platform_system_sepolicy/unconfined.te
Nick Kralevich a730e50bd9 Don't allow zygote init:binder call
init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50
2014-01-03 20:45:42 -08:00

42 lines
2.2 KiB
Text

#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################
allow unconfineddomain self:capability_class_set *;
allow unconfineddomain kernel:security ~{ load_policy setenforce };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~ptrace;
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain fs_type:filesystem *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain property_type:property_service set;