android_system_sepolicy/unconfined.te

#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################

allow unconfineddomain self:capability_class_set *;
allow unconfineddomain kernel:security ~{ load_policy setenforce };
allow unconfineddomain kernel:system *;
allow unconfineddomain self:memprotect *;
allow unconfineddomain domain:process *;
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain fs_type:filesystem *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain domain:binder { call transfer set_context_mgr };
allow unconfineddomain property_type:property_service set;
Clarify the expectations for the unconfined template. In https://android-review.googlesource.com/66562 , there was a discussion about the role the unconfined template plays. Document the unconfined template so that those expectations are better understood. Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f 2013-10-21 13:32:31 -07:00			`#######################################################`
			`#`
			`# This is the unconfined template. This template is the base policy`
			`# which is used by daemons and other privileged components of`
			`# Android.`
			`#`
			`# Historically, this template was called "unconfined" because it`
			`# allowed the domain to do anything it wanted. Over time,`
			`# this has changed, and will continue to change in the future.`
			`# The rules in this file will be removed when no remaining`
			`# unconfined domains require it, or when the rules contradict`
			`# Android security best practices. Domains which need rules not`
			`# provided by the unconfined template should add them directly to`
			`# the relevant policy.`
			`#`
			`# The use of this template is discouraged.`
			`######################################################`

SE Android policy. 2012-01-04 09:33:27 -08:00			`allow unconfineddomain self:capability_class_set *;`
Restrict the ability to set SELinux enforcing mode to init. Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 11:18:11 -08:00			`allow unconfineddomain kernel:security ~{ load_policy setenforce };`
SE Android policy. 2012-01-04 09:33:27 -08:00			`allow unconfineddomain kernel:system *;`
			`allow unconfineddomain self:memprotect *;`
			`allow unconfineddomain domain:process *;`
			`allow unconfineddomain domain:fd *;`
			`allow unconfineddomain domain:dir r_dir_perms;`
			`allow unconfineddomain domain:lnk_file r_file_perms;`
			`allow unconfineddomain domain:{ fifo_file file } rw_file_perms;`
			`allow unconfineddomain domain:socket_class_set *;`
			`allow unconfineddomain domain:ipc_class_set *;`
			`allow unconfineddomain domain:key *;`
			`allow unconfineddomain fs_type:filesystem *;`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 14:46:05 -07:00			`allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;`
Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-06 06:31:40 -08:00			`allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};`
			`allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};`
			`allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};`
SE Android policy. 2012-01-04 09:33:27 -08:00			`allow unconfineddomain node_type:node *;`
Clean up remaining denials. Bug: 8424461 Change-Id: I8f0b01cdb19b4a479d5de842f4e4844aeab00622 2013-05-22 13:19:58 -07:00			`allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;`
SE Android policy. 2012-01-04 09:33:27 -08:00			`allow unconfineddomain netif_type:netif *;`
			`allow unconfineddomain port_type:socket_class_set name_bind;`
			`allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;`
			`allow unconfineddomain domain:peer recv;`
Make all domains unconfined. This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11 2013-05-17 17:11:29 -07:00			`allow unconfineddomain domain:binder { call transfer set_context_mgr };`
Add policy for property service. New property_contexts file for property selabel backend. New property.te file with property type declarations. New property_service security class and set permission. Allow rules for setting properties. 2012-04-04 07:11:16 -07:00			`allow unconfineddomain property_type:property_service set;`