commit 1ffa6f80da2691017c51a9aa8dff41fa7dacc54c
author Nick Kralevich <nnk@google.com> Mon May 08 19:07:54 2017 +0000
committer android-build-merger <android-build-merger@google.com> Mon May 08 19:07:54 2017 +0000
tree dfb2c29d247a2b24c06642bcea840dce6e03af84
parent b00a85c3f8786365e02d18dc8474468416e42128
parent b49bc8212aca4c94802f8587c61fd9302f2cabec

Merge "Further restrict SELinux API access" am: 076677330d
am: b49bc8212a

Change-Id: I4e13baad4cc463142b5899855e0613c5ea829c8d

private/app.te

diff --git a/private/app.te b/private/app.te
index 81de403..1cf86ff 100644
--- a/private/app.te
+++ b/private/app.te
@@ -276,11 +276,6 @@
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
 
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +436,11 @@
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;

private/shell.te

diff --git a/private/shell.te b/private/shell.te
index c24bfd3..9bc0bd1 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -13,3 +13,7 @@
 
 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)

public/domain_deprecated.te

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 5702ace..64ad3e6 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -292,33 +292,3 @@
   -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')