PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
016e636539
android_system_sepolicy/unconfined.te
Stephen Smalley 853ffaad32 Deduplicate neverallow rules on selinuxfs operations. 
We already have neverallow rules for all domains about
loading policy, setting enforcing mode, and setting
checkreqprot, so we can drop redundant ones from netd and appdomain.
Add neverallow rules to domain.te for setbool and setsecparam
and exclude them from unconfined to allow fully eliminating
separate neverallow rules on the :security class from anything
other than domain.te.

Change-Id: I0122e23ccb2b243f4c5376893e0c894f01f548fc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-03-10 20:41:34 +00:00

44 lines
2.4 KiB
Plaintext
Raw Blame History

#######################################################
#
# This is the unconfined template. This template is the base policy
# which is used by daemons and other privileged components of
# Android.
#
# Historically, this template was called "unconfined" because it
# allowed the domain to do anything it wanted. Over time,
# this has changed, and will continue to change in the future.
# The rules in this file will be removed when no remaining
# unconfined domains require it, or when the rules contradict
# Android security best practices. Domains which need rules not
# provided by the unconfined template should add them directly to
# the relevant policy.
#
# The use of this template is discouraged.
######################################################
allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain { rootfs system_file exec_type }:file execute;
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
allow unconfineddomain property_type:property_service set;
Reference in New Issue View Git Blame Copy Permalink