Require sdcard_type access to be explicitly allowed to
each domain. This is to both protect services from
being killed by unsafe ejection and to protect SDcard
data from access by rogue daemons.
Change-Id: If3bdd50fd2be50bd98d755b2f252e0ae455b82c4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Require app_data_file access to be explicitly allowed to
each domain. We especially do not want to allow
app_data_file:lnk_file read to any privileged domain.
But removing app_data_file access in general can be useful
in protecting app data from rogue daemons.
Change-Id: I46240562bce76579e108495ab15833e143841ad8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow. This is only applied to
regular files, as we are primarily concerned with preventing
writing to a file that can be exec'd and because creation of
directories or symlinks in the rootfs may be required for mount
point directories.
Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
execute_no_trans controls whether a domain can execve a program
without switching to another domain. Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon). Prohibit it otherwise for the
kernel domain via neverallow. This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.
Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
system_server needs to open /dev/snd and access files
within that directory. Allow it.
system_server need to parse the ALSA card descriptors after a USB device
has been inserted. This happens from USBService in system_server.
Addresses the following denial:
system_server( 1118): type=1400 audit(0.0:19): avc: denied { search } for comm=5573625365727669636520686F7374 name="snd" dev="tmpfs" ino=8574 scontext=u:r:system_server:s0 tcontext=u:object_r:audio_device:s0 tclass=dir
and likely others
Change-Id: Id274d3feb7bf337f492932e5e664d65d0b8d05b8
Add neverallow rules to prohibit adding any transitions into
the kernel or init domains. Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts. This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.
Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also rewrite to use positive permission sets, macros, and
eliminate duplication.
Change-Id: I4dc340784f770e569160025a5db2dc3da90d2629
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.
Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).
Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We were incorrectly reporting overlapping rules as duplicates.
Only report cases where an attribute-based rule is a superset
of type-based rule. Also omit self rules as they are often due
to expansion of domain self rules by checkpolicy.
Change-Id: I27f33cdf9467be5fdb6ce148aa0006d407291833
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Some device-specific policies are improperly creating a security
domain for logwrapper, rather than removing the logwrapper
lines from init.device.rc. Don't allow that. Explicitly add an entry
for /system/bin/logwrapper to force it to a system_file. Attempting
to override this will result in the following compile time error:
obj/ETC/file_contexts_intermediates/file_contexts: Multiple different
specifications for /system/bin/logwrapper
(u:object_r:logwrapper_exec:s0 and u:object_r:system_file:s0).
Bug: 15616899
Change-Id: Ia55394247a9fa16e00434d61091fff9d9d4ff125
Add missing services to service_contexts that we did not include
in earlier patch that added SELinux checks in service_manager.
Change-Id: I889d999bf0b745bfcb75a3553b207777dc5700b7
The following commits added support for runtime resource overlays.
New command line tool 'idmap'
* 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5
Runtime resource overlay, iteration 2
* 48d22323ce39f9aab003dce74456889b6414af55
Runtime resource overlay, iteration 2, test cases
* ad6ed950dbfa152c193dd7e49c369d9e831f1591
During SELinux tightening, support for these runtime resource
overlays was unknowingly broken. Fix it.
This change has been tested by hackbod and she reports that
everything is working after this change. I haven't independently
verified the functionality.
Test cases are available for this by running:
* python frameworks/base/core/tests/overlaytests/testrunner.py
Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
Several device-specific policy changes with the same Change-Id
also add this attribute to device-specific types.
Change-Id: I09e13839b1956f61875a38844fe4fc3c911ea60f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time. The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).
Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow. This ensures that the no write to /system
restriction cannot be bypassed via context= mount.
Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's a bug to have a type with both the file_type and fs_type
attribute. A type should be declared with either file_type,
or fs_type, but not both.
Create a neverallow rule which detects this situation. This works
because we have the following allow rule:
allow fs_type self:filesystem associate;
If a type is a file_type and an fs_type, the associate allow rule
will conflict with this neverallow rule.
Not sure if this is the cleanest way to accomplish this, but it
seems to work.
Change-Id: Ida387b1df260efca15de38ae7a66ed25e353acaa
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:
set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");
which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.
Allow this behavior for now, even though it's obviously a bug.
Also, allow recovery to read through the /dev directory.
Addresses the following denials:
avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
These are no longer necessary after the clatd change to acquire
membership in AID_VPN when dropping root privileges.
Change-Id: I9955296fe79e6dcbaa12acad1f1438e11d3b06cf
This is no longer required now that clatd has switched from IPv6
forwarding to sockets.
Bug: 15340961
Change-Id: Id7d503b842882d30e6cb860ed0af69ad4ea3e62c
8670305177 wasn't complete. I thought
getattr on the directory wasn't needed but I was wrong. Not sure
how I missed this.
Addresses the following denial:
<4>[ 40.699344] type=1400 audit(15795140.469:9): avc: denied { getattr } for pid=1087 comm="system_server" path="/data/dalvik-cache/profiles" dev="mmcblk0p28" ino=105874 scontext=u:r:system_server:s0 tcontext=u:object_r:dalvikcache_profiles_data_file:s0 tclass=dir
Change-Id: Ibc176b2b00083bafaa91ab78d0f8dc1ca3c208b6
run-as won't communicate with shell via pipes. Allow it.
nnk@nnk:~$ adb shell "cat /dev/zero | run-as com.google.foo sh -c 'cat'"
/system/bin/sh: cat: <stdout>: Broken pipe
<4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file
read is definitely needed. Not sure about write, but adding it just
in case.
Change-Id: Ifdf838b0df79a5f1e9559af57c2d1fdb8c41a201
Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.
Add read/write capabilities back to app domains, since apps need to
read/write profiling data.
Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.
Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.
Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
Addresses denials such as:
avc: denied { read write } for comm="dnsmasq" path="socket:[1054090]" dev="sockfs" ino=1054090 scontext=u:r:dnsmasq:s0 tcontext=u:r:netd:s0 tclass=udp_socket
This may not be needed (need to check netd to see if it should be closing
all of these sockets before exec'ing other programs), but should be harmless.
Change-Id: I77c7af5e050e039fd48322914eeabbcb8a716040
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh. So they originally
shared a common set of rules. Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc. Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc). The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command. And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.
Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te. init_shell was an unconfined_domain(),
so it loses nothing from this change. Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.
Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need this for changing the max_cpufreq and min_cpufreq for the low power
mode.
Denials:
type=1400 audit(1402431554.756:14): avc: denied { write } for pid=854
comm="PowerManagerSer" name="scaling_max_freq" dev="sysfs" ino=9175
scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
tclass=file
Change required for Change-Id: I1cf458c4f128818ad1286e5a90b0d359b6913bb8
Change-Id: Ic5ce3c8327e973bfa1d53f298c07dcea1550b646
Signed-off-by: Ruchi Kandoi<kandoiruchi@google.com>
single quotes make the m4 parser think it's at the end of
a block, and generates the following compile time warning:
external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720:
Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
dumpstate calls screencap to take a screenshot. screencap
requires the ability to access the gpu device. Allow it.
Bug: 15514427
Change-Id: Iad8451b6108786653146de471f6be2d26b0e3297
