PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3ba2d46616
android_system_sepolicy/init.te

352 lines
11 KiB
Plaintext
Raw Normal View History

Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
# init is its own domain.
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 09:54:39 -08:00
type init, domain, domain_deprecated, mlstrustedsubject;
SE Android policy.
2012-01-04 09:33:27 -08:00
tmpfs_domain(init)
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
2013-07-10 14:46:05 -07:00
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file create_file_perms;
#
# init direct restorecon calls.
#
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/__properties__
Support fine grain read access control for properties Properties are now broken up from a single /dev/__properties__ file into multiple files, one per property label. This commit provides the mechanism to control read access to each of these files and therefore sets of properties. This allows full access for all domains to each of these new property files to match the current permissions of /dev/__properties__. Future commits will restrict the access. Bug: 21852512 Change-Id: Ie9e43968acc7ac3b88e354a0bdfac75b8a710094
2015-12-01 16:58:27 -08:00
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# setrlimit
allow init self:capability sys_resource;
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;
# Access pty created for fsck.
allow init devpts:chr_file { read write open };
# Create /dev/fscklogs files.
allow init fscklogs:file create_file_perms;
# Access /dev/__null__ node created prior to initial policy load.
allow init tmpfs:chr_file write;
# Access /dev/console.
allow init console_device:chr_file rw_file_perms;
# Access /dev/tty0.
allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
allow init self:capability sys_admin;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
Allow init to mount filesystems on properly labeled folders Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
2015-07-23 21:01:13 -07:00
allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
init: allow rootfs symlink removal On the Nexus 9, init.rc creates the /vendor -> /system/vendor symlink, then a bit later removes the symlink, creates a proper directory, and mounts /vendor on the directory. The current permissive SELinux policy doesn't allow init to remove the /vendor symlink, which eventually causes the following errors: avc: denied { unlink } for pid=136 comm="init" name="vendor" dev="rootfs" ino=6454 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=lnk_file permissive=1 fs_mgr: Failed to mount an un-encryptable or wiped partition on/dev/block/platform/sdhci-tegra.3/by-name/VNR at /vendor options: (null) error: Too many symbolic links encountered There was an attempt to reorder some of these operations so we didn't have to create / delete the symlink, but it doesn't seem to have gone well. https://android.googlesource.com/platform/system/core/+/f67d6bd3c0fb41d167c675b9d2b5d377b6f38a74 Change-Id: I4d01661d4228e44e18465fe16ce4a70fe2a83042
2014-12-23 17:08:58 -08:00
# Create and remove symlinks in /.
allow init rootfs:lnk_file { create unlink };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Mount debugfs on /sys/kernel/debug.
allow init sysfs:dir mounton;
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms;
allow init cpuctl_device:dir { create mounton };
allow init tmpfs:dir relabelfrom When encrypting a device, or when an encrypted device boots, a tmpfs is mounted in place of /data, so that a pseudo filesystem exists to start system_server and related components. SELinux labels need to be applied to that tmpfs /data so the system boots properly. Allow init to relabel a tmpfs /data. Addresses the following denial: [ 6.294896] type=1400 audit(29413651.850:4): avc: denied { relabelfrom } for pid=1 comm="init" name="/" dev="tmpfs" ino=6360 scontext=u:r:init:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir Steps to reproduce: 1) Go into Settings > Security > Encrypt Phone 2) Encrypt phone 3) See denial 4) reboot phone 5) See denial on boot Bug: 19050686 Change-Id: Ie57864fe1079d9164d5cfea44683a97498598e41
2015-02-27 14:54:40 -08:00
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Create directories under /dev/cpuctl after chowning it to system.
allow init self:capability dac_override;
# Set system clock.
allow init self:capability sys_time;
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-10 13:31:04 -08:00
allow init self:capability { sys_rawio mknod };
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 06:11:30 -07:00
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# Mounting filesystems.
Restrict use of context= mount options. Prior to this change, the init and recovery domains were allowed unrestricted use of context= mount options to force all files within a given filesystem to be treated as having a security context specified at mount time. The context= mount option can be used in device-specific fstab.<board> files to assign a context to filesystems that do not support labeling such as vfat where the default label of sdcard_external is not appropriate (e.g. /firmware on hammerhead). Restrict the use of context= mount options to types marked with the contextmount_type attribute, and then remove write access from such types from unconfineddomain and prohibit write access to such types via neverallow. This ensures that the no write to /system restriction cannot be bypassed via context= mount. Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 10:05:38 -07:00
# Only allow relabelto for types used in context= mount options,
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
# Allow read-only access to context= mounted filesystems.
allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
New postinstall domain and rules to run post-install program. When using the A/B updater, a device specific hook is sometimes needed to run after the new partitions are updated but before rebooting into the new image. This hook is referred to throughout the code as the "postinstall" step. This patch creates a new execution domain "postinstall" which update_engine will use to run said hook. Since the hook needs to run from the new image (namelly, slot "B"), update_engine needs to temporarly mount this B partition into /postinstall and then run a program from there. Since the new program in B runs from the old execution context in A, we can't rely on the labels set in the xattr in the new filesystem to enforce the policies baked into the old running image. Instead, when temporarily mounting the new filesystem in update_engine, we override all the new file attributes with the new postinstall_file type by passing "context=u:object_r:postinstall_file:s0" to the mount syscall. This allows us to set new rules specific to the postinstall environment that are consistent with the rules in the old system. Bug: 27177071 TEST=Deployed a payload with a trivial postinstall script to edison-eng. Change-Id: Ib06fab92afb45edaec3c9c9872304dc9386151b4
2016-03-01 16:14:45 -08:00
# restorecon /adb_keys or any other rootfs files and directories to a more
# specific type.
allow init rootfs:{ dir file } relabelfrom;
Allow init to relabel rootfs files. This is required for the restorecon /adb_keys in init.rc or for any other relabeling of rootfs files to more specific types on kernels that support setting security contexts on rootfs inodes. Addresses denials such as: avc: denied { relabelfrom } for comm="init" name="adb_keys" dev="rootfs" ino=1917 scontext=u:r:init:s0 tcontext=u:object_r:rootfs:s0 tclass=file permissive=0 We do not need to prohibit relabelfrom of such files because our goal is to prevent writing to executable files, while relabeling the file to another type will take it to a non-executable (or non-writable) type. In contrast, relabelto must be prohibited by neverallow so that a modified file in a writable type cannot be made executable. Change-Id: I7595f615beaaa6fa524f3c32041918e197bfbebe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 06:17:51 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability { chown fowner fsetid };
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
allow init {
file_type
-system_file
-exec_type
-app_data_file
init: keep init out of system_app sandboxes Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:53:29 -08:00
-system_app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
}:dir { create search getattr open read setattr ioctl };
allow init {
file_type
-system_file
-exec_type
-keystore_data_file
-app_data_file
init: keep init out of system_app sandboxes Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:53:29 -08:00
-system_app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
-vold_data_file
-misc_logd_file
}:dir { write add_name remove_name rmdir relabelfrom };
allow init {
file_type
-system_file
-exec_type
-keystore_data_file
-app_data_file
init: keep init out of system_app sandboxes Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:53:29 -08:00
-system_app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
-vold_data_file
-misc_logd_file
}:file { create getattr open read write setattr relabelfrom unlink };
allow init {
file_type
-system_file
-exec_type
-keystore_data_file
-app_data_file
init: keep init out of system_app sandboxes Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:53:29 -08:00
-system_app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
-vold_data_file
-misc_logd_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {
file_type
-system_file
-exec_type
-keystore_data_file
-app_data_file
init: keep init out of system_app sandboxes Change-Id: Idaf59ab51f7873d4d75969c5f4e62b5fbf608ef5 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:53:29 -08:00
-system_app_data_file
init: avoid lengthy allow rules Some of the init allow rules were well passed 100 characters and were difficult to read. Format them to use the one-per-line set subtraction format as seen in other locations within sepolicy. Change-Id: Ifeeb3a8a81c4c19bfb1e56e7f2493f817e896eaf Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-03-01 10:47:40 -08:00
-shell_data_file
-vold_data_file
-misc_logd_file
}:lnk_file { create getattr setattr relabelfrom unlink };
Remove /system write from unconfined Don't allow writes to /system from unconfined domains. /system is always mounted read-only, and no process should ever need to write there. Allow recovery to write to /system. This is needed to apply OTA images. Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-20 11:09:16 -07:00
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
Add initial debugfs labeling support and label /sys/kernel/debug/tracing/trace_marker Add initial support for labeling files on /sys/kernel/debug. The kernel support was added in https://android-review.googlesource.com/122130 but the userspace portion of the change was never completed until now. Start labeling the file /sys/kernel/debug/tracing/trace_marker . This is the trace_marker file, which is written to by almost all processes in Android. Allow global write access to this file. This change should be submitted at the same time as the system/core commit with the same Change-Id as this patch. Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
2015-12-07 17:02:31 -08:00
allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
init.te: allow writing to /sys/kernel/debug/tracing/tracing_on Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc Also allow shell getattr access to the tracing file. That way "ls -la" returns something meaningful. Bug: 26217098 Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
2015-12-16 12:50:06 -08:00
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow init debugfs_tracing:file w_file_perms;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# chown/chmod on pseudo files.
allow init fs_type:dir search We allow chmod/chown of files / directories by init, but don't allow init to search into subdirectories. Feels wrong. Addresses the following denial: avc: denied { search } for pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1 which results from the following init.rc statement: # pstore/ramoops previous console log mount pstore pstore /sys/fs/pstore chown system log /sys/fs/pstore/console-ramoops chmod 0440 /sys/fs/pstore/console-ramoops chown system log /sys/fs/pstore/pmsg-ramoops-0 chmod 0440 /sys/fs/pstore/pmsg-ramoops-0 Bug: 19050686 Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
2015-02-06 13:29:25 -08:00
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# chown/chmod on devices.
Allow init to chown/chmod character devices. init.rc files can potentially chown/chmod any character device, so allow it for everything except for kmem (prohibited by neverallow). While we could whitelist each of the device types, doing so would also require device-specific changes for the device-specific types and may be difficult to maintain. Resolves (permissive) denials such as: avc: denied { read } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1 avc: denied { open } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1 avc: denied { setattr } for pid=1 comm="init" name="ttySAC0" dev="tmpfs" ino=4208 scontext=u:r:init:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1 avc: denied { read } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { open } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=6181 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file avc: denied { read } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file avc: denied { open } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file avc: denied { setattr } for pid=1 comm="init" name="wcnss_wlan" dev="tmpfs" ino=7475 scontext=u:r:init:s0 tcontext=u:object_r:wlan_device:s0 tclass=chr_file Change-Id: If8d14e9e434fab645d43db12cc1bdbfd3fc5d354 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-11-10 09:15:33 -08:00
allow init { dev_type -kmem_device }:chr_file { read open setattr };
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
Explictly allow init and kernel unlabeled access. These permissions are already allowed indirectly via unconfineddomain and via domain, but ultimately we plan to remove them from those two attributes. Explicitly allow the ones we expect to be required, matching the complement of the auditallow rules in domain.te. Change-Id: I43edca89d59c159b97d49932239f8952a848031c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 06:53:00 -07:00
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
remove syslog_* from unconfined As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4
2014-05-28 13:48:52 -07:00
allow init kernel:system syslog_mod;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability2 syslog;
Clean up kernel, init, and recovery domains. Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 11:35:55 -07:00
# Set usermodehelpers and /proc security settings.
Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-06 06:31:40 -08:00
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-24 20:43:07 -08:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Write to /proc/sys/kernel/panic_on_oops.
allow init proc:file w_file_perms;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
Revert /proc/net related changes Revert the tightening of /proc/net access. These changes are causing a lot of denials, and I want additional time to figure out a better solution. Addresses the following denials (and many more): avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file This reverts commit 0f0324cc826afb9beefda802d496befe823a081e and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 Bug: 9496886 Bug: 19034637 Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:28:40 -08:00
allow init proc_net:file w_file_perms;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability net_admin;
# Write to /proc/sysrq-trigger.
allow init proc_sysrq:file w_file_perms;
# Reboot.
allow init self:capability sys_boot;
# Write to sysfs nodes.
allow init sysfs_type:dir r_dir_perms;
allow init to read symlinks in sys avc: denied { read } for name="device" dev="sysfs" ino=36099 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_rmtfs:s0 tclass=lnk_file init is already allowed to read directories, this is an obvious omission. Change-Id: I5131a84bb67e73aaed235c3cbab95c365eaaa2f0
2016-05-10 11:25:33 -07:00
allow init sysfs_type:lnk_file read;
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init sysfs_type:file w_file_perms;
Create sysfs_zram label. Address following denials: avc: denied { getattr } for path="/sys/devices/virtual/block/zram0/disksize" dev="sysfs" ino=14958 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { search } for name="zram0" dev="sysfs" ino=14903 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { read } for name="mem_used_total" dev="sysfs" ino=14970 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { write } for name="uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { open } for path="/sys/devices/virtual/block/zram0/uevent" dev="sysfs" ino=14904 scontext=u:r:ueventd:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=file permissive=0 avc: denied { read } for pid=348 comm="vold" name="zram0" dev="sysfs" ino=15223 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 avc: denied { search } for pid=3494 comm="ContactsProvide" name="zram0"dev="sysfs" ino=15223 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_zram:s0 tclass=dir permissive=0 Bug: 22032619 Change-Id: I40cf918b7cafdba6cb3d42b04b1616a84e4ce158
2016-01-04 14:23:23 -08:00
# disksize
allow init sysfs_zram:file getattr;
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-24 20:43:07 -08:00
# Transitions to seclabel processes in init.rc
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
Allow init to execute /sbin/slideshow Add rules to allow /sbin/slideshow to access framebuffer and input devices at early stages of boot, and rules to allow init to execute the program (from init.rc using exec). Needed by changes from I58c79a7f3ac747eec0d73a10f018d3d8ade9df7d Change-Id: I1d5018feb7025853f0bf81651f497fef8c3a6ab0
2015-02-18 05:59:38 -08:00
domain_trans(init, rootfs, slideshow)
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
recovery_only(`
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
logd: logpersistd - Enable logpersistd to write to /data/misc/logd - Enable logpersistd to read from pstore to help complete any content lost by reboot disruption - Enable shell readonly ability logpersistd files in /data/misc/logd - Enable logcat -f when placed into logd context to act as a logpersistd (nee logcatd) agent, restrict access to run only in userdebug or eng Bug: 19608716 Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-05-26 15:12:45 -07:00
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logd)
')
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
refine /data/misc/logd rules Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa. Move misc_logd_file neverallow rule from domain.te to logd.te, since the goal of the neverallow rule is to protect logd / logpersist files from other processes. Switch the misc_logd_file neverallow rule from using "rw_file_perms" to "no_rw_file_perms". The latter covers more cases of file modifications. Add more neverallow rules covering misc_logd_file directories. Instead of using not_userdebug_nor_eng(), modify the rules to be consistent with other highly constrained file types such as keystore_data_file or vold_data_file. See, for example, https://android-review.googlesource.com/144768 To see the net effect of this change, you can use the following command line: sesearch --allow -t misc_logd_file -c file,dir,lnk_file \ out/target/product/bullhead/root/sepolicy Before this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open }; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file relabelto; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; After this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
2016-03-26 07:43:38 -07:00
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
allow init misc_logd_file:dir { open create read getattr setattr search };
allow init misc_logd_file:file { getattr };
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
# Support "adb shell stop"
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability kill;
Allows init to send signals. This will allow init to terminate services cleanly (SIGTERM, wait, SIGKILL) when needed. Bug: 26216447 Test: manual: init is able to send a SIGTERM signal without denials. Change-Id: Id2471ca08c0b011be64a36956628e965bc999bc6
2016-01-07 15:14:00 -08:00
allow init domain:process { sigkill signal };
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf
2014-05-08 23:28:52 -07:00
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
Directory for vold to store private data. Creates new directory at /data/misc/vold for storing key material on internal storage. Only vold should have access to this label. Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
2015-03-31 15:03:13 -07:00
# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };
remove shell_data_file from unconfined. Domains which want to access /data/local/tmp must do so by creating their own SELinux domain. Bug: 15164984 Change-Id: I0061129c64e659c552cf6565058b0786fba59ae0
2014-06-07 10:00:59 -07:00
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Set UID and GID for services.
allow init self:capability { setuid setgid };
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-04 21:40:22 -08:00
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
# to different domains.
r_dir_file(init, domain)
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };
Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 06:22:16 -07:00
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# Perform SELinux access checks on setting properties.
selinux_check_access(init)
# Ask the kernel for the new context on services to label their sockets.
allow init kernel:security compute_create;
# Create sockets for the services.
allow init domain:unix_stream_socket { create bind };
allow init domain:unix_dgram_socket { create bind };
Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 06:22:16 -07:00
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 07:09:35 -07:00
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 07:27:02 -07:00
# Set any property.
allow init property_type:property_service set;
unconfined: remove internet access Don't allow unconfined domains to access the internet. Restrict internet functionality to domains which explicitly declare their use. Removing internet access from unconfined domains helps protect daemons from network level attacks. In unconfined.te, expand out socket_class_set, and explicitly remove tcp_socket, udp_socket, rawip_socket, packet_socket, and appletalk_socket. Remove name_bind, node_bind and name_connect rules, since they only apply to internet accessible rules. Add limited udp support to init.te. This is needed to bring up the loopback interface at boot. Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-20 21:15:56 -07:00
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
allow init self:capability net_raw;
unconfined: remove internet access Don't allow unconfined domains to access the internet. Restrict internet functionality to domains which explicitly declare their use. Removing internet access from unconfined domains helps protect daemons from network level attacks. In unconfined.te, expand out socket_class_set, and explicitly remove tcp_socket, udp_socket, rawip_socket, packet_socket, and appletalk_socket. Remove name_bind, node_bind and name_connect rules, since they only apply to internet accessible rules. Add limited udp support to init.te. This is needed to bring up the loopback interface at boot. Change-Id: If756f3fed857f11e63a6c3a1a13263c57fdf930a
2014-06-20 21:15:56 -07:00
Remove domain:process from unconfined Prune down unconfined so it doesn't allow process access to all other domains. Use domain_trans() for transitions to seclabeled domains. Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-03 22:13:14 -07:00
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow init kernel:process setsched;
allow init swapon() swapon(2) requires write access to the underlying block device. Allow it. Addresses the following denial: avc: denied { write } for pid=1 comm="init" name="zram0" dev="tmpfs" ino=6267 scontext=u:r:init:s0 tcontext=u:object_r:swap_block_device:s0 tclass=blk_file permissive=0 Change-Id: Id1a4f51038d0b6ce7351294698a0ff146d6e4643
2014-10-20 11:52:19 -07:00
# swapon() needs write access to swap device
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 07:09:33 -07:00
# Read from /dev/hw_random if present.
# system/core/init/init.c - mix_hwrng_into_linux_rng_action
allow init hw_random_device:chr_file r_file_perms;
# Create and access /dev files without a specific type,
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# e.g. /dev/.coldboot_done, /dev/.booting
Remove -unconfineddomain from neverallow rules. With the sepolicy-analyze neverallow checking, attribute expansion is performed against the device policy and therefore we do not want our neverallow rules to exempt domains from consideration based on an attribute (e.g. -unconfineddomain). Otherwise, device policy could pass the neverallow check just by adding more domains to unconfineddomain. We could of course add a CTS test to check the list of unconfineddomains against a whitelist, but it seems desirable regardless to narrow these neverallow rules to only the specific domains required. There are three such neverallow rules in current policy: one on creating unlabeled files, one on accessing /dev/hw_random, and one on accessing a character device without a specific type. The only domain in unconfineddomain that appears to have a legitimate need for any of these permissions is the init domain. Replace -unconfineddomain with -init in these neverallow rules, exclude these permissions from unconfineddomain, and add these permissions to init if not already explicitly allowed. auditallow accesses by init to files and character devices left in the generic device type so we can monitor what is being left there, although it is not necessarily a problem unless the file or device should be accessible to others. Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 07:09:33 -07:00
# TODO: Move these files into their own type unless they are
# only ever accessed by init.
allow init device:file create_file_perms;
# Access character devices without a specific type,
# e.g. /dev/keychord.
# TODO: Move these devices into their own type unless they
# are only ever accessed by init.
allow init device:chr_file { rw_file_perms setattr };
Switch kernel and init to permissive_or_unconfined(). Switch the kernel and init domains from unconfined_domain() to permissive_or_unconfined() so that we can start collecting and addressing denials in -userdebug/-eng builds. Also begin to address denials for kernel and init seen after making this switch. I intentionally did not allow the following denials on hammerhead: avc: denied { create } for pid=1 comm="init" name="memory.move_charge_at_immigrate" scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file avc: denied { open } for pid=1 comm="init" name="memory.move_charge_at_immigrate" dev="tmpfs" ino=6550 scontext=u:r:init:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file These occur when init.rc does: write /sys/fs/cgroup/memory/memory.move_charge_at_immigrate 1 because the prior command to mount the cgroup failed: mount cgroup none /sys/fs/cgroup/memory memory I think this is because that cgroup is not enabled in the kernel configuration. If the cgroup mount succeeded, then this would have been a write to a cgroup:file and would have been allowed already. Change-Id: I9d7e31bef6ea91435716aa4312c721fbeaeb69c0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-24 12:56:15 -07:00
# keychord configuration
allow init self:capability sys_tty_config;
Allow init to set up dm-verity Allow init to 1. Access device mapper to set up dm-verity devices avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0 2. Access the metadata partition to load and store dm-verity state avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered by dm-verity avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0 These can be reproduced using the following steps: 1. Add fs_mgr flag verify to the system partition in fstab 2. Add a device specific init.rc handler for the init action that calls the built-in command verity_load_state. Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-04 16:55:29 -08:00
# Access device mapper for setting up dm-verity
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
# Read /sys/fs/pstore/console-ramoops to detect restarts caused
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
init: allow to access console-ramoops with newer kernels Since linux 3.18, commit 68c4a4f8abc60c9440ede9cd123d48b78325f7a3 has been integrated and requires syslog_read capability a process accessing console-ramoops file. sepolicy must be adapted to this new requirement. Change-Id: Ib4032a6bd96b1828a0154edc8fb510e3c1d3bdc2 Signed-off-by: Sylvain Chouleur <sylvain.chouleur@intel.com>
2016-01-27 07:27:23 -08:00
allow init kernel:system syslog_read;
Allow init to set up dm-verity Allow init to 1. Access device mapper to set up dm-verity devices avc: denied { write } for pid=156 comm="init" name="device-mapper" dev="tmpfs" ino=6229 scontext=u:r:init:s0 tcontext=u:object_r:dm_device:s0 tclass=chr_file permissive=0 2. Access the metadata partition to load and store dm-verity state avc: denied { write } for pid=1 comm="init" name="mmcblk0p25" dev="tmpfs" ino=6408 scontext=u:r:init:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0 3. Read /sys/fs/pstore/console-ramoops to detect restarts triggered by dm-verity avc: denied { getattr } for pid=1 comm="init" path="/sys/fs/pstore/console-ramoops" dev="pstore" ino=9911 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=file permissive=0 These can be reproduced using the following steps: 1. Add fs_mgr flag verify to the system partition in fstab 2. Add a device specific init.rc handler for the init action that calls the built-in command verity_load_state. Change-Id: Id8790ae4b204ca66e671eefd3820d649f1d1e7ba
2015-03-04 16:55:29 -08:00
Adding e4crypt support Add selinux rules to allow file level encryption to work Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-11 15:44:14 -07:00
# linux keyring configuration
allow init init:key { write search setattr };
Securely encrypt the master key Move all key management into vold Reuse vold's existing key management through the crypto footer to manage the device wide keys. Use ro.crypto.type flag to determine crypto type, which prevents any issues when running in block encrypted mode, as well as speeding up boot in block or no encryption. This is one of four changes to enable this functionality: https://android-review.googlesource.com/#/c/148586/ https://android-review.googlesource.com/#/c/148604/ https://android-review.googlesource.com/#/c/148606/ https://android-review.googlesource.com/#/c/148607/ Bug: 18151196 Change-Id: I3208b76147df9da83d34cf9034675b0689b6c3a5
2015-04-28 15:06:29 -07:00
# Allow init to create /data/unencrypted
Adding e4crypt support Add selinux rules to allow file level encryption to work Change-Id: I1e4bba23e99cf5b2624a7df843688fba6f3c3209
2015-03-11 15:44:14 -07:00
allow init unencrypted_data_file:dir create_dir_perms;
unix_socket_connect(init, vold, vold)
Prevent adding transitions to kernel or init domains. Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-18 07:09:35 -07:00
###
### neverallow rules
###
# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
Revert "Revert "SELinux policy changes for re-execing init."" This reverts commit c450759e8e67caa7a77ca078b1478b018a9b848b. There was nothing wrong with this change originally --- the companion change in init was broken. Bug: http://b/19702273 Change-Id: I9d806f6ac251734a61aa90c0741bec7118ea0387
2015-04-24 11:38:10 -07:00
neverallow domain init:process dyntransition;
neverallow { domain -kernel} init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
Prohibit reading of untrusted symlinks via neverallow. Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-02 14:05:44 -07:00
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init app_data_file:lnk_file read;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 06:11:30 -07:00
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
neverallow service_manager / service_manager_type Init never uses / add service manager services. It doesn't make sense to allow these rules to init. Adding a rule of this type is typically caused by a process inappropriately running in init's SELinux domain, and the warning message: Warning! Service %s needs a SELinux domain defined; please fix! is ignored. In addition, add neverallow rules to domain.te which prevent nonsense SELinux service_manager rules from being added. Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
2015-07-14 11:46:30 -07:00
# Init never adds or uses services via service_manager.
neverallow init service_manager_type:service_manager { add find };
neverallow init servicemanager:service_manager list;
Add /data/local/tmp neverallow rules Add a neverallow rule (compile time assertion) for /data/local/tmp access. /data/local/tmp is intended entirely for the shell user, and it's dangerous for other SELinux domains to access it. See, for example, this commit from 2012: https://android.googlesource.com/platform/system/core/+/f3ef1271f225d9f00bb4ebb0573eb3e03829f9a8 Change-Id: I5a7928ae2b51a574fad4e572b09e60e05b121cfe
2015-08-22 14:47:00 -07:00
# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
Reference in New Issue Copy Permalink