aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2014-05-23 11:26:19 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2014-05-23 13:14:22 -0400
commit356f4be679544363466dad93e7bee68b2a6f2cf0 (patch)
treec8546dcc31738c6fac03d7c1ce6ba65665aad45e
parent4fce0ef97c2a4cb6e0ce2adf17c012c8be6252bf (diff)
downloadandroid_external_sepolicy-356f4be679544363466dad93e7bee68b2a6f2cf0.tar.gz
android_external_sepolicy-356f4be679544363466dad93e7bee68b2a6f2cf0.tar.bz2
android_external_sepolicy-356f4be679544363466dad93e7bee68b2a6f2cf0.zip
Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r--adbd.te1
-rw-r--r--domain.te2
-rw-r--r--init.te6
-rw-r--r--kernel.te2
-rw-r--r--recovery.te3
-rw-r--r--runas.te1
-rw-r--r--ueventd.te3
-rw-r--r--zygote.te1
8 files changed, 18 insertions, 1 deletions
diff --git a/adbd.te b/adbd.te
index 44607c7..4b67647 100644
--- a/adbd.te
+++ b/adbd.te
@@ -3,6 +3,7 @@
type adbd, domain;
userdebug_or_eng(`
+ allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
diff --git a/domain.te b/domain.te
index 5fef04b..f7e8692 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace };
+allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
diff --git a/init.te b/init.te
index 3441dd0..e94ca47 100644
--- a/init.te
+++ b/init.te
@@ -27,3 +27,9 @@ allow init watchdogd:process transition;
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
diff --git a/kernel.te b/kernel.te
index 0048a62..f2405e4 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,6 +1,8 @@
# Life begins with the kernel.
type kernel, domain;
+# setcon to init domain.
+allow kernel self:process setcurrent;
allow kernel init:process dyntransition;
# The kernel is unconfined.
diff --git a/recovery.te b/recovery.te
index cfec161..c132983 100644
--- a/recovery.te
+++ b/recovery.te
@@ -15,3 +15,6 @@ allow recovery dev_type:blk_file rw_file_perms;
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;
+
+# Use setfscreatecon() to label files for OTA updates.
+allow recovery self:process setfscreate;
diff --git a/runas.te b/runas.te
index 8648ee7..8cc0eea 100644
--- a/runas.te
+++ b/runas.te
@@ -21,4 +21,5 @@ allow runas self:capability { setuid setgid };
# read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(runas)
selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
diff --git a/ueventd.te b/ueventd.te
index babebe0..25460de 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -20,3 +20,6 @@ allow ueventd dev_type:blk_file { create setattr unlink };
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
diff --git a/zygote.te b/zygote.te
index 4d169f3..da3a037 100644
--- a/zygote.te
+++ b/zygote.te
@@ -9,6 +9,7 @@ allow zygote self:capability { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872)