Commit graph

53 commits

Author SHA1 Message Date
Sami Tolvanen
35f537c7ef Allow init to set up dm-verity
Allow init to

 1. Access device mapper to set up dm-verity devices

    avc:  denied  { write } for  pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0

 2. Access the metadata partition to load and store dm-verity state

    avc:  denied  { write } for  pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0

 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered
    by dm-verity

    avc:  denied  { getattr } for  pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0

These can be reproduced using the following steps:

 1. Add fs_mgr flag verify to the system partition in fstab

 2. Add a device specific init.rc handler for the init action that
    calls the built-in command verity_load_state.

Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-05 01:46:47 +00:00
Nick Kralevich
07e7348921 init: drop read_policy permission
As of https://android-review.googlesource.com/127858 ,
open(O_RDONLY) is no longer used for chmod. It's no
longer necessary to allow init to read the SELinux policy.

Change-Id: I691dd220827a01a8d7a9955b62f8aca50eb25447
2015-02-28 03:55:15 -08:00
Stephen Smalley
ed532c06d6 init: remove permissive_or_unconfined()
Bug: 19050686
Change-Id: Ie41c3e4d5aaeb43577ba85a4768a5fdbdd665efb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-02-27 19:14:27 -08:00
Nick Kralevich
543faccc62 allow init tmpfs:dir relabelfrom
When encrypting a device, or when an encrypted device boots,
a tmpfs is mounted in place of /data, so that a pseudo filesystem
exists to start system_server and related components. SELinux labels
need to be applied to that tmpfs /data so the system boots
properly.

Allow init to relabel a tmpfs /data.

Addresses the following denial:

[    6.294896] type=1400 audit(29413651.850:4): avc:  denied  { relabelfrom } for  pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Steps to reproduce:
  1) Go into Settings > Security > Encrypt Phone
  2) Encrypt phone
  3) See denial
  4) reboot phone
  5) See denial on boot

Bug: 19050686
Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
2015-02-27 14:54:40 -08:00
Sami Tolvanen
9d87c647af Allow init to execute /sbin/slideshow
Add rules to allow /sbin/slideshow to access framebuffer and input
devices at early stages of boot, and rules to allow init to execute
the program (from init.rc using exec).

Needed by changes from
  I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d

Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
2015-02-26 17:23:29 +00:00
Nick Kralevich
5cf3994d8a Revert /proc/net related changes
Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

  avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
  avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc82
and commit 99940d1af5

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:35:17 -08:00
Yongqin Liu
cc38e6d1a4 bootchart: add policy rules for bootchart
allow the bootchart to create dir and files at init,
also allow user to create the stop and start file under
/data/bootchart directory to start and stop bootchart

Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2015-02-24 01:02:20 +08:00
Nick Kralevich
fcd86911d7 allow init fs_type:dir search
We allow chmod/chown of files / directories by init, but don't allow
init to search into subdirectories. Feels wrong.

Addresses the following denial:

  avc:  denied  { search } for  pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1

which results from the following init.rc statement:

  # pstore/ramoops previous console log
  mount pstore pstore /sys/fs/pstore
  chown system log /sys/fs/pstore/console-ramoops
  chmod 0440 /sys/fs/pstore/console-ramoops
  chown system log /sys/fs/pstore/pmsg-ramoops-0
  chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

Bug: 19050686
Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
2015-02-08 15:09:29 +00:00
Elliott Hughes
b00a037992 No one needs LD_PRELOAD from init any more.
Change-Id: I40a3d089a4a2325abcd1e12aa57b1fd97a1f7902
2015-02-06 23:40:42 -08:00
Nick Kralevich
99940d1af5 remove /proc/net read access from domain.te
SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4
2015-01-14 22:18:24 +00:00
Nick Kralevich
30707a457d init.te: remove unactionable auditallow statements
Commit 0d08d4721a added two auditallow
statements. The intented purpose of the auditallow statement was:

  auditallow accesses by init to files
  and character devices left in the generic device type so we can monitor
  what is being left there, although it is not necessarily a problem unless
  the file or device should be accessible to others.

As currently written, the auditallow rules aren't actionable. It's not
a problem by itself for init to access a /dev file or chr_file.
Rather, we care about when other domains access such files.

Currently, this generates a number of (expected) audit statements on
boot, which causes unnecessary confusion and makes people believe
that something is broken.

Remove the unactionable auditallow statements.

Change-Id: Ibfe33976505a7dc3f8d15c9eb203c044a39da426
2015-01-05 15:59:25 -08:00
Nick Kralevich
8809341cb0 init: allow rootfs symlink removal
On the Nexus 9, init.rc creates the /vendor -> /system/vendor
symlink, then a bit later removes the symlink, creates a
proper directory, and mounts /vendor on the directory.

The current permissive SELinux policy doesn't allow init to
remove the /vendor symlink, which eventually causes the following
errors:

  avc:  denied  { unlink } for  pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1
  fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered

There was an attempt to reorder some of these operations so
we didn't have to create / delete the symlink, but it
doesn't seem to have gone well.
f67d6bd3c0

Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
2014-12-23 17:19:36 -08:00
Stephen Smalley
1c16abd340 Allow init to chown/chmod character devices.
init.rc files can potentially chown/chmod any character device, so
allow it for everything except for kmem (prohibited by neverallow).
While we could whitelist each of the device types, doing so would also
require device-specific changes for the device-specific types and
may be difficult to maintain.

Resolves (permissive) denials such as:
avc:  denied  { read } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { open } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { setattr } for  pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1

avc:  denied  { read } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file

avc:  denied  { read } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { open } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

avc:  denied  { setattr } for  pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file

Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-10 13:25:12 -05:00
Stephen Smalley
c457572bdf Allow init to restorecon /data directories on upgrades.
Resolves (permissive) denials on upgrades from 4.4.

Change-Id: Ia9eed4938a7235c23bb65de7ad65e6e7c325dfd7
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-30 16:55:27 -04:00
Stephen Smalley
a523aaca12 Switch kernel and init to permissive_or_unconfined().
Switch the kernel and init domains from unconfined_domain()
to permissive_or_unconfined() so that we can start collecting
and addressing denials in -userdebug/-eng builds.

Also begin to address denials for kernel and init seen after
making this switch.

I intentionally did not allow the following denials on hammerhead:
avc:  denied  { create } for  pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file
avc:  denied  { open } for  pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

These occur when init.rc does:
write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1
because the prior command to mount the cgroup failed:
mount cgroup none /sys/fs/cgroup/memory memory

I think this is because that cgroup is not enabled in the
kernel configuration.  If the cgroup mount succeeded,
then this would have been a write to a cgroup:file and
would have been allowed already.

Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-29 15:35:35 -04:00
Stephen Smalley
0d08d4721a Remove -unconfineddomain from neverallow rules.
With the sepolicy-analyze neverallow checking, attribute
expansion is performed against the device policy and therefore
we do not want our neverallow rules to exempt domains from
consideration based on an attribute (e.g. -unconfineddomain).
Otherwise, device policy could pass the neverallow check just
by adding more domains to unconfineddomain.  We could of course
add a CTS test to check the list of unconfineddomains against
a whitelist, but it seems desirable regardless to narrow these
neverallow rules to only the specific domains required.

There are three such neverallow rules in current policy: one
on creating unlabeled files, one on accessing /dev/hw_random, and
one on accessing a character device without a specific type.  The
only domain in unconfineddomain that appears to have a legitimate
need for any of these permissions is the init domain.  Replace
-unconfineddomain with -init in these neverallow rules, exclude these
permissions from unconfineddomain, and add these permissions to init if
not already explicitly allowed.  auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.

Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 13:32:41 -04:00
Nick Kralevich
beb279c7ea allow init swapon()
swapon(2) requires write access to the underlying block device.
Allow it.

Addresses the following denial:

   avc:  denied  { write } for  pid=1 comm="init" name="zram0" dev="tmpfs" ino=6267 scontext=u:r:init:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0

Change-Id: Id1a4f51038d0b6ce7351294698a0ff146d6e4643
2014-10-20 11:52:19 -07:00
Stephen Smalley
8a0c25efb0 Do not allow init to execute anything without changing domains.
Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-28 03:23:27 +00:00
Stephen Smalley
018e9402c6 Prohibit reading of untrusted symlinks via neverallow.
Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-02 17:05:44 -04:00
Stephen Smalley
32915658aa Allow init to restorecon sysfs files.
The boot-time restorecon_recursive("/sys") occurs while still in
the kernel domain, but init.rc files may nonetheless perform
restorecon_recursive of parts of /sys created later and therefore
require this permission.   Required for:
https://android-review.googlesource.com/#/c/101800/

Change-Id: I68dc2c6019a1f9deae3eec5c2f068365ce2372e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-17 14:58:50 -04:00
Nick Kralevich
8a5b28d259 lmkd: avoid locking libsigchain into memory
https://android-review.googlesource.com/94851 added an LD_PRELOAD
line to init.environ.rc.in. This has the effect of loading
libsigchain.so into every process' memory space, regardless of
whether it wants it or not.

For lmkd, it doesn't need libsigchain, so it doesn't make any sense
to load it and keep it locked in memory.

Disable noatsecure for lmkd. This sets AT_SECURE=1, which instructs the
linker to not honor security sensitive environment variables such
as LD_PRELOAD. This prevents libsigchain.so from being loaded into
lmkd's memory.

Change-Id: I6378ba28ff3a1077747fe87c080e1f9f7ca8132e
2014-07-17 02:05:55 +00:00
Nick Kralevich
a7c04dcd74 Remove domain:process from unconfined
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-10 13:54:20 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Nick Kralevich
0db95cce33 unconfined: remove internet access
Don't allow unconfined domains to access the internet. Restrict
internet functionality to domains which explicitly declare their
use. Removing internet access from unconfined domains helps
protect daemons from network level attacks.

In unconfined.te, expand out socket_class_set, and explicitly remove
tcp_socket, udp_socket, rawip_socket, packet_socket, and
appletalk_socket. Remove name_bind, node_bind and name_connect rules,
since they only apply to internet accessible rules.

Add limited udp support to init.te. This is needed to bring up
the loopback interface at boot.

Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-23 11:28:30 -07:00
Stephen Smalley
c626a882f5 Allow init to relabel rootfs files.
This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.

Addresses denials such as:
  avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.

Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 09:17:51 -04:00
Stephen Smalley
f3c3a1aa33 Remove execute_no_trans from unconfineddomain.
execute_no_trans controls whether a domain can execve a program
without switching to another domain.  Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon).  Prohibit it otherwise for the
kernel domain via neverallow.  This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 22:38:28 +00:00
Stephen Smalley
bac4ccce8f Prevent adding transitions to kernel or init domains.
Add neverallow rules to prohibit adding any transitions into
the kernel or init domains.  Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts.  This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.

Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 15:36:38 +00:00
Stephen Smalley
75e2ef9260 Restrict use of context= mount options.
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time.  The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).

Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow.  This ensures that the no write to /system
restriction cannot be bypassed via context= mount.

Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 13:25:07 -04:00
Nick Kralevich
ee49c0e36a remove shell_data_file from unconfined.
Domains which want to access /data/local/tmp must do so by
creating their own SELinux domain.

Bug: 15164984
Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
2014-06-07 10:00:59 -07:00
Stephen Smalley
3235f61aa8 Restrict /data/security and setprop selinux.reload_policy access.
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).

init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it.  init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.

Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.

This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.

Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.

Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 18:30:11 +00:00
Stephen Smalley
73b0346a7d Explictly allow init and kernel unlabeled access.
These permissions are already allowed indirectly via unconfineddomain
and via domain, but ultimately we plan to remove them from those two
attributes.  Explicitly allow the ones we expect to be required,
matching the complement of the auditallow rules in domain.te.

Change-Id: I43edca89d59c159b97d49932239f8952a848031c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 09:53:00 -04:00
Stephen Smalley
eb1bbf2632 Clean up kernel, init, and recovery domains.
Narrow the relabelto rules to a more specific type set
for each domain.

Drop mount permissions from the kernel domain since mounting
occurs after switching to the init domain.  This was likely
a residual of when all processes were left in the kernel domain
on a recovery boot due to the missing setcon statement in the
recovery init.rc.

Be consistent with unlabeled filesystems (i.e. filesystems
without any matching fs_use or genfs_contexts entry) so
that we can also unmount them.

Add comments to note the reason for various rules.

Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 14:35:55 -04:00
Nick Kralevich
03ce512072 Remove /system write from unconfined
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.

Allow recovery to write to /system. This is needed to apply OTA
images.

Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-29 12:04:35 -04:00
Stephen Smalley
ad0d0fc722 Protect /data/property.
/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:43:37 +00:00
Nick Kralevich
685e2f9d9c remove syslog_* from unconfined
As suggested in https://android-review.googlesource.com/95966 , remove
various syslog_* from unconfined. SELinux domains which want to use
syslog_* can declare it themselves.

Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
2014-05-28 13:48:52 -07:00
Stephen Smalley
356f4be679 Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 13:14:22 -04:00
Stephen Smalley
02dac03a8c Drop relabelto_domain() macro and its associated definitions.
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 18:30:22 +00:00
Nick Kralevich
cd905ec04e Protect keystore's files.
Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-09 10:14:56 -07:00
Stephen Smalley
3f40d4f4b1 Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 13:03:38 -05:00
Stephen Smalley
5487ca00d4 Remove several superuser capabilities from unconfined domains.
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 11:14:16 -05:00
Stephen Smalley
b081cc1e05 Remove mount-related permissions from unconfined domains.
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 17:32:31 +00:00
Nick Kralevich
fed8a2a4d9 Remove transition / dyntransition from unconfined
Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-27 11:06:21 -08:00
Stephen Smalley
fea6e66fad Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/

init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 12:02:01 -05:00
Nick Kralevich
9e8b8d9fdf Revert "Allow kernel domain, not init domain, to set SELinux enforcing mode."
The build is broken. Reverting temporarily to fix breakage.

libsepol.check_assertion_helper: neverallow on line 4758 violated by allow init kernel:security { setenforce };
Error while expanding policy
make: *** [out/target/product/mako/obj/ETC/sepolicy_intermediates/sepolicy] Error 1
make: *** Waiting for unfinished jobs....


This reverts commit bf12e22514.

Change-Id: I78a05756d8ce3c7d06e1d9d27e6135f4b352bb85
2013-12-06 16:52:30 +00:00
Stephen Smalley
bf12e22514 Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in:
https://android-review.googlesource.com/#/c/71184/

init sets the enforcing mode in its code prior to switching to
the init domain via a setcon command in the init.rc file.  Hence,
the setenforce permission is checked while still running in the
kernel domain.  Further, as init has no reason to ever set the
enforcing mode again, we do not need to allow setenforce to the
init domain and this prevents reverting to permissive
mode via an errant write by init later.  We could technically
dontaudit the kernel setenforce access instead since the first
call to setenforce happens while still permissive (and thus we
never need to allow it in policy) but we allow it to more accurately
represent what is possible.

Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 08:21:15 -08:00
Stephen Smalley
7adb999e70 Restrict the ability to set usermodehelpers and proc security settings.
Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 09:44:38 -05:00
Stephen Smalley
d99e6d5fa1 Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 15:59:04 -05:00
Nick Kralevich
b1d81645b3 Make kernel / init enforcing
Start running in enforcing mode for kernel / init.
This should be mostly a no-op, as the kernel / init
is in the unconfined domain.

Change-Id: I8273d936c9a4eecb50b78ae93490a4dd52f59eb6
2013-11-08 15:44:30 -08:00
Nick Kralevich
2637198f92 Only init should be able to load a security policy
Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
2013-07-15 17:16:08 -07:00
Nick Kralevich
0c9708b2af domain.te: Add backwards compatibility for unlabeled files
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 18:54:45 -07:00