tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/vendor_init.te
Jeff Vander Stoep 7a4af30b38 Start the process of locking down proc/net 
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.

To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.

Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
    navigate maps, send text message, make voice call, make video call.
    Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest

Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f)
2018-05-04 21:36:33 +00:00

197 lines
5.8 KiB
Text
Raw Blame History

# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;
# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:global_capability_class_set dac_override;
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
allow vendor_init unencrypted_data_file:dir search;
allow vendor_init unencrypted_data_file:file r_file_perms;
allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-system_file
-unlabeled
-vendor_file_type
-vold_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-runtime_event_log_tags_file
-system_file
-unlabeled
-vendor_file_type
-vold_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-system_file
-unlabeled
-vendor_file_type
-vold_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-system_file
-unlabeled
-vendor_file_type
-vold_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-system_file
-vendor_file_type
-vold_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
allow vendor_init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
-contextmount_type
-sdcard_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:file { open read setattr };
allow vendor_init {
fs_type
-contextmount_type
-sdcard_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
-kmem_device
-port_device
-lowpan_device
-hw_random_device
}:chr_file setattr;
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(vendor_init, proc_net_type)
allow vendor_init proc_net_type:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };
r_dir_file(vendor_init, vendor_file_type)
# Vendor init can read properties
allow vendor_init serialno_prop:file { getattr open read };
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
# Raw writes to misc block device
allow vendor_init misc_block_device:blk_file w_file_perms;
not_compatible_property(`
set_prop(vendor_init, {
property_type
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
-pm_prop
-system_boot_reason_prop
-bootloader_boot_reason_prop
-last_boot_reason_prop
})
')
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_bluetooth_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
set_prop(vendor_init, exported_ffs_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
set_prop(vendor_init, exported_radio_prop)
set_prop(vendor_init, exported_system_radio_prop)
set_prop(vendor_init, exported_wifi_prop)
set_prop(vendor_init, exported2_config_prop)
set_prop(vendor_init, exported2_system_prop)
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
Reference in a new issue View git blame Copy permalink