8a0c25efb0
Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
120 lines
4.3 KiB
Text
120 lines
4.3 KiB
Text
# init switches to init domain (via init.rc).
|
|
type init, domain;
|
|
# init is unconfined.
|
|
unconfined_domain(init)
|
|
tmpfs_domain(init)
|
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
# Mounting filesystems from block devices.
|
|
allow init dev_type:blk_file r_file_perms;
|
|
|
|
# Mounting filesystems.
|
|
# Only allow relabelto for types used in context= mount options,
|
|
# which should all be assigned the contextmount_type attribute.
|
|
# This can be done in device-specific policy via type or typeattribute
|
|
# declarations.
|
|
allow init fs_type:filesystem ~relabelto;
|
|
allow init unlabeled:filesystem ~relabelto;
|
|
allow init contextmount_type:filesystem relabelto;
|
|
|
|
# Allow read-only access to context= mounted filesystems.
|
|
allow init contextmount_type:dir r_dir_perms;
|
|
allow init contextmount_type:notdevfile_class_set r_file_perms;
|
|
|
|
# restorecon /adb_keys or any other rootfs files to a more specific type.
|
|
allow init rootfs:file relabelfrom;
|
|
|
|
# restorecon and restorecon_recursive calls from init.rc files.
|
|
# system/core/init.rc requires at least cache_file and data_file_type.
|
|
# init.<board>.rc files often include device-specific types, so
|
|
# we just allow all file types except /system files here.
|
|
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
|
|
allow init sysfs_type:{ dir file lnk_file } relabelto;
|
|
|
|
# Unlabeled file access for upgrades from 4.2.
|
|
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
|
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|
|
|
# Create /data/security from init.rc post-fs-data.
|
|
allow init security_file:dir { create setattr };
|
|
|
|
# setprop selinux.reload_policy 1 from init.rc post-fs-data.
|
|
allow init security_prop:property_service set;
|
|
|
|
# Reload policy upon setprop selinux.reload_policy 1.
|
|
r_dir_file(init, security_file)
|
|
allow init kernel:security load_policy;
|
|
|
|
# Any operation that can modify the kernel ring buffer, e.g. clear
|
|
# or a read that consumes the messages that were read.
|
|
allow init kernel:system syslog_mod;
|
|
|
|
# Set usermodehelpers and /proc security settings.
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
domain_trans(init, rootfs, adbd)
|
|
domain_trans(init, rootfs, healthd)
|
|
recovery_only(`
|
|
domain_trans(init, rootfs, recovery)
|
|
')
|
|
domain_trans(init, shell_exec, shell)
|
|
domain_trans(init, rootfs, ueventd)
|
|
domain_trans(init, rootfs, watchdogd)
|
|
|
|
# Certain domains need LD_PRELOAD passed from init.
|
|
# https://android-review.googlesource.com/94851
|
|
# For now, allow it to most domains.
|
|
# TODO: scope this down.
|
|
allow init { domain -lmkd }:process noatsecure;
|
|
|
|
# Support "adb shell stop"
|
|
allow init domain:process sigkill;
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
allow init keystore_data_file:file { getattr };
|
|
|
|
# Init creates /data/local/tmp at boot
|
|
allow init shell_data_file:dir { open create read getattr setattr search };
|
|
allow init shell_data_file:file { getattr };
|
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
# setexec is for services with seclabel options.
|
|
# setfscreate is for labeling directories and socket files.
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
allow init self:process { setexec setfscreate setsockcreate };
|
|
|
|
# Create /data/property and files within it.
|
|
allow init property_data_file:dir create_dir_perms;
|
|
allow init property_data_file:file create_file_perms;
|
|
|
|
# Set any property.
|
|
allow init property_type:property_service set;
|
|
|
|
# Run "ifup lo" to bring up the localhost interface
|
|
allow init self:udp_socket { create ioctl };
|
|
|
|
# This line seems suspect, as it should not really need to
|
|
# set scheduling parameters for a kernel domain task.
|
|
allow init kernel:process setsched;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The init domain is only entered via setcon from the kernel domain,
|
|
# never via an exec-based transition.
|
|
neverallow { domain -kernel} init:process dyntransition;
|
|
neverallow domain init:process transition;
|
|
neverallow init { file_type fs_type }:file entrypoint;
|
|
|
|
# Never read/follow symlinks created by shell or untrusted apps.
|
|
neverallow init shell_data_file:lnk_file read;
|
|
neverallow init app_data_file:lnk_file read;
|
|
|
|
# init should never execute a program without changing to another domain.
|
|
neverallow init { file_type fs_type }:file execute_no_trans;
|