3c77d4d1c1
Add an SELinux neverallow rule (compile time assertion) that only authorized SELinux domains are writing to files in /data/dalvik-cache. Currently, SELinux policy only allows the following SELinux domains to perform writes to files in /data/dalvik-cache * init * zygote * installd * dex2oat For zygote, installd, and dex2oat, these accesses make sense. For init, we could further restrict init to just relabelfrom on /data/dalvik-cache files, and { create, write, setattr } on /data/dalvik-cache directories. Currently init has full write access, which can be reduced over time. This change was motivated by the discussion in https://android-review.googlesource.com/127582 Remove /data/dalvik-cache access from the unconfined domain. This domain is only used by init, kernel, and fsck on user builds. The kernel and fsck domains have no need to access files in /data/dalvik-cache. Init has a need to relabel files, but that rule is already granted in init.te. The neverallow rule is intended to prevent regressions. Neverallow rules are CTS tested, so regressions won't appear on our devices or partner devices. Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd
#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
#
# Reading guide: "~{ a b }" grants every permission of the class EXCEPT
# a and b, and "{ T -x }" is the set of types carrying attribute T minus
# type x. Most rules below are therefore "everything except" grants; the
# exclusions are the security-relevant part and are called out per rule.
#
######################################################

# Capabilities: all except the ones that would let an unconfined domain
# ptrace arbitrary processes, do raw device I/O, create device nodes,
# load kernel modules, write to or control the audit log, or set the
# immutable/append-only file attributes.
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
# mac_override / mac_admin are withheld so the domain can neither bypass
# nor administer the MAC (SELinux) policy that confines it.
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
# No policy load, no enforcing-mode or checkreqprot changes, no boolean
# or secparam changes: the template must not be able to weaken SELinux.
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
# kernel:system minus the syslog permissions (read, modify, console).
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };

# Interaction with processes of every domain: fd use, read-only access to
# their dir/lnk_file objects (presumably the /proc/<pid> entries), and
# read-write on their file and fifo objects.
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
# Full access to every socket class owned by any domain, including all
# netlink families listed here.
allow unconfineddomain domain:{
socket
netlink_socket
key_socket
unix_stream_socket
unix_dgram_socket
netlink_route_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_selinux_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
netlink_kobject_uevent_socket
tun_socket
} *;
# Unrestricted SysV IPC and kernel keyring access against any domain.
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;

# Directory-like objects (dir, symlink, socket, fifo) on filesystems and
# device types: everything except relabelto, so the domain cannot assign
# these objects a new label (relabelfrom remains allowed). Context-mounted
# and sdcard filesystems are excluded entirely from the fs_type grant.
allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
# Same grant for labeled file types, minus the types deliberately kept out
# of reach of the template: keystore and property data, system and
# executable files, security files, shell and app data, and unlabeled
# objects. Domains needing those add the rule in their own .te file.
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
-unlabeled
}:{ dir lnk_file sock_file fifo_file } ~relabelto;
# Executables and the system partition are read (and execute) only:
# no write, no relabel.
allow unconfineddomain exec_type:dir r_dir_perms;
allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;
allow unconfineddomain system_file:dir r_dir_perms;
allow unconfineddomain system_file:file { r_file_perms execute };
allow unconfineddomain system_file:lnk_file r_file_perms;

# Regular and character-device files: everything except the execute
# family (entrypoint, execute_no_trans, execmod, execute) and relabelto,
# so arbitrary files cannot be run or mapped executable by an unconfined
# domain. usermodehelper, proc_security, context mounts, rootfs, sdcard
# and the generic "device" type are carved out of fs_type.
allow unconfineddomain {
fs_type
-usermodehelper
-proc_security
-contextmount_type
-rootfs
-sdcard_type
-device
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# Device nodes with the same exclusions; the generic device type, kmem and
# the hardware RNG are excluded from the grant.
allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# Labeled file types with the same execute/relabelto exclusions. Beyond the
# types excluded above, dalvikcache_data_file is also excluded: write access
# to /data/dalvik-cache is granted only to the specific domains that need it
# in their own policy (init's relabel rule is in init.te), and a compile-time
# neverallow rule elsewhere in the policy asserts that no other domain
# regains it.
allow unconfineddomain {
file_type
-keystore_data_file
-property_data_file
-system_file
-exec_type
-security_file
-shell_data_file
-app_data_file
-unlabeled
-dalvikcache_data_file
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
# rootfs files may only be executed (rootfs was excluded from the broad
# chr_file/file grant above).
allow unconfineddomain rootfs:file execute;
# Context-mounted filesystems are read-only for this template.
allow unconfineddomain contextmount_type:dir r_dir_perms;
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;

# Networking: unrestricted access to every node and network interface type.
allow unconfineddomain node_type:node *;
allow unconfineddomain netif_type:netif *;
# Labeled networking: may receive packets from any domain.
allow unconfineddomain domain:peer recv;
# Binder: may call and transfer to every domain except init.
allow unconfineddomain { domain -init }:binder { call transfer };
|