PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
51cc740ca8
android_system_sepolicy/public/wificond.te

45 lines
1.5 KiB
Plaintext
Raw Normal View History

Sepolicy files for wificond This sepolicy change allows wificond to run as a deamon. BUG=28865186 TEST=compile TEST=compile with ag/1059605 Add wificond to '/target/product/base.mk' Adb shell ps -A | grep 'wificond' Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d (cherry picked from commit 4ef44a616ee5888023e5c53bbc2c4df6549f748a)
2016-05-19 19:31:20 -07:00
# wificond
type wificond, domain;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 10:21:37 -07:00
type wificond_exec, system_file_type, exec_type, file_type;
Sepolicy files for wificond This sepolicy change allows wificond to run as a deamon. BUG=28865186 TEST=compile TEST=compile with ag/1059605 Add wificond to '/target/product/base.mk' Adb shell ps -A | grep 'wificond' Change-Id: If1e4a8542ac03e8ae42371d75aa46b90c3d8545d (cherry picked from commit 4ef44a616ee5888023e5c53bbc2c4df6549f748a)
2016-05-19 19:31:20 -07:00
sepolicy: add sepolicy binder support for wificond This allows wificond to publish binder interface using service manager. Denial warnings: wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1 servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1 SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1 BUG=28867093 TEST=compile TEST=use a client to call wificond service through binder Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f (cherry picked from commit d56bcb1c5452c8dcdda7e4ef5d0f44b91b6bb08b)
2016-06-03 10:08:56 -07:00
binder_use(wificond)
binder_call(wificond, system_server)
sepolicy(wifi): Allow keystore-wificond communication Denial log: 1. 10-30 11:02:50.279 wifi 1119 1119 W HwBinder:1119_1: type=1400 audit(0.0:113): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:keystore:s0 tclass=binder permissive=0 2. 01-15 16:24:04.214 W/keystore( 1007): type=1400 audit(0.0:109): avc: denied { call } for scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0 3. 01-16 12:11:19.704 W/keystore( 1021): type=1400 audit(0.0:163): avc: denied { transfer } for scontext=u:r:keystore:s0 tcontext=u:r:wificond:s0 tclass=binder permissive=0 Bug: 143638513 Bug: 145310496 Test: Installed CA and wifi certificates and connects to enterprise network. No selinux denial seen from wificond and keystore. Change-Id: I9727add13844b1ff1875e493b777e3a294e00ffa
2020-01-16 10:17:20 -08:00
binder_call(wificond, keystore)
sepolicy: add sepolicy binder support for wificond This allows wificond to publish binder interface using service manager. Denial warnings: wificond: type=1400 audit(0.0:8): avc: denied { call } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 wificond: type=1400 audit(0.0:9): avc: denied { transfer } for scontext=u:r:wificond:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 servicemanager: type=1400 audit(0.0:10): avc: denied { search } for name="6085" dev="proc" ino=40626 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=dir permissive=1 servicemanager: type=1400 audit(0.0:11): avc: denied { read } for name="current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:12): avc: denied { open } for path="/proc/6085/attr/current" dev="proc" ino=40641 scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=file permissive=1 servicemanager: type=1400 audit(0.0:13): avc: denied { getattr } for scontext=u:r:servicemanager:s0 tcontext=u:r:wificond:s0 tclass=process permissive=1 SELinux : avc: denied { add } for service=wificond pid=6085 uid=0 scontext=u:r:wificond:s0 tcontext=u:object_r:wifi_service:s0 tclass=service_manager permissive=1 BUG=28867093 TEST=compile TEST=use a client to call wificond service through binder Change-Id: I9312892caff171f17b04c30a415c07036b39ea7f (cherry picked from commit d56bcb1c5452c8dcdda7e4ef5d0f44b91b6bb08b)
2016-06-03 10:08:56 -07:00
DO NOT MERGE Add fake 30.0 prebuilts This prebuilt is based on the AOSP policy, but slightly manipulated so that the set of types and attributes are identical with R policy. Following types are removed. boot_status_prop dalvik_config_prop gnss_device surfaceflinger_color_prop surfaceflinger_prop systemsound_config_prop vold_config_prop vold_status_prop Following type is renamed. wificond_service -> wifinl80211_service Bug: 153661471 Test: N/A Change-Id: I018d5e43f53c2bf721db1d13f5f4be42b9782b29
2020-05-07 03:14:36 -07:00
add_service(wificond, wifinl80211_service)
SEPolicy for Netlink Interceptor Make Netlink Interceptor work when SELinux is enforcing Test: Netlink Interceptor HAL comes up and works Bug: 194683902 Change-Id: I3afc7ae04eba82f2f6385b66ddd5f4a8310dff88
2021-10-05 16:53:52 -07:00
hal_client_domain(wificond, hal_nlinterceptor)
Define explicit label for wlan sysfs fwpath avc: denied { write } for name="fwpath" dev="sysfs" ino=6863 scontext=u:r:wificond:s0 tcontext=u:object_r:sysfs_wlan_fwpath:s0 tclass=file permissive=0 Test: wificond and netd can write to this path, wifi works Test: `runtest frameworks-wifi` passes Bug: 29579539 Change-Id: Ia21c654b00b09b9fe3e50d564b82966c9c8e6994 (cherry picked from commit 7d13dd806f37523ba8164325fef9b000d6eacd7c)
2016-06-30 14:23:12 -07:00
Allow wificond to mark interfaces up and down avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0 avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=0 avc: denied { read } for name="psched" dev="proc" ino=4026535377 scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 Test: fixes above avc denials Bug: 29579539 Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b (cherry picked from commit b6a6561d0ef37ad86802ef1ceeefc59a42612435)
2016-06-30 17:48:12 -07:00
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
Allow wificond to set interfaces up and down This is apparently a privileged ioctl. Being able to do this allows us to no longer kill hostapd with SIGTERM, since we can cleanup after hard stops. Bug: 31023120 Test: wificond unit and integration tests pass Change-Id: Icdf2469d403f420c742871f54b9fb17432805991 (cherry picked from commit ca7b04ba525a61cb8663e5e6faf52bfcdb80dde8)
2016-08-22 17:47:13 -07:00
# setting interface state up/down is a privileged ioctl
MAC Anonymization: wificond SIOCSIFHWADDR sepolicy Add sepolicy rules to grant wificond permission to use SIOCSIFHWADDR ioctl. This permission is needed to dynamically change MAC address of the device when connecting to wifi networks. Bug: 63905794 Test: Verified manually that wificond can dynamically change MAC address. Change-Id: If2c6b955b0b792f706d8438e8e2e018c0b4cfc31
2018-01-22 20:42:12 -08:00
allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow wificond self:global_capability_class_set { net_admin net_raw };
Allow wificond to set interfaces up and down This is apparently a privileged ioctl. Being able to do this allows us to no longer kill hostapd with SIGTERM, since we can cleanup after hard stops. Bug: 31023120 Test: wificond unit and integration tests pass Change-Id: Icdf2469d403f420c742871f54b9fb17432805991 (cherry picked from commit ca7b04ba525a61cb8663e5e6faf52bfcdb80dde8)
2016-08-22 17:47:13 -07:00
# allow wificond to speak to nl80211 in the kernel
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
Fix wificond permissions for hikey Newer kernels apparently introduce a new SELinux label "netlink_generic_socket". AOSP is missing some patches for ioctl whitelisting and it was suggested we add unpriv_socket_ioctls as a stopgap. Bug: 31226503 Change-Id: Ie4dd499925f74747c0247e5d7ad0de0f673b5ed2
2016-08-31 17:46:42 -07:00
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
Allow wificond to mark interfaces up and down avc: denied { create } for scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=udp_socket permissive=0 avc: denied { net_raw } for capability=13 scontext=u:r:wificond:s0 tcontext=u:r:wificond:s0 tclass=capability permissive=0 avc: denied { read } for name="psched" dev="proc" ino=4026535377 scontext=u:r:wificond:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 Test: fixes above avc denials Bug: 29579539 Change-Id: Ie1dff80103e81cfba8064a22b5dd3e1e8f29471b (cherry picked from commit b6a6561d0ef37ad86802ef1ceeefc59a42612435)
2016-06-30 17:48:12 -07:00
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 12:47:48 -07:00
r_dir_file(wificond, proc_net_type)
Allow wificond to write wifi component config files We need the ability to set file permissions, create files, write files, chown files. Test: integration tests that start/stop hostapd and write its config file via wificond pass without SELinux denials. Bug: 30040724 Change-Id: Iee15fb36a6a4a89009d4b45281060379d70cd53c (cherry picked from commit f83da1421b38b021d9c0b829e791c84a1c6d9e1e)
2016-07-21 09:12:28 -07:00
Allow wificond to find permission This is used for wificond to check if it is allowed to dump logs. Bug: 31336376 Test: compile, manual test Change-Id: I8a1b681255398f9a1f2cf79fd0891e58283aa747
2017-04-04 16:52:25 -07:00
# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;
dumpstate: Fix wificond access Bug: 31246864 Change-Id: I8319e632b3be1e558dfc550453b8298914c89064 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-09-07 13:58:04 -07:00
# dumpstate support
allow wificond dumpstate:fd use;
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow wificond dumpstate:fifo_file write;
sepolicy: Move wifi keystore HAL service to wificond Bug: 142969896 Test: Verified connecting to passpoint networks. Change-Id: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3 Merged-In: Iac72b13e24f45bbf834d698cfcfd0fe9177a80d3
2019-10-20 19:44:38 -07:00
#### Offer the Wifi Keystore HwBinder service ###
hwbinder_use(wificond)
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond keystore:keystore_key get;
Allow wificond access wifi keys in KeyStore2 Bug: 171305388 Test: manual Change-Id: If2ce168e1415c28259d5fa2ad9d2b409bd977756
2021-02-11 16:33:45 -08:00
# Allow keystore2 binder access to serve the HwBinder service.
allow wificond wifi_key:keystore2_key {
get_info
use
};
Reference in New Issue Copy Permalink