Commit graph

24 commits

Author SHA1 Message Date
Stephen Smalley
64c0ff0079 Audit attempts by rild to create/write to system_data_file.
Audit attempts by rild to create/write to system_data_file
with avc:  granted messages so that we can identify any such
instances and put such directories/files into radio_data_file or
some other type and then remove these rules.

Change-Id: Ice20fed1733a3f4208d541a4baaa8b6c6f44fbb0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-13 13:36:51 +00:00
Nick Kralevich
599e71a9ba rild: move to enforcing
Move the rild domain into SELinux enforcing mode. This will
start enforcing SELinux rules; security policy violations will
return EPERM.

Change-Id: Iadb51616ecf6f56148ce076d47f04511810de94c
2014-03-12 17:10:57 -07:00
Stephen Smalley
0296b9434f Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 21:26:08 +00:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Robert Craig
aa376831e8 Fix new rild denials.
Denials seen on hammerhead but seem
appropriate for general policy.

<5>[ 8.339347] type=1400 audit(3731546.390:17): avc: denied { ioctl } for pid=314 comm="rild" path="socket:[7996]" dev="sockfs" ino=7996 scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 8.339065] type=1400 audit(3731546.390:16): avc: denied { create } for pid=314 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
<5>[ 11.232121] type=1400 audit(3731549.289:22): avc: denied { read } for pid=620 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket

Change-Id: Ieaca5360afbb44d5da21c7c24bdd5e7c5758f0a2
2013-12-05 17:37:25 -05:00
Stephen Smalley
dcbab907ea Confine rild, but leave it permissive for now.
Change-Id: I6df9981b2af0150c6379a0ebdbe0a8597c994f4a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-13 16:32:22 -05:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
William Roberts
ec7d39ba16 Introduce controls on wake lock interface
Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1
2013-10-03 15:17:32 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
William Luh
b4ab72d52a Expand permissions for 3 existing allow policies for rild and a new one for rild.
Change-Id: Iafe68ac1b742e40c1a23a2f6cfd6373ea89cc07b
2013-05-02 17:57:14 -07:00
William Luh
e855c3b490 Allow rild to create, bind, read, write to itself through a netlink socket.
Change-Id: Ia7457e3fd4f1100bbee821f412e80ba17fede5ec
2013-04-25 18:29:26 -07:00
Stephen Smalley
0e856a02cb Allow all domains to read /dev symlinks.
Change-Id: I448a5553937a98775178b94f289ccb45ae862876
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-05 13:10:05 -07:00
Robert Craig
65d4f44c1f Various policy updates.
Assortment of policy changes include:
 * Bluetooth domain to talk to init and procfs.
 * New device node domains.
 * Allow zygote to talk to its executable.
 * Update system domain access to new device node domains.
 * Create a post-process sepolicy with dontaudits removed.
 * Allow rild to use the tty device.

Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2013-03-27 06:30:25 -04:00
William Roberts
c195ec3148 Split internal and external sdcards
Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-22 15:26:39 -04:00
hqjiang
81039ab556 Corrected denials for LocationManager when accessing gps over uart. 2012-07-12 09:27:40 -04:00
William Roberts
56ad8c7322 This patch fixes rild trying to access the bluetooth efs dir with read
perms.
2012-06-27 08:45:51 -04:00
William Roberts
f6f87105d4 Remove all denials caused by rild on tuna devices.
Tested on a maguro variant.
2012-06-07 11:52:51 -04:00
William Roberts
7fa2f9e0f5 Policy for hci_attach service. 2012-05-31 09:40:12 -04:00
Stephen Smalley
730957aef3 Rework the radio vs rild property split.
Only label properties with the ril. prefix with rild_prop.
Allow rild and system (and radio) to set radio_prop.
Only rild can set rild_prop presently.
2012-04-04 16:01:19 -04:00
Stephen Smalley
124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00
Stephen Smalley
f7948230ef Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton. 2012-03-19 15:58:11 -04:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00