path: root/isolated_app.te

Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* Further restrict socket ioctls available to apps (Jeff Vander Stoep, 2016-05-27; 1 file, -1/+1)

  Restrict unix_dgram_socket and unix_stream_socket to a whitelist for all domains. Remove ioctl permission for netlink_selinux_socket and netlink_route_socket for netdomain.

  Bug: 28171804
  Bug: 27424603
  Change-Id: I650639115b8179964ae690a39e4766ead0032d2e
* Remove service_manager_local_audit_domain. (dcashman, 2015-06-08; 1 file, -2/+0)

  service_manager_local_audit_domain was used to fine tune the service_manager auditallow rules when introducing the service_manager SELinux rules. This is no longer needed.

  (cherry-pick of commit: eab26faa60cc0fdadfe128433e0357bdde3f9d9b)

  Bug: 21656807
  Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
* restrict app access to socket ioctls (Jeff Vander Stoep, 2015-06-05; 1 file, -0/+3)

  Create a macro of unprivileged ioctls including
  - All common socket ioctls except MAC address
  - All wireless extensions ioctls except get/set ESSID
  - Some commonly used tty ioctls

  Bug: 21657002
  Change-Id: Ib08be9cb70d08c1fa2c8bddbae519e7c2df5293c
* isolated_app: Do not allow access to the gpu_device. (Nick Kralevich, 2015-04-09; 1 file, -0/+3)

  Bug: 17471434
  Bug: 18609318
  Change-Id: Idb3ed8ada03dbc07f35e74fd80cb989c8e6808bc
* isolated_app: allow app_data_file lock (Nick Kralevich, 2015-04-09; 1 file, -1/+1)

  Chrome's WebSQL implementation works by running sqlite in the sandboxed renderer process, and sqlite expects to be able to call flock() on the database file.

  Bug: 20134929
  Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54
* Record observed service accesses. (dcashman, 2015-04-01; 1 file, -0/+2)

  Get ready to switch system_server service lookups into enforcing.

  Bug: 18106000
  Change-Id: Iefd4b2eee6cdd680f5ab423d15cc72a2a30e27cf
* update isolated_app service_manager rules (Nick Kralevich, 2015-03-05; 1 file, -16/+12)

  isolated apps should only be able to access 2 services. Remove access permissions for services inappropriately added, and add a neverallow rule to prevent regressions.

  Change-Id: I2783465c4a22507849b2a64894fb76690a27bc01
* Revert "isolated_app: Do not allow access to the gpu_device." (Nick Kralevich, 2015-01-20; 1 file, -3/+0)

  Chrome team recommends reverting this patch and introducing it into a future version of Android, to avoid potential compatibility issues.

  This reverts commit 9de62d6ffed14a6b0abed63d2a915cdae87a7fc4.

  Bug: 17471434
  Bug: 18609318
  Change-Id: I9adaa9d0e4cb6a592011336e442e9d414dbac470
* Make system_server_service an attribute. (dcashman, 2015-01-14; 1 file, -0/+16)

  Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services.

  Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
* Restrict service_manager find and list access. (dcashman, 2014-12-15; 1 file, -8/+3)

  All domains are currently granted list and find service_manager permissions, but this is not necessary. Pare the permissions which did not trigger any of the auditallow reporting.

  Bug: 18106000
  Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
* Do not allow isolated_app to directly open app data files. (Stephen Smalley, 2014-12-02; 1 file, -0/+6)

  Only allow it to read/write/stat already open app data files received via Binder or local socket IPC.

  Change-Id: Ie66f240e109410a17aa93d9d5dea4c2b87d47009
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Revert "Do not allow isolated_app to directly open app data files." (Nick Kralevich, 2014-10-17; 1 file, -6/+0)

  This is causing the version of Chrome in Android's tree to crash. The version of Chrome in Android's tree does not have the following patch: https://codereview.chromium.org/630123003

  Until Chrome updates the version in Android's tree, we need to revert.

  Works around the following denials:

    audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
    audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
    audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

  This reverts commit 669a97730376e919813411fcfdddac35bd7236ae.

  Bug: 18006219
  Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
* Do not allow isolated_app to directly open app data files. (Stephen Smalley, 2014-10-06; 1 file, -0/+6)

  Only allow it to read/write/stat already open app data files received via Binder or local socket IPC.

  Change-Id: I3c096607a74fd0f360d41f3e6f06535ca00c58ec
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Remove net_domain() from isolated_app. (Stephen Smalley, 2014-10-03; 1 file, -1/+0)

  isolated_app performs no direct network socket communication, so we can remove net_domain() from it.

  Change-Id: I112aa4140fd577a5ea28f7a3d62567ebabcdb48d
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* isolated_app: remove app_data_file execute (Nick Kralevich, 2014-10-01; 1 file, -6/+0)

  In commit ad891591e6c5d3ffffd2633672c48ab7e263cdec, we allowed isolated processes to execute files from /data/data/APPNAME. I'm pretty sure all the necessary linker changes have been made so that this functionality isn't required anymore. Remove the allow rule.

  This is essentially a revert of ad891591e6c5d3ffffd2633672c48ab7e263cdec.

  Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816
* isolated_app: Do not allow access to the gpu_device. (Robert Sesek, 2014-09-11; 1 file, -0/+3)

  Bug: 17471434
  Change-Id: I6fd1079be29a454f46ab84f0c43fcf816e679c98
* Further refined service_manager auditallow statements. (Riley Spahn, 2014-07-18; 1 file, -1/+6)

  Further refined auditallow statements associated with service_manager and added dumpstate to the service_manager_local_audit_domain.

  Change-Id: I2ecc42c8660de6a91f3b4e56268344fbd069ccc0
* Add access control for each service_manager action. (Riley Spahn, 2014-07-14; 1 file, -0/+4)

  Add SELinux MAC for the service manager actions list and find. Add the list and find verbs to the service_manager class. Add policy requirements for service_manager to enforce policies to binder_use macro.

  Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
* isolated_app: allow app_data_file execute (Nick Kralevich, 2014-06-27; 1 file, -0/+6)

  Chrome renderer processes dlopen() a shared library from gmscore. Open and read on app data file is already allowed, but execute isn't, so the dlopen() fails. This is a regression from K, where the dlopen succeeded.

  Longer term, there are questions about whether this is appropriate behavior for an isolated app. For now, allow the behavior. See the discussion in b/15902433 for details.

  Addresses the following denial:

    I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

  Bug: 15902433
  Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678
* Clean up, unify, and deduplicate app domain rules. (Stephen Smalley, 2014-03-07; 1 file, -9/+0)

  Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files.

  Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as:

    avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
    avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
    avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket
    avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
    avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket
    avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

  Change-Id: I770d7d51d498b15447219083739153265d951fe5
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Resolve overlapping rules between app.te and net.te. (Stephen Smalley, 2014-02-25; 1 file, -0/+1)

  There is some overlap between socket rules in app.te and the net.te rules, but they aren't quite identical since not all app domains presently include the net_domain() macro and because the rules in app.te allow more permissions for netlink_route_socket and allow rawip_socket permissions for ping. The current app.te rules prevent one from ever creating a non-networked app domain.

  Resolve this overlap by:
  1) Adding the missing permissions allowed by app.te to net.te for netlink_route_socket and rawip_socket.
  2) Adding net_domain() calls to all existing app domains that do not already have it.
  3) Deleting the redundant socket rules from app.te.

  Then we'll have no effective change in what is allowed for apps but allow one to define app domains in the future that are not allowed network access.

  Also cleanup net.te to use the create_socket_perms macro rather than * and add macros for stream socket permissions.

  Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Remove legacy rules from dumpstate in init domain. (Stephen Smalley, 2014-01-09; 1 file, -3/+0)

  From the commit that added these rules, this appears to have been an artifact of having dumpstate running in the init domain.

  Change-Id: Iec2b9c3f5673d0e2cce9a0bf297e23555c423e87
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Make the isolated_app domain enforcing. (Stephen Smalley, 2013-12-02; 1 file, -1/+0)

  Change-Id: I11be7d1713dd7cb35b8046503a09e42567e53d86
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Remove duplicated rules between appdomain and isolated_app. (Stephen Smalley, 2013-09-13; 1 file, -3/+0)

  r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te; delete it from isolated_app.te. binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete it.

  Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Fix more long-tail denials. (Geremy Condra, 2013-09-05; 1 file, -0/+6)

  For additional context, the denials related to init_tmpfs are of the form:

    denied { read } for pid=12315 comm="dboxed_process0" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev="tmpfs" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file

  (the path above is "/dev/ashmem/dalvik-heap (deleted)")

  The denials related to executing things from the dalvik cache are of the form:

    enied { execute } for pid=3565 comm="dboxed_process0" path="/data/dalvik-cache/system@app@Chrome.apk@classes.dex" dev="mmcblk0p28" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file

  The denials related to isolated_app and the init socket are:

    denied { getattr } for pid=3824 comm="Binder_2" path="socket:[14059]" dev="sockfs" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

  The getopt denials for the aforementioned socket are:

    denied { getopt } for pid=3824 comm="Binder_2" path="/dev/socket/dumpstate" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket

  Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49
* Move isolated_app.te / untrusted_app.te into permissive (Nick Kralevich, 2013-07-16; 1 file, -0/+1)

  OTAs aren't properly labeling /system, which is causing SELinux breakage. Temporarily put isolated_app.te and untrusted_app.te into permissive.

  Bug: 9878561
  Change-Id: Icaf674ad6b3d59cbca3ae796c930c98ab67cae9c
* untrusted_app.te / isolated_app.te / app.te first pass (Nick Kralevich, 2013-07-13; 1 file, -2/+9)

  This is my first attempt at creating an enforcing SELinux domain for apps, untrusted_apps, and isolated_apps. Many of these rules are based on the contents of app.te as of commit 11153ef34928ab9d13658606695cba192aa03e21 with extensive modifications, some of which are included below.

  * Allow communication with netd/dnsproxyd, to allow netd to handle dns requests
  * Allow binder communications with the DNS server
  * Allow binder communications with surfaceflinger
  * Allow an app to bind to tcp/udp ports
  * Allow all domains to read files from the root partition, assuming the DAC allows access.

  In addition, I added a bunch of "neverallow" rules, to assert that certain capabilities are never added.

  This change has a high probability of breaking someone, somewhere. If it does, then I'm happy to fix the breakage, rollback this change, or put untrusted_app into permissive mode.

  Change-Id: I83f220135d20ab4f70fbd7be9401b5b1def1fe35
* Move *_app into their own file (Nick Kralevich, 2013-07-12; 1 file, -0/+15)

  app.te covers a lot of different apps types (platform_app, media_app, shared_app, release_app, isolated_app, and untrusted_app), all of which are going to have slightly different security policies. Separate the different domains from app.te.

  Over time, these files are likely to grow substantially, and mixing different domain types is a recipe for confusion and mistakes.

  No functional change.

  Change-Id: Ida4e77fadb510f5993eb2d32f2f7649227edff4f