7adb999e70
Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
# Filesystem types
# fs_type is the attribute the "filesystem associate" rules at the end of
# this file key on; every filesystem type declared here carries it.
type labeledfs, fs_type;
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
# Per the commit message these are /proc/sys knobs such as suid_dumpable,
# dmesg_restrict, kptr_restrict and randomize_va_space, and write access
# to them is limited to the init domain (permissive domains excepted).
# The allow rules granting init that access are not in this file.
type proc_security, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
# Examples from the commit message: /sys/kernel/uevent_helper and
# /proc/sys/kernel/{core_pattern,hotplug,poweroff_cmd,usermodehelper}.
# These files select the user-space program the kernel itself will run, so
# writes are limited to the init domain. sysfs_type is attached in addition
# to fs_type so a node under /sys can carry this label (see the
# "allow sysfs_type sysfs:filesystem associate" rule at the end of the file).
# Not every listed node exists on every kernel (commit message).
type usermodehelper, fs_type, sysfs_type;
# mlstrustedobject exempts a type's objects from the MLS constraints
# defined elsewhere in the policy (not visible in this file).
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type selinuxfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, mlstrustedobject;
# sysfs_type marks the types that may label nodes on the sysfs filesystem.
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
# sdcard_type is declared outside this file; both sdcard variants share it.
type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, mlstrustedobject;
# File types
# file_type is the attribute the associate rules at the end of this file use
# to permit these labels on labeledfs, tmpfs and rootfs. data_file_type is
# declared outside this file; presumably it groups everything under /data.
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
# /data/drm - DRM plugin data
type drm_data_file, file_type, data_file_type;
# /data/anr - ANR traces
type anr_data_file, file_type, data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type;
type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/app-private - forward-locked apps
type apk_private_data_file, file_type, data_file_type;
type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/local - writable by shell
type shell_data_file, file_type, data_file_type;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/misc subdirectories
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
type adb_keys_file, file_type, data_file_type;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
# An alias is the same type under a second name; rules written against the
# old name apply to the new one unchanged.
typealias audio_data_file alias audio_firmware_file;
typealias camera_data_file alias camera_calibration_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
# mlstrustedobject exempts the type's objects from the MLS constraints
# defined elsewhere in the policy (not visible in this file).
type platform_app_data_file, file_type, data_file_type, mlstrustedobject;
# Default type for anything under /cache
type cache_file, file_type, mlstrustedobject;
# Type for /cache/.*\.{data|restore} and default
# type for anything under /cache/backup
type cache_backup_file, file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
# For /data/security
type security_file, file_type;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
# Downloaded files
type download_file, file_type;
# Socket types
# Labels for the socket files daemons listen on (presumably the entries
# under /dev/socket; the path mapping is in the file contexts, not here).
# They carry file_type only, never data_file_type.
type adbd_socket, file_type;
type bluetooth_socket, file_type;
# mlstrustedobject exempts the socket from the MLS constraints defined
# elsewhere in the policy (not visible in this file).
type dnsproxyd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type keystore_socket, file_type;
type mdns_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
type qemud_socket, file_type;
type racoon_socket, file_type;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
# UART (for GPS) control proc file
# NOTE(review): declared with file_type, not fs_type, although the comment
# says it is a proc node. The file_type associate rules at the end of this
# file cover only labeledfs, tmpfs and rootfs, so a proc node with this
# label would need its own associate rule with proc — confirm where and
# how this node is actually labeled.
type gps_control, file_type;
# Allow files to be created in their appropriate filesystems.
# "self" with an attribute source expands per member type: each fs_type
# type may be associated with a filesystem of its own type.
allow fs_type self:filesystem associate;
# Any sysfs_type type (sysfs_writable, sysfs_wake_lock, usermodehelper, ...)
# may label nodes on the sysfs filesystem; this is what lets a node such as
# /sys/kernel/uevent_helper carry the usermodehelper label named in the
# commit message.
allow sysfs_type sysfs:filesystem associate;
# file_type objects may live on labeled filesystems, tmpfs and the rootfs.
# Note that proc is not in this list, so a file_type label on a proc node
# is not covered by these rules.
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
# dev_type is declared outside this file; presumably the device-node types
# on a tmpfs-backed /dev — confirm against the file that declares it.
allow dev_type tmpfs:filesystem associate;