authorStephen Smalley <sds@tycho.nsa.gov>2013-09-27 10:55:59 -0400
committerStephen Smalley <sds@tycho.nsa.gov>2013-09-27 16:36:27 -0400
commit2a273ad2c50b255985a71e92898ac9224a9d2bd7 (patch)
tree1aa318337ca06052cc24f3fcc749c6e8182dcf75 /app.te
parent189558f64affb73b554b568db90d62eb7d2a9ada (diff)
Expand the set of neverallow rules applied to app domains.
This change synchronizes the AOSP set of neverallow rules for app domains with our own. However, as we exclude unconfineddomain from each neverallow rule, it causes no breakage in the AOSP policy. As app domains are confined, you will need to either adjust the app domain or the neverallow rule according to your preference. But our policy builds with all of these applied with all app domains confined. Change-Id: I00163d46a6ca3a87e3d742d90866300f889a0b11 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'app.te')
-rw-r--r--app.te141
1 files changed, 134 insertions, 7 deletions
diff --git a/app.te b/app.te
index 689ff95..e292c05 100644
--- a/app.te
+++ b/app.te
@@ -122,8 +122,9 @@ allow appdomain self:rawip_socket create_socket_perms;
###
# Superuser capabilities.
-# Only exception is sys_nice for binder, might not be necessary.
-neverallow { appdomain -unconfineddomain } self:capability ~sys_nice;
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
neverallow { appdomain -unconfineddomain } self:capability2 *;
# Block device access.
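Review bot: The comment on the rewritten capability rule explains the bluetooth carve-out but says nothing about the sys_nice exception that the removed comment described as possibly unnecessary for binder, so a reader of the new file cannot tell whether that exception was confirmed dead or simply dropped. Suggest recording the outcome next to `# bluetooth requires net_admin.`, for example `# No sys_nice exception: binder does not need it.` if that has been verified, or a TODO otherwise. The split into a general `self:capability *` rule and a bluetooth-specific `~net_admin` rule reads clearly and keeps the blanket prohibition for every other app domain.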
@@ -132,8 +133,32 @@ neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
# Kernel memory access.
neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
-# Setting SELinux enforcing status or booleans.
-neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
+# Access to any character device that is not specifically typed.
+neverallow { appdomain -unconfineddomain } device:chr_file { read write };
+
+# Access to any of the following character devices.
+neverallow { appdomain -unconfineddomain } {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ gps_device
+ rpmsg_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell -unconfineddomain }
+ graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
+ { read write };
+neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
+
+# Set SELinux enforcing mode, booleans or any other SELinux settings.
+neverallow { appdomain -unconfineddomain } kernel:security
+ { setenforce setbool setsecparam setcheckreqprot };
# Load security policy.
neverallow appdomain kernel:security load_policy;
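Review bot: The new character-device rules at `device:chr_file { read write }` and the grouped audio/camera/dm/radio/gps/rpmsg rule list only read and write, so an open with O_APPEND, which the kernel checks against the `append` permission rather than `write`, is not caught by these neverallows; the same applies to the graphics_device, nfc_device, hci_attach_dev and tee_device lines. If write-only-with-append access to these devices is meant to be blocked as well, `{ read write append }` closes that gap; if `append` is deliberately left out because no allow rule grants it, a one-line comment saying so would save the next reader the same question. The setenforce/setbool rule expansion to `setsecparam setcheckreqprot` looks right and pairs well with the separate `load_policy` rule kept below it.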
@@ -153,18 +178,120 @@ neverallow { appdomain -unconfineddomain }
netlink_kobject_uevent_socket
} *;
+# Sockets under /dev/socket that are not specifically typed.
+neverallow { appdomain -unconfineddomain } socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } bluetooth_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
+neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
+ property_socket:sock_file write;
+neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;
+
# ptrace access to non-app domains.
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
+# Write access to /proc/pid entries for any non-app domain.
+neverallow { appdomain -unconfineddomain } { domain - appdomain }:file write;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
+ { sigkill sigstop signal };
+
# Transition to a non-app domain.
-neverallow { appdomain -unconfineddomain } ~appdomain:process { transition dyntransition };
+neverallow { appdomain -unconfineddomain } ~appdomain:process
+ { transition dyntransition };
+
+# Map low memory.
+# Note: Take to domain.te and apply to all domains in the future.
+neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;
+
+# Write to rootfs.
+neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
-neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set write;
+neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow { appdomain -unconfineddomain } exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
# Write to system-owned parts of /data.
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
-neverallow { appdomain -unconfineddomain -system_app } system_data_file:dir_file_class_set write;
+neverallow { appdomain -unconfineddomain -system_app }
+ system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow { appdomain -system_app -unconfineddomain }
+ security_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell -unconfineddomain }
+ shell_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth -unconfineddomain }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Access to factory files.
+neverallow { appdomain -unconfineddomain }
+ efs_file:dir_file_class_set { read write };
+
+# Write to various pseudo file systems.
+neverallow { appdomain -nfc -unconfineddomain }
+ sysfs:dir_file_class_set write;
+neverallow { appdomain -system_app -unconfineddomain }
+ selinuxfs:dir_file_class_set write;
+neverallow { appdomain -unconfineddomain }
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow { appdomain -system_app -unconfineddomain }
+ kernel:system { syslog_read syslog_mod syslog_console };
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;
+
+# Ability to set system properties.
+neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
+ property_type:property_service set;
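Review bot: The /proc/pid write rule at `neverallow { appdomain -unconfineddomain } { domain - appdomain }:file write;` spells the set difference as `domain - appdomain`, while the sibling ptrace, signal and transition rules in this hunk write `{ domain -appdomain }`; both presumably parse the same, but the stray space reads like a typo and hides the line from a grep for `-appdomain`. Change it to `neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;`. The order of excluded domains also varies between rules (`-unconfineddomain -system_app` on the system_data_file rule, `-system_app -unconfineddomain` on the security_file rule), which is harmless but worth normalizing while the list is being expanded.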