PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d9514b860e
android_system_sepolicy/public/logd.te

74 lines
2.4 KiB
Plaintext
Raw Normal View History

sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-12 15:34:52 -08:00
# android user-space log manager
logd: remove domain_deprecated attribute Test: builds/boots on Angler. No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I76c2752f806b83a6c21fcb17b6f445368936f61b
2016-09-24 14:26:45 -07:00
type logd, domain, mlstrustedsubject;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 10:21:37 -07:00
type logd_exec, system_file_type, exec_type, file_type;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-12 15:34:52 -08:00
logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02
2016-01-27 19:23:10 -08:00
# Read access to pseudo filesystems.
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(logd, cgroup)
Explicitly label logd's dependencies in /proc. labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to proc_kmsg, and added a compat mapping. Bug: 65643247 Test: device boots without selinux denials to the newly introduced proc_kmsg Test: logd-unit-tests passes Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e (partial CP of commit 528da6fe3a0dbe4ae15355dff0152ab5f55197da)
2017-09-13 14:34:56 -07:00
r_dir_file(logd, proc_kmsg)
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
r_dir_file(logd, proc_meminfo)
logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02
2016-01-27 19:23:10 -08:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-09 14:51:26 -08:00
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe
2016-05-16 21:12:17 -07:00
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
logd: add auditd Change-Id: Iec4bfc08ced20c0d4c74e07baca6cff812c9ba00
2014-04-01 11:02:57 -07:00
allow logd kernel:system syslog_read;
Allow to getattr kmsg_device These denials occur on boot when android_get_control_file also changes from readlink() to realpath(), because realpath() will lstat() the given path. Some other domains (fastbootd, update_engine, etc.) also uses libcutils to write to kernel log, where android_get_control_file() is invoked, hence getattr is added to them as well. 04-28 06:15:22.290 618 618 I auditd : type=1400 audit(0.0:4): avc: denied { getattr } for comm="logd" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:logd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 03-20 19:52:23.431 900 900 I auditd : type=1400 audit(0.0:7): avc: denied { getattr } for comm="android.hardwar" path="/dev/kmsg" dev="tmpfs" ino=20917 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 ... 03-20 22:40:42.316 1 1 W init : type=1400 audit(0.0:33): avc: denied { getattr } for path="/dev/kmsg" dev="tmpfs" ino=21999 scontext=u:r:init:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 Test: no denials related to these Change-Id: I5263dd6b64c06fb092f3461858f57a1a09107429
2019-03-20 15:36:26 -07:00
allow logd kmsg_device:chr_file { getattr w_file_perms };
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b
2016-09-09 16:27:17 -07:00
allow logd system_data_file:{ file lnk_file } r_file_perms;
Relabel /data/system/packages.list to new type. Conservatively grant access to packages_list_file to everything that had access to system_data_file:file even if the comment in the SELinux policy suggests it was for another use. Ran a diff on the resulting SEPolicy, the only difference of domains being granted is those that had system_data_file:dir permissiosn which is clearly not applicable for packages.list diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new) --- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000 +++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000 @@ -3 +2,0 @@ -allow appdomain packages_list_file:dir getattr; @@ -6 +4,0 @@ -allow coredomain packages_list_file:dir getattr; @@ -8 +5,0 @@ -allow domain packages_list_file:dir search; @@ -35 +31,0 @@ -allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name }; @@ -40 +35,0 @@ -allow tee packages_list_file:dir { search read lock getattr ioctl open }; @@ -43,3 +37,0 @@ -allow traced_probes packages_list_file:dir { read getattr open search }; -allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name }; -allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name }; @@ -48 +39,0 @@ -allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name }; @@ -50 +40,0 @@ -allow zygote packages_list_file:dir { search read lock getattr ioctl open }; Bug: 123186697 Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
2019-03-19 11:14:38 -07:00
allow logd packages_list_file:file r_file_perms;
logd: add getEventTag command and service The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
2016-09-13 09:33:35 -07:00
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
userdebug_or_eng(`
# Access to /data/misc/logd/event-log-tags
allow logd misc_logd_file:dir r_dir_perms;
allow logd misc_logd_file:file rw_file_perms;
')
allow logd runtime_event_log_tags_file:file rw_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-12 15:34:52 -08:00
SELinux rule for ro.device_owner and persist.logd.security They are introduced for the device owner process logging feature. That is, for enterprise-owned devices with device owner app provisioned, the device owner may choose to turn on additional device-wide logging for auditing and intrusion detection purposes. Logging includes histories of app process startup, commands issued over ADB and lockscreen unlocking attempts. These logs will available to the device owner for analysis, potentially shipped to a remote server if it chooses to. ro.device_owner will be a master switch to turn off logging, if the device has no device owner provisioned. persist.logd.security is a switch that device owner can toggle (via DevicePoliyManager) to enable/disable logging. Writing to both properties should be only allowed by the system server. Bug: 22860162 Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
2016-01-04 07:20:45 -08:00
# Access device logging gating property
get_prop(logd, device_logging_prop)
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-12 15:34:52 -08:00
r_dir_file(logd, domain)
logd: Add klogd Change-Id: Ib9bc89b05771a12c6bb9a25cf59ea51afd22ae15
2014-10-15 15:49:37 -07:00
allow logd kernel:system syslog_mod;
logd: allow access to system files - allow access for /data/system/packages.xml. - deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging) - allow access to /dev/socket/logd for 'logd --reinit' Bug: 19681572 Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
2015-03-10 13:46:37 -07:00
control_logd(logd)
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-07 15:11:39 -08:00
read_runtime_log_tags(logd)
allow runtime_event_log_tags_file tmpfs:filesystem associate;
# Typically harmlessly blindly trying to access via liblog
# event tag mapping while in the untrusted_app domain.
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
runtime_event_log_tags_file: dontaudit map permission In permissive mode, map denials may occur on runtime_event_log_tags_file. Suppress. Fixes: 122803985 Test: build Change-Id: I4aebd4363091685185e0c5f98895c4a9301b9cfe
2019-01-14 12:59:54 -08:00
dontaudit domain runtime_event_log_tags_file:file { map open read };
logd: allow access to system files - allow access for /data/system/packages.xml. - deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging) - allow access to /dev/socket/logd for 'logd --reinit' Bug: 19681572 Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
2015-03-10 13:46:37 -07:00
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-12 15:34:52 -08:00
###
### Neverallow rules
###
### logd should NEVER do any of this
# Block device access.
neverallow logd dev_type:blk_file { read write };
# ptrace any other app
neverallow logd domain:process ptrace;
Prevent ptrace of logd on user builds system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd doesn't want it's memory accessible by anyone else. Unfortunately, setting DUMPABLE isn't sufficient against a root level process such with ptrace. Only one such process exists, "debuggerd". Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected. Add a neverallow rule (compile time assertion + CTS test) to prevent regressions. Bug: 32450474 Test: Policy compiles. Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
2016-12-05 14:01:28 -08:00
# ... and nobody may ptrace me (except on userdebug or eng builds)
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
2018-08-07 16:03:47 -07:00
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
Prevent ptrace of logd on user builds system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd doesn't want it's memory accessible by anyone else. Unfortunately, setting DUMPABLE isn't sufficient against a root level process such with ptrace. Only one such process exists, "debuggerd". Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected. Add a neverallow rule (compile time assertion + CTS test) to prevent regressions. Bug: 32450474 Test: Policy compiles. Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
2016-12-05 14:01:28 -08:00
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
2013-11-12 15:34:52 -08:00
# Write to /system.
neverallow logd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
Relabel /data/system/packages.list to new type. Conservatively grant access to packages_list_file to everything that had access to system_data_file:file even if the comment in the SELinux policy suggests it was for another use. Ran a diff on the resulting SEPolicy, the only difference of domains being granted is those that had system_data_file:dir permissiosn which is clearly not applicable for packages.list diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy | sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new) --- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000 +++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000 @@ -3 +2,0 @@ -allow appdomain packages_list_file:dir getattr; @@ -6 +4,0 @@ -allow coredomain packages_list_file:dir getattr; @@ -8 +5,0 @@ -allow domain packages_list_file:dir search; @@ -35 +31,0 @@ -allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name }; @@ -40 +35,0 @@ -allow tee packages_list_file:dir { search read lock getattr ioctl open }; @@ -43,3 +37,0 @@ -allow traced_probes packages_list_file:dir { read getattr open search }; -allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name }; -allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name }; @@ -48 +39,0 @@ -allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name }; @@ -50 +40,0 @@ -allow zygote packages_list_file:dir { search read lock getattr ioctl open }; Bug: 123186697 Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07
2019-03-19 11:14:38 -07:00
neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
init: only allowed to transition to logpersist or logd Generate a compile time error if someone unexpectedly tries to transition into logpersist or logd domain. Test: compile Bug: 30566487 Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d
2016-12-06 08:57:23 -08:00
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
2016-11-07 15:11:39 -08:00
# protect the event-log-tags file
logd: add getEventTag command and service The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
2016-09-13 09:33:35 -07:00
neverallow {
domain
-init
-logd
} runtime_event_log_tags_file:file no_w_file_perms;
Reference in New Issue Copy Permalink