PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
04641948c0
android_system_sepolicy/public/init.te

383 lines
13 KiB
Plaintext
Raw Normal View History

Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
# init is its own domain.
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 09:54:39 -08:00
type init, domain, domain_deprecated, mlstrustedsubject;
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 14:46:05 -07:00
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
Adding a neverallow rule to prevent renaming of device and char files This neverallow addition addresses the renaming of files in exploits in order to bypass denied permissions. An example of a similar use case of using mv to bypass permission denials appeared in a recent project zero ChromeOS exploit as one of the steps in the exploit chain. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html Additionally, vold and init both had permission sets that allowed them to rename, but neither of them seem to need it. Therefore the rename permission has also been removed from these two .te files. Test: The device boots successfully Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
2017-01-20 14:26:05 -08:00
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
#
# init direct restorecon calls.
#
Fix init's restorecon of /dev/kmsg. Bug: http://b/30699558 Change-Id: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69 Merged-In: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69
2016-08-11 09:16:39 -07:00
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
# /dev/__properties__
Support fine grain read access control for properties Properties are now broken up from a single /dev/__properties__ file into multiple files, one per property label. This commit provides the mechanism to control read access to each of these files and therefore sets of properties. This allows full access for all domains to each of these new property files to match the current permissions of /dev/__properties__. Future commits will restrict the access. Bug: 21852512 Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
2015-12-01 16:58:27 -08:00
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
Fix init's restorecon of /dev/kmsg. Bug: http://b/30699558 Change-Id: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69 Merged-In: Id9b213967ab290f45d1b8a5ab6712845ac9a0b69
2016-08-11 09:16:39 -07:00
# /dev/socket
allow init { device socket_device }:dir relabelto;
Let init restorecon /dev/random and /dev/urandom. Bug: http://b/29622562 Change-Id: I21bc79f31ffd0b002b4a25d3ceefaf12f42f05c4
2016-09-01 14:04:37 -07:00
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
Allow init to mount /odm, /vendor early Specifically we need init to relabel (/dev/device-mapper, /dev/block/dm-?) and other files in /dev/block/* from tmpfs to dm_device and block_device respectively. BUG=27805372 Change-Id: I16af6e803f8e4150481137aba24d5406872f9c62
2016-01-28 01:40:42 -08:00
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow init kernel:fd use;
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# setrlimit
allow init self:capability sys_resource;
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;
# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;
# Access /dev/console.
allow init console_device:chr_file rw_file_perms;
# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
allow init self:capability sys_admin;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
Allow cppreopts to work with selinux (cherry picked from commit d3edd6b577c1e40834af69420bd77b60c359ef8e) Bug: 29278988 Change-Id: I199572377a6b5c33116c718a545159ddcf50df30
2016-06-22 15:47:09 -07:00
allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
init: allow rootfs symlink removal On the Nexus 9, init.rc creates the /vendor -> /system/vendor symlink, then a bit later removes the symlink, creates a proper directory, and mounts /vendor on the directory. The current permissive SELinux policy doesn't allow init to remove the /vendor symlink, which eventually causes the following errors: avc: denied { unlink } for pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1 fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered There was an attempt to reorder some of these operations so we didn't have to create / delete the symlink, but it doesn't seem to have gone well. https://android.googlesource.com/platform/system/core/+/f67d6bd3c0fb41d167c675b9d2b5d377b6f38a74 Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
2014-12-23 17:08:58 -08:00
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(init, cgroup)
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init cpuctl_device:dir { create mounton };
sepolicy: Add policy for sdcardfs and configfs Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff Bug: 19160983
2016-03-01 16:13:50 -08:00
# /config
allow init configfs:dir mounton;
allow init configfs:dir create_dir_perms;
allow init tmpfs:dir relabelfrom When encrypting a device, or when an encrypted device boots, a tmpfs is mounted in place of /data, so that a pseudo filesystem exists to start system_server and related components. SELinux labels need to be applied to that tmpfs /data so the system boots properly. Allow init to relabel a tmpfs /data. Addresses the following denial: [ 6.294896] type=1400 audit(29413651.850:4): avc: denied { relabelfrom } for pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir Steps to reproduce: 1) Go into Settings > Security > Encrypt Phone 2) Encrypt phone 3) See denial 4) reboot phone 5) See denial on boot Bug: 19050686 Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
2015-02-27 14:54:40 -08:00
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:capability dac_override;
# Set system clock.
allow init self:capability sys_time;
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 13:31:04 -08:00
allow init self:capability { sys_rawio mknod };
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 06:11:30 -07:00
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# Mounting filesystems.
Restrict use of context= mount options. Prior to this change, the init and recovery domains were allowed unrestricted use of context= mount options to force all files within a given filesystem to be treated as having a security context specified at mount time. The context= mount option can be used in device-specific fstab.<board> files to assign a context to filesystems that do not support labeling such as vfat where the default label of sdcard_external is not appropriate (e.g. /firmware on hammerhead). Restrict the use of context= mount options to types marked with the contextmount_type attribute, and then remove write access from such types from unconfineddomain and prohibit write access to such types via neverallow. This ensures that the no write to /system restriction cannot be bypassed via context= mount. Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 10:05:38 -07:00
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
New postinstall domain and rules to run post-install program. When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namelly, slot "B"), update_engine needs to temporarly mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-01 16:14:45 -08:00
# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;
Allow init to relabel rootfs files. This is required for the restorecon /adb_keys in init.rc or for any other relabeling of rootfs files to more specific types on kernels that support setting security contexts on rootfs inodes. Addresses denials such as: avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 We do not need to prohibit relabelfrom of such files because our goal is to prevent writing to executable files, while relabeling the file to another type will take it to a non-executable (or non-writable) type. In contrast, relabelto must be prohibited by neverallow so that a modified file in a writable type cannot be made executable. Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 06:17:51 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability { chown fowner fsetid };
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
allow init {
file_type
-app_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-exec_type
-misc_logd_file
init: keep init out of system_app sandboxes Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:53:29 -08:00
-system_app_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-system_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
}:dir { create search getattr open read setattr ioctl };
allow init {
file_type
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-exec_type
-keystore_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-misc_logd_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-system_app_data_file
-system_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
allow init {
file_type
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-exec_type
-keystore_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-misc_logd_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-system_app_data_file
-system_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow init {
file_type
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-exec_type
-keystore_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-misc_logd_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-system_app_data_file
-system_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {
file_type
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-exec_type
-keystore_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-misc_logd_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
-system_app_data_file
-system_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
Remove /system write from unconfined Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-20 11:09:16 -07:00
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
sepolicy: add support for new tracefs Since kernel 4.1 ftrace is supported as a new separate filesystem. It gets automatically mounted by the kernel under the old path /sys/kernel/debug/tracing. Because it lives now on a separate device some sepolicy rules need to be updated. This patch is doing that. Most of the rules are created based on a conversation happened on the SELinux Android mailing list: http://comments.gmane.org/gmane.comp.security.seandroid/2799 Note, that this also needs 3a343a1 from the 4.4 branch in kernel/common. Also note that when tracefs is auto mounted by the kernel, the kernel does not use the "mode" parameter specified to mount debugfs for tracefs. So an extra line like chmod 0755 /sys/kernel/debug/tracing is necessary in init.${ro.hardware}.rc after debugfs was mounted. Change-Id: I60fb7a90e24628e0370c3bca57644451fce5646d Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2016-05-13 05:36:33 -07:00
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-07 17:02:31 -08:00
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
init.te: allow writing to /sys/kernel/debug/tracing/tracing_on Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc Also allow shell getattr access to the tracing file. That way "ls -la" returns something meaningful. Bug: 26217098 Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
2015-12-16 12:50:06 -08:00
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;
allow init and system_server access to tracing Revise policy, to allow init and system_server to configure, clear, and read kernel trace events. This will enable us to debug certain WiFi failures. Note that system_server is restricted to only accessing a wifi-specific trace instance. (Hence, system_server is not allowed to interfere with atrace.) Moreover, even for the wifi trace instance, system_server is granted limited permissions. (system_server can not, e.g., change which events are traced.) Note also that init and system_server are only granted these powers on userdebug or eng builds. The init.te and system_server.te changes resolve the following denials: // Denials when wifi-events.rc configures tracing { write } for pid=1 comm="init" name="instances" dev="debugfs" ino=755 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { add_name } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { create } for pid=1 comm="init" name="wifi" scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { write } for pid=1 comm="init" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { write } for pid=1 comm="init" name="buffer_size_kb" dev="debugfs" ino=18061 scontext=u:r:init:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=file permissive=1 // Denials when system_server sets up fail-safe // (auto-terminate tracing if system_server dies) { search } for pid=882 comm="system_server" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { read } for pid=882 comm="system_server" name="free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=882 comm="system_server" path="/sys/kernel/debug/tracing/instances/wifi/free_buffer" dev="debugfs" ino=18063 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 // Denials when system_server toggles tracing on or off // (WifiStateMachine is a thread in system_server) { search } for pid=989 comm="WifiStateMachin" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { write } for pid=989 comm="WifiStateMachin" name="tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=989 comm="WifiStateMachin" path="/sys/kernel/debug/tracing/instances/wifi/tracing_on" dev="debugfs" ino=18067 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 // Denials when system_server reads the event trace // (This happens in response to a dumpsys request) { search } for pid=3537 comm="Binder:882_B" name="instances" dev="debugfs" ino=755 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_tracing_instances:s0 tclass=dir permissive=1 { read } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { open } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { getattr } for pid=3537 comm="Binder:882_B" path="/sys/kernel/debug/tracing/instances/wifi/trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 { write } for pid=3537 comm="Binder:882_B" name="trace" dev="debugfs" ino=18059 scontext=u:r:system_server:s0 tcontext=u:object_r:debugfs_wifi_tracing:s0 tclass=file permissive=1 Bug: 27254565 Test: manual Manual test: - Build this CL along with CL:322337 - Verify that system boots, and that we can connect to GoogleGuest. (Testing of actual trace functionality with require some more patches in frameworks/opt/net/wifi.) $ adb root && adb shell dmesg | egrep 'avc: denied.+debugfs' Change-Id: Ib6eb4116549277f85bd510d25fb30200f1752f4d
2016-05-17 15:32:04 -07:00
userdebug_or_eng(`
# Setup and control wifi event tracing (see wifi-events.rc)
allow init debugfs_tracing_instances:dir create_dir_perms;
allow init debugfs_tracing_instances:file w_file_perms;
allow init debugfs_wifi_tracing:file w_file_perms;
')
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# chown/chmod on pseudo files.
allow init fs_type:dir search We allow chmod/chown of files / directories by init, but don't allow init to search into subdirectories. Feels wrong. Addresses the following denial: avc: denied { search } for pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1 which results from the following init.rc statement: # pstore/ramoops previous console log mount pstore pstore /sys/fs/pstore chown system log /sys/fs/pstore/console-ramoops chmod 0440 /sys/fs/pstore/console-ramoops chown system log /sys/fs/pstore/pmsg-ramoops-0 chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 Bug: 19050686 Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
2015-02-06 13:29:25 -08:00
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# chown/chmod on devices.
/dev/port does not seem to be used, adding in rules to confirm. Only init and ueventd have any access to /dev/port, and neither should have any use for it. As it stands, leaving port in just represents additional attack surface with no useful functionality, so it should be removed if possible, not only from Pixel devices, but from all Android devices. Test: The phone boots successfully Bug:33301618 Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 15:11:29 -08:00
allow init { dev_type -kmem_device -port_device }:chr_file { read open setattr };
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 06:53:00 -07:00
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
remove syslog_* from unconfined As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
2014-05-28 13:48:52 -07:00
allow init kernel:system syslog_mod;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability2 syslog;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# Set usermodehelpers and /proc security settings.
Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 06:31:40 -08:00
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-24 20:43:07 -08:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Write to /proc/sys/kernel/panic_on_oops.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(init, proc)
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init proc:file w_file_perms;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(init, proc_net)
Revert /proc/net related changes Revert the tightening of /proc/net access. These changes are causing a lot of denials, and I want additional time to figure out a better solution. Addresses the following denials (and many more): avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file This reverts commit 0f0324cc826afb9beefda802d496befe823a081e and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 Bug: 9496886 Bug: 19034637 Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:28:40 -08:00
allow init proc_net:file w_file_perms;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability net_admin;
# Write to /proc/sysrq-trigger.
allow init proc_sysrq:file w_file_perms;
restrict access to timing information in /proc These APIs expose sensitive information via timing side channels. This leaves access via the adb shell intact along with the current uses by dumpstate, init and system_server. The /proc/interrupts and /proc/stat files were covered in this paper: https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/ The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are also relevant. Access to /proc has been greatly restricted since then, with untrusted apps no longer having direct access to these, but stricter restrictions beyond that would be quite useful. Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-07-29 11:48:19 -07:00
# Read /proc/stat for bootchart.
allow init proc_stat:file r_file_perms;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Reboot.
allow init self:capability sys_boot;
# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
allow init to read symlinks in sys avc: denied { read } for name="device" dev="sysfs" ino=36099 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_rmtfs:s0 tclass=lnk_file init is already allowed to read directories, this is an obvious omission. Change-Id: I5131a84bb67e73aaed235c3cbab95c365eaaa2f0
2016-05-10 11:25:33 -07:00
allow init sysfs_type:lnk_file read;
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow init sysfs_type:file rw_file_perms;
Create sysfs_zram label. Address following denials: avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 Bug: 22032619 Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 14:23:23 -08:00
refine /data/misc/logd rules Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa. Move misc_logd_file neverallow rule from domain.te to logd.te, since the goal of the neverallow rule is to protect logd / logpersist files from other processes. Switch the misc_logd_file neverallow rule from using "rw_file_perms" to "no_rw_file_perms". The latter covers more cases of file modifications. Add more neverallow rules covering misc_logd_file directories. Instead of using not_userdebug_nor_eng(), modify the rules to be consistent with other highly constrained file types such as keystore_data_file or vold_data_file. See, for example, https://android-review.googlesource.com/144768 To see the net effect of this change, you can use the following command line: sesearch --allow -t misc_logd_file -c file,dir,lnk_file \ out/target/product/bullhead/root/sepolicy Before this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open }; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file relabelto; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; After this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
2016-03-26 07:43:38 -07:00
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { open create read getattr setattr search };
allow init misc_logd_file:file { getattr };
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
# Support "adb shell stop"
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability kill;
Allows init to send signals. This will allow init to terminate services cleanly (SIGTERM, wait, SIGKILL) when needed. Bug: 26216447 Test: manual: init is able to send a SIGTERM signal without denials. Change-Id: Id2471ca08c0b011be64a36956628e965bc999bc6
2016-01-07 15:14:00 -08:00
allow init domain:process { sigkill signal };
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-08 23:28:52 -07:00
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
Directory for vold to store private data. Creates new directory at /data/misc/vold for storing key material on internal storage. Only vold should have access to this label. Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
2015-03-31 15:03:13 -07:00
# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };
remove shell_data_file from unconfined. Domains which want to access /data/local/tmp must do so by creating their own SELinux domain. Bug: 15164984 Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
2014-06-07 10:00:59 -07:00
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
init: Allow SETPCAP for dropping bounding set. This is required for https://android-review.googlesource.com/#/c/295748 so that init can drop the capability bounding set for services. Bug: 32438163 Test: With 295748 and a test service using ambient capabilities. Change-Id: I57788517cfe2ef0e7a2f1dfab94d0cb967ede065
2016-10-31 13:29:34 -07:00
# Set UID, GID, and adjust capability bounding set for services.
allow init self:capability { setuid setgid setpcap };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-04 21:40:22 -08:00
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 06:22:16 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;
# Create sockets for the services.
allow init domain:unix_stream_socket { create bind };
allow init domain:unix_dgram_socket { create bind };
Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 06:22:16 -07:00
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 07:09:35 -07:00
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 07:27:02 -07:00
# Set any property.
allow init property_type:property_service set;
init.te: allow creating kernel audit entries Allow init to send userspace generated SELinux denials to the kernel audit subsystem. Test: "setprop asdf asdf" from the unprivileged adb shell user generated an SELinux denial processed by logd. Bug: 27878170 Change-Id: I0ecd0601408bbda8227802c13689f98e507282d1
2017-01-03 08:47:17 -08:00
# Send an SELinux userspace denial to the kernel audit subsystem,
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
allow init self:capability audit_write;
unconfined: remove internet access Don't allow unconfined domains to access the internet. Restrict internet functionality to domains which explicitly declare their use. Removing internet access from unconfined domains helps protect daemons from network level attacks. In unconfined.te, expand out socket_class_set, and explicitly remove tcp_socket, udp_socket, rawip_socket, packet_socket, and appletalk_socket. Remove name_bind, node_bind and name_connect rules, since they only apply to internet accessible rules. Add limited udp support to init.te. This is needed to bring up the loopback interface at boot. Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-20 21:15:56 -07:00
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability net_raw;
unconfined: remove internet access Don't allow unconfined domains to access the internet. Restrict internet functionality to domains which explicitly declare their use. Removing internet access from unconfined domains helps protect daemons from network level attacks. In unconfined.te, expand out socket_class_set, and explicitly remove tcp_socket, udp_socket, rawip_socket, packet_socket, and appletalk_socket. Remove name_bind, node_bind and name_connect rules, since they only apply to internet accessible rules. Add limited udp support to init.te. This is needed to bring up the loopback interface at boot. Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-20 21:15:56 -07:00
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
allow init swapon() swapon(2) requires write access to the underlying block device. Allow it. Addresses the following denial: avc: denied { write } for pid=1 comm="init" name="zram0" dev="tmpfs" ino=6267 scontext=u:r:init:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0 Change-Id: Id1a4f51038d0b6ce7351294698a0ff146d6e4643
2014-10-20 11:52:19 -07:00
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 07:09:33 -07:00
# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;
# Create and access /dev files without a specific type,
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# e.g. /dev/.coldboot_done, /dev/.booting
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 07:09:33 -07:00
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;
# Access character devices without a specific type,
Auditing init and ueventd access to chr device files. It seems likely that there is no reason to keep around a number of devices that are configured to be included into the pixel kernels. Init and ueventd should be the only processes with r/w access to these devices, so auditallow rules have been added to ensure that they aren't actually used. /dev/keychord was given its own type since it's one of the few character devices that's actually legitimately used and would cause log spam in the auditallow otherwise. Bug: 33347297 Test: The phone boots without any apparent log spam. Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-09 14:57:03 -08:00
# TODO: Remove this access and auditallow (b/33347297)
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 07:09:33 -07:00
allow init device:chr_file { rw_file_perms setattr };
Auditing init and ueventd access to chr device files. It seems likely that there is no reason to keep around a number of devices that are configured to be included into the pixel kernels. Init and ueventd should be the only processes with r/w access to these devices, so auditallow rules have been added to ensure that they aren't actually used. /dev/keychord was given its own type since it's one of the few character devices that's actually legitimately used and would cause log spam in the auditallow otherwise. Bug: 33347297 Test: The phone boots without any apparent log spam. Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-09 14:57:03 -08:00
auditallow init device:chr_file { rw_file_perms setattr };
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 07:09:33 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# keychord configuration
allow init self:capability sys_tty_config;
Auditing init and ueventd access to chr device files. It seems likely that there is no reason to keep around a number of devices that are configured to be included into the pixel kernels. Init and ueventd should be the only processes with r/w access to these devices, so auditallow rules have been added to ensure that they aren't actually used. /dev/keychord was given its own type since it's one of the few character devices that's actually legitimately used and would cause log spam in the auditallow otherwise. Bug: 33347297 Test: The phone boots without any apparent log spam. Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-09 14:57:03 -08:00
allow init keychord_device:chr_file rw_file_perms;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
Allow init to set up dm-verity Allow init to 1. Access device mapper to set up dm-verity devices avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0 2. Access the metadata partition to load and store dm-verity state avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered by dm-verity avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0 These can be reproduced using the following steps: 1. Add fs_mgr flag verify to the system partition in fstab 2. Add a device specific init.rc handler for the init action that calls the built-in command verity_load_state. Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-04 16:55:29 -08:00
# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
init: allow to access console-ramoops with newer kernels Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has been integrated and requires syslog_read capability a process accessing console-ramoops file. sepolicy must be adapted to this new requirement. Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2 Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 07:27:23 -08:00
allow init kernel:system syslog_read;
Allow init to set up dm-verity Allow init to 1. Access device mapper to set up dm-verity devices avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0 2. Access the metadata partition to load and store dm-verity state avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered by dm-verity avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0 These can be reproduced using the following steps: 1. Add fs_mgr flag verify to the system partition in fstab 2. Add a device specific init.rc handler for the init action that calls the built-in command verity_load_state. Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-04 16:55:29 -08:00
Adding e4crypt support Add selinux rules to allow file level encryption to work Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-11 15:44:14 -07:00
# linux keyring configuration
allow init init:key { write search setattr };
Securely encrypt the master key Move all key management into vold Reuse vold's existing key management through the crypto footer to manage the device wide keys. Use ro.crypto.type flag to determine crypto type, which prevents any issues when running in block encrypted mode, as well as speeding up boot in block or no encryption. This is one of four changes to enable this functionality: https://android-review.googlesource.com/#/c/148586/ https://android-review.googlesource.com/#/c/148604/ https://android-review.googlesource.com/#/c/148606/ https://android-review.googlesource.com/#/c/148607/ Bug: 18151196 Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:06:29 -07:00
# Allow init to create /data/unencrypted
Adding e4crypt support Add selinux rules to allow file level encryption to work Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-11 15:44:14 -07:00
allow init unencrypted_data_file:dir create_dir_perms;
init.te: allow writting to /proc/sys/vm/overcommit_memory Since there is "write /proc/sys/vm/overcommit_memory 1" line in init.rc Change-Id: I5899d2802e7fa56b438a06d4cadb4eb6827bfe16 Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2016-07-06 17:24:01 -07:00
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
Adding e4crypt support Add selinux rules to allow file level encryption to work Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-11 15:44:14 -07:00
unix_socket_connect(init, vold, vold)
Allow init and vold writing misc block device. Bug: 27176738 Change-Id: Ib52bb94973d20591dd440cea42aadfa53d476848
2016-04-06 15:53:09 -07:00
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(init, system_file)
allow init proc_meminfo:file r_file_perms;
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 07:09:35 -07:00
###
### neverallow rules
###
init.te: fixup stale comment init switch from a setcon() based transition to an exec() based transition in bug 19702273. Fixup stale comment. Test: comment only change. Policy compiles. Bug: 19702273 Change-Id: I6e1b4b3680193453adafa8952a7ea343d2977505
2016-12-17 09:18:18 -08:00
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
neverallow domain init:process dyntransition;
init.te: fixup stale comment init switch from a setcon() based transition to an exec() based transition in bug 19702273. Fixup stale comment. Test: comment only change. Policy compiles. Bug: 19702273 Change-Id: I6e1b4b3680193453adafa8952a7ea343d2977505
2016-12-17 09:18:18 -08:00
neverallow { domain -kernel } init:process transition;
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
neverallow init { file_type fs_type -init_exec }:file entrypoint;
Prohibit reading of untrusted symlinks via neverallow. Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-02 14:05:44 -07:00
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 06:11:30 -07:00
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
neverallow service_manager / service_manager_type Init never uses / add service manager services. It doesn't make sense to allow these rules to init. Adding a rule of this type is typically caused by a process inappropriately running in init's SELinux domain, and the warning message: Warning! Service %s needs a SELinux domain defined; please fix! is ignored. In addition, add neverallow rules to domain.te which prevent nonsense SELinux service_manager rules from being added. Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
2015-07-14 11:46:30 -07:00
# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;
Add /data/local/tmp neverallow rules Add a neverallow rule (compile time assertion) for /data/local/tmp access. /data/local/tmp is intended entirely for the shell user, and it's dangerous for other SELinux domains to access it. See, for example, this commit from 2012: https://android.googlesource.com/platform/system/core/+/f3ef1271f225d9f00bb4ebb0573eb3e03829f9a8 Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe
2015-08-22 14:47:00 -07:00
# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
Reference in New Issue Copy Permalink