In order to support the new goldfish service domains in
a change with the same Change-Id for the build project, we need
the following changes in external/sepolicy:
- /system/bin/logcat needs its own type so that it can be used as an
entrypoint for the goldfish-logcat service. A neverallow rule prevents
us from allowing entrypoint to any type not in exec_type.
- The config. and dalvik. property namespaces need to be labeled
with something other than default_prop so that the qemu-props
service can set them. A neverallow rule prevents us from allowing
qemu-props to set default_prop.
We allow rx_file_perms to logcat_exec for any domain that
was previously allowed read_logd() as many programs will read
the logs by running logcat. We do not do this for all domains
as it would violate a neverallow rule on the kernel domain executing
any file without transitioning to another domain, and as we ultimately
want to apply the same restriction to the init domain (and possibly others).
Change-Id: Idce1fb5ed9680af84788ae69a5ace684c6663974
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add policies supporting SELinux MAC in DrmManagerservice.
Add drmservice class with verbs for each of the
functions exposed by drmservice.
Change-Id: Ib758a23302962f41e5103c4853c65adea3a5994e
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.
Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.
Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).
Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
write_logd() is allowed for domain, which means that all domains
are permitted read/write access to /dev. That's overly permissive
and causes substantial differences between user and userdebug/eng
devices.
Remove domain device:dir rw_dir_perms access. It's not needed.
Allow all domains to write/append to logd_debug. logd is responsible
for creating this file if need be. Remove logd_debug file create
permissions. This also eliminates the need for the type_transition
rules.
Bug: 15419803
Change-Id: I7dc3c4df8d413c649c24ae7bc15546d64226ce3b
Create a separate recovery policy and only include the
recovery domain allow rules in it.
Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Introduce wakelock_use(). This macro declares that a domain uses
wakelocks.
Wakelocks require both read-write access to files in /sys/power, and
CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and
file access are granted at the same time.
Still TODO: fix device specific wakelock use.
Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This change folds the shared_app, media_app, and release_app
domains into untrusted_app, reducing the set of app domains down
to just distinct domains for the fixed UID apps (e.g. system_app, bluetooth,
nfc, radio), a single domain for apps signed by the platform key
(platform_app), and a single domain for all other apps (untrusted_app).
Thus, SELinux only distinguishes when already distinguished by a predefined
Android ID (AID) or by the platform certificate (which get the signature-only
Android permissions and thus may require special OS-level accesses).
It is still possible to introduce specific app domains for specific
apps by adding signer and package stanzas to mac_permissions.xml,
but this can be done on an as-needed basis for specialized apps that
require particular OS-level permissions outside the usual set.
As there is now only a single platform app domains, get rid of the
platformappdomain attribute and platform_app_domain() macro. We used
to add mlstrustedsubject to those domains but drop this since we are not
using MLS in AOSP presently; we can revisit which domains need it if/when
we use MLS.
Since we are dropping the shared, media, and release seinfo entries from
seapp_contexts, drop them from mac_permissions.xml as well. However,
we leave the keys.conf entries in case someone wants to add a signer
entry in the future for specific apps signed by those keys to
mac_permissions.xml.
Change-Id: I877192cca07360c4a3c0ef475f016cc273e1d968
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- Add write_logd, read_logd and control_logd macros added along
with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
deal with fd inheritance. ToDo: investigate means to allow
references to close, and reopen in context of application
or call setsockcreatecon() to label them in child context.
Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.
Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.
This will ensure that all SELinux domains have at least a
minimal level of protection.
Unconditionally enable this flag for all user builds.
Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.
Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te
Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
tmpfs_domain() macro defines a per-domain type and
allows access for tmpfs-backed files, including ashmem
regions. execute-related permissions crept into it,
thereby allowing write + execute to ashmem regions for
most domains. Move the execute permission out of tmpfs_domain()
to app_domain() and specific domains as required.
Drop execmod for now we are not seeing it.
Similarly, execute permission for /dev/ashmem crept into
binder_use() as it was common to many binder using domains.
Move it out of binder_use() to app_domain() and specific domains
as required.
Change-Id: I66f1dcd02932123eea5d0d8aaaa14d1b32f715bb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:
<5>[ 291.791423] type=1400 audit(1385587240.320:79): avc: denied { write } for pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file
path=/dev/ashmem (deleted)
Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d
In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.
Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f
Add a create_pty() macro that allows a domain to
create and use its own ptys, isolated from the ptys
of any other domain, and use that macro for untrusted_app.
This permits the use of a pty by apps without opening up access
to ptys created by any other domain on the system.
Change-Id: I5d96ce4d1b26073d828e13eb71c48d1e14ce7d6b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.
Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.
To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.
Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.
Change-Id: I729d224347a003eaca29299d216a53c99cc3197c
/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.
Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.
Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
Update the file_contexts for the new location of
the policy files, as well as update the policy
for the management of these types.
Change-Id: Idc475901ed437efb325807897e620904f4ff03e9
The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.
Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Platform (any of the apps signed by build keys, i.e. platform|release|shared|media) apps expect to be able to share files with each other or with third party apps by passing open files or pathnames over Binder. Therefore, we switch to only enforcing the per-app process and file isolation via SELinux on third party apps, not platform apps.
Make the platform app domains mlstrustedsubjects so that they can access any files created by third party apps.
Introduce a new platform_app_data_file type for platform apps so that we can mark it as a mlstrustedobject and allow third party apps to read/write files created by the platform apps.
Specify this new type for the platform app entries in seapp_contexts.
Remove levelFromUid=true for the platform apps in seapp_contexts since we are no longer enforcing per-app separation among them.