-rw-r--r--Android.mk3
-rw-r--r--access_vectors10
-rw-r--r--adbd.te11
-rw-r--r--app.te2
-rw-r--r--attributes3
-rw-r--r--binderservicedomain.te2
-rw-r--r--bluetooth.te12
-rw-r--r--clatd.te11
-rw-r--r--device.te1
-rw-r--r--dhcp.te6
-rw-r--r--domain.te79
-rw-r--r--dumpstate.te1
-rw-r--r--file.te10
-rw-r--r--file_contexts19
-rw-r--r--fingerprintd.te23
-rw-r--r--gatekeeperd.te3
-rw-r--r--genfs_contexts4
-rw-r--r--healthd.te11
-rw-r--r--init.te16
-rw-r--r--install_recovery.te4
-rw-r--r--installd.te10
-rw-r--r--ioctl_macros11
-rw-r--r--isolated_app.te3
-rw-r--r--kernel.te12
-rw-r--r--keystore.te2
-rw-r--r--logd.te9
-rw-r--r--mediaserver.te5
-rw-r--r--netd.te7
-rw-r--r--nfc.te3
-rw-r--r--perfprofd.te56
-rw-r--r--procrank.te2
-rw-r--r--property.te1
-rw-r--r--property_contexts3
-rw-r--r--radio.te11
-rw-r--r--recovery.te11
-rw-r--r--rild.te7
-rw-r--r--sdcardd.te10
-rw-r--r--security_classes1
-rw-r--r--service.te6
-rw-r--r--service_contexts4
-rw-r--r--shell.te13
-rw-r--r--slideshow.te4
-rw-r--r--su.te1
-rw-r--r--surfaceflinger.te7
-rw-r--r--system_app.te32
-rw-r--r--system_server.te48
-rw-r--r--te_macros39
-rw-r--r--tools/Android.mk11
-rw-r--r--tools/sepolicy-analyze/Android.mk3
-rw-r--r--ueventd.te7
-rw-r--r--uncrypt.te8
-rw-r--r--untrusted_app.te21
-rw-r--r--vold.te35
-rw-r--r--watchdogd.te7
-rw-r--r--zygote.te15
55 files changed, 465 insertions, 191 deletions
diff --git a/Android.mk b/Android.mk
index 3635a01..1b903bd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@ include $(CLEAR_VARS)
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 26
+POLICYVERS ?= 30
MLS_SENS=1
MLS_CATS=1024
@@ -36,6 +36,7 @@ sepolicy_build_files := security_classes \
policy_capabilities \
te_macros \
attributes \
+ ioctl_macros \
*.te \
roles \
users \
diff --git a/access_vectors b/access_vectors
index 65b7e22..c280f08 100644
--- a/access_vectors
+++ b/access_vectors
@@ -890,26 +890,24 @@ class service_manager
class keystore_key
{
- test
+ get_state
get
insert
delete
exist
- saw
+ list
reset
password
lock
unlock
- zero
+ is_empty
sign
verify
grant
duplicate
clear_uid
- reset_uid
- sync_uid
- password_uid
add_auth
+ user_changed
}
class debuggerd
diff --git a/adbd.te b/adbd.te
index 57b1e48..7ca63d6 100644
--- a/adbd.te
+++ b/adbd.te
@@ -42,10 +42,9 @@ allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-unix_socket_connect(adbd, property, init)
-allow adbd shell_prop:property_service set;
-allow adbd powerctl_prop:property_service set;
-allow adbd ffs_prop:property_service set;
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
@@ -74,10 +73,6 @@ allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
-# b/18078338 - allow read access to executable types on /system
-# to assist with debugging OTA issues.
-allow adbd exec_type:file r_file_perms;
-
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
diff --git a/app.te b/app.te
index af8c508..40de074 100644
--- a/app.te
+++ b/app.te
@@ -185,7 +185,7 @@ control_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore({ appdomain -isolated_app })
diff --git a/attributes b/attributes
index a9b211f..e42edd6 100644
--- a/attributes
+++ b/attributes
@@ -73,6 +73,3 @@ attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
-
-# All domains that are excluded from the domain.te auditallow.
-attribute service_manager_local_audit;
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 82c733d..0bfd33a 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,6 @@ allow binderservicedomain console_device:chr_file rw_file_perms;
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
-allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore(binderservicedomain)
diff --git a/bluetooth.te b/bluetooth.te
index 890c1d9..a79023d 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -38,16 +38,13 @@ allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read
allow bluetooth self:tun_socket create_socket_perms;
allow bluetooth efs_file:dir search;
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
# proc access.
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth pan_result_prop:property_service set;
-allow bluetooth ctl_dhcp_pan_prop:property_service set;
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+set_prop(bluetooth, ctl_dhcp_pan_prop)
allow bluetooth bluetooth_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
@@ -56,6 +53,9 @@ allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+# Bluetooth Sim Access Profile Socket to the RIL
+unix_socket_connect(bluetooth, sap_uim, rild)
+
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
# /data/data/com.android.shell/files/bugreports/bugreport-*.
diff --git a/clatd.te b/clatd.te
index 5c52bdb..21c9ca9 100644
--- a/clatd.te
+++ b/clatd.te
@@ -19,11 +19,12 @@ allow clatd self:capability { net_admin net_raw setuid setgid };
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
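Review bot: The justification comment now points at `https://b.corp.google.com/issues/21736319`, an internal tracker URL that readers of this public tree cannot open; elsewhere in this same commit the bug is cited in the public shorthand form (`# b/18078338` in adbd.te). Consider `# See https://android-review.googlesource.com/127940 and b/21736319`. Switching this rule from `dontaudit` to `allow` is a real privilege widening, so keeping the reason reachable matters more than usual here.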
diff --git a/device.te b/device.te
index c155fcc..b2f4f1d 100644
--- a/device.te
+++ b/device.te
@@ -12,6 +12,7 @@ type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type;
+type rtc_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type cpuctl_device, dev_type;
diff --git a/dhcp.te b/dhcp.te
index 32a6ccc..cbf105c 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,9 +13,9 @@ allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
-allow dhcp dhcp_prop:property_service set;
-allow dhcp pan_result_prop:property_service set;
-unix_socket_connect(dhcp, property, init)
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/domain.te b/domain.te
index 7bc2292..0f6c6da 100644
--- a/domain.te
+++ b/domain.te
@@ -6,6 +6,7 @@ allow domain init:process sigchld;
# Read access to properties mapping.
allow domain kernel:fd use;
allow domain tmpfs:file { read getattr };
+allow domain tmpfs:lnk_file { read getattr };
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
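Review bot: `allow domain tmpfs:lnk_file { read getattr };` is a grant to every process on the device, yet it sits under the "Read access to properties mapping" comment, which does not explain which tmpfs symlink all domains need to follow; the same applies to `allow domain vold:key search;` in the next hunk, which has no comment at all. Domain-wide rules in this file otherwise carry a one-line justification, so each of these should say what path or keyring it serves, e.g. `# <path of the tmpfs symlink every domain reads> — TODO fill in` and `# Search vold's keyring for <purpose> — TODO fill in`. Without that, later tightening of domain.te cannot tell whether either rule is still needed.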
@@ -93,6 +94,7 @@ allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
allow domain init:key search;
+allow domain vold:key search;
# logd access
write_logd(domain)
@@ -182,10 +184,17 @@ neverallow {
-dumpstate
-system_server
userdebug_or_eng(`-procrank')
+ userdebug_or_eng(`-perfprofd')
} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
@@ -267,7 +276,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_fi
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
@@ -306,7 +315,7 @@ neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
@@ -350,6 +359,14 @@ neverallow {
-dex2oat
} dalvikcache_data_file:file no_w_file_perms;
+neverallow {
+ domain
+ -init
+ -installd
+ -dex2oat
+ -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
neverallow { domain -system_server } zygote_socket:sock_file write;
@@ -400,3 +417,59 @@ neverallow domain {
# neverallow { domain -appdomain } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -uncrypt # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
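Review bot: The uncrypt exemption from the `app_data_file:lnk_file read` neverallow is unconditional and marked only `# TODO: see if we can remove`, while the parallel `shell_data_file:lnk_file read` rule below gates the same exemption behind `userdebug_or_eng`; the TODO should record which app-data symlink uncrypt follows on user builds so the follow-up can judge it, or the exemption should be gated the same way if it is only needed for debugging. Separately, the header comment `# Only system_app and system_server should be creating or writing their files.` above the system_data_file neverallow does not mention init and installd, which the rule also exempts; `# Only system_app and system_server (plus init, and installd for relabelfrom/unlink) should be creating or writing these files.` would match the rule as written.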
diff --git a/dumpstate.te b/dumpstate.te
index 43daac4..584b140 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,5 @@ allow dumpstate tombstone_data_file:file r_file_perms;
allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
-service_manager_local_audit_domain(dumpstate)
allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/file.te b/file.te
index 7bd3843..555b89f 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@ type rootfs, fs_type;
type proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
@@ -13,6 +15,8 @@ type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
+type proc_uid_cputime_showstat, fs_type;
+type proc_uid_cputime_removeuid, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
@@ -116,6 +120,7 @@ type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
+type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
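Review bot: `perfprofd_data_file` is declared `mlstrustedobject`, unlike the neighbouring `data_file_type` declarations in this hunk (wifi_data_file, zoneinfo_data_file, vold_data_file), and nothing in the commit says which subject at a different MLS level needs to reach these files. perfprofd itself is declared `mlstrustedsubject` in perfprofd.te, so the object-side attribute may be unnecessary for its own access; if another domain must read or write the profiles across levels, a comment such as `# mlstrustedobject: accessed by <domain> at app level — TODO confirm` would justify keeping it, otherwise it should be dropped.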
@@ -149,6 +154,8 @@ type security_file, file_type;
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
+# Type for fingerprint template file.
+type fingerprintd_data_file, file_type, data_file_type;
# Socket types
type adbd_socket, file_type;
@@ -164,6 +171,7 @@ type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
type mdnsd_socket, file_type, mlstrustedobject;
+type misc_logd_file, file_type;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
@@ -175,7 +183,7 @@ type system_ndebug_socket, file_type;
type vold_socket, file_type;
type wpa_socket, file_type;
type zygote_socket, file_type;
-
+type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/file_contexts b/file_contexts
index 0fc096d..d964f9b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,9 +77,12 @@
/dev/random u:object_r:random_device:s0
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/sap_uim_socket[0-9] u:object_r:sap_uim_socket:s0
+/dev/socket/cryptd u:object_r:vold_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
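Review bot: Labeling `/dev/socket/cryptd` as `vold_socket` means every domain that may write to vold's command socket can reach cryptd through the same type, since policy cannot distinguish two sock_files carrying one label. If cryptd is meant for a narrower set of clients than vold's main socket, it needs its own file type declared in file.te rather than reusing `vold_socket`; if sharing the type is intentional, a comment on this line saying so would save the next reviewer the question. The new `sap_uim_socket` entry does get a dedicated type, so this is the only shared-label addition in the hunk.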
@@ -147,6 +150,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
@@ -159,6 +163,8 @@
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/xbin/procrank u:object_r:procrank_exec:s0
+/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
+/system/xbin/simpleperf u:object_r:system_file:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/hostapd u:object_r:hostapd_exec:s0
@@ -184,9 +190,11 @@
/vendor/bin/gpsd u:object_r:gpsd_exec:s0
#############################
-# ODM files
+# OEM and ODM files
#
-/odm(/.*)? u:object_r:system_file:s0
+/odm(/.*)? u:object_r:system_file:s0
+/oem(/.*)? u:object_r:oemfs:s0
+
#############################
# Data files
@@ -232,6 +240,7 @@
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
@@ -245,8 +254,12 @@
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
@@ -261,6 +274,7 @@
/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
@@ -300,4 +314,5 @@
# external storage
/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
diff --git a/fingerprintd.te b/fingerprintd.te
new file mode 100644
index 0000000..4ceb68d
--- /dev/null
+++ b/fingerprintd.te
@@ -0,0 +1,23 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+# fingerprintd
+init_daemon_domain(fingerprintd)
+binder_use(fingerprintd)
+
+# need to find KeyStore and add self
+allow fingerprintd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
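Review bot: The comments in this new file do not match the rules beneath them: the line above `allow fingerprintd fingerprintd_data_file:file { create_file_perms };` says "read dir contents" although the rule grants create/read/write/unlink on files, and the line above the `fingerprintd_data_file:dir rw_dir_perms` rule talks about unlinking contents; consider `# fingerprint template files: create, read, write and unlink` and `# template directory: list, add and remove entries`. fingerprintd registers itself with service_manager (`fingerprintd_service:service_manager { add find }`) but, unlike gatekeeperd in this same commit (which gains `binder_service(gatekeeperd)`), it is not declared with `binder_service(fingerprintd)` — confirm whether it should be a binderservicedomain. Style: `binder_call(fingerprintd, system_server);` carries a trailing semicolon and `{ create_file_perms }` wraps a single macro in braces, neither of which the other macro invocations in this file do.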
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 39d9d21..ca540c6 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -3,6 +3,7 @@ type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd
init_daemon_domain(gatekeeperd)
+binder_service(gatekeeperd)
binder_use(gatekeeperd)
allow gatekeeperd tee_device:chr_file rw_file_perms;
@@ -16,6 +17,8 @@ allow gatekeeperd keystore:keystore_key { add_auth };
# For permissions checking
allow gatekeeperd system_server:binder call;
allow gatekeeperd permission_service:service_manager find;
+# For parent user ID lookup
+allow gatekeeperd user_service:service_manager find;
# for SID file access
allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
diff --git a/genfs_contexts b/genfs_contexts
index 4b16ffc..cdf65bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,10 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
diff --git a/healthd.te b/healthd.te
index 2ea825c..cd5429b 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,12 +2,10 @@
# it lives in the rootfs and has no unique file type.
type healthd, domain;
-write_klog(healthd)
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by healthd.
-allow healthd tmpfs:chr_file { read write };
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
-allow healthd self:capability { net_admin mknod sys_tty_config };
+allow healthd self:capability { net_admin sys_tty_config };
wakelock_use(healthd)
allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
binder_use(healthd)
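Review bot: `allow healthd kmsg_device:chr_file rw_file_perms;` grants read as well as write on /dev/kmsg, but the comment above it says only "Write to /dev/kmsg", and logd.te in this same commit uses `w_file_perms` for the same device. Unless healthd actually reads the kernel log, `allow healthd kmsg_device:chr_file w_file_perms;` is the least-privilege form and keeps the rule consistent with its comment. Dropping `mknod` from healthd's capabilities lines up with the narrowed mknod neverallow in domain.te.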
@@ -42,5 +40,4 @@ allow healthd healthd_service:service_manager { add find };
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
-unix_socket_connect(healthd, property, init)
-allow healthd system_prop:property_service set;
+set_prop(healthd, system_prop)
diff --git a/init.te b/init.te
index 9f624ba..41eafe2 100644
--- a/init.te
+++ b/init.te
@@ -96,7 +96,7 @@ allow init rootfs:file relabelfrom;
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
+allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -122,8 +122,10 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
allow init security_file:dir { create setattr };
# Reload policy upon setprop selinux.reload_policy 1.
+# Note: this requires the following allow rule
+# allow init kernel:security load_policy;
+# which can be configured on a device-by-device basis if needed.
r_dir_file(init, security_file)
-allow init kernel:security load_policy;
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
@@ -161,6 +163,10 @@ recovery_only(`
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ domain_auto_trans(init, logcat_exec, logd)
+')
# Support "adb shell stop"
allow init self:capability kill;
@@ -257,11 +263,7 @@ allow init pstorefs:file r_file_perms;
# linux keyring configuration
allow init init:key { write search setattr };
-# Allow init to link temp fs to unencrypted data on userdata
-allow init tmpfs:lnk_file { create read getattr relabelfrom };
-
-# Allow init to manipulate /data/unencrypted
-allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow init to create /data/unencrypted
allow init unencrypted_data_file:dir create_dir_perms;
unix_socket_connect(init, vold, vold)
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..2d80b08 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@ allow install_recovery cache_file:dir rw_dir_perms;
allow install_recovery cache_file:file create_file_perms;
# Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/installd.te b/installd.te
index 3f685f1..bc4c23e 100644
--- a/installd.te
+++ b/installd.te
@@ -5,10 +5,16 @@ type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file { rename unlink };
+
+# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create read unlink };
+
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
@@ -16,7 +22,7 @@ allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
-allow installd mnt_expand_file:dir search;
+allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
diff --git a/ioctl_macros b/ioctl_macros
new file mode 100644
index 0000000..e71e0ce
--- /dev/null
+++ b/ioctl_macros
@@ -0,0 +1,11 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')
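Review bot: The comment on the wireless-extensions range says only get/set ESSID are excluded, but the ranges `0x8B00-0x8B09 0x8B1C-0x8BFF` also leave out 0x8B0A–0x8B19, so either the comment understates the exclusion or the first range was meant to end at 0x8B19. Since the narrower whitelist is the safer default for unprivileged apps, the comment is the part to fix, e.g. `# wireless extensions ioctls, excluding 0x8B0A-0x8B1B (which includes SIOCSIWESSID 0x8B1A / SIOCGIWESSID 0x8B1B)`. `IOCSIWESSID` on the line above is also missing its leading S (`SIOCSIWESSID`).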
diff --git a/isolated_app.te b/isolated_app.te
index 1cede96..330f0af 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,7 +18,8 @@ allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find;
-service_manager_local_audit_domain(isolated_app)
+# only allow unprivileged socket ioctl commands
+allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
#####
##### Neverallow
diff --git a/kernel.te b/kernel.te
index 72325c2..6747d1c 100644
--- a/kernel.te
+++ b/kernel.te
@@ -24,6 +24,18 @@ dontaudit kernel self:security setenforce;
# Write to /proc/1/oom_adj prior to switching to init domain.
allow kernel self:capability sys_resource;
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/__kmsg__ which was created prior to
+# loading policy
+allow kernel tmpfs:chr_file write;
+
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;
diff --git a/keystore.te b/keystore.te
index 3561fed..83a0e85 100644
--- a/keystore.te
+++ b/keystore.te
@@ -23,7 +23,7 @@ selinux_check_access(keystore)
### Protect ourself from others
###
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -keystore -init } keystore_data_file:dir *;
diff --git a/logd.te b/logd.te
index 8c28b48..b0d978f 100644
--- a/logd.te
+++ b/logd.te
@@ -10,6 +10,10 @@ allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
allow logd system_data_file:file r_file_perms;
+allow logd misc_logd_file:file create_file_perms;
+allow logd misc_logd_file:dir rw_dir_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
r_dir_file(logd, domain)
@@ -17,6 +21,11 @@ allow logd kernel:system syslog_mod;
control_logd(logd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ unix_socket_connect(logd, logdr, logd)
+')
+
###
### Neverallow rules
###
diff --git a/mediaserver.te b/mediaserver.te
index d269097..0299466 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -6,7 +6,6 @@ typeattribute mediaserver mlstrustedsubject;
net_domain(mediaserver)
init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
r_dir_file(mediaserver, sdcard_type)
@@ -27,7 +26,8 @@ allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
allow mediaserver audio_device:dir r_dir_perms;
allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
+
+set_prop(mediaserver, audio_prop)
# Access audio devices at all.
allow mediaserver audio_device:chr_file rw_file_perms;
@@ -80,6 +80,7 @@ allow mediaserver tee:unix_stream_socket connectto;
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
+allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
diff --git a/netd.te b/netd.te
index f84b452..d4c5153 100644
--- a/netd.te
+++ b/netd.te
@@ -30,9 +30,8 @@ allow netd proc_net:file write;
allow netd sysfs:file write;
# Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd dhcp_prop:property_service set;
-allow netd system_prop:property_service set;
+set_prop(netd, dhcp_prop)
+set_prop(netd, system_prop)
auditallow netd system_prop:property_service set;
# Connect to PAN
@@ -62,7 +61,7 @@ allow netd dnsmasq:process signal;
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;
-allow netd ctl_mdnsd_prop:property_service set;
+set_prop(netd, ctl_mdnsd_prop)
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
diff --git a/nfc.te b/nfc.te
index 8528b4f..71841be 100644
--- a/nfc.te
+++ b/nfc.te
@@ -5,8 +5,7 @@ net_domain(nfc)
binder_service(nfc)
# Set NFC properties
-unix_socket_connect(nfc, property, init)
-allow nfc nfc_prop:property_service set;
+set_prop(nfc, nfc_prop)
# NFC device access.
allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/perfprofd.te b/perfprofd.te
new file mode 100644
index 0000000..58cb3e2
--- /dev/null
+++ b/perfprofd.te
@@ -0,0 +1,56 @@
+# perfprofd - perf profile collection daemon
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+ type perfprofd, domain, mlstrustedsubject;
+
+ init_daemon_domain(perfprofd)
+
+ # perfprofd needs to control CPU hot-plug in order to avoid kernel
+ # perfevents problems in cases where CPU goes on/off during measurement;
+ # this means read access to /sys/devices/system/cpu/possible
+ # and read/write access to /sys/devices/system/cpu/cpu*/online
+ allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+ # perfprofd checks for the existence of and then invokes simpleperf;
+ # simpleperf retains perfprofd domain after exec
+ allow perfprofd system_file:file rx_file_perms;
+
+ # perfprofd reads a config file from /data/data/com.google.android.gms/files
+ allow perfprofd app_data_file:file r_file_perms;
+ allow perfprofd app_data_file:dir search;
+ allow perfprofd self:capability { dac_override };
+
+ # perfprofd opens a file for writing in /data/misc/perfprofd
+ allow perfprofd perfprofd_data_file:file create_file_perms;
+ allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+
+ # perfprofd uses the system log
+ read_logd(perfprofd);
+ write_logd(perfprofd);
+
+ # perfprofd inspects /sys/power/wake_unlock
+ wakelock_use(perfprofd);
+
+ # simpleperf uses ioctl() to turn on kernel perf events measurements
+ allow perfprofd self:capability sys_admin;
+
+ # simpleperf needs to examine /proc to collect task/thread info
+ r_dir_file(perfprofd, domain)
+
+ # simpleperf needs to access /proc/<pid>/exec
+ allow perfprofd self:capability { sys_resource sys_ptrace };
+ neverallow perfprofd domain:process ptrace;
+
+ # simpleperf needs open/read any file that turns up in a profile
+ # to see whether it has a build ID
+ allow perfprofd exec_type:file r_file_perms;
+
+ # simpleperf is going to execute "sleep"
+ allow perfprofd toolbox_exec:file x_file_perms;
+
+ # needed for simpleperf on some kernels
+ allow perfprofd self:capability ipc_lock;
+
+')
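Review bot: The rule `allow perfprofd app_data_file:file r_file_perms;` together with `allow perfprofd app_data_file:dir search;` and `self:capability { dac_override }` grants read access to every app's private data, while the comment above it names only the GMS config directory. There is no dedicated type for that directory, so the rule cannot be narrowed in policy alone, but the comment should state the real scope, e.g. `# NOTE: app_data_file covers every app's private data; dac_override also bypasses the DAC check`. The same understatement applies to `r_dir_file(perfprofd, domain)`, which (as in shell.te) is read access to the /proc entries of every domain rather than only task names. The domain is wrapped in userdebug_or_eng so none of this reaches user builds; the stray `;` after the macro invocations (`read_logd(perfprofd);`, `wakelock_use(perfprofd);`) is inconsistent with the other .te files, where macro calls are not terminated.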
diff --git a/procrank.te b/procrank.te
index 680d549..1aaaad0 100644
--- a/procrank.te
+++ b/procrank.te
@@ -12,4 +12,6 @@ userdebug_or_eng(`
r_dir_file(procrank, domain)
allow procrank { shell dumpstate }:fd use;
allow procrank adbd:process sigchld;
+ # allow procrank write to bugreport.
+ allow procrank shell_data_file:file w_file_perms;
')
diff --git a/property.te b/property.te
index 94ae714..e046f42 100644
--- a/property.te
+++ b/property.te
@@ -21,6 +21,7 @@ type ctl_bugreport_prop, property_type;
type ctl_console_prop, property_type;
type audio_prop, property_type;
type logd_prop, property_type;
+type restorecon_prop, property_type;
type security_prop, property_type;
type bluetooth_prop, property_type;
type pan_result_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 1844910..5bdb3c3 100644
--- a/property_contexts
+++ b/property_contexts
@@ -41,7 +41,8 @@ persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
# selinux non-persistent properties
-selinux. u:object_r:security_prop:s0
+selinux.restorecon_recursive u:object_r:restorecon_prop:s0
+selinux. u:object_r:security_prop:s0
# default property context
* u:object_r:default_prop:s0
diff --git a/radio.te b/radio.te
index 92f18d2..a01a113 100644
--- a/radio.te
+++ b/radio.te
@@ -5,9 +5,6 @@ net_domain(radio)
bluetooth_domain(radio)
binder_service(radio)
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
# Talks to rild via the rild socket.
unix_socket_connect(radio, rild, rild)
@@ -21,14 +18,14 @@ allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
# Property service
-allow radio radio_prop:property_service set;
-allow radio net_radio_prop:property_service set;
-allow radio system_radio_prop:property_service set;
+set_prop(radio, radio_prop)
+set_prop(radio, system_radio_prop)
+set_prop(radio, net_radio_prop)
auditallow radio net_radio_prop:property_service set;
auditallow radio system_radio_prop:property_service set;
# ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+set_prop(radio, ctl_rildaemon_prop)
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
diff --git a/recovery.te b/recovery.te
index 8576356..8d6fd62 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@ recovery_only(`
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
- # TODO: create more specific label?
- allow recovery proc:file w_file_perms;
+ allow recovery proc_drop_caches:file w_file_perms;
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
@@ -77,12 +76,14 @@ recovery_only(`
allow recovery cache_file:dir create_dir_perms;
allow recovery cache_file:file create_file_perms;
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
# Reboot the device
- allow recovery powerctl_prop:property_service set;
- unix_socket_connect(recovery, property, init)
+ set_prop(recovery, powerctl_prop)
# Start/stop adbd via ctl.start adbd
- allow recovery ctl_default_prop:property_service set;
+ set_prop(recovery, ctl_default_prop)
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
diff --git a/rild.te b/rild.te
index d8e48d5..549a4aa 100644
--- a/rild.te
+++ b/rild.te
@@ -6,7 +6,6 @@ init_daemon_domain(rild)
net_domain(rild)
allow rild self:netlink_route_socket nlmsg_write;
allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
allow rild self:capability { setuid net_admin net_raw };
allow rild alarm_device:chr_file rw_file_perms;
allow rild cgroup:dir create_dir_perms;
@@ -26,9 +25,9 @@ allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
# property service
-allow rild radio_prop:property_service set;
-allow rild net_radio_prop:property_service set;
-allow rild system_radio_prop:property_service set;
+set_prop(rild, radio_prop)
+set_prop(rild, net_radio_prop)
+set_prop(rild, system_radio_prop)
auditallow rild net_radio_prop:property_service set;
auditallow rild system_radio_prop:property_service set;
diff --git a/sdcardd.te b/sdcardd.te
index cd2bc64..a664820 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,8 +1,6 @@
type sdcardd, domain;
type sdcardd_exec, exec_type, file_type;
-init_daemon_domain(sdcardd) # TODO: deprecated in M
-
allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
@@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr };
# Allow running on top of expanded storage
allow sdcardd mnt_expand_file:dir search;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/security_classes b/security_classes
index 9cd3f1c..c0c9659 100644
--- a/security_classes
+++ b/security_classes
@@ -132,7 +132,6 @@ class db_sequence # userspace
class db_language # userspace
class binder
-class zygote
# Property service
class property_service # userspace
diff --git a/service.te b/service.te
index da01071..56478d0 100644
--- a/service.te
+++ b/service.te
@@ -1,10 +1,11 @@
type bluetooth_service, service_manager_type;
type default_android_service, service_manager_type;
type drmserver_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
type healthd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
-type gatekeeper_service, service_manager_type;
type mediaserver_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
@@ -24,6 +25,7 @@ type backup_service, app_api_service, system_server_service, service_manager_typ
type batterystats_service, app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, system_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
@@ -34,7 +36,7 @@ type country_detector_service, system_api_service, system_server_service, servic
type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, system_server_service, service_manager_type;
+type deviceidle_service, system_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 49773b7..85dcd3d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,6 +39,7 @@ drm.drmManager u:object_r:drmserver_service:s0
dropbox u:object_r:dropbox_service:s0
ethernet u:object_r:ethernet_service:s0
fingerprint u:object_r:fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
hardware u:object_r:hardware_service:s0
@@ -62,8 +63,11 @@ lock_settings u:object_r:lock_settings_service:s0
media.audio_flinger u:object_r:mediaserver_service:s0
media.audio_policy u:object_r:mediaserver_service:s0
media.camera u:object_r:mediaserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.radio u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
media_projection u:object_r:media_projection_service:s0
media_router u:object_r:media_router_service:s0
diff --git a/shell.te b/shell.te
index e7ea149..1be9eec 100644
--- a/shell.te
+++ b/shell.te
@@ -15,6 +15,9 @@ control_logd(shell)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
+# logpersistd (nee logcatd) files
+allow shell misc_logd_file:dir r_dir_perms;
+allow shell misc_logd_file:file r_file_perms;
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
@@ -41,11 +44,10 @@ allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
# Set properties.
-unix_socket_connect(shell, property, init)
-allow shell shell_prop:property_service set;
-allow shell ctl_dumpstate_prop:property_service set;
-allow shell debug_prop:property_service set;
-allow shell powerctl_prop:property_service set;
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
@@ -61,7 +63,6 @@ allow shell kernel:system syslog_read;
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
-service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr };
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e..86d4bff 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@
# it lives in the rootfs and has no unique file type.
type slideshow, domain;
-write_klog(slideshow)
+allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow self:capability sys_tty_config;
allow slideshow graphics_device:dir r_dir_perms;
allow slideshow graphics_device:chr_file rw_file_perms;
allow slideshow input_device:dir r_dir_perms;
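Review bot: `allow slideshow kmsg_device:chr_file rw_file_perms;` widens what the removed write_klog macro granted: the macro (see the te_macros hunk) allowed only `{ create open write unlink }` on the klog device, never read, and read on the kernel log device exposes kernel log contents to this domain. If slideshow only emits log lines, `allow slideshow kmsg_device:chr_file w_file_perms;` keeps the previous write-only scope. The same replacement is made in vold.te and watchdogd.te in this commit and the same narrowing applies there. Dropping `mknod` from the capability set in this hunk is the right direction.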
diff --git a/su.te b/su.te
index 9c01fc5..d4a488b 100644
--- a/su.te
+++ b/su.te
@@ -50,5 +50,4 @@ userdebug_or_eng(`
dontaudit su domain:debuggerd *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
- service_manager_local_audit_domain(su)
')
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c85df82..26a4e48 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -5,9 +5,6 @@ type surfaceflinger_exec, exec_type, file_type;
init_daemon_domain(surfaceflinger)
typeattribute surfaceflinger mlstrustedsubject;
-# Talk to init over the property socket.
-unix_socket_connect(surfaceflinger, property, init)
-
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
@@ -37,8 +34,8 @@ allow surfaceflinger video_device:chr_file rw_file_perms;
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
# Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_bootanim_prop:property_service set;
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
diff --git a/system_app.te b/system_app.te
index 895ff71..08e3f5c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -27,19 +27,21 @@ allow system_app misc_user_data_file:file create_file_perms;
auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
auditallow system_app system_data_file:file { create setattr append write link unlink rename };
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
# Write to properties
-unix_socket_connect(system_app, property, init)
-allow system_app debug_prop:property_service set;
-allow system_app net_radio_prop:property_service set;
-allow system_app system_radio_prop:property_service set;
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, ctl_bugreport_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
-allow system_app system_prop:property_service set;
-allow system_app ctl_bugreport_prop:property_service set;
-allow system_app logd_prop:property_service set;
# Create /data/anr/traces.txt.
allow system_app anr_data_file:dir ra_dir_perms;
@@ -48,31 +50,27 @@ allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-allow system_app mediaserver_service:service_manager find;
-allow system_app nfc_service:service_manager find;
-allow system_app radio_service:service_manager find;
-allow system_app surfaceflinger_service:service_manager find;
-allow system_app system_app_service:service_manager add;
-allow system_app app_api_service:service_manager find;
-allow system_app system_api_service:service_manager find;
+allow system_app servicemanager:service_manager list;
+allow system_app service_manager_type:service_manager find;
allow system_app keystore:keystore_key {
- test
+ get_state
get
insert
delete
exist
- saw
+ list
reset
password
lock
unlock
- zero
+ is_empty
sign
verify
grant
duplicate
clear_uid
+ user_changed
};
control_logd(system_app)
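Review bot: The removed `allow system_app system_app_service:service_manager add;` has no replacement in this hunk, so unless `add` is re-granted elsewhere in this commit (app.te is touched), system apps lose the ability to register their own service. Replacing the enumerated list with `allow system_app service_manager_type:service_manager find;` also widens find to every current and future service, including gatekeeper_service, which shell.te in the same commit still excludes explicitly; if that is intended, a comment such as `# system_app may find any service, including gatekeeper_service` makes the choice visible to the next reader. The new `servicemanager:service_manager list` grant is likewise unexplained by the surrounding comments.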
diff --git a/system_server.te b/system_server.te
index d8e5978..0b18eb4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,12 @@ r_dir_file(system_server, domain)
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
@@ -105,7 +111,6 @@ allow system_server self:tun_socket create_socket_perms;
allow system_server init:process sigchld;
# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
@@ -123,6 +128,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)
@@ -162,8 +168,11 @@ allow system_server usbaccessory_device:chr_file rw_file_perms;
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
-allow system_server audio_device:chr_file r_file_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
# tun device used for 3rd party vpn apps
allow system_server tun_device:chr_file rw_file_perms;
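Review bot: `allow system_server rtc_device:chr_file rw_file_perms;` is added without the why-comment the neighbouring rules carry (the MIDI line just below is a good model), and write on the RTC device presumably includes setting the hardware clock. A comment naming the consumer, e.g. `# rtc_device access for <component>` (fill in the actual caller), keeps the grant reviewable later; if only reading the clock is needed, `r_file_perms` is the narrower choice.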
@@ -273,18 +282,18 @@ allow system_server system_data_file:dir relabelfrom;
allow system_server anr_data_file:dir relabelto;
# Property Service write
-allow system_server system_prop:property_service set;
-allow system_server dhcp_prop:property_service set;
-allow system_server net_radio_prop:property_service set;
-allow system_server system_radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-allow system_server fingerprint_prop:property_service set;
+set_prop(system_server, system_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
# ctl interface
-allow system_server ctl_default_prop:property_service set;
-allow system_server ctl_dhcp_pan_prop:property_service set;
-allow system_server ctl_bugreport_prop:property_service set;
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_dhcp_pan_prop)
+set_prop(system_server, ctl_bugreport_prop)
# Create a socket for receiving info from wpa.
type_transition system_server wifi_data_file:sock_file system_wpa_socket;
@@ -302,6 +311,7 @@ allow system_server system_ndebug_socket:sock_file create_file_perms;
# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
+allow system_server cache_file:fifo_file create_file_perms;
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
@@ -367,6 +377,7 @@ allow system_server drmserver_service:service_manager find;
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -374,26 +385,24 @@ allow system_server system_server_service:service_manager { add find };
allow system_server surfaceflinger_service:service_manager find;
allow system_server keystore:keystore_key {
- test
+ get_state
get
insert
delete
exist
- saw
+ list
reset
password
lock
unlock
- zero
+ is_empty
sign
verify
grant
duplicate
clear_uid
- reset_uid
- sync_uid
- password_uid
add_auth
+ user_changed
};
# Allow system server to search and write to the persistent factory reset
@@ -418,6 +427,9 @@ allow system_server sdcard_type:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
+# Allow system process to relabel the fingerprint directory after mkdir
+allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+
###
### Neverallow rules
###
diff --git a/te_macros b/te_macros
index fae0e3a..70b1883 100644
--- a/te_macros
+++ b/te_macros
@@ -118,12 +118,32 @@ typeattribute $1 bluetoothdomain;
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+')
+
+#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.
@@ -255,17 +275,6 @@ allow $1 kernel:system syslog_read;
')
#####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-define(`write_klog', `
-type_transition $1 device:chr_file klog_device "__kmsg__";
-allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { write add_name remove_name };
-')
-
-#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
@@ -338,14 +347,6 @@ define(`use_keystore', `
')
###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
- typeattribute $1 service_manager_local_audit;
-')
-
-###########################################
# use_drmservice(domain)
# Ability to use DrmService which requires
# DrmService to call getpidcon.
diff --git a/tools/Android.mk b/tools/Android.mk
index d749dd6..2a2e83d 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -4,10 +4,11 @@ include $(CLEAR_VARS)
LOCAL_MODULE := checkseapp
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include/
+LOCAL_C_INCLUDES := external/selinux/libsepol/include/
LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
LOCAL_SRC_FILES := check_seapp.c
LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)
@@ -16,11 +17,12 @@ include $(CLEAR_VARS)
LOCAL_MODULE := checkfc
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include \
+LOCAL_C_INCLUDES := external/selinux/libsepol/include \
external/libselinux/include
LOCAL_CFLAGS := -Wall -Werror
LOCAL_SRC_FILES := checkfc.c
LOCAL_STATIC_LIBRARIES := libsepol libselinux
+LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)
@@ -39,11 +41,12 @@ include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy-check
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_C_INCLUDES := external/selinux/libsepol/include
LOCAL_CFLAGS := -Wall -Werror
LOCAL_SRC_FILES := sepolicy-check.c
LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)
-include $(call all-makefiles-under,$(LOCAL_PATH)) \ No newline at end of file
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index e65efe9..7568351 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -5,9 +5,10 @@ include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy-analyze
LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_C_INCLUDES := external/selinux/libsepol/include
LOCAL_CFLAGS := -Wall -Werror
LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)
diff --git a/ueventd.te b/ueventd.te
index 23c93ad..f4884d7 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,12 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
tmpfs_domain(ueventd)
-write_klog(ueventd)
+
+# TODO: why is ueventd using __kmsg__ when it should just create
+# and use /dev/kmsg instead?
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+allow ueventd klog_device:chr_file { create open write unlink };
+
security_access_policy(ueventd)
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
diff --git a/uncrypt.te b/uncrypt.te
index 743236d..752124d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -14,15 +14,15 @@ userdebug_or_eng(`
r_dir_file(uncrypt, shell_data_file)
')
-# Create tmp file /cache/recovery/command.tmp
# Read /cache/recovery/command
-# Rename /cache/recovery/command.tmp to /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+# Write to pipe file /cache/recovery/uncrypt_status
allow uncrypt cache_file:dir rw_dir_perms;
allow uncrypt cache_file:file create_file_perms;
+allow uncrypt cache_file:fifo_file w_file_perms;
# Set a property to reboot the device.
-unix_socket_connect(uncrypt, property, init)
-allow uncrypt powerctl_prop:property_service set;
+set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
diff --git a/untrusted_app.te b/untrusted_app.te
index 1b7aaee..693a13c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@ allow untrusted_app mtp_device:chr_file rw_file_perms;
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
+
# Write to /cache.
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
@@ -93,9 +97,20 @@ allow untrusted_app persistent_data_block_service:service_manager find;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
+# only allow unprivileged socket ioctl commands
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow untrusted_app perfprofd_data_file:file r_file_perms;
+ allow untrusted_app perfprofd_data_file:dir r_dir_perms;
+')
+
+# Programs routinely attempt to scan through /system, looking
+# for files. Suppress the denials when they occur.
+dontaudit untrusted_app exec_type:file getattr;
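Review bot: The perfprofd_data_file rules are written on untrusted_app, so on userdebug/eng builds every third-party app, not only the GMS core named in the comment, can read the profile output in /data/misc/perfprofd, which perfprofd.te indicates is gathered from processes of every domain. There is no GMS-specific domain to scope this to, so at minimum the comment should say so, e.g. `# NOTE: this grants read to all untrusted apps, not only GMS core`. The `dontaudit untrusted_app exec_type:file getattr;` line removes a denial signal that is useful when triaging apps probing /system; a short comment stating that this is accepted noise reduction rather than an oversight would help. The `unpriv_sock_ioctls` line depends on the ioctl_macros file added in this commit, which is worth noting for anyone cherry-picking this hunk.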
###
### neverallow rules
diff --git a/vold.te b/vold.te
index e72822c..b22436f 100644
--- a/vold.te
+++ b/vold.te
@@ -81,7 +81,7 @@ allow vold self:capability { sys_ptrace kill };
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
-write_klog(vold)
+allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck.
allow vold fsck_exec:file rx_file_perms;
@@ -94,9 +94,6 @@ allow vold fscklogs:file create_file_perms;
# Rules to support encrypted fs support.
#
-# Set property.
-unix_socket_connect(vold, property, init)
-
# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };
@@ -111,9 +108,10 @@ allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold kernel:process setsched;
# Property Service
-allow vold vold_prop:property_service set;
-allow vold powerctl_prop:property_service set;
-allow vold ctl_fuse_prop:property_service set;
+set_prop(vold, vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
@@ -143,15 +141,30 @@ allow vold userdata_block_device:blk_file rw_file_perms;
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
-# Allow init to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:capability sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:capability sys_chroot;
+allow vold storage_file:dir mounton;
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init } restorecon_prop:property_service set;
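Review bot: `allow vold vold:key { write search setattr };` names the domain as its own target while the same hunk uses `self:capability`, so `allow vold self:key { write search setattr };` is the consistent form. The companion `allow vold init:key { write search setattr };` writes to a keyring owned by init, and the one-line comment `# linux keyring configuration` does not say why vold needs write on init's keyring rather than only its own; a comment naming the keyring (presumably one inherited from init) would make that reviewable. The `sys_chroot` and `storage_file:dir mounton` pair is explained, which is the standard the keyring lines should match.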
diff --git a/watchdogd.te b/watchdogd.te
index ab93560..00292a9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,9 +1,4 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-write_klog(watchdogd)
-type_transition watchdogd device:chr_file null_device "__null__";
-allow watchdogd null_device:chr_file { create unlink };
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/zygote.te b/zygote.te
index d2f629c..7029344 100644
--- a/zygote.te
+++ b/zygote.te
@@ -53,7 +53,8 @@ allow zygote rootfs:dir mounton;
allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
dontaudit zygote self:capability fsetid; # TODO: deprecated in M
allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
-allow zygote tmpfs:filesystem mount; # TODO: deprecated in M
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
# Allowed to create user-specific storage source if started before vold
@@ -64,3 +65,15 @@ allow zygote storage_file:dir { search mounton };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;