PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ccc8608cc6
android_system_sepolicy/netd.te

87 lines
2.8 KiB
Plaintext
Raw Normal View History

SE Android policy.
2012-01-04 09:33:27 -08:00
# network manager
Annotate MLS trusted subjects and objects. When using MLS (i.e. enabling levelFrom= in seapp_contexts), certain domains and types must be exempted from the normal constraints defined in the mls file. Beyond the current set, adbd, logd, mdnsd, netd, and servicemanager need to be able to read/write to any level in order to communicate with apps running with any level, and the logdr and logdw sockets need to be writable by apps running with any level. This change has no impact unless levelFrom= is specified in seapp_contexts, so by itself it is a no-op. Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-08 13:06:40 -07:00
type netd, domain, mlstrustedsubject;
SE Android policy.
2012-01-04 09:33:27 -08:00
type netd_exec, exec_type, file_type;
init_daemon_domain(netd)
put netd into net_domain This addresses the review comments from https://android-review.googlesource.com/#/c/69855/ Change-Id: I4d4633db711695c7f959b60f247772b0ac67931f
2013-12-15 19:04:09 -08:00
net_domain(netd)
Remove fsetid from netd. fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate. Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 10:00:59 -08:00
allow netd self:capability { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
netd dontaudit fsetid For the reasons explained in the pre-existing code, we don't want to grant fsetid to netd, nor do we want denial messages to be generated. Change-Id: I34dcea81acd25b4eddc46bb54ea0d828b33c5fdc
2015-04-02 15:36:51 -07:00
# for netd to operate.
dontaudit netd self:capability fsetid;
Remove fsetid from netd. fsetid checks are triggered by chmod on a directory or file owned by a group other than one of the groups assigned to the current process to see if the setgid bit should be cleared, regardless of whether the setgid bit was even set. We do not appear to truly need this capability for netd to operate, so remove it. Potential dontaudit candidate. Change-Id: I5ab4fbaaa056dcd1c7e60ec28632e7bc06f826bf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 10:00:59 -08:00
Clean up socket rules. Replace * or any permission set containing create with create_socket_perms or create_stream_socket_perms. Add net_domain() to all domains using network sockets and delete rules already covered by domain.te or net.te. For netlink_route_socket, only nlmsg_write needs to be separately granted to specific domains that are permitted to modify the routing table. Clarification: read/write permissions are just ability to perform read/recv() or write/send() on the socket, whereas nlmsg_read/ nlmsg_write permissions control ability to observe or modify the underlying kernel state accessed via the socket. See security/selinux/nlmsgtab.c in the kernel for the mapping of netlink message types to nlmsg_read or nlmsg_write. Delete legacy rule for b/12061011. This change does not touch any rules where only read/write were allowed to a socket created by another domain (inherited across exec or received across socket or binder IPC). We may wish to rewrite some or all of those rules with the rw_socket_perms macro but that is a separate change. Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-24 12:06:11 -08:00
allow netd self:netlink_kobject_uevent_socket create_socket_perms;
allow netd self:netlink_route_socket nlmsg_write;
allow netd self:netlink_nflog_socket create_socket_perms;
Rules to let netd read packets from NFLOG target. avc: denied { create } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1 avc: denied { setopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1 avc: denied { bind } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1 avc: denied { getopt } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1 avc: denied { write } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1 avc: denied { read } for scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=netlink_socket permissive=1 Bug: 18335678 Change-Id: I7c03d55b4719d0fd8057507bf8ac1cf573e4744a
2014-12-16 13:08:16 -08:00
allow netd self:netlink_socket create_socket_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
Revert /proc/net related changes Revert the tightening of /proc/net access. These changes are causing a lot of denials, and I want additional time to figure out a better solution. Addresses the following denials (and many more): avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file This reverts commit 0f0324cc826afb9beefda802d496befe823a081e and commit 99940d1af5719f1622fa2a17f8daf6cb21de3ad1 Bug: 9496886 Bug: 19034637 Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868
2015-02-25 13:28:40 -08:00
allow netd proc_net:file write;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
allow netd sysfs:file write;
# Set dhcp lease for PAN connection
unix_socket_connect(netd, property, init)
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 07:27:02 -07:00
allow netd dhcp_prop:property_service set;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd system_prop:property_service set;
Align SELinux property policy with init property_perms. Introduce a net_radio_prop type for net. properties that can be set by radio or system. Introduce a system_radio_prop type for sys. properties that can be set by radio or system. Introduce a dhcp_prop type for properties that can be set by dhcp or system. Drop the rild_prop vs radio_prop distinction; this was an early experiment to see if we could separate properties settable by rild versus other radio UID processes but it did not pan out. Remove the ability to set properties from unconfineddomain. Allow init to set any property. Allow recovery to set ctl_default_prop to restart adbd. Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 07:27:02 -07:00
auditallow netd system_prop:property_service set;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# Connect to PAN
Strip unnecessary trailing semicolon on macro calls. Change-Id: I013e08bcd82a9e2311a958e1c98931f53f6720c9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-04-04 08:31:00 -07:00
domain_auto_trans(netd, dhcp_exec, dhcp)
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
allow netd dhcp:process signal;
# Needed to update /data/misc/wifi/hostapd.conf
# TODO: See what we can do to reduce the need for
# these capabilities
allow netd self:capability { dac_override chown fowner };
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;
Allow netd to create data files in /data/misc/net/. This will be used to populate rt_tables (a mapping from routing table numbers to table names) that's read by the iproute2 utilities. Change-Id: I69deb1a64d5d6647470823405bf0cc55b24b22de
2014-07-07 22:04:57 -07:00
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
Enable SELinux protections for netd. This change does several things: 1) Restore domain.te to the version present at cd516a32663b4eb11b2e3356b86450020e59e279 . This is the version currently being distributed in AOSP. 2) Add "allow domain properties_device:file r_file_perms;" to domain.te, to allow all domains to read /dev/__properties__ . This change was missing from AOSP. 3) Restore netd.te to the version present at 80c9ba5267f1a6ceffcf979471d101948b520ad6 . This is the version currently being distributed in AOSP. 4) Remove anything involving module loading from netd.te. CTS enforces that Android kernels can't have module loading enabled. 5) Add several new capabilities, plus data file rules, to netd.te, since netd needs to write to files owned by wifi. 6) Add a new unconfined domain called dnsmasq.te, and allow transitions from netd to that domain. Over time, we'll tighten up the dnsmasq.te domain. 7) Add a new unconfined domain called hostapd.te, and allow transitions from netd to that domain. Over time, we'll tighten up the hostapd.te domain. The net effect of these changes is to re-enable SELinux protections for netd. The policy is FAR from perfect, and allows a lot of wiggle room, but we can improve it over time. Testing: as much as possible, I've exercised networking related functionality, including turning on and off wifi, entering airplane mode, and enabling tethering and portable wifi hotspots. It's quite possible I've missed something, and if we experience problems, I can roll back this change. Bug: 9618347 Change-Id: I23ff3eebcef629bc7baabcf6962f25f116c4a3c0
2013-06-27 15:11:02 -07:00
# Allow netd to spawn hostapd in it's own domain
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;
# Allow netd to spawn dnsmasq in it's own domain
domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
allow netd dnsmasq:process signal;
Fix clatd, broken by selinux policing /dev/tun Bug: 10175701 Change-Id: I185df22bdbaafd56725760ec6c71340b67455046
2013-08-04 23:32:56 -07:00
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
allow netd clatd:process signal;
Replace ctl_default_prop access with explicit service property keys. The ctl_default_prop label is a bit too generic for some of the priveleged domains when describing access rights. Instead, be explicit about which services are being started and stopped by introducing new ctl property keys. Change-Id: I1d0c6f6b3e8bd63da30bd6c7b084da44f063246a Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-18 10:24:26 -08:00
allow netd ctl_mdnsd_prop:property_service set;
remove "self:process ptrace" from domain, netd neverallow rules Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
Introduce fwmarkd: a service to set the fwmark of sockets. (cherry picked from commit 7d51096d4106a441a15741592d9ccdd0bfaca907) Change-Id: Ib6198e19dbc306521a26fcecfdf6e8424d163fc9
2014-05-01 11:12:10 -07:00
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
remove "self:process ptrace" from domain, netd neverallow rules Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
2013-07-12 21:28:41 -07:00
###
### Neverallow rules
###
### netd should NEVER do any of this
# Block device access.
neverallow netd dev_type:blk_file { read write };
# ptrace any other app
neverallow netd { domain }:process ptrace;
# Write to /system.
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
Reference in New Issue Copy Permalink