Commit graph

27 commits

Author SHA1 Message Date
Stephen Smalley
721f1adf53 Allow drmserver and mediaserver to read apk files.
Required to support passing resources via open apk files over Binder.
Resolves denials such as:
 avc:  denied  { read } for  pid=31457 comm="SoundPoolThread" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:mediaserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file
 avc:  denied  { read } for  pid=31439 comm="Binder_2" path="/mnt/asec/au.com.shiftyjelly.pocketcasts-1/pkg.apk" dev="dm-10" ino=12 scontext=u:r:drmserver:s0 tcontext=u:object_r:asec_apk_file:s0 tclass=file

We do not allow open as it is not required (i.e. the files
are passed as open files over Binder or local socket and opened by the
client).

Change-Id: Ib0941df1e9aac8d20621a356d2d212b98471abbc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-15 02:42:55 +00:00
Stephen Smalley
dc88dca115 Get rid of separate platform_app_data_file type.
The original concept was to allow separation between /data/data/<pkgdir>
files of "platform" apps (signed by one of the four build keys) and
untrusted apps.  But we had to allow read/write to support passing of
open files via Binder or local socket for compatibilty, and it seems
that direct open by pathname is in fact used in Android as well,
only passing the pathname via Binder or local socket.  So there is no
real benefit to keeping it as a separate type.

Retain a type alias for platform_app_data_file to app_data_file until
restorecon /data/data support is in place to provide compatibility.

Change-Id: Ic15066f48765322ad40500b2ba2801bb3ced5489
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-13 13:02:06 +00:00
Stephen Smalley
1601132086 Clean up socket rules.
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 12:41:23 -05:00
Robert Craig
48b18832c4 Introduce asec_public_file type.
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-11 17:08:10 +00:00
Nick Kralevich
1a1ad959ae Revert "Move tlcd_sock policy over to manta."
This doesn't compile on non-manta devices because of a
missing drmserver_socket declaration.

external/sepolicy/mediaserver.te":68:ERROR 'unknown type drmserver_socket' at token ';' on line 6764:
#line 68
allow mediaserver drmserver_socket:sock_file write;
checkpolicy:  error(s) encountered while parsing configuration
make: *** [out/target/product/flo/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....

This reverts commit 8cd400d3c4.

Change-Id: Ib8f07b57008b9ed1165b945057502779e806f0f8
2014-02-04 21:49:01 +00:00
Stephen Smalley
8cd400d3c4 Move tlcd_sock policy over to manta.
Change-Id: I7d5a5f964133177e7d466b9759fcf6300fec345d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-04 19:32:39 +00:00
Nick Kralevich
7cbe44f244 drmserver: allow looking in efs_file directories
We can read any efs_files, but can't look in the directory
containing them. Allow it.

Without this patch, high resolution movie playback is broken.

Addresses the following denial:

[  276.780046] type=1400 audit(1391105234.431:5): avc:  denied  { search } for  pid=125 comm="drmserver" name="/" dev="mmcblk0p1" ino=2 scontext=u:r:drmserver:s0 tcontext=u:object_r:efs_file:s0 tclass=dir

Bug: 12819852

Change-Id: Ie9d13a224cef5e229de1bdb78d605841ed387a21
2014-01-31 13:22:40 -08:00
Nick Kralevich
5eca63f14d Make drmserver enforcing.
Change-Id: I7c1d2fc7b4d5a962f872d5f032b6d9e31efe7a24
2014-01-25 00:10:03 +00:00
Stephen Smalley
e11935d9e3 Allow drmserver to unlink old socket file.
Change-Id: I35728c4f058fa9aeb51a7960395759590e20b083
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-16 08:40:40 -05:00
Nick Kralevich
623975fa5a Support forcing permissive domains to unconfined.
Permissive domains are only intended for development.
When a device launches, we want to ensure that all
permissive domains are in, at a minimum, unconfined+enforcing.

Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During
development, this flag is false, and permissive domains
are allowed. When SELinux new feature development has been
frozen immediately before release, this flag will be flipped
to true. Any previously permissive domains will move into
unconfined+enforcing.

This will ensure that all SELinux domains have at least a
minimal level of protection.

Unconditionally enable this flag for all user builds.

Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858
2014-01-11 13:29:51 -08:00
Nick Kralevich
37339c763e fix mediaserver selinux denials.
mediaserver needs the ability to read media_rw_data_file files.
Allow it. Similarly, this is also needed for drmserver. Addresses
the following denials:

<5>[   22.812859] type=1400 audit(1389041093.955:17): avc:  denied  { read } for  pid=1655 comm="MediaScannerSer" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.813103] type=1400 audit(1389041093.955:18): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   22.832041] type=1400 audit(1389041093.975:19): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124115.mp4" dev="mmcblk0p28" ino=122204 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357470] type=1400 audit(1389041123.494:29): avc:  denied  { read } for  pid=2757 comm="ImageLoader" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.357717] type=1400 audit(1389041123.494:30): avc:  denied  { getattr } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:mediaserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file
<5>[   52.382276] type=1400 audit(1389041123.524:31): avc:  denied  { read } for  pid=849 comm="Binder_2" path="/data/media/0/DCIM/Camera/VID_20140106_124520.mp4" dev="mmcblk0p28" ino=122211 scontext=u:r:drmserver:s0 tcontext=u:object_r:media_rw_data_file:s0 tclass=file

Allow anyone who has access to video_device:chr_file to also
have read access to video_device:dir. Otherwise, the
chracter devices may not be reachable.

Bug: 12416198
Change-Id: I649cd52ec7f1a25afb3aea479482e3f270bfe074
2014-01-06 12:43:47 -08:00
Stephen Smalley
3b2684887e Confine drmserver, but leave it permissive for now.
Change-Id: I8f344dda3ab9766b4a72c404061f242e054129cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-29 14:46:08 -04:00
Nick Kralevich
353c72e3b0 Move unconfined domains out of permissive mode.
This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245
2013-10-21 12:52:03 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
repo sync
50e37b93ac Move domains into per-domain permissive mode.
Bug: 4070557
Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1
2013-05-14 21:36:32 -07:00
Geremy Condra
d381b97e13 Give the drmserver the ability to connect to the tee.
Bug: 8539042
Change-Id: I6a9c3247688f49bed4a1637c728e77c2e865afd2
2013-04-05 13:13:34 -07:00
Geremy Condra
207c709e3a Allow drmserver to interact with apk_data_file sock_files.
Bug: 8539042
Change-Id: I255930759ce0612f6ec9b931bfe545342ef808fc
2013-04-05 13:13:26 -07:00
Geremy Condra
03d436a473 Give drmserver the ability to interact with apk_data_file dirs.
Bug: 8539042
Change-Id: I87165fd83b1abef9eb7bf4c403714150aaefed6e
2013-04-05 13:13:16 -07:00
Geremy Condra
8ee49795e3 Allow drmserver to read the wv keys.
Bug: 8539042
Change-Id: I31e7a3ae6ba783b78c3b38756966950a20f2f2aa
2013-04-05 13:13:05 -07:00
Geremy Condra
e69552ba2d Revert "Revert "Various minor policy fixes based on CTS.""
This reverts commit ba84bf1dec

Hidden dependency resolved.

Change-Id: I9f0844f643abfda8405db2c722a36c847882c392
2013-03-27 20:34:51 +00:00
Geremy Condra
ba84bf1dec Revert "Various minor policy fixes based on CTS."
This reverts commit 8a814a7604

Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
2013-03-22 21:41:37 +00:00
Stephen Smalley
8a814a7604 Various minor policy fixes based on CTS.
Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-22 15:27:02 -04:00
William Roberts
c195ec3148 Split internal and external sdcards
Two new types are introduced:
sdcard_internal
sdcard_external

The existing type of sdcard, is dropped and a new attribute
sdcard_type is introduced.

The boolean app_sdcard_rw has also been changed to allow for
controlling untrusted_app domain to use the internal and external
sdcards.

Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
2013-03-22 15:26:39 -04:00
rpcraig
e07b8a56b9 Trusted Execution Environment policy. 2012-08-13 06:09:39 -04:00
rpcraig
abd977a79e Additions for grouper/JB 2012-08-10 06:25:52 -04:00
Stephen Smalley
c83d0087e4 Policy changes to support running the latest CTS. 2012-03-07 14:59:01 -05:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00