PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d86a30a273
android_system_sepolicy/public/zygote.te

126 lines
4.4 KiB
Plaintext
Raw Normal View History

SE Android policy.
2012-01-04 09:33:27 -08:00
# zygote
Create attribute for moving perms out of domain Motivation: Domain is overly permissive. Start removing permissions from domain and assign them to the domain_deprecated attribute. Domain_deprecated and domain can initially be assigned to all domains. The goal is to not assign domain_deprecated to new domains and to start removing domain_deprecated where it is not required or reassigning the appropriate permissions to the inheriting domain when necessary. Bug: 25433265 Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
2015-11-03 09:54:39 -08:00
type zygote, domain, domain_deprecated;
SE Android policy.
2012-01-04 09:33:27 -08:00
type zygote_exec, exec_type, file_type;
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
typeattribute zygote mlstrustedsubject;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Override DAC on files and switch uid/gid.
Change zygote sepolicy whitelist. Allow the zygote to create instruction set specific directories under /data/dalvik-cache and to change their owner to the system UID. These subdirectories are required in order to support instruction set specific dex caches on devices that support multiple instruction sets. We can't ask init to create these directories for us, because init doesn't have any knowledge about the list of runtime instruction sets the device supports. The owner needs to be system because the package manager (running in the system_server) is allowed to manipulate files under this directory. (cherry picked from commit 032e5b0ae1ff14f9f9eeb6b7b749307124b49e1a) Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361
2014-04-28 07:17:29 -07:00
allow zygote self:capability { dac_override setgid setuid fowner chown };
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Switch SELinux context to app domains.
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 08:26:19 -07:00
allow zygote self:process setcurrent;
1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
2013-09-13 15:59:04 -07:00
allow zygote system_server:process dyntransition;
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 13:15:44 -07:00
allow zygote { appdomain ephemeral_app }:process dyntransition;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# Allow zygote to read app /proc/pid dirs (b/10455872).
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 13:15:44 -07:00
allow zygote { appdomain ephemeral_app }:dir { getattr search };
allow zygote { appdomain ephemeral_app }:file { r_file_perms };
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Move children into the peer process group.
1/2: Rename domain "system" to "system_server". This is a follow-up CL to the extraction of "system_app" domain from the "system" domain which left the "system" domain encompassing just the system_server. Since this change cannot be made atomically across different repositories, it temporarily adds a typealias "server" pointing to "system_server". Once all other repositories have been switched to "system_server", this alias will be removed. Change-Id: I90a6850603dcf60049963462c5572d36de62bc00
2013-09-13 15:59:04 -07:00
allow zygote system_server:process { getpgid setpgid };
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 13:15:44 -07:00
allow zygote { appdomain ephemeral_app }:process { getpgid setpgid };
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
Remove zygote write access to system_data_file. These rules seem to be a legacy of old Android or perhaps old policy before we began splitting types on /data. I have not been able to trigger the auditallow rules on AOSP master. Reduce the rules to only read access to system data. If we need write access to some specific directory under /data, we should introduce a type for it. Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 05:58:06 -07:00
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
Remove zygote write access to system_data_file. These rules seem to be a legacy of old Android or perhaps old policy before we began splitting types on /data. I have not been able to trigger the auditallow rules on AOSP master. Reduce the rules to only read access to system data. If we need write access to some specific directory under /data, we should introduce a type for it. Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 05:58:06 -07:00
# Write to /data/dalvik-cache.
Change zygote sepolicy whitelist. Allow the zygote to create instruction set specific directories under /data/dalvik-cache and to change their owner to the system UID. These subdirectories are required in order to support instruction set specific dex caches on devices that support multiple instruction sets. We can't ask init to create these directories for us, because init doesn't have any knowledge about the list of runtime instruction sets the device supports. The owner needs to be system because the package manager (running in the system_server) is allowed to manipulate files under this directory. (cherry picked from commit 032e5b0ae1ff14f9f9eeb6b7b749307124b49e1a) Change-Id: I3a85e8a6b4eed003a93490e7b93a4fd68c41a361
2014-04-28 07:17:29 -07:00
allow zygote dalvikcache_data_file:dir create_dir_perms;
Do not allow zygote to execve dalvikcache files. x_file_perms and friends allow execve; we only want to permit mmap/mprotect PROT_EXEC here. Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 06:27:15 -08:00
allow zygote dalvikcache_data_file:file create_file_perms;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# Create symlinks in /data/dalvik-cache.
zygote/dex2oat: Grant additional symlink permissions * zygote needs to be able to symlink from dalvik cache to system to avoid having to copy boot.oat (when the boot.oat file was built with --compile-pic) * dex2oat needs to be able to read the symlink in the dalvik cache (the one that zygote creates) Bug: 18035729 Change-Id: Ie1acad81a0fd8b2f24e1f3f07a06e6fdb548be62
2014-10-24 14:22:12 -07:00
allow zygote dalvikcache_data_file:lnk_file create_file_perms;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# Write to /data/resource-cache.
Fix SELinux policies to allow resource overlays. The following commits added support for runtime resource overlays. New command line tool 'idmap' * 65a05fd56dbc9fd9c2511a97f49c445a748fb3c5 Runtime resource overlay, iteration 2 * 48d22323ce39f9aab003dce74456889b6414af55 Runtime resource overlay, iteration 2, test cases * ad6ed950dbfa152c193dd7e49c369d9e831f1591 During SELinux tightening, support for these runtime resource overlays was unknowingly broken. Fix it. This change has been tested by hackbod and she reports that everything is working after this change. I haven't independently verified the functionality. Test cases are available for this by running: * python frameworks/base/core/tests/overlaytests/testrunner.py Change-Id: I1c70484011fd9041bec4ef34f93f7a5509906f40
2014-06-16 14:19:31 -07:00
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
Do not allow zygote to execve dalvikcache files. x_file_perms and friends allow execve; we only want to permit mmap/mprotect PROT_EXEC here. Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-09 06:27:15 -08:00
# For art.
Audit access to libart Grant access to all processes and audit access. The end goal is to whitelist all access to the interpreter. Several processes including dex2oat, apps, and zygote were observed using libart, so omit them from auditing and explicitly grant them access. Test: Angler builds and boots Bug: 29795519 Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88
2016-09-19 13:40:25 -07:00
allow zygote libart_file:file { execute read open getattr };
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# When WITH_DEXPREOPT is true, the zygote does not load executable content from
# /data/dalvik-cache.
allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
Run idmap in its own domain. Run idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-06-19 10:47:26 -07:00
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
allow zygote idmap_exec:file rx_file_perms;
reconcile aosp (c103da877b72aae80616dbc192982aaf75dfe888) after branching. Please do not merge. Change-Id: Ic9dde806a30d3e7b9c4a066f247a9207fe9b94b4
2014-07-14 23:32:08 -07:00
allow zygote dex2oat_exec:file rx_file_perms;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow zygote cgroup:{ file lnk_file } r_file_perms;
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
allow zygote self:capability sys_admin;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
Allow the zygote to stat all files it opens. (cherry picked from commit 63203a015c1a86d24bd4440bbecdd5ac57b89d04) bug: 30963384 Change-Id: I62b5ffd43469dbb0bba67e1bb1d3416e7354f9e5
2016-08-23 09:02:57 -07:00
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# if necessary: b/30963384.
zygote: drop braces on single item rule commit 221938cbee580d0d1627db98f8b74e4d68dbc557 introduces a fix that uses braces around a single item. This is not within the normal style of no brace around a single item. Drop the braces. Change-Id: Ibeee1e682c0face97f18d5e5177be13834485676 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-11-28 08:07:25 -08:00
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
Allow the zygote to stat all files it opens. (cherry picked from commit 63203a015c1a86d24bd4440bbecdd5ac57b89d04) bug: 30963384 Change-Id: I62b5ffd43469dbb0bba67e1bb1d3416e7354f9e5
2016-08-23 09:02:57 -07:00
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
zygote: allow replacing /proc/cpuinfo Android's native bridge functionality allows an Android native app written on one CPU architecture to run on a different architecture. For example, Android ARM apps may run on an x86 CPU. To support this, the native bridge functionality needs to replace /proc/cpuinfo with the version from /system/lib/<ISA>/cpuinfo using a bind mount. See commit ab0da5a9a6860046619629b8e6b83692d35dff86 in system/core. This change: 1) Creates a new label proc_cpuinfo, and assigns /proc/cpuinfo that label. 2) Grants read-only access to all SELinux domains, to avoid breaking pre-existing apps. 3) Grants zygote mounton capabilities for that file, so zygote can replace the file as necessary. Addresses the following denial: avc: denied { mounton } for path="/proc/cpuinfo" dev="proc" ino=4026532012 scontext=u:r:zygote:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 17671501 (cherry picked from commit 2de02877a30e73bdf30fb2bf9cc4957f9ddbf996) Change-Id: I2c2366bee4fe365288d14bca9778d23a43c368cb
2014-09-26 10:51:12 -07:00
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
allow zygote proc_cpuinfo:file mounton;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# Allow remounting rootfs as MS_SLAVE.
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
allow zygote rootfs:dir mounton;
Let's reinvent storage, yet again! Now that we're treating storage as a runtime permission, we need to grant read/write access without killing the app. This is really tricky, since we had been using GIDs for access control, and they're set in stone once Zygote drops privileges. The only thing left that can change dynamically is the filesystem itself, so let's do that. This means changing the FUSE daemon to present itself as three different views: /mnt/runtime_default/foo - view for apps with no access /mnt/runtime_read/foo - view for apps with read access /mnt/runtime_write/foo - view for apps with write access There is still a single location for all the backing files, and filesystem permissions are derived the same way for each view, but the file modes are masked off differently for each mountpoint. During Zygote fork, it wires up the appropriate storage access into an isolated mount namespace based on the current app permissions. When the app is granted permissions dynamically at runtime, the system asks vold to jump into the existing mount namespace and bind mount the newly granted access model into place. avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1 avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1 avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0 Bug: 21858077 Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
2015-06-25 16:13:59 -07:00
allow zygote tmpfs:filesystem { mount unmount };
Let Zygote unmount inherited storage devices. For example, when launching into an isolated process, we need to drop all mounts inherited from the root namespace. avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1 Bug: 22192518 Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
2015-06-30 15:56:46 -07:00
allow zygote fuse:filesystem { unmount };
sepolicy: Add policy for sdcardfs and configfs Change-Id: I4c318efba76e61b6ab0be9491c352f281b1c2bff Bug: 19160983
2016-03-01 16:13:50 -08:00
allow zygote sdcardfs:filesystem { unmount };
Updated policy for external storage. An upcoming platform release is redesigning how external storage works. At a high level, vold is taking on a more active role in managing devices that dynamically appear. This change also creates further restricted domains for tools doing low-level access of external storage devices, including sgdisk and blkid. It also extends sdcardd to be launchable by vold, since launching by init will eventually go away. For compatibility, rules required to keep AOSP builds working are marked with "TODO" to eventually remove. Slightly relax system_server external storage rules to allow calls like statfs(). Still neverallow open file descriptors, since they can cause kernel to kill us. Here are the relevant violations that this CL is designed to allow: avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 11:25:39 -07:00
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# Allow creating user-specific storage source if started before vold.
Updated policy for external storage. An upcoming platform release is redesigning how external storage works. At a high level, vold is taking on a more active role in managing devices that dynamically appear. This change also creates further restricted domains for tools doing low-level access of external storage devices, including sgdisk and blkid. It also extends sdcardd to be launchable by vold, since launching by init will eventually go away. For compatibility, rules required to keep AOSP builds working are marked with "TODO" to eventually remove. Slightly relax system_server external storage rules to allow calls like statfs(). Still neverallow open file descriptors, since they can cause kernel to kill us. Here are the relevant violations that this CL is designed to allow: avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 11:25:39 -07:00
allow zygote mnt_user_file:dir create_dir_perms;
allow zygote mnt_user_file:lnk_file create_file_perms;
# Allowed to mount user-specific storage into place
allow zygote storage_file:dir { search mounton };
zygote: enable SELinux restrictions This change enables SELinux security enforcement on zygote (but not zygote spawned apps). For the zygote.te file only, this change is equivalent to reverting the following commits: * 50e37b93ac97631dcac6961285b92af5026557af * 77d4731e9d30c8971e076e2469d6957619019921 No other changes were required. Testing: As much as possible, I've tested that zygote properly starts up, and that there's no problem spawning zygote or zygote apps. There were no denials in the kernel dmesg log, and everything appears to work correctly. It's quite possible I've missed something. If we experience problems, I happy to roll back this change. Bug: 9657732 Change-Id: Id2a7adcbeebda5d1606cb13470fad6c3fcffd558
2013-07-01 12:07:03 -07:00
# Handle --invoke-with command when launching Zygote with a wrapper command.
Allow stat of /system/bin/app_process by zygote. This resolves denials such as: type=1400 audit(7803852.559:251): avc: denied { getattr } for pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file (triggered on an art crash seen in recent AOSP master) Rather than just adding this permission individually, just rewrite the existing rule to use the rx_file_perms macro. We already allowed most of these permissions by way of the domain_auto_trans() rule via init_daemon_domain() and the rule for the --invoke-with support. Using macros helps reduce policy fragility/brittleness. Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-10 07:31:09 -07:00
allow zygote zygote_exec:file rx_file_perms;
Ensure that domain and appdomain attributes are assigned. Prevent defining any process types without the domain attribute so that all allow and neverallow rules written on domain are applied to all processes. Prevent defining any app process types without the appdomain attribute so that all allow and neverallow rules written on appdomain are applied to all app processes. Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-01 07:09:43 -07:00
zygote: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
2016-01-27 10:54:16 -08:00
# Read access to pseudo filesystems.
r_dir_file(zygote, proc_net)
# Root fs.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(zygote, rootfs)
zygote: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
2016-01-27 10:54:16 -08:00
# System file accesses.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(zygote, system_file)
zygote: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
2016-01-27 10:54:16 -08:00
Add SElinux rules for /data/misc/trace The directory is to be used in eng/userdebug build to store method traces (previously stored in /data/dalvik-cache/profiles). Bug: 25612377 Change-Id: Ia4365a8d1f13d33ee54115dc5e3bf62786503993
2015-11-10 10:49:57 -08:00
userdebug_or_eng(`
# Allow zygote to create and write method traces in /data/misc/trace.
allow zygote method_trace_data_file:dir w_dir_perms;
allow zygote method_trace_data_file:file { create w_file_perms };
')
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow zygote ion_device:chr_file r_file_perms;
allow zygote tmpfs:dir r_dir_perms;
Use with_dexpreopt macro for zygote execute permissions. When WITH_DEXPREOPT is set, the zygote does not need to execute dalvikcache_data_file objects. Bug: 32970029 Test: Add policy line inside macro, build with and without WITH_DEXPREOPT. Test: HiKey builds, boots, no zygote denials. Change-Id: I4dace93e8044267232f0f26cfe427fc250d351fb
2016-11-18 05:42:35 -08:00
# Let the zygote access overlays so it can initialize the AssetManager.
Add persist.vendor.overlay. to properties Allow the system_server to change. Allow the zygote to read it as well. Test: Have system_server set a property Change-Id: Ie90eec8b733fa7193861026a3a6e0fb0ba5d5318
2016-11-09 12:19:05 -08:00
get_prop(zygote, overlay_prop)
Ensure that domain and appdomain attributes are assigned. Prevent defining any process types without the domain attribute so that all allow and neverallow rules written on domain are applied to all processes. Prevent defining any app process types without the appdomain attribute so that all allow and neverallow rules written on appdomain are applied to all app processes. Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-01 07:09:43 -07:00
###
### neverallow rules
###
# Ensure that all types assigned to app processes are included
# in the appdomain attribute, so that all allow and neverallow rules
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server.
Rename autoplay_app to ephemeral_app Test: Builds and boots Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-06 13:15:44 -07:00
neverallow zygote ~{ appdomain ephemeral_app system_server }:process dyntransition;
neverallow: domain execute data_file_type To help reduce code injection paths, a neverallow is placed to prevent domain, sans untrusted_app and shell, execute on data_file_type. A few data_file_type's are also exempt from this rule as they label files that should be executable. Additional constraints, on top of the above, are placed on domains system_server and zygote. They can only execute data_file_type's of type dalvikcache_data_file. Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-06-22 07:26:26 -07:00
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
data_file_type
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
Reference in New Issue Copy Permalink