platform_system_sepolicy/public/init.te
Nick Kralevich 23c9d91b46 Start partitioning off privapp_data_file from app_data_file
Currently, both untrusted apps and priv-apps use the SELinux file label
"app_data_file" for files in their /data/data directory. This is
problematic, as we really want different rules for such files. For
example, we may want to allow untrusted apps to load executable code
from priv-app directories, but disallow untrusted apps from loading
executable code from their own home directories.

This change adds a new file type "privapp_data_file". For compatibility,
we adjust the policy to support access privapp_data_files almost
everywhere we were previously granting access to app_data_files
(adbd and run-as being exceptions). Additional future tightening is
possible here by removing some of these newly added rules.

This label will start getting used in a followup change to
system/sepolicy/private/seapp_contexts, similar to:

  -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
  +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user

For now, this newly introduced label has no usage, so this change
is essentially a no-op.

Test: Factory reset and boot - no problems on fresh install.
Test: Upgrade to new version and test. No compatibility problems on
      filesystem upgrade.

Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837
2018-08-02 16:29:02 -07:00

529 lines
16 KiB
Text

# init is its own domain.
type init, domain, mlstrustedsubject;
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
#
# init direct restorecon calls.
#
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
# /dev/kmsg_debug
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { write relabelto };
')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
# /dev/__properties__/property_info
allow init properties_device:file create_file_perms;
allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
allow init { null_device ptmx_device random_device } : chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
allow init {
misc_block_device
recovery_block_device
system_block_device
}:{ blk_file lnk_file } relabelto;
# setrlimit
allow init self:global_capability_class_set sys_resource;
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;
# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;
# Access /dev/console.
allow init console_device:chr_file rw_file_perms;
# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
allow init self:global_capability_class_set sys_admin;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
allow init cgroup_bpf:dir { create mounton };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
r_dir_file(init, cgroup)
allow init cpuctl_device:dir { create mounton };
# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;
# /metadata
allow init metadata_file:dir mounton;
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:global_capability_class_set dac_override;
# Set system clock.
allow init self:global_capability_class_set sys_time;
allow init self:global_capability_class_set { sys_rawio mknod };
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:global_capability_class_set { chown fowner fsetid };
allow init {
file_type
-app_data_file
-exec_type
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-system_app_data_file
-system_file
-vendor_file_type
}:dir { create search getattr open read setattr ioctl };
allow init {
file_type
-app_data_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_file
-vendor_file_type
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
allow init {
file_type
-app_data_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
-system_file
-vendor_file_type
-vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow init {
file_type
-app_data_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_file
-vendor_file_type
-vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {
file_type
-app_data_file
-exec_type
-keystore_data_file
-misc_logd_file
-nativetest_data_file
-privapp_data_file
-shell_data_file
-system_app_data_file
-system_file
-vendor_file_type
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow init cache_file:lnk_file r_file_perms;
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
# does init really need to relabel app data?
userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;
# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow init {
fs_type
-contextmount_type
-proc_type
-sdcard_type
-sysfs_type
-rootfs
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
allow init {
dev_type
-kmem_device
-port_device
-device
-vndbinder_device
}:chr_file { read open };
auditallow init {
dev_type
-alarm_device
-ashmem_device
-binder_device
-console_device
-device
-devpts
-dm_device
-hwbinder_device
-hw_random_device
-input_device
-keychord_device
-kmem_device
-kmsg_device
-null_device
-owntty_device
-port_device
-ptmx_device
-random_device
-zero_device
}:chr_file { read open };
# chown/chmod on devices.
allow init { dev_type -kmem_device -port_device }:chr_file setattr;
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
allow init self:global_capability2_class_set syslog;
# init access to /proc.
r_dir_file(init, proc_net_type)
allow init {
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
proc_meminfo
proc_stat # Read /proc/stat for bootchart.
proc_uptime
proc_version
}:file r_file_perms;
allow init {
proc_abi
proc_dirty
proc_hostname
proc_hung_task
proc_extra_free_kbytes
proc_net_type
proc_max_map_count
proc_min_free_order_shift
proc_overcommit_memory
proc_panic
proc_page_cluster
proc_perf
proc_sched
proc_sysrq
}:file w_file_perms;
allow init {
proc_security
}:file rw_file_perms;
# init chmod/chown access to /proc files.
allow init {
proc_cmdline
proc_kmsg
proc_net
proc_qtaguid_stat
proc_slabinfo
proc_sysrq
proc_qtaguid_ctrl
proc_vmallocinfo
}:file setattr;
# init access to /sys files.
allow init {
sysfs_android_usb
sysfs_leds
sysfs_power
}:file w_file_perms;
allow init {
sysfs_dt_firmware_android
}:file r_file_perms;
allow init {
sysfs_zram
}:file rw_file_perms;
# Allow init to write to vibrator/trigger
allow init sysfs_vibrator:file w_file_perms;
# init chmod/chown access to /sys files.
allow init {
sysfs_android_usb
sysfs_devices_system_cpu
sysfs_ipv4
sysfs_leds
sysfs_lowmemorykiller
sysfs_power
sysfs_vibrator
sysfs_wake_lock
}:file setattr;
# Set usermodehelpers.
allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
allow init self:global_capability_class_set net_admin;
# Reboot.
allow init self:global_capability_class_set sys_boot;
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
allow init misc_logd_file:file { open create getattr setattr write };
# Support "adb shell stop"
allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
# Set UID, GID, and adjust capability bounding set for services.
allow init self:global_capability_class_set { setuid setgid setpcap };
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
# Get file context
allow init file_contexts_file:file r_file_perms;
# sepolicy access
allow init sepolicy_file:file r_file_perms;
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;
# Create sockets for the services.
allow init domain:unix_stream_socket { create bind setopt };
allow init domain:unix_dgram_socket { create bind setopt };
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
# Set any property.
allow init property_type:property_service set;
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
allow init self:global_capability_class_set net_raw;
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;
# keychord configuration
allow init self:global_capability_class_set sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;
allow init input_device:dir r_dir_perms;
allow init input_device:chr_file rw_file_perms;
# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
allow init kernel:system syslog_read;
# linux keyring configuration
allow init init:key { write search setattr };
# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
unix_socket_connect(init, vold, vold)
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;
# For init to be able to run shell scripts from vendor
allow init vendor_shell_exec:file execute;
###
### neverallow rules
###
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init { app_data_file privapp_data_file }:lnk_file read;
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;
# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs node that are not explicitly labeled.
neverallow init sysfs:file { open read write };