Commit graph

31 commits

Author SHA1 Message Date
Robin Lee
5871d1bc18 resolved conflicts for merge of 51bfecf4 to lmp-dev-plus-aosp
Change-Id: I8ea400354e33a01d3223b4efced6db76ba00aed6
2014-10-15 23:11:59 +01:00
Robin Lee
51bfecf49d Pull keychain-data policy out of system-data
Migrators should be allowed to write to /data/misc/keychain in order
to remove it. Similarly /data/misc/user should be writable by system
apps.

TODO: Revoke zygote's rights to read from /data/misc/keychain on
behalf of some preloaded security classes.

Bug: 17811821
Change-Id: I9e9c6883cff1dca3755732225404909c16a0e547
2014-10-15 18:02:03 +00:00
Brian Carlstrom
09eae90890 Remove system_server create access from /data/dalvik-cache
Bug: 16875245

(cherry picked from commit 372d0df796)

Change-Id: I38fa14226ab94df2029ca60d3c8898f46c1824c7
2014-08-28 21:36:27 -07:00
Brian Carlstrom
372d0df796 Remove system_server create access from /data/dalvik-cache
Bug: 16875245
Change-Id: I2487a80896a4a923fb1fa606f537df9f6ad4220a
2014-08-28 21:15:38 -07:00
Riley Spahn
bf69632724 DO NOT MERGE: Remove service_manager audit_allows.
Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9
2014-07-18 19:58:27 +00:00
Riley Spahn
14aa7c0608 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

(cherry picked from commit 88157ea347)

Change-Id: I25354db2add3135335c80be2c2d350e526137572
2014-07-17 16:30:26 -07:00
Riley Spahn
88157ea347 Refine service_manager find auditallow statements.
Add adbd as a service_manager_local_audit_domain and negate
surfaceflinger_service in its auditallow. Negate keystore_service
and radio_service in the system_app auditallow.

Change-Id: I05ea2a3e853b692f151182202f1b30786b44f1fb
2014-07-17 21:33:33 +00:00
Riley Spahn
344fc109e9 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

(cherry picked from commit b8511e0d98)

Change-Id: I980d4a8acf6a0c6e99a3a7905961eb5564b1be15
2014-07-15 10:09:52 -07:00
Riley Spahn
b8511e0d98 Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.

Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
2014-07-14 11:09:27 -07:00
Riley Spahn
596bcc7687 Remove keystore auditallow statements from system.
Remove the auditallow statements related to keystore
in system_app and system_server.

Change-Id: I1fc25ff475299ee020ea19f9b6b5811f8fd17c28
2014-07-01 18:25:02 +00:00
Riley Spahn
b1ec3dfacd Add imms service and system_app_service type.
Map imms to system_app_service in service_contexts and add
the system_app_service type and allow system_app to add the
system_app_service.

Bug: 16005467
Change-Id: I06ca75e2602f083297ed44960767df2e78991140
2014-07-01 16:17:59 +00:00
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Mark Salyzyn
9e7bbf61de selinux: logd Development settings
- logd Development Settings failed to access persist.logd.size

Change-Id: I0732b44fcbffbf3c187bcb23df2db807fa3e8fde
2014-06-12 13:08:13 -07:00
Stephen Smalley
d159122481 Make system_app enforcing.
Change-Id: I9c3ff0a79d947a14084638772451d06298c43e47
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-09 05:27:11 +00:00
Stephen Smalley
f1ea707a3d Restore system_app access to system-owned /data directories.
System UID apps want to be able to create/write to system-owned
/data directories outside of their own /data/data package directory,
such as /data/system/cache and /data/misc/keychain.  Restore access
(which was removed by Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea when
system_app_data_file was introduced for the /data/data package
directories of system UID apps), but audit writes to system_data_file
so we can look at introducing separate types for these directories in
the future and ultimately remove access to the rest of the system-owned
data.

Change-Id: I573f120f23f2dd2d228aa738b31ad2cb3044ec6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 14:32:28 -04:00
Mark Salyzyn
c52d738834 Allow Developer settings to change runtime size of logd
- permit logd control from system_app

Bug: 14563261
Change-Id: Id5992cca70647a0e4b913a793c6ba8334dc57963
2014-05-12 10:14:19 -07:00
Stephen Smalley
91a4f8d4fd Label app data directories for system UID apps with a different type.
We were using system_data_file for the /data/data directories of
system UID apps to match the DAC ownership of system UID shared with
other system files.  However, we are seeing cases where files created
in these directories must be writable by other apps, and we would like
to avoid allowing write to system data files outside of these directories.
So introduce a separate system_app_data_file type and assign it.
This should also help protect against arbitrary writes by system UID
apps to other system data directories.

This resolves the following denial when cropping or taking a user photo
for secondary users:
avc:  denied  { write } for  path="/data/data/com.android.settings/cache/TakeEditUserPhoto2.jpg" dev="mmcblk0p28" ino=82120 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

avc:  denied  { write } for path="/data/data/com.android.settings/cache/CropEditUserPhoto.jpg" dev="mmcblk0p30" ino=602905 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Bug: 14604553
Change-Id: Ifa10e3283b07f6bd6ecc16eceeb663edfd756cea
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-07 18:04:51 +00:00
Stephen Smalley
1c0c010261 Allow system_app to start bugreport and to create /data/anr/traces.txt.
Resolves denials such as:

avc:  denied  { set } for property =ctl.bugreport scontext=u:r:system_app:s0 tcontext=u:object_r:ctl_default_prop:s0 tclass=property_service

avc:  denied  { write } for  pid=4415 comm=5369676E616C2043617463686572 name="anr" dev="dm-0" ino=358337 scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { add_name } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=dir

avc:  denied  { create } for  pid=4415 comm=5369676E616C2043617463686572 name="traces.txt" scontext=u:r:system_app:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file

Change-Id: I71d0ede049136d72f28bdc85d52fcefa2f7d128f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-11 12:12:14 +00:00
Stephen Smalley
b0db712bf0 Clean up, unify, and deduplicate app domain rules.
Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-07 15:47:33 -05:00
Stephen Smalley
28afdd9234 Deduplicate binder_call rules.
A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-03 22:42:52 +00:00
Stephen Smalley
2c347e0a36 Drop obsolete keystore_socket type and rules.
Change I6dacdc43bcc1a56e47655e37e825ee6a205eb56b switched
the keystore to using binder instead of a socket, so this
socket type and rules have been unused for a while.  The type
was only ever assigned to a /dev/socket socket file (tmpfs) so
there is no issue with removing the type (no persistent files
will have this xattr value).

Change-Id: Id584233c58f6276774c3432ea76878aca28d6280
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 19:07:03 +00:00
Stephen Smalley
85708ec4f9 Resolve overlapping rules between app.te and net.te.
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00
Robert Craig
48b18832c4 Introduce asec_public_file type.
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-11 17:08:10 +00:00
Nick Kralevich
2e7a301fad Address bug report denials.
Triggering a bug report via
Settings > Developer Options > Take bug report
generates a number of denials.

Two bugs here:

1) According to the "allowed" list in
frameworks/native/cmds/servicemanager/service_manager.c ,
media apps, nfc, radio, and apps with system/root UIDs can register
as a binder service. However, they were not placed into the
binder_service domain. Fix them.

2) The bugreport mechanism queries all the services and java
programs and asks them to write to a shell owned file. Grant the
corresponding SELinux capability.

Addresses the following denials:

<5>[  149.342181] type=1400 audit(1389419775.872:17): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:keystore:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.371844] type=1400 audit(1389419775.902:18): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:healthd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  149.980161] type=1400 audit(1389419776.512:22): avc:  denied  { write } for  pid=4023 comm="dumpsys" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:drmserver:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.095066] type=1400 audit(1389419776.622:23): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.096748] type=1400 audit(1389419776.632:24): avc:  denied  { getattr } for  pid=3178 comm="Binder_3" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:system_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  150.097090] type=1400 audit(1389419776.632:25): avc:  denied  { write } for  pid=1514 comm="Binder_C" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  154.545583] type=1400 audit(1389419781.072:43): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:media_app:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.000877] type=1400 audit(1389419782.532:44): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.022567] type=1400 audit(1389419782.552:45): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.043463] type=1400 audit(1389419782.572:46): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:nfc:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
<5>[  156.062550] type=1400 audit(1389419782.592:47): avc:  denied  { write } for  pid=1423 comm="Binder_A" path="/data/data/com.android.shell/files/bugreports/bugreport-2014-01-10-21-55-46.txt.tmp" dev="mmcblk0p28" ino=82094 scontext=u:r:radio:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Change-Id: I365d530c38ce176617e48b620c05c4aae01324d3
2014-01-21 12:34:38 -08:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Nick Kralevich
3e78000e38 Allow system_app to set properties
Settings > Developer Options > Profile GPU Rendering was broken,
as it couldn't set a debug.* system property.

In addition, system_app wasn't allowed to access init's property_service socket.

Both fixed.

In addition, allow system_app to write to radio_prop.

Fixes the following denials:

<5>[  170.769658] type=1400 audit(1386722177.029:57): avc:  denied  { write } for  pid=4142 comm="ndroid.settings" name="property_service" dev="tmpfs" ino=7457 scontext=u:r:system_app:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
<4>[  170.770064] avc:  denied  { set } for property=debug.hwui.overdraw scontext=u:r:system_app:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<3>[  170.770148] init: sys_prop: permission denied uid:1000  name:debug.hwui.overdraw

Bug: 12037026
Change-Id: I5e879ab339e68e9e4715266fc8a698ab6ad5756e
2013-12-11 08:56:10 -08:00
Nick Kralevich
dd1ec6d557 Give system_server / system_app ability to write some properties
Allow writing to persist.sys and debug.

This addresses the following denials (which are actually being enforced):

<4>[  131.700473] avc:  denied  { set } for property=debug.force_rtl scontext=u:r:system_server:s0 tcontext=u:object_r:shell_prop:s0 tclass=property_service
<3>[  131.700625] init: sys_prop: permission denied uid:1000  name:debug.force_rtl
<4>[  132.630062] avc:  denied  { set } for property=persist.sys.dalvik.vm.lib scontext=u:r:system_app:s0 tcontext=u:object_r:system_prop:s0 tclass=property_service
<3>[  132.630184] init: sys_prop: permission denied uid:1000  name:persist.sys.dalvik.vm.lib

Change-Id: I5d114c0d963bf393f49f1bf13d1ed84137fbcca6
2013-11-01 10:45:03 -07:00
Stephen Smalley
5637099a25 Confine all app domains, but make them permissive for now.
As has already been done for untrusted_app, isolated_app,
and bluetooth, make all the other domains used for app
processes confined while making them permissive until sufficient
testing has been done.

Change-Id: If55fe7af196636c49d10fc18be2f44669e2626c5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 13:12:55 -04:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
Stephen Smalley
8840fa7f85 Split system_app from system.
system_app is for apps that run in the system UID, e.g. Settings.
system is for the system_server.
Split them into separate files and note their purpose in the comment
header of each file.

Change-Id: I19369abc728ba2159fd50ae6b230828857e19f10
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-13 15:09:11 -07:00