Commit graph

21 commits

Author SHA1 Message Date
dcashman
4b4b2b9293 Remove service_manager_local_audit_domain.
service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

(cherry-pick of commit: eab26faa60)

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
2015-06-08 11:38:31 -07:00
Nick Kralevich
85416e06a5 su.te: add filesystem dontaudit rule
Addresses su denials which occur when mounting filesystems not
defined by policy.

Addresses denials similar to:

  avc: denied { mount } for pid=12361 comm="mount" name="/" dev="binfmt_misc" ino=1 scontext=u:r:su:s0 tcontext=u:object_r:unlabeled:s0 tclass=filesystem permissive=1

Change-Id: Ifa0d7c781152f9ebdda9534ac3a04da151f8d78e
2015-04-16 08:38:46 -07:00
Nick Kralevich
28ddd1042a su: don't auditallow service_manager for su
Addresses the following auditallow messages:

  avc: granted { find } for service=accessibility scontext=u:r:su:s0 tcontext=u:object_r:accessibility_service:s0 tclass=service_manager
  avc: granted { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager
  avc: granted { find } for service=package scontext=u:r:su:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager
  avc: granted { find } for service=user scontext=u:r:su:s0 tcontext=u:object_r:user_service:s0 tclass=service_manager
  avc: granted { find } for service=window scontext=u:r:su:s0 tcontext=u:object_r:window_service:s0 tclass=service_manager

Change-Id: Ie58ad3347e9ef1aacd39670cfec7d095875e237b
2015-02-25 09:48:54 -08:00
Christopher Ferris
5ec38c49e3 Dumpstate runs the same from shell as service.
Without this change, any selinux warning you might get when running
dumpstate from init do not show up when running from the shell
as root. This change makes them run the same.

Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb
2015-02-04 14:19:26 -08:00
Nick Kralevich
bf254b46ad su.te: suppress service_manager related denials.
The su domain is always permissive, and will always be permissive.
It never makes sense to show su related denials, as they just cause
a false sense of alarm.

Suppress service_manager related denials. For example:

  SELinux : avc:  denied  { find } for service=SurfaceFlinger scontext=u:r:su:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  SELinux : avc:  denied  { find } for service=activity scontext=u:r:su:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager

While I'm here, suppress other recent additionsl to security_classes as
well (keystore_key, debuggerd, drmservice)

Change-Id: I844ad8da5ada09775646b5f32c9405e7b73797f9
2015-01-06 13:52:41 -08:00
Nick Kralevich
b54f92bbf4 make su an mlstrustedsubject
Otherwise the following denial occurs when I3972f846ff5e7363799ba521f1258d662b18d64e
is present and "adb root" is run.

  <6>[   64.507223] type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1
  <6>[   64.507617] type=1400 audit(1411432079.100:472): avc: denied { connectto } for pid=1659 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1

Change-Id: I1772912b2ca1446b822303ad6ea3154427f8331f
2014-09-22 17:44:00 -07:00
Nick Kralevich
213bb45bdd Tweak rules for su domain.
1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582
Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7
2014-07-14 23:28:19 +00:00
Nick Kralevich
af7deffb2c dontaudit su
Denials generated from the su domain aren't meaningful security
warnings, and just serve to confuse people. Don't log them.

Change-Id: Id38314d4e7b45062c29bed63df4e50e05e4b131e
2014-05-27 15:46:39 -07:00
Sreeram Ramachandran
bc320187b9 Make su a net domain.
Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811
2014-05-02 14:50:26 -07:00
Stephen Smalley
b3cb9695c4 Clarify init_shell, shell, and su domain usage.
init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell.  It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc.  We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.

shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.

su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.

Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 13:51:48 -05:00
Nick Kralevich
116a20fdb6 debuggerd: Allow "debug.db.uid" usage
Allow the use of debug.db.uid on userdebug / eng builds.
Setting this property allows debuggerd to suspend a process
if it detects a crash.

Make debug.db.uid only accessible to the su domain. This should
not be used on a user build.

Only support reading user input on userdebug / eng builds.

Steps to reproduce with the "crasher" program:

  adb root
  adb shell setprop debug.db.uid 20000
  mmm system/core/debuggerd
  adb sync
  adb shell crasher

Addresses the following denials:

<5>[  580.637442] type=1400 audit(1392412124.612:149): avc:  denied  { read } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637589] type=1400 audit(1392412124.612:150): avc:  denied  { open } for  pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir
<5>[  580.637706] type=1400 audit(1392412124.612:151): avc:  denied  { read write } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637823] type=1400 audit(1392412124.612:152): avc:  denied  { open } for  pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file
<5>[  580.637958] type=1400 audit(1392412124.612:153): avc:  denied  { ioctl } for  pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file

Bug: 12532622
Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
2014-02-18 15:00:40 -08:00
Nick Kralevich
7d0f955ef0 Support running adbd in the su domain.
When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.

This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.

Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
2014-01-23 09:22:43 -08:00
Nick Kralevich
88ce951d89 Create new conditional userdebug_or_eng
Create a new m4 macro called userdebug_or_eng. Arguments
passed to this macro are only emitted if we're performing
a userdebug or eng build.

Merge shell.te and shell_user.te and eliminate duplicate
lines. Same for su.te and su_user.te

Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
2014-01-09 15:31:37 -08:00
Nick Kralevich
09e6abd91b initial dumpstate domain
Add the necessary rules to support dumpstate.
Start off initially in permissive until it has more testing.

Dumpstate is triggered by running "adb bugreport"

Change-Id: Ic17a60cca1f6f40daa4f2c51e9ad6009ef36cfbd
2013-12-16 15:29:09 -08:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
Stephen Smalley
0130154985 Make sure exec_type is assigned to all entrypoint types.
Some file types used as domain entrypoints were missing the
exec_type attribute.  Add it and add a neverallow rule to
keep it that way.

Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 10:38:14 -04:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
Kenny Root
9ceb47b0c0 Revert "Include su.te only for userdebug/eng builds."
This reverts commit af56ac1954.

Change-Id: Id658a90b58ea31365051c0878c58393fd055fc69
2012-11-01 13:17:29 -07:00
Matt Finifter
af56ac1954 Include su.te only for userdebug/eng builds.
Change-Id: Ia544f13910abbe5e9f6a6cafae397415a41a7a94
2012-07-18 13:25:23 -07:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00