-rw-r--r--Android.mk163
-rw-r--r--README86
-rw-r--r--access_vectors26
-rw-r--r--adbd.te16
-rw-r--r--app.te74
-rw-r--r--attributes15
-rw-r--r--blkid.te20
-rw-r--r--blkid_untrusted.te36
-rw-r--r--bluetooth.te12
-rw-r--r--bootanim.te2
-rw-r--r--clatd.te8
-rw-r--r--debuggerd.te9
-rw-r--r--device.te35
-rw-r--r--dex2oat.te1
-rw-r--r--domain.te124
-rw-r--r--drmserver.te7
-rw-r--r--dumpstate.te19
-rw-r--r--file.te44
-rw-r--r--file_contexts55
-rw-r--r--fs_use1
-rw-r--r--fsck.te43
-rw-r--r--fsck_untrusted.te36
-rw-r--r--gatekeeperd.te24
-rw-r--r--genfs_contexts1
-rw-r--r--global_macros5
-rw-r--r--gpsd.te8
-rw-r--r--healthd.te2
-rw-r--r--init.te219
-rw-r--r--init_shell.te10
-rw-r--r--inputflinger.te6
-rw-r--r--install_recovery.te7
-rw-r--r--installd.te18
-rw-r--r--isolated_app.te32
-rw-r--r--kernel.te35
-rw-r--r--keystore.te14
-rw-r--r--lmkd.te2
-rw-r--r--logd.te12
-rw-r--r--mdnsd.te2
-rw-r--r--mediaserver.te23
-rw-r--r--mls59
-rw-r--r--netd.te8
-rw-r--r--neverallow_macros6
-rw-r--r--nfc.te13
-rw-r--r--platform_app.te14
-rw-r--r--procrank.te15
-rw-r--r--property.te4
-rw-r--r--property_contexts8
-rw-r--r--radio.te9
-rw-r--r--recovery.te23
-rw-r--r--runas.te8
-rw-r--r--sdcardd.te14
-rw-r--r--seapp_contexts35
-rw-r--r--security_classes4
-rwxr-xr-xselinux-network.sh17
-rw-r--r--service.te92
-rw-r--r--service_contexts177
-rw-r--r--servicemanager.te4
-rw-r--r--sgdisk.te22
-rw-r--r--shared_relro.te3
-rw-r--r--shell.te32
-rw-r--r--slideshow.te14
-rw-r--r--su.te12
-rw-r--r--surfaceflinger.te8
-rw-r--r--system_app.te8
-rw-r--r--system_server.te69
-rw-r--r--te_macros48
-rw-r--r--toolbox.te26
-rw-r--r--tools/README2
-rw-r--r--tools/check_seapp.c101
-rw-r--r--tools/sepolicy-analyze/Android.mk2
-rw-r--r--tools/sepolicy-analyze/README12
-rw-r--r--tools/sepolicy-analyze/attribute.c39
-rw-r--r--tools/sepolicy-analyze/attribute.h11
-rw-r--r--tools/sepolicy-analyze/booleans.c22
-rw-r--r--tools/sepolicy-analyze/booleans.h11
-rw-r--r--tools/sepolicy-analyze/neverallow.c6
-rw-r--r--tools/sepolicy-analyze/sepolicy-analyze.c6
-rw-r--r--tzdatacheck.te8
-rw-r--r--ueventd.te11
-rw-r--r--unconfined.te90
-rw-r--r--uncrypt.te5
-rw-r--r--untrusted_app.te46
-rw-r--r--vold.te88
-rw-r--r--wpa.te8
-rw-r--r--zygote.te18
85 files changed, 1750 insertions, 740 deletions
diff --git a/Android.mk b/Android.mk
index 6d6aee2..3635a01 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,87 +2,35 @@ LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
-# Force permissive domains to be unconfined+enforcing?
-#
-# During development, this should be set to false.
-# Permissive means permissive.
-#
-# When we're close to a release and SELinux new policy development
-# is frozen, we should flip this to true. This forces any currently
-# permissive domains into unconfined+enforcing.
-#
-FORCE_PERMISSIVE_TO_UNCONFINED:=true
-
-ifeq ($(TARGET_BUILD_VARIANT),user)
- # User builds are always forced unconfined+enforcing
- FORCE_PERMISSIVE_TO_UNCONFINED:=true
-endif
-
# SELinux policy version.
-# Must be <= /selinux/policyvers reported by the Android kernel.
+# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
POLICYVERS ?= 26
MLS_SENS=1
MLS_CATS=1024
-# Quick edge case error detection for BOARD_SEPOLICY_REPLACE.
-# Builds the singular path for each replace file.
-sepolicy_replace_paths :=
-$(foreach pf, $(BOARD_SEPOLICY_REPLACE), \
- $(if $(filter $(pf), $(BOARD_SEPOLICY_UNION)), \
- $(error Ambiguous request for sepolicy $(pf). Appears in both \
- BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION), \
- ) \
- $(eval _paths := $(filter-out $(BOARD_SEPOLICY_IGNORE), \
- $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))) \
- $(eval _occurrences := $(words $(_paths))) \
- $(if $(filter 0,$(_occurrences)), \
- $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
- ) \
- $(if $(filter 1, $(_occurrences)), \
- $(eval sepolicy_replace_paths += $(_paths)), \
- $(error Multiple occurrences of replace file $(pf) in $(_paths)) \
- ) \
- $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(LOCAL_PATH))))), \
- $(error Specified the sepolicy file $(pf) in BOARD_SEPOLICY_REPLACE, \
- but none found in $(LOCAL_PATH)), \
- ) \
-)
-
-# Quick edge case error detection for BOARD_SEPOLICY_UNION.
-# This ensures that a requested union file exists somewhere
-# in one of the listed BOARD_SEPOLICY_DIRS.
-$(foreach pf, $(BOARD_SEPOLICY_UNION), \
- $(if $(filter 0, $(words $(wildcard $(addsuffix /$(pf), $(BOARD_SEPOLICY_DIRS))))), \
- $(error No sepolicy file found for $(pf) in $(BOARD_SEPOLICY_DIRS)), \
- ) \
-)
-
-# Builds paths for all requested policy files w.r.t
-# both BOARD_SEPOLICY_REPLACE and BOARD_SEPOLICY_UNION
-# product variables.
+ifdef BOARD_SEPOLICY_REPLACE
+$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
+endif
+
+ifdef BOARD_SEPOLICY_IGNORE
+$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.)
+endif
+
+ifdef BOARD_SEPOLICY_UNION
+$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.)
+endif
+
+# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_policy = $(foreach type, $(1), \
- $(filter-out $(BOARD_SEPOLICY_IGNORE), \
- $(foreach expanded_type, $(notdir $(wildcard $(addsuffix /$(type), $(LOCAL_PATH)))), \
- $(if $(filter $(expanded_type), $(BOARD_SEPOLICY_REPLACE)), \
- $(wildcard $(addsuffix $(expanded_type), $(sort $(dir $(sepolicy_replace_paths))))), \
- $(LOCAL_PATH)/$(expanded_type) \
- ) \
- ) \
- $(foreach union_policy, $(wildcard $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS))), \
- $(if $(filter $(notdir $(union_policy)), $(BOARD_SEPOLICY_UNION)), \
- $(union_policy), \
- ) \
- ) \
- ) \
-)
+build_policy = $(foreach type, $(1), $(wildcard $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS))))
sepolicy_build_files := security_classes \
initial_sids \
access_vectors \
global_macros \
+ neverallow_macros \
mls_macros \
mls \
policy_capabilities \
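Review bot: The new `build_policy` (L186) only picks up a file from a BOARD_SEPOLICY_DIRS entry when its name matches one of the names passed in, so a misnamed device file (say `file_context`) is now dropped silently where the removed BOARD_SEPOLICY_UNION check (L148-L152) would have raised an error; the `sepolicy_build_files` list continues past this hunk, so I cannot see which patterns it carries. A parse-time check once the list is complete would keep a typo from quietly leaving policy out of the build, along the lines of `$(foreach f,$(filter-out $(call build_policy,$(sepolicy_build_files)),$(wildcard $(addsuffix /*,$(BOARD_SEPOLICY_DIRS)))),$(warning Ignoring unexpected sepolicy file $(f)))`, adjusted for whatever non-policy files those directories are expected to hold. A short comment on `build_policy` saying that every matching file found in BOARD_SEPOLICY_DIRS is appended after the `$(LOCAL_PATH)` copy, in directory order, would also document the ordering the README now relies on.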
@@ -113,7 +61,6 @@ $(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
- -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -141,7 +88,6 @@ $(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
- -D force_permissive_to_unconfined=$(FORCE_PERMISSIVE_TO_UNCONFINED) \
-D target_recovery=true \
-s $^ > $@
@@ -170,7 +116,6 @@ $(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=user \
- -D force_permissive_to_unconfined=true \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -200,6 +145,23 @@ built_fc := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
+
+LOCAL_MODULE := general_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE) : $(addprefix $(LOCAL_PATH)/, file_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@
+
+GENERAL_FILE_CONTEXTS := $(LOCAL_BUILT_MODULE)
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
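Review bot: checkfc validates `$@` only after m4 has already written it (L229-L230), so a failed check leaves a generated general_file_contexts in place that a rerun treats as up to date unless the enclosing build enables `.DELETE_ON_ERROR`, which I cannot see from here. The same write-then-check order appears in the general_property_contexts (L276-L278) and general_service_contexts (L307-L309) sections. Writing to a temporary and renaming only after validation avoids the stale artefact: `$(hide) m4 -s $< > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`.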
@@ -222,6 +184,27 @@ seapp_contexts.tmp :=
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := general_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+general_seapp_contexts.tmp := $(intermediates)/general_seapp_contexts.tmp
+$(general_seapp_contexts.tmp): $(addprefix $(LOCAL_PATH)/, seapp_contexts)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $^ > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE) : $(general_seapp_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkseapp
+ @mkdir -p $(dir $@)
+ $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<
+
+GENERAL_SEAPP_CONTEXTS := $(LOCAL_BUILT_MODULE)
+general_seapp_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
LOCAL_MODULE := property_contexts
LOCAL_MODULE_CLASS := ETC
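Review bot: The checkseapp command at L256 is the only recipe line in the new general_* sections without the `$(hide)` prefix, so it will echo on every build while its siblings stay silent; `$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $<` matches the surrounding style. The existing seapp_contexts section this mirrors starts outside the hunk, so I cannot tell whether the omission was copied from that rule.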
@@ -243,6 +226,23 @@ built_pc := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
+LOCAL_MODULE := general_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE) : $(addprefix $(LOCAL_PATH)/, property_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+
+GENERAL_PROPERTY_CONTEXTS := $(LOCAL_BUILT_MODULE)
+
+##################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -261,17 +261,21 @@ $(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLE
built_svc := $(LOCAL_BUILT_MODULE)
##################################
-
-##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := selinux-network.sh
-LOCAL_SRC_FILES := $(LOCAL_MODULE)
-LOCAL_MODULE_CLASS := EXECUTABLES
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
+LOCAL_MODULE := general_service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE) : $(addprefix $(LOCAL_PATH)/, service_contexts) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
-include $(BUILD_PREBUILT)
+GENERAL_SERVICE_CONTEXTS := $(LOCAL_BUILT_MODULE)
##################################
include $(CLEAR_VARS)
@@ -314,7 +318,6 @@ $(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(
build_policy :=
sepolicy_build_files :=
-sepolicy_replace_paths :=
built_sepolicy :=
built_sc :=
built_fc :=
diff --git a/README b/README
index 83ee7a2..8202c67 100644
--- a/README
+++ b/README
@@ -1,83 +1,30 @@
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate device/<vendor>/<board>/sepolicy subdirectory and linked
+into the policy build as described below.
+
Policy Generation:
Additional, per device, policy files can be added into the
policy build.
-They can be configured through the use of four variables,
-they are:
-1. BOARD_SEPOLICY_REPLACE
-2. BOARD_SEPOLICY_UNION
-3. BOARD_SEPOLICY_DIRS
-4. BOARD_SEPOLICY_IGNORE
-
-The variables should be set in the BoardConfig.mk file in
+They can be configured through the use of the BOARD_SEPOLICY_DIRS
+variable. This variable should be set in the BoardConfig.mk file in
the device or vendor directories.
-BOARD_SEPOLICY_UNION is a list of files that will be
-"unioned", IE concatenated, at the END of their respective
-file in external/sepolicy. Note, to add a unique file you
-would use this variable.
-
-BOARD_SEPOLICY_REPLACE is a list of files that will be
-used instead of the corresponding file in external/sepolicy.
-
BOARD_SEPOLICY_DIRS contains a list of directories to search
-for BOARD_SEPOLICY_UNION and BOARD_SEPOLICY_REPLACE files. Order
-matters in this list.
-eg.) If you have BOARD_SEPOLICY_UNION += widget.te and have 2
-instances of widget.te files on BOARD_SEPOLICY_DIRS search path.
-The first one found (at the first search dir containing the file)
-gets processed first.
+for additional policy files. Order matters in this list.
+For example, if you have 2 instances of widget.te files in the
+BOARD_SEPOLICY_DIRS search path, then the first one found (at the
+first search dir containing the file) will be concatenated first.
Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf
will help sort out ordering issues.
-It is an error to specify a BOARD_POLICY_REPLACE file that does
-not exist in external/sepolicy.
-
-It is an error to specify a BOARD_POLICY_REPLACE file that appears
-multiple times on the policy search path defined by BOARD_SEPOLICY_DIRS.
-eg.) if you specify shell.te in BOARD_SEPOLICY_REPLACE and
-BOARD_SEPOLICY_DIRS is set to
-"vendor/widget/common/sepolicy device/widget/x/sepolicy" and shell.te
-appears in both locations, it is an error. Unless it is in
-BOARD_SEPOLICY_IGNORE to be filtered out. See BOARD_SEPOLICY_IGNORE
-for more details.
-
-It is an error to specify the same file name in both
-BOARD_POLICY_REPLACE and BOARD_POLICY_UNION.
-
-It is an error to specify a BOARD_SEPOLICY_DIRS that has no entries when
-specifying BOARD_SEPOLICY_REPLACE.
-
-It is an error to specify a BOARD_POLICY_UNION file that
-doesn't appear in any of the BOARD_SEPOLICY_DIRS locations.
-
-BOARD_SEPOLICY_IGNORE is a list of paths (directory + filename) of
-files that are not to be included in the resulting policy. This list
-is passed to filter-out to remove any paths you may want to ignore. This
-is useful if you have numerous config directories that contain a file
-and you want to NOT include a particular file in your resulting
-policy file, either by UNION or REPLACE.
-Eg.) Suppose the following:
- BOARD_SEPOLICY_DIRS += X Y
- BOARD_SEPOLICY_REPLACE += A
- BOARD_SEPOLICY_IGNORE += X/A
-
- Directories X and Y contain A.
-
- The resulting policy is created by using Y/A only, thus X/A was
- ignored.
-
Example BoardConfig.mk Usage:
From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
-BOARD_SEPOLICY_DIRS += \
- device/samsung/tuna/sepolicy
-
-BOARD_SEPOLICY_UNION += \
- genfs_contexts \
- file_contexts \
- sepolicy.te
+BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
SPECIFIC POLICY FILE INFORMATION
@@ -89,9 +36,7 @@ mac_permissions.xml:
top of that file. The seinfo string, previously mentioned, is the same string
that is referenced in seapp_contexts.
- This file can be replaced through BOARD_SEPOLICY_REPLACE containing the
- value "mac_permissions.xml", or appended to by using the BOARD_SEPOLICY_UNION
- variable. It is important to note the final processed version of this file
+ It is important to note the final processed version of this file
is stripped of comments and whitespace. This is to preserve space on the
system.img. If one wishes to view it in a more human friendly format,
the "tidy" or "xmllint" command will assist you.
@@ -108,8 +53,7 @@ mac_permissions.xml:
keys.conf
The keys.conf file is used for controlling the mapping of "tags" found in
the mac_permissions.xml signature stanzas with actual public keys found in
- pem files. The configuration file can be used in BOARD_SEPOLICY_UNION and
- BOARD_SEPOLICY_REPLACE variables and is processed via m4.
+ pem files. The configuration file is processed via m4.
The script allows for mapping any string contained in TARGET_BUILD_VARIANT
with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
diff --git a/access_vectors b/access_vectors
index 74a377c..65b7e22 100644
--- a/access_vectors
+++ b/access_vectors
@@ -876,14 +876,6 @@ class binder
transfer
}
-class zygote
-{
- specifyids
- specifyrlimits
- specifyinvokewith
- specifyseinfo
-}
-
class property_service
{
set
@@ -917,4 +909,22 @@ class keystore_key
reset_uid
sync_uid
password_uid
+ add_auth
+}
+
+class debuggerd
+{
+ dump_tombstone
+ dump_backtrace
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
}
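Review bot: `class drmservice {` (L465) puts the brace on the class line and uses camelCase permission names, while every other class in the file, including the new `class debuggerd` just above it, opens the brace on its own line and uses lower_snake_case. Renaming the permissions is not free since drmserver.te in the diffstat presumably references them, but the brace placement can be normalised now: `class drmservice` followed by `{` on the next line.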
diff --git a/adbd.te b/adbd.te
index 5fdd747..57b1e48 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,6 +1,6 @@
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
-type adbd, domain;
+type adbd, domain, mlstrustedsubject;
userdebug_or_eng(`
allow adbd self:process setcurrent;
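Review bot: `type adbd, domain, mlstrustedsubject;` (L483) lets adbd bypass the MLS constraints that otherwise separate per-user data, and nothing in the hunk records why that wider reach is needed; the comment above still only explains the seclabel. A one-line rationale next to the attribute, e.g. `# mlstrustedsubject: <why adbd must operate across MLS levels>`, would keep the grant reviewable when the constraints in mls are revisited later.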
@@ -41,10 +41,11 @@ allow adbd sdcard_type:file create_file_perms;
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
-# Set service.adb.*, sys.powerctl properties.
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
unix_socket_connect(adbd, property, init)
allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;
+allow adbd ffs_prop:property_service set;
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
@@ -82,3 +83,14 @@ allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
allow adbd kernel:security read_policy;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
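Review bot: The `surfaceflinger_service:service_manager find` rule and the two bootchart_data_file rules (L501-L503) are the only additions in this hunk without a comment, while the storage rules directly below them explain their purpose. A short note on each, such as `# Used by screencap/screenrecord via adb` or `# Read bootchart output for adb pull`, whichever is the actual reason, would match the rest of the file.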
diff --git a/app.te b/app.te
index 423be14..af8c508 100644
--- a/app.te
+++ b/app.te
@@ -27,6 +27,11 @@ allow appdomain zygote_tmpfs:file read;
# Notify zygote of death;
allow appdomain zygote:process sigchld;
+# Notify zygote of the wrapped process PID when using --invoke-with.
+userdebug_or_eng(`
+ allow appdomain zygote:fifo_file write;
+')
+
# Notify shell and adbd of death when spawned via runas for ndk-gdb.
allow appdomain shell:process sigchld;
allow appdomain adbd:process sigchld;
@@ -46,13 +51,16 @@ allow appdomain appdomain:fifo_file rw_file_perms;
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
# Keychain and user-trusted credentials
allow appdomain keychain_data_file:dir r_dir_perms;
allow appdomain keychain_data_file:file r_file_perms;
@@ -82,6 +90,14 @@ allow appdomain dumpstate:fd use;
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
# Write to /proc/net/xt_qtaguid/ctrl file.
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
@@ -90,7 +106,7 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.
-allow appdomain gpu_device:chr_file { rw_file_perms execute };
+allow { appdomain -isolated_app } gpu_device:chr_file { rw_file_perms execute };
# Use the Binder.
binder_use(appdomain)
@@ -119,18 +135,21 @@ allow appdomain media_rw_data_file:file { read getattr };
# Read and write /data/data/com.android.providers.telephony files passed over Binder.
allow appdomain radio_data_file:file { read write getattr };
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app system_app_data_file:file { read write getattr };
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow appdomain storage_file:dir r_dir_perms;
+allow appdomain storage_file:lnk_file r_file_perms;
+allow appdomain mnt_user_file:dir r_dir_perms;
+allow appdomain mnt_user_file:lnk_file r_file_perms;
-# Access SDcard via the fuse mount.
+# Read/write visible storage
allow appdomain fuse:dir create_dir_perms;
allow appdomain fuse:file create_file_perms;
# Access OBBs (vfat images) mounted by vold (b/17633509)
+# File write access allowed for FDs returned through Storage Access Framework
allow appdomain vfat:dir r_dir_perms;
-allow appdomain vfat:file r_file_perms;
+allow appdomain vfat:file rw_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
@@ -160,18 +179,22 @@ allow appdomain apk_data_file:file { rx_file_perms execmod };
allow appdomain resourcecache_data_file:file r_file_perms;
allow appdomain resourcecache_data_file:dir r_dir_perms;
+# logd access
+read_logd(appdomain)
+control_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+
+use_keystore({ appdomain -isolated_app })
+
+allow appdomain console_device:chr_file { read write };
+
###
### CTS-specific rules
###
-# For cts/tools/device-setup/TestDeviceSetup/src/android/tests/getinfo/RootProcessScanner.java.
-# Reads /proc/pid/status and statm entries to check that
-# no unexpected root processes are running.
-# Also for cts/tests/tests/security/src/android/security/cts/VoldExploitTest.java
-# Reads /proc/pid/cmdline of vold.
-allow appdomain domain:dir { open read search getattr };
-allow appdomain domain:{ file lnk_file } { open read getattr };
-
# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
# testRunAsHasCorrectCapabilities
allow appdomain runas_exec:file getattr;
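Review bot: `allow appdomain console_device:chr_file { read write };` (L600) is the one genuinely new rule in this hunk, since the logd and keystore rules are moved from further down, and it grants every app domain read/write on the console device without a comment. A line stating the motivating case would help, and if isolated apps do not need it the rule should probably follow the neighbouring keystore rules and read `allow { appdomain -isolated_app } console_device:chr_file { read write };`.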
@@ -181,18 +204,6 @@ allow appdomain runas_exec:file getattr;
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
-# Validate that each process is running in the correct security context.
-allow appdomain domain:process getattr;
-
-# logd access
-read_logd(appdomain)
-control_logd(appdomain)
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow appdomain keystore:keystore_key { test get insert delete exist saw sign verify };
-
-use_keystore(appdomain)
###
### Neverallow rules
@@ -270,8 +281,9 @@ neverallow appdomain { domain -appdomain }:process
{ sigkill sigstop signal };
# Transition to a non-app domain.
-# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } { domain -appdomain }:process
+# Exception for the shell domain and the su domain, can transition to runas,
+# etc.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
{ transition dyntransition };
# Write to rootfs.
diff --git a/attributes b/attributes
index 613ed8f..a9b211f 100644
--- a/attributes
+++ b/attributes
@@ -42,6 +42,15 @@ attribute port_type;
# All types used for property service
attribute property_type;
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
# All types used for services managed by service_manager.
attribute service_manager_type;
@@ -53,9 +62,6 @@ attribute mlstrustedsubject;
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
-# Domains that are allowed all permissions ("unconfined").
-attribute unconfineddomain;
-
# All domains used for apps.
attribute appdomain;
@@ -67,3 +73,6 @@ attribute bluetoothdomain;
# All domains used for binder service domains.
attribute binderservicedomain;
+
+# All domains that are excluded from the domain.te auditallow.
+attribute service_manager_local_audit;
diff --git a/blkid.te b/blkid.te
new file mode 100644
index 0000000..15b6a85
--- /dev/null
+++ b/blkid.te
@@ -0,0 +1,20 @@
+# blkid called from vold
+type blkid, domain;
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow domain blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
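Review bot: The entrypoint neverallow (L701) carves out `shell_exec` but no allow rule in the hunk grants blkid a shell entrypoint and no comment says why the exception exists; presumably it covers the `popen()` path noted at L695, which runs through /system/bin/sh. Stating that on the rule, e.g. `# -shell_exec: vold launches blkid through popen(), which enters via /system/bin/sh`, would stop a later reader from widening or dropping the exception by mistake.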
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
new file mode 100644
index 0000000..df8e447
--- /dev/null
+++ b/blkid_untrusted.te
@@ -0,0 +1,36 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow domain blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
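Review bot: The neverallow at L727-L738 is a denylist of specific block-device types, so every `*_block_device` type added later (several are introduced in device.te by this same commit) has to be remembered here or the untrusted blkid silently gains access to it. Since the only block device this domain is allowed is `vold_device` (L713), an allowlist form expresses the intent directly and is future-proof: `neverallow blkid_untrusted { dev_type -vold_device }:blk_file no_rw_file_perms;`, provided no file outside this hunk grants blkid_untrusted another block device.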
diff --git a/bluetooth.te b/bluetooth.te
index 2b108a9..890c1d9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,18 @@ allow bluetooth bluetooth_prop:property_service set;
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth surfaceflinger_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
###
### Neverallow rules
###
diff --git a/bootanim.te b/bootanim.te
index 35a4176..dd1e57a 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -15,3 +15,5 @@ allow bootanim oemfs:file r_file_perms;
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim surfaceflinger_service:service_manager find;
diff --git a/clatd.te b/clatd.te
index 0371e14..5c52bdb 100644
--- a/clatd.te
+++ b/clatd.te
@@ -17,6 +17,14 @@ allow clatd netd:unix_dgram_socket { read write };
allow clatd self:capability { net_admin net_raw setuid setgid };
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
+# does not need CAP_IPC_LOCK, so we suppress any denials we see
+# from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940
+dontaudit clatd self:capability ipc_lock;
+
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 16f4cbe..4f84813 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
@@ -22,6 +22,10 @@ allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file r_file_perms;
# Access app library
allow debuggerd system_data_file:file open;
+# Allow debuggerd to redirect a dump_backtrace request to itself.
+# This only happens on 64 bit systems, where all requests go to the 64 bit
+# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
+allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
@@ -33,3 +37,6 @@ userdebug_or_eng(`
# logd access
read_logd(debuggerd)
+
+# Check SELinux permissions.
+selinux_check_access(debuggerd)
diff --git a/device.te b/device.te
index 94813c2..c155fcc 100644
--- a/device.te
+++ b/device.te
@@ -9,8 +9,10 @@ type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type;
type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type;
+type vold_device, dev_type;
type console_device, dev_type;
type cpuctl_device, dev_type;
type fscklogs, dev_type;
@@ -28,16 +30,16 @@ type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
-type urandom_device, dev_type;
+type urandom_device, dev_type, mlstrustedobject;
type video_device, dev_type;
type vcs_device, dev_type;
-type zero_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
type fuse_device, dev_type;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
@@ -47,8 +49,8 @@ type watchdog_device, dev_type;
type uhid_device, dev_type;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type;
-type usb_device, dev_type;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
type klog_device, dev_type;
type properties_device, dev_type;
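Review bot: usb_device and usbaccessory_device gain mlstrustedobject in this hunk without a comment, and that attribute exempts the nodes from the MLS constraints rather than from type enforcement, so the reason should be recorded next to the change. Presumably a domain running at a non-default MLS level needs /dev/bus/usb (labeled usb_device in file_contexts), but that caller is not visible here. A comment such as `# mlstrustedobject: accessed by <domain, to confirm> running at a per-user MLS level` would let the exemption be revisited when that need goes away.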
@@ -67,3 +69,26 @@ type root_block_device, dev_type;
# factory reset protection block device
type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
+# boot block device.
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+type metadata_block_device, dev_type;
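Review bot: Only metadata_block_device carries an instruction telling device policy which partition to assign it to; the six other new partition types in this hunk do not, yet the fsck neverallow rules in fsck.te and the write neverallows in domain.te in this change only protect partitions that a device actually labels with these types. A one-line note at the top of the block, e.g. `# Device policy must assign these types in its file_contexts; partitions left as block_device are not covered by the per-partition neverallow rules.`, makes that expectation explicit.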
diff --git a/dex2oat.te b/dex2oat.te
index f7de25d..0eb3881 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -13,3 +13,4 @@ allow dex2oat installd:fd use;
allow dex2oat asec_apk_file:file read;
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
+allow dex2oat apk_tmp_file:file read;
diff --git a/domain.te b/domain.te
index c978ffa..7bc2292 100644
--- a/domain.te
+++ b/domain.te
@@ -51,7 +51,7 @@ userdebug_or_eng(`
allow domain su:fd use;
allow domain su:unix_stream_socket { getattr getopt read write shutdown };
- binder_call(domain, su)
+ binder_call({ domain -init }, su)
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
@@ -88,12 +88,11 @@ allow domain zero_device:chr_file rw_file_perms;
allow domain ashmem_device:chr_file rw_file_perms;
allow domain binder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
-allow domain log_device:dir search;
-allow domain log_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
+allow domain init:key search;
# logd access
write_logd(domain)
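Review bot: `allow domain init:key search;` is added with no comment, unlike the device rules around it, and it grants every domain search access to keys owned by init. The likely reason is a keyring inherited from init at fork (to be confirmed); recording it next to the rule, e.g. `# Search the keyring inherited from init.`, would explain why the grant is on `domain` rather than on the specific consumers.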
@@ -108,6 +107,10 @@ allow domain system_file:file r_file_perms;
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;
+# Run toolbox.
+# Kernel and init never run anything without changing domains.
+allow { domain -kernel -init } toolbox_exec:file rx_file_perms;
+
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
@@ -163,22 +166,26 @@ allow domain security_file:lnk_file r_file_perms;
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-allow domain servicemanager:service_manager list;
-allow domain service_manager_type:service_manager find;
-
###
### neverallow rules
###
-# Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
+# Do not allow any domain other than init or recovery to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
-neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+neverallow {
+ domain
+ -debuggerd
+ -vold
+ -dumpstate
+ -system_server
+ userdebug_or_eng(`-procrank')
+} self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
@@ -231,7 +238,7 @@ neverallow domain kernel:security setbool;
neverallow { domain -init } kernel:security setsecparam;
# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
+neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;
@@ -248,18 +255,19 @@ neverallow { domain -init } proc_security:file { append write };
# No domain should be allowed to ptrace init.
neverallow domain init:process ptrace;
-# Init can't receive binder calls. If this neverallow rule is being
+# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
-neverallow domain init:binder call;
+neverallow domain init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
-# ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
+# init is exempt from this as there are character devices that only it uses.
+# ueventd is exempt from this, as it is managing these devices.
+neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
@@ -286,12 +294,16 @@ neverallow {
} { fs_type -rootfs }:file execute;
# Only the init property service should write to /data/property.
-neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
-neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file no_w_file_perms;
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+ { create write setattr relabelfrom append unlink link rename };
+neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
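Review bot: The split-out rule `neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;` newly exempts kernel without saying why, while the remaining write permissions in the rule above it keep recovery as the only exception. A comment stating which kernel-labeled operation needs to relabel files to system_file (possibly connected to the squashfs fs_use_xattr entry elsewhere in this change, to be confirmed) would keep the exemption from being widened later. The neverallow whose closing line opens this hunk starts outside the hunk.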
@@ -313,4 +325,78 @@ neverallow { domain -recovery } contextmount_type:dir_file_class_set
# from service name to service_type are defined in service_contexts.
neverallow domain default_android_service:service_manager add;
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init } default_prop:property_service set;
+
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+
+# No domain other than recovery can write to system.
+neverallow { domain -recovery } system_block_device:blk_file write;
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+
+# Only servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager } *:binder set_context_mgr;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+# (excluding /data/dalvik-cache/profiles, which is labeled differently)
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -dex2oat
+} dalvikcache_data_file:file no_w_file_perms;
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow domain domain:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow domain {
+ file_type
+ -system_file # needs to die. b/20013628
+ -system_data_file
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+# TODO: prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+# neverallow { domain -appdomain } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
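Review bot: The new partition rules `neverallow { domain -recovery } system_block_device:blk_file write;` and the recovery_block_device rule below it name only the `write` permission, whereas the property and dalvik-cache rules in this file use the no_w_file_perms macro; a blk_file node can also be altered through append, setattr, relabelfrom or unlink, and those two rules do not forbid any of them. Using `no_w_file_perms` here too (its expansion is not visible in this view but is presumably broader than `write`), or at least `{ write append }`, would match the rest of the file, provided the wider set is acceptable for vold and kernel. The final rule `neverallow { domain -init } proc:{ file dir } mounton;` is the only one in the hunk without a comment; a line such as `# Only init mounts over entries in /proc.` would bring it in line with the others.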
diff --git a/drmserver.te b/drmserver.te
index 7bc9e6a..d76d3be 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -45,8 +45,11 @@ allow drmserver asec_apk_file:file { read getattr };
# Read /data/data/com.android.providers.telephony files passed over Binder.
allow drmserver radio_data_file:file { read getattr };
-allow drmserver drmserver_service:service_manager add;
-
# /oem access
allow drmserver oemfs:dir search;
allow drmserver oemfs:file r_file_perms;
+
+allow drmserver drmserver_service:service_manager { add find };
+allow drmserver permission_service:service_manager find;
+
+selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index d9baada..43daac4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -1,13 +1,14 @@
# dumpstate
-type dumpstate, domain;
+type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;
init_daemon_domain(dumpstate)
net_domain(dumpstate)
binder_use(dumpstate)
-# Drop privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid };
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
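Review bot: dumpstate is made mlstrustedsubject on the second line of the hunk, which lifts the MLS constraints for everything it touches, but the only rationale added is for the sys_resource capability. A short comment on the type line, e.g. `# mlstrustedsubject: dumpstate collects data from every user's MLS level (confirm)`, would document the exemption the way the capability comment does.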
@@ -48,6 +49,8 @@ allow dumpstate { appdomain system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+# Ask debuggerd for the backtraces of these processes.
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
@@ -60,6 +63,8 @@ allow dumpstate sysfs:file w_file_perms;
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
+# df for /storage/emulated needs search
+allow dumpstate storage_file:dir search;
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
@@ -85,6 +90,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;
+allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
@@ -101,5 +107,8 @@ allow dumpstate net_data_file:file r_file_perms;
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
-# Access /system/bin executables to determine type of executable.
-allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
+allow dumpstate servicemanager:service_manager list;
+service_manager_local_audit_domain(dumpstate)
+
+allow dumpstate devpts:chr_file rw_file_perms;
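Review bot: `allow dumpstate devpts:chr_file rw_file_perms;` and the exclusion in `{ service_manager_type -gatekeeper_service }` are both added without a comment, while every other rule in this file explains its purpose. The devpts grant probably covers running dumpstate from an interactive shell (to be confirmed), and the exclusion presumably keeps dumpstate away from the gatekeeper service; a line for each, e.g. `# pty access when dumpstate is run from a shell (confirm)` and one giving the reason gatekeeper_service is singled out, would record that. Note that gatekeeperd.te in this change does not itself restrict who may find gatekeeper_service, so this per-domain opt-out is currently the only guard visible.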
diff --git a/file.te b/file.te
index 9e56d7f..7bd3843 100644
--- a/file.te
+++ b/file.te
@@ -13,7 +13,7 @@ type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_net, fs_type;
type proc_sysrq, fs_type;
-type selinuxfs, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
@@ -38,15 +38,20 @@ type pstorefs, fs_type;
type functionfs, fs_type;
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
# File types
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type;
# /data/.layout_version or other installd-created files that
# are created in a system_data_file directory.
type install_data_file, file_type, data_file_type;
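Review bot: The comment `# Unencrypted data` for unencrypted_data_file is the only one in this block that does not name the path it labels; its neighbours say `# Default type for anything under /data.` and `# /data/.layout_version ...`. Since file_contexts in this same change binds the type to /data/unencrypted, `# /data/unencrypted` (plus a phrase on what is kept there, if known) would match the file's style. binfmt_miscfs and logcat_exec are documented adequately as written.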
@@ -67,41 +72,57 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
# /data/dalvik-cache
type dalvikcache_data_file, file_type, data_file_type;
# /data/dalvik-cache/profiles
-type dalvikcache_profiles_data_file, file_type, data_file_type;
+type dalvikcache_profiles_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type;
+type shell_data_file, file_type, data_file_type, mlstrustedobject;
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
type audio_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type camera_data_file, file_type, data_file_type;
+type gatekeeper_data_file, file_type, data_file_type;
type keychain_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type;
+type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type;
type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type;
+type radio_data_file, file_type, data_file_type, mlstrustedobject;
type shared_relro_file, file_type, data_file_type;
type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
+type vold_data_file, file_type, data_file_type;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;
# /data/data subdirectories - app sandboxes
type app_data_file, file_type, data_file_type;
# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type;
+type system_app_data_file, file_type, data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
typealias app_data_file alias platform_app_data_file;
typealias app_data_file alias download_file;
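Review bot: Five existing data types gain mlstrustedobject in this hunk (dalvikcache_profiles_data_file, shell_data_file, media_rw_data_file, radio_data_file, system_app_data_file) and none of the changed lines says which cross-level access motivated it; the same applies to asec_apk_file in the next hunk and to the logd and mdnsd sockets in the one after. Each attribute addition exempts that object from the MLS constraints, so a brief note per type, e.g. `# mlstrustedobject: shared across users' MLS levels by <domain, to confirm>`, would make a later audit of the exemptions possible.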
@@ -115,7 +136,7 @@ type efs_file, file_type;
# Type for wallpaper file.
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
-type asec_apk_file, file_type, data_file_type;
+type asec_apk_file, file_type, data_file_type, mlstrustedobject;
# Elements of asec files (/mnt/asec) that are world readable
type asec_public_file, file_type, data_file_type;
# /data/app-asec
@@ -138,12 +159,11 @@ type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
type lmkd_socket, file_type;
-type logd_debug, file_type;
-type logd_socket, file_type;
-type logdr_socket, file_type;
-type logdw_socket, file_type;
+type logd_socket, file_type, mlstrustedobject;
+type logdr_socket, file_type, mlstrustedobject;
+type logdw_socket, file_type, mlstrustedobject;
type mdns_socket, file_type;
-type mdnsd_socket, file_type;
+type mdnsd_socket, file_type, mlstrustedobject;
type mtpd_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 62802e0..0fc096d 100644
--- a/file_contexts
+++ b/file_contexts
@@ -12,7 +12,7 @@
# Executables
/charger u:object_r:rootfs:s0
-/init u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
# Empty directories
@@ -40,7 +40,9 @@
/dev/audio.* u:object_r:audio_device:s0
/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/cam u:object_r:camera_device:s0
@@ -64,6 +66,7 @@
/dev/mpuirq u:object_r:gps_device:s0
/dev/mtd(/.*)? u:object_r:mtd_device:s0
/dev/mtp_usb u:object_r:mtp_device:s0
+/dev/pmsg0 u:object_r:pmsg_device:s0
/dev/pn544 u:object_r:nfc_device:s0
/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
@@ -83,7 +86,6 @@
/dev/socket/gps u:object_r:gps_socket:s0
/dev/socket/installd u:object_r:installd_socket:s0
/dev/socket/lmkd u:object_r:lmkd_socket:s0
-/dev/logd_debug u:object_r:logd_debug:s0
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
@@ -123,6 +125,12 @@
# System files
#
/system(/.*)? u:object_r:system_file:s0
+/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/bootanimation u:object_r:bootanim_exec:s0
@@ -139,6 +147,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
@@ -149,6 +158,7 @@
/system/bin/tf_daemon u:object_r:tee_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
+/system/xbin/procrank u:object_r:procrank_exec:s0
/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/hostapd u:object_r:hostapd_exec:s0
@@ -163,17 +173,30 @@
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat u:object_r:dex2oat_exec:s0
+/system/bin/sgdisk u:object_r:sgdisk_exec:s0
+/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
#############################
# Vendor files
#
/vendor(/.*)? u:object_r:system_file:s0
/vendor/bin/gpsd u:object_r:gpsd_exec:s0
+
+#############################
+# ODM files
+#
+/odm(/.*)? u:object_r:system_file:s0
+
#############################
# Data files
#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
/data(/.*)? u:object_r:system_data_file:s0
/data/.layout_version u:object_r:install_data_file:s0
+/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
/data/security(/.*)? u:object_r:security_file:s0
@@ -186,7 +209,9 @@
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
-/data/app/vmdl.*\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
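Review bot: The tightened `vmdl[^/]+\.tmp` pattern is applied to /data/app, but the sibling context entry `/data/app-private/vmdl.*\.tmp(/.*)?` two lines below keeps `.*`, which can span directory components; aligning it to `/data/app-private/vmdl[^/]+\.tmp(/.*)?` would keep the two staging-directory rules consistent. Given last-match-wins ordering, the new `/data/app/[^/]+/oat(/.*)?` entry already matches the vmdl temp directories, so the separate `/data/app/vmdl[^/]+\.tmp/oat(/.*)?` line exists only to win back over the apk_tmp_file entry placed between them; a comment saying so would stop someone dropping it as redundant.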
@@ -204,6 +229,7 @@
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
@@ -218,6 +244,23 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+
+# Bootchart data
+/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
@@ -252,3 +295,9 @@
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+
+#############################
+# external storage
+/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
+/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/storage(/.*)? u:object_r:storage_file:s0
diff --git a/fs_use b/fs_use
index edbcf58..4bd1112 100644
--- a/fs_use
+++ b/fs_use
@@ -7,6 +7,7 @@ fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
diff --git a/fsck.te b/fsck.te
new file mode 100644
index 0000000..8c1aaf3
--- /dev/null
+++ b/fsck.te
@@ -0,0 +1,43 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, exec_type, file_type;
+
+init_daemon_domain(fsck)
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck block_device:dir search;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow domain fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
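Review bot: The neverallow under `# fsck should never be run on these block devices` enumerates specific partition types but leaves out the generic block_device type, so a device policy that never relabels a sensitive partition could grant fsck access to it without tripping any rule. Adding `block_device` to that set would force device policies to give each checked partition a specific label; fsck's only grant on the generic type is `block_device:dir search`, a different class, so the allow side is unaffected. The same consideration applies to the list in fsck_untrusted.te below.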
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
new file mode 100644
index 0000000..67c67b7
--- /dev/null
+++ b/fsck_untrusted.te
@@ -0,0 +1,36 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow domain fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/gatekeeperd.te b/gatekeeperd.te
new file mode 100644
index 0000000..39d9d21
--- /dev/null
+++ b/gatekeeperd.te
@@ -0,0 +1,24 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+init_daemon_domain(gatekeeperd)
+binder_use(gatekeeperd)
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+
+# need to find KeyStore and add self
+allow gatekeeperd gatekeeper_service:service_manager { add find };
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
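Review bot: The closing neverallow only pins who may register gatekeeper_service; nothing restricts which domains may `find` it, and the only guard visible in this change is dumpstate excluding it by hand in its own find rule. A second rule of the form `neverallow { domain -gatekeeperd -<client domains, to confirm> } gatekeeper_service:service_manager find;` would make that policy-wide instead of relying on each domain to opt out. The comment `# gatekeeperd` above init_daemon_domain could also say what the daemon does, since the file has no header and its purpose is implied only by the tee_device and keystore grants.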
diff --git a/genfs_contexts b/genfs_contexts
index 31b7e4f..4b16ffc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -32,3 +32,4 @@ genfscon fuse / u:object_r:fuse:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/global_macros b/global_macros
index 62d5934..8d72868 100644
--- a/global_macros
+++ b/global_macros
@@ -25,14 +25,13 @@ define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`link_file_perms', `{ getattr link unlink rename }')
-define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
define(`r_dir_perms', `{ open getattr read search ioctl }')
define(`w_dir_perms', `{ open search write add_name remove_name }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
define(`r_ipc_perms', `{ getattr read associate unix_read }')
define(`w_ipc_perms', `{ write unix_write }')
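Review bot: Dropping link_file_perms silently removes `link` from create_file_perms (the old expansion included getattr, link, unlink and rename; the new one keeps rename and unlink), and removes `link` and `unlink` from create_dir_perms, where they are harmless for directories. Removing hard-link creation from the default file-creation set is a tightening, but nothing in the macro file records it, so a later cleanup could reintroduce it. A comment on the create_file_perms line, e.g. `# Deliberately excludes link; grant hard-link creation per domain where needed.`, would preserve the intent, assuming the removal was intended rather than incidental.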
diff --git a/gpsd.te b/gpsd.te
index 33b1df6..2e05092 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,3 +18,11 @@ allow gpsd gps_device:chr_file rw_file_perms;
# Execute the shell or system commands.
allow gpsd shell_exec:file rx_file_perms;
allow gpsd system_file:file rx_file_perms;
+
+###
+### neverallow
+###
+
+# gpsd can never have capabilities other than block_suspend
+neverallow gpsd self:capability *;
+neverallow gpsd self:capability2 ~block_suspend;
diff --git a/healthd.te b/healthd.te
index e7e165a..2ea825c 100644
--- a/healthd.te
+++ b/healthd.te
@@ -38,7 +38,7 @@ allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
-allow healthd healthd_service:service_manager add;
+allow healthd healthd_service:service_manager { add find };
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
diff --git a/init.te b/init.te
index b5b7993..9f624ba 100644
--- a/init.te
+++ b/init.te
@@ -1,19 +1,78 @@
-# init switches to init domain (via init.rc).
-type init, domain;
-# init is unconfined.
-unconfined_domain(init)
+# init is its own domain.
+type init, domain, mlstrustedsubject;
tmpfs_domain(init)
-allow init self:capability { sys_rawio mknod };
+# The init domain is entered by execing init.
+type init_exec, exec_type, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file create_file_perms;
+
+#
+# init direct restorecon calls.
+#
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/__properties__
+allow init tmpfs:file relabelfrom;
+allow init properties_device:file relabelto;
+
+# setrlimit
+allow init self:capability sys_resource;
+
+# Remove /dev/.booting, created before initial policy load or restorecon /dev.
+allow init tmpfs:file unlink;
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:capability sys_admin;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init rootfs:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
-# Run helpers from / or /system without changing domain.
-# We do not include exec_type here since generally those
-# should always involve a domain transition.
-allow init rootfs:file execute_no_trans;
-allow init system_file:file execute_no_trans;
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
-# Running e2fsck or mkswap via fs_mgr.
-allow init dev_type:blk_file rw_file_perms;
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+allow init cpuctl_device:dir { create mounton };
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:capability dac_override;
+
+# Set system clock.
+allow init self:capability sys_time;
+
+allow init self:capability { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
# Mounting filesystems.
# Only allow relabelto for types used in context= mount options,
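Review bot: `allow init self:capability dac_override;` is justified only by creating directories under /dev/cpuctl after it has been chowned to system, but CAP_DAC_OVERRIDE lets init bypass DAC on every file it can reach, far beyond that one case. If init.rc can create the cgroup subdirectories before chowning /dev/cpuctl the capability could be dropped entirely; if the ordering is fixed, the comment should say that was considered so the justification is not quietly broadened later. The same hunk narrows `dev_type:blk_file` from rw to `r_file_perms`, which is good; note that `mknod` together with `allow init tmpfs:chr_file create_file_perms;` still lets init create arbitrary device nodes in tmpfs, which the /dev/__null__ comment only partly covers.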
@@ -31,12 +90,29 @@ allow init contextmount_type:notdevfile_class_set r_file_perms;
# restorecon /adb_keys or any other rootfs files to a more specific type.
allow init rootfs:file relabelfrom;
-# restorecon and restorecon_recursive calls from init.rc files.
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
+allow init self:capability { chown fowner fsetid };
+allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
allow init sysfs_type:{ dir file lnk_file } relabelto;
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# chown/chmod on pseudo files.
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+
+# chown/chmod on devices.
+allow init { dev_type -kmem_device }:chr_file { read open setattr };
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
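Review bot: The exclusion set `{file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}` is spelled out four times (the dir write, file, sock_file/fifo_file and lnk_file rules), while the dir create/read rule just above excludes only `app_data_file`, so a reader cannot tell whether the asymmetry is deliberate. An m4 define (say `init_writable_file_types`) expanding to that set and used in all four rules would single-source it and make the one intentionally wider rule stand out; a one-line comment pointing at the narrower keystore/vold/shell rules later in this file would explain the asymmetry. The comment `chown/chmod require open+read+setattr required for open()+fchown/fchmod().` also reads as two sentences merged; `chown/chmod from init.rc need open+read+setattr, since init implements them as open()+fchown()/fchmod().` is what I take it to mean.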
@@ -45,9 +121,6 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
# Create /data/security from init.rc post-fs-data.
allow init security_file:dir { create setattr };
-# setprop selinux.reload_policy 1 from init.rc post-fs-data.
-allow init security_prop:property_service set;
-
# Reload policy upon setprop selinux.reload_policy 1.
r_dir_file(init, security_file)
allow init kernel:security load_policy;
@@ -55,28 +128,42 @@ allow init kernel:security load_policy;
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
+allow init self:capability2 syslog;
# Set usermodehelpers and /proc security settings.
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
+# Write to /proc/sys/kernel/panic_on_oops.
+allow init proc:file w_file_perms;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+allow init proc_net:file w_file_perms;
+allow init self:capability net_admin;
+
+# Write to /proc/sysrq-trigger.
+allow init proc_sysrq:file w_file_perms;
+
+# Reboot.
+allow init self:capability sys_boot;
+
+# Write to sysfs nodes.
+allow init sysfs_type:dir r_dir_perms;
+allow init sysfs_type:file w_file_perms;
+
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
recovery_only(`
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
-domain_trans(init, rootfs, ueventd)
-domain_trans(init, rootfs, watchdogd)
-
-# Certain domains need LD_PRELOAD passed from init.
-# https://android-review.googlesource.com/94851
-# For now, allow it to most domains.
-# TODO: scope this down.
-allow init { domain -lmkd }:process noatsecure;
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
# Support "adb shell stop"
+allow init self:capability kill;
allow init domain:process sigkill;
# Init creates keystore's directory on boot, and walks through
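Review bot: `allow init proc:file w_file_perms;` is justified by a single node, /proc/sys/kernel/panic_on_oops, but `proc` appears to be the generic label for every /proc file without a more specific type, so this grants init write on all of them. The hunk itself shows the better pattern two rules down, where /proc/sys/net files get their own `proc_net` type; giving panic_on_oops a dedicated type in genfs_contexts and writing `allow init proc_panic:file w_file_perms;` (name illustrative) would keep the rule as narrow as its comment claims. `allow init sysfs_type:file w_file_perms;` under "Write to sysfs nodes" has the same shape and the same fix if the set of nodes init.rc writes is known.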
@@ -84,16 +171,39 @@ allow init domain:process sigkill;
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
+# Set UID and GID for services.
+allow init self:capability { setuid setgid };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind };
+allow init domain:unix_dgram_socket { create bind };
+
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
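Review bot: `r_dir_file(init, domain)` is justified only by bootchart reading /proc/$pid/cmdline, yet by its name it presumably gives init read access to every /proc/<pid> entry of every domain, which is more than a debugging aid should cost on production builds. If bootchart is only ever exercised on debug builds, wrapping the macro in `userdebug_or_eng(...)` as procrank.te in this same change does would confine the exposure; if it must stay unconditional, the comment should say why. The `domain:unix_stream_socket { create bind }` and `unix_dgram_socket` rules below would read better with a note that they pair with `kernel:security compute_create`, i.e. init creates each socket already labeled for the target service.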
@@ -103,17 +213,72 @@ allow init property_type:property_service set;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
+allow init self:capability net_raw;
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# Access character devices without a specific type,
+# e.g. /dev/keychord.
+# TODO: Move these devices into their own type unless they
+# are only ever accessed by init.
+allow init device:chr_file { rw_file_perms setattr };
+
+# keychord configuration
+allow init self:capability sys_tty_config;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to link temp fs to unencrypted data on userdata
+allow init tmpfs:lnk_file { create read getattr relabelfrom };
+
+# Allow init to manipulate /data/unencrypted
+allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+allow init unencrypted_data_file:dir create_dir_perms;
+
+unix_socket_connect(init, vold, vold)
+
###
### neverallow rules
###
# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
-neverallow { domain -kernel} init:process dyntransition;
-neverallow domain init:process transition;
-neverallow init { file_type fs_type }:file entrypoint;
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel} init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
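Review bot: The comment above the neverallow block, "The init domain is only entered via setcon from the kernel domain, never via an exec-based transition", now states the opposite of what the rules beneath it enforce: `neverallow domain init:process dyntransition;` forbids setcon from every domain including kernel, and `neverallow { domain -kernel} init:process transition;` plus the `-init_exec` carve-out in the entrypoint rule leave exec of init_exec from kernel as the only way in (matching `domain_auto_trans(kernel, init_exec, init)` in kernel.te in this same change). Suggest replacing the two comment lines with `# The init domain is only entered by the kernel domain execing init_exec (see kernel.te), never via setcon/dyntransition.` so comment and rules agree. Separately, `allow init device:chr_file { rw_file_perms setattr };` already carries a TODO, but it is worth stating that until those nodes are typed, init has read/write on any untyped character device, not just /dev/keychord.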
diff --git a/init_shell.te b/init_shell.te
deleted file mode 100644
index 51dbd07..0000000
--- a/init_shell.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# Restricted domain for shell processes spawned by init.
-# Normally these are shell commands or scripts invoked via sh
-# from an init*.rc file. No service should ever run in this domain.
-type init_shell, domain;
-domain_auto_trans(init, shell_exec, init_shell)
-permissive_or_unconfined(init_shell)
-
-# Run helpers from / or /system without changing domain.
-allow init_shell rootfs:file execute_no_trans;
-allow init_shell system_file:file execute_no_trans;
diff --git a/inputflinger.te b/inputflinger.te
index 283bbba..11a60a6 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,4 +8,8 @@ binder_service(inputflinger)
binder_call(inputflinger, system_server)
-allow inputflinger inputflinger_service:service_manager add;
+wakelock_use(inputflinger)
+
+allow inputflinger inputflinger_service:service_manager { add find };
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
diff --git a/install_recovery.te b/install_recovery.te
index 138134a..1385220 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,11 +13,10 @@ allow install_recovery shell_exec:file rx_file_perms;
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
-# Update the recovery block device
-# TODO: Limit this to only recovery block device when we
-# create an appropriate label for it.
+# Update the recovery block device based off a diff of the boot block device
allow install_recovery block_device:dir search;
-allow install_recovery block_device:blk_file rw_file_perms;
+allow install_recovery boot_block_device:blk_file r_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file
allow install_recovery cache_file:dir rw_dir_perms;
diff --git a/installd.te b/installd.te
index 6b1b2b8..3f685f1 100644
--- a/installd.te
+++ b/installd.te
@@ -5,15 +5,18 @@ type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file rename;
-allow installd apk_data_file:dir create_dir_perms;
+allow installd apk_data_file:file { rename unlink };
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:lnk_file { create read unlink };
allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms;
+allow installd mnt_expand_file:dir search;
# Check validity of SELinux context before use.
selinux_check_context(installd)
# Read /seapp_contexts and /data/security/seapp_contexts
@@ -61,9 +64,6 @@ allow installd resourcecache_data_file:file create_file_perms;
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
-# dex2oat needs LD_PRELOAD, passed down from init
-# https://android-review.googlesource.com/94851
-allow installd dex2oat:process noatsecure;
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
@@ -83,5 +83,7 @@ allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlin
# upon package uninstall.
# Types extracted from seapp_contexts type= fields.
allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:lnk_file { create setattr getattr unlink rename relabelfrom relabelto };
-allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
+allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
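Review bot: The rewritten rule on the app data types widens installd from `{ getattr unlink rename relabelfrom relabelto setattr }` to `create_file_perms`, which per global_macros in this same change expands to `{ create rename setattr unlink rw_file_perms }`, so installd can now open, read and write any app's private files rather than only delete or relabel them at uninstall. The comment above still describes the narrower uninstall use, so either the comment is stale or the read/write grant is unintended; if only creation is needed, `{ create getattr setattr unlink rename relabelfrom relabelto }` keeps the old scope. Since installd is `mlstrustedsubject` (context line in the file's first hunk), the MLS constraints will not limit this access, leaving the type-enforcement rule as the only barrier.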
diff --git a/isolated_app.te b/isolated_app.te
index a156838..1cede96 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -11,10 +11,30 @@
type isolated_app, domain;
app_domain(isolated_app)
-net_domain(isolated_app)
-# read and write access to app_data_file is already
-# granted via app.te. Allow execute.
-# Needed to allow dlopen() from Chrome renderer processes.
-# See b/15902433 for details.
-allow isolated_app app_data_file:file execute;
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+
+service_manager_local_audit_domain(isolated_app)
+
+#####
+##### Neverallow
+#####
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# b/17487348
+# Isolated apps can only access two services,
+# activity_service and display_service
+neverallow isolated_app {
+ service_manager_type
+ -activity_service
+ -display_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
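Review bot: `neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };` depends on exactly which permissions `rw_file_perms` expands to in global_macros, and anything outside that set (`ioctl` if it is not part of `r_file_perms`, `getattr`, `setattr`, `lock`) is not covered, so the rule is weaker than its comment "should not be able to access the driver directly" implies. For a device node the isolated app has no business touching at all, `neverallow isolated_app gpu_device:chr_file *;` is unambiguous and does not drift when the macro changes. If some harmless permission such as `getattr` turns out to be needed, `~getattr` still keeps the intent explicit.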
diff --git a/kernel.te b/kernel.te
index 3a80265..72325c2 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,41 +1,36 @@
# Life begins with the kernel.
-type kernel, domain;
+type kernel, domain, mlstrustedsubject;
-# Run /init before we have switched domains.
-allow kernel rootfs:file execute_no_trans;
+allow kernel self:capability sys_nice;
-# setcon to init domain.
-allow kernel self:process setcurrent;
-allow kernel init:process dyntransition;
-
-# The kernel is unconfined.
-unconfined_domain(kernel)
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
# Mount usbfs.
allow kernel usbfs:filesystem mount;
-
-# init direct restorecon calls prior to switching to init domain
-# /dev and /dev/socket
-allow kernel { device socket_device }:dir relabelto;
-# /dev/__properties__
-allow kernel properties_device:file relabelto;
-# /sys
-allow kernel sysfs:{ dir file lnk_file } relabelfrom;
-allow kernel sysfs_type:{ dir file lnk_file } relabelto;
+allow kernel usbfs:dir search;
# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
dontaudit kernel self:security setenforce;
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:capability sys_resource;
+
# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
allow kernel self:security setcheckreqprot;
# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel untrusted_app:fd use;
allow kernel sdcard_type:file { read write };
# Allow the kernel to read OBB files from app directories. (b/17428116)
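Review bot: `allow kernel selinuxfs:file write;` is justified only by init setting checkreqprot before the domain switch, but it grants write on every selinuxfs node at the file layer, leaving the `security` class rules (the `dontaudit kernel self:security setenforce` just above, and the absence of any `load_policy` allow) as the sole gate. That is defensible, but only if stated; suggest `# Write covers all of selinuxfs; setenforce/load_policy remain blocked by the security class rules.` next to it. `allow kernel init:process share;` ships with a bare TODO; as I understand it `share` lets a process keep shared state with its parent across a domain-changing exec, and a rule like that tends never to be revisited unless the TODO carries a bug reference or owner.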
@@ -43,7 +38,11 @@ allow kernel sdcard_type:file { read write };
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
allow kernel app_data_file:file read;
+allow kernel asec_image_file:file read;
+
+domain_auto_trans(kernel, init_exec, init)
###
### neverallow rules
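Review bot: `domain_auto_trans(kernel, init_exec, init)` is the single sanctioned entry into the init domain (init.te in this change forbids dyntransition entirely and transition from anything but kernel), yet it is added without a comment beneath a paragraph about reading OBB files, so a reader will not connect the two. Suggest `# Exec of /init (init_exec) transitions to the init domain; this is the only permitted entry, see the neverallow rules in init.te.` immediately above it. `allow kernel vold:fd use;` is likewise uncommented; if the loop-device explanation a few lines up is the reason, saying so prevents it being removed as unused later.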
diff --git a/keystore.te b/keystore.te
index afa701c..3561fed 100644
--- a/keystore.te
+++ b/keystore.te
@@ -12,6 +12,11 @@ allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
allow keystore tee:unix_stream_socket connectto;
+allow keystore keystore_service:service_manager { add find };
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
###
### Neverallow rules
###
@@ -21,12 +26,7 @@ allow keystore tee:unix_stream_socket connectto;
neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
-neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
neverallow domain keystore:process ptrace;
-
-allow keystore keystore_service:service_manager add;
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
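Review bot: After this change `neverallow { domain -keystore -init } keystore_data_file:dir *;` (and its notdevfile_class_set twin) forbids every permission for all domains other than keystore and init, which makes the two `~{ ... }` rules above them meaningful only for init: they now express init's maximum footprint on keystore data, not a general rule, and nothing says so. A comment such as `# Besides keystore itself only init may touch keystore data, and only to create, walk and relabel it; the ~{} rules cap init, the * rules exclude everyone else.` would make the layering deliberate. Removing kernel and recovery from the exception list is a tightening; presumably their allow rules were dropped elsewhere, which is worth confirming since any stale one will now fail the policy build.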
diff --git a/lmkd.te b/lmkd.te
index df8208f..3243ddb 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -1,5 +1,5 @@
# lmkd low memory killer daemon
-type lmkd, domain;
+type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
init_daemon_domain(lmkd)
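Review bot: Adding `mlstrustedsubject` to lmkd exempts it from every MLS constraint, and the hunk gives no reason. The mls change in this same diff makes `sigkill` require `l1 eq l2` unless the sender is trusted, and lmkd exists to kill processes regardless of their level, so the attribute looks necessary; a comment such as `# mlstrustedsubject: lmkd must be able to kill processes at any MLS level.` would record that and discourage copying the attribute onto domains that merely find it convenient.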
diff --git a/logd.te b/logd.te
index cde721a..8c28b48 100644
--- a/logd.te
+++ b/logd.te
@@ -1,5 +1,5 @@
# android user-space log manager
-type logd, domain;
+type logd, domain, mlstrustedsubject;
type logd_exec, exec_type, file_type;
init_daemon_domain(logd)
@@ -9,15 +9,13 @@ allow logd self:capability2 syslog;
allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
+allow logd system_data_file:file r_file_perms;
r_dir_file(logd, domain)
-userdebug_or_eng(`
- # Debug output
- type_transition logd device:file logd_debug;
- allow logd device:dir rw_dir_perms;
- allow logd logd_debug:file create_file_perms;
-')
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
###
### Neverallow rules
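Review bot: `allow logd system_data_file:file r_file_perms;` and `allow logd kernel:system syslog_mod;` are both added without a comment, and the second is not a read: `syslog_mod` lets logd clear or consume the kernel ring buffer, which matters to anyone relying on dmesg for post-incident forensics. Each should say what it is for, e.g. `# Consume kernel messages via syslog(2) after reading them` if that is the intent, and a note naming the file under /data that logd reads. `control_logd(logd)` is self-describing only to readers who know the macro; a one-line pointer to its definition in te_macros would help.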
diff --git a/mdnsd.te b/mdnsd.te
index 7e14b52..e5fe1e2 100644
--- a/mdnsd.te
+++ b/mdnsd.te
@@ -1,5 +1,5 @@
# mdns daemon
-type mdnsd, domain;
+type mdnsd, domain, mlstrustedsubject;
type mdnsd_exec, exec_type, file_type;
init_daemon_domain(mdnsd)
diff --git a/mediaserver.te b/mediaserver.te
index 704b723..d269097 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,8 +78,29 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
# Connect to tee service.
allow mediaserver tee:unix_stream_socket connectto;
-allow mediaserver mediaserver_service:service_manager add;
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
# /oem access
allow mediaserver oemfs:dir search;
allow mediaserver oemfs:file r_file_perms;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
diff --git a/mls b/mls
index 3a64004..5589b4b 100644
--- a/mls
+++ b/mls
@@ -26,9 +26,9 @@ mlsconstrain process { transition dyntransition }
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(l1 dom l2 or t1 == mlstrustedsubject);
-# Process write operations: No write down unless trusted.
+# Process write operations: Require equivalence unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 domby l2 or t1 == mlstrustedsubject);
+ (l1 eq l2 or t1 == mlstrustedsubject);
#
# Socket constraints
@@ -39,10 +39,10 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit
mlsconstrain socket_class_set { create relabelfrom relabelto }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-# Datagram send: Sender must be dominated by receiver unless one of them is
-# trusted.
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
mlsconstrain unix_dgram_socket { sendto }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
@@ -59,47 +59,48 @@ mlsconstrain unix_stream_socket { connectto }
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-# Write operations: Subject must be dominated by the object unless the
+# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
-# is a MLS trusted subject and can receive data at any level.
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
-
-#
-# IPC constraints
-#
-
-# Create/destroy: equivalence or trusted.
-mlsconstrain ipc_class_set { create destroy }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-# Read ops: No read up unless trusted.
-mlsconstrain ipc_class_set r_ipc_perms
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Write ops: No write down unless trusted.
-mlsconstrain ipc_class_set w_ipc_perms
- (l1 domby l2 or t1 == mlstrustedsubject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# Binder IPC constraints
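Review bot: The removal of the `ipc_class_set` create/destroy, read and write constraints leaves SysV IPC objects with no MLS constraint at all, and the hunk offers no rationale. If those classes are unreachable on Android (for example SysV IPC compiled out of the kernel), a one-line comment saying so belongs where the block was; if they are reachable, this is a relaxation rather than a cleanup and deserves its own justification. The FIFO exemption also moved from `t2 == mlstrustedsubject` to `t2 == domain`, so any process-labeled pipe can be read and written across levels; the new comment explains the Binder use, but it should acknowledge that the exemption keys on the pipe's label alone, so once a domain hands out a pipe fd the MLS level of the recipient no longer matters.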
diff --git a/netd.te b/netd.te
index 81275a7..f84b452 100644
--- a/netd.te
+++ b/netd.te
@@ -1,5 +1,5 @@
# network manager
-type netd, domain;
+type netd, domain, mlstrustedsubject;
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
@@ -11,13 +11,13 @@ allow netd self:capability { net_admin net_raw kill };
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
-# for netd to operate. Uncomment the dontaudit rule below after
-# sufficient testing of the fsetid removal.
-# dontaudit netd self:capability fsetid;
+# for netd to operate.
+dontaudit netd self:capability fsetid;
allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
+allow netd self:netlink_socket create_socket_perms;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
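Review bot: `allow netd self:netlink_socket create_socket_perms;` is added without a comment, and `netlink_socket` is the catch-all class for every netlink family that lacks a dedicated class, so the rule reads as "any netlink protocol not otherwise named" rather than a specific need. Naming the family netd actually uses in a comment (the hunk does not show which) would make the grant auditable alongside the route and nflog rules above it. Enabling `dontaudit netd self:capability fsetid;` is fine given the explanation in the surrounding comment, and the comment now reads correctly with the "uncomment after testing" sentence gone.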
diff --git a/neverallow_macros b/neverallow_macros
new file mode 100644
index 0000000..b36cceb
--- /dev/null
+++ b/neverallow_macros
@@ -0,0 +1,6 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
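Review bot: The four new macros carry no comments explaining how they relate to the allow-side sets in global_macros, and `no_w_file_perms` omits `relabelto`, so a domain barred by `neverallow X foo_file:file no_w_file_perms;` could still relabel a file it controls into `foo_file` and thereby introduce content of that type. Whether relabeling counts as a write is a policy decision, but it should be made explicitly: either add `relabelto` or note why it is left out. A header such as `# Permission sets for neverallow rules: each no_* set names the operations a domain must NOT have on a type.` would orient readers.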
diff --git a/nfc.te b/nfc.te
index 407a1c3..8528b4f 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,4 +18,15 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
allow nfc sysfs_nfc_power_writable:file rw_file_perms;
allow nfc sysfs:file write;
-allow nfc nfc_service:service_manager add;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+allow nfc nfc_service:service_manager { add find };
+allow nfc radio_service:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/platform_app.te b/platform_app.te
index 7ff8d62..2afe4d8 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -27,3 +27,17 @@ allow platform_app media_rw_data_file:file create_file_perms;
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app vfat:dir create_dir_perms;
+allow platform_app vfat:file create_file_perms;
+
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
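Review bot: `allow platform_app vfat:dir create_dir_perms;` and the matching file rule give platform apps raw write access to every filesystem labeled `vfat`, not only the /mnt/media_rw mount the comment mentions, and bypassing the FUSE layer also bypasses whatever per-app permission emulation FUSE provides there. That may be the intended trade, but the comment should name the app or feature that needs it and state that any other vfat mount (externally attached media, if the device supports it) becomes reachable too. The new `persistent_data_block_service:service_manager find` is likewise uncommented; a service that by name persists data across factory resets deserves a one-line reason.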
diff --git a/procrank.te b/procrank.te
new file mode 100644
index 0000000..680d549
--- /dev/null
+++ b/procrank.te
@@ -0,0 +1,15 @@
+# File types must be defined for file_contexts.
+type procrank_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+ type procrank, domain, mlstrustedsubject;
+
+ domain_auto_trans(shell, procrank_exec, procrank)
+ domain_auto_trans(dumpstate, procrank_exec, procrank)
+ allow procrank self:capability sys_ptrace;
+ allow procrank devpts:chr_file { read write getattr ioctl };
+ allow procrank dumpstate:unix_stream_socket { read write getattr };
+ r_dir_file(procrank, domain)
+ allow procrank { shell dumpstate }:fd use;
+ allow procrank adbd:process sigchld;
+')
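Review bot: procrank is granted `sys_ptrace` and read access to every domain's /proc entries via `r_dir_file(procrank, domain)`, yet unlike the new sgdisk.te in this same commit nothing restricts which domains may enter it. The two `domain_auto_trans` lines already name shell and dumpstate as the only intended entry points, so pinning that with `neverallow { domain -shell -dumpstate } procrank:process transition;` and `neverallow domain procrank:process dyntransition;` inside the userdebug_or_eng block would mirror the sgdisk pattern. The exposure is debug-build only, but the neverallow documents the intent and catches later drift at compile time.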
diff --git a/property.te b/property.te
index aff073a..94ae714 100644
--- a/property.te
+++ b/property.te
@@ -4,6 +4,7 @@ type debug_prop, property_type;
type debuggerd_prop, property_type;
type dhcp_prop, property_type;
type fingerprint_prop, property_type;
+type ffs_prop, property_type;
type radio_prop, property_type;
type net_radio_prop, property_type;
type system_radio_prop, property_type;
@@ -17,6 +18,7 @@ type ctl_fuse_prop, property_type;
type ctl_mdnsd_prop, property_type;
type ctl_rildaemon_prop, property_type;
type ctl_bugreport_prop, property_type;
+type ctl_console_prop, property_type;
type audio_prop, property_type;
type logd_prop, property_type;
type security_prop, property_type;
@@ -24,3 +26,5 @@ type bluetooth_prop, property_type;
type pan_result_prop, property_type;
type powerctl_prop, property_type;
type nfc_prop, property_type;
+type dalvik_prop, property_type;
+type config_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 91ab594..1844910 100644
--- a/property_contexts
+++ b/property_contexts
@@ -20,6 +20,7 @@ runtime. u:object_r:system_prop:s0
hw. u:object_r:system_prop:s0
sys. u:object_r:system_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
+sys.usb.ffs. u:object_r:ffs_prop:s0
service. u:object_r:system_prop:s0
wlan. u:object_r:system_prop:s0
dhcp. u:object_r:dhcp_prop:s0
@@ -61,7 +62,14 @@ ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
ctl.bugreport u:object_r:ctl_bugreport_prop:s0
ctl.dhcpcd_bt-pan u:object_r:ctl_dhcp_pan_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
# NFC properties
nfc. u:object_r:nfc_prop:s0
+
+# These properties are not normally set by processes other than init.
+# They are only distinguished here for setting by qemu-props on the
+# emulator/goldfish.
+config. u:object_r:config_prop:s0
+dalvik. u:object_r:dalvik_prop:s0
diff --git a/radio.te b/radio.te
index 7d90706..92f18d2 100644
--- a/radio.te
+++ b/radio.te
@@ -1,5 +1,5 @@
# phone subsystem
-type radio, domain;
+type radio, domain, mlstrustedsubject;
app_domain(radio)
net_domain(radio)
bluetooth_domain(radio)
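Review bot: `mlstrustedsubject` is added to radio here and to servicemanager (the first servicemanager.te hunk) with no comment explaining why these domains need to bypass MLS constraints. Given the `levelFrom=user` entries introduced in seapp_contexts by this same commit, the attribute presumably lets them exchange binder references with app domains running at per-user levels, but that reasoning should sit next to the type declaration, e.g. `# mlstrustedsubject: serves app domains at per-user MLS levels (see seapp_contexts levelFrom=user)`. Without it a later reviewer cannot tell whether the exemption can ever be dropped.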
@@ -30,4 +30,9 @@ auditallow radio system_radio_prop:property_service set;
# ctl interface
allow radio ctl_rildaemon_prop:property_service set;
-allow radio radio_service:service_manager add;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio radio_service:service_manager { add find };
+allow radio surfaceflinger_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
diff --git a/recovery.te b/recovery.te
index 821da01..8576356 100644
--- a/recovery.te
+++ b/recovery.te
@@ -36,11 +36,9 @@ recovery_only(`
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
- # mistake.
- # Allow this behavior for now until we can fix the underlying bug.
- # b/15575013
+ # mistake. New devices are moving to block based OTAs, so this is not
+ # worth fixing. b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
- auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
# TODO: create more specific label?
@@ -100,3 +98,20 @@ recovery_only(`
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
+neverallow recovery data_file_type:dir no_w_dir_perms;
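Review bot: The new neverallow rules cover only the `file` and `dir` classes of `data_file_type`, so a later allow rule could still give recovery write access to symlinks, sockets or fifos under /data without tripping the check. If that gap is deliberate for now, the existing TODO should name it, e.g. `# TODO: extend to lnk_file, sock_file and fifo_file classes.`; otherwise `neverallow recovery data_file_type:{ lnk_file sock_file fifo_file } no_w_file_perms;` closes it, provided no rule elsewhere in the policy already depends on such access.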
diff --git a/runas.te b/runas.te
index 97f31f7..e51515d 100644
--- a/runas.te
+++ b/runas.te
@@ -25,3 +25,11 @@ security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:capability ~{ setuid setgid };
+neverallow runas self:capability2 *;
diff --git a/sdcardd.te b/sdcardd.te
index 5ea77a9..cd2bc64 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,11 +1,14 @@
type sdcardd, domain;
type sdcardd_exec, exec_type, file_type;
-init_daemon_domain(sdcardd)
+init_daemon_domain(sdcardd) # TODO: deprecated in M
allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
@@ -21,3 +24,10 @@ allow sdcardd system_data_file:file r_file_perms;
# Read /data/.layout_version
allow sdcardd install_data_file:file r_file_perms;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
diff --git a/seapp_contexts b/seapp_contexts
index 26d0c8f..8b2b59c 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,12 +1,15 @@
# Input selectors:
# isSystemServer (boolean)
+# isOwner (boolean)
# user (string)
# seinfo (string)
# name (string)
# path (string)
-# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
# An unspecified string selector will match any value.
# A user string selector that ends in * will perform a prefix match.
# user=_app will match any regular app UID.
@@ -16,13 +19,13 @@
#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified user= string before unspecified user= string.
-# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string.
-# (7) Specified path= string before unspecified path= string.
-# (8) Specified sebool= string before unspecified sebool= string.
+# (2) Specified isOwner= before unspecified isOwner= boolean.
+# (3) Specified user= string before unspecified user= string.
+# (4) Fixed user= string before user= prefix (i.e. ending in *).
+# (5) Longer user= prefix before shorter user= prefix.
+# (6) Specified seinfo= string before unspecified seinfo= string.
+# (7) Specified name= string before unspecified name= string.
+# (8) Specified path= string before unspecified path= string.
#
# Outputs:
# domain (string)
@@ -36,12 +39,12 @@
# level may be used to specify a fixed level for any UID.
#
isSystemServer=true domain=system_server
-user=system domain=system_app type=system_app_data_file
-user=bluetooth domain=bluetooth type=bluetooth_data_file
-user=nfc domain=nfc type=nfc_data_file
-user=radio domain=radio type=radio_data_file
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
-user=shell domain=shell type=shell_data_file
-user=_isolated domain=isolated_app
-user=_app seinfo=platform domain=platform_app type=app_data_file
-user=_app domain=untrusted_app type=app_data_file
+user=shell seinfo=platform domain=shell type=shell_data_file
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app domain=untrusted_app type=app_data_file levelFrom=user
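Review bot: The `levelFrom=user` output now used on the isolated_app, platform_app and untrusted_app entries is not described in the part of the header visible in these hunks; the Outputs section at the top of this hunk documents only `level`. If the header does not already list it, add a line beside the `level` description such as `# levelFrom (string; one of none, all, app, or user)` so the per-user MLS categories these entries produce are discoverable from the file itself.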
diff --git a/security_classes b/security_classes
index fcee928..9cd3f1c 100644
--- a/security_classes
+++ b/security_classes
@@ -143,4 +143,8 @@ class service_manager # userspace
# Keystore Key
class keystore_key # userspace
+# debuggerd service
+class debuggerd # userspace
+
+class drmservice # userspace
# FLASK
diff --git a/selinux-network.sh b/selinux-network.sh
deleted file mode 100755
index d6fe527..0000000
--- a/selinux-network.sh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/system/bin/sh
-
-IPTABLES="/system/bin/iptables"
-
-#$IPTABLES -t security -A INPUT -i wlan0 -j SECMARK --selctx u:object_r:packet:s0
-#$IPTABLES -t security -A INPUT -i lo -j SECMARK --selctx u:object_r:lo_packet:s0
-#$IPTABLES -t security -A INPUT -i ppp0 -j SECMARK --selctx u:object_r:ppp0_packet:s0
-#$IPTABLES -t security -A INPUT -i ppp1 -j SECMARK --selctx u:object_r:ppp1_packet:s0
-#$IPTABLES -t security -A INPUT -i ppp2 -j SECMARK --selctx u:object_r:ppp2_packet:s0
-#$IPTABLES -t security -A INPUT -i ppp3 -j SECMARK --selctx u:object_r:ppp3_packet:s0
-
-#$IPTABLES -t security -A OUTPUT -o wlan0 -j SECMARK --selctx u:object_r:packet:s0
-#$IPTABLES -t security -A OUTPUT -o lo -j SECMARK --selctx u:object_r:lo_packet:s0
-#$IPTABLES -t security -A OUTPUT -o ppp0 -j SECMARK --selctx u:object_r:ppp0_packet:s0
-#$IPTABLES -t security -A OUTPUT -o ppp1 -j SECMARK --selctx u:object_r:ppp1_packet:s0
-#$IPTABLES -t security -A OUTPUT -o ppp2 -j SECMARK --selctx u:object_r:ppp2_packet:s0
-#$IPTABLES -t security -A OUTPUT -o ppp3 -j SECMARK --selctx u:object_r:ppp3_packet:s0
diff --git a/service.te b/service.te
index ca461f1..da01071 100644
--- a/service.te
+++ b/service.te
@@ -4,9 +4,99 @@ type drmserver_service, service_manager_type;
type healthd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
+type gatekeeper_service, service_manager_type;
type mediaserver_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
type surfaceflinger_service, service_manager_type;
type system_app_service, service_manager_type;
-type system_server_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, system_api_service, system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, system_server_service, service_manager_type;
+type country_detector_service, system_api_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, system_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, system_server_service, service_manager_type;
+type netstats_service, system_api_service, system_server_service, service_manager_type;
+type network_management_service, system_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type power_service, app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, system_server_service, service_manager_type;
+type trust_service, system_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, system_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
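Review bot: Two of the new types, `IProxyService_service` (line 2670) and `DockObserver_service` (line 2683), carry the mixed-case binder name into the policy identifier while every other type in the list is lower_snake_case. Type names are policy identifiers rather than service names, so `proxy_service` and `dock_observer_service` (with the matching service_contexts entries updated) would keep the naming uniform and avoid case-sensitivity surprises when grepping or when vendors extend the list. This is cosmetic, but it is cheapest to change before other policy starts referencing the names.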
diff --git a/service_contexts b/service_contexts
index 767d7db..49773b7 100644
--- a/service_contexts
+++ b/service_contexts
@@ -1,124 +1,127 @@
-accessibility u:object_r:system_server_service:s0
-account u:object_r:system_server_service:s0
-activity u:object_r:system_server_service:s0
-alarm u:object_r:system_server_service:s0
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+alarm u:object_r:alarm_service:s0
android.security.keystore u:object_r:keystore_service:s0
-appops u:object_r:system_server_service:s0
-appwidget u:object_r:system_server_service:s0
-assetatlas u:object_r:system_server_service:s0
-audio u:object_r:system_server_service:s0
-backup u:object_r:system_server_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+audio u:object_r:audio_service:s0
+backup u:object_r:backup_service:s0
batteryproperties u:object_r:healthd_service:s0
batterypropreg u:object_r:healthd_service:s0
-batterystats u:object_r:system_server_service:s0
-battery u:object_r:system_server_service:s0
-bluetooth_manager u:object_r:system_server_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
-clipboard u:object_r:system_server_service:s0
-com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
-com.android.net.IProxyService u:object_r:system_server_service:s0
-commontime_management u:object_r:system_server_service:s0
+carrier_config u:object_r:radio_service:s0
+clipboard u:object_r:clipboard_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+commontime_management u:object_r:commontime_management_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
-connectivity u:object_r:system_server_service:s0
-consumer_ir u:object_r:system_server_service:s0
-content u:object_r:system_server_service:s0
-country_detector u:object_r:system_server_service:s0
-cpuinfo u:object_r:system_server_service:s0
-dbinfo u:object_r:system_server_service:s0
-device_policy u:object_r:system_server_service:s0
-devicestoragemonitor u:object_r:system_server_service:s0
-diskstats u:object_r:system_server_service:s0
+connectivity u:object_r:connectivity_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+country_detector u:object_r:country_detector_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_policy u:object_r:device_policy_service:s0
+deviceidle u:object_r:deviceidle_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
display.qservice u:object_r:surfaceflinger_service:s0
-display u:object_r:system_server_service:s0
-DockObserver u:object_r:system_server_service:s0
-dreams u:object_r:system_server_service:s0
+display u:object_r:display_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:system_server_service:s0
-entropy u:object_r:system_server_service:s0
-ethernet u:object_r:system_server_service:s0
-fingerprint u:object_r:system_server_service:s0
-gfxinfo u:object_r:system_server_service:s0
-hardware u:object_r:system_server_service:s0
-hdmi_control u:object_r:system_server_service:s0
+dropbox u:object_r:dropbox_service:s0
+ethernet u:object_r:ethernet_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+graphicsstats u:object_r:graphicsstats_service:s0
+hardware u:object_r:hardware_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:system_server_service:s0
-input u:object_r:system_server_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
ims u:object_r:radio_service:s0
-imms u:object_r:system_server_service:s0
+imms u:object_r:imms_service:s0
isms_msim u:object_r:radio_service:s0
isms2 u:object_r:radio_service:s0
isms u:object_r:radio_service:s0
isub u:object_r:radio_service:s0
-jobscheduler u:object_r:system_server_service:s0
-launcherapps u:object_r:system_server_service:s0
-location u:object_r:system_server_service:s0
-lock_settings u:object_r:system_server_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+location u:object_r:location_service:s0
+lock_settings u:object_r:lock_settings_service:s0
media.audio_flinger u:object_r:mediaserver_service:s0
media.audio_policy u:object_r:mediaserver_service:s0
media.camera u:object_r:mediaserver_service:s0
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
-media_projection u:object_r:system_server_service:s0
-media_router u:object_r:system_server_service:s0
-media_session u:object_r:system_server_service:s0
-meminfo u:object_r:system_server_service:s0
-mount u:object_r:system_server_service:s0
-netpolicy u:object_r:system_server_service:s0
-netstats u:object_r:system_server_service:s0
-network_management u:object_r:system_server_service:s0
-network_score u:object_r:system_server_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
nfc u:object_r:nfc_service:s0
-notification u:object_r:system_server_service:s0
-package u:object_r:system_server_service:s0
-permission u:object_r:system_server_service:s0
-persistent_data_block u:object_r:system_server_service:s0
+notification u:object_r:notification_service:s0
+package u:object_r:package_service:s0
+permission u:object_r:permission_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
-power u:object_r:system_server_service:s0
-print u:object_r:system_server_service:s0
-procstats u:object_r:system_server_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+processinfo u:object_r:processinfo_service:s0
+procstats u:object_r:procstats_service:s0
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
-restrictions u:object_r:system_server_service:s0
-rttmanager u:object_r:system_server_service:s0
-samplingprofiler u:object_r:system_server_service:s0
-scheduling_policy u:object_r:system_server_service:s0
-search u:object_r:system_server_service:s0
-sensorservice u:object_r:system_server_service:s0
-serial u:object_r:system_server_service:s0
-servicediscovery u:object_r:system_server_service:s0
+restrictions u:object_r:restrictions_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
simphonebook_msim u:object_r:radio_service:s0
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
-statusbar u:object_r:system_server_service:s0
+statusbar u:object_r:statusbar_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
-task u:object_r:system_server_service:s0
-telecom u:object_r:system_server_service:s0
-telephony.registry u:object_r:system_server_service:s0
-textservices u:object_r:system_server_service:s0
-trust u:object_r:system_server_service:s0
-tv_input u:object_r:system_server_service:s0
-uimode u:object_r:system_server_service:s0
-updatelock u:object_r:system_server_service:s0
-usagestats u:object_r:system_server_service:s0
-usb u:object_r:system_server_service:s0
-user u:object_r:system_server_service:s0
-vibrator u:object_r:system_server_service:s0
-voiceinteraction u:object_r:system_server_service:s0
-wallpaper u:object_r:system_server_service:s0
-webviewupdate u:object_r:system_server_service:s0
-wifip2p u:object_r:system_server_service:s0
-wifiscanner u:object_r:system_server_service:s0
-wifi u:object_r:system_server_service:s0
-window u:object_r:system_server_service:s0
-
+task u:object_r:task_service:s0
+telecom u:object_r:telecom_service:s0
+telephony.registry u:object_r:registry_service:s0
+textservices u:object_r:textservices_service:s0
+trust u:object_r:trust_service:s0
+tv_input u:object_r:tv_input_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+vibrator u:object_r:vibrator_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
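Review bot: The `entropy` and `com.android.internal.telephony.mms.IMms` entries are dropped (lines 2780 and 2817) with no replacement, so if either service is still registered at runtime it now falls through to the `*` catch-all and is labeled `default_android_service`, which presumably has a different set of find/add rules than the dedicated types. If both services have been removed from the platform this is fine, but that should be stated in the commit message; otherwise they need their own types like the rest of the list, since `system_server_service` is now an attribute and can no longer be used as a label here.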
diff --git a/servicemanager.te b/servicemanager.te
index a928916..9947aa7 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -1,5 +1,5 @@
# servicemanager - the Binder context manager
-type servicemanager, domain;
+type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, exec_type, file_type;
init_daemon_domain(servicemanager)
@@ -11,7 +11,7 @@ init_daemon_domain(servicemanager)
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder transfer;
+allow servicemanager { domain -init }:binder transfer;
# Check SELinux permissions.
selinux_check_access(servicemanager)
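Review bot: The `-init` exclusion added to the binder transfer rule at line 2979 has no comment, and the surrounding text only explains that servicemanager never initiates IPC, not why init is carved out. Presumably init is not expected to use binder at all, but that should be recorded, e.g. `# init never talks binder; exclude it so the domain-wide grant does not imply otherwise.`, so a later reader does not mistake the exclusion for an accident.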
diff --git a/sgdisk.te b/sgdisk.te
new file mode 100644
index 0000000..8a689a1
--- /dev/null
+++ b/sgdisk.te
@@ -0,0 +1,22 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:capability sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow domain sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/shared_relro.te b/shared_relro.te
index 54bdbb9..6a1dfd4 100644
--- a/shared_relro.te
+++ b/shared_relro.te
@@ -8,3 +8,6 @@ app_domain(shared_relro)
# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;
allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro webviewupdate_service:service_manager find;
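Review bot: The comment says shared_relro needs both the "webviewupdate" and "activity" services, but only `webviewupdate_service:service_manager find` is granted on the next line. Either `activity_service` find is already provided through `app_domain(shared_relro)` and the comment should say so, or the rule `allow shared_relro activity_service:service_manager find;` is missing; as written the comment and the policy disagree.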
diff --git a/shell.te b/shell.te
index 77b21be..e7ea149 100644
--- a/shell.te
+++ b/shell.te
@@ -9,9 +9,12 @@ net_domain(shell)
# XXX Transition into its own domain?
app_domain(shell)
-# logd access
+# logcat
read_logd(shell)
control_logd(shell)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
@@ -53,3 +56,30 @@ allow shell debugfs:file r_file_perms;
# allow shell to run dmesg
allow shell kernel:system syslog_read;
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
+service_manager_local_audit_domain(shell)
+
+# allow shell to look through /proc/ for ps, top
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
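Review bot: The pair `allow shell domain:dir { search open read getattr };` / `allow shell domain:{ file lnk_file } { open read getattr };` is wider than the ps/top use case the comment names: every file labelled with a process domain type becomes readable to shell, which under /proc/<pid> includes entries well beyond stat, status and attr/current. For processes shell does not own, the kernel's DAC and ptrace-access checks on those entries are what keep them private, and that dependency deserves to be written down next to the rule, e.g. `# Covers all of /proc/<pid>/*; confidentiality of entries such as maps/environ for other UIDs rests on DAC/ptrace checks, not on this policy.` The hard-link neverallow and its rationale at the end of the hunk are a good addition.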
diff --git a/slideshow.te b/slideshow.te
new file mode 100644
index 0000000..2b82b3e
--- /dev/null
+++ b/slideshow.te
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
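Review bot: The `mknod` capability in `allow slideshow self:capability { mknod sys_tty_config };` has no accompanying justification, and nothing else in the domain grants write access to a directory where a device node could be created (`device:dir` is read-only here). If slideshow does create a node somewhere not shown, the rule should say where and why, e.g. `# mknod: creates its own device node for <device> at startup`; if it was carried over from another display domain, dropping it removes the ability to mint device nodes should the process be compromised. As the header notes the seclabel comes from init.rc, there is also no `neverallow` pinning which domains may transition into slideshow, unlike the sgdisk and toolbox domains added in the same change; that may be acceptable for a rootfs binary but is worth a sentence.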
diff --git a/su.te b/su.te
index 73ca514..9c01fc5 100644
--- a/su.te
+++ b/su.te
@@ -5,13 +5,17 @@ userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
- type su, domain;
+ type su, domain, mlstrustedsubject;
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
# su is also permissive to permit setenforce.
permissive su;
@@ -41,4 +45,10 @@ userdebug_or_eng(`
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su domain:debuggerd *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ service_manager_local_audit_domain(su)
')
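Review bot: `service_manager_local_audit_domain(su)` is documented in te_macros as marking a domain that "has its own auditallow rule on service_manager", but the only service_manager rule this hunk adds for su is `dontaudit su service_manager_type:service_manager *;`, so here the attribute serves to silence the global auditallow rather than to replace it. A one-line comment would stop the next reader from hunting for a local auditallow, e.g. `# Opt out of the domain.te service_manager auditallow; su's accesses are dontaudited above.` The enclosing `userdebug_or_eng` wrapper that holds these rules begins outside the hunk.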
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c508612..c85df82 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,7 +57,13 @@ r_dir_file(surfaceflinger, dumpstate)
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
-allow surfaceflinger surfaceflinger_service:service_manager add;
+
+# media.player service
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+allow surfaceflinger window_service:service_manager find;
###
### Neverallow rules
diff --git a/system_app.te b/system_app.te
index 0930ca0..895ff71 100644
--- a/system_app.te
+++ b/system_app.te
@@ -10,7 +10,7 @@ binder_service(system_app)
# Read and write /data/data subdirectory.
allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:file create_file_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
# Read /data/misc/keychain subdirectory.
allow system_app keychain_data_file:dir r_dir_perms;
@@ -48,7 +48,13 @@ allow system_app anr_data_file:file create_file_perms;
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+allow system_app mediaserver_service:service_manager find;
+allow system_app nfc_service:service_manager find;
+allow system_app radio_service:service_manager find;
+allow system_app surfaceflinger_service:service_manager find;
allow system_app system_app_service:service_manager add;
+allow system_app app_api_service:service_manager find;
+allow system_app system_api_service:service_manager find;
allow system_app keystore:keystore_key {
test
diff --git a/system_server.te b/system_server.te
index d45d5de..d8e5978 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,6 +14,7 @@ allow system_server system_server_tmpfs:file execute;
# For art.
allow system_server dalvikcache_data_file:file execute;
+allow system_server dalvikcache_data_file:dir r_dir_perms;
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
@@ -49,7 +50,6 @@ allow system_server self:capability {
net_broadcast
net_raw
sys_boot
- sys_module
sys_nice
sys_resource
sys_time
@@ -76,10 +76,6 @@ allow system_server self:netlink_route_socket nlmsg_write;
# Kill apps.
allow system_server appdomain:process { sigkill signal };
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow system_server kernel:process setsched;
-
# Set scheduling info for apps.
allow system_server appdomain:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
@@ -89,9 +85,6 @@ allow system_server mediaserver:process { getsched setsched };
# all processes on the device.
r_dir_file(system_server, domain)
-# Write to /proc/pid/oom_adj_score for apps.
-allow system_server appdomain:file write;
-
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
@@ -129,10 +122,14 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, binderservicedomain)
+binder_call(system_server, gatekeeperd)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)
+# Ask debuggerd to dump backtraces for native stacks of interest.
+allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
@@ -179,7 +176,7 @@ allow system_server keychain_data_file:file create_file_perms;
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_data_file:file { create_file_perms link };
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
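Review bot: `allow system_server apk_data_file:file { create_file_perms link };` adds hard-link permission on installed APKs with no comment, while shell.te in the same change explains at length why hard links are dangerous (installd cannot guarantee deletion of a file that has been linked elsewhere). The asymmetry is defensible for system_server, but the reason it needs `link` on `apk_data_file` should be recorded next to the rule, e.g. `# link: package install hard-links staged APKs into /data/app rather than copying them`, filled in with the actual caller. Without that, the next audit of `link` grants will have to re-derive it.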
@@ -206,6 +203,10 @@ allow system_server backup_data_file:file create_file_perms;
allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
# Manage /data/misc/adb.
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
@@ -298,9 +299,6 @@ allow system_server wpa_socket:sock_file unlink;
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server system_ndebug_socket:sock_file create_file_perms;
-# Specify any arguments to zygote.
-allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
-
# Manage cache files.
allow system_server cache_file:dir { relabelfrom create_dir_perms };
allow system_server cache_file:file { relabelfrom create_file_perms };
@@ -315,7 +313,7 @@ allow system_server gps_control:file rw_file_perms;
# Allow system_server to use app-created sockets and pipes.
allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:fifo_file { getattr read write };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
# Allow abstract socket connection
allow system_server rild:unix_stream_socket connectto;
@@ -365,7 +363,15 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
allow system_server pstorefs:dir r_dir_perms;
allow system_server pstorefs:file r_file_perms;
-allow system_server system_server_service:service_manager add;
+allow system_server drmserver_service:service_manager find;
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
allow system_server keystore:keystore_key {
test
@@ -387,6 +393,7 @@ allow system_server keystore:keystore_key {
reset_uid
sync_uid
password_uid
+ add_auth
};
# Allow system server to search and write to the persistent factory reset
@@ -400,11 +407,41 @@ allow system_server cgroup:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
###
### Neverallow rules
###
### system_server should NEVER do any of this
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the system_server.
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be opening zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
diff --git a/te_macros b/te_macros
index 7c1f6e5..fae0e3a 100644
--- a/te_macros
+++ b/te_macros
@@ -71,17 +71,6 @@ allow $1 $2:{ file lnk_file } r_file_perms;
')
#####################################
-# unconfined_domain(domain)
-# Allow the specified domain to perform more privileged operations
-# than would be typically allowed. Please see the comments at the
-# top of unconfined.te.
-#
-define(`unconfined_domain', `
-typeattribute $1 mlstrustedsubject;
-typeattribute $1 unconfineddomain;
-')
-
-#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
@@ -308,32 +297,20 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
-# permissive_or_unconfined
-# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
-# and "unconfined($1)" otherwise.
-#
-# This is used for experimental domains, where we want to ensure
-# the domain is unconfined+enforcing once new SELinux policy development
-# has ceased.
-#
-define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
-
-#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
-userdebug_or_eng(`
- allow $1 logd_debug:file w_file_perms;
-')
unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
')
#####################################
# read_logd(domain)
-# Ability to read from android
+# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
@@ -356,5 +333,24 @@ define(`use_keystore', `
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
+ allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
')
+
+###########################################
+# service_manager_local_audit_domain(domain)
+# Has its own auditallow rule on service_manager
+# and should be excluded from the domain.te auditallow.
+define(`service_manager_local_audit_domain', `
+ typeattribute $1 service_manager_local_audit;
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
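Review bot: The new `use_drmservice` macro only grants drmserver the ability to read the caller's /proc entries for getpidcon; unlike the neighbouring `use_keystore`, it neither grants `allow $1 drmserver_service:service_manager find;` nor calls `binder_call($1, drmserver)`, so a domain that invokes it still needs those rules separately (untrusted_app, for example, gets its drmserver_service find rule directly in untrusted_app.te in this change). If that split is intentional, say so in the macro header, e.g. `# Callers must separately grant service_manager find and binder_call to drmserver.`; otherwise consider folding those two lines in so the macro is as self-contained as use_keystore.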
diff --git a/toolbox.te b/toolbox.te
new file mode 100644
index 0000000..4341102
--- /dev/null
+++ b/toolbox.te
@@ -0,0 +1,26 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, exec_type, file_type;
+
+init_daemon_domain(toolbox)
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow domain toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
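Review bot: The comment `# open fd inherited by fsck.` above the tmpfs chr_file rule looks copied from the fsck domain and should read `# open fd inherited by toolbox.`, since this file defines the toolbox domain and the rule is about the /dev/__null__ fd that init hands to it. Minor: the final neverallow is missing a space before the closing brace, `neverallow toolbox { file_type fs_type -toolbox_exec }:file entrypoint;`, to match the sgdisk.te rule in the same change. The header's warning not to reuse the domain for other callers is good, and the `{ domain -init }` neverallow enforces it.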
diff --git a/tools/README b/tools/README
index 1ffe409..899b981 100644
--- a/tools/README
+++ b/tools/README
@@ -50,4 +50,4 @@ sepolicy-check
sepolicy-analyze
A tool for performing various kinds of analysis on a sepolicy
- file. \ No newline at end of file
+ file.
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 39fe77e..d5d15b0 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -36,6 +36,12 @@ enum map_match {
map_matched
};
+const char *map_match_str[] = {
+ "do not match",
+ "match on all inputs",
+ "match on everything"
+};
+
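Review bot: `map_match_str` is indexed with values of `enum map_match` in rule_add, so its correctness depends silently on the enum having exactly three enumerators in the order the strings assume; the enum's first members are outside this hunk, so I cannot confirm the order from here. Making the table file-local and immutable, `static const char *const map_match_str[] = { ... };`, and adding a size check such as `_Static_assert(sizeof(map_match_str)/sizeof(map_match_str[0]) == map_matched + 1, "map_match_str out of sync");` (assuming the build's C standard allows it) ties the two together. As written the array is a mutable external symbol with no link between its length and the enum.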
/**
* Whether or not the "key" from a key vaue pair is considered an
* input or an output.
@@ -126,9 +132,6 @@ struct policy_info {
/** Set to !0 to enable verbose logging */
static int logging_verbose = 0;
-/** set to !0 to enable strict checking of duplicate entries */
-static int is_strict = 0;
-
/** file handle to the output file */
static FILE *output_file = NULL;
@@ -157,11 +160,11 @@ static policy_info pol = {
key_map rules[] = {
/*Inputs*/
{ .name = "isSystemServer", .type = dt_bool, .dir = dir_in, .data = NULL },
+ { .name = "isOwner", .type = dt_bool, .dir = dir_in, .data = NULL },
{ .name = "user", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "path", .type = dt_string, .dir = dir_in, .data = NULL },
- { .name = "sebool", .type = dt_string, .dir = dir_in, .data = NULL },
/*Outputs*/
{ .name = "domain", .type = dt_string, .dir = dir_out, .data = NULL },
{ .name = "type", .type = dt_string, .dir = dir_out, .data = NULL },
@@ -244,11 +247,9 @@ static int key_map_validate(key_map *m, int lineno) {
int rc = 1;
int ret = 1;
- int resp;
char *key = m->name;
char *value = m->data;
data_type type = m->type;
- sepol_bool_key_t *se_key;
log_info("Validating %s=%s\n", key, value);
@@ -280,34 +281,6 @@ static int key_map_validate(key_map *m, int lineno) {
if (!pol.policy_file) {
goto out;
}
- else if (!strcasecmp(key, "sebool")) {
-
- ret = sepol_bool_key_create(pol.handle, value, &se_key);
- if (ret < 0) {
- log_error("Could not create selinux boolean key, error: %s\n",
- strerror(errno));
- rc = 0;
- goto out;
- }
-
- ret = sepol_bool_exists(pol.handle, pol.db, se_key, &resp);
- if (ret < 0) {
- log_error("Could not check selinux boolean, error: %s\n",
- strerror(errno));
- rc = 0;
- sepol_bool_key_free(se_key);
- goto out;
- }
-
- if(!resp) {
- log_error("Could not find selinux boolean \"%s\" on line: %d in file: %s\n",
- value, lineno, out_file_name);
- rc = 0;
- sepol_bool_key_free(se_key);
- goto out;
- }
- sepol_bool_key_free(se_key);
- }
else if (!strcasecmp(key, "type") || !strcasecmp(key, "domain")) {
if(!check_type(pol.db, value)) {
@@ -520,6 +493,10 @@ static rule_map *rule_map_new(kvp keys[], size_t num_of_keys, int lineno) {
rule_map *new_map = NULL;
kvp *k = NULL;
key_map *r = NULL, *x = NULL;
+ bool seen[KVP_NUM_OF_RULES];
+
+ for (i = 0; i < KVP_NUM_OF_RULES; i++)
+ seen[i] = false;
new_map = calloc(1, (num_of_keys * sizeof(key_map)) + sizeof(rule_map));
if (!new_map)
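Review bot: The explicit loop that clears `seen` can be an aggregate initializer, `bool seen[KVP_NUM_OF_RULES] = { false };`, which zero-fills the whole array and removes the dependence on a loop index declared above the hunk (`i` is not declared in the visible lines, so presumably it comes from `rule_map_new`'s declarations earlier in the function). It is also worth confirming that `<stdbool.h>` is already included, since `bool` does not appear elsewhere in the visible parts of this file. The function's signature and the remainder of its body are outside this hunk.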
@@ -545,6 +522,12 @@ static rule_map *rule_map_new(kvp keys[], size_t num_of_keys, int lineno) {
continue;
}
+ if (seen[j]) {
+ log_error("Duplicated key: %s\n", k->key);
+ goto err;
+ }
+ seen[j] = true;
+
memcpy(r, x, sizeof(key_map));
/* Assign rule map value to one from file */
@@ -608,7 +591,7 @@ err:
free_kvp(k);
}
}
- exit(EXIT_FAILURE);
+ return NULL;
}
/**
@@ -621,7 +604,6 @@ static void usage() {
"and allows later declarations to override previous ones on a match.\n"
"Options:\n"
"-h - print this help message\n"
- "-s - enable strict checking of duplicates. This causes the program to exit on a duplicate entry with a non-zero exit status\n"
"-v - enable verbose debugging informations\n"
"-p policy file - specify policy file for strict checking of output selectors against the policy\n"
"-o output file - specify output file, default is stdout\n");
@@ -721,9 +703,6 @@ static void handle_options(int argc, char *argv[]) {
case 'p':
pol.policy_file_name = optarg;
break;
- case 's':
- is_strict = 1;
- break;
case 'v':
log_set_verbose();
break;
@@ -821,7 +800,6 @@ static void rule_add(rule_map *rm) {
ENTRY *f;
hash_entry *entry;
hash_entry *tmp;
- char *preserved_key;
e.key = rm->key;
@@ -838,41 +816,12 @@ static void rule_add(rule_map *rm) {
log_info("Existing entry found!\n");
tmp = (hash_entry *)f->data;
cmp = rule_map_cmp(rm, tmp->r);
- log_info("Comparing on rule map ret: %d\n", cmp);
- /* Override be freeing the old rule map and updating
- the pointer */
- if(cmp != map_matched) {
-
- /*
- * DO NOT free key pointers given to the hash map, instead
- * free the new key. The ordering here is critical!
- */
- preserved_key = tmp->r->key;
- rule_map_free(tmp->r, rule_map_preserve_key);
-/* hdestroy() frees comparsion keys for non glibc */
-#ifdef __GLIBC__
- free(rm->key);
-#endif
- rm->key = preserved_key;
- tmp->r = rm;
- }
- /* Duplicate */
- else {
- /* if is_strict is set, then don't allow duplicates */
- if(is_strict) {
- log_error("Duplicate line detected in file: %s\n"
- "Lines %d and %d match!\n",
- out_file_name, tmp->r->lineno, rm->lineno);
- rule_map_free(rm, rule_map_destroy_key);
- goto err;
- }
-
- /* Allow duplicates, just drop the entry*/
- log_info("Duplicate line detected in file: %s\n"
- "Lines %d and %d match!\n",
- out_file_name, tmp->r->lineno, rm->lineno);
- rule_map_free(rm, rule_map_destroy_key);
- }
+ log_error("Duplicate line detected in file: %s\n"
+ "Lines %d and %d %s!\n",
+ out_file_name, tmp->r->lineno, rm->lineno,
+ map_match_str[cmp]);
+ rule_map_free(rm, rule_map_destroy_key);
+ goto err;
}
/* It wasn't found, just add the rule map to the table */
else {
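Review bot: With this hunk any second rule whose key is already in the table is an error regardless of whether `rule_map_cmp` reports a full or partial match, but the `usage()` text left as context in the earlier hunk still tells users the tool "allows later declarations to override previous ones on a match"; that sentence should be updated to say duplicate entries are rejected. Separately, `map_match_str[cmp]` indexes the table with the raw enum value, so the message is only safe if `rule_map_cmp` never returns anything outside the three enumerators (not visible here); a guard such as `(cmp < 0 || cmp > map_matched) ? "?" : map_match_str[cmp]` or a switch would make that explicit. The `rule_add` function's beginning and its `err:` label lie outside this hunk.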
@@ -966,6 +915,8 @@ static void parse() {
} /*End token parsing */
rule_map *r = rule_map_new(keys, token_cnt, lineno);
+ if (!r)
+ goto err;
rule_add(r);
} /* End file parsing */
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index 2667d56..e65efe9 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -7,7 +7,7 @@ LOCAL_MODULE := sepolicy-analyze
LOCAL_MODULE_TAGS := optional
LOCAL_C_INCLUDES := external/libsepol/include
LOCAL_CFLAGS := -Wall -Werror
-LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c utils.c
+LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
LOCAL_STATIC_LIBRARIES := libsepol
include $(BUILD_HOST_EXECUTABLE)
diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README
index f78eb66..d18609a 100644
--- a/tools/sepolicy-analyze/README
+++ b/tools/sepolicy-analyze/README
@@ -53,6 +53,18 @@ sepolicy-analyze
permissive domains can be helpful during development, they
should not be present in a final -user build.
+ BOOLEANS (booleans)
+ sepolicy-analyze out/target/product/<board>/root/sepolicy booleans
+
+ Displays the boolean names in the policy (if any).
+ Policy booleans are forbidden in Android policy, so if there is any
+ output, the policy will fail CTS.
+
+ ATTRIBUTE (attribute)
+ sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name>
+
+ Displays the types associated with the specified attribute name.
+
NEVERALLOW CHECKING (neverallow)
sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \
[-w] [-d] [-f neverallows.conf] | [-n "neverallow string"]
diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c
new file mode 100644
index 0000000..474bda2
--- /dev/null
+++ b/tools/sepolicy-analyze/attribute.c
@@ -0,0 +1,39 @@
+#include "attribute.h"
+
+void attribute_usage() {
+ fprintf(stderr, "\tattribute <attribute-name>\n");
+}
+
+static int list_attribute(policydb_t * policydb, char *name)
+{
+ struct type_datum *attr;
+ struct ebitmap_node *n;
+ unsigned int bit;
+
+ attr = hashtab_search(policydb->p_types.table, name);
+ if (!attr) {
+ fprintf(stderr, "%s is not defined in this policy.\n", name);
+ return -1;
+ }
+
+ if (attr->flavor != TYPE_ATTRIB) {
+ fprintf(stderr, "%s is a type not an attribute in this policy.\n", name);
+ return -1;
+ }
+
+ ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) {
+ if (!ebitmap_node_get_bit(n, bit))
+ continue;
+ printf("%s\n", policydb->p_type_val_to_name[bit]);
+ }
+
+ return 0;
+}
+
+int attribute_func (int argc, char **argv, policydb_t *policydb) {
+ if (argc != 2) {
+ USAGE_ERROR = true;
+ return -1;
+ }
+ return list_attribute(policydb, argv[1]);
+}
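Review bot: `attribute_usage()` is defined with an empty parameter list while attribute.h declares it as `void attribute_usage(void);`; in C an empty list means unspecified arguments, so the definition should be `void attribute_usage(void) {` to match the prototype (this also keeps the file clean if `-Wstrict-prototypes` is ever added to the `-Wall -Werror` flags in Android.mk). Minor: `list_attribute` never modifies `name`, so `const char *name` documents intent better, though `hashtab_search`'s key constness is not visible here and may require a cast.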
diff --git a/tools/sepolicy-analyze/attribute.h b/tools/sepolicy-analyze/attribute.h
new file mode 100644
index 0000000..05adcbd
--- /dev/null
+++ b/tools/sepolicy-analyze/attribute.h
@@ -0,0 +1,11 @@
+#ifndef ATTRIBUTE_H
+#define ATTRIBUTE_H
+
+#include <sepol/policydb/policydb.h>
+
+#include "utils.h"
+
+void attribute_usage(void);
+int attribute_func(int argc, char **argv, policydb_t *policydb);
+
+#endif /* ATTRIBUTE_H */
diff --git a/tools/sepolicy-analyze/booleans.c b/tools/sepolicy-analyze/booleans.c
new file mode 100644
index 0000000..c3b605d
--- /dev/null
+++ b/tools/sepolicy-analyze/booleans.c
@@ -0,0 +1,22 @@
+#include "booleans.h"
+
+void booleans_usage() {
+ fprintf(stderr, "\tbooleans\n");
+}
+
+static int list_booleans(hashtab_key_t k,
+ __attribute__ ((unused)) hashtab_datum_t d,
+ __attribute__ ((unused)) void *args)
+{
+ const char *name = k;
+ printf("%s\n", name);
+ return 0;
+}
+
+int booleans_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) {
+ if (argc != 1) {
+ USAGE_ERROR = true;
+ return -1;
+ }
+ return hashtab_map(policydb->p_bools.table, list_booleans, NULL);
+}
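Review bot: `booleans_func` returns only the `hashtab_map` status, so a policy that contains booleans exits with status 0 exactly like a clean one, even though the README added in this change says any output means the policy will fail CTS; scripts therefore have to grep stdout instead of checking the exit code. If sepolicy-analyze's main propagates the component's return value (I cannot see that from here), counting the printed names through the `args` pointer and returning non-zero when the count is positive would make the check usable from a build step. The usage definition `void booleans_usage()` should also be `booleans_usage(void)` to match the prototype in booleans.h.
```c
static int list_booleans(hashtab_key_t k,
                         __attribute__ ((unused)) hashtab_datum_t d,
                         void *args)
{
    unsigned int *count = args;
    printf("%s\n", (const char *)k);
    (*count)++;
    return 0;
}

int booleans_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) {
    unsigned int count = 0;
    int rc;
    if (argc != 1) {
        USAGE_ERROR = true;
        return -1;
    }
    rc = hashtab_map(policydb->p_bools.table, list_booleans, &count);
    /* Booleans are forbidden in Android policy: report any as a failure. */
    return rc ? rc : (count ? 1 : 0);
}
```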
diff --git a/tools/sepolicy-analyze/booleans.h b/tools/sepolicy-analyze/booleans.h
new file mode 100644
index 0000000..bfbe0e1
--- /dev/null
+++ b/tools/sepolicy-analyze/booleans.h
@@ -0,0 +1,11 @@
+#ifndef BOOLEANS_H
+#define BOOLEANS_H
+
+#include <sepol/policydb/policydb.h>
+
+#include "utils.h"
+
+void booleans_usage(void);
+int booleans_func(int argc, char **argv, policydb_t *policydb);
+
+#endif /* BOOLEANS_H */
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 1da88c0..b288ea7 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -257,7 +257,7 @@ static int read_classperms(policydb_t *policydb, char **ptr, char *end,
node = calloc(1, sizeof *node);
if (!node)
goto err;
- node->class = cls->s.value;
+ node->tclass = cls->s.value;
node->next = classperms;
classperms = node;
free(id);
@@ -332,13 +332,13 @@ static int read_classperms(policydb_t *policydb, char **ptr, char *end,
}
for (node = classperms; node; node = node->next) {
- cls = policydb->class_val_to_struct[node->class-1];
+ cls = policydb->class_val_to_struct[node->tclass-1];
perm = hashtab_search(cls->permissions.table, id);
if (cls->comdatum && !perm)
perm = hashtab_search(cls->comdatum->permissions.table, id);
if (!perm) {
if (warn)
- fprintf(stderr, "Warning! Permission %s used in neverallow undefined in class %s in policy being checked.\n", id, policydb->p_class_val_to_name[node->class-1]);
+ fprintf(stderr, "Warning! Permission %s used in neverallow undefined in class %s in policy being checked.\n", id, policydb->p_class_val_to_name[node->tclass-1]);
continue;
}
node->data |= 1U << (perm->s.value - 1);
diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c
index 8c0c423..b70eaaa 100644
--- a/tools/sepolicy-analyze/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze/sepolicy-analyze.c
@@ -6,6 +6,8 @@
#include "neverallow.h"
#include "perm.h"
#include "typecmp.h"
+#include "booleans.h"
+#include "attribute.h"
#include "utils.h"
#define NUM_COMPONENTS (int) (sizeof(analyze_components)/sizeof(analyze_components[0]))
@@ -20,7 +22,9 @@ static struct {
COMP(dups),
COMP(neverallow),
COMP(permissive),
- COMP(typecmp)
+ COMP(typecmp),
+ COMP(booleans),
+ COMP(attribute)
};
void usage(char *arg0)
diff --git a/tzdatacheck.te b/tzdatacheck.te
new file mode 100644
index 0000000..a95dc0d
--- /dev/null
+++ b/tzdatacheck.te
@@ -0,0 +1,8 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, exec_type, file_type;
+
+init_daemon_domain(tzdatacheck)
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
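Review bot: The new domain grants `zoneinfo_data_file:dir create_dir_perms` and `zoneinfo_data_file:file unlink` but says nothing about what the command does to the directory, so a reader cannot tell whether creating or renaming directories is required or just a convenient macro; a comment such as `# Removes a stale tzdata update under /data: deletes its files and recreates/removes the directory.` (adjusted to the real behaviour) would anchor the grants. Unlike the sgdisk and toolbox domains added in the same change, there are no `neverallow` rules pinning entry to init via `tzdatacheck_exec`; `init_daemon_domain` sets up the transition, but only a neverallow stops a later rule from letting another domain transition into it, e.g. `neverallow { domain -init } tzdatacheck:process transition;`.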
diff --git a/ueventd.te b/ueventd.te
index 2e61e88..23c93ad 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -23,3 +23,14 @@ allow ueventd efs_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
+
+#####
+##### neverallow rules
+#####
+
+# ueventd must never set properties, otherwise deadlocks may occur.
+# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
+# No writing to the property socket, connecting to init, or setting properties.
+neverallow ueventd property_socket:sock_file write;
+neverallow ueventd init:unix_stream_socket connectto;
+neverallow ueventd property_type:property_service set;
diff --git a/unconfined.te b/unconfined.te
deleted file mode 100644
index a76c3d8..0000000
--- a/unconfined.te
+++ /dev/null
@@ -1,90 +0,0 @@
-#######################################################
-#
-# This is the unconfined template. This template is the base policy
-# which is used by daemons and other privileged components of
-# Android.
-#
-# Historically, this template was called "unconfined" because it
-# allowed the domain to do anything it wanted. Over time,
-# this has changed, and will continue to change in the future.
-# The rules in this file will be removed when no remaining
-# unconfined domains require it, or when the rules contradict
-# Android security best practices. Domains which need rules not
-# provided by the unconfined template should add them directly to
-# the relevant policy.
-#
-# The use of this template is discouraged.
-######################################################
-
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
-allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
-allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
-allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:fd *;
-allow unconfineddomain domain:dir r_dir_perms;
-allow unconfineddomain domain:lnk_file r_file_perms;
-allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
-allow unconfineddomain domain:{
- socket
- netlink_socket
- key_socket
- unix_stream_socket
- unix_dgram_socket
- netlink_route_socket
- netlink_firewall_socket
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_selinux_socket
- netlink_audit_socket
- netlink_ip6fw_socket
- netlink_dnrt_socket
- netlink_kobject_uevent_socket
- tun_socket
-} *;
-allow unconfineddomain domain:ipc_class_set *;
-allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {
- file_type
- -keystore_data_file
- -property_data_file
- -system_file
- -exec_type
- -security_file
- -shell_data_file
- -app_data_file
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain exec_type:dir r_dir_perms;
-allow unconfineddomain exec_type:file { r_file_perms execute };
-allow unconfineddomain exec_type:lnk_file r_file_perms;
-allow unconfineddomain system_file:dir r_dir_perms;
-allow unconfineddomain system_file:file { r_file_perms execute };
-allow unconfineddomain system_file:lnk_file r_file_perms;
-allow unconfineddomain {
- fs_type
- -usermodehelper
- -proc_security
- -contextmount_type
- -rootfs
- -sdcard_type
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {
- file_type
- -keystore_data_file
- -property_data_file
- -system_file
- -exec_type
- -security_file
- -shell_data_file
- -app_data_file
-}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain rootfs:file execute;
-allow unconfineddomain contextmount_type:dir r_dir_perms;
-allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
-allow unconfineddomain node_type:node *;
-allow unconfineddomain netif_type:netif *;
-allow unconfineddomain domain:peer recv;
-allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
diff --git a/uncrypt.te b/uncrypt.te
index 265a8b1..743236d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -1,5 +1,5 @@
# uncrypt
-type uncrypt, domain;
+type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
init_daemon_domain(uncrypt)
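Review bot: `type uncrypt, domain, mlstrustedsubject;` lifts uncrypt out of the MLS constraints with no comment saying which MLS-separated object it must reach, while the untrusted_app hunk in this same change documents how much that attribute undermines the per-user isolation model. A why-comment above the type line would let a later reviewer check whether the grant is still needed, e.g. `# mlstrustedsubject: uncrypt must read the OTA package under per-user labelled data (levelFrom=user) — confirm`, with the actual reason substituted if this inference is wrong. The attribute could alternatively be attached via `typeattribute uncrypt mlstrustedsubject;` next to that comment, which keeps the type declaration itself untouched.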
@@ -28,3 +28,6 @@ allow uncrypt powerctl_prop:property_service set;
allow uncrypt self:capability sys_rawio;
allow uncrypt block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
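Review bot: The comment `# Access userdata block device.` only restates the rule; `w_file_perms` on the raw userdata partition is a high-impact grant and the comment should say why a filesystem-level write is not enough. Presumably uncrypt writes the package's blocks back in place so recovery can read them without the filesystem, in which case something like `# uncrypt rewrites the OTA package's blocks directly on the userdata partition so recovery can read it; raw write is required` documents the intent. Note that the pre-existing `block_device:blk_file w_file_perms` on the line above already covered this before the type split, so this line is keeping, not adding, capability — worth stating if that is the case.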
diff --git a/untrusted_app.te b/untrusted_app.te
index c5c887f..1b7aaee 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -55,6 +55,11 @@ allow untrusted_app shell_data_file:dir r_dir_perms;
# This line needs to be deleted.
allow untrusted_app anr_data_file:file r_file_perms;
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app system_app_data_file:file { read write getattr };
+
#
# Rules migrated from old app domains coalesced into untrusted_app.
# This includes what used to be media_app, shared_app, and release_app.
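Review bot: `allow untrusted_app system_app_data_file:file { read write getattr };` is safe only because `open` is deliberately absent — untrusted_app cannot open these files itself and can only use descriptors handed to it — but the comment describes the Binder use case without saying that the missing `open` is what enforces it. Someone "fixing" a denial by adding `open` would silently turn this into direct read/write of system app data. Suggest extending the comment with `# No open permission on purpose: access is limited to fds received from another process.`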
@@ -71,6 +76,27 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
+allow untrusted_app drmserver_service:service_manager find;
+allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app nfc_service:service_manager find;
+allow untrusted_app radio_service:service_manager find;
+allow untrusted_app surfaceflinger_service:service_manager find;
+allow untrusted_app app_api_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in untrusted_app
+allow untrusted_app system_api_service:service_manager find;
+
+# TODO: remove and replace with specific package that accesses this
+allow untrusted_app persistent_data_block_service:service_manager find;
+
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# Apps using KeyStore API will request the SID from GateKeeper
+allow untrusted_app gatekeeper_service:service_manager find;
+binder_call(untrusted_app, gatekeeperd)
+
###
### neverallow rules
###
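Review bot: The two TODO grants, `allow untrusted_app system_api_service:service_manager find;` and `allow untrusted_app persistent_data_block_service:service_manager find;`, expose system-level services to every untrusted app with no tracking reference, so nothing drives their removal. `find` is discovery only and each service still does its own caller checks, but the second TODO says the intended scope is a single package, so the comment should name it or a bug id, e.g. `# TODO(<tracking-bug>): scope persistent_data_block_service to the single package that needs it`. The same applies to the system_api_service line. The verifier block for apk_tmp_file appears to be moved here from below the neverallow header (see the third hunk), which is a no-op and fine.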
@@ -96,6 +122,20 @@ neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;
-# Allow verifier to access staged apks.
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+# Do not allow untrusted_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and untrusted_app is allowed fork permission to itself.
+neverallow untrusted_app mlstrustedsubject:process fork;
+
+# Do not allow untrusted_app to hard link to any files.
+# In particular, if untrusted_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted_app never has this
+# capability.
+neverallow untrusted_app file_type:file link;
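Review bot: `neverallow untrusted_app file_type:file link;` blocks hard links to regular files only, while the comment says untrusted_app should "never" have the capability; `link` is a common-file permission also carried by lnk_file, sock_file and fifo_file, so links to those objects are not covered by this rule. If the stated goal is meant literally, the rule could read `neverallow untrusted_app file_type:{ file lnk_file sock_file fifo_file } link;`, otherwise the comment should say why regular files are the only concern (installd's deletion guarantee). The hunk ends at end of file.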
diff --git a/vold.te b/vold.te
index 0247bfe..e72822c 100644
--- a/vold.te
+++ b/vold.te
@@ -4,17 +4,63 @@ type vold_exec, exec_type, file_type;
init_daemon_domain(vold)
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For sgdisk launched through popen()
+allow vold shell_exec:file rx_file_perms;
+
typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
+auditallow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton;
-allow vold sdcard_type:filesystem { mount remount unmount };
-allow vold sdcard_type:dir create_dir_perms;
-allow vold sdcard_type:file create_file_perms;
+allow vold sdcard_type:dir mounton; # TODO: deprecated in M
+allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
+allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
+allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+allow vold sdcard_type:filesystem { mount unmount remount };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir create_dir_perms;
+allow vold mnt_user_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
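Review bot: The three lines tagged `# TODO: deprecated in M` are already duplicated by the new rules, so deleting them later will change nothing and the TODO is misleading: `sdcard_type:dir create_dir_perms` and `sdcard_type:file create_file_perms` are subsumed by the `{ mnt_media_rw_file storage_file sdcard_type }` rules a few lines below, and `sdcard_type:filesystem { mount remount unmount }` is repeated verbatim under "Allow mounting of storage devices". Either drop sdcard_type from the new grouped rules so the deprecated lines are the only carrier of that access, or drop the deprecated lines now. The `auditallow vold block_device:blk_file create_file_perms;` next to the identical allow would also benefit from a one-line comment stating what the audit is meant to find (presumably remaining uses of the generic type now that userdata/metadata/vold device types exist).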
@@ -22,22 +68,24 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner
allow vold self:netlink_kobject_uevent_socket create_socket_perms;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file rw_file_perms;
+allow vold loop_device:blk_file create_file_perms;
+allow vold vold_device:blk_file create_file_perms;
allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };
-# For blkid
-allow vold shell_exec:file rx_file_perms;
-
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
write_klog(vold)
+# Run fsck.
+allow vold fsck_exec:file rx_file_perms;
+
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
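Review bot: `allow vold loop_device:blk_file create_file_perms;` widens the previous `rw_file_perms` to creation, unlink and rename of loop device nodes, and `allow vold vold_device:blk_file create_file_perms;` does the same for a new type, without a comment; the adjacent dm_device lines stay at rw. A why-comment keeps the widening reviewable, e.g. `# create_file_perms (not just rw): vold creates its own loop and vold device nodes — confirm`. The enclosing file section continues in later hunks.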
@@ -56,8 +104,8 @@ allow vold labeledfs:filesystem { mount unmount remount };
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;
-# Create and mount on /data/tmp_mnt.
-allow vold system_data_file:dir { create rw_dir_perms mounton };
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
@@ -71,7 +119,7 @@ allow vold ctl_fuse_prop:property_service set;
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
@@ -89,3 +137,21 @@ binder_call(vold, healthd)
# talk to keymaster
allow vold tee_device:chr_file rw_file_perms;
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+
+# Allow init to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -init } vold_data_file:dir *;
+neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
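Review bot: The comment `# Allow init to manipulate /data/unencrypted` sits above rules whose subject is vold, not init (`allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;`), so it looks copy-pasted and will mislead the next reader. Suggest `# Manage the contents of /data/unencrypted` and, if init's own access lives in init.te, saying so. The vold_data_file neverallows read consistently: the first pair bounds what init may do and the second pair excludes everyone else entirely.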
diff --git a/wpa.te b/wpa.te
index 7b1a875..d6fae63 100644
--- a/wpa.te
+++ b/wpa.te
@@ -37,3 +37,11 @@ allow wpa keystore:keystore_key {
userdebug_or_eng(`
unix_socket_send(wpa, wpa, su)
')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow wpa sdcard_type:dir ~getattr;
+neverallow wpa sdcard_type:file *;
diff --git a/zygote.te b/zygote.te
index adbea06..d2f629c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -48,13 +48,19 @@ security_access_policy(zygote)
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;
-# Setting up /storage/emulated.
+# Allow remounting rootfs as MS_SLAVE
allow zygote rootfs:dir mounton;
-allow zygote sdcard_type:dir { write search setattr create add_name mounton };
-dontaudit zygote self:capability fsetid;
-allow zygote tmpfs:dir { write create add_name setattr mounton search };
-allow zygote tmpfs:filesystem mount;
-allow zygote labeledfs:filesystem remount;
+allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
+dontaudit zygote self:capability fsetid; # TODO: deprecated in M
+allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
+allow zygote tmpfs:filesystem mount; # TODO: deprecated in M
+allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
+
+# Allowed to create user-specific storage source if started before vold
+allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:lnk_file create_file_perms;
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
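Review bot: Five consecutive rules each carry the same trailing `# TODO: deprecated in M` with no indication of what replaces them, so nothing tells a later maintainer when it is safe to remove them. Presumably the mnt_user_file/storage_file rules that follow are the replacement; a single comment above the group such as `# TODO: deprecated in M — legacy /storage/emulated setup, superseded by the mnt_user_file/storage_file rules below once vold owns storage mounting` is clearer than per-line markers and records the condition for removal.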