Add a neverallow rule (compile time assertion) that no SELinux domain
other than init can set default_prop. default_prop is assigned to a
property when no more specific label exists for that property.
This ensures that all properties are labeled properly, and that
no-one (other than init) gets access to unknown properties.
Change-Id: If279960f23737e263d4d1b5face7b5c49cda7ae7
Init never uses binder, so allowing binder related operations
for init never makes sense. Disallow all binder opertions for
init.
This change expands on commit a730e50bd9,
disallowing any init binder operation, not just call operations, which
may be accidentally added by blindly running audit2allow.
Change-Id: I12547a75cf68517d54784873846bdadcb60c5112
Augment the already existing neverallow on loading executable content
from file types other than /system with one on loading executable content
from filesystem types other than the rootfs. Include exceptions for
appdomain and recovery as required by current policy.
Change-Id: I73d70ab04719a67f71e48ac795025f2ccd5da385
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add policy requirements for
service_manager to enforce policies to binder_use
macro.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
The new Nexus 5 tee implementation requires raw block I/O
for anti-rollback protection.
Bug: 15777869
Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396
Create a new domain for the one-shot init service flash_recovery.
This domain is initially in permissive_or_unconfined() for
testing. Any SELinux denials won't be enforced for now.
Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8
libsepol.check_assertion_helper: neverallow on line 166 of external/sepolicy/domain.te (or line 5056 of policy.conf) violated by allow recovery unlabeled:file { create };
Error while expanding policy
make: *** [out/target/product/generic/obj/ETC/sepolicy.recovery_intermediates/sepolicy.recovery] Error 1
Change-Id: Iddf2cb8d0de2ab445e54a727f01be0b992b45ba5
Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.
Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156
This is required for the restorecon /adb_keys in init.rc or
for any other relabeling of rootfs files to more specific types on
kernels that support setting security contexts on rootfs inodes.
Addresses denials such as:
avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0
We do not need to prohibit relabelfrom of such files because our goal
is to prevent writing to executable files, while relabeling the file
to another type will take it to a non-executable (or non-writable) type.
In contrast, relabelto must be prohibited by neverallow so that a
modified file in a writable type cannot be made executable.
Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow. This is only applied to
regular files, as we are primarily concerned with preventing
writing to a file that can be exec'd and because creation of
directories or symlinks in the rootfs may be required for mount
point directories.
Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add neverallow rules to prohibit adding any transitions into
the kernel or init domains. Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts. This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.
Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As reported by sepolicy-analyze -D -P /path/to/sepolicy.
No semantic difference reported by sediff between the policy
before and after this change.
Deduplication of selinuxfs read access resolved by taking the
common rules to domain.te (and thereby getting rid of the
selinux_getenforce macro altogether).
Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time. The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).
Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow. This ensures that the no write to /system
restriction cannot be bypassed via context= mount.
Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.
Add read/write capabilities back to app domains, since apps need to
read/write profiling data.
Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.
Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh. So they originally
shared a common set of rules. Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc. Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc). The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command. And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.
Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te. init_shell was an unconfined_domain(),
so it loses nothing from this change. Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.
Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://android-review.googlesource.com/#/c/95900/ added
allow rules for unlabeled access as needed to all confined
domains. Therefore we can remove it from domain. The only
other domain that truly needs unlabeled access is init, which
presently inherits it from unconfineddomain.
Also prevent rules that would permit any confined domain from
creating new unlabeled files on the system.
Change-Id: I31c6478b42fbf60e3b7893b9578b6ad50170def6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is to accomodate migration to (and ongoing support of) a
new installed-app file topology, in which APK files are placed
in /data/app/$PACKAGE-rev/, there is a canonical-path symlink
/data/app/$PACKAGE/ -> /data/app/$PACKAGE-rev/, and the native
libraries exist not under a top-level /data/app-lib/$PACKAGE-rev
hard directory, but rather under /data/app/$PACKAGE/lib (when
referenced by canonical path).
Change-Id: I4f60257f8923c64266d98aa247bffa912e204fb0
Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).
init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it. init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.
Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.
This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.
Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.
Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://android-review.googlesource.com/#/c/95900/ added further
unlabeled rules for installd and added explicit unlabeled rules for
vold and system_server. Exclude these permissions from the auditallow
rules on unlabeled so that we only see the ones that would be denied if
we were to remove the allow domain rules here.
Change-Id: I2b9349ad6606bcb6a74a7e67343a8a9e5d70174c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.
Allow recovery to write to /system. This is needed to apply OTA
images.
Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
/data/property is only accessible by root and is used by the init
property service for storing persistent property values. Create
a separate type for it and only allow init to write to the directory
and files within it. Ensure that we do not allow access to other domains
in future changes or device-specific policy via a neverallow rule.
Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a compile time assertion that most SELinux domains don't
execute code from outside of the system partition.
Exceptions are listed in the neverallow rule.
Change-Id: I8166e29a269adca11661df3c6cda4448a42ca30d
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
CTS test luni/src/test/java/libcore/java/nio/BufferTest.java function
testDevZeroMapRW() requires us to be able to open /dev/zero in read-write
mode. Allow it.
Change-Id: I2be266875b1d190188376fd84c0996039d3c1524
This just adds a neverallow rule to ensure we never
add an allow rule permitting such mappings.
Change-Id: Id20463b26e0eac5b7629326f68b3b94713108cc2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Kernel userspace helpers may be spawned running in the kernel
SELinux domain. Those userspace helpers shouldn't be able to turn
SELinux off.
This change revisits the discussion in
https://android-review.googlesource.com/#/c/71184/
At the time, we were debating whether or not to have an allow rule,
or a dontaudit rule. Both have the same effect, as at the time we
switch to enforcing mode, the kernel is in permissive and the operation
will be allowed.
Change-Id: If335a5cf619125806c700780fcf91f8602083824
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files. Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.
Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Should no longer be required due to restorecon_recursive of /data
by init.rc (covers everything outside of /data/data) and due to
restorecon_recursive of /data/data by installd (covers /data/data
directories).
Move the neverallow rule on relabelto to the neverallow section.
We could potentially drop this altogether, along with the relabelto_domain
macro and its callers, since its motivation was to provide some
safeguard in spite of allowing relabelfrom to unlabeled files for
all domains and this change removes relabelfrom.
unconfined still retains rw access to unlabeled, as do specific domains
that are explicitly allowed it.
Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
To see whether we can safely remove these allow rules on unlabeled files
since we now have restorecon_recursive /data in init.rc to fully relabel
legacy userdata partitions, audit all accesses on such files.
Exclude the init domain since it performs the restorecon_recursive /data
and therefore will read unlabeled directories, stat unlabeled files,
and relabel unlabeled directories and files on upgrade. init may also
create/write unlabeled files in /data prior to the restorecon_recursive
/data being called.
Exclude the kernel domain for search on unlabeled:dir as this happens
during cgroup filesystem initialization in the kernel as a side effect
of populating the cgroup directory during the superblock initialization
before SELinux has set the label on the root directory.
Change-Id: Ieb5d807f529db9a4bf3e6c93e6b37c9648c04633
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
I9b8e59e3bd7df8a1bf60fa7ffd376a24ba0eb42f added a profiles
subdirectory to /data/dalvik-cache with files that must be
app-writable. As a result, we have denials such as:
W/Profiler( 3328): type=1400 audit(0.0:199): avc: denied { write } for name="com.google.android.setupwizard" dev="mmcblk0p28" ino=106067 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file
W/Profiler( 3328): type=1300 audit(0.0:199): arch=40000028 syscall=322 per=800000 success=yes exit=33 a0=ffffff9c a1=b8362708 a2=20002 a3=0 items=1 ppid=194 auid=4294967295 uid=10019 gid=10019 euid=10019 suid=10019 fsuid=10019 egid=10019 sgid=10019 fsgid=10019 tty=(none) ses=4294967295 exe="/system/bin/app_process" subj=u:r:untrusted_app:s0 key=(null)
W/auditd ( 286): type=1307 audit(0.0:199): cwd="/"
W/auditd ( 286): type=1302 audit(0.0:199): item=0 name="/data/dalvik-cache/profiles/com.google.android.setupwizard" inode=106067 dev=b3:1c mode=0100664 ouid=1012 ogid=50019 rdev=00:00 obj=u:object_r:dalvikcache_data_file:s0
We do not want to allow untrusted app domains to write to the
existing type on other /data/dalvik-cache files as that could be used
for code injection into another app domain, the zygote or the system_server.
So define a new type for this subdirectory. The restorecon_recursive /data
in init.rc will fix the labeling on devices that already have a profiles
directory created. For correct labeling on first creation, we also need
a separate change to installd under the same change id.
Bug: 13927667
Change-Id: I4857d031f9e7e60d48b8c72fcb22a81b3a2ebaaa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.
Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This is a world-readable directory anyway and will help to
address a small number of new denials.
Change-Id: I9e53c89a19da8553cbcbef8295c02ccaaa5d564c
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If we are going to allow all domains to search and
stat the contents of /data/security, then we should
also allow them to read the /data/security/current symlink
created by SELinuxPolicyInstallReceiver to the directory
containing the current policy update.
Change-Id: Ida352ed7ae115723964d2723f1115a87af438013
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add initial support for uncrypt, started via the
pre-recovery service in init.rc. On an encrypted device,
uncrypt reads an OTA zip file on /data, opens the underlying
block device, and writes the unencrypted blocks on top of the
encrypted blocks. This allows recovery, which can't normally
read encrypted partitions, to reconstruct the OTA image and apply
the update as normal.
Add an exception to the neverallow rule for sys_rawio. This is
needed to support writing to the raw block device.
Add an exception to the neverallow rule for unlabeled block devices.
The underlying block device for /data varies between devices
within the same family (for example, "flo" vs "deb"), and the existing
per-device file_context labeling isn't sufficient to cover these
differences. Until I can resolve this problem, allow access to any
block devices.
Bug: 13083922
Change-Id: I7cd4c3493c151e682866fe4645c488b464322379
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.
Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module. It can be added back where appropriate in device
policy if using a modular kernel. No neverallow since it is device
specific.
Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.
Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This new type will allow us to write finer-grained
policy concerning asec containers. Some files of
these containers need to be world readable.
Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
- Add write_logd, read_logd and control_logd macros added along
with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
deal with fd inheritance. ToDo: investigate means to allow
references to close, and reopen in context of application
or call setsockcreatecon() to label them in child context.
Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
Rather then allowing open,read,write to raw block devices, one
should relabel it to something more specific.
vold should be re-worked so we can drop it from this assert.
Change-Id: Ie891a9eaf0814ea3878d32b18b4e9f4d7dac4faf
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files. That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.
CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed. CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.
Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.
Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.
This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
powervr_device is obsoleted by the more general gpu_device.
akm_device and accelerometer_device are obsoleted by the more
general sensors_device.
We could also drop the file_contexts entries altogether and
take them to device-specific policy (in this case, they all
came from crespo, so that is obsolete for master).
Change-Id: I63cef43b0d66bc99b80b64655416cc050f443e7d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We do not want to permit connecting to arbitrary unconfined services
left running in the init domain. I do not know how this was originally
triggered and thus cannot test that it is fixed. Possible causes:
- another service was left running in init domain, e.g. dumpstate,
- there was a socket entry for the service in the init.rc file
and the service was launched via logwrapper and therefore init did
not know how to label the socket.
The former should be fixed. The latter can be solved either by
removing use of logwrapper or by specifying the socket context
explicitly in the init.rc file now.
Change-Id: I09ececaaaea2ccafb7637ca08707566c1155a298
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
