diff options
| -rw-r--r-- | bluetooth.te | 8 | ||||
| -rw-r--r-- | clatd.te | 2 | ||||
| -rw-r--r-- | dhcp.te | 3 | ||||
| -rw-r--r-- | dnsmasq.te | 5 | ||||
| -rw-r--r-- | domain.te | 3 | ||||
| -rw-r--r-- | drmserver.te | 4 | ||||
| -rw-r--r-- | dumpstate.te | 3 | ||||
| -rw-r--r-- | hostapd.te | 7 | ||||
| -rw-r--r-- | logd.te | 1 | ||||
| -rw-r--r-- | mtp.te | 3 | ||||
| -rw-r--r-- | net.te | 13 | ||||
| -rw-r--r-- | netd.te | 8 | ||||
| -rw-r--r-- | ppp.te | 3 | ||||
| -rw-r--r-- | racoon.te | 8 | ||||
| -rw-r--r-- | rild.te | 9 | ||||
| -rw-r--r-- | surfaceflinger.te | 2 | ||||
| -rw-r--r-- | system_server.te | 10 | ||||
| -rw-r--r-- | tee.te | 2 | ||||
| -rw-r--r-- | ueventd.te | 2 | ||||
| -rw-r--r-- | vold.te | 2 | ||||
| -rw-r--r-- | wpa_supplicant.te | 10 |
21 files changed, 45 insertions, 63 deletions
diff --git a/bluetooth.te b/bluetooth.te index d1fed20..16e7b0b 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -20,17 +20,21 @@ allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms # Other domains that can create and use bluetooth sockets. # SELinux does not presently define a specific socket class for # bluetooth sockets, nor does it distinguish among the bluetooth protocols. -allow bluetoothdomain self:socket *; +# TODO: This should no longer be needed with bluedroid for bluetooth +# but may be getting used for other non-bluetooth sockets that has no +# specific class defined. Consider taking to specific domains. +allow bluetoothdomain self:socket create_socket_perms; # sysfs access. allow bluetooth sysfs_bluetooth_writable:file rw_file_perms; allow bluetooth self:capability net_admin; # Allow clients to use a socket provided by the bluetooth app. +# TODO: See if this is still required under bluedroid. allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown }; # tethering -allow bluetooth self:{ tun_socket udp_socket } { ioctl create }; +allow bluetooth self:tun_socket create_socket_perms; allow bluetooth efs_file:dir search; # Talk to init over the property socket. @@ -19,7 +19,7 @@ allow clatd self:capability { net_admin setuid setgid }; # TODO: Run clatd in vpn group to avoid need for this on /dev/tun. allow clatd self:capability dac_override; -allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write }; +allow clatd self:netlink_route_socket nlmsg_write; allow clatd self:tun_socket create_socket_perms; allow clatd tun_device:chr_file rw_file_perms; allow clatd proc_net:file rw_file_perms;; @@ -9,8 +9,7 @@ net_domain(dhcp) allow dhcp cgroup:dir { create write add_name }; allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service }; allow dhcp self:packet_socket create_socket_perms; -allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write }; -allow dhcp self:rawip_socket create_socket_perms; +allow dhcp self:netlink_route_socket nlmsg_write; allow dhcp shell_exec:file rx_file_perms; allow dhcp system_file:file rx_file_perms; # For /proc/sys/net/ipv4/conf/*/promote_secondaries @@ -3,10 +3,9 @@ type dnsmasq, domain; permissive_or_unconfined(dnsmasq) type dnsmasq_exec, exec_type, file_type; +net_domain(dnsmasq) + allow dnsmasq self:capability { net_bind_service setgid setuid }; -allow dnsmasq self:tcp_socket create_socket_perms; allow dnsmasq dhcp_data_file:dir w_dir_perms; allow dnsmasq dhcp_data_file:file create_file_perms; -allow dnsmasq port:tcp_socket name_bind; -allow dnsmasq node:tcp_socket node_bind; @@ -16,7 +16,8 @@ allow domain self:fd use; allow domain self:dir r_dir_perms; allow domain self:lnk_file r_file_perms; allow domain self:{ fifo_file file } rw_file_perms; -allow domain self:{ unix_dgram_socket unix_stream_socket } *; +allow domain self:unix_dgram_socket { create_socket_perms sendto }; +allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; # Inherit or receive open files from others. allow domain init:fd use; diff --git a/drmserver.te b/drmserver.te index eb050a2..a11700c 100644 --- a/drmserver.te +++ b/drmserver.te @@ -5,6 +5,8 @@ type drmserver_exec, exec_type, file_type; init_daemon_domain(drmserver) typeattribute drmserver mlstrustedsubject; +net_domain(drmserver) + # Perform Binder IPC to system server. binder_use(drmserver) binder_call(drmserver, system_server) @@ -17,8 +19,6 @@ binder_call(drmserver, mediaserver) allow drmserver sdcard_type:dir search; allow drmserver drm_data_file:dir create_dir_perms; allow drmserver drm_data_file:file create_file_perms; -allow drmserver self:{ tcp_socket udp_socket } *; -allow drmserver port:tcp_socket name_connect; allow drmserver tee_device:chr_file rw_file_perms; allow drmserver platform_app_data_file:file { read write getattr }; allow drmserver app_data_file:file { read write getattr }; diff --git a/dumpstate.te b/dumpstate.te index 8ecb6cc..749cc46 100644 --- a/dumpstate.te +++ b/dumpstate.te @@ -47,9 +47,6 @@ allow dumpstate { appdomain system_server }:process signal; # This list comes from native_processes_to_dump in dumpstate/utils.c allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal; -# The /system/bin/ip command needs this for routing table information. -allow dumpstate self:netlink_route_socket { write getattr setopt }; - # The vdc command needs to talk to the vold socket. unix_socket_connect(dumpstate, vold, vold) @@ -3,11 +3,12 @@ type hostapd, domain; permissive_or_unconfined(hostapd) type hostapd_exec, exec_type, file_type; +net_domain(hostapd) + allow hostapd self:capability { net_admin net_raw setuid setgid }; allow hostapd self:netlink_socket create_socket_perms; -allow hostapd self:packet_socket { create write read }; -allow hostapd self:netlink_route_socket { bind create write nlmsg_write read }; -allow hostapd self:udp_socket { create ioctl }; +allow hostapd self:packet_socket create_socket_perms; +allow hostapd self:netlink_route_socket nlmsg_write; allow hostapd wifi_data_file:file rw_file_perms; allow hostapd wifi_data_file:dir create_dir_perms; @@ -3,7 +3,6 @@ type logd, domain; type logd_exec, exec_type, file_type; init_daemon_domain(logd) -allow logd self:unix_stream_socket *; allow logd self:capability { setuid setgid sys_nice }; @@ -7,10 +7,7 @@ init_daemon_domain(mtp) net_domain(mtp) # pptp policy -allow mtp self:tcp_socket create_socket_perms; allow mtp self:socket create_socket_perms; -allow mtp self:rawip_socket create_socket_perms; allow mtp self:capability net_raw; allow mtp ppp:process signal; -allow mtp port:tcp_socket name_connect; allow mtp vpn_data_file:dir search; @@ -13,18 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind; allow netdomain port_type:udp_socket name_bind; allow netdomain port_type:tcp_socket name_bind; # See changes to the routing table. -allow netdomain self:netlink_route_socket { - read - bind - create - nlmsg_read - ioctl - getattr - setattr - getopt - setopt - shutdown -}; +allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read }; # Talks to netd via dnsproxyd socket. unix_socket_connect(netdomain, dnsproxyd, netd) @@ -15,11 +15,9 @@ allow netd self:capability { net_admin net_raw kill }; # sufficient testing of the fsetid removal. # dontaudit netd self:capability fsetid; -allow netd self:netlink_kobject_uevent_socket *; -allow netd self:netlink_route_socket *; -allow netd self:netlink_nflog_socket *; -allow netd self:rawip_socket *; -allow netd self:unix_stream_socket *; +allow netd self:netlink_kobject_uevent_socket create_socket_perms; +allow netd self:netlink_route_socket nlmsg_write; +allow netd self:netlink_nflog_socket create_socket_perms; allow netd shell_exec:file rx_file_perms; allow netd system_file:file x_file_perms; allow netd devpts:chr_file rw_file_perms; @@ -5,10 +5,11 @@ type ppp_device, dev_type; type ppp_exec, exec_type, file_type; domain_auto_trans(mtp, ppp_exec, ppp) +net_domain(ppp) + allow ppp mtp:socket rw_socket_perms; allow ppp ppp_device:chr_file rw_file_perms; allow ppp self:capability net_admin; -allow ppp self:udp_socket create_socket_perms; allow ppp system_file:file rx_file_perms; allow ppp vpn_data_file:dir w_dir_perms; allow ppp vpn_data_file:file create_file_perms; @@ -6,17 +6,17 @@ type racoon_exec, exec_type, file_type; init_daemon_domain(racoon) typeattribute racoon mlstrustedsubject; +net_domain(racoon) + binder_call(racoon, servicemanager) binder_call(racoon, keystore) allow racoon tun_device:chr_file r_file_perms; allow racoon cgroup:dir { add_name create }; allow racoon kernel:system module_request; -allow racoon port:udp_socket name_bind; -allow racoon node:udp_socket node_bind; -allow racoon self:{ key_socket udp_socket } create_socket_perms; -allow racoon self:tun_socket create; +allow racoon self:key_socket create_socket_perms; +allow racoon self:tun_socket create_socket_perms; allow racoon self:capability { net_admin net_bind_service net_raw setuid }; # XXX: should we give ip-up-vpn its own label (currently racoon domain) @@ -5,7 +5,7 @@ type rild_exec, exec_type, file_type; init_daemon_domain(rild) net_domain(rild) -allow rild self:netlink_route_socket { setopt write }; +allow rild self:netlink_route_socket nlmsg_write; allow rild kernel:system module_request; unix_socket_connect(rild, property, init) unix_socket_connect(rild, qemud, qemud) @@ -38,10 +38,9 @@ allow rild gps_device:chr_file rw_file_perms; allow rild tty_device:chr_file rw_file_perms; -# Allow rild to create, bind, read, write to itself through a netlink socket -allow rild self:netlink_socket { create bind read write }; - -allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt }; +# Allow rild to create and use netlink sockets. +allow rild self:netlink_socket create_socket_perms; +allow rild self:netlink_kobject_uevent_socket create_socket_perms; # Access to wake locks allow rild sysfs_wake_lock:file rw_file_perms; diff --git a/surfaceflinger.te b/surfaceflinger.te index 2a3087b..7d73696 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -28,7 +28,7 @@ allow surfaceflinger video_device:dir r_dir_perms; allow surfaceflinger video_device:chr_file rw_file_perms; # Create and use netlink kobject uevent sockets. -allow surfaceflinger self:netlink_kobject_uevent_socket *; +allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms; # Set properties. allow surfaceflinger system_prop:property_service set; diff --git a/system_server.te b/system_server.te index ca95abf..2d5c331 100644 --- a/system_server.te +++ b/system_server.te @@ -21,10 +21,6 @@ allow system_server zygote:fd use; allow system_server zygote:process sigchld; allow system_server zygote_tmpfs:file read; -# Needed to close the zygote socket, which involves getopt / getattr -# This should be deleted after b/12061011 is fixed -allow system_server zygote:unix_stream_socket { getopt getattr }; - # system server gets network and bluetooth permissions. net_domain(system_server) bluetooth_domain(system_server) @@ -54,7 +50,7 @@ dontaudit system_server self:capability sys_ptrace; allow system_server kernel:system module_request; # Use netlink uevent sockets. -allow system_server self:netlink_kobject_uevent_socket *; +allow system_server self:netlink_kobject_uevent_socket create_socket_perms; # Kill apps. allow system_server appdomain:process { sigkill signal }; @@ -75,10 +71,10 @@ allow system_server qtaguid_device:chr_file rw_file_perms; allow system_server debugfs:file r_file_perms; # WifiWatchdog uses a packet_socket -allow system_server self:packet_socket *; +allow system_server self:packet_socket create_socket_perms; # 3rd party VPN clients require a tun_socket to be created -allow system_server self:tun_socket create; +allow system_server self:tun_socket create_socket_perms; # Notify init of death. allow system_server init:process sigchld; @@ -11,4 +11,4 @@ allow tee self:capability { dac_override }; allow tee tee_device:chr_file rw_file_perms; allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:file create_file_perms; -allow tee self:netlink_socket { create bind read }; +allow tee self:netlink_socket create_socket_perms; @@ -19,6 +19,6 @@ allow ueventd dev_type:dir create_dir_perms; allow ueventd dev_type:lnk_file { create unlink }; allow ueventd dev_type:chr_file { create setattr unlink }; allow ueventd dev_type:blk_file { create setattr unlink }; -allow ueventd self:netlink_kobject_uevent_socket *; +allow ueventd self:netlink_kobject_uevent_socket create_socket_perms; allow ueventd efs_file:dir search; allow ueventd efs_file:file r_file_perms; @@ -19,7 +19,7 @@ allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir create_dir_perms; allow vold tmpfs:dir mounton; allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; -allow vold self:netlink_kobject_uevent_socket *; +allow vold self:netlink_kobject_uevent_socket create_socket_perms; allow vold app_data_file:dir search; allow vold app_data_file:file rw_file_perms; allow vold loop_device:blk_file rw_file_perms; diff --git a/wpa_supplicant.te b/wpa_supplicant.te index fd454bf..5961f98 100644 --- a/wpa_supplicant.te +++ b/wpa_supplicant.te @@ -3,13 +3,15 @@ type wpa, domain; type wpa_exec, exec_type, file_type; init_daemon_domain(wpa) + +net_domain(wpa) + allow wpa kernel:system module_request; allow wpa self:capability { setuid net_admin setgid net_raw }; allow wpa cgroup:dir create_dir_perms; -allow wpa self:netlink_route_socket *; -allow wpa self:netlink_socket *; -allow wpa self:packet_socket *; -allow wpa self:udp_socket *; +allow wpa self:netlink_route_socket nlmsg_write; +allow wpa self:netlink_socket create_socket_perms; +allow wpa self:packet_socket create_socket_perms; allow wpa wifi_data_file:dir create_dir_perms; allow wpa wifi_data_file:file create_file_perms; unix_socket_send(wpa, system_wpa, system_server) |