tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/te_macros
Alex Klyubin d9745f3dec Unbreak user builds 
This unbreaks user builds broken by recently landed changes to secilc
which is now aggressively removing attributes which aren't used in
allow rules, even when they are used in other places, such as being
referenced from *_contexts files.

User builds are broken by vndservice_manager_type not being found when
checkfc is run for *vndservice_contexts targets.

Test: On a clean user build: mmma system/sepolicy
Bug: 37319524
Bug: 36508258
Change-Id: I4a1727a74122ecd9020c3831462d56a65ee6d304
2017-04-13 14:17:32 -07:00

519 lines
16 KiB
Text
Raw Blame History

#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;
')
#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write };
allow $1 tmpfs:dir { getattr search };
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
# rules from underlying transport (e.g. UDS-based implementation).
#####################################
# pdx_server(domain)
define(`pdx_server', `
allow $1 pdx_socket:dir create_dir_perms;
allow $1 pdx_socket:sock_file create_file_perms;
')
#####################################
# use_pdx(clientdomain, serverdomain)
define(`use_pdx', `
# Open the socket.
allow $1 pdx_socket:dir r_dir_perms;
allow $1 pdx_socket:sock_file rw_file_perms;
# Use the socket.
allow $1 $2:unix_stream_socket { connectto read write shutdown };
# Clients recieve an event fd from the server.
allow $1 $2:fd use;
# Servers may receive sync fences, gralloc buffers, etc, from clients.
# This could be tightened on a per-server basis, but keeping track of service
# clients is error prone.
allow $2 $1:fd use;
')
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
')
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
')
#####################################
# untrusted_app_domain(domain)
# Allow a base set of permissions required for all untrusted apps.
define(`untrusted_app_domain', `
typeattribute $1 untrusted_app_all;
')
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
#
# For example, default implementation of Foo HAL:
# type hal_foo_default, domain;
# hal_server_domain(hal_foo_default, hal_foo)
#
define(`hal_server_domain', `
typeattribute $1 halserverdomain;
typeattribute $1 $2_server;
typeattribute $1 $2;
')
#####################################
# hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a HAL of the specified type.
#
# For example, make some_domain a client of Foo HAL:
# hal_client_domain(some_domain, hal_foo)
#
define(`hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
# TODO(b/34170079): Make the inclusion of the rules below conditional also on
# non-Treble devices. For now, on non-Treble device, always grant clients of a
# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
not_full_treble(`
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute };
')
')
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
allow $2 vendor_file:dir r_dir_perms;
allow $2 vendor_file:file { read open getattr execute };
')
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
#
# Note: If you see denial records that distill to the
# following allow rules:
# allow clientdomain property_socket:sock_file write;
# allow clientdomain init:unix_stream_socket connectto;
# allow clientdomain something_prop:property_service set;
#
# This sequence is indicative of attempting to set a property.
# use set_prop(sourcedomain, targetproperty)
#
define(`unix_socket_connect', `
ifelse($2, `property', `
ifelse($3,`init', `
print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
')
')
__unix_socket_connect__($1, $2, $3)
')
define(`__unix_socket_connect__', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
# set_prop(sourcedomain, targetproperty)
# Allows source domain to set the
# targetproperty.
#
define(`set_prop', `
__unix_socket_connect__($1, property, init)
allow $1 $2:property_service set;
get_prop($1, $2)
')
#####################################
# get_prop(sourcedomain, targetproperty)
# Allows source domain to read the
# targetproperty.
#
define(`get_prop', `
allow $1 $2:file r_file_perms;
')
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# servicemanager performs getpidcon on clients.
allow servicemanager $1:dir search;
allow servicemanager $1:file { read open };
allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# hwbinder_use(domain)
# Allow domain to use HwBinder IPC.
define(`hwbinder_use', `
# Call the hwservicemanager and transfer references to it.
allow $1 hwservicemanager:binder { call transfer };
# Allow hwservicemanager to send out callbacks
allow hwservicemanager $1:binder { call transfer };
# hwservicemanager performs getpidcon on clients.
allow hwservicemanager $1:dir search;
allow hwservicemanager $1:file { read open };
allow hwservicemanager $1:process getattr;
# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# vndbinder_use(domain)
# Allow domain to use Binder IPC.
define(`vndbinder_use', `
# Talk to the vndbinder device node
allow $1 vndbinder_device:chr_file rw_file_perms;
# Call the vndservicemanager and transfer references to it.
allow $1 vndservicemanager:binder { call transfer };
# vndservicemanager performs getpidcon on clients.
allow vndservicemanager $1:dir search;
allow vndservicemanager $1:file { read open };
allow vndservicemanager $1:process getattr;
')
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
#####################################
# wakelock_use(domain)
# Allow domain to manage wake locks
define(`wakelock_use', `
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
allow $1 self:capability2 block_suspend;
')
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security check_context;
')
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
#####################################
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
#####################################
# Recovery only
# SELinux rules which apply only to recovery mode
#
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
define(`full_treble_only', ifelse(target_full_treble, `true', $1,
ifelse(target_full_treble, `cts',
# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
$1
# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# Not full TREBLE
# SELinux rules which apply only to devices which are not full TREBLE devices
#
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
####################################
# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
#
define(`crash_dump_fallback', `
userdebug_or_eng(`
allow $1 su:fifo_file append;
')
allow $1 anr_data_file:file append;
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
allow $1 tombstoned_crash_socket:sock_file write;
allow $1 tombstone_data_file:file append;
')
#####################################
# WITH_DEXPREOPT builds
# SELinux rules which apply only when pre-opting.
#
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
unix_socket_send($1, logdw, logd)
allow $1 pmsg_device:chr_file w_file_perms;
')
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
# to call getpidcon.
define(`use_keystore', `
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
')
###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
define(`use_drmservice', `
allow drmserver $1:dir search;
allow drmserver $1:file { read open };
allow drmserver $1:process getattr;
')
###########################################
# add_service(domain, service)
# Ability for domain to add a service to service_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
')
###########################################
# add_hwservice(domain, service)
# Ability for domain to add a service to hwservice_manager
# and find it. It also creates a neverallow preventing
# others from adding it.
define(`add_hwservice', `
allow $1 $2:hwservice_manager { add find };
neverallow { domain -$1 } $2:hwservice_manager add;
')
##########################################
# print a message with a trailing newline
# print(`args')
define(`print', `errprint(`m4: '__file__: __line__`: $*
')')
Reference in a new issue View git blame Copy permalink