-rw-r--r--Android.mk18
-rw-r--r--bootanim.te1
-rw-r--r--domain.te69
-rw-r--r--file.te9
-rw-r--r--genfs_contexts1
-rw-r--r--init.te4
-rw-r--r--kernel.te3
-rw-r--r--keystore.te13
-rw-r--r--mediaserver.te2
-rw-r--r--netd.te6
-rw-r--r--property_contexts2
-rw-r--r--recovery.te10
-rw-r--r--su.te1
-rw-r--r--system_server.te11
-rw-r--r--vold.te26
15 files changed, 128 insertions, 48 deletions
diff --git a/Android.mk b/Android.mk
index 1b903bd..6873d07 100644
--- a/Android.mk
+++ b/Android.mk
@@ -24,7 +24,22 @@ endif
# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), $(wildcard $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))
+build_policy = $(call uniq,$(foreach type, $(1), \
+ $(filter-out $(BOARD_SEPOLICY_IGNORE), \
+ $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
+ $(if $(filter $(expanded_type), $(BOARD_SEPOLICY_REPLACE)), \
+ $(wildcard $(addsuffix $(expanded_type), $(sort $(dir $(sepolicy_replace_paths))))), \
+ $(LOCAL_PATH)/$(expanded_type) \
+ ) \
+ ) \
+ $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
+ $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
+ $(union_policy), \
+ ) \
+ ) \
+ ) \
+))
+build_policy = $(call uniq, $(foreach type, $(1), $(wildcard $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)))))
sepolicy_build_files := security_classes \
initial_sids \
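Review bot: The fourteen-line `build_policy` with the REPLACE/IGNORE/UNION handling is dead code: the very next added line, `build_policy = $(call uniq, $(foreach type, $(1), $(wildcard ...)))`, reassigns the same recursive variable, and for a recursive variable the last assignment wins, so BOARD_SEPOLICY_REPLACE, BOARD_SEPOLICY_IGNORE and BOARD_SEPOLICY_UNION are silently never honoured. Delete one of the two definitions; keeping the simple one means a BoardConfig that expects a vendor file to replace a core policy file will instead get both concatenated, which is a policy-composition problem rather than a build failure. `sepolicy_replace_paths` and the `uniq` function are used but not defined in this hunk, so presumably they are defined elsewhere in the file; worth confirming before relying on the longer definition.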
@@ -62,6 +77,7 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D shipping_build=$(CYNGN_TARGET) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
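Review bot: `-D shipping_build=$(CYNGN_TARGET)` fails open: when CYNGN_TARGET is unset the m4 symbol is empty, every `ifelse(shipping_build, `true', ...)` in the policy takes the relaxed non-shipping branch, and a tree built without that variable gets the loosened neverallows. Make the strict branch the default by normalising the value, e.g. `-D shipping_build=$(if $(filter true,$(CYNGN_TARGET)),true,false) \`, or reject anything other than true/false with `$(error ...)` at parse time. A short comment above the m4 invocation saying that `shipping_build` gates policy relaxations and must be `true` for production images would also help the next person who renames CYNGN_TARGET.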
diff --git a/bootanim.te b/bootanim.te
index dd1e57a..f809fab 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -16,4 +16,5 @@ allow bootanim oemfs:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
+allow bootanim mediaserver:binder { transfer call };
allow bootanim surfaceflinger_service:service_manager find;
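Review bot: Style: the raw `allow bootanim mediaserver:binder { transfer call };` sidesteps the `binder_call` macro this tree uses for binder peers (system_server.te in the same change uses `binder_call(system_server, bootanim)`); `binder_call(bootanim, mediaserver)` grants the reverse transfer and the fd use that a real round-trip needs, which would make the mirror rule added to mediaserver.te unnecessary. If bootanim reaches mediaserver through a registered service, a matching `service_manager find` rule on that service type would be expected alongside this; none is visible here, so worth confirming.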
diff --git a/domain.te b/domain.te
index 0f6c6da..b6eeb2e 100644
--- a/domain.te
+++ b/domain.te
@@ -196,8 +196,9 @@ neverallow {
-vold
} self:capability mknod;
+attribute rmt_placeholder;
# Limit raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee -rmt_placeholder } self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;
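Review bot: `attribute rmt_placeholder;` is declared with no member type and then carved out of the sys_rawio neverallow, so whichever vendor domain later does `typeattribute foo rmt_placeholder;` silently acquires the raw-I/O exemption (and the kmem carve-out further down this file) without touching domain.te. Name the real domain or attribute rather than a placeholder, or at least add a comment above it, e.g. `# Attribute for the single vendor partition-service domain; membership widens the raw I/O and kmem carve-outs, keep it to that one domain.` Attribute declarations also conventionally live in the attributes file, where readers look for them.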
@@ -227,9 +228,9 @@ neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom re
# system_server is for creating subdirectories under /data/security.
neverallow { domain -init -system_server } security_file:dir { create setattr };
# Only system_server can create subdirectories and files under /data/security.
-neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
-neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
-neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
+neverallow { domain -system_server -recovery } security_file:dir { rename write add_name remove_name rmdir };
+neverallow { domain -system_server -recovery } security_file:file { create setattr write append unlink link rename };
+neverallow { domain -system_server -recovery } security_file:lnk_file { create setattr unlink rename };
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
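Review bot: The `-recovery` carve-out from the three security_file neverallows is unconditional, whereas the other recovery relaxations in this change are gated on `shipping_build`, so production builds also lose the guarantee that only system_server writes under /data/security; wrap it the same way, `ifelse(shipping_build, `true', `neverallow { domain -system_server } ...', `neverallow { domain -system_server -recovery } ...')`. The comment "Only system_server can create subdirectories and files under /data/security." is now inaccurate and should read "Only system_server (and recovery, on non-shipping builds) can create subdirectories and files under /data/security." once gated.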
@@ -253,8 +254,8 @@ neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
neverallow domain { file_type -exec_type }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow { domain -rmt_placeholder -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow { domain -rmt_placeholder } kmem_device:chr_file ~{ create relabelto unlink setattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
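Review bot: Exempting `rmt_placeholder` from both kmem_device neverallows removes the only compile-time guarantee that no userspace domain can reach /dev/mem and /dev/kmem, and the comment "Ensure that nothing in userspace can access /dev/mem or /dev/kmem" is now untrue. Access to kmem is arbitrary kernel-memory read/write, i.e. full kernel compromise for that domain, so if a vendor daemon genuinely needs it the carve-out should be followed by a cap on what it may do, e.g. `neverallow rmt_placeholder kmem_device:chr_file ~{ open read write getattr ioctl };` trimmed to whatever the daemon actually uses, plus a comment naming the daemon. Rewrite the comment to "Only the kernel, ueventd, init and the rmt_placeholder domain may access /dev/mem or /dev/kmem" so the exception is visible to readers.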
@@ -303,8 +304,8 @@ neverallow {
} { fs_type -rootfs }:file execute;
# Only the init property service should write to /data/property.
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file no_w_file_perms;
+neverallow { domain -init -recovery } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init -recovery } property_data_file:file no_w_file_perms;
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
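Review bot: The `-recovery` exemption on property_data_file is unconditional, not gated on `shipping_build` like the other recovery relaxations in this change, so production recovery may be granted writes to the persisted-property store that normally only init's property service touches. Gate it on the non-shipping branch and update the comment, which now reads "Only the init property service should write to /data/property." and should say "Only the init property service (and recovery on non-shipping builds) should write to /data/property."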
@@ -315,11 +316,18 @@ neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+ifelse(shipping_build, `true',
+ `neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };'
+,
+)
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+ifelse(shipping_build, `true',
+ `neverallow domain {fs_type -contextmount_type}:filesystem relabelto;'
+,
+ `neverallow domain {fs_type -contextmount_type -sdcard_posix}:filesystem relabelto;'
+)
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
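Review bot: The non-shipping branch of the first `ifelse` is empty, so on those builds no domain at all is barred from writing rootfs files; a targeted carve-out, `neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };` with whichever domain actually needs it, keeps the guarantee for everyone else. The comment "Nothing should be writing to files in the rootfs." above it now holds only for shipping builds and should say so. Permitting `relabelto sdcard_posix` on filesystems is only safe while nothing that cannot write /system can write sdcard_posix, which is exactly the invariant the context-mount comment immediately below this hunk describes; whatever allow rule lands on sdcard_posix should be checked against it.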
@@ -351,21 +359,17 @@ neverallow { domain -servicemanager } *:binder set_context_mgr;
# Only authorized processes should be writing to files in /data/dalvik-cache
# (excluding /data/dalvik-cache/profiles, which is labeled differently)
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -dex2oat
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -dex2oat
- -zygote
-} dalvikcache_data_file:dir no_w_dir_perms;
+ifelse(shipping_build, `true',
+ `neverallow { domain -init -zygote -installd -dex2oat } dalvikcache_data_file:file no_w_file_perms;'
+,
+ `neverallow { domain -init -zygote -installd -dex2oat -system_server -recovery} dalvikcache_data_file:file no_w_file_perms;'
+)
+
+ifelse(shipping_build, `true',
+ `neverallow { domain -init -installd -dex2oat -zygote } dalvikcache_data_file:dir no_w_dir_perms;'
+,
+ `neverallow { domain -init -installd -dex2oat -zygote -recovery } dalvikcache_data_file:dir no_w_dir_perms;'
+)
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
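Review bot: Carving `system_server` out of the dalvikcache_data_file:file write neverallow on non-shipping builds means a compromised system_server could rewrite oat/odex files that zygote and apps later map executable, which is the reason the comment restricts writers to init, zygote, installd and dex2oat; if a specific flow needs it, name it in a comment on the else branch and cap the perms separately, e.g. `neverallow system_server dalvikcache_data_file:file ~{ r_file_perms unlink };`. The rewrite also dropped the `# TODO: limit init to relabelfrom for files` note that explained why init is in the list; keep it. The file rule exempts system_server and recovery while the dir rule exempts only recovery, which is presumably intentional but worth a one-line comment.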
@@ -396,7 +400,7 @@ neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -init -untrusted_app -sudaemon') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
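Review bot: Adding `-untrusted_app` to the su_exec execute carve-out, even under `userdebug_or_eng`, means an allow rule letting third-party apps execute the su binary would no longer be rejected at build time; the safer shape is that untrusted_app talks to `sudaemon` over a socket and only `sudaemon`/`su` execute su_exec, so drop `-untrusted_app` unless a domain transition from apps on su_exec is genuinely intended. `-init` presumably exists so init can launch the daemon; if so, `sudaemon` should get its own exec type so init never needs an exemption on su_exec. The comment "On userdebug/eng builds, only dumpstate, shell, and su itself execute su." should list the newly exempted domains.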
@@ -434,13 +438,12 @@ neverallow ~domain domain:process { transition dyntransition };
# Example type transition:
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
-} system_data_file:file no_w_file_perms;
+ifelse(shipping_build, `true',
+ `neverallow { domain -system_server -system_app -init -installd } system_data_file:file no_w_file_perms;'
+,
+ `neverallow { domain -system_server -system_app -init -installd -recovery } system_data_file:file no_w_file_perms;'
+)
+
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
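Review bot: The rewrite drops the inline `# for relabelfrom and unlink, check for this in explicit neverallow` note on installd, which is what explains the `neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };` directly below; restore it as a comment above the `ifelse`. The non-shipping branch should also say why recovery needs write access to system_data_file, e.g. `# recovery: needed for <feature> on non-shipping builds`, since an unexplained carve-out on the catch-all /data label is easy to cargo-cult later.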
diff --git a/file.te b/file.te
index 555b89f..0bac206 100644
--- a/file.te
+++ b/file.te
@@ -35,6 +35,12 @@ type shm, fs_type;
type mqueue, fs_type;
type fuse, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
+ifelse(shipping_build, `true',
+ # Dummy this out in shipping to avoid breaking code mentioning the label
+ `typealias vfat alias sdcard_posix;'
+,
+ `type sdcard_posix, sdcard_type, fs_type, mlstrustedobject;'
+)
typealias fuse alias sdcard_internal;
typealias vfat alias sdcard_external;
type debugfs, fs_type, mlstrustedobject;
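Review bot: On shipping builds `sdcard_posix` becomes a typealias of `vfat`, so any `allow ... sdcard_posix ...` that is not itself gated on `shipping_build` silently turns into a grant on vfat instead of failing the build; the comment should state that, e.g. `# Shipping builds alias sdcard_posix to vfat: every rule mentioning sdcard_posix must be gated on shipping_build, or it applies to vfat.` The `#` comment is placed inside the ifelse argument list; m4 passes it through as part of the true branch, so it ends up in the generated policy.conf rather than reading as a comment about the ifelse — move it above the `ifelse(`.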
@@ -187,6 +193,9 @@ type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
+# Used by vold
+type proc_dirty_ratio, fs_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
diff --git a/genfs_contexts b/genfs_contexts
index cdf65bc..0bbf97f 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -21,6 +21,7 @@ genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty_ratio:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
diff --git a/init.te b/init.te
index 41eafe2..a9c567e 100644
--- a/init.te
+++ b/init.te
@@ -225,6 +225,10 @@ allow init self:capability net_raw;
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
+# Allow init to read the context on userdirs (but not their contents)
+# We need this before relabeling them coming from 4.4
+allow init app_data_file:{ lnk_file dir } { getattr relabelfrom };
+
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
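Review bot: The comment says init only reads the context of user dirs, but `relabelfrom` on app_data_file dir/lnk_file is a change permission, and a relabel also requires `relabelto` on the destination type, which is not in this hunk; either the comment or the rule undersells what is going on. Suggest `# Allow init to getattr and relabel app_data_file dirs/symlinks left by the 4.4 layout (relabelto on the destination type is granted separately).` if that is the intent, and `getattr` alone if it really only reads.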
diff --git a/kernel.te b/kernel.te
index 6747d1c..baa85b3 100644
--- a/kernel.te
+++ b/kernel.te
@@ -76,3 +76,6 @@ neverallow domain kernel:process { transition dyntransition };
# - You are running an exploit which switched to the init task credentials
# and is then trying to exec a shell or other program. You lose!
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
+
+# For UMS full-device exports
+allow kernel block_device:blk_file r_file_perms;
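Review bot: `allow kernel block_device:blk_file r_file_perms;` targets the generic `block_device` label, i.e. every partition that has not been given a dedicated type, rather than the one device exported over UMS; label the exported partition with its own blk_file type in file_contexts and grant on that, so the kernel domain (which usermode helpers also start in) cannot read arbitrary unlabeled partitions. Read-only perms imply a read-only export; if the gadget is meant to be writeable that will need `rw_file_perms` and the comment should say which mode is intended.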
diff --git a/keystore.te b/keystore.te
index 83a0e85..b5d119f 100644
--- a/keystore.te
+++ b/keystore.te
@@ -23,10 +23,15 @@ selinux_check_access(keystore)
### Protect ourself from others
###
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -keystore -recovery } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore -recovery } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+ifelse(shipping_build, `true',
+ `neverallow { domain -keystore -init } keystore_data_file:dir *;
+ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;'
+,
+ `neverallow { domain -keystore -init -recovery } keystore_data_file:dir *;
+ neverallow { domain -keystore -init -recovery } keystore_data_file:notdevfile_class_set *;'
+)
neverallow domain keystore:process ptrace;
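Review bot: The first pair of neverallows exempts recovery unconditionally while the second pair exempts it only on non-shipping builds; the second pair still blocks recovery completely on shipping builds, so no gap opens, but the split reads as if production recovery may touch keystore_data_file. Put all four rules inside one `ifelse(shipping_build, ...)` so the shipping branch is byte-identical to upstream, and add a comment on the non-shipping branch naming why recovery needs write access to the keystore store, since this is the user's key material and the reason should be explicit.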
diff --git a/mediaserver.te b/mediaserver.te
index 0299466..bc942f3 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -94,6 +94,8 @@ allow mediaserver surfaceflinger_service:service_manager find;
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
+allow mediaserver bootanim:binder { transfer call };
+
use_drmservice(mediaserver)
allow mediaserver drmserver:drmservice {
consumeRights
diff --git a/netd.te b/netd.te
index d4c5153..81bf160 100644
--- a/netd.te
+++ b/netd.te
@@ -43,7 +43,11 @@ allow netd dhcp:process signal;
# these capabilities
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file create_file_perms;
-allow netd wifi_data_file:dir rw_dir_perms;
+allow netd wifi_data_file:dir create_dir_perms;
+allow netd wifi_data_file:sock_file { create setattr unlink write };
+
+# Allow netd to chmod dir /data/misc/dhcp
+allow netd dhcp_data_file:dir create_dir_perms;
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
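Review bot: `allow netd dhcp_data_file:dir create_dir_perms;` grants create/rmdir/rename/reparent and more, far beyond the "chmod dir /data/misc/dhcp" the comment describes; chmod needs `setattr`, so `allow netd dhcp_data_file:dir setattr;` (or `rw_dir_perms` if entries are also created). The same question applies to widening wifi_data_file:dir from rw_dir_perms to create_dir_perms: the new sock_file rule only needs add_name/remove_name, which rw_dir_perms already covers. Combined with netd's `dac_override chown fowner` capabilities two lines up, these are directories netd can reshape without DAC limits, so keep them narrow.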
diff --git a/property_contexts b/property_contexts
index 5bdb3c3..2a461e8 100644
--- a/property_contexts
+++ b/property_contexts
@@ -31,7 +31,7 @@ debug. u:object_r:debug_prop:s0
debug.db. u:object_r:debuggerd_prop:s0
log. u:object_r:shell_prop:s0
service.adb.root u:object_r:shell_prop:s0
-service.adb.tcp.port u:object_r:shell_prop:s0
+service.adb.tcp.port* u:object_r:shell_prop:s0
persist.audio. u:object_r:audio_prop:s0
persist.logd. u:object_r:logd_prop:s0
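Review bot: `service.adb.tcp.port*` is likely to stop matching altogether: in the property_contexts format of this era entries are plain prefix matches and only a leading `*` is special, so the trailing `*` is compared literally and `service.adb.tcp.port` falls through to the default label, which changes which domains may set it (as far as I can tell from the format; worth testing with `getprop -Z`). The original `service.adb.tcp.port` already prefix-matches that key and any longer one such as `service.adb.tcp.port.foo`, so the line should be reverted.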
diff --git a/recovery.te b/recovery.te
index 8d6fd62..646e42f 100644
--- a/recovery.te
+++ b/recovery.te
@@ -114,5 +114,11 @@ recovery_only(`
# domains, including recovery.
#
# TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
+ifelse(shipping_build, `true',
+ `neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };'
+,
+)
+ifelse(shipping_build, `true',
+ `neverallow recovery data_file_type:dir no_w_dir_perms;'
+,
+)
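Review bot: Both neverallows that capped recovery's reach into data_file_type are deleted outright on non-shipping builds (empty else branches), so the whole compile-time guard on recovery vs. /data disappears instead of being narrowed to the types the other hunks carve out; prefer `neverallow recovery { data_file_type -vold_data_file -keystore_data_file -dalvikcache_data_file -security_file -property_data_file }:file no_w_file_perms;` on the else branch, trimmed to the types recovery actually needs. Losing `no_x_file_perms` means recovery could be allowed to execute from /data, which should stay blocked on every build: keep `neverallow recovery data_file_type:file no_x_file_perms;` outside the ifelse. The two ifelse blocks can also be merged into one. The enclosing `recovery_only(` block starts before this hunk and its closing quote is outside the diff.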
diff --git a/su.te b/su.te
index d4a488b..d135459 100644
--- a/su.te
+++ b/su.te
@@ -1,5 +1,6 @@
# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
+type sudaemon, domain;
userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
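Review bot: `type sudaemon, domain;` is declared outside `userdebug_or_eng(`, so user builds get a domain that picks up every `allow domain ...` grant while the only reference to it in this change (the su_exec carve-out in domain.te) is itself inside userdebug_or_eng; move the declaration into the userdebug_or_eng block, or comment why a user build needs the type. No exec type, file_contexts entry or init transition for sudaemon is visible in this change, so presumably they live elsewhere; a one-line comment pointing to them, e.g. `# Root daemon for userdebug/eng; launched from init, see sudaemon.te`, would help.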
diff --git a/system_server.te b/system_server.te
index c9d8f3b..36c36e9 100644
--- a/system_server.te
+++ b/system_server.te
@@ -134,6 +134,7 @@ binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
binder_call(system_server, fingerprintd)
binder_call(system_server, appdomain)
+binder_call(system_server, bootanim)
binder_call(system_server, dumpstate)
binder_service(system_server)
@@ -295,6 +296,11 @@ set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
# ctl interface
+allow system_server ctl_bootanim_prop:property_service set;
+
+# Use open file provided by bootanim.
+allow system_server bootanim:fd use;
+
set_prop(system_server, ctl_default_prop)
set_prop(system_server, ctl_dhcp_pan_prop)
set_prop(system_server, ctl_bugreport_prop)
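Review bot: Style: `allow system_server ctl_bootanim_prop:property_service set;` is a raw rule in the middle of a run of `set_prop(...)` calls; use `set_prop(system_server, ctl_bootanim_prop)` for consistency and place it with the other ctl_* lines below the `# ctl interface` comment rather than between that comment and its first entry. The `allow system_server bootanim:fd use;` rule is unrelated to the ctl interface and belongs next to `binder_call(system_server, bootanim)` earlier in the file, with a comment saying which fd bootanim hands over.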
@@ -455,7 +461,10 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
+ifelse(shipping_build, `true',
+ `neverallow system_server dex2oat_exec:file no_x_file_perms;'
+,
+)
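Review bot: The non-shipping branch silently drops `neverallow system_server dex2oat_exec:file no_x_file_perms;`, which the three comment lines above justify as blocking dynamic dex loading from system_server, so the comment is now contradicted on non-shipping builds. No allow rule arrives in this hunk, so the grant presumably lands elsewhere; add a comment on the else branch naming the feature that needs it, and make that allow a `domain_auto_trans(system_server, dex2oat_exec, dex2oat)` so system_server never runs dex2oat in its own domain.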
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
diff --git a/vold.te b/vold.te
index b22436f..7ddf2b7 100644
--- a/vold.te
+++ b/vold.te
@@ -34,6 +34,10 @@ allow vold sdcard_type:dir mounton; # TODO: deprecated in M
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+ifelse(shipping_build, `true', ,
+ allow vold sdcard_posix:filesystem { relabelto relabelfrom };
+)
+allow vold labeledfs:filesystem { relabelfrom };
# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
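Review bot: `allow vold labeledfs:filesystem { relabelfrom };` is unconditional but only useful together with the sdcard_posix `relabelto` on the non-shipping branch, so shipping builds carry a relabelfrom on every labeled filesystem that nothing uses; move it inside the ifelse. The else branch here is unquoted (`, ,` then a bare `allow ...`) unlike every other `ifelse` in this change, which wraps branches in `` `...' ``; it works because `allow` is not an m4 macro, but quote it for consistency and to survive future macro names.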
@@ -137,6 +141,10 @@ allow vold tee_device:chr_file rw_file_perms;
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
+auditallow vold userdata_block_device:blk_file rw_file_perms;
+
+# For UMS tuning
+allow vold proc_dirty_ratio:file rw_file_perms;
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
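Review bot: `auditallow vold userdata_block_device:blk_file rw_file_perms;` logs every permitted open/read/write/ioctl on the userdata block device, which vold does routinely (fstrim, encryption), so it will flood the audit log and drown real denials; if this is a temporary probe, say so in a comment with a removal condition, otherwise narrow it to the single permission under investigation, e.g. `auditallow vold userdata_block_device:blk_file write;`. For `/proc/sys/vm/dirty_ratio`, writing is what UMS tuning needs; `rw_file_perms` is fine if vold reads back the old value to restore it, otherwise `w_file_perms` states the intent.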
@@ -163,8 +171,16 @@ allow vold self:capability sys_nice;
allow vold self:capability sys_chroot;
allow vold storage_file:dir mounton;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
-neverallow { domain -vold -init } restorecon_prop:property_service set;
+ifelse(shipping_build, `true',
+ `neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+ neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+ neverallow { domain -vold -init } vold_data_file:dir *;
+ neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+ neverallow { domain -vold -init } restorecon_prop:property_service set;'
+,
+ `neverallow { domain -vold -recovery } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+ neverallow { domain -vold -recovery } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+ neverallow { domain -vold -init -recovery } vold_data_file:dir *;
+ neverallow { domain -vold -init -recovery } vold_data_file:notdevfile_class_set *;
+ neverallow { domain -vold -init -recovery } restorecon_prop:property_service set;'
+)
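Review bot: On non-shipping builds recovery is carved out of the vold_data_file and restorecon_prop neverallows; vold_data_file covers /data/misc/vold, where vold keeps persistent state (and, depending on the device, encryption metadata), so the else branch should carry a comment stating why recovery must write there, and the restorecon_prop exemption looks separable from the file rules and may not be needed. Because neverallow is compile-time only, this hunk grants nothing by itself; the actual allow rule for recovery on vold_data_file should be reviewed together with it.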