platform_system_sepolicy/domain.te
Stephen Smalley 3f40d4f4b1 Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 13:03:38 -05:00

216 lines
7.9 KiB
Text

# Rules for all domains.
# Allow reaping by init.
allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses.
allow domain self:process ~{ execmem execstack execheap ptrace };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:{ unix_dgram_socket unix_stream_socket } *;
# Inherit or receive open files from others.
allow domain init:fd use;
allow domain system_server:fd use;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain adbd:unix_stream_socket connectto;
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
userdebug_or_eng(`
# Same as adbd rules above, except allow su to do the same thing
allow domain su:unix_stream_socket connectto;
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
allow domain su:fifo_file { write getattr };
# allow "gdbserver --attach" to work for su.
allow domain su:process sigchld;
')
###
### Talk to debuggerd.
###
allow domain debuggerd:process sigchld;
allow domain debuggerd:unix_stream_socket connectto;
# Root fs.
allow domain rootfs:dir r_dir_perms;
allow domain rootfs:file r_file_perms;
allow domain rootfs:lnk_file r_file_perms;
# Device accesses.
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
allow domain device:file read;
allow domain socket_device:dir search;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file r_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain log_device:dir search;
allow domain log_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
# logd access
write_logd(domain)
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
# System file accesses.
allow domain system_file:dir r_dir_perms;
allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
allow domain system_data_file:lnk_file r_file_perms;
# Read apk files under /data/app.
allow domain apk_data_file:dir { getattr search };
allow domain apk_data_file:file r_file_perms;
# Read /data/dalvik-cache.
allow domain dalvikcache_data_file:dir { search getattr };
allow domain dalvikcache_data_file:file r_file_perms;
# Read already opened /cache files.
allow domain cache_file:dir r_dir_perms;
allow domain cache_file:file { getattr read };
allow domain cache_file:lnk_file r_file_perms;
# Read timezone related information
r_dir_file(domain, zoneinfo_data_file)
# For /acct/uid/*/tasks.
allow domain cgroup:dir { search write };
allow domain cgroup:file w_file_perms;
#Allow access to ion memory allocation device
allow domain ion_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
r_dir_file(domain, sysfs)
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
r_dir_file(domain, proc_net)
# debugfs access
allow domain debugfs:dir r_dir_perms;
allow domain debugfs:file w_file_perms;
# Get SELinux enforcing status.
selinux_getenforce(domain)
# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
# World readable asec image contents
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
######## Backwards compatibility - Unlabeled files ############
# Revert to DAC rules when looking at unlabeled files. Over time, the number
# of unlabeled files should decrease.
# TODO: delete these rules in the future.
#
# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
# capability, it's essentially useless. This is needed to allow an app with
# relabelto to relabel unlabeled files.
#
allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
###
### neverallow rules
###
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
# Limit device node creation and raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
# Only init should be able to load SELinux policies.
# The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain.
neverallow { domain -init } kernel:security load_policy;
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init } proc_security:file { append write };
# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;
# Init can't receive binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow domain init:binder call;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };