0d08d4721a
With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
#
# Reading guide: almost every rule below is written as a complement
# ("~{ ... }" or "~perm"), i.e. it grants everything EXCEPT the
# listed items. When auditing what an unconfined domain can do,
# read the exclusion lists, not the grants. Types excluded here are
# also what lets the global neverallow rules name -init instead of
# -unconfineddomain (see the commit that introduced the
# unlabeled / device / hw_random_device exclusions).
######################################################

# Capabilities: everything except the set that would let a domain
# step outside the policy or tamper with the audit trail
# (ptrace other processes, raw I/O, mknod, module loading,
# audit write/control, immutable file attributes).
# Note sys_admin, setuid, setgid, dac_override etc. ARE granted.
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
# capability2: everything except overriding / administering MAC.
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
# Kernel security server: queries are allowed; loading policy,
# changing enforcing mode, checkreqprot, booleans and secparams are not.
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
# kernel:system minus access to the kernel log (dmesg).
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };

# Access to every other domain: fd inheritance/use, and the
# process-labeled filesystem objects (the dir/lnk_file/file/fifo_file
# classes on a domain type are the /proc/<pid> entries of that
# process). rw_file_perms on another domain's "file" class is broad.
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
# All operations on every listed socket class owned by any domain
# (includes netlink_audit_socket and netlink_kobject_uevent_socket).
allow unconfineddomain domain:{
socket
netlink_socket
key_socket
unix_stream_socket
unix_dgram_socket
netlink_route_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
netlink_kobject_uevent_socket
tun_socket
} *;
# SysV IPC and kernel keyrings of any domain.
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;

# Non-regular-file classes (dir, symlink, socket, fifo): everything
# except relabelto, so an unconfined domain cannot move objects into
# another label. contextmount_type and sdcard_type filesystems are
# excluded from the fs_type grant.
allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
# Same for file_type, minus the sensitive types that keep their own
# explicit rules. -unlabeled keeps unconfined domains from creating
# unlabeled objects, so the global neverallow on that can exempt
# only init rather than the whole attribute.
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
-unlabeled
}:{ dir lnk_file sock_file fifo_file } ~relabelto;

# Executables and /system content: read + execute only, never write
# or relabel (these types are excluded from the ~relabelto grants above).
allow unconfineddomain exec_type:dir r_dir_perms;
allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;
allow unconfineddomain system_file:dir r_dir_perms;
allow unconfineddomain system_file:file { r_file_perms execute };
allow unconfineddomain system_file:lnk_file r_file_perms;

# Regular files and character devices: every permission except the
# execute family and relabelto. usermodehelper and proc_security
# (policy/kernel knobs under /proc and /sys), rootfs, context-mounted
# and sdcard filesystems, and the generic "device" type are withheld.
allow unconfineddomain {
fs_type
-usermodehelper
-proc_security
-contextmount_type
-rootfs
-sdcard_type
-device
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# Device nodes: the generic "device" label (nodes no one has given a
# specific type), /dev/mem-style kmem_device and hw_random_device are
# excluded. Because these are not granted here, the corresponding
# neverallow rules can name -init instead of -unconfineddomain; a
# domain that needs one of them must get an explicit rule.
allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# file_type minus the same sensitive set as the dir/lnk/sock/fifo rule.
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
-unlabeled
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# rootfs files may be executed but, per the exclusion above, not
# otherwise accessed through this template.
allow unconfineddomain rootfs:file execute;
# Context-mounted filesystems: read-only.
allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;

# Networking: all node and netif permissions, and labeled-peer receive.
allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain domain:peer recv;

# Binder to any domain other than init.
# NOTE(review): this also grants set_context_mgr to every unconfined
# domain; only the binder context manager (servicemanager) should
# need that permission. Consider moving set_context_mgr to that
# domain's own policy and leaving { call transfer } here.
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };