Commit graph

17 commits

Author SHA1 Message Date
Nick Kralevich
44cb98a764 Revert "Do not allow isolated_app to directly open app data files."
This is causing the version of Chrome in Android's tree to crash. The
version of Chrome in Android's tree does not have the following patch:
https://codereview.chromium.org/630123003

Until Chrome updates the version in Android's tree, we need to revert.

Works around the following denials:

audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

This reverts commit 669a977303.

Bug: 18006219
Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
2014-10-17 18:30:18 +00:00
Stephen Smalley
669a977303 Do not allow isolated_app to directly open app data files.
Only allow it to read/write/stat already open app data files
received via Binder or local socket IPC.

Change-Id: I3c096607a74fd0f360d41f3e6f06535ca00c58ec
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-06 23:31:18 +00:00
Stephen Smalley
59bc00ab89 Remove net_domain() from isolated_app.
isolated_app performs no direct network socket communication, so
we can remove net_domain() from it.

Change-Id: I112aa4140fd577a5ea28f7a3d62567ebabcdb48d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-03 11:50:29 -04:00
Nick Kralevich
94f9ff8750 isolated_app: remove app_data_file execute
In commit ad891591e6, we allowed
isolated processes to execute files from /data/data/APPNAME.

I'm pretty sure all the necessary linker changes have been made
so that this functionality isn't required anymore. Remove the
allow rule.

This is essentially a revert of ad891591e6.

Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816
2014-10-01 16:03:27 -07:00
Robert Sesek
7f4a8a7291 isolated_app: Do not allow access to the gpu_device.
Bug: 17471434
Change-Id: I6fd1079be29a454f46ab84f0c43fcf816e679c98
2014-09-11 15:42:15 -04:00
Riley Spahn
603bc20509 Further refined service_manager auditallow statements.
Further refined auditallow statements associated with
service_manager and added dumpstate to the
service_manager_local_audit_domain.

Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
2014-07-18 09:24:13 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Nick Kralevich
ad891591e6 isolated_app: allow app_data_file execute
Chrome renderer processes dlopen() a shared library from
gmscore. Open and read on app data file is already allowed,
but execute isn't, so the dlopen() fails. This is a regression
from K, where the dlopen succeeded.

Longer term, there's questions about whether this is appropriate
behavior for an isolated app. For now, allow the behavior.
See the discussion in b/15902433 for details.

Addresses the following denial:

  I/auditd  ( 5087): type=1400 audit(0.0:76): avc:  denied  { execute } for  comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678
2014-06-27 15:27:24 -07:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
85708ec4f9 Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00
Stephen Smalley
38b8fc8f13 Remove legacy rules from dumpstate in init domain.
From the commit that added these rules, this appears to have been
an artifact of having dumpstate running in the init domain.

Change-Id: Iec2b9c3f5673d0e2cce9a0bf297e23555c423e87
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 15:42:27 -05:00
Stephen Smalley
08ecc02821 Make the isolated_app domain enforcing.
Change-Id: I11be7d1713dd7cb35b8046503a09e42567e53d86
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 08:54:31 -05:00
Stephen Smalley
5b00f22349 Remove duplicated rules between appdomain and isolated_app.
r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.

Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 12:48:10 -04:00
Geremy Condra
217f8afc18 Fix more long-tail denials.
For additional context-

The denials related to init_tmpfs are of the form:

denied  { read } for  pid=12315 comm=""dboxed_process0"" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=""tmpfs"" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

(the path above is "/dev/ashmem/dalvik-heap (deleted)")

The denials related to executing things from the dalvik cache are of the form:

enied  { execute } for  pid=3565 comm=""dboxed_process0"" path=""/data/dalvik-cache/system@app@Chrome.apk@classes.dex"" dev=""mmcblk0p28"" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

The denials related to isolated_app and the init socket are:

denied  { getattr } for  pid=3824 comm=""Binder_2"" path=""socket:[14059]"" dev=""sockfs"" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

The getopt denials for the aforementioned socket are:

denied  { getopt } for  pid=3824 comm=""Binder_2"" path=""/dev/socket/dumpstate"" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49
2013-09-05 16:45:04 -07:00
Nick Kralevich
24617fc3b8 Move isolated_app.te / untrusted_app.te into permissive
OTAs aren't properly labeling /system, which is causing SELinux
breakage. Temporarily put isolated_app.te and untrusted_app.te
into permissive.

Bug: 9878561
Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c
2013-07-16 11:34:08 -07:00
Nick Kralevich
6634a1080e untrusted_app.te / isolated_app.te / app.te first pass
This is my first attempt at creating an enforcing SELinux domain for
apps, untrusted_apps, and isolated_apps. Much of these rules are based on the
contents of app.te as of commit 11153ef349
with extensive modifications, some of which are included below.

* Allow communication with netd/dnsproxyd, to allow netd to handle
  dns requests
* Allow binder communications with the DNS server
* Allow binder communications with surfaceflinger
* Allow an app to bind to tcp/udp ports
* Allow all domains to read files from the root partition, assuming
  the DAC allows access.

In addition, I added a bunch of "neverallow" rules, to assert that
certain capabilities are never added.

This change has a high probability of breaking someone, somewhere.
If it does, then I'm happy to fix the breakage, rollback this change,
or put untrusted_app into permissive mode.

Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
2013-07-13 18:46:03 -07:00
Nick Kralevich
748fdef626 Move *_app into their own file
app.te covers a lot of different apps types (platform_app, media_app,
shared_app, release_app, isolated_app, and untrusted_app), all
of which are going to have slightly different security policies.

Separate the different domains from app.te. Over time, these
files are likely to grow substantially, and mixing different domain types
is a recipe for confusion and mistakes.

No functional change.

Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f
2013-07-12 18:18:41 -07:00