PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4f81c8771b
android_system_sepolicy/public/ueventd.te

77 lines
3.0 KiB
Plaintext
Raw Normal View History

SE Android policy.
2012-01-04 09:33:27 -08:00
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
2017-05-15 13:19:03 -07:00
type ueventd, domain;
Properly Treble-ize tmpfs access This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358 Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358 (cherry picked from commit e16fb9109c678f47aa7698605477d9a6baf398fb)
2019-01-23 15:07:40 -08:00
type ueventd_tmpfs, file_type;
Allow /dev/klog access, drop mknod and __null__ access Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file. Addresses the following denials: avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node. Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates it's own /dev/null device, so it's unnecessary for us to allow for it. Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete. Bug: 21242418 Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-06 07:42:37 -07:00
Simplify /dev/kmsg SELinux policy. Bug: http://b/30317429 Change-Id: I5c499c48d5e321ebdf588a162d29e949935ad8ee Test: adb shell dmesg | grep ueventd
2016-07-26 09:46:20 -07:00
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
Allow /dev/klog access, drop mknod and __null__ access Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg. These processes log to the kernel dmesg ring buffer, so they need write access to that file. Addresses the following denials: avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 These denials were triggered by the change in https://android-review.googlesource.com/151209 . Prior to that change, any code which called klog_init would (unnecessarily) create the device node themselves, rather than using the already existing device node. Drop special /dev/__null__ handling from watchdogd. As of https://android-review.googlesource.com/148288 , watchdogd no longer creates it's own /dev/null device, so it's unnecessary for us to allow for it. Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow only needed mknod to create /dev/__kmsg__, which is now obsolete. watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__, which again is now obsolete. Bug: 21242418 Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-06 07:42:37 -07:00
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-06 15:19:40 -07:00
allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b
2013-10-06 12:36:11 -07:00
allow ueventd device:file create_file_perms;
Auditing init and ueventd access to chr device files. It seems likely that there is no reason to keep around a number of devices that are configured to be included into the pixel kernels. Init and ueventd should be the only processes with r/w access to these devices, so auditallow rules have been added to ensure that they aren't actually used. /dev/keychord was given its own type since it's one of the few character devices that's actually legitimately used and would cause log spam in the auditallow otherwise. Bug: 33347297 Test: The phone boots without any apparent log spam. Change-Id: I3dd9557df8a9218b8c802e33ff549d15849216fb
2017-01-09 14:57:03 -08:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(ueventd, rootfs)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
# ueventd needs write access to files in /sys to regenerate uevents
allow ueventd sysfs_type:file w_file_perms;
r_dir_file(ueventd, sysfs_type)
allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b
2013-10-06 12:36:11 -07:00
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
allow ueventd dev_type:lnk_file { create unlink };
ueventd: allow getattr on blk and chr types. The commit: d41ad551189c1b7be26a1807980418858b2a132e fixes a race in coldboot. However, introduced a seperate bug where existing character files were being relabeled. The fix was to have ueventd ensure their was a delta between the old and new labels and only then call lsetfilecon(). To do this we call lgetfilecon() which calls lgetxattr(), this requires getattr permissions. This patch is void of any relabelfrom/to for ueventd on chr_file as those can be added as they occur. Bug: 29106809 Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-06-02 15:06:02 -07:00
allow ueventd dev_type:chr_file { getattr create setattr unlink };
allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
Start confining ueventd * Keep ueventd in permissive * Drop unconfined macro to collect logs * Restore allow rules to current NSA maintained policy Change-Id: Ic4ee8e24ccd8887fed151ae1e4f197512849f57b
2013-10-06 12:36:11 -07:00
allow ueventd efs_file:dir search;
allow ueventd efs_file:file r_file_perms;
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-01 17:17:12 -07:00
# Access for /vendor/ueventd.rc and /vendor/firmware
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
sepolicy: relabel /vendor The CL splits /vendor labeling from /system. Which was allowing all processes read, execute access to /vendor. Following directories will remain world readable /vendor/etc /vendor/lib(64)/hw/ Following are currently world readable but their scope will be minimized to platform processes that require access /vendor/app /vendor/framework/ /vendor/overlay Files labelled with 'same_process_hal_file' are allowed to be read + executed from by the world. This is for Same process HALs and their dependencies. Bug: 36527360 Bug: 36832490 Bug: 36681210 Bug: 36680116 Bug: 36690845 Bug: 36697328 Bug: 36696623 Bug: 36806861 Bug: 36656392 Bug: 36696623 Bug: 36792803 All of the tests were done on sailfish, angler, bullhead, dragon Test: Boot and connect to wifi Test: Run chrome and load websites, play video in youtube, load maps w/ current location, take pictures and record video in camera, playback recorded video. Test: Connect to BT headset and ensure BT audio playback works. Test: OTA sideload using recovery Test: CTS SELinuxHostTest pass Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-01 17:17:12 -07:00
file_context: explicitly label all file context files file_context files need to be explicitly labeled as they are now split across system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'file_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospFileContexts Change-Id: I603157e9fa7d1de3679d41e343de397631666273 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-24 15:02:13 -07:00
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
neverallow ueventd to set properties Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
2015-03-02 20:10:48 -08:00
ueventd: allow reading kernel cmdline This is needed when ueventd needs to read device tree files (/proc/device-tree). Prior to acccess, it tries to read "androidboot.android_dt_dir" from kernel cmdline for a custom Android DT path. Bug: 78613232 Test: boot a device without unknown SELinux denials Change-Id: Iff9c882b4fcad5e384757a1e42e4a1d1259bb574
2018-05-17 03:28:33 -07:00
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;
init is a dynamic executable init is now a dynamic executable. So it has to be able to execute the dynamic linker (/system/bin/linker) and shared libraries (e.g., /system/lib/libc.so). Furthermore, when in recovery mode, the files are all labeled as rootfs - because the recovery ramdisk does not support xattr, so files of type rootfs is allowed to be executed. Do the same for kernel and ueventd because they are executing the init executable. Bug: 63673171 Test: `adb reboot recovery; adb devices` shows the device ID Change-Id: Ic6225bb8e129a00771e1455e259ff28241b70396
2018-06-01 03:28:59 -07:00
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
recovery_only(`
allow ueventd rootfs:file { r_file_perms execute };
')
Suppress denial for ueventd to getattr From now on, linker will resolve dir.${section} paths of ld.config.txt. This is added to suppress SELinux denial during resolving /postinstall. Bug: http://b/80422611 Test: on taimen m -j, logcat | grep denied, atest on bionic/linker/tests Change-Id: I12c2bb76d71ae84055b5026933dcaa6ef2808590
2018-06-18 18:34:15 -07:00
# Suppress denials for ueventd to getattr /postinstall. This occurs when the
# linker tries to resolve paths in ld.config.txt.
dontaudit ueventd postinstall_mnt_dir:dir getattr;
Allow ueventd to insert modules avc: denied { sys_module } for comm="ueventd" capability=16 scontext=u:r:ueventd:s0 tcontext=u:r:ueventd:s0 tclass=capability avc: denied { module_load } for pid=581 comm="ueventd" path="/vendor/lib/modules/module.ko" dev="dm-2" ino=1381 scontext=u:r:ueventd:s0 tcontext=u:object_r:vendor_file:s0 tclass=system avc: denied { search } for pid=556 comm="ueventd" scontext=u:r:ueventd:s0 tcontext=u:r:kernel:s0 tclass=key Bug: 111916071 Test: ueventd can insert modules Change-Id: I2906495796c3655b5add19af8cf64458f753b891
2018-07-31 15:00:20 -07:00
# ueventd loads modules in response to modalias events.
allow ueventd self:global_capability_class_set sys_module;
allow ueventd vendor_file:system module_load;
allow ueventd kernel:key search;
neverallow ueventd to set properties Add a compile time assertion that no SELinux rules exist which allow ueventd to set properties, or even connect to the property socket. See https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 for details. Change-Id: Ia9e932a3d94443d70644b14f36c74df4be7e9e32
2015-03-02 20:10:48 -08:00
#####
##### neverallow rules
#####
# ueventd must never set properties, otherwise deadlocks may occur.
# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
# No writing to the property socket, connecting to init, or setting properties.
neverallow ueventd property_socket:sock_file write;
neverallow ueventd init:unix_stream_socket connectto;
neverallow ueventd property_type:property_service set;
ueventd: allow getattr on blk and chr types. The commit: d41ad551189c1b7be26a1807980418858b2a132e fixes a race in coldboot. However, introduced a seperate bug where existing character files were being relabeled. The fix was to have ueventd ensure their was a delta between the old and new labels and only then call lsetfilecon(). To do this we call lgetfilecon() which calls lgetxattr(), this requires getattr permissions. This patch is void of any relabelfrom/to for ueventd on chr_file as those can be added as they occur. Bug: 29106809 Change-Id: I84f60539252fc2b4a71cf01f78e3cadcfad443ef Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-06-02 15:06:02 -07:00
# Restrict ueventd access on block devices to maintenence operations.
neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
Remove kmem_device selinux type. kmem_device was used to label /dev/mem and /dev/kmem. We already have multiple layers of protection against those /dev nodes being present on devices. CTS checks that /dev/mem and /dev/kmem don't exist: https://android.googlesource.com/platform/cts/+/master/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java#233 VTS enforces our base kernel configs, which have CONFIG_DEVKMEM and CONFIG_DEVMEM disabled: https://android.googlesource.com/kernel/configs/+/master/android-4.9/android-base.config#2 Bug: 110962171 Test: m selinux_policy Change-Id: I246740684218dee0cddf81dabf84d4763a753cde
2018-11-13 17:55:06 -08:00
# Only relabelto as we would never want to relabelfrom port_device
neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
Strengthen ptrace neverallow rules Add additional compile time constraints on the ability to ptrace various sensitive domains. llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init. crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy. Test: policy compiles and device boots Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
2018-09-13 11:07:14 -07:00
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
Reference in New Issue Copy Permalink