Merge "Add permissions for hal_boot"
diff --git a/Android.mk b/Android.mk
index 6af3af9..3eddee8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -140,6 +140,7 @@
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-D target_build_treble=$(ENABLE_TREBLE) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+ -D target_with_dexpreopt_pic=$(WITH_DEXPREOPT_PIC) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -158,6 +159,7 @@
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-D target_build_treble=$(ENABLE_TREBLE) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+ -D target_with_dexpreopt_pic=$(WITH_DEXPREOPT_PIC) \
-D target_arch=$(LOCAL_TARGET_ARCH) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
@@ -200,6 +202,7 @@
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
-D target_build_treble=$(ENABLE_TREBLE) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+ -D target_with_dexpreopt_pic=$(WITH_DEXPREOPT_PIC) \
-D target_recovery=true \
-s $^ > $@
@@ -237,6 +240,7 @@
-D target_build_variant=user \
-D target_build_treble=$(ENABLE_TREBLE) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
+ -D target_with_dexpreopt_pic=$(WITH_DEXPREOPT_PIC) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
diff --git a/private/access_vectors b/private/access_vectors
index 26286b2..6393c16 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -24,7 +24,6 @@
link
rename
execute
- swapon
quotaon
mounton
}
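Review bot: Dropping `swapon` from the common file permissions in this hunk, and the entries removed in the following hunks of this file (`recv_msg`/`send_msg`, `transition`, the `tcp_socket`, `node`, `netif` and unix stream socket permissions), is only safe if no remaining rule still names them, because checkpolicy rejects a rule that references a permission its class no longer defines. The `te_macros` hunk in this same change strips `recv_msg send_msg` from the `netlink_selinux_socket` rule, but device and vendor policy compiled against these public definitions is not visible here and should be built for each affected product before merging. Presumably the list mirrors permissions the kernel no longer defines; a one-line note at the top of the file, e.g. `# Permissions not defined by the kernel's classmap have been removed; do not reference them in policy.`, would let the next reviewer verify the list against the kernel instead of guessing.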
@@ -57,8 +56,6 @@
shutdown
recvfrom
sendto
- recv_msg
- send_msg
name_bind
}
@@ -97,7 +94,6 @@
getattr
relabelfrom
relabelto
- transition
associate
quotamod
quotaget
@@ -184,9 +180,6 @@
class tcp_socket
inherits socket
{
- connectto
- newconn
- acceptfrom
node_bind
name_connect
}
@@ -205,29 +198,12 @@
class node
{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- enforce_dest
- dccp_recv
- dccp_send
recvfrom
sendto
}
class netif
{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- dccp_recv
- dccp_send
ingress
egress
}
@@ -245,8 +221,6 @@
inherits socket
{
connectto
- newconn
- acceptfrom
}
class unix_dgram_socket
diff --git a/private/file_contexts b/private/file_contexts
index f1d736d..1be0eb0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -29,6 +29,7 @@
/sys u:object_r:sysfs:s0
# Symlinks
+/bugreports u:object_r:rootfs:s0
/d u:object_r:rootfs:s0
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
@@ -134,7 +135,7 @@
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:urandom_device:s0
+/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
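Review bot: Relabelling `/dev/urandom` to `random_device` is consistent with removing `urandom_device` in `device.te`, `domain.te` and `init.te`, but the declaration being deleted carried `mlstrustedobject` (`type urandom_device, dev_type, mlstrustedobject;`) and the `random_device` declaration is not part of this diff. If `random_device` lacks that attribute, MLS-constrained domains lose access to /dev/urandom even though the type-enforcement rule in `domain.te` still allows it, so confirm the declaration before relying on this relabel. Any out-of-tree policy that still names `urandom_device` will stop compiling once the type is gone, which is worth a check of the device policies for affected products. A short note in `device.te` would record the merge for future readers, e.g. `# /dev/urandom is labelled random_device; the separate urandom_device type was removed.`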
diff --git a/public/app.te b/public/app.te
index 7f51574..14e3011 100644
--- a/public/app.te
+++ b/public/app.te
@@ -215,7 +215,7 @@
# Allow apps to read/execute installed binaries
allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file { rx_file_perms execmod };
+allow appdomain apk_data_file:file rx_file_perms;
# /data/resource-cache
allow appdomain resourcecache_data_file:file r_file_perms;
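Review bot: The comment above the changed `allow appdomain apk_data_file:file rx_file_perms;` still describes the rule only as read/execute and does not say that `execmod` on installed APK libraries now belongs solely to `untrusted_app`, granted in `untrusted_app.te` and enforced by the narrowed `neverallow { domain -untrusted_app } file_type:file execmod;` in `domain.te`. Every other app domain that ships native libraries with text relocations will begin seeing `execmod` denials after this change, which is presumably intended but is not recorded in any of the three hunks. A one-line pointer here would make the split easy to follow: `# execmod (text relocations, b/20013628) is granted only to untrusted_app; see the neverallow in domain.te.`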
diff --git a/public/device.te b/public/device.te
index b4ca618..f01dc66 100644
--- a/public/device.te
+++ b/public/device.te
@@ -40,7 +40,6 @@
type socket_device, dev_type;
type owntty_device, dev_type, mlstrustedobject;
type tty_device, dev_type;
-type urandom_device, dev_type, mlstrustedobject;
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 56424e9..c78af07 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -76,7 +76,6 @@
allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:dir r_dir_perms;
allow domain properties_serial:file r_file_perms;
@@ -172,6 +171,11 @@
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
###
### neverallow rules
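Review bot: The new `allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;` hands the whitelist to every domain, and the same change widens `unpriv_tty_ioctls` in `ioctl_macros` from two ioctls to ten, adding job-control operations such as `TIOCSCTTY` and `TIOCSPGRP`, without saying why each one is needed. The comment correctly notes that the base `ioctl` permission must still be granted separately, so the effective exposure stays bounded by existing `allow` rules, but the justification for each newly whitelisted ioctl belongs next to the list so it can be pruned later. `devpts` appears to be a type rather than an attribute here, so the per-domain `$1_devpts` types produced by the pty macro are covered only by the parallel rule this change adds in `te_macros`; a comment such as `# Per-domain $1_devpts types get the same whitelist via te_macros.` would make that dependency explicit.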
@@ -180,6 +184,11 @@
# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
@@ -483,7 +492,7 @@
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
-neverallow { domain -appdomain } file_type:file execmod;
+neverallow { domain -untrusted_app } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 226cc0f..a8320b5 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,13 +1,5 @@
# rules removed from the domain attribute
-# Read access to properties mapping.
-allow domain_deprecated kernel:fd use;
-allow domain_deprecated tmpfs:file { read getattr };
-allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow { domain_deprecated -init } kernel:fd use;
-auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
-auditallow domain_deprecated tmpfs:lnk_file { read getattr };
-
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
@@ -18,12 +10,8 @@
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:unix_stream_socket connectto;
allow domain_deprecated adbd:fd use;
-allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket connectto;
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
@@ -33,17 +21,13 @@
auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
auditallow { domain_deprecated -appdomain -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-# Device accesses.
-allow domain_deprecated device:file read;
-auditallow domain_deprecated device:file read;
-
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
-allow domain_deprecated system_file:lnk_file r_file_perms;
auditallow {
domain_deprecated
-appdomain
+ -fingerprintd
-init
-installd
-rild
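Review bot: The `-fingerprintd` exclusion added to this `auditallow` presumably pairs with the direct `allow fingerprintd system_file:dir r_dir_perms;` grant elsewhere in this change, but the permission this `auditallow` covers is at the end of the statement, outside the visible hunk, so that should be confirmed. `gatekeeperd` and `hwservicemanager` receive the identical `system_file:dir r_dir_perms` grant in the same change and are not added here; if either carries `domain_deprecated`, their HAL-directory scans will keep generating audit records. The `allow domain_deprecated system_file:lnk_file r_file_perms;` removed just above relies on `domain.te` still granting read on those symlinks, which the existing `# read in domain` annotations suggest but this diff does not show.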
@@ -60,16 +44,6 @@
-system_server
-zygote
} system_file:file { ioctl lock }; # read open getattr in domain
-auditallow {
- domain_deprecated
- -appdomain
- -init
- -installd
- -rild
- -surfaceflinger
- -system_server
- -zygote
-} system_file:lnk_file { getattr open ioctl lock }; # read in domain
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
@@ -85,32 +59,6 @@
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
-# Read /data/dalvik-cache.
-allow domain_deprecated dalvikcache_data_file:dir { search getattr };
-allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow {
- domain_deprecated
- -appdomain
- -debuggerd
- -dex2oat
- -dumpstate
- -init
- -installd
- -system_server
- -zygote
-} dalvikcache_data_file:dir { search getattr };
-auditallow {
- domain_deprecated
- -appdomain
- -debuggerd
- -dex2oat
- -dumpstate
- -init
- -installd
- -system_server
- -zygote
-} dalvikcache_data_file:file r_file_perms;
-
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
@@ -130,7 +78,6 @@
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
r_dir_file(domain_deprecated, proc_net)
@@ -140,8 +87,6 @@
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow domain_deprecated inotify:dir r_dir_perms;
-auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
auditallow {
domain_deprecated
-appdomain
@@ -194,9 +139,3 @@
allow domain_deprecated selinuxfs:file r_file_perms;
auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-
-# World readable asec image contents
-allow domain_deprecated asec_public_file:file r_file_perms;
-allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
-auditallow domain_deprecated asec_public_file:file r_file_perms;
-auditallow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 481cfa5..44572e1 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -116,3 +116,7 @@
# access files in /sys with the default sysfs label
neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index b541e34..b27f014 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -3,6 +3,9 @@
binder_use(fingerprintd)
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
# need to find KeyStore and add self
allow fingerprintd fingerprintd_service:service_manager { add find };
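Review bot: The comment `# Scan through /system/lib64/hw looking for installed HALs` describes a narrower grant than the rule beneath it, which gives `fingerprintd` `r_dir_perms` on every directory labelled `system_file`, not only the HAL directory; the same comment and rule pairing is repeated in `gatekeeperd.te` and `hwservicemanager.te`. Directory listing across /system is a modest exposure, but the comment should state what is actually granted so nobody later assumes a dedicated label exists, e.g. `# Directory read on all of /system (system_file), needed to enumerate /system/lib64/hw for installed HALs.` If the grant is meant to be narrowed later, a dedicated label for the HAL directory would be the usual route, but that is outside this change.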
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 13d2db7..f6ec1ab 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -10,6 +10,9 @@
# need to find KeyStore and add self
allow gatekeeperd gatekeeper_service:service_manager { add find };
+# Scan through /system/lib64/hw looking for installed HALs
+allow gatekeeperd system_file:dir r_dir_perms;
+
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index cbb47e5..f179599 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -13,6 +13,9 @@
set_prop(hwservicemanager, hwservicemanager_prop)
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
# TODO once hwservicemanager checks whether HALs are
# allowed to register a certain service, add policy here
# for allowing to check SELinux permissions.
diff --git a/public/init.te b/public/init.te
index bef8de7..235f70c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -21,7 +21,6 @@
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
allow init random_device:chr_file relabelto;
-allow init urandom_device:chr_file relabelto;
# /dev/device-mapper, /dev/block(/.*)?
allow init tmpfs:{ chr_file blk_file } relabelfrom;
allow init tmpfs:blk_file getattr;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index bee392f..14cfdc7 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -1,5 +1,5 @@
# inputflinger
-type inputflinger, domain, domain_deprecated;
+type inputflinger, domain;
type inputflinger_exec, exec_type, file_type;
binder_use(inputflinger)
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 122e1f0..e8cc086 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -42,10 +42,16 @@
}')
# commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
# commonly used TTY ioctls
-define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
+ TIOCSPGRP TIOCGPGRP
+}')
# point to point ioctls
define(`ppp_ioctls', `{
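Review bot: The `# merge with unpriv_unix_sock_ioctls?` line leaves an open question inside the macro definition rather than a decision; the two lists now overlap on `TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ`, and `unpriv_tty_ioctls` additionally carries `TIOCSCTTY TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP`. Because this macro is granted to every domain in `domain.te` by the same change, each addition should carry its reason next to the list so the whitelist can be reviewed and trimmed later. Either merge the lists or turn the question into an actionable marker: `# TODO: unpriv_tty_ioctls is a superset of unpriv_unix_sock_ioctls; consider defining one in terms of the other.`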
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 007fc74..008e0e2 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -109,3 +109,7 @@
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/public/lmkd.te b/public/lmkd.te
index 8e3c61a..e25a77f 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -1,5 +1,5 @@
# lmkd low memory killer daemon
-type lmkd, domain, domain_deprecated, mlstrustedsubject;
+type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
allow lmkd self:capability { dac_override sys_resource kill };
diff --git a/public/logd.te b/public/logd.te
index 1171ebf..3e6f7b6 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -22,10 +22,6 @@
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
-# Set persist.sys. and sys.powerctl
-set_prop(logd, safemode_prop)
-set_prop(logd, powerctl_prop)
-
# Access device logging gating property
get_prop(logd, device_logging_prop)
userdebug_or_eng(`get_prop(logd, logpersistd_logging_prop)')
diff --git a/public/recovery.te b/public/recovery.te
index bd701d9..32601e3 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -51,6 +51,9 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
allow recovery sysfs_batteryinfo:file r_file_perms;
allow recovery kernel:system syslog_read;
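Review bot: The two added lines are indented by a leading space while the surrounding `allow recovery …` rules start at column 0, so they should be aligned with their neighbours. The `# TODO: create more specific label?` above `allow recovery sysfs:file w_file_perms;` remains in force, meaning recovery still writes any generically labelled `sysfs` file in addition to the new `sysfs_devices_system_cpu` type; if the cpufreq write was the motivating case, the generic grant becomes a candidate for removal once the other sysfs writers are identified, and a note to that effect next to the TODO would help. The `sysfs_devices_system_cpu` type declaration is not in this diff, so confirm it exists before merging or the policy build will fail.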
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 469c637..46b3b0e 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -1,5 +1,5 @@
# servicemanager - the Binder context manager
-type servicemanager, domain, domain_deprecated, mlstrustedsubject;
+type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, exec_type, file_type;
# Note that we do not use the binder_* macros here.
diff --git a/public/system_server.te b/public/system_server.te
index 06ec624..f9dbc89 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -391,11 +391,8 @@
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-# Run system programs, e.g. dexopt. Needed? (b/28035297)
-allow system_server system_file:file rx_file_perms;
allow system_server system_file:dir r_dir_perms;
allow system_server system_file:lnk_file r_file_perms;
-auditallow system_server system_file:file execute_no_trans;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
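Review bot: Removing `allow system_server system_file:file rx_file_perms;` drops read, open and getattr on /system files as well as execute, whereas the `auditallow … execute_no_trans` removed alongside it only ever covered execution; the change therefore depends on `domain.te` still granting `system_file:file r_file_perms` to every domain, which is not shown here and should be confirmed. The later hunk in this file removes `-system_file` from the `neverallow`, so any remaining `execute_no_trans` by `system_server` on /system binaries now fails at policy compile time rather than at runtime, which is the stronger guarantee. The retained `system_file:dir r_dir_perms` and `lnk_file r_file_perms` lines look redundant if those domain-wide grants exist; a comment here such as `# Execute on system_file is deliberately not granted; see the neverallow below (b/28035297).` would record the intent.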
@@ -599,7 +596,7 @@
# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
# Prevent the addition of new file execs to stop the problem from
# getting worse. b/28035297
-neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;
+neverallow system_server { file_type -toolbox_exec -logcat_exec }:file execute_no_trans;
# System server should never transition to a new domain. This compliments
# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
diff --git a/public/te_macros b/public/te_macros
index 9664b31..6a1a5ff 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -237,7 +237,7 @@
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')
#####################################
@@ -259,6 +259,11 @@
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
@@ -279,7 +284,6 @@
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`eng', ifelse(target_build_variant, `eng', $1))
#####################################
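Review bot: Deleting the `eng` macro is a breaking change for any policy outside this tree that still calls `eng(...)`: m4 leaves an unknown macro unexpanded, so checkpolicy then fails on the literal `eng(` text rather than reporting a missing macro. Device and vendor policies compiled against this `public/` directory are not visible here, so they should be searched for callers before this lands. If any remain, keeping the one-line definition for a release with a comment such as `# Deprecated: use userdebug_or_eng or move eng-only rules out of policy.` gives them a migration window without changing what the macro expands to.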
# SELinux rules for HALs that have either been binderized or are
@@ -290,9 +294,9 @@
#####################################
# WITH_DEXPREOPT builds
-# SELinux rules which apply only when pre-opting.
+# SELinux rules which apply only when pre-opting with PIC.
#
-define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', ifelse(target_with_dexpreopt_pic, `true', $1)))
#####################################
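Review bot: `with_dexpreopt` now expands `$1` only when both `target_with_dexpreopt` and `target_with_dexpreopt_pic` are `true`, but its name still suggests the first condition alone, so callers reading the name will not expect PIC to be required. The updated header comment helps, though the `Android.mk` hunks that pass `-D target_with_dexpreopt_pic=$(WITH_DEXPREOPT_PIC)` rely on the build exporting that variable for every policy target, and a build that leaves it unset silently drops every rule wrapped in the macro instead of failing. A comment beside the define recording that failure mode, e.g. `# Expands to nothing (rules silently omitted) unless WITH_DEXPREOPT and WITH_DEXPREOPT_PIC are both true.`, would make it visible to whoever next debugs a missing dexpreopt rule.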
# write_logd(domain)
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index b968728..16edf79 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -25,6 +25,9 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# Legacy text relocations
+allow untrusted_app apk_data_file:file execmod;
+
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow untrusted_app app_data_file:file { rx_file_perms execmod };
@@ -190,3 +193,7 @@
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow untrusted_app anr_data_file:file ~{ open append };
neverallow untrusted_app anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/public/zygote.te b/public/zygote.te
index b2374f1..aabf12f 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -58,8 +58,8 @@
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file { getattr };
-allow zygote debugfs_trace_marker:file { getattr };
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
# Check validity of SELinux context before use.
selinux_check_context(zygote)