Commit graph

9 commits

Author SHA1 Message Date
Riley Spahn
1196d2a576 Adding policies for KeyStore MAC.
Add keystore_key class and an action for each action supported
by keystore. Add policies that replicate the access control that
already exists in keystore. Add auditallow rules for actions
not known to be used frequently. Add macro for those domains
wishing to access keystore.

Change-Id: Iddd8672b9e9b72b45ee208e6eda608cc9dc61edc
2014-06-26 08:53:10 -07:00
Stephen Smalley
ffdcb2eab9 Make racoon enforcing.
Change-Id: Id585191e1077c3a2d0e0a6a51e0dd98c48ea0291
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 14:40:07 -04:00
Stephen Smalley
28afdd9234 Deduplicate binder_call rules.
A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-03 22:42:52 +00:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Stephen Smalley
97f7c82703 Make racoon permissive or unconfined.
Also add allow rules from our policy.

Change-Id: Id480eb7c8cd4e5544a1ec46cb39a55abc653ddb9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 10:09:10 -05:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
Robert Craig
18b5f87ea1 racoon policy.
Initial policy for racoon (IKE key management).

Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Change-Id: If1e344f39ea914e42afbaa021b272ba1b7113479
2013-03-22 17:09:26 -07:00