Merge "Remove zygote write access to system_data_file."
diff --git a/domain.te b/domain.te
index 7f0347a..b8ddc2e 100644
--- a/domain.te
+++ b/domain.te
@@ -153,6 +153,9 @@
 # Limit device node creation and raw I/O to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
 
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow domain self:memprotect mmap_zero;
+
 # No domain needs mac_override as it is unused by SELinux.
 neverallow domain self:capability2 mac_override;
 
diff --git a/file.te b/file.te
index ac4220f..00f1589 100644
--- a/file.te
+++ b/file.te
@@ -118,6 +118,7 @@
 type bluetooth_socket, file_type;
 type dnsproxyd_socket, file_type, mlstrustedobject;
 type dumpstate_socket, file_type;
+type fwmarkd_socket, file_type, mlstrustedobject;
 type gps_socket, file_type;
 type installd_socket, file_type;
 type lmkd_socket, file_type;
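Review bot: `type fwmarkd_socket, file_type, mlstrustedobject;` gives the new socket the mlstrustedobject attribute with no explanation, and that attribute exempts the object from MLS constraints, which is a grant a reader should be able to justify. I infer from the neighbouring dnsproxyd_socket line that the reason is that netdomain clients run at differing MLS levels and must all be able to connect; if so, say it: `# mlstrustedobject: connected to by netdomain processes at any MLS level (as dnsproxyd_socket)`. Confirm that is the actual intent rather than a copy of the dnsproxyd line.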
diff --git a/file_contexts b/file_contexts
index 0926d74..74c6db3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -79,6 +79,7 @@
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
 /dev/socket/gps		u:object_r:gps_socket:s0
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0
diff --git a/installd.te b/installd.te
index cabebc6..3ce2c5d 100644
--- a/installd.te
+++ b/installd.te
@@ -17,6 +17,9 @@
 # Read /seapp_contexts and /data/security/seapp_contexts
 security_access_policy(installd)
 
+# Search /data/app-asec.
+allow installd asec_image_file:dir search;
+
 # Create /data/user and /data/user/0 if necessary.
 # Also required to initially create /data/data subdirectories
 # and lib symlinks before the setfilecon call.  May want to
@@ -26,6 +29,7 @@
 
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file unlink;
 # restorecon new /data/media directory.
 allow installd system_data_file:dir relabelfrom;
 allow installd media_rw_data_file:dir relabelto;
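Review bot: `allow installd media_rw_data_file:file unlink;` is placed under the "Upgrade /data/media for multi-user" comment, but that comment describes directory creation and relabeling, so it does not say which installd operation now needs to delete files, and unlink on this type lets installd remove any user media file under /data/media. Give the rule its own comment naming the code path, e.g. `# Remove files under /data/media during the multi-user upgrade (TODO: cite the installd command that needs this)`; I am inferring the upgrade is the reason from its placement. If the deletion is confined to one subtree, a dedicated type for that subtree would bound the grant better than the whole media_rw_data_file type.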
diff --git a/kernel.te b/kernel.te
index c40d08b..0048a62 100644
--- a/kernel.te
+++ b/kernel.te
@@ -17,10 +17,3 @@
 
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;
-
-# For operations performed by kernel or init prior to switching to init domain.
-## TODO: Investigate whether it is safe to remove these
-allow kernel self:capability { sys_rawio mknod };
-auditallow kernel self:capability { sys_rawio mknod };
-allow kernel dev_type:blk_file rw_file_perms;
-auditallow kernel dev_type:blk_file rw_file_perms;
diff --git a/net.te b/net.te
index 9942efe..6aa12f2 100644
--- a/net.te
+++ b/net.te
@@ -18,5 +18,8 @@
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
 
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
 # Connect to mdnsd via mdnsd socket.
 unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/netd.te b/netd.te
index 46cc436..6fe1ad3 100644
--- a/netd.te
+++ b/netd.te
@@ -58,6 +58,10 @@
 
 allow netd ctl_mdnsd_prop:property_service set;
 
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
+allow netd netdomain:fd use;
+
 ###
 ### Neverallow rules
 ###
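Review bot: `allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};` lets netd read and write payload on sockets owned by every netdomain process, untrusted apps included, when the fwmark service presumably only needs to inspect and set options on the descriptor it receives. If netd never sends or receives data on a passed socket, drop `read write` so the passed-fd surface is option handling only: `allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {getattr setattr getopt setopt};`. The `allow netd netdomain:fd use;` line is what lets netd accept the descriptor passed over the unix socket and is needed either way; the comment could state that the fds arrive over the fwmarkd socket so the two rules read as one mechanism.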
diff --git a/system_server.te b/system_server.te
index 66db7f8..e6fe653 100644
--- a/system_server.te
+++ b/system_server.te
@@ -211,6 +211,10 @@
 allow system_server systemkeys_data_file:dir create_dir_perms;
 allow system_server systemkeys_data_file:file create_file_perms;
 
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
 # Manage /data/misc/vpn.
 allow system_server vpn_data_file:dir create_dir_perms;
 allow system_server vpn_data_file:file create_file_perms;
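Review bot: `# Access /data/tombstones.` understates what the two rules below it grant and why: r_dir_perms/r_file_perms are read-only (no create, write or unlink), but the objects are crash dumps of other processes, which can hold register and memory contents, so the comment should record the consumer. Suggest `# Read /data/tombstones (crash dumps; read-only, no create/unlink) for <the system_server feature that consumes them>.` naming the actual feature, which the hunk does not show.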
diff --git a/untrusted_app.te b/untrusted_app.te
index 1d94923..b7a2cef 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -63,3 +63,11 @@
 # Write to /cache.
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow untrusted_app debugfs:file read;
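Review bot: `neverallow untrusted_app debugfs:file read;` asserts only the file class, so an allow rule giving untrusted_app `debugfs:dir read` (directory listing) or `debugfs:lnk_file read` would still pass the policy build, and listings alone leak the entry names the comment is worried about. If the intent is that nothing in debugfs is readable by untrusted apps, widen the assertion: `neverallow untrusted_app debugfs:{ file lnk_file } read;` plus `neverallow untrusted_app debugfs:dir read;`. The comment should also say this is a build-time assertion against the rest of the policy rather than a denial in its own right, since "ensure these files aren't readable" reads as the latter.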