diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-05-23 11:26:19 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-05-23 13:14:22 -0400 |
commit | 356f4be679544363466dad93e7bee68b2a6f2cf0 (patch) | |
tree | c8546dcc31738c6fac03d7c1ce6ba65665aad45e | |
parent | 4fce0ef97c2a4cb6e0ce2adf17c012c8be6252bf (diff) | |
download | android_external_sepolicy-356f4be679544363466dad93e7bee68b2a6f2cf0.tar.gz android_external_sepolicy-356f4be679544363466dad93e7bee68b2a6f2cf0.tar.bz2 android_external_sepolicy-356f4be679544363466dad93e7bee68b2a6f2cf0.zip |
Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission. Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.
Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | adbd.te | 1 | ||||
-rw-r--r-- | domain.te | 2 | ||||
-rw-r--r-- | init.te | 6 | ||||
-rw-r--r-- | kernel.te | 2 | ||||
-rw-r--r-- | recovery.te | 3 | ||||
-rw-r--r-- | runas.te | 1 | ||||
-rw-r--r-- | ueventd.te | 3 | ||||
-rw-r--r-- | zygote.te | 1 |
8 files changed, 18 insertions, 1 deletions
@@ -3,6 +3,7 @@ type adbd, domain; userdebug_or_eng(` + allow adbd self:process setcurrent; allow adbd su:process dyntransition; ') @@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr }; allow domain tmpfs:dir r_dir_perms; # Intra-domain accesses. -allow domain self:process ~{ execmem execstack execheap ptrace }; +allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate }; allow domain self:fd use; allow domain self:dir r_dir_perms; allow domain self:lnk_file r_file_perms; @@ -27,3 +27,9 @@ allow init watchdogd:process transition; # the directory as part of a recursive restorecon. allow init keystore_data_file:dir { open create read getattr setattr search }; allow init keystore_data_file:file { getattr }; + +# Use setexeccon(), setfscreatecon(), and setsockcreatecon(). +# setexec is for services with seclabel options. +# setfscreate is for labeling directories and socket files. +# setsockcreate is for labeling local/unix domain sockets. +allow init self:process { setexec setfscreate setsockcreate }; @@ -1,6 +1,8 @@ # Life begins with the kernel. type kernel, domain; +# setcon to init domain. +allow kernel self:process setcurrent; allow kernel init:process dyntransition; # The kernel is unconfined. diff --git a/recovery.te b/recovery.te index cfec161..c132983 100644 --- a/recovery.te +++ b/recovery.te @@ -15,3 +15,6 @@ allow recovery dev_type:blk_file rw_file_perms; allow recovery self:process execmem; allow recovery ashmem_device:chr_file execute; allow recovery tmpfs:file rx_file_perms; + +# Use setfscreatecon() to label files for OTA updates. +allow recovery self:process setfscreate; @@ -21,4 +21,5 @@ allow runas self:capability { setuid setgid }; # read /seapp_contexts and /data/security/seapp_contexts security_access_policy(runas) selinux_check_context(runas) # validate context +allow runas self:process setcurrent; allow runas non_system_app_set:process dyntransition; # setcon @@ -20,3 +20,6 @@ allow ueventd dev_type:blk_file { create setattr unlink }; allow ueventd self:netlink_kobject_uevent_socket create_socket_perms; allow ueventd efs_file:dir search; allow ueventd efs_file:file r_file_perms; + +# Use setfscreatecon() to label /dev directories and files. +allow ueventd self:process setfscreate; @@ -9,6 +9,7 @@ allow zygote self:capability { dac_override setgid setuid fowner chown }; # Drop capabilities from bounding set. allow zygote self:capability setpcap; # Switch SELinux context to app domains. +allow zygote self:process setcurrent; allow zygote system_server:process dyntransition; allow zygote appdomain:process dyntransition; # Allow zygote to read app /proc/pid dirs (b/10455872) |