390):
  avc: denied { ioctl } for path="socket:[954683]" dev="sockfs" ino=954683
  ioctlcmd=891c scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0
  tclass=udp_socket permissive=0

"setenforce 0" on the device fixed the issue.

Bug: 34690009
Test: Policy compiles
Change-Id: Idc0d156ec32e7a9be3825c380c3cb0359fe4fabe
2017-01-24 17:12:58 -08:00
Jeff Vander Stoep
d7a64e4e8b racoon: remove domain_deprecated attribute
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.

Bug: 28760354
Change-Id: Ib6da57f6249a5571015b649bae843590229be714
2016-10-15 17:15:25 -07:00
Jeff Vander Stoep
d063d23032 racoon: allow setting options on tun interface
Fixes failure in VPN connection

avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8914
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket
avc: denied { ioctl } for pid=2870 comm="ip-up-vpn" ioctlcmd=8916
scontext=u:r:racoon:s0 tcontext=u:r:racoon:s0 tclass=udp_socket

Test: VPN works
Bug: 32011648
Change-Id: I28c4dc7ffbf7e35ef582176674c4e9764719a2a9
2016-10-15 14:09:45 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from racoon.te (Browse further)