Merge "Allow init to restorecon sysfs files."
diff --git a/Android.mk b/Android.mk
index 1163477..351e81a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -79,6 +79,23 @@
) \
)
+sepolicy_build_files := security_classes \
+ initial_sids \
+ access_vectors \
+ global_macros \
+ mls_macros \
+ mls \
+ policy_capabilities \
+ te_macros \
+ attributes \
+ *.te \
+ roles \
+ users \
+ initial_sid_contexts \
+ fs_use \
+ genfs_contexts \
+ port_contexts
+
##################################
include $(CLEAR_VARS)
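Review bot: The order of `sepolicy_build_files` (L9-L24) is load-bearing — the list is handed to m4 and concatenated into policy.conf, whose grammar is order-sensitive (classes, sids and access vectors before the type-enforcement rules, contexts last) — but nothing in the definition says so. A one-line comment above L9, `# Order matters: these are concatenated into policy.conf in this sequence.`, would stop a later contributor from alphabetising or regrouping the list. Note also that `*.te` on L18 is stored as a literal glob and relies on the consumer (`build_policy`, or the `$(wildcard ...)` in the new general_sepolicy.conf rule) to expand it; worth a word in the same comment.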
@@ -92,7 +109,7 @@
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
+$(sepolicy_policy.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
@@ -120,7 +137,7 @@
sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_recovery.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
+$(sepolicy_policy_recovery.conf) : $(call build_policy, $(sepolicy_build_files))
@mkdir -p $(dir $@)
$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
-D target_build_variant=$(TARGET_BUILD_VARIANT) \
@@ -135,7 +152,33 @@
built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)
sepolicy_policy_recovery.conf :=
-###################################
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := general_sepolicy.conf
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+exp_sepolicy_build_files :=\
+ $(wildcard $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files)
+ mkdir -p $(dir $@)
+ $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
+ -D target_build_variant=user \
+ -D force_permissive_to_unconfined=true \
+ -s $^ > $@
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+GENERAL_SEPOLICY_POLICY.CONF = $(LOCAL_BUILT_MODULE)
+
+exp_sepolicy_build_files :=
+
+##################################
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts
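Review bot: `GENERAL_SEPOLICY_POLICY.CONF = $(LOCAL_BUILT_MODULE)` on L72 uses recursive assignment, so it is re-expanded at every use — and the `include $(CLEAR_VARS)` immediately after it resets the LOCAL_ variables, so, assuming CLEAR_VARS clears LOCAL_BUILT_MODULE as it does the other LOCAL_ values, later consumers would see another module's path or an empty string instead of general_sepolicy.conf. The sibling `built_sepolicy_recovery := $(LOCAL_BUILT_MODULE)` on L47 uses simple assignment; this should match: `GENERAL_SEPOLICY_POLICY.CONF := $(LOCAL_BUILT_MODULE)`. Separately, the recipe writes a second output, `$@.dontaudit` (L70), that is not a declared target, so nothing can depend on it and a failed `sed` leaves a stale copy looking current; a stamp or a comment naming the consumer would help. The `mkdir -p $(dir $@)` on L65 also drops the `@` prefix that the two sibling recipes (L34, L43) use.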
@@ -270,6 +313,7 @@
##################################
build_policy :=
+sepolicy_build_files :=
sepolicy_replace_paths :=
built_sepolicy :=
built_sc :=
diff --git a/README b/README
index e9f37a1..83ee7a2 100644
--- a/README
+++ b/README
@@ -3,7 +3,7 @@
Additional, per device, policy files can be added into the
policy build.
-They can be configured through the use of three variables,
+They can be configured through the use of four variables,
they are:
1. BOARD_SEPOLICY_REPLACE
2. BOARD_SEPOLICY_UNION
diff --git a/access_vectors b/access_vectors
index 5e78341..659fb36 100644
--- a/access_vectors
+++ b/access_vectors
@@ -915,3 +915,20 @@
duplicate
clear_uid
}
+
+class debuggerd
+{
+ dump_tombstone
+ dump_backtrace
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
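Review bot: Brace placement is inconsistent between the two new classes: `class debuggerd` puts `{` on its own line (L107-L108) while `class drmservice {` keeps it on the class line (L113). The surrounding file is only partly visible (the block ending `}` at L105), so match whichever style it uses; `class debuggerd {` would at least make the two additions agree. `dump_tombstone` is declared here but no rule in this change grants it, which is fine for a userspace class, though a one-line comment naming its intended requester would make the unused permission look deliberate rather than leftover.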
diff --git a/adbd.te b/adbd.te
index 58fdead..3b654a1 100644
--- a/adbd.te
+++ b/adbd.te
@@ -68,3 +68,9 @@
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
+
+service_manager_local_audit_domain(adbd)
+auditallow adbd {
+ service_manager_type
+ -surfaceflinger_service
+}:service_manager find;
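Review bot: Each service dropped from these local `auditallow` blocks (here `-surfaceflinger_service` on L135) remains reachable through the blanket `allow domain service_manager_type:service_manager find` that is visible in domain.te; the exclusion only switches off logging, so it is effectively a decision that the access is legitimate, and nothing records why. A short comment per exclusion, e.g. `-surfaceflinger_service  # TODO(reviewer): name the adbd feature that needs this`, keeps the audit trail reviewable and makes it easy to later replace the domain-wide allow with a specific one. The same applies to the new exclusions in bluetooth.te, drmserver.te, dumpstate.te, isolated_app.te, nfc.te, radio.te, system_app.te and untrusted_app.te. This block also omits the `# Audited locally.` comment that drmserver.te and isolated_app.te place above `service_manager_local_audit_domain`.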
diff --git a/app.te b/app.te
index 8288ea0..e242152 100644
--- a/app.te
+++ b/app.te
@@ -255,7 +255,7 @@
# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } ~appdomain:process
+neverallow { appdomain -shell } { domain -appdomain }:process
{ transition dyntransition };
# Write to rootfs.
diff --git a/bluetooth.te b/bluetooth.te
index 8ba56b0..56fe170 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -54,6 +54,7 @@
auditallow bluetooth {
service_manager_type
-bluetooth_service
+ -radio_service
-system_server_service
}:service_manager find;
diff --git a/debuggerd.te b/debuggerd.te
index 6bbeac4..22afe63 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
@@ -31,3 +31,6 @@
# logd access
read_logd(debuggerd)
+
+# Check SELinux permissions.
+selinux_check_access(debuggerd)
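Review bot: The comment `# Check SELinux permissions.` on L176 restates the macro name without saying what is being checked. Since this change also introduces the `debuggerd` userspace class with `dump_backtrace`/`dump_tombstone` and grants dumpstate and system_server `:debuggerd dump_backtrace`, this presumably lets debuggerd enforce those checks on incoming requests; `# Let debuggerd check the requester's debuggerd-class permission (dump_backtrace/dump_tombstone) via selinux_check_access.` would make the link explicit — confirm against the debuggerd source before wording it as fact. The parallel `selinux_check_access(drmserver)` added in drmserver.te has no comment at all and would benefit from the same treatment.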
diff --git a/domain.te b/domain.te
index 0913453..9ae611c 100644
--- a/domain.te
+++ b/domain.te
@@ -159,7 +159,7 @@
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
allow domain servicemanager:service_manager list;
-auditallow domain servicemanager:service_manager list;
+auditallow { domain -dumpstate } servicemanager:service_manager list;
allow domain service_manager_type:service_manager find;
auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
@@ -265,7 +265,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
@@ -276,6 +276,11 @@
-system_server
-zygote
} { file_type -system_file -exec_type }:file execute;
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
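Review bot: The new `neverallow` exempts all of `appdomain` (L203) from the no-execute-outside-rootfs assertion, which covers untrusted_app and isolated_app as well as whichever app domain actually needs oemfs. A neverallow grants nothing by itself, but the exemption means the policy compiler will no longer flag a future `allow untrusted_app <some fs_type>:file execute`, which is exactly the kind of rule this assertion exists to catch. If oemfs is needed by a narrower set of app domains, exempting those — or at least `{ appdomain -untrusted_app -isolated_app }` — keeps the assertion meaningful for the rest; if the broad exemption is intentional, the `# for oemfs` comment should say why it must be all of appdomain. The preceding neverallow whose tail is at L198-L200 begins outside this hunk.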
diff --git a/drmserver.te b/drmserver.te
index 12e3ac7..2a146b6 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -49,4 +49,10 @@
# Audited locally.
service_manager_local_audit_domain(drmserver)
-auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
+auditallow drmserver {
+ service_manager_type
+ -drmserver_service
+ -system_server_service
+}:service_manager find;
+
+selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index 279fd98..e6128e9 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,6 +48,8 @@
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
+# Ask debuggerd for the backtraces of these processes.
+allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
@@ -96,3 +98,22 @@
# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+ service_manager_type
+ -drmserver_service
+ -healthd_service
+ -inputflinger_service
+ -keystore_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -system_app_service
+ -system_server_service
+}:service_manager find;
diff --git a/file.te b/file.te
index 99c3839..7df06d3 100644
--- a/file.te
+++ b/file.te
@@ -167,4 +167,4 @@
# type apk_data_file, file_type, data_file_type, fs_type;
# Should be:
# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem *;
+neverallow fs_type file_type:filesystem associate;
diff --git a/file_contexts b/file_contexts
index def1e53..33ac8a3 100644
--- a/file_contexts
+++ b/file_contexts
@@ -161,6 +161,8 @@
/system/bin/vdc u:object_r:vdc_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
+# patchoat executable has (essentially) the same requirements as dex2oat.
+/system/bin/patchoat u:object_r:dex2oat_exec:s0
#############################
# Vendor files
diff --git a/healthd.te b/healthd.te
index 940f7c4..3cb69bf 100644
--- a/healthd.te
+++ b/healthd.te
@@ -22,6 +22,12 @@
### healthd: charger mode
###
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
diff --git a/isolated_app.te b/isolated_app.te
index 27b0e40..5929b25 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,4 +21,9 @@
# Audited locally.
service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app service_manager_type:service_manager find;
+auditallow isolated_app {
+ service_manager_type
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/mediaserver.te b/mediaserver.te
index 52c593e..3eb078d 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -89,3 +89,15 @@
-system_server_service
-surfaceflinger_service
}:service_manager find;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
diff --git a/nfc.te b/nfc.te
index c32e9d5..2b851a2 100644
--- a/nfc.te
+++ b/nfc.te
@@ -21,5 +21,6 @@
auditallow nfc {
service_manager_type
-mediaserver_service
+ -surfaceflinger_service
-system_server_service
}:service_manager find;
diff --git a/radio.te b/radio.te
index 11691cb..5f45df3 100644
--- a/radio.te
+++ b/radio.te
@@ -35,5 +35,6 @@
service_manager_type
-mediaserver_service
-radio_service
+ -surfaceflinger_service
-system_server_service
}:service_manager find;
diff --git a/sdcardd.te b/sdcardd.te
index 7a06998..ad5c58d 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -18,3 +18,6 @@
# Read /data/system/packages.list.
allow sdcardd system_data_file:file r_file_perms;
+
+# Read /data/.layout_version
+allow sdcardd install_data_file:file r_file_perms;
diff --git a/security_classes b/security_classes
index fcee928..9cd3f1c 100644
--- a/security_classes
+++ b/security_classes
@@ -143,4 +143,8 @@
# Keystore Key
class keystore_key # userspace
+# debuggerd service
+class debuggerd # userspace
+
+class drmservice # userspace
# FLASK
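Review bot: `class drmservice # userspace` on L372 has no descriptive comment, while the neighbouring `class debuggerd` gets `# debuggerd service` and the existing `# Keystore Key` entry follows the one-comment-per-class pattern of this section. Adding a line such as `# DrmService (drmserver)` above L372 — using whatever name the service actually goes by — keeps the section consistent and tells a reader which process enforces the class.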
diff --git a/system_app.te b/system_app.te
index 24b135e..5a5888f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -69,7 +69,9 @@
service_manager_local_audit_domain(system_app)
auditallow system_app {
service_manager_type
+ -keystore_service
-nfc_service
+ -radio_service
-surfaceflinger_service
-system_server_service
}:service_manager find;
diff --git a/system_server.te b/system_server.te
index 9d973db..9d3dfa1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -127,6 +127,9 @@
binder_call(system_server, dumpstate)
binder_service(system_server)
+# Ask debuggerd to dump backtraces for native stacks of interest.
+allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
# Read /proc/pid files for dumping stack traces of native processes.
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
diff --git a/te_macros b/te_macros
index b2913f3..e211a17 100644
--- a/te_macros
+++ b/te_macros
@@ -367,3 +367,13 @@
define(`service_manager_local_audit_domain', `
typeattribute $1 service_manager_local_audit;
')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
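Review bot: The header comment for `use_drmservice` (L411-L413) says the grant is needed so that DrmService can call getpidcon, but does not explain why three rules on three classes follow, which is what a reader needs to judge whether the grant is minimal. getpidcon(3) reads /proc/<pid>/attr/current, so a second comment line such as `# getpidcon reads /proc/<pid>/attr/current: dir search + file read/open on the caller's proc entries, plus process getattr.` accounts for each allow. Note also that the macro's fixed subject is `drmserver` and `$1` is the client domain being inspected, not the domain receiving access; `# use_drmservice(client_domain)` on L411 would make that direction clear.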
diff --git a/untrusted_app.te b/untrusted_app.te
index ef7f1b5..ea20e56 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -69,6 +69,7 @@
auditallow untrusted_app {
service_manager_type
-drmserver_service
+ -keystore_service
-mediaserver_service
-nfc_service
-radio_service
@@ -94,3 +95,7 @@
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app init:unix_stream_socket connectto;
neverallow untrusted_app property_type:property_service set;
+
+# Allow verifier to access staged apks.
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
\ No newline at end of file
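Review bot: The two new `allow untrusted_app ... r_dir_perms`/`r_file_perms` rules on L437-L438 give every untrusted app read access to `apk_tmp_file` and `apk_private_tmp_file`, whereas the comment names a single consumer, the verifier. If the verifier runs as an ordinary untrusted app there may be no narrower domain available, but that reasoning belongs in the comment, because the `_private_` type in particular reads as if it should not be visible to arbitrary apps and DAC on the staging directories becomes the only remaining control: `# Allow the package verifier (runs as untrusted_app, no narrower domain) to read staged APKs; DAC on the staging dirs must keep other apps out.` — adjust to the real reason. The file also now ends without a trailing newline (L439), unlike the other files touched by this change.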