am 4496a389: am 78b54b5d: am bf323ff8: am 21827ff0: am f82f5e01: Accept command-line input for neverallow-check.

* commit '4496a389b6efd95b174deb8503b8cbb6fcf0a5c5':
diff --git a/Android.mk b/Android.mk
index 3635a01..1b903bd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 26
+POLICYVERS ?= 30
 
 MLS_SENS=1
 MLS_CATS=1024
@@ -36,6 +36,7 @@
                         policy_capabilities \
                         te_macros \
                         attributes \
+                        ioctl_macros \
                         *.te \
                         roles \
                         users \
diff --git a/access_vectors b/access_vectors
index 65b7e22..c280f08 100644
--- a/access_vectors
+++ b/access_vectors
@@ -890,26 +890,24 @@
 
 class keystore_key
 {
-	test
+	get_state
 	get
 	insert
 	delete
 	exist
-	saw
+	list
 	reset
 	password
 	lock
 	unlock
-	zero
+	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
-	reset_uid
-	sync_uid
-	password_uid
 	add_auth
+	user_changed
 }
 
 class debuggerd
diff --git a/adbd.te b/adbd.te
index 57b1e48..7ca63d6 100644
--- a/adbd.te
+++ b/adbd.te
@@ -42,10 +42,9 @@
 allow adbd anr_data_file:file r_file_perms;
 
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-unix_socket_connect(adbd, property, init)
-allow adbd shell_prop:property_service set;
-allow adbd powerctl_prop:property_service set;
-allow adbd ffs_prop:property_service set;
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
 
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
@@ -74,10 +73,6 @@
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;
 
-# b/18078338 - allow read access to executable types on /system
-# to assist with debugging OTA issues.
-allow adbd exec_type:file r_file_perms;
-
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
diff --git a/app.te b/app.te
index af8c508..40de074 100644
--- a/app.te
+++ b/app.te
@@ -185,7 +185,7 @@
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 
 use_keystore({ appdomain -isolated_app })
 
diff --git a/attributes b/attributes
index a9b211f..e42edd6 100644
--- a/attributes
+++ b/attributes
@@ -73,6 +73,3 @@
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
-
-# All domains that are excluded from the domain.te auditallow.
-attribute service_manager_local_audit;
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 82c733d..0bfd33a 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,6 @@
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
 
-allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 
 use_keystore(binderservicedomain)
diff --git a/bluetooth.te b/bluetooth.te
index 890c1d9..a79023d 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -38,16 +38,13 @@
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
-# Talk to init over the property socket.
-unix_socket_connect(bluetooth, property, init)
-
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
 # Allow write access to bluetooth specific properties
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth pan_result_prop:property_service set;
-allow bluetooth ctl_dhcp_pan_prop:property_service set;
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+set_prop(bluetooth, ctl_dhcp_pan_prop)
 
 allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
@@ -56,6 +53,9 @@
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
+# Bluetooth Sim Access Profile Socket to the RIL
+unix_socket_connect(bluetooth, sap_uim, rild)
+
 # already open bugreport file descriptors may be shared with
 # the bluetooth process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
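Review bot: The new `unix_socket_connect(bluetooth, sap_uim, rild)` at L154 introduces a socket type that is defined nowhere near its consumer, and the file.te hunk that adds `type sap_uim_socket, file_type;` (L405) does so by overwriting the blank line that separated the socket-type list from the `# UART (for GPS) control proc file` comment, with no comment of its own. Give the type a one-line comment where it is declared, e.g. `# SIM Access Profile socket, presumably served by rild (see bluetooth.te)`, and restore the blank line before the UART comment. The comment at L153 could also say which direction the connection goes, since the macro arguments alone do not make that obvious to a reader unfamiliar with te_macros.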
diff --git a/clatd.te b/clatd.te
index 5c52bdb..21c9ca9 100644
--- a/clatd.te
+++ b/clatd.te
@@ -19,11 +19,12 @@
 
 # clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
 # capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
-# does not need CAP_IPC_LOCK, so we suppress any denials we see
-# from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940
-dontaudit clatd self:capability ipc_lock;
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
 
 allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
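Review bot: The justification for turning a `dontaudit` into `allow clatd self:capability ipc_lock;` (L177) — a real capability grant rather than a silenced denial — rests on the link at L176 to b.corp.google.com, which is not reachable outside Google, so readers of this policy cannot verify it. Summarize the failure in the comment itself so the grant is self-justifying, e.g. `# On some devices the RLIMIT_MEMLOCK check fails, so mmap(MAP_LOCKED) needs CAP_IPC_LOCK (b/21736319).` The sentence at L172–L173 ("If the latter check succeeds clatd won't have needed CAP_IPC_LOCK") also reads awkwardly; `If the RLIMIT_MEMLOCK check passes, CAP_IPC_LOCK is not needed` says the same thing more plainly.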
diff --git a/device.te b/device.te
index c155fcc..b2f4f1d 100644
--- a/device.te
+++ b/device.te
@@ -12,6 +12,7 @@
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
 type ram_device, dev_type;
+type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
diff --git a/dhcp.te b/dhcp.te
index 32a6ccc..cbf105c 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,9 +13,9 @@
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp dhcp_prop:property_service set;
-allow dhcp pan_result_prop:property_service set;
-unix_socket_connect(dhcp, property, init)
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/domain.te b/domain.te
index 7bc2292..0f6c6da 100644
--- a/domain.te
+++ b/domain.te
@@ -6,6 +6,7 @@
 # Read access to properties mapping.
 allow domain kernel:fd use;
 allow domain tmpfs:file { read getattr };
+allow domain tmpfs:lnk_file { read getattr };
 
 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;
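Review bot: `allow domain tmpfs:lnk_file { read getattr };` at L218 lands under the `# Read access to properties mapping.` comment at L215, which explains the file rule above it but not why every domain must now follow symlinks on tmpfs. A rule granted to `domain` applies to all processes, so its purpose should be stated on the line, e.g. `# Follow tmpfs symlinks: <which symlink — fill in>`; the init.te hunk that drops init's `tmpfs:lnk_file` rule for the unencrypted-data link suggests a candidate, but I cannot confirm that from here. The same applies to `allow domain vold:key search;` at L226 in the next hunk, which sits beside `allow domain init:key search;` with no explanation of why all domains need to search vold's keyring.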
@@ -93,6 +94,7 @@
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 allow domain init:key search;
+allow domain vold:key search;
 
 # logd access
 write_logd(domain)
@@ -182,10 +184,17 @@
   -dumpstate
   -system_server
   userdebug_or_eng(`-procrank')
+  userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
 
 # Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
+neverallow {
+  domain
+  -kernel
+  -init
+  -ueventd
+  -vold
+} self:capability mknod;
 
 # Limit raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
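Review bot: The sys_rawio neverallow at L248 (unchanged) still exempts `-recovery -watchdogd -healthd -uncrypt`, while this commit drops those same domains from the mknod neverallow just above it (L239–L245) and removes `-recovery` from the device:chr_file and rootfs neverallows in the following hunks. If recovery and the others are no longer part of this policy, the sys_rawio exemptions are stale and widen what a future domain with one of those names could do; if they are still needed, a comment explaining why sys_rawio differs from mknod would help. The reformatted mknod rule itself is fine, and the multi-line layout is easier to diff than the one-line form it replaces.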
@@ -267,7 +276,7 @@
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
 # ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -306,7 +315,7 @@
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
@@ -350,6 +359,14 @@
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
+neverallow {
+  domain
+  -init
+  -installd
+  -dex2oat
+  -zygote
+} dalvikcache_data_file:dir no_w_dir_perms;
+
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;
@@ -400,3 +417,59 @@
 # neverallow { domain -appdomain } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+#  mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+  domain
+  -system_server
+  -system_app
+  -init
+  -installd # for relabelfrom and unlink, check for this in explicit neverallow
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+  domain
+  -adbd
+  -init
+  -runas
+  -zygote
+} shell:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+  domain
+  -appdomain
+  -installd
+  -uncrypt  # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+  domain
+  -shell
+  userdebug_or_eng(`-uncrypt')
+  -installd
+} shell_data_file:lnk_file read;
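Review bot: The comment at L296–L297 says only system_app and system_server should be creating or writing system_data_file files, but the neverallow at L303–L309 also exempts init and installd, and L312 then bounds installd separately, so the prose understates the exemption list a reader will rely on. Reword it to match the rule, e.g. `# Only system_server, system_app and init should be creating or writing their files; installd is limited to relabelfrom/unlink by the neverallow below.` The `-uncrypt # TODO: see if we can remove` at L333 and the `userdebug_or_eng(`-uncrypt')` at L339 are the only exemptions in these new symlink-read neverallows without a stated reason; if uncrypt needs them for the OTA package path, say so next to the TODO so the exemption can be reviewed later.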
diff --git a/dumpstate.te b/dumpstate.te
index 43daac4..584b140 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,5 @@
 
 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
-service_manager_local_audit_domain(dumpstate)
 
 allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/file.te b/file.te
index 7bd3843..555b89f 100644
--- a/file.te
+++ b/file.te
@@ -6,6 +6,8 @@
 type proc, fs_type;
 # Security-sensitive proc nodes that should not be writable to most.
 type proc_security, fs_type;
+# Type for /proc/sys/vm/drop_caches
+type proc_drop_caches, fs_type;
 # proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
 type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
@@ -13,6 +15,8 @@
 type proc_cpuinfo, fs_type;
 type proc_net, fs_type;
 type proc_sysrq, fs_type;
+type proc_uid_cputime_showstat, fs_type;
+type proc_uid_cputime_removeuid, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
@@ -116,6 +120,7 @@
 type wifi_data_file, file_type, data_file_type;
 type zoneinfo_data_file, file_type, data_file_type;
 type vold_data_file, file_type, data_file_type;
+type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
 
 # Compatibility with type names used in vanilla Android 4.3 and 4.4.
 typealias audio_data_file alias audio_firmware_file;
@@ -149,6 +154,8 @@
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
+# Type for fingerprint template file.
+type fingerprintd_data_file, file_type, data_file_type;
 
 # Socket types
 type adbd_socket, file_type;
@@ -164,6 +171,7 @@
 type logdw_socket, file_type, mlstrustedobject;
 type mdns_socket, file_type;
 type mdnsd_socket, file_type, mlstrustedobject;
+type misc_logd_file, file_type;
 type mtpd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
@@ -175,7 +183,7 @@
 type vold_socket, file_type;
 type wpa_socket, file_type;
 type zygote_socket, file_type;
-
+type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
diff --git a/file_contexts b/file_contexts
index 0fc096d..d964f9b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,9 +77,12 @@
 /dev/random		u:object_r:random_device:s0
 /dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
 /dev/rproc_user	u:object_r:rpmsg_device:s0
+/dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
+/dev/socket/sap_uim_socket[0-9]        u:object_r:sap_uim_socket:s0
+/dev/socket/cryptd	u:object_r:vold_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
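Review bot: `/dev/socket/cryptd` at L422 is labeled with the existing vold_socket type rather than a type of its own, so every domain already permitted to use vold's socket (for example via `unix_socket_connect(init, vold, vold)` in init.te) obtains the same access to cryptd without any rule being added or reviewed. If sharing the label is intended, a comment such as `# cryptd is vold's crypto control socket and deliberately shares vold_socket` records the decision; if the two should be separable, a dedicated socket type is the safer choice. Separately, the `/dev/rtc[0-9]` (L417) and `sap_uim_socket[0-9]` (L421) entries are space-aligned where the neighbouring entries use tabs, and both match only a single-digit suffix.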
@@ -147,6 +150,7 @@
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
@@ -159,6 +163,8 @@
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/xbin/procrank   u:object_r:procrank_exec:s0
+/system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
+/system/xbin/simpleperf u:object_r:system_file:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/hostapd     u:object_r:hostapd_exec:s0
@@ -184,9 +190,11 @@
 /vendor/bin/gpsd	u:object_r:gpsd_exec:s0
 
 #############################
-# ODM files
+# OEM and ODM files
 #
-/odm(/.*)?		u:object_r:system_file:s0
+/odm(/.*)?              u:object_r:system_file:s0
+/oem(/.*)?              u:object_r:oemfs:s0
+
 
 #############################
 # Data files
@@ -232,6 +240,7 @@
 /data/misc/gatekeeper(/.*)?     u:object_r:gatekeeper_data_file:s0
 /data/misc/keychain(/.*)?       u:object_r:keychain_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)?           u:object_r:misc_logd_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
 /data/misc/net(/.*)?            u:object_r:net_data_file:s0
 /data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
@@ -245,8 +254,12 @@
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
+/data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
@@ -261,6 +274,7 @@
 /mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)?      u:object_r:dalvikcache_data_file:s0
 /mnt/expand/[^/]+/local/tmp(/.*)?                   u:object_r:shell_data_file:s0
 /mnt/expand/[^/]+/media(/.*)?                       u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)?                   u:object_r:vold_data_file:s0
 
 # coredump directory for userdebug/eng devices
 /cores(/.*)?                    u:object_r:coredump_file:s0
@@ -300,4 +314,5 @@
 # external storage
 /mnt/media_rw(/.*)?         u:object_r:mnt_media_rw_file:s0
 /mnt/user(/.*)?             u:object_r:mnt_user_file:s0
+/mnt/runtime(/.*)?          u:object_r:storage_file:s0
 /storage(/.*)?              u:object_r:storage_file:s0
diff --git a/fingerprintd.te b/fingerprintd.te
new file mode 100644
index 0000000..4ceb68d
--- /dev/null
+++ b/fingerprintd.te
@@ -0,0 +1,23 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+# fingerprintd
+init_daemon_domain(fingerprintd)
+binder_use(fingerprintd)
+
+# need to find KeyStore and add self
+allow fingerprintd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
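Review bot: The comments at L505 and L508 do not describe the rules beneath them: L506 grants add/find on fingerprintd_service, which is registration with servicemanager rather than anything to do with KeyStore, and L509 grants `create_file_perms` on files while the comment says "read dir contents". Reword them to match, e.g. `# Register fingerprintd_service with servicemanager`, `# Create, read and write fingerprint template files` and, for L511, `# Search, list and modify the template directory`. The braces in `{ create_file_perms }` at L509 are redundant around a single macro, and the trailing semicolon on `binder_call(fingerprintd, system_server);` at L519 is inconsistent with the other macro invocations in this file such as `binder_use(fingerprintd)` at L503.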
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 39d9d21..ca540c6 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -3,6 +3,7 @@
 
 # gatekeeperd
 init_daemon_domain(gatekeeperd)
+binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
 
@@ -16,6 +17,8 @@
 # For permissions checking
 allow gatekeeperd system_server:binder call;
 allow gatekeeperd permission_service:service_manager find;
+# For parent user ID lookup
+allow gatekeeperd user_service:service_manager find;
 
 # for SID file access
 allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
diff --git a/genfs_contexts b/genfs_contexts
index 4b16ffc..cdf65bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -20,6 +20,10 @@
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/healthd.te b/healthd.te
index 2ea825c..cd5429b 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,12 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
 
-write_klog(healthd)
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by healthd.
-allow healthd tmpfs:chr_file { read write };
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
 
-allow healthd self:capability { net_admin mknod sys_tty_config };
+allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
 allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
 binder_use(healthd)
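Review bot: `allow healthd kmsg_device:chr_file rw_file_perms;` at L570 grants read access on /dev/kmsg although the comment above it says only "Write to /dev/kmsg" and the `write_klog(healthd)` it replaces was, as its name suggests, write-oriented. logd.te in this same commit uses `allow logd kmsg_device:chr_file w_file_perms;` (L749) for the same device; use `w_file_perms` here as well unless healthd actually reads the kernel log, in which case the comment should say so. Dropping `mknod` from the capability set at L573 is a welcome tightening and matches the mknod neverallow rewrite in domain.te.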
@@ -42,5 +40,4 @@
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
-unix_socket_connect(healthd, property, init)
-allow healthd system_prop:property_service set;
+set_prop(healthd, system_prop)
diff --git a/init.te b/init.te
index 9f624ba..41eafe2 100644
--- a/init.te
+++ b/init.te
@@ -96,7 +96,7 @@
 # init.<board>.rc files often include device-specific types, so
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
+allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -122,8 +122,10 @@
 allow init security_file:dir { create setattr };
 
 # Reload policy upon setprop selinux.reload_policy 1.
+# Note: this requires the following allow rule
+#   allow init kernel:security load_policy;
+# which can be configured on a device-by-device basis if needed.
 r_dir_file(init, security_file)
-allow init kernel:security load_policy;
 
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
@@ -161,6 +163,10 @@
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+  domain_auto_trans(init, logcat_exec, logd)
+')
 
 # Support "adb shell stop"
 allow init self:capability kill;
@@ -257,11 +263,7 @@
 # linux keyring configuration
 allow init init:key { write search setattr };
 
-# Allow init to link temp fs to unencrypted data on userdata
-allow init tmpfs:lnk_file { create read getattr relabelfrom };
-
-# Allow init to manipulate /data/unencrypted
-allow init unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
 
 unix_socket_connect(init, vold, vold)
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..2d80b08 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -23,6 +23,4 @@
 allow install_recovery cache_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
-# TODO: create a specific label for this file instead of allowing
-# write for all /proc files.
-allow install_recovery proc:file w_file_perms;
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/installd.te b/installd.te
index 3f685f1..bc4c23e 100644
--- a/installd.te
+++ b/installd.te
@@ -5,10 +5,16 @@
 init_daemon_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
-allow installd apk_data_file:file { rename unlink };
+
+# Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
 allow installd apk_data_file:lnk_file { create read unlink };
+
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
 allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
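Review bot: The comment at L659, "Allow movement of APK files between volumes", does not account for the `link` permission added at L661 (and at L657 for dalvikcache_data_file), because hard links cannot span filesystems and a cross-volume move is a copy followed by an unlink. The widening from `{ rename unlink }` to `{ create_file_perms relabelfrom link }` is larger than the comment justifies, so state what `link` is for, e.g. `# Allow movement of APK files between volumes (copy + unlink) and hard-linking within a volume`. The `relabelto` grants under L655 are covered by the dalvikcache_data_file:dir neverallow added in domain.te, which exempts installd, so those two hunks are consistent with each other.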
@@ -16,7 +22,7 @@
 allow installd oemfs:file r_file_perms;
 allow installd system_file:file x_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd mnt_expand_file:dir search;
+allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
 # Read /seapp_contexts and /data/security/seapp_contexts
diff --git a/ioctl_macros b/ioctl_macros
new file mode 100644
index 0000000..e71e0ce
--- /dev/null
+++ b/ioctl_macros
@@ -0,0 +1,11 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927
+0x8900-0x8926 0x8928-0x89ff
+# all wireless extensions ioctls except get/set essid
+# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
+0x8B00-0x8B09 0x8B1C-0x8BFF
+# commonly used TTY ioctls
+0x5411 0x5451
+}')
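Review bot: The comment at L687–L688 says only the get/set ESSID ioctls are excluded, but the ranges at L689 (`0x8B00-0x8B09 0x8B1C-0x8BFF`) leave out 0x8B0A–0x8B1B, which is eighteen wireless-extension commands rather than two. Decide which is intended and make the comment and the ranges agree; if the wider gap is deliberate, say so, because a future reader fixing the "discrepancy" could otherwise silently widen the whitelist. `IOCSIWESSID` at L688 is missing its leading S (`SIOCSIWESSID`), and naming the two TTY ioctls at L691 — `# commonly used TTY ioctls: TIOCOUTQ (0x5411), FIOCLEX (0x5451)` per asm-generic/ioctls.h — would save the next reader a lookup.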
diff --git a/isolated_app.te b/isolated_app.te
index 1cede96..330f0af 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,7 +18,8 @@
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-service_manager_local_audit_domain(isolated_app)
+# only allow unprivileged socket ioctl commands
+allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
 
 #####
 ##### Neverallow
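Review bot: `allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;` at L703 puts a set of ioctl command numbers in the position where checkpolicy expects permission names; upstream checkpolicy expresses ioctl whitelisting as `allowxperm <src> <tgt>:<class> ioctl <set>;` alongside a plain `allow … ioctl;`. Unless the checkpolicy this tree pins (POLICYVERS 30 in Android.mk) accepts this shorter form, the statement will not compile, so confirm it against the toolchain. The comment at L702 could also point at the macro's home, `# only allow unprivileged socket ioctl commands (defined in ioctl_macros)`, since the set is not visible here.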
diff --git a/kernel.te b/kernel.te
index 72325c2..6747d1c 100644
--- a/kernel.te
+++ b/kernel.te
@@ -24,6 +24,18 @@
 # Write to /proc/1/oom_adj prior to switching to init domain.
 allow kernel self:capability sys_resource;
 
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/__kmsg__ which was created prior to
+# loading policy
+allow kernel tmpfs:chr_file write;
+
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;
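Review bot: The comment at L718–L719 argues that the sysrq-trigger write is not needed ("/data is not mounted at this point, so we could ignore this"), yet L721 grants `w_file_perms` on proc_sysrq to the kernel domain anyway. If the write is genuinely not required, `dontaudit kernel proc_sysrq:file w_file_perms;` silences the denial without extending what the pre-init domain may do; if it is required for the reboot path, reword the comment so it no longer presents the grant as optional. The comment at L715 also reads oddly ("Init reboot before switching selinux domains"); `init may reboot before switching out of the kernel domain on certain errors` is clearer.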
diff --git a/keystore.te b/keystore.te
index 3561fed..83a0e85 100644
--- a/keystore.te
+++ b/keystore.te
@@ -23,7 +23,7 @@
 ### Protect ourself from others
 ###
 
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
 
 neverallow { domain -keystore -init } keystore_data_file:dir *;
diff --git a/logd.te b/logd.te
index 8c28b48..b0d978f 100644
--- a/logd.te
+++ b/logd.te
@@ -10,6 +10,10 @@
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:file r_file_perms;
+allow logd misc_logd_file:file create_file_perms;
+allow logd misc_logd_file:dir rw_dir_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
 
 r_dir_file(logd, domain)
 
@@ -17,6 +21,11 @@
 
 control_logd(logd)
 
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+  unix_socket_connect(logd, logdr, logd)
+')
+
 ###
 ### Neverallow rules
 ###
diff --git a/mediaserver.te b/mediaserver.te
index d269097..0299466 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -6,7 +6,6 @@
 
 net_domain(mediaserver)
 init_daemon_domain(mediaserver)
-unix_socket_connect(mediaserver, property, init)
 
 r_dir_file(mediaserver, sdcard_type)
 
@@ -27,7 +26,8 @@
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
 allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver audio_prop:property_service set;
+
+set_prop(mediaserver, audio_prop)
 
 # Access audio devices at all.
 allow mediaserver audio_device:chr_file rw_file_perms;
@@ -80,6 +80,7 @@
 
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
+allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
diff --git a/netd.te b/netd.te
index f84b452..d4c5153 100644
--- a/netd.te
+++ b/netd.te
@@ -30,9 +30,8 @@
 allow netd sysfs:file write;
 
 # Set dhcp lease for PAN connection
-unix_socket_connect(netd, property, init)
-allow netd dhcp_prop:property_service set;
-allow netd system_prop:property_service set;
+set_prop(netd, dhcp_prop)
+set_prop(netd, system_prop)
 auditallow netd system_prop:property_service set;
 
 # Connect to PAN
@@ -62,7 +61,7 @@
 domain_auto_trans(netd, clatd_exec, clatd)
 allow netd clatd:process signal;
 
-allow netd ctl_mdnsd_prop:property_service set;
+set_prop(netd, ctl_mdnsd_prop)
 
 # Allow netd to operate on sockets that are passed to it.
 allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
diff --git a/nfc.te b/nfc.te
index 8528b4f..71841be 100644
--- a/nfc.te
+++ b/nfc.te
@@ -5,8 +5,7 @@
 binder_service(nfc)
 
 # Set NFC properties
-unix_socket_connect(nfc, property, init)
-allow nfc nfc_prop:property_service set;
+set_prop(nfc, nfc_prop)
 
 # NFC device access.
 allow nfc nfc_device:chr_file rw_file_perms;
diff --git a/perfprofd.te b/perfprofd.te
new file mode 100644
index 0000000..58cb3e2
--- /dev/null
+++ b/perfprofd.te
@@ -0,0 +1,56 @@
+# perfprofd - perf profile collection daemon
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+  type perfprofd, domain, mlstrustedsubject;
+
+  init_daemon_domain(perfprofd)
+
+  # perfprofd needs to control CPU hot-plug in order to avoid kernel
+  # perfevents problems in cases where CPU goes on/off during measurement;
+  # this means read access to /sys/devices/system/cpu/possible
+  # and read/write access to /sys/devices/system/cpu/cpu*/online
+  allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+  # perfprofd checks for the existence of and then invokes simpleperf;
+  # simpleperf retains perfprofd domain after exec
+  allow perfprofd system_file:file rx_file_perms;
+
+  # perfprofd reads a config file from /data/data/com.google.android.gms/files
+  allow perfprofd app_data_file:file r_file_perms;
+  allow perfprofd app_data_file:dir search;
+  allow perfprofd self:capability { dac_override };
+
+  # perfprofd opens a file for writing in /data/misc/perfprofd
+  allow perfprofd perfprofd_data_file:file create_file_perms;
+  allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+
+  # perfprofd uses the system log
+  read_logd(perfprofd);
+  write_logd(perfprofd);
+
+  # perfprofd inspects /sys/power/wake_unlock
+  wakelock_use(perfprofd);
+
+  # simpleperf uses ioctl() to turn on kernel perf events measurements
+  allow perfprofd self:capability sys_admin;
+
+  # simpleperf needs to examine /proc to collect task/thread info
+  r_dir_file(perfprofd, domain)
+
+  # simpleperf needs to access /proc/<pid>/exec
+  allow perfprofd self:capability { sys_resource sys_ptrace };
+  neverallow perfprofd domain:process ptrace;
+
+  # simpleperf needs open/read any file that turns up in a profile
+  # to see whether it has a build ID
+  allow perfprofd exec_type:file r_file_perms;
+
+  # simpleperf is going to execute "sleep"
+  allow perfprofd toolbox_exec:file x_file_perms;
+
+  # needed for simpleperf on some kernels
+  allow perfprofd self:capability ipc_lock;
+
+')
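Review bot: L886 refers to `/proc/<pid>/exec`, but the procfs entry is `/proc/<pid>/exe`, so the comment should read `# simpleperf needs to access /proc/<pid>/exe`. The `dac_override` grant at L867 has no comment of its own; if it exists so perfprofd can read the app-private config file described at L864, say so on the line, since it is one of the broadest capabilities granted here. The trailing semicolons on `read_logd(perfprofd);`, `write_logd(perfprofd);` and `wakelock_use(perfprofd);` (L874–L878) are inconsistent with `r_dir_file(perfprofd, domain)` at L884 and with macro usage in the rest of the tree.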
diff --git a/procrank.te b/procrank.te
index 680d549..1aaaad0 100644
--- a/procrank.te
+++ b/procrank.te
@@ -12,4 +12,6 @@
   r_dir_file(procrank, domain)
   allow procrank { shell dumpstate }:fd use;
   allow procrank adbd:process sigchld;
+  # allow procrank write to bugreport.
+  allow procrank shell_data_file:file w_file_perms;
 ')
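Review bot: `w_file_perms` on `shell_data_file:file` is wider than the comment "write to bugreport" suggests, because that macro (as defined in global_macros, as far as I recall) also carries `open`, so procrank may open any shell-labelled data file for writing rather than only write to the bugreport descriptor it already inherits through the `{ shell dumpstate }:fd use` rule above. If the output always arrives as an inherited fd, `allow procrank shell_data_file:file { write append };` is the narrower rule. If procrank really opens the file itself, the comment should say so: `# procrank opens its bugreport output file (shell_data_file) for writing.` The grammar of the existing comment also wants fixing ("allow procrank to write to bugreport").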
diff --git a/property.te b/property.te
index 94ae714..e046f42 100644
--- a/property.te
+++ b/property.te
@@ -21,6 +21,7 @@
 type ctl_console_prop, property_type;
 type audio_prop, property_type;
 type logd_prop, property_type;
+type restorecon_prop, property_type;
 type security_prop, property_type;
 type bluetooth_prop, property_type;
 type pan_result_prop, property_type;
diff --git a/property_contexts b/property_contexts
index 1844910..5bdb3c3 100644
--- a/property_contexts
+++ b/property_contexts
@@ -41,7 +41,8 @@
 persist.security.       u:object_r:system_prop:s0
 
 # selinux non-persistent properties
-selinux.                u:object_r:security_prop:s0
+selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
+selinux.                       u:object_r:security_prop:s0
 
 # default property context
 *                       u:object_r:default_prop:s0
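Review bot: The new `selinux.restorecon_recursive` entry only takes effect because it sits above the `selinux.` prefix entry, and nothing in the file records that the order is load-bearing. If lookup is first-matching-prefix in file order (which I believe it is for the property backend of this era — worth confirming), a later reordering silently relabels the key back to `security_prop`, and the `neverallow { domain -vold -init } restorecon_prop:property_service set;` rule added in vold.te would not notice. Suggest a comment directly above the entry: `# Must stay above the "selinux." catch-all: the first matching prefix wins.`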
diff --git a/radio.te b/radio.te
index 92f18d2..a01a113 100644
--- a/radio.te
+++ b/radio.te
@@ -5,9 +5,6 @@
 bluetooth_domain(radio)
 binder_service(radio)
 
-# Talks to init via the property socket.
-unix_socket_connect(radio, property, init)
-
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
 
@@ -21,14 +18,14 @@
 allow radio net_data_file:file r_file_perms;
 
 # Property service
-allow radio radio_prop:property_service set;
-allow radio net_radio_prop:property_service set;
-allow radio system_radio_prop:property_service set;
+set_prop(radio, radio_prop)
+set_prop(radio, system_radio_prop)
+set_prop(radio, net_radio_prop)
 auditallow radio net_radio_prop:property_service set;
 auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
-allow radio ctl_rildaemon_prop:property_service set;
+set_prop(radio, ctl_rildaemon_prop)
 
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
diff --git a/recovery.te b/recovery.te
index 8576356..8d6fd62 100644
--- a/recovery.te
+++ b/recovery.te
@@ -41,8 +41,7 @@
   allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
 
   # Write to /proc/sys/vm/drop_caches
-  # TODO: create more specific label?
-  allow recovery proc:file w_file_perms;
+  allow recovery proc_drop_caches:file w_file_perms;
 
   # Write to /sys/class/android_usb/android0/enable.
   # TODO: create more specific label?
@@ -77,12 +76,14 @@
   allow recovery cache_file:dir create_dir_perms;
   allow recovery cache_file:file create_file_perms;
 
+  # Read files on /oem.
+  r_dir_file(recovery, oemfs);
+
   # Reboot the device
-  allow recovery powerctl_prop:property_service set;
-  unix_socket_connect(recovery, property, init)
+  set_prop(recovery, powerctl_prop)
 
   # Start/stop adbd via ctl.start adbd
-  allow recovery ctl_default_prop:property_service set;
+  set_prop(recovery, ctl_default_prop)
 
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
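Review bot: `r_dir_file(recovery, oemfs);` carries a trailing semicolon that no other macro invocation in this file uses (`set_prop(recovery, powerctl_prop)` a few lines below has none); after m4 expansion the `;` is left dangling after the macro's last rule, which checkpolicy appears to tolerate but is inconsistent. Drop it: `r_dir_file(recovery, oemfs)`. The same pattern appears in perfprofd.te (`read_logd(perfprofd);`, `write_logd(perfprofd);`, `wakelock_use(perfprofd);`), whose hunk begins before this chunk.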
diff --git a/rild.te b/rild.te
index d8e48d5..549a4aa 100644
--- a/rild.te
+++ b/rild.te
@@ -6,7 +6,6 @@
 net_domain(rild)
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
-unix_socket_connect(rild, property, init)
 allow rild self:capability { setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
@@ -26,9 +25,9 @@
 allow rild system_file:file x_file_perms;
 
 # property service
-allow rild radio_prop:property_service set;
-allow rild net_radio_prop:property_service set;
-allow rild system_radio_prop:property_service set;
+set_prop(rild, radio_prop)
+set_prop(rild, net_radio_prop)
+set_prop(rild, system_radio_prop)
 auditallow rild net_radio_prop:property_service set;
 auditallow rild system_radio_prop:property_service set;
 
diff --git a/sdcardd.te b/sdcardd.te
index cd2bc64..a664820 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,8 +1,6 @@
 type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
-init_daemon_domain(sdcardd) # TODO: deprecated in M
-
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
@@ -31,3 +29,11 @@
 
 # Allow running on top of expanded storage
 allow sdcardd mnt_expand_file:dir search;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
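Review bot: The neverallow block states that init must no longer start sdcardd but not which domain does now, and the first hunk of this file removes `init_daemon_domain(sdcardd)` without a replacement transition visible anywhere in the diff, so a reader cannot tell whether the transition moved or was dropped. Presumably vold now spawns it (the vold.te hunk adding `sys_chroot` and `storage_file:dir mounton` is consistent with that, but confirm against vold.te). If so, say it next to the rules: `# sdcardd is now started by vold, not init; see vold.te for the transition rule.`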
diff --git a/security_classes b/security_classes
index 9cd3f1c..c0c9659 100644
--- a/security_classes
+++ b/security_classes
@@ -132,7 +132,6 @@
 class db_language		# userspace
 
 class binder
-class zygote
 
 # Property service
 class property_service          # userspace
diff --git a/service.te b/service.te
index da01071..56478d0 100644
--- a/service.te
+++ b/service.te
@@ -1,10 +1,11 @@
 type bluetooth_service,         service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
+type gatekeeper_service,        app_api_service, service_manager_type;
+type fingerprintd_service,      service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
-type gatekeeper_service,        service_manager_type;
 type mediaserver_service,       service_manager_type;
 type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
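Review bot: Attaching `app_api_service` to `gatekeeper_service` lets every domain granted find on that attribute reach GateKeeper, which is what replaces the explicit `allow untrusted_app gatekeeper_service:service_manager find` dropped in untrusted_app.te — but the reason now lives nowhere, since the removed comment there ("Apps using KeyStore API will request the SID from GateKeeper") was its only statement. shell.te still carves `gatekeeper_service` out of shell's own find rule; whether shell also receives `app_api_service` find through a rule outside this diff is not visible here and is worth checking so the two do not contradict each other. Suggest on the moved line: `# app_api_service: apps using the KeyStore API request their SID from GateKeeper.`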
@@ -24,6 +25,7 @@
 type batterystats_service, app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, system_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
@@ -34,7 +36,7 @@
 type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
 type dbinfo_service, system_api_service, system_server_service, service_manager_type;
 type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type deviceidle_service, system_server_service, service_manager_type;
+type deviceidle_service, system_api_service, system_server_service, service_manager_type;
 type devicestoragemonitor_service, system_server_service, service_manager_type;
 type diskstats_service, system_api_service, system_server_service, service_manager_type;
 type display_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 49773b7..85dcd3d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,6 +39,7 @@
 dropbox                                   u:object_r:dropbox_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
 hardware                                  u:object_r:hardware_service:s0
@@ -62,8 +63,11 @@
 media.audio_flinger                       u:object_r:mediaserver_service:s0
 media.audio_policy                        u:object_r:mediaserver_service:s0
 media.camera                              u:object_r:mediaserver_service:s0
+media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.resource_manager                    u:object_r:mediaserver_service:s0
+media.radio                               u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
 media_projection                          u:object_r:media_projection_service:s0
 media_router                              u:object_r:media_router_service:s0
diff --git a/shell.te b/shell.te
index e7ea149..1be9eec 100644
--- a/shell.te
+++ b/shell.te
@@ -15,6 +15,9 @@
 # logcat -L (directly, or via dumpstate)
 allow shell pstorefs:dir search;
 allow shell pstorefs:file r_file_perms;
+# logpersistd (nee logcatd) files
+allow shell misc_logd_file:dir r_dir_perms;
+allow shell misc_logd_file:file r_file_perms;
 
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
@@ -41,11 +44,10 @@
 r_dir_file(shell, apk_data_file)
 
 # Set properties.
-unix_socket_connect(shell, property, init)
-allow shell shell_prop:property_service set;
-allow shell ctl_dumpstate_prop:property_service set;
-allow shell debug_prop:property_service set;
-allow shell powerctl_prop:property_service set;
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
 
 # systrace support - allow atrace to run
 # debugfs doesn't support labeling individual files, so we have
@@ -61,7 +63,6 @@
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 allow shell { service_manager_type -gatekeeper_service }:service_manager find;
-service_manager_local_audit_domain(shell)
 
 # allow shell to look through /proc/ for ps, top
 allow shell domain:dir { search open read getattr };
diff --git a/slideshow.te b/slideshow.te
index 2b82b3e..86d4bff 100644
--- a/slideshow.te
+++ b/slideshow.te
@@ -2,10 +2,10 @@
 # it lives in the rootfs and has no unique file type.
 type slideshow, domain;
 
-write_klog(slideshow)
+allow slideshow kmsg_device:chr_file rw_file_perms;
 wakelock_use(slideshow)
 allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow self:capability sys_tty_config;
 allow slideshow graphics_device:dir r_dir_perms;
 allow slideshow graphics_device:chr_file rw_file_perms;
 allow slideshow input_device:dir r_dir_perms;
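Review bot: `allow slideshow kmsg_device:chr_file rw_file_perms;` grants read as well as write on the kernel log device, whereas the `write_klog` macro it replaces (see the te_macros hunk removing it) only granted `{ create open write unlink }`; if slideshow merely emits log lines, `w_file_perms` preserves the old scope and does not additionally let it read the kernel ring buffer. The same widening appears in vold.te (`allow vold kmsg_device:chr_file rw_file_perms;`) and watchdogd.te (`allow watchdogd kmsg_device:chr_file rw_file_perms;`). Where read is genuinely needed, a one-line comment saying why would make the choice deliberate rather than incidental.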
diff --git a/su.te b/su.te
index 9c01fc5..d4a488b 100644
--- a/su.te
+++ b/su.te
@@ -50,5 +50,4 @@
   dontaudit su domain:debuggerd *;
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
-  service_manager_local_audit_domain(su)
 ')
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c85df82..26a4e48 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -5,9 +5,6 @@
 init_daemon_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 
-# Talk to init over the property socket.
-unix_socket_connect(surfaceflinger, property, init)
-
 # Perform Binder IPC.
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
@@ -37,8 +34,8 @@
 allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
-allow surfaceflinger system_prop:property_service set;
-allow surfaceflinger ctl_bootanim_prop:property_service set;
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;
diff --git a/system_app.te b/system_app.te
index 895ff71..08e3f5c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -27,19 +27,21 @@
 auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
 auditallow system_app system_data_file:file { create setattr append write link unlink rename };
 
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 
 # Write to properties
-unix_socket_connect(system_app, property, init)
-allow system_app debug_prop:property_service set;
-allow system_app net_radio_prop:property_service set;
-allow system_app system_radio_prop:property_service set;
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, ctl_bugreport_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
-allow system_app system_prop:property_service set;
-allow system_app ctl_bugreport_prop:property_service set;
-allow system_app logd_prop:property_service set;
 
 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
@@ -48,31 +50,27 @@
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
-allow system_app mediaserver_service:service_manager find;
-allow system_app nfc_service:service_manager find;
-allow system_app radio_service:service_manager find;
-allow system_app surfaceflinger_service:service_manager find;
-allow system_app system_app_service:service_manager add;
-allow system_app app_api_service:service_manager find;
-allow system_app system_api_service:service_manager find;
+allow system_app servicemanager:service_manager list;
+allow system_app service_manager_type:service_manager find;
 
 allow system_app keystore:keystore_key {
-	test
+	get_state
 	get
 	insert
 	delete
 	exist
-	saw
+	list
 	reset
 	password
 	lock
 	unlock
-	zero
+	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
+	user_changed
 };
 
 control_logd(system_app)
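Review bot: `allow system_app service_manager_type:service_manager find;` replaces seven targeted rules with find on every registered service, including `gatekeeper_service`, which shell.te deliberately excludes for shell; for a domain that hosts apps that is a notable widening and the hunk records no reason for it. Separately, `allow system_app system_app_service:service_manager add;` disappears with no replacement in this diff, so unless registration moved to a rule outside it, a system app that still adds a service will now be denied — worth confirming. If the broad find is intended, say so on the rule, e.g. `# System apps (Settings among them) look up arbitrary services; broad find is intentional.`; otherwise restore the narrower list.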
diff --git a/system_server.te b/system_server.te
index d8e5978..0b18eb4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,12 @@
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
 
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
 # Write to /proc/sysrq-trigger.
 allow system_server proc_sysrq:file rw_file_perms;
 
@@ -105,7 +111,6 @@
 allow system_server init:process sigchld;
 
 # Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
@@ -123,6 +128,7 @@
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
 binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
@@ -162,8 +168,11 @@
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
-allow system_server audio_device:chr_file r_file_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
 
 # tun device used for 3rd party vpn apps
 allow system_server tun_device:chr_file rw_file_perms;
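Review bot: `allow system_server rtc_device:chr_file rw_file_perms;` arrives without a comment, while the neighbouring rule in the same hunk (`# write access needed for MIDI`) and the rest of the file record why each device is opened; the rule also grants write, i.e. the ability to set the hardware clock, which deserves a stated reason. Suggest `# Read and set the hardware clock via rtc_device.` above it, or `r_file_perms` if write is not actually required — the diff does not show which.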
@@ -273,18 +282,18 @@
 allow system_server anr_data_file:dir relabelto;
 
 # Property Service write
-allow system_server system_prop:property_service set;
-allow system_server dhcp_prop:property_service set;
-allow system_server net_radio_prop:property_service set;
-allow system_server system_radio_prop:property_service set;
-allow system_server debug_prop:property_service set;
-allow system_server powerctl_prop:property_service set;
-allow system_server fingerprint_prop:property_service set;
+set_prop(system_server, system_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
 
 # ctl interface
-allow system_server ctl_default_prop:property_service set;
-allow system_server ctl_dhcp_pan_prop:property_service set;
-allow system_server ctl_bugreport_prop:property_service set;
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_dhcp_pan_prop)
+set_prop(system_server, ctl_bugreport_prop)
 
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
@@ -302,6 +311,7 @@
 # Manage cache files.
 allow system_server cache_file:dir { relabelfrom create_dir_perms };
 allow system_server cache_file:file { relabelfrom create_file_perms };
+allow system_server cache_file:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
@@ -367,6 +377,7 @@
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
@@ -374,26 +385,24 @@
 allow system_server surfaceflinger_service:service_manager find;
 
 allow system_server keystore:keystore_key {
-	test
+	get_state
 	get
 	insert
 	delete
 	exist
-	saw
+	list
 	reset
 	password
 	lock
 	unlock
-	zero
+	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
-	reset_uid
-	sync_uid
-	password_uid
 	add_auth
+	user_changed
 };
 
 # Allow system server to search and write to the persistent factory reset
@@ -418,6 +427,9 @@
 # Traverse into expanded storage
 allow system_server mnt_expand_file:dir r_dir_perms;
 
+# Allow system process to relabel the fingerprint directory after mkdir
+allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+
 ###
 ### Neverallow rules
 ###
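Review bot: `{r_dir_perms relabelto}` omits the spaces inside the braces that every other permission set in this file uses (`{ relabelfrom create_dir_perms }` in the cache_file hunk, `{ w_file_perms getattr }` earlier in this diff). Write it as `allow system_server fingerprintd_data_file:dir { r_dir_perms relabelto };` for consistency.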
diff --git a/te_macros b/te_macros
index fae0e3a..70b1883 100644
--- a/te_macros
+++ b/te_macros
@@ -118,12 +118,32 @@
 # unix_socket_connect(clientdomain, socket, serverdomain)
 # Allow a local socket connection from clientdomain via
 # socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
 define(`unix_socket_connect', `
 allow $1 $2_socket:sock_file write;
 allow $1 $3:unix_stream_socket connectto;
 ')
 
 #####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+')
+
+#####################################
 # unix_socket_send(clientdomain, socket, serverdomain)
 # Allow a local socket send from clientdomain via
 # socket to serverdomain.
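Review bot: The new note in the `unix_socket_connect` header is the text people will read when chasing a property denial, and its closing lines read awkwardly ("This sequence is indicative of attempting to set a property. use set_prop(...)"). Suggest: `# This sequence indicates an attempt to set a property; use` followed by `# set_prop(sourcedomain, targetproperty) instead of spelling the rules out.` It would also help the `set_prop` header to state that the macro expands `unix_socket_connect($1, property, init)` on every call, so callers no longer need that line themselves — which is exactly why the per-domain hunks in this diff remove it.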
@@ -255,17 +275,6 @@
 ')
 
 #####################################
-# write_klog(domain)
-# Ability to write to kernel log via
-# klog_write()
-# See system/core/libcutil/klog.c
-define(`write_klog', `
-type_transition $1 device:chr_file klog_device "__kmsg__";
-allow $1 klog_device:chr_file { create open write unlink };
-allow $1 device:dir { write add_name remove_name };
-')
-
-#####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `
@@ -338,14 +347,6 @@
 ')
 
 ###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
-  typeattribute $1 service_manager_local_audit;
-')
-
-###########################################
 # use_drmservice(domain)
 # Ability to use DrmService which requires
 # DrmService to call getpidcon.
diff --git a/tools/Android.mk b/tools/Android.mk
index d749dd6..2a2e83d 100644
--- a/tools/Android.mk
+++ b/tools/Android.mk
@@ -4,10 +4,11 @@
 
 LOCAL_MODULE := checkseapp
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include/
+LOCAL_C_INCLUDES := external/selinux/libsepol/include/
 LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror
 LOCAL_SRC_FILES := check_seapp.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
 
@@ -16,11 +17,12 @@
 
 LOCAL_MODULE := checkfc
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include \
+LOCAL_C_INCLUDES := external/selinux/libsepol/include \
                     external/libselinux/include
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := checkfc.c
 LOCAL_STATIC_LIBRARIES := libsepol libselinux
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
 
@@ -39,11 +41,12 @@
 
 LOCAL_MODULE := sepolicy-check
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_C_INCLUDES := external/selinux/libsepol/include
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-check.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
 
-include $(call all-makefiles-under,$(LOCAL_PATH))
\ No newline at end of file
+include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index e65efe9..7568351 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -5,9 +5,10 @@
 
 LOCAL_MODULE := sepolicy-analyze
 LOCAL_MODULE_TAGS := optional
-LOCAL_C_INCLUDES := external/libsepol/include
+LOCAL_C_INCLUDES := external/selinux/libsepol/include
 LOCAL_CFLAGS := -Wall -Werror
 LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c
 LOCAL_STATIC_LIBRARIES := libsepol
+LOCAL_CXX_STL := none
 
 include $(BUILD_HOST_EXECUTABLE)
diff --git a/ueventd.te b/ueventd.te
index 23c93ad..f4884d7 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,7 +2,12 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
-write_klog(ueventd)
+
+# TODO: why is ueventd using __kmsg__ when it should just create
+# and use /dev/kmsg instead?
+type_transition ueventd device:chr_file klog_device "__kmsg__";
+allow ueventd klog_device:chr_file { create open write unlink };
+
 security_access_policy(ueventd)
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
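Review bot: The inlined replacement for `write_klog(ueventd)` keeps the `type_transition` and the `klog_device:chr_file { create open write unlink }` rule but drops the macro's third line, `allow $1 device:dir { write add_name remove_name };` (visible in the te_macros hunk that deletes write_klog). Creating and unlinking the `__kmsg__` node needs those directory permissions; ueventd very likely holds them already through rules outside this hunk, since it creates device nodes generally, but that should be confirmed rather than assumed. If it does, a comment such as `# device:dir write/add_name/remove_name for __kmsg__ come from ueventd's general /dev rules.` closes the loop; if not, the line needs restoring.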
diff --git a/uncrypt.te b/uncrypt.te
index 743236d..752124d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -14,15 +14,15 @@
   r_dir_file(uncrypt, shell_data_file)
 ')
 
-# Create tmp file /cache/recovery/command.tmp
 # Read /cache/recovery/command
-# Rename /cache/recovery/command.tmp to /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+# Write to pipe file /cache/recovery/uncrypt_status
 allow uncrypt cache_file:dir rw_dir_perms;
 allow uncrypt cache_file:file create_file_perms;
+allow uncrypt cache_file:fifo_file w_file_perms;
 
 # Set a property to reboot the device.
-unix_socket_connect(uncrypt, property, init)
-allow uncrypt powerctl_prop:property_service set;
+set_prop(uncrypt, powerctl_prop)
 
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
diff --git a/untrusted_app.te b/untrusted_app.te
index 1b7aaee..693a13c 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@
 allow untrusted_app media_rw_data_file:dir create_dir_perms;
 allow untrusted_app media_rw_data_file:file create_file_perms;
 
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
+
 # Write to /cache.
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
@@ -93,9 +97,20 @@
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
-# Apps using KeyStore API will request the SID from GateKeeper
-allow untrusted_app gatekeeper_service:service_manager find;
-binder_call(untrusted_app, gatekeeperd)
+# only allow unprivileged socket ioctl commands
+allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+  allow untrusted_app perfprofd_data_file:file r_file_perms;
+  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
+')
+
+# Programs routinely attempt to scan through /system, looking
+# for files. Suppress the denials when they occur.
+dontaudit untrusted_app exec_type:file getattr;
 
 ###
 ### neverallow rules
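Review bot: The comment says the perfprofd rules exist for GMS core, but the rules grant every `untrusted_app` process read access to `perfprofd_data_file`, so on userdebug/eng builds any app can read whatever perfprofd writes there; the comment should acknowledge that the grant is wider than its intended consumer, the way `# TODO: narrow this to just MediaProvider` does for `mnt_media_rw_file` in the previous hunk. Suggest adding inside the `userdebug_or_eng` block: `# TODO: broader than GMS core; every untrusted app can read these on userdebug/eng.` If GMS core can be labelled more specifically, that is the real fix, but it lies outside this diff.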
diff --git a/vold.te b/vold.te
index e72822c..b22436f 100644
--- a/vold.te
+++ b/vold.te
@@ -81,7 +81,7 @@
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
-write_klog(vold)
+allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck.
 allow vold fsck_exec:file rx_file_perms;
@@ -94,9 +94,6 @@
 # Rules to support encrypted fs support.
 #
 
-# Set property.
-unix_socket_connect(vold, property, init)
-
 # Unmount and mount the fs.
 allow vold labeledfs:filesystem { mount unmount remount };
 
@@ -111,9 +108,10 @@
 allow vold kernel:process setsched;
 
 # Property Service
-allow vold vold_prop:property_service set;
-allow vold powerctl_prop:property_service set;
-allow vold ctl_fuse_prop:property_service set;
+set_prop(vold, vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
 
 # ASEC
 allow vold asec_image_file:file create_file_perms;
@@ -143,15 +141,30 @@
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 
-# Allow init to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
 
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
 # Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;
 
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:capability sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:capability sys_chroot;
+allow vold storage_file:dir mounton;
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init } restorecon_prop:property_service set;
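Review bot: `allow vold vold:key { write search setattr };` names the domain as its own target where the rest of the file uses `self` (`allow vold self:capability sys_nice;` in the same hunk); `allow vold self:key { write search setattr };` is equivalent and reads as intended. Likewise `unencrypted_data_file:{ file } create_file_perms` keeps braces around a single class after `lnk_file` was dropped — `unencrypted_data_file:file create_file_perms` is the file's usual form. Both are cosmetic; the tightened `vold_data_file` neverallow and the new `restorecon_prop` neverallow look consistent with the property_contexts change.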
diff --git a/watchdogd.te b/watchdogd.te
index ab93560..00292a9 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,9 +1,4 @@
 # watchdogd seclabel is specified in init.<board>.rc
 type watchdogd, domain;
-allow watchdogd self:capability mknod;
-allow watchdogd device:dir { add_name write remove_name };
 allow watchdogd watchdog_device:chr_file rw_file_perms;
-# because of /dev/__kmsg__ and /dev/__null__
-write_klog(watchdogd)
-type_transition watchdogd device:chr_file null_device "__null__";
-allow watchdogd null_device:chr_file { create unlink };
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/zygote.te b/zygote.te
index d2f629c..7029344 100644
--- a/zygote.te
+++ b/zygote.te
@@ -53,7 +53,8 @@
 allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
-allow zygote tmpfs:filesystem mount; # TODO: deprecated in M
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
 
 # Allowed to create user-specific storage source if started before vold
@@ -64,3 +65,15 @@
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
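Review bot: The new neverallow constrains `dyntransition` only, while zygote also holds `allow zygote zygote_exec:file rx_file_perms;` for the `--invoke-with` wrapper path, so an exec-based `transition` into a non-appdomain type is not excluded by this rule. If no exec transition out of zygote is intended at all, `neverallow zygote ~{ appdomain system_server }:process { transition dyntransition };` states the invariant the comment describes more completely. If exec transitions from zygote are deliberately allowed elsewhere, a comment noting that `transition` is out of scope here would avoid the same question next time.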