Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.
healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.
Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/
init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file. Hence,
the setenforce permission is checked while still running in the
kernel domain. Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later. We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.
Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The build is broken. Reverting temporarily to fix breakage.
libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....
This reverts commit bf12e22514.
Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/
init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file. Hence,
the setenforce permission is checked while still running in the
kernel domain. Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later. We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.
Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.
The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.
Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space
-rw------- root root u:object_r:usermodehelper:s0 bset
-rw------- root root u:object_r:usermodehelper:s0 inheritable
Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.
Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.
Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.
To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.
Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.
Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
