PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f78fb4e0c8
android_system_sepolicy/global_macros
Stephen Smalley 85708ec4f9 Resolve overlapping rules between app.te and net.te. 
There is some overlap between socket rules in app.te and the net.te rules,
but they aren't quite identical since not all app domains presently include
the net_domain() macro and because the rules in app.te allow more permissions
for netlink_route_socket and allow rawip_socket permissions for ping.
The current app.te rules prevent one from ever creating a non-networked app
domain.  Resolve this overlap by:

1) Adding the missing permissions allowed by app.te to net.te for
netlink_route_socket and rawip_socket.
2) Adding net_domain() calls to all existing app domains that do not already
have it.
3) Deleting the redundant socket rules from app.te.

Then we'll have no effective change in what is allowed for apps but
allow one to define app domains in the future that are not allowed
network access.

Also cleanup net.te to use the create_socket_perms macro rather than *
and add macros for stream socket permissions.

Change-Id: I6e80d65b0ccbd48bd2b7272c083a4473e2b588a9
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-25 17:26:06 +00:00

48 lines
2.6 KiB
Plaintext
Raw Blame History

#####################################
# Common groupings of object classes.
#
define(`capability_class_set', `{ capability capability2 }')
define(`devfile_class_set', `{ chr_file blk_file }')
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
define(`dir_file_class_set', `{ dir file_class_set }')
define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
define(`ipc_class_set', `{ sem msgq shm ipc }')
#####################################
# Common groupings of permissions.
#
define(`x_file_perms', `{ getattr execute execute_no_trans }')
define(`r_file_perms', `{ getattr open read ioctl lock }')
define(`w_file_perms', `{ open append write }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`link_file_perms', `{ getattr link unlink rename }')
define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
define(`r_dir_perms', `{ open getattr read search ioctl }')
define(`w_dir_perms', `{ open search write add_name remove_name }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
define(`r_ipc_perms', `{ getattr read associate unix_read }')
define(`w_ipc_perms', `{ write unix_write }')
define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
#####################################
# Common socket permission sets.
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
define(`create_socket_perms', `{ create rw_socket_perms }')
define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
Reference in New Issue View Git Blame Copy Permalink