am f3926937
: Merge "Switch kernel and init to permissive_or_unconfined()."
* commit 'f39269371e24147f4a45ba281a79d800ec3e56c7': Switch kernel and init to permissive_or_unconfined().
This commit is contained in:
commit
0a296fb019
114
init.te
114
init.te
@ -1,9 +1,57 @@
|
||||
# init switches to init domain (via init.rc).
|
||||
type init, domain;
|
||||
# init is unconfined.
|
||||
unconfined_domain(init)
|
||||
permissive_or_unconfined(init)
|
||||
tmpfs_domain(init)
|
||||
|
||||
# setrlimit
|
||||
allow init self:capability sys_resource;
|
||||
|
||||
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
|
||||
allow init tmpfs:file unlink;
|
||||
|
||||
# Access pty created for fsck.
|
||||
allow init devpts:chr_file { read write open };
|
||||
|
||||
# Create /dev/fscklogs files.
|
||||
allow init fscklogs:file create_file_perms;
|
||||
|
||||
# Access /dev/__null__ node created prior to initial policy load.
|
||||
allow init tmpfs:chr_file write;
|
||||
|
||||
# Access /dev/console.
|
||||
allow init console_device:chr_file rw_file_perms;
|
||||
|
||||
# Access /dev/tty0.
|
||||
allow init tty_device:chr_file rw_file_perms;
|
||||
|
||||
# Call mount(2).
|
||||
allow init self:capability sys_admin;
|
||||
|
||||
# Create and mount on directories in /.
|
||||
allow init rootfs:dir create_dir_perms;
|
||||
allow init rootfs:dir mounton;
|
||||
|
||||
# Mount on /dev/usb-ffs/adb.
|
||||
allow init device:dir mounton;
|
||||
|
||||
# Create symlinks in /.
|
||||
allow init rootfs:lnk_file create;
|
||||
|
||||
# Mount debugfs on /sys/kernel/debug.
|
||||
allow init sysfs:dir mounton;
|
||||
|
||||
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
||||
allow init tmpfs:dir create_dir_perms;
|
||||
allow init tmpfs:dir mounton;
|
||||
allow init cgroup:dir create_dir_perms;
|
||||
allow init cpuctl_device:dir { create mounton };
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
allow init self:capability dac_override;
|
||||
|
||||
# Set system clock.
|
||||
allow init self:capability sys_time;
|
||||
|
||||
allow init self:capability { sys_rawio mknod };
|
||||
|
||||
# Mounting filesystems from block devices.
|
||||
@ -25,12 +73,28 @@ allow init contextmount_type:notdevfile_class_set r_file_perms;
|
||||
# restorecon /adb_keys or any other rootfs files to a more specific type.
|
||||
allow init rootfs:file relabelfrom;
|
||||
|
||||
# restorecon and restorecon_recursive calls from init.rc files.
|
||||
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
|
||||
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
|
||||
# system/core/init.rc requires at least cache_file and data_file_type.
|
||||
# init.<board>.rc files often include device-specific types, so
|
||||
# we just allow all file types except /system files here.
|
||||
allow init self:capability { chown fowner fsetid };
|
||||
allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
|
||||
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir };
|
||||
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
|
||||
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
||||
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
|
||||
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
|
||||
allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
|
||||
allow init sysfs_type:{ dir file lnk_file } relabelto;
|
||||
allow init dev_type:dir create_dir_perms;
|
||||
allow init dev_type:lnk_file create;
|
||||
|
||||
# chown/chmod on pseudo files.
|
||||
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:{ dir file } { open read setattr };
|
||||
|
||||
# chown/chmod on devices.
|
||||
allow init qtaguid_device:chr_file { read open setattr };
|
||||
|
||||
# Unlabeled file access for upgrades from 4.2.
|
||||
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
||||
@ -39,9 +103,6 @@ allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
||||
# Create /data/security from init.rc post-fs-data.
|
||||
allow init security_file:dir { create setattr };
|
||||
|
||||
# setprop selinux.reload_policy 1 from init.rc post-fs-data.
|
||||
allow init security_prop:property_service set;
|
||||
|
||||
# Reload policy upon setprop selinux.reload_policy 1.
|
||||
r_dir_file(init, security_file)
|
||||
allow init kernel:security load_policy;
|
||||
@ -49,11 +110,32 @@ allow init kernel:security load_policy;
|
||||
# Any operation that can modify the kernel ring buffer, e.g. clear
|
||||
# or a read that consumes the messages that were read.
|
||||
allow init kernel:system syslog_mod;
|
||||
allow init self:capability2 syslog;
|
||||
|
||||
# Triggered by chmod 0444 /sys/fs/selinux/policy.
|
||||
allow init kernel:security read_policy;
|
||||
|
||||
# Set usermodehelpers and /proc security settings.
|
||||
allow init usermodehelper:file rw_file_perms;
|
||||
allow init proc_security:file rw_file_perms;
|
||||
|
||||
# Write to /proc/sys/kernel/panic_on_oops.
|
||||
allow init proc:file w_file_perms;
|
||||
|
||||
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
|
||||
allow init proc_net:file w_file_perms;
|
||||
allow init self:capability net_admin;
|
||||
|
||||
# Write to /proc/sysrq-trigger.
|
||||
allow init proc_sysrq:file w_file_perms;
|
||||
|
||||
# Reboot.
|
||||
allow init self:capability sys_boot;
|
||||
|
||||
# Write to sysfs nodes.
|
||||
allow init sysfs_type:dir r_dir_perms;
|
||||
allow init sysfs_type:file w_file_perms;
|
||||
|
||||
# Transitions to seclabel processes in init.rc
|
||||
domain_trans(init, rootfs, adbd)
|
||||
domain_trans(init, rootfs, healthd)
|
||||
@ -71,6 +153,7 @@ domain_trans(init, rootfs, watchdogd)
|
||||
allow init { domain -lmkd }:process noatsecure;
|
||||
|
||||
# Support "adb shell stop"
|
||||
allow init self:capability kill;
|
||||
allow init domain:process sigkill;
|
||||
|
||||
# Init creates keystore's directory on boot, and walks through
|
||||
@ -82,12 +165,25 @@ allow init keystore_data_file:file { getattr };
|
||||
allow init shell_data_file:dir { open create read getattr setattr search };
|
||||
allow init shell_data_file:file { getattr };
|
||||
|
||||
# Set UID and GID for services.
|
||||
allow init self:capability { setuid setgid };
|
||||
|
||||
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
||||
# setexec is for services with seclabel options.
|
||||
# setfscreate is for labeling directories and socket files.
|
||||
# setsockcreate is for labeling local/unix domain sockets.
|
||||
allow init self:process { setexec setfscreate setsockcreate };
|
||||
|
||||
# Perform SELinux access checks on setting properties.
|
||||
selinux_check_access(init)
|
||||
|
||||
# Ask the kernel for the new context on services to label their sockets.
|
||||
allow init kernel:security compute_create;
|
||||
|
||||
# Create sockets for the services.
|
||||
allow init domain:unix_stream_socket { create bind };
|
||||
allow init domain:unix_dgram_socket { create bind };
|
||||
|
||||
# Create /data/property and files within it.
|
||||
allow init property_data_file:dir create_dir_perms;
|
||||
allow init property_data_file:file create_file_perms;
|
||||
@ -97,6 +193,7 @@ allow init property_type:property_service set;
|
||||
|
||||
# Run "ifup lo" to bring up the localhost interface
|
||||
allow init self:udp_socket { create ioctl };
|
||||
allow init self:capability net_raw;
|
||||
|
||||
# This line seems suspect, as it should not really need to
|
||||
# set scheduling parameters for a kernel domain task.
|
||||
@ -111,7 +208,7 @@ allow init swap_block_device:blk_file rw_file_perms;
|
||||
allow init hw_random_device:chr_file r_file_perms;
|
||||
|
||||
# Create and access /dev files without a specific type,
|
||||
# e.g. /dev/.coldboot_done.
|
||||
# e.g. /dev/.coldboot_done, /dev/.booting
|
||||
# TODO: Move these files into their own type unless they are
|
||||
# only ever accessed by init.
|
||||
allow init device:file create_file_perms;
|
||||
@ -124,6 +221,9 @@ auditallow init device:file create_file_perms;
|
||||
allow init device:chr_file { rw_file_perms setattr };
|
||||
auditallow init device:chr_file { rw_file_perms setattr };
|
||||
|
||||
# keychord configuration
|
||||
allow init self:capability sys_tty_config;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
16
kernel.te
16
kernel.te
@ -1,16 +1,19 @@
|
||||
# Life begins with the kernel.
|
||||
type kernel, domain;
|
||||
permissive_or_unconfined(kernel)
|
||||
|
||||
allow kernel self:capability sys_nice;
|
||||
|
||||
# Run /init before we have switched domains.
|
||||
allow kernel rootfs:file execute_no_trans;
|
||||
|
||||
# /dev/__null__ node created by init prior to policy load.
|
||||
allow kernel tmpfs:chr_file rw_file_perms;
|
||||
|
||||
# setcon to init domain.
|
||||
allow kernel self:process setcurrent;
|
||||
allow kernel init:process dyntransition;
|
||||
|
||||
# The kernel is unconfined.
|
||||
unconfined_domain(kernel)
|
||||
|
||||
# cgroup filesystem initialization prior to setting the cgroup root directory label.
|
||||
allow kernel unlabeled:dir search;
|
||||
|
||||
@ -19,19 +22,26 @@ allow kernel usbfs:filesystem mount;
|
||||
|
||||
# init direct restorecon calls prior to switching to init domain
|
||||
# /dev and /dev/socket
|
||||
allow kernel tmpfs:dir relabelfrom;
|
||||
allow kernel { device socket_device }:dir relabelto;
|
||||
# /dev/__properties__
|
||||
allow kernel tmpfs:file relabelfrom;
|
||||
allow kernel properties_device:file relabelto;
|
||||
# /sys
|
||||
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
|
||||
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
|
||||
allow kernel sysfs_type:dir r_dir_perms;
|
||||
|
||||
# Initial setenforce by init prior to switching to init domain.
|
||||
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
||||
# process from turning off SELinux once enabled.
|
||||
dontaudit kernel self:security setenforce;
|
||||
|
||||
# Write to /proc/1/oom_adj prior to switching to init domain.
|
||||
allow kernel self:capability sys_resource;
|
||||
|
||||
# Set checkreqprot by init.rc prior to switching to init domain.
|
||||
allow kernel selinuxfs:file write;
|
||||
allow kernel self:security setcheckreqprot;
|
||||
|
||||
# MTP sync (b/15835289)
|
||||
|
Loading…
Reference in New Issue
Block a user