Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.
Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.
Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.
Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
Currently, recovery is allowed write access to the following three
file labels:
* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)
system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.
The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.
The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.
Allow unlabeled symbolic link modifications.
(cherrypicked from commit 683ac49d9d)
Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.
Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
Support opening the ffs-based interface for adbd in recovery. (Copied
from adbd.te.)
Bug: 16183878
Change-Id: Ib80e5b910d9ad4252cb80e7ce2f85e478cd94816
Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.
The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.
Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.
Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
adb sideload depends on the ability to access the fuse
directory. Flipping recovery into enforcing started triggering
the following denial:
type=1400 audit(17964905.699:7): avc: denied { search } for pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir
Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59
Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.
Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.
Addresses the following denials:
avc: denied { relabelto } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
avc: denied { setattr } for pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.
Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.
Remove the ability to set properties from unconfineddomain.
Allow init to set any property. Allow recovery to set ctl_default_prop
to restart adbd.
Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
execute_no_trans controls whether a domain can execve a program
without switching to another domain. Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon). Prohibit it otherwise for the
kernel domain via neverallow. This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.
Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time. The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).
Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow. This ensures that the no write to /system
restriction cannot be bypassed via context= mount.
Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
single quotes make the m4 parser think it's at the end of
a block, and generates the following compile time warning:
external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720:
Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
Better refine the rules surrounding the recovery SELinux
domain, and get rid of dmesg log spam.
Recovery is still in permissive_or_unconfined(), so no expected
change in behavior.
Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
Switch from using unconfined_domain() to permissive_or_unconfined().
For user builds, or builds with FORCE_PERMISSIVE_TO_UNCONFINED=true,
this is a no-op. For userdebug / eng builds, this will allow us to
collect denials from /proc/last_kmsg.
Change-Id: I41e1a206b2a3b0eee34539bfebfc5deee9e18a42
Create a separate recovery policy and only include the
recovery domain allow rules in it.
Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Narrow the relabelto rules to a more specific type set
for each domain.
Drop mount permissions from the kernel domain since mounting
occurs after switching to the init domain. This was likely
a residual of when all processes were left in the kernel domain
on a recovery boot due to the missing setcon statement in the
recovery init.rc.
Be consistent with unlabeled filesystems (i.e. filesystems
without any matching fs_use or genfs_contexts entry) so
that we can also unmount them.
Add comments to note the reason for various rules.
Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.
Allow recovery to write to /system. This is needed to apply OTA
images.
Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We added these rules to the recovery domain when we removed them
from unconfined to ensure that we did not break anything. But we
have seen no uses of these rules by the recovery domain. Tested
wiping userdata and cache from the recovery and performing an
adb sideload of an ota zip file.
Change-Id: I261cb1124130f73e98b87f3e5a31d6d7f521ff11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.
Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module. It can be added back where appropriate in device
policy if using a modular kernel. No neverallow since it is device
specific.
Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.
Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files. That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.
CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed. CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.
Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.
Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Requires execmem and ashmem_device:chr_file execute similar to bootanim
presumably for the display.
Did not see any cache_file execute denials and do not see any
exec of /cache files in the code, only reading/interpreting scripts,
so I removed cache_file rx_file_perms.
Did not see any tmpfs execute denials in /proc/last_kmsg but the
source code appears to extract the update-binary to a tmpfs mount
in /tmp and then exec it. So I retained that rule.
Tested with adb sideload.
Change-Id: I8ca5f2cd390be1adf063f16e6280cc4cd1833c0e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Define a domain for use by the recovery init.rc file for
/sbin/recovery. Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.
Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>