path: root/rild.te
Commit message (Author, Age, Files, Lines)

* Replace unix_socket_connect() and explicit property sets with macro  (William Roberts, 2015-05-07, 1 file, -4/+3)

  A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of:

  1. Allowing the unix domain connection to the init/property service
  2. Allowing write on the property_socket file
  3. Allowing the set on class property_service

  The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added.

  To correct this, we introduce a new macro:
  set_prop(sourcedomain, targetprop)

  This macro handles steps 1, 2 and 3.

  No difference in sediff is expected.

  (cherrypicked from commit 625a3526f1ebaaa014bb563239cc33829f616232)

  Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
  Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>

* Align SELinux property policy with init property_perms.  (Stephen Smalley, 2014-06-23, 1 file, -1/+4)

  Introduce a net_radio_prop type for net. properties that can be set by radio or system.
  Introduce a system_radio_prop type for sys. properties that can be set by radio or system.
  Introduce a dhcp_prop type for properties that can be set by dhcp or system.

  Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out.

  Remove the ability to set properties from unconfineddomain.
  Allow init to set any property.
  Allow recovery to set ctl_default_prop to restart adbd.

  Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Introduce wakelock_use()  (Nick Kralevich, 2014-05-23, 1 file, -1/+1)

  Introduce wakelock_use(). This macro declares that a domain uses wakelocks. Wakelocks require both read-write access to files in /sys/power, and CAP_BLOCK_SUSPEND. This macro helps ensure that both capabilities and file access are granted at the same time.

  Still TODO: fix device specific wakelock use.

  Change-Id: Ib98ff374a73f89e403acd9f5e024988f59f08115

* Drop dontaudit sys_admin rule from rild.  (Stephen Smalley, 2014-04-02, 1 file, -1/+0)

  Old Android kernels (e.g. kernel/goldfish android-2.6.29 commit 2bda29) fell back to a CAP_SYS_ADMIN check even before checking uids if the cgroup subsystem did not define its own can_attach handler. This doesn't appear to have ever been the case of mainline, and is not true of the 3.4 Android kernels. So we no longer need to dontaudit sys_admin to avoid log noise.

  Change-Id: I2faade6665a4adad91472c95f94bd922a449b240
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Remove write access to system_data_file from rild.  (Stephen Smalley, 2014-03-18, 1 file, -4/+2)

  Anything writable by rild should be in radio_data_file or efs_file. System data should be read-only.

  Change-Id: I442a253c22f567a147d0591d623e97a6ee8b76e3
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Audit attempts by rild to create/write to system_data_file.  (Stephen Smalley, 2014-03-13, 1 file, -0/+2)

  Audit attempts by rild to create/write to system_data_file with avc: granted messages so that we can identify any such instances and put such directories/files into radio_data_file or some other type and then remove these rules.

  Change-Id: Ice20fed1733a3f4208d541a4baaa8b6c6f44fbb0
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* rild: move to enforcing  (Nick Kralevich, 2014-03-12, 1 file, -1/+0)

  Move the rild domain into SELinux enforcing mode. This will start enforcing SELinux rules; security policy violations will return EPERM.

  Change-Id: Iadb51616ecf6f56148ce076d47f04511810de94c

* Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.  (Stephen Smalley, 2014-02-25, 1 file, -2/+0)

  Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Clean up socket rules.  (Stephen Smalley, 2014-02-25, 1 file, -5/+4)

  Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms.

  Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te.

  For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write.

  Delete legacy rule for b/12061011.

  This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change.

  Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Support forcing permissive domains to unconfined.  (Nick Kralevich, 2014-01-11, 1 file, -1/+1)

  Permissive domains are only intended for development. When a device launches, we want to ensure that all permissive domains are in, at a minimum, unconfined+enforcing.

  Add FORCE_PERMISSIVE_TO_UNCONFINED to Android.mk. During development, this flag is false, and permissive domains are allowed. When SELinux new feature development has been frozen immediately before release, this flag will be flipped to true. Any previously permissive domains will move into unconfined+enforcing. This will ensure that all SELinux domains have at least a minimal level of protection.

  Unconditionally enable this flag for all user builds.

  Change-Id: I1632f0da0022c80170d8eb57c82499ac13fd7858

* Fix new rild denials.  (Robert Craig, 2013-12-05, 1 file, -0/+2)

  Denials seen on hammerhead but seem appropriate for general policy.

  <5>[ 8.339347] type=1400 audit(3731546.390:17): avc: denied { ioctl } for pid=314 comm="rild" path="socket:[7996]" dev="sockfs" ino=7996 scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
  <5>[ 8.339065] type=1400 audit(3731546.390:16): avc: denied { create } for pid=314 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket
  <5>[ 11.232121] type=1400 audit(3731549.289:22): avc: denied { read } for pid=620 comm="rild" scontext=u:r:rild:s0 tcontext=u:r:rild:s0 tclass=socket

  Change-Id: Ieaca5360afbb44d5da21c7c24bdd5e7c5758f0a2

* Confine rild, but leave it permissive for now.  (Stephen Smalley, 2013-11-13, 1 file, -1/+38)

  Change-Id: I6df9981b2af0150c6379a0ebdbe0a8597c994f4a
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Move unconfined domains out of permissive mode.  (Nick Kralevich, 2013-10-21, 1 file, -1/+0)

  This change removes the permissive line from unconfined domains. Unconfined domains can do (mostly) anything, so moving these domains into enforcing should be a no-op.

  The following domains were deliberately NOT changed:
  1) kernel
  2) init

  In the future, this gives us the ability to tighten up the rules in unconfined, and have those tightened rules actually work.

  When we're ready to tighten up the rules for these domains, we can:
  1) Remove unconfined_domain and re-add the permissive line.
  2) Submit the domain in permissive but NOT unconfined.
  3) Remove the permissive line
  4) Wait a few days and submit the no-permissive change.

  For instance, if we were ready to do this for adb, we'd identify a list of possible rules which allow adbd to work, re-add the permissive line, and then upload those changes to AOSP. After sufficient testing, we'd then move adb to enforcing. We'd repeat this for each domain until everything is enforcing and out of unconfined.

  Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

* Introduce controls on wake lock interface  (William Roberts, 2013-10-03, 1 file, -0/+3)

  Change-Id: Ie0ee266e9e6facb2ab2abd652f68765239a41af1

* Make all domains unconfined.  (repo sync, 2013-05-20, 1 file, -39/+1)

  This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.

  Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

* Move domains into per-domain permissive mode.  (repo sync, 2013-05-14, 1 file, -0/+1)

  Bug: 4070557
  Change-Id: I027f76cff6df90e9909711cb81fbd17db95233c1

* Expand permissions for 3 existing allow policies for rild and a new one for rild.  (William Luh, 2013-05-02, 1 file, -3/+5)

  Change-Id: Iafe68ac1b742e40c1a23a2f6cfd6373ea89cc07b

* Allow rild to create, bind, read, write to itself through a netlink socket.  (William Luh, 2013-04-25, 1 file, -0/+3)

  Change-Id: Ia7457e3fd4f1100bbee821f412e80ba17fede5ec

* Allow all domains to read /dev symlinks.  (Stephen Smalley, 2013-04-05, 1 file, -1/+0)

  Change-Id: I448a5553937a98775178b94f289ccb45ae862876
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

* Various policy updates.  (Robert Craig, 2013-03-27, 1 file, -0/+2)

  Assortment of policy changes include:
    * Bluetooth domain to talk to init and procfs.
    * New device node domains.
    * Allow zygote to talk to its executable.
    * Update system domain access to new device node domains.
    * Create a post-process sepolicy with dontaudits removed.
    * Allow rild to use the tty device.

  Change-Id: Ibb96b590d0035b8f6d1606cd5e4393c174d10ffb
  Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

* Split internal and external sdcards  (William Roberts, 2013-03-22, 1 file, -1/+1)

  Two new types are introduced:
  sdcard_internal
  sdcard_external

  The existing type of sdcard is dropped and a new attribute sdcard_type is introduced.

  The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards.

  Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5

* Corrected denials for LocationManager when accessing gps over uart.  (hqjiang, 2012-07-12, 1 file, -0/+3)

* This patch fixes rild trying to access the bluetooth efs dir with read perms.  (William Roberts, 2012-06-27, 1 file, -0/+1)

* Remove all denials caused by rild on tuna devices.  (William Roberts, 2012-06-07, 1 file, -0/+8)

  Tested on a maguro variant.

* Policy for hci_attach service.  (William Roberts, 2012-05-31, 1 file, -0/+1)

* Rework the radio vs rild property split.  (Stephen Smalley, 2012-04-04, 1 file, -0/+1)

  Only label properties with the ril. prefix with rild_prop.
  Allow rild and system (and radio) to set radio_prop.
  Only rild can set rild_prop presently.

* Add policy for property service.  (Stephen Smalley, 2012-04-04, 1 file, -0/+3)

  New property_contexts file for property selabel backend.
  New property.te file with property type declarations.
  New property_service security class and set permission.
  Allow rules for setting properties.

* Integrate nfc_power and rild rules from tuna sepolicy by Bryan Hinton.  (Stephen Smalley, 2012-03-19, 1 file, -0/+1)

* SE Android policy.  (Stephen Smalley, 2012-01-04, 1 file, -0/+21)