PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
20151072a7
android_system_sepolicy/public/recovery.te
Alex Klyubin 20151072a7 Restrict access to ro.serialno and ro.boot.serialno 
This restricts access to ro.serialno and ro.boot.serialno, the two
system properties which contain the device's serial number, to a
select few SELinux domains which need the access. In particular, this
removes access to these properties from Android apps. Apps can access
the serial number via the public android.os.Build API. System
properties are not public API for apps.

The reason for the restriction is that serial number is a globally
unique identifier which cannot be reset by the user. Thus, it can be
used as a super-cookie by apps. Apps need to wean themselves off of
identifiers not resettable by the user.

Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome
Test: Access the device via ADB (ADBD exposes serial number)
Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo
Bug: 31402365
Bug: 33700679
Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-22 11:38:29 -08:00

129 lines
4.8 KiB
Plaintext
Raw Blame History

# recovery console (used in recovery init.rc for /sbin/recovery)
# Declare the domain unconditionally so we can always reference it
# in neverallow rules.
type recovery, domain, domain_deprecated;
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
# Allow recovery to perform an update as update_engine would do.
typeattribute recovery update_engine_common, boot_control_hal;
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin;
# Run helpers from / or /system without changing domain.
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow recovery toolbox_exec:file rx_file_perms;
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
# Create and relabel files and directories under /system.
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
# mistake. New devices are moving to block based OTAs, so this is not
# worth fixing. b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
allow recovery sysfs_batteryinfo:file r_file_perms;
allow recovery kernel:system syslog_read;
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
allow recovery functionfs:dir search;
allow recovery functionfs:file rw_file_perms;
# Required to e.g. wipe userdata/cache.
allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms;
allow recovery dev_type:blk_file rw_file_perms;
# GUI
allow recovery graphics_device:chr_file rw_file_perms;
allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms;
allow recovery tty_device:chr_file rw_file_perms;
# Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms };
allow recovery tmpfs:dir create_dir_perms;
# Manage files on /cache and /cache/recovery
allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
allow recovery { cache_file cache_recovery_file }:file create_file_perms;
# Read files on /oem.
r_dir_file(recovery, oemfs);
# Reboot the device
set_prop(recovery, powerctl_prop)
# Start/stop adbd via ctl.start adbd
set_prop(recovery, ctl_default_prop)
# Read device's serial number from system properties
get_prop(recovery, serialno_prop)
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
# Allow recovery to create a fuse filesystem, and read files from it.
allow recovery fuse_device:chr_file rw_file_perms;
allow recovery fuse:dir r_dir_perms;
allow recovery fuse:file r_file_perms;
wakelock_use(recovery)
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
')
###
### neverallow rules
###
# Recovery should never touch /data.
#
# In particular, if /data is encrypted, it is not accessible
# to recovery anyway.
#
# For now, we only enforce write/execute restrictions, as domain.te
# contains a number of read-only rules that apply to all
# domains, including recovery.
#
# TODO: tighten this up further.
neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
neverallow recovery data_file_type:dir no_w_dir_perms;
Reference in New Issue View Git Blame Copy Permalink