Commit graph

77 commits

Author SHA1 Message Date
Sylvain Chouleur
9a28f90d6a init: allow to access console-ramoops with newer kernels
Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has
been integrated and requires syslog_read capability a process accessing
console-ramoops file.

sepolicy must be adapted to this new requirement.

Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2
Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 16:42:31 +01:00
Bertrand SIMONNET
34e4da5fa9 Allows init to send signals.
This will allow init to terminate services cleanly (SIGTERM, wait,
SIGKILL) when needed.

Bug: 26216447
Test: manual: init is able to send a SIGTERM signal without denials.

Change-Id: Id2471ca08c0b011be64a36956628e965bc999bc6
2016-01-07 15:15:29 -08:00
dcashman
36f255ff52 Create sysfs_zram label.
Address following denials:
avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0
avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0
avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0

Bug: 22032619
Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 14:24:09 -08:00
Nick Kralevich
5beeb81e65 init.te: allow writing to /sys/kernel/debug/tracing/tracing_on
Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc

Also allow shell getattr access to the tracing file. That way
"ls -la" returns something meaningful.

Bug: 26217098
Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
2015-12-16 12:53:55 -08:00
Nick Kralevich
44826cb5e4 Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker
Add initial support for labeling files on /sys/kernel/debug.
The kernel support was added in https://android-review.googlesource.com/122130
but the userspace portion of the change was never completed until now.

Start labeling the file /sys/kernel/debug/tracing/trace_marker . This
is the trace_marker file, which is written to by almost all processes
in Android. Allow global write access to this file.

This change should be submitted at the same time as the system/core
commit with the same Change-Id as this patch.

Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-07 17:04:49 -08:00
Tom Cherry
949d7cbc29 Support fine grain read access control for properties
Properties are now broken up from a single /dev/__properties__ file into
multiple files, one per property label.  This commit provides the
mechanism to control read access to each of these files and therefore
sets of properties.

This allows full access for all domains to each of these new property
files to match the current permissions of /dev/__properties__.  Future
commits will restrict the access.

Bug: 21852512

Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
2015-12-03 14:06:10 -08:00
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Jeff Vander Stoep
483fd26735 Enforce no persistent logging on user builds
For userdebug and eng builds enforce that:

 - only logd and shell domains may access logd files

 - logd is only allowed to write to /data/misc/logd

Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
2015-09-21 17:04:00 -07:00
Nick Kralevich
4abd409af0 Relax neverallow rule for loading an updated SELinux policy.
Revert the neverallow change portion of
356df32778, in case others need to
do dynamic policy updates.

(cherrypicked from commit e827a8ab27)

Bug: 22885422
Bug: 8949824
Change-Id: If0745e7f83523377fd19082cfc6b33ef47ca0647
2015-08-24 15:24:56 -07:00
Nick Kralevich
6d0e9c8f4e init.te: delete kernel load policy support
Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

(cherrypicked from commit e827a8ab27)

Bug: 22885422
Bug: 8949824
Change-Id: I802cb61fd18a452a2bb71c02fe57cfce5b7e9dc8
2015-08-24 15:24:33 -07:00
Nick Kralevich
be98d9cff3 Add /data/local/tmp neverallow rules
Add a neverallow rule (compile time assertion) for /data/local/tmp
access. /data/local/tmp is intended entirely for the shell user, and
it's dangerous for other SELinux domains to access it. See, for example,
this commit from 2012:

  f3ef1271f2

Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe
2015-08-22 14:47:00 -07:00
Daniel Rosenberg
e244f2d355 Allow init to mount filesystems on properly labeled folders
Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
2015-07-27 15:37:25 -07:00
Nick Kralevich
f2c4e1283e neverallow service_manager / service_manager_type
Init never uses / add service manager services. It doesn't make
sense to allow these rules to init. Adding a rule of this type
is typically caused by a process inappropriately running in init's
SELinux domain, and the warning message:

  Warning!  Service %s needs a SELinux domain defined; please fix!

is ignored.

In addition, add neverallow rules to domain.te which prevent
nonsense SELinux service_manager rules from being added.

Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
2015-07-14 13:06:12 -07:00
Mark Salyzyn
0d22c6cec6 logd: logpersistd
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
  lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
  logpersistd (nee logcatd) agent, restrict access to run only in
  userdebug or eng

Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-06-02 13:56:01 -07:00
Paul Lawrence
f7163597f5 New ext4enc kernel switching from xattrs to ioctl
This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: I6ce4bc977a548df93ea5c09430f93eef5ee1f9fa
2015-04-29 15:44:46 -07:00
Paul Lawrence
13dec5fa5b Securely encrypt the master key
Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:28:16 -07:00
Paul Lawrence
3ee85ca6aa Revert "Securely encrypt the master key"
This reverts commit 5287d9a8e5.

Change-Id: I9ec0db0718da7088dc2b66f5b1749b8fb069575a
2015-04-28 19:16:22 +00:00
Paul Lawrence
5287d9a8e5 Securely encrypt the master key
This change removes the link, but moves key management to
vold, so we need to adjust permissions alternately.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/144586/
  https://android-review.googlesource.com/#/c/144663/
  https://android-review.googlesource.com/#/c/144672/
  https://android-review.googlesource.com/#/c/144673/

Bug: 18151196
Change-Id: I58d3200ae0837ccdf1b8d0d6717566a677974cf1
2015-04-27 20:04:10 +00:00
Nick Kralevich
e05487acc3 init.te: Don't allow mounting on top of /proc
Don't allow init to mount on top of /proc. See
https://android-review.googlesource.com/148295 for details.

Change-Id: I65f66b39f3a5bfb72facb9f716f4537ac2237af1
2015-04-25 15:54:11 -07:00
Elliott Hughes
5aac86dc06 Revert "Revert "SELinux policy changes for re-execing init.""
This reverts commit c450759e8e.

There was nothing wrong with this change originally --- the companion
change in init was broken.

Bug: http://b/19702273
Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 12:28:12 -07:00
Nick Kralevich
c450759e8e Revert "SELinux policy changes for re-execing init."
shamu isn't booting.

This reverts commit 46e832f562.

Change-Id: Ib697745a9a1618061bc72f8fddd7ee88c1ac5eca
2015-04-24 16:59:43 +00:00
Elliott Hughes
46e832f562 SELinux policy changes for re-execing init.
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
2015-04-23 17:12:18 -07:00
Jeff Sharkey
4423ecdb09 Directory for vold to store private data.
Creates new directory at /data/misc/vold for storing key material
on internal storage.  Only vold should have access to this label.

Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
2015-04-01 09:28:09 -07:00
Paul Lawrence
38af1da107 Adding e4crypt support
Add selinux rules to allow file level encryption to work

Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-27 14:47:30 -07:00
Sami Tolvanen
35f537c7ef Allow init to set up dm-verity
Allow init to

 1. Access device mapper to set up dm-verity devices

    avc:  denied  { write } for  pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0

 2. Access the metadata partition to load and store dm-verity state

    avc:  denied  { write } for  pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0

 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered
    by dm-verity

    avc:  denied  { getattr } for  pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0

These can be reproduced using the following steps:

 1. Add fs_mgr flag verify to the system partition in fstab

 2. Add a device specific init.rc handler for the init action that
    calls the built-in command verity_load_state.

Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-05 01:46:47 +00:00
Nick Kralevich
07e7348921 init: drop read_policy permission
As of https://android-review.googlesource.com/127858 ,
open(O_RDONLY) is no longer used for chmod. It's no
longer necessary to allow init to read the SELinux policy.

Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
2015-02-28 03:55:15 -08:00
Stephen Smalley
ed532c06d6 init: remove permissive_or_unconfined()
Bug: 19050686
Change-Id: Ie41c3e4d5aaeb43577ba85a4768a5fdbdd665efb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-27 19:14:27 -08:00
Nick Kralevich
543faccc62 allow init tmpfs:dir relabelfrom
When encrypting a device, or when an encrypted device boots,
a tmpfs is mounted in place of /data, so that a pseudo filesystem
exists to start system_server and related components. SELinux labels
need to be applied to that tmpfs /data so the system boots
properly.

Allow init to relabel a tmpfs /data.

Addresses the following denial:

[    6.294896] type=1400 audit(29413651.850:4): avc:  denied  { relabelfrom } for  pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Steps to reproduce:
  1) Go into Settings > Security > Encrypt Phone
  2) Encrypt phone
  3) See denial
  4) reboot phone
  5) See denial on boot

Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
2015-02-27 14:54:40 -08:00
Sami Tolvanen
9d87c647af Allow init to execute /sbin/slideshow
Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).

Needed by changes from
  I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d

Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
2015-02-26 17:23:29 +00:00
Nick Kralevich
5cf3994d8a Revert /proc/net related changes
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc82
and commit 99940d1af5

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:35:17 -08:00
Yongqin Liu
cc38e6d1a4 bootchart: add policy rules for bootchart
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2015-02-24 01:02:20 +08:00
Nick Kralevich
fcd86911d7 allow init fs_type:dir search
We allow chmod/chown of files / directories by init, but don't allow
init to search into subdirectories. Feels wrong.

Addresses the following denial:

  avc:  denied  { search } for  pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1

which results from the following init.rc statement:

  # pstore/ramoops previous console log
  mount pstore pstore /sys/fs/pstore
  chown system log /sys/fs/pstore/console-ramoops
  chmod 0440 /sys/fs/pstore/console-ramoops
  chown system log /sys/fs/pstore/pmsg-ramoops-0
  chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

Bug: 19050686
Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
2015-02-08 15:09:29 +00:00
Elliott Hughes
b00a037992 No one needs LD_PRELOAD from init any more.
Change-Id: I40a3d089a4a2325abcd1e12aa57b1fd97a1f7902
2015-02-06 23:40:42 -08:00
Nick Kralevich
99940d1af5 remove /proc/net read access from domain.te
SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
2015-01-14 22:18:24 +00:00
Nick Kralevich
30707a457d init.te: remove unactionable auditallow statements
Commit 0d08d4721a added two auditallow
statements. The intented purpose of the auditallow statement was:

  auditallow accesses by init to files
  and character devices left in the generic device type so we can monitor
  what is being left there, although it is not necessarily a problem unless
  the file or device should be accessible to others.

As currently written, the auditallow rules aren't actionable. It's not
a problem by itself for init to access a /dev file or chr_file.
Rather, we care about when other domains access such files.

Currently, this generates a number of (expected) audit statements on
boot, which causes unnecessary confusion and makes people believe
that something is broken.

Remove the unactionable auditallow statements.

Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426
2015-01-05 15:59:25 -08:00
Nick Kralevich
8809341cb0 init: allow rootfs symlink removal
On the Nexus 9, init.rc creates the /vendor -> /system/vendor
symlink, then a bit later removes the symlink, creates a
proper directory, and mounts /vendor on the directory.

The current permissive SELinux policy doesn't allow init to
remove the /vendor symlink, which eventually causes the following
errors:

  avc:  denied  { unlink } for  pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
  fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered

There was an attempt to reorder some of these operations so
we didn't have to create / delete the symlink, but it
doesn't seem to have gone well.
f67d6bd3c0

Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
2014-12-23 17:19:36 -08:00
Stephen Smalley
1c16abd340 Allow init to chown/chmod character devices.
init.rc files can potentially chown/chmod any character device, so
allow it for everything except for kmem (prohibited by neverallow).
While we could whitelist each of the device types, doing so would also
require device-specific changes for the device-specific types and
may be difficult to maintain.

Resolves (permissive) denials such as:
avc:  denied  { read } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { open } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { setattr } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { read } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { setattr } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-10 13:25:12 -05:00
Stephen Smalley
c457572bdf Allow init to restorecon /data directories on upgrades.
Resolves (permissive) denials on upgrades from 4.4.

Change-Id: Ia9eed4938a7235c23bb65de7ad65e6e7c325dfd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-30 16:55:27 -04:00
Stephen Smalley
a523aaca12 Switch kernel and init to permissive_or_unconfined().
Switch the kernel and init domains from unconfined_domain()
to permissive_or_unconfined() so that we can start collecting
and addressing denials in -userdebug/-eng builds.

Also begin to address denials for kernel and init seen after
making this switch.

I intentionally did not allow the following denials on hammerhead:
avc:  denied  { create } for  pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
avc:  denied  { open } for  pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

These occur when init.rc does:
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
because the prior command to mount the cgroup failed:
mount cgroup none /sys/fs/cgroup/memory memory

I think this is because that cgroup is not enabled in the
kernel configuration.  If the cgroup mount succeeded,
then this would have been a write to a cgroup:file and
would have been allowed already.

Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-29 15:35:35 -04:00
Stephen Smalley
0d08d4721a Remove -unconfineddomain from neverallow rules.
With the sepolicy-analyze neverallow checking, attribute
expansion is performed against the device policy and therefore
we do not want our neverallow rules to exempt domains from
consideration based on an attribute (e.g. -unconfineddomain).
Otherwise, device policy could pass the neverallow check just
by adding more domains to unconfineddomain.  We could of course
add a CTS test to check the list of unconfineddomains against
a whitelist, but it seems desirable regardless to narrow these
neverallow rules to only the specific domains required.

There are three such neverallow rules in current policy: one
on creating unlabeled files, one on accessing /dev/hw_random, and
one on accessing a character device without a specific type.  The
only domain in unconfineddomain that appears to have a legitimate
need for any of these permissions is the init domain.  Replace
-unconfineddomain with -init in these neverallow rules, exclude these
permissions from unconfineddomain, and add these permissions to init if
not already explicitly allowed.  auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.

Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 13:32:41 -04:00
Nick Kralevich
beb279c7ea allow init swapon()
swapon(2) requires write access to the underlying block device.
Allow it.

Addresses the following denial:

   avc:  denied  { write } for  pid=1 comm="init" name="zram0" dev="tmpfs" ino=6267 scontext=u:r:init:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0

Change-Id: Id1a4f51038d0b6ce7351294698a0ff146d6e4643
2014-10-20 11:52:19 -07:00
Stephen Smalley
8a0c25efb0 Do not allow init to execute anything without changing domains.
Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-28 03:23:27 +00:00
Stephen Smalley
018e9402c6 Prohibit reading of untrusted symlinks via neverallow.
Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-02 17:05:44 -04:00
Stephen Smalley
32915658aa Allow init to restorecon sysfs files.
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission.   Required for:
https://android-review.googlesource.com/#/c/101800/

Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-17 14:58:50 -04:00
Nick Kralevich
8a5b28d259 lmkd: avoid locking libsigchain into memory
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
2014-07-17 02:05:55 +00:00
Nick Kralevich
a7c04dcd74 Remove domain:process from unconfined
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-10 13:54:20 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Nick Kralevich
0db95cce33 unconfined: remove internet access
Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.

In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.

Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.

Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-23 11:28:30 -07:00
Stephen Smalley
c626a882f5 Allow init to relabel rootfs files.
This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.

Addresses denials such as:
  avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.

Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 09:17:51 -04:00
Stephen Smalley
f3c3a1aa33 Remove execute_no_trans from unconfineddomain.
execute_no_trans controls whether a domain can execve a program
without switching to another domain.  Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon).  Prohibit it otherwise for the
kernel domain via neverallow.  This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 22:38:28 +00:00