-rw-r--r-- | access_vectors | 2 | ||||
-rw-r--r-- | attributes | 3 | ||||
-rw-r--r-- | bluetooth.te | 8 | ||||
-rw-r--r-- | bootanim.te | 4 | ||||
-rw-r--r-- | domain.te | 5 | ||||
-rw-r--r-- | drmserver.te | 4 | ||||
-rw-r--r-- | healthd.te | 5 | ||||
-rw-r--r-- | inputflinger.te | 4 | ||||
-rw-r--r-- | isolated_app.te | 4 | ||||
-rw-r--r-- | keystore.te | 4 | ||||
-rw-r--r-- | mediaserver.te | 10 | ||||
-rw-r--r-- | nfc.te | 8 | ||||
-rw-r--r-- | platform_app.te | 10 | ||||
-rw-r--r-- | radio.te | 9 | ||||
-rw-r--r-- | servicemanager.te | 4 | ||||
-rw-r--r-- | surfaceflinger.te | 8 | ||||
-rw-r--r-- | system_app.te | 9 | ||||
-rw-r--r-- | system_server.te | 12 | ||||
-rw-r--r-- | te_macros | 13 | ||||
-rw-r--r-- | untrusted_app.te | 11 |
20 files changed, 133 insertions, 4 deletions
diff --git a/access_vectors b/access_vectors
index f8c0110..5e78341 100644
--- a/access_vectors
+++ b/access_vectors
@@ -892,6 +892,8 @@ class property_service
 class service_manager
 {
 	add
+	find
+	list
 }
 
 class keystore_key
@@ -67,3 +67,6 @@ attribute bluetoothdomain;
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
+
+# All domains that are excluded from the domain.te auditallow.
+attribute service_manager_local_audit;
diff --git a/bluetooth.te b/bluetooth.te
index 2b108a9..8ba56b0 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,14 @@ allow bluetooth bluetooth_prop:property_service set;
 allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
 
+# Audited locally.
+service_manager_local_audit_domain(bluetooth)
+auditallow bluetooth {
+    service_manager_type
+    -bluetooth_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### Neverallow rules
 ###
diff --git a/bootanim.te b/bootanim.te
index 3a0a76f..7592295 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,3 +11,7 @@ allow bootanim gpu_device:chr_file rw_file_perms;
 
 # /oem access
 allow bootanim oemfs:dir search;
+
+# Audited locally.
+service_manager_local_audit_domain(bootanim)
+auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
@@ -158,6 +158,11 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
+allow domain servicemanager:service_manager list;
+auditallow domain servicemanager:service_manager list;
+allow domain service_manager_type:service_manager find;
+auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
+
 ###
 ### neverallow rules
 ###
diff --git a/drmserver.te b/drmserver.te
index 1993176..12e3ac7 100644
--- a/drmserver.te
+++ b/drmserver.te
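Review bot: In the domain.te hunk, `allow domain service_manager_type:service_manager find;` and `allow domain servicemanager:service_manager list;` let every domain, untrusted_app and isolated_app included, look up and enumerate every registered service, and the auditallow rules that follow only log; nothing in the hunk denies. The per-domain auditallow rules elsewhere in this commit suggest this is a data-collection step meant to be replaced by explicit per-domain allows, but domain.te does not say so, and a later reader will take the blanket grant as intended policy. I would state it above the four rules: `# Temporary: blanket find/list so the auditallow rules below can record which` / `# lookups each domain performs; replace with per-domain allow rules once collected.` The neverallow section that follows is unchanged, so while the blanket rule exists no neverallow can pin an app domain away from a specific service without contradicting it.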
@@ -46,3 +46,7 @@ allow drmserver asec_apk_file:file { read getattr };
 allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
@@ -31,8 +31,13 @@ allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
+
 allow healthd healthd_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(healthd)
+auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
 unix_socket_connect(healthd, property, init)
diff --git a/inputflinger.te b/inputflinger.te
index 283bbba..4377a10 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -9,3 +9,7 @@ binder_service(inputflinger)
 binder_call(inputflinger, system_server)
 
 allow inputflinger inputflinger_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(inputflinger)
+auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
diff --git a/isolated_app.te b/isolated_app.te
index a156838..27b0e40 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,3 +18,7 @@ net_domain(isolated_app)
 # Needed to allow dlopen() from Chrome renderer processes.
 # See b/15902433 for details.
 allow isolated_app app_data_file:file execute;
+
+# Audited locally.
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app service_manager_type:service_manager find;
diff --git a/keystore.te b/keystore.te
index afa701c..f2c5039 100644
--- a/keystore.te
+++ b/keystore.te
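Review bot: The isolated_app auditallow has no exclusions, which reads as "isolated processes should never look up a service", yet the blanket `allow domain service_manager_type:service_manager find;` added in domain.te still grants it to them, so a Chrome renderer sandbox (the context comment names it) can find any service and the only consequence is a log line. If no lookup is expected, the tighter form is to exclude the domain at the source, `allow { domain -isolated_app } service_manager_type:service_manager find;`, and add `neverallow isolated_app service_manager_type:service_manager find;` here so the restriction is enforced rather than observed. If some lookup is in fact expected, a comment naming it would make the empty exclusion list look deliberate rather than accidental.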
@@ -28,5 +28,9 @@ neverallow domain keystore:process ptrace;
 
 allow keystore keystore_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(keystore)
+auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 55d1f20..52c593e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -79,3 +79,13 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+    service_manager_type
+    -drmserver_service
+    -mediaserver_service
+    -system_server_service
+    -surfaceflinger_service
+}:service_manager find;
@@ -15,3 +15,11 @@ allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 
 allow nfc nfc_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+    service_manager_type
+    -mediaserver_service
+    -system_server_service
+}:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 7ff8d62..a44e35d 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -27,3 +27,13 @@ allow platform_app media_rw_data_file:file create_file_perms;
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
+
+# Audited locally.
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+    service_manager_type
+    -mediaserver_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
@@ -28,3 +28,12 @@ auditallow radio system_radio_prop:property_service set;
 allow radio ctl_rildaemon_prop:property_service set;
 
 allow radio radio_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(radio)
+auditallow radio {
+    service_manager_type
+    -mediaserver_service
+    -radio_service
+    -system_server_service
+}:service_manager find;
diff --git a/servicemanager.te b/servicemanager.te
index f3dbca8..a928916 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -13,9 +13,5 @@ init_daemon_domain(servicemanager)
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager domain:binder transfer;
 
-# Get contexts of binder services that call servicemanager.
-allow servicemanager binderservicedomain:dir search;
-allow servicemanager binderservicedomain:file { read open };
-allow servicemanager binderservicedomain:process getattr;
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c508612..ff91993 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -59,6 +59,14 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 allow surfaceflinger surfaceflinger_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(surfaceflinger)
+auditallow surfaceflinger {
+    service_manager_type
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### Neverallow rules
 ###
diff --git a/system_app.te b/system_app.te
index 2a7421b..24b135e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -64,3 +64,12 @@ allow system_app keystore:keystore_key {
 };
 
 control_logd(system_app)
+
+# Audited locally.
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+    service_manager_type
+    -nfc_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
diff --git a/system_server.te b/system_server.te
index 9afd8af..5e217d4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -362,6 +362,18 @@ allow system_server pstorefs:file r_file_perms;
 
 allow system_server system_server_service:service_manager add;
 
+# Audited locally.
+service_manager_local_audit_domain(system_server)
+auditallow system_server {
+    service_manager_type
+    -healthd_service
+    -keystore_service
+    -mediaserver_service
+    -radio_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 allow system_server keystore:keystore_key {
 	test
 	get
@@ -109,6 +109,7 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
+service_manager_local_audit_domain($1)
 ')
 
 #####################################
@@ -149,6 +150,10 @@ allow $1 $3:unix_dgram_socket sendto;
 define(`binder_use', `
 # Call the servicemanager and transfer references to it.
 allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
 # all domains in domain.te.
 ')
@@ -354,3 +359,11 @@ define(`use_keystore', `
 allow keystore $1:process getattr;
 binder_call($1, keystore)
 ')
+
+###########################################
+# service_manager_local_audit_domain(domain)
+# Has its own auditallow rule on service_manager
+# and should be excluded from the domain.te auditallow.
+define(`service_manager_local_audit_domain', `
+  typeattribute $1 service_manager_local_audit;
+')
diff --git a/untrusted_app.te b/untrusted_app.te
index f29149e..346716a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
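Review bot: Adding `service_manager_local_audit_domain($1)` inside the app_domain macro (te_macros hunk at -109) excludes every app domain from the domain.te auditallow, but only the domains edited in this commit carry a local auditallow; any other domain built with app_domain — I cannot see the full list from here — would now have its service_manager find permission audited neither globally nor locally, which silently punches a hole in the data-collection this commit sets up. Either drop the line from the macro and call `service_manager_local_audit_domain` explicitly in each .te file that defines a local rule, as the non-app domains in this commit already do, or add a comment in the macro stating that every app_domain user must define its own auditallow. The define(`app_domain') block starts before this hunk.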
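Review bot: The three rules added to binder_use (te_macros hunk at -149) exist so servicemanager can call getpidcon on each caller, as the new comment says, and pid-based attribution is inherently racy: between the binder transaction and the /proc read behind getpidcon the pid can be reused, so a caller that exits at the right moment may be attributed the context of an unrelated process that inherits its pid. That is a property of the mechanism rather than of this patch, but it is now the trust anchor for every find/list decision the policy delegates to servicemanager, so I would record it next to the comment: `# servicemanager performs getpidcon on clients. NOTE: attribution is by pid and is` / `# best-effort; a pid recycled between the call and the /proc read is misattributed.` Moving these rules from binderservicedomain (servicemanager.te in this commit) into binder_use also widens the set of processes servicemanager may inspect to every binder client, which is what find/list checks need, but it assumes every domain that was in binderservicedomain also invokes binder_use; I cannot confirm that from the hunk.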
@@ -64,6 +64,17 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
+# Audited locally.
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+    service_manager_type
+    -drmserver_service
+    -mediaserver_service
+    -nfc_service
+    -surfaceflinger_service
+    -system_server_service
+}:service_manager find;
+
 ###
 ### neverallow rules
 ### |
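Review bot: The `# Audited locally.` comment on the untrusted_app hunk does not say what the exclusion list means, and for the domain with the least-trusted callers that matters: the find permission itself comes from the blanket `allow domain service_manager_type:service_manager find;` in domain.te, so untrusted apps can today look up every registered service, including ones absent from this list, and the rule below merely stops logging the five expected ones. I would replace the comment with: `# untrusted_app may find any service through the blanket allow in domain.te; the` / `# services excluded below are the expected lookups, anything else is logged so the` / `# blanket grant can later be replaced by an explicit per-service allow list.` The neverallow section that follows is unchanged by this commit.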