Only allow toolbox exec where /system exec was already allowed.

When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 11:38:29 -04:00 · 2015-08-25 11:38:29 -04:00 · a3c97a7660
commit a3c97a7660
parent 4abd409af0
16 changed files with 36 additions and 5 deletions
--- a/adbd.te
+++ b/adbd.te
@ -49,6 +49,10 @@ set_prop(adbd, ffs_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;

+# XXX Run toolbox.  Might not be needed.
+allow adbd toolbox_exec:file rx_file_perms;
+auditallow adbd toolbox_exec:file rx_file_perms;
+
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
--- a/app.te
+++ b/app.te
@ -74,6 +74,7 @@ allow appdomain oemfs:file rx_file_perms;
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
 allow appdomain system_file:file rx_file_perms;
+allow appdomain toolbox_exec:file rx_file_perms;

 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
--- a/dhcp.te
+++ b/dhcp.te
@ -11,6 +11,9 @@ allow dhcp self:packet_socket create_socket_perms;
 allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow dhcp toolbox_exec:file rx_file_perms;
+auditallow dhcp toolbox_exec:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;

--- a/domain.te
+++ b/domain.te
@ -109,10 +109,6 @@ allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;

-# Run toolbox.
-# Kernel, init, and mediaserver never run anything without changing domains.
-allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
-
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };
--- a/dumpstate.te
+++ b/dumpstate.te
@ -21,6 +21,7 @@ allow dumpstate self:capability kill;
 #   /system/bin/logcat
 #   /system/bin/dumpsys
 allow dumpstate system_file:file execute_no_trans;
+allow dumpstate toolbox_exec:file rx_file_perms;

 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
--- a/gpsd.te
+++ b/gpsd.te
@ -18,6 +18,7 @@ allow gpsd gps_device:chr_file rw_file_perms;
 # Execute the shell or system commands.
 allow gpsd shell_exec:file rx_file_perms;
 allow gpsd system_file:file rx_file_perms;
+allow gpsd toolbox_exec:file rx_file_perms;

 ###
 ### neverallow
--- a/install_recovery.te
+++ b/install_recovery.te
@ -13,6 +13,10 @@ allow install_recovery shell_exec:file rx_file_perms;
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;

+# XXX Execute toolbox.  Might not be needed.
+allow install_recovery toolbox_exec:file rx_file_perms;
+auditallow install_recovery toolbox_exec:file rx_file_perms;
+
 # Update the recovery block device based off a diff of the boot block device
 allow install_recovery block_device:dir search;
 allow install_recovery boot_block_device:blk_file r_file_perms;
--- a/netd.te
+++ b/netd.te
@ -20,6 +20,9 @@ allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd self:netlink_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow netd toolbox_exec:file rx_file_perms;
+auditallow netd toolbox_exec:file rx_file_perms;
 allow netd devpts:chr_file rw_file_perms;

 # For /proc/sys/net/ipv[46]/route/flush.
--- a/perfprofd.te
+++ b/perfprofd.te
@ -48,7 +48,7 @@ userdebug_or_eng(`
  allow perfprofd exec_type:file r_file_perms;

  # simpleperf is going to execute "sleep"
-  allow perfprofd toolbox_exec:file x_file_perms;
+  allow perfprofd toolbox_exec:file rx_file_perms;

  # needed for simpleperf on some kernels
  allow perfprofd self:capability ipc_lock;
--- a/ppp.te
+++ b/ppp.te
@ -11,6 +11,9 @@ allow ppp mtp:unix_dgram_socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
 allow ppp system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow ppp toolbox_exec:file rx_file_perms;
+auditallow ppp toolbox_exec:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
 allow ppp mtp:fd use;
--- a/racoon.te
+++ b/racoon.te
@ -19,6 +19,9 @@ allow racoon self:capability { net_admin net_bind_service net_raw setuid };

 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
 allow racoon system_file:file rx_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow racoon toolbox_exec:file rx_file_perms;
+auditallow racoon toolbox_exec:file rx_file_perms;
 allow racoon vpn_data_file:file create_file_perms;
 allow racoon vpn_data_file:dir w_dir_perms;

--- a/recovery.te
+++ b/recovery.te
@ -15,6 +15,7 @@ recovery_only(`
  # Run helpers from / or /system without changing domain.
  allow recovery rootfs:file execute_no_trans;
  allow recovery system_file:file execute_no_trans;
+  allow recovery toolbox_exec:file rx_file_perms;

  # Mount filesystems.
  allow recovery rootfs:dir mounton;
--- a/rild.te
+++ b/rild.te
@ -23,6 +23,9 @@ allow rild sdcard_type:dir r_dir_perms;
 allow rild system_data_file:dir r_dir_perms;
 allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow rild toolbox_exec:file rx_file_perms;
+auditallow rild toolbox_exec:file rx_file_perms;

 # property service
 set_prop(rild, radio_prop)
--- a/shell.te
+++ b/shell.te
@ -38,6 +38,7 @@ allow shell console_device:chr_file rw_file_perms;
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
 allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;

--- a/system_server.te
+++ b/system_server.te
@ -311,6 +311,10 @@ allow system_server cache_file:fifo_file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;

+# XXX Run toolbox.  Might not be needed.
+allow system_server toolbox_exec:file rx_file_perms;
+auditallow system_server toolbox_exec:file rx_file_perms;
+
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;
--- a/vold.te
+++ b/vold.te
@ -24,6 +24,9 @@ allow vold shell_exec:file rx_file_perms;
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
+# XXX Run toolbox.  Might not be needed.
+allow vold toolbox_exec:file rx_file_perms;
+auditallow vold toolbox_exec:file rx_file_perms;
 allow vold block_device:dir create_dir_perms;
 allow vold block_device:blk_file create_file_perms;
 auditallow vold block_device:blk_file create_file_perms;