Commit graph

11 commits

Author SHA1 Message Date
Jeff Vander Stoep
d22987b4da Create attribute for moving perms out of domain
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.

Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 23:11:11 +00:00
Stephen Smalley
08461cb039 Allow netd-spawned domains to use inherited netd unix_dgram_socket.
Resolves denials such as:
 avc:  denied  { read write } for  pid=4346 comm="hostapd" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:hostapd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket
 avc:  denied  { read write } for  pid=4348 comm="dnsmasq" path="socket:[7874]" dev="sockfs" ino=7874 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket

Change-Id: Ie82f39c32c6e04bc9ef1369ca787cf80b3b4141c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-18 10:46:48 -04:00
Stephen Smalley
e3d0e655e8 Make hostapd enforcing.
Change-Id: Ica367f34156a7a460e3663589a29743c4a9e955c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-14 08:41:03 -04:00
Stephen Smalley
5f8d9f85b0 Label /data/misc/wifi/hostapd with wpa_socket type.
hostapd creates sockets under /data/misc/wifi/hostapd.
Ensure that they are labeled correctly both at runtime
(type_transition) and during the init.rc restorecon_recursive /data
(file_contexts).

Addresses denials such as:
 avc:  denied  { create } for  pid=20476 comm="hostapd" name="wlan0" scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { setattr } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file
 avc:  denied  { unlink } for  pid=20476 comm="hostapd" name="wlan0" dev="mmcblk0p23" ino=619005 scontext=u:r:hostapd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=sock_file

Change-Id: I80a443faeb6017a9d6cbdb8da9d7416f29a7b85f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-12 15:09:17 -04:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Stephen Smalley
7ade68d797 Ensure that /data/misc/wifi/sockets is always labeled wpa_socket.
It appears that wpa_supplicant tries to rmdir /data/misc/wifi/sockets
and re-create it at times, so make sure that it remains labeled correctly
when re-created in this manner via a name-based type transition rule.
Do the same for hostapd as it also has permissions for creating/removing
this directory.

<5>[83921.800071] type=1400 audit(1392997522.105:26): avc:  denied  { rmdir } for  pid=3055 comm="wpa_supplicant" name="sockets" dev="mmcblk0p28" ino=618957 scontext=u:r:wpa:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir

We no longer need the type_transition for sock_file as it will inherit
the type from the parent directory which is set via restorecon_recursive
/data/misc/wifi/sockets or via type_transition, so drop it.

Change-Id: Iffa61c426783eb03205ba6964c624c6ecea32630
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 11:34:53 -05:00
Stephen Smalley
f20673712b Update hostapd domain for /data/misc/wifi/sockets label change.
Change I9e35cc93abf89ce3594860aa3193f84a3b42ea6e changed the type
on /data/misc/wifi/sockets to wpa_socket and change
I51b09c5e40946673a38732ea9f601b2d047d3b62 fixed the type on existing
devices.  Consequently hostapd now needs access to wpa_socket dir
and sock_file.

Change-Id: I58f552b3cd55821f57e6ef33ebe6bb8587e7b3fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 10:50:07 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Stephen Smalley
945fb56766 Confine hostapd, but leave it permissive for now.
Change-Id: I23a2c568e9fdd51c6c09c6c80a7ce9f2b5bd4966
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-11-18 11:25:10 -08:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
Nick Kralevich
dbd28d91d3 Enable SELinux protections for netd.
This change does several things:

1) Restore domain.te to the version present at
cd516a3266 . This is the version
currently being distributed in AOSP.

2) Add "allow domain properties_device:file r_file_perms;" to
domain.te, to allow all domains to read /dev/__properties__ .
This change was missing from AOSP.

3) Restore netd.te to the version present at
80c9ba5267 . This is the version
currently being distributed in AOSP.

4) Remove anything involving module loading from netd.te. CTS
enforces that Android kernels can't have module loading enabled.

5) Add several new capabilities, plus data file rules, to
netd.te, since netd needs to write to files owned by wifi.

6) Add a new unconfined domain called dnsmasq.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the dnsmasq.te domain.

7) Add a new unconfined domain called hostapd.te, and allow
transitions from netd to that domain. Over time, we'll tighten up
the hostapd.te domain.

The net effect of these changes is to re-enable SELinux protections
for netd. The policy is FAR from perfect, and allows a lot of wiggle
room, but we can improve it over time.

Testing: as much as possible, I've exercised networking related
functionality, including turning on and off wifi, entering airplane
mode, and enabling tethering and portable wifi hotspots. It's quite
possible I've missed something, and if we experience problems, I
can roll back this change.

Bug: 9618347
Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-28 08:24:30 -07:00