PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
04b8a75c2f
android_system_sepolicy/recovery.te

89 lines
3.4 KiB
Plaintext
Raw Normal View History

Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 06:45:45 -08:00
# recovery console (used in recovery init.rc for /sbin/recovery)
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 06:45:45 -08:00
type recovery, domain;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 09:15:22 -07:00
allow recovery rootfs:file { entrypoint execute };
recovery: enable permissive_or_unconfined Switch from using unconfined_domain() to permissive_or_unconfined(). For user builds, or builds with FORCE_PERMISSIVE_TO_UNCONFINED=true, this is a no-op. For userdebug / eng builds, this will allow us to collect denials from /proc/last_kmsg. Change-Id: I41e1a206b2a3b0eee34539bfebfc5deee9e18a42
2014-05-31 08:07:39 -07:00
permissive_or_unconfined(recovery)
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 09:15:22 -07:00
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
Remove MAC capabilities from unconfined domains. Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 10:23:08 -08:00
Remove execute_no_trans from unconfineddomain. execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 06:07:17 -07:00
# Run helpers from / or /system without changing domain.
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# Mount filesystems.
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
allow recovery rootfs:dir mounton;
Restrict use of context= mount options. Prior to this change, the init and recovery domains were allowed unrestricted use of context= mount options to force all files within a given filesystem to be treated as having a security context specified at mount time. The context= mount option can be used in device-specific fstab.<board> files to assign a context to filesystems that do not support labeling such as vfat where the default label of sdcard_external is not appropriate (e.g. /firmware on hammerhead). Restrict the use of context= mount options to types marked with the contextmount_type attribute, and then remove write access from such types from unconfineddomain and prohibit write access to such types via neverallow. This ensures that the no write to /system restriction cannot be bypassed via context= mount. Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 10:05:38 -07:00
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
Add a domain for the recovery console. Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 06:45:45 -08:00
refine recovery domain. Make sure we have all necessary rules to modify system_file and exec_type. Allow writing to /proc/sys/vm/drop_caches and other proc files. Addresses denials like: avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file recovery is still in permissive_or_unconfined(), so no rules are being enforced. Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-04 23:43:03 -07:00
# Create and relabel files and directories under /system.
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 09:40:12 -07:00
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
# mistake.
# Allow this behavior for now until we can fix the underlying bug.
# b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
refine recovery domain. Make sure we have all necessary rules to modify system_file and exec_type. Allow writing to /proc/sys/vm/drop_caches and other proc files. Addresses denials like: avc: denied { getattr } for pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { read } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { open } for pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file avc: denied { remove_name } for pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { add_name } for pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir avc: denied { write } for pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file recovery is still in permissive_or_unconfined(), so no rules are being enforced. Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-04 23:43:03 -07:00
# Write to /proc/sys/vm/drop_caches
# TODO: create more specific label?
allow recovery proc:file w_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
Address recovery denials. [ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file [ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file [ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability [ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file [ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 09:15:22 -07:00
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
# Access /dev/android_adb.
allow recovery adb_device:chr_file rw_file_perms;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# Required to e.g. wipe userdata/cache.
recovery: Allow exec_type on dirs, read for /dev When applying a file based OTA, the recovery scripts sometimes transiently label a directory as an exec_type. This occurs on hammerhead when the OTA generation scripts generate lines of the form: set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0"); set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0"); which has the effect of transiently labeling the /system/vendor/bin directory as vss_exec. Allow this behavior for now, even though it's obviously a bug. Also, allow recovery to read through the /dev directory. Addresses the following denials: avc: denied { read } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { open } for pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir avc: denied { relabelto } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { getattr } for pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { setattr } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir avc: denied { relabelfrom } for pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir Bug: 15575013 Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 09:40:12 -07:00
allow recovery device:dir r_dir_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
allow recovery block_device:dir r_dir_perms;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
allow recovery dev_type:blk_file rw_file_perms;
Remove /system write from unconfined Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-20 11:09:16 -07:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# GUI
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 11:48:35 -07:00
allow recovery tty_device:chr_file rw_file_perms;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
Remove block device access from unconfined domains. Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 11:40:14 -08:00
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
# Manage files on /cache
allow recovery cache_file:dir create_dir_perms;
allow recovery cache_file:file create_file_perms;
# Reboot the device
allow recovery powerctl_prop:property_service set;
unix_socket_connect(recovery, property, init)
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
wakelock_use(recovery)
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 11:48:35 -07:00
recovery: don't use single quote single quotes make the m4 parser think it's at the end of a block, and generates the following compile time warning: external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720: Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
2014-06-09 20:35:51 -07:00
# This line seems suspect, as it should not really need to
Refine recovery domain. Addresses the following denials: avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 11:48:35 -07:00
# set scheduling parameters for a kernel domain task.
More recovery rules Better refine the rules surrounding the recovery SELinux domain, and get rid of dmesg log spam. Recovery is still in permissive_or_unconfined(), so no expected change in behavior. Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-03 16:16:21 -07:00
allow recovery kernel:process setsched;
Create a separate recovery policy. Create a separate recovery policy and only include the recovery domain allow rules in it. Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 13:40:15 -07:00
')
Reference in New Issue Copy Permalink