Commit graph

33 commits

Author SHA1 Message Date
Nick Kralevich
03ce512072 Remove /system write from unconfined
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.

Allow recovery to write to /system. This is needed to apply OTA
images.

Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-29 12:04:35 -04:00
Stephen Smalley
ad0d0fc722 Protect /data/property.
/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:43:37 +00:00
Nick Kralevich
685e2f9d9c remove syslog_* from unconfined
As suggested in https://android-review.googlesource.com/95966 , remove
various syslog_* from unconfined. SELinux domains which want to use
syslog_* can declare it themselves.

Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
2014-05-28 13:48:52 -07:00
Stephen Smalley
f853715d22 Remove setting /proc/self/attr/* from unconfined.
Change I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 removed
these permissions from domain.te and added them to specific domains
as required.  Remove the permissions from unconfineddomain as well
so that they are only allowed where explicitly allowed.  The earlier
change already added the necessary permissions to init, kernel,
and recovery so we do not need to add them here.

Change-Id: Ifeb5438532a7525e64328e1c54b436e9b6f7fd3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-27 10:41:56 -04:00
Nick Kralevich
fa34d47185 unconfined: remove linux_immutable
As far as I know, this is never used. Get rid of it.

Change-Id: Iee0fb4e3f3952a0c4cc28d0aa96ca6c462ba5211
2014-05-19 22:54:07 -07:00
Nick Kralevich
cd905ec04e Protect keystore's files.
Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-09 10:14:56 -07:00
Stephen Smalley
e8c9fdac46 Exclude audit-related capabilities from unconfined domains.
Require them to be explicitly granted by specific allow rules.
audit_write is required to write an audit message from userspace.
audit_control is required to configure the audit subsystem.

Change-Id: I5aa4e3228f9b0bde3570689fe7a0d68e56861a17
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-04-03 08:51:38 -04:00
Stephen Smalley
853ffaad32 Deduplicate neverallow rules on selinuxfs operations.
We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-10 20:41:34 +00:00
Stephen Smalley
3f40d4f4b1 Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 13:03:38 -05:00
Stephen Smalley
5487ca00d4 Remove several superuser capabilities from unconfined domains.
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 11:14:16 -05:00
Stephen Smalley
b081cc1e05 Remove mount-related permissions from unconfined domains.
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 17:32:31 +00:00
Stephen Smalley
04ee5dfb80 Remove MAC capabilities from unconfined domains.
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files.  That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.

CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed.  CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.

Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.

Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 14:36:57 -05:00
Nick Kralevich
fed8a2a4d9 Remove transition / dyntransition from unconfined
Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-27 11:06:21 -08:00
Stephen Smalley
08fffc5db6 Revert "Revert "Strip file execute permissions from unconfined domains.""
The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 43ddc10694.

Change-Id: Id2d2c02ccf6ac38c48b07ab84b73348cd9c815fa
2014-01-13 15:34:14 -05:00
Stephen Smalley
8aae7bda9b Revert "Revert "Strip exec* permissions from unconfined domains.""
The recovery console now has its own domain and therefore we do not
need to allow this for unconfined domains.

This reverts commit 89740a6967.

Change-Id: Ie060cff0de8cbd206e0e55e196021726e52246c7
2014-01-13 15:34:12 -05:00
Nick Kralevich
89740a6967 Revert "Strip exec* permissions from unconfined domains."
As discussed in https://android-review.googlesource.com/78634 , the removal of execmem may cause OTA problems. Not sure...

Revert this patch to give us more time to investigate.

This reverts commit 4e416ea4ca.

Change-Id: Ie05f90235da5b9ee20b374298494cbc0a58b9b49
2014-01-10 21:41:26 +00:00
Stephen Smalley
4e416ea4ca Strip exec* permissions from unconfined domains.
This ensures that only domains that are explicitly allowed executable
memory permissions are granted them.

Unconfined domains retain full write + execute access to all file
types.  A further change could possibly restrict execute access to
a subset of file types, e.g. system_file + exec_type.

Change-Id: I842f5a2ac5921cc2bd0ab23a091eb808fdd89565
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 09:34:31 -05:00
Stephen Smalley
8b51674b2d Restrict ability to set checkreqprot.
Now that we set /sys/fs/selinux/checkreqprot via init.rc,
restrict the ability to set it to only the kernel domain.

Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-08 09:33:26 -05:00
Nick Kralevich
a730e50bd9 Don't allow zygote init:binder call
init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50
2014-01-03 20:45:42 -08:00
Stephen Smalley
e6a7b37d4c Restrict mapping low memory.
Label /proc/sys/vm/mmap_min_addr with proc_security to prevent
writing it by any domain other than init.  Also remove memprotect
mmap_zero permission from unconfineddomain so that it cannot pass
the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 13:19:49 -08:00
Stephen Smalley
95e0842e34 Restrict ptrace access by debuggerd and unconfineddomain.
Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-09 12:59:17 -05:00
Stephen Smalley
7adb999e70 Restrict the ability to set usermodehelpers and proc security settings.
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 09:44:38 -05:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Geremy Condra
ddf98fa8cf Neverallow access to the kmem device from userspace.
Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
2013-11-07 16:17:32 -08:00
Nick Kralevich
84d88314e0 Clarify the expectations for the unconfined template.
In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.

Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f
2013-10-21 13:44:07 -07:00
Nick Kralevich
2637198f92 Only init should be able to load a security policy
Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
2013-07-15 17:16:08 -07:00
Nick Kralevich
0c9708b2af domain.te: Add backwards compatibility for unlabeled files
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 18:54:45 -07:00
repo sync
274d2927a7 Clean up remaining denials.
Bug: 8424461
Change-Id: I8f0b01cdb19b4a479d5de842f4e4844aeab00622
2013-05-22 14:20:20 -07:00
repo sync
77d4731e9d Make all domains unconfined.
This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
2013-05-20 11:08:05 -07:00
Stephen Smalley
9aea69c004 Require entrypoint to be explicitly granted for unconfined domains.
Change-Id: Ieeaa002061c9e4224ea90dfa60dffb112aa152c2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-21 20:55:59 +00:00
Stephen Smalley
9ce99e3908 Update binder-related policy.
The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.

Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-03-19 22:48:17 +00:00
Stephen Smalley
124720a697 Add policy for property service.
New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.
2012-04-04 10:11:16 -04:00
Stephen Smalley
2dd4e51d5c SE Android policy. 2012-01-04 12:33:27 -05:00