android_system_sepolicy/init.te

# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;

allow init self:capability { sys_rawio mknod };

allow init dev_type:blk_file rw_file_perms;
allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
allow init kernel:system syslog_mod;
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;

# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;

# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };

# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
# setsockcreate is for labeling local/unix domain sockets.
allow init self:process { setexec setfscreate setsockcreate };

# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
SE Android policy. 2012-01-04 09:33:27 -08:00			`# init switches to init domain (via init.rc).`
			`type init, domain;`
			`# init is unconfined.`
			`unconfined_domain(init)`
			`tmpfs_domain(init)`
Make all domains unconfined. This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security. Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11 2013-05-17 17:11:29 -07:00			`# add a rule to handle unlabelled mounts`
			`allow init unlabeled:filesystem mount;`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 14:46:05 -07:00
Remove several superuser capabilities from unconfined domains. Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-10 13:31:04 -08:00			`allow init self:capability { sys_rawio mknod };`

Remove block device access from unconfined domains. Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-11 11:40:14 -08:00			`allow init dev_type:blk_file rw_file_perms;`
Remove mount-related permissions from unconfined domains. Only allow to specific domains as required, and add a neverallow to prevent allowing it to other domains not explicitly whitelisted. sdcard_type is exempted from the neverallow since more domains require the ability to mount it, including device-specific domains. Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-10 10:29:38 -08:00			`allow init fs_type:filesystem *;`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 14:46:05 -07:00			`allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;`
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-06 05:05:53 -08:00			`allow init kernel:security load_policy;`
remove syslog_* from unconfined As suggested in https://android-review.googlesource.com/95966 , remove various syslog_* from unconfined. SELinux domains which want to use syslog_* can declare it themselves. Change-Id: I7a8335850d1b8d3463491b4ef8c657f57384cfa4 2014-05-28 13:48:52 -07:00			`allow init kernel:system syslog_mod;`
Restrict the ability to set usermodehelpers and proc security settings. Limit the ability to write to the files that configure kernel usermodehelpers and security-sensitive proc settings to the init domain. Permissive domains can also continue to set these values. The current list is not exhaustive, just an initial set. Not all of these files will exist on all kernels/devices. Controlling access to certain kernel usermodehelpers, e.g. cgroup release_agent, will require kernel changes to support and cannot be addressed here. Expected output on e.g. flo after the change: ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper -rw-r--r-- root root u:object_r:usermodehelper:s0 uevent_helper -rw-r--r-- root root u:object_r:proc_security:s0 suid_dumpable -rw-r--r-- root root u:object_r:usermodehelper:s0 core_pattern -rw-r--r-- root root u:object_r:proc_security:s0 dmesg_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 hotplug -rw-r--r-- root root u:object_r:proc_security:s0 kptr_restrict -rw-r--r-- root root u:object_r:usermodehelper:s0 poweroff_cmd -rw-r--r-- root root u:object_r:proc_security:s0 randomize_va_space -rw------- root root u:object_r:usermodehelper:s0 bset -rw------- root root u:object_r:usermodehelper:s0 inheritable Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-06 06:31:40 -08:00			`allow init usermodehelper:file rw_file_perms;`
			`allow init proc_security:file rw_file_perms;`
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29 2014-01-24 20:43:07 -08:00
			`# Transitions to seclabel processes in init.rc`
			`allow init adbd:process transition;`
			`allow init healthd:process transition;`
			`allow init recovery:process transition;`
			`allow init shell:process transition;`
			`allow init ueventd:process transition;`
			`allow init watchdogd:process transition;`
Protect keystore's files. Only keystore itself should be reading / writing it's files. Remove keystore file access from other SELinux domains, including unconfined. Add neverallow rules to protect against regressions. Allow init limited access to recurse into keystore's directory. Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf 2014-05-08 23:28:52 -07:00
			`# Init creates keystore's directory on boot, and walks through`
			`# the directory as part of a recursive restorecon.`
			`allow init keystore_data_file:dir { open create read getattr setattr search };`
			`allow init keystore_data_file:file { getattr };`
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 08:26:19 -07:00
			`# Use setexeccon(), setfscreatecon(), and setsockcreatecon().`
			`# setexec is for services with seclabel options.`
			`# setfscreate is for labeling directories and socket files.`
			`# setsockcreate is for labeling local/unix domain sockets.`
			`allow init self:process { setexec setfscreate setsockcreate };`
Protect /data/property. /data/property is only accessible by root and is used by the init property service for storing persistent property values. Create a separate type for it and only allow init to write to the directory and files within it. Ensure that we do not allow access to other domains in future changes or device-specific policy via a neverallow rule. Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-29 06:22:16 -07:00
			`# Create /data/property and files within it.`
			`allow init property_data_file:dir create_dir_perms;`
			`allow init property_data_file:file create_file_perms;`