Merge "Make watchdogd enforcing."
diff --git a/adbd.te b/adbd.te
index 84d1c2b..6adba83 100644
--- a/adbd.te
+++ b/adbd.te
@@ -13,3 +13,12 @@
# Allow access in case /data/misc/adb still has the old type.
allow adbd system_data_file:dir search;
allow adbd system_data_file:file r_file_perms;
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
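Review bot: The ndk-gdb rules at the top of the hunk are wider than their comment: `allow adbd appdomain:unix_stream_socket connectto;` lets adbd connect to any unix stream socket of any app domain, and `allow adbd app_data_file:sock_file write;` covers every app's data directory, not just the gdbserver socket being forwarded. If app sockets and data files share a single type, the policy presumably cannot narrow this further, but the comment should say so that a reader does not assume the grant is scoped to the debugged app, e.g. `# Coarser than the gdbserver socket: covers every app domain's sockets and data dirs.` The `system_file:file r_file_perms` line may duplicate an existing adbd read grant outside this hunk; worth checking before keeping it.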
diff --git a/app.te b/app.te
index 6e95ffb..34f99e6 100644
--- a/app.te
+++ b/app.te
@@ -13,24 +13,40 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
+# gdbserver for ndk-gdb reads the zygote.
+allow appdomain zygote_exec:file r_file_perms;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow appdomain self:process ptrace;
+
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
# Notify zygote of death;
allow appdomain zygote:process sigchld;
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
# Communicate with system_server.
allow appdomain system_server:fifo_file rw_file_perms;
allow appdomain system_server:unix_stream_socket { read write setopt };
binder_call(appdomain, system_server)
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
binder_call(appdomain, surfaceflinger)
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
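Review bot: `allow appdomain devpts:chr_file { getattr read write ioctl };` grants every app domain read/write/ioctl on any pty slave, not only the one a run-as child inherits from the shell, while the comment above it reads as if it were scoped to run-as. If devpts is a single type for all slave ptys (the name suggests so, but this diff does not show the type declaration), the cost of supporting ndk-gdb should be written down next to the rule, e.g. `# NOTE: devpts covers every pty, not only the one inherited via run-as.` The sibling `allow appdomain self:process ptrace;` is self-only and needs no further note.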
@@ -38,11 +54,12 @@
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute open };
+allow appdomain system_data_file:file { execute execute_no_trans open };
# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
+allow appdomain ping_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };
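Review bot: `allow appdomain ping_exec:file rx_file_perms;` is added without a comment, and it means apps execute ping inside their own domain, whereas ping.te in this commit only declares `domain_auto_trans(shell, ping_exec, ping)` for shell. If that asymmetry is intentional, a one-liner such as `# Apps run ping in their own domain; only shell transitions to the ping domain (ping.te).` would stop the next reader from adding a transition. The `execute_no_trans` added to the system_data_file:file rule two lines above likewise deserves a word on why in-domain execution of those files is needed.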
@@ -57,6 +74,10 @@
# So allow all apps to read from /dev/xt_qtaguid.
allow appdomain qtaguid_device:chr_file r_file_perms;
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
+
# Use the Binder.
binder_use(appdomain)
# Perform binder IPC to binder services.
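Review bot: `allow appdomain gpu_device:chr_file { rw_file_perms execute };` includes `execute` on a character device, which permits executable mappings of the node, yet the comment only explains why apps need GPU access at all. If a particular GPU driver needs PROT_EXEC mappings, name it in the comment; otherwise drop `execute` and keep `rw_file_perms`, which is what bootanim.te, surfaceflinger.te and system_server.te use for the same device elsewhere in this commit.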
diff --git a/bootanim.te b/bootanim.te
new file mode 100644
index 0000000..c716b11
--- /dev/null
+++ b/bootanim.te
@@ -0,0 +1,11 @@
+# bootanimation oneshot service
+type bootanim, domain;
+permissive bootanim;
+type bootanim_exec, exec_type, file_type;
+
+init_daemon_domain(bootanim)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
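Review bot: `permissive bootanim;` makes the new domain log-only, so the rules below it are never validated in enforcing mode, at the same time as this commit removes that line from debuggerd.te and ping.te. If the rule set is believed complete, drop the permissive line; if not, record what is still outstanding, e.g. `# TODO: remove permissive once bootanimation's denials have been collected on a device.` Leaving an undated permissive domain in tree tends to outlive the reason it was added.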
diff --git a/debuggerd.te b/debuggerd.te
index 5a2e5ff..0443aef 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,6 +1,5 @@
# debugger interface
type debuggerd, domain;
-permissive debuggerd;
type debuggerd_exec, exec_type, file_type;
init_daemon_domain(debuggerd)
@@ -9,7 +8,7 @@
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
security_access_policy(debuggerd)
allow debuggerd system_data_file:dir create_dir_perms;
allow debuggerd system_data_file:dir relabelfrom;
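Review bot: The new ptrace rule `{ domain -init -ueventd -watchdogd -healthd -adbd }` is a hand-maintained exclusion list whose only stated rationale is the `neverallow domain init:process ptrace;` this commit adds to domain.te; the other four exclusions are undocumented, and the kernel domain is not excluded. A comment above the rule naming why each daemon is listed would keep the set from drifting, e.g. `# init: see neverallow in domain.te. ueventd/watchdogd/healthd/adbd: <reason>` with the reasons filled in. Whether debuggerd needs to trace kernel-domain processes at all is worth a sentence too.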
diff --git a/device.te b/device.te
index d13ca29..5d3ba9c 100644
--- a/device.te
+++ b/device.te
@@ -17,6 +17,8 @@
type cpuctl_device, dev_type;
type fscklogs, dev_type;
type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
type graphics_device, dev_type;
type hw_random_device, dev_type;
type input_device, dev_type;
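Review bot: `type gpu_device, dev_type, mlstrustedobject;` carries mlstrustedobject, but the comment only says the GPU is used by most UI apps; as I read the attribute, it exempts the node from MLS constraints, which is a deliberate relaxation that deserves its own justification. Suggest `# mlstrustedobject: apps at every MLS level open the GPU node directly.` or whatever the real reason is, so a later cleanup does not remove it by mistake.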
diff --git a/domain.te b/domain.te
index cf89076..701297f 100644
--- a/domain.te
+++ b/domain.te
@@ -130,8 +130,17 @@
### neverallow rules
###
-# Only init should be able to load SELinux policies and set enforcing mode.
-neverallow { domain -init } kernel:security { load_policy setenforce };
+# Only init should be able to load SELinux policies.
+# The first load technically occurs while still in the kernel domain,
+# but this does not trigger a denial since there is no policy yet.
+# Policy reload requires allowing this to the init domain.
+neverallow { domain -init } kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow { domain -kernel } kernel:security setenforce;
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
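Review bot: The new `neverallow { domain -kernel } kernel:security setenforce;` is a policy build-time assertion on allow rules, not a runtime block, so it does not constrain domains marked permissive; shell.te in this same commit still carries `permissive shell;` with the comment that shell is permissive to permit setenforce, and that path remains open. The comment above the neverallow should make that distinction explicit, e.g. `# Build-time assertion on allow rules; permissive domains (see shell.te) are unaffected.` The unconfined.te rule already excludes setenforce, so the assertion is consistent with the rest of the diff.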
@@ -142,3 +151,11 @@
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;
diff --git a/file.te b/file.te
index 9bd88c7..ed56ec9 100644
--- a/file.te
+++ b/file.te
@@ -4,6 +4,10 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type selinuxfs, fs_type;
@@ -97,6 +101,7 @@
type gps_socket, file_type;
type installd_socket, file_type;
type keystore_socket, file_type;
+type lmkd_socket, file_type;
type mdns_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 7f0486d..ebb3248 100644
--- a/file_contexts
+++ b/file_contexts
@@ -80,6 +80,7 @@
/dev/socket/gps u:object_r:gps_socket:s0
/dev/socket/installd u:object_r:installd_socket:s0
/dev/socket/keystore u:object_r:keystore_socket:s0
+/dev/socket/lmkd u:object_r:lmkd_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
@@ -115,6 +116,7 @@
/system(/.*)? u:object_r:system_file:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
/system/bin/app_process u:object_r:zygote_exec:s0
/system/bin/servicemanager u:object_r:servicemanager_exec:s0
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
@@ -142,6 +144,7 @@
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/hostapd u:object_r:hostapd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
+/system/bin/lmkd u:object_r:lmkd_exec:s0
#############################
# Vendor files
#
@@ -206,6 +209,7 @@
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
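Review bot: `/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0` is a file_contexts entry for a sysfs node, but sysfs is labeled by genfscon at mount time, so as far as this diff shows the line only takes effect if something runs restorecon on that path after boot; the genfs_contexts hunk in this commit labels the proc-side helpers but adds no sysfs entry. If an init.rc restorecon exists, say so in a comment here; otherwise add a `genfscon sysfs` entry for the node so the new `neverallow { domain -init } usermodehelper:file { append write }` in domain.te actually covers it.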
diff --git a/genfs_contexts b/genfs_contexts
index 2607b9d..8560e38 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,19 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
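Review bot: The hunk splits the new proc labels between proc_security and usermodehelper without saying what distinguishes them; the usermodehelper entries (core_pattern, hotplug, modprobe, poweroff_cmd, usermodehelper) are the sysctls that name a program the kernel itself will execute, which is why writing them is more dangerous than the knobs labeled proc_security. A two-line comment above the block, e.g. `# usermodehelper: sysctls naming a binary the kernel executes. proc_security: other security-sensitive knobs.`, would let the next person classify a new node correctly.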
diff --git a/init.te b/init.te
index 93098e1..abe5e78 100644
--- a/init.te
+++ b/init.te
@@ -8,4 +8,6 @@
allow init unlabeled:filesystem mount;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
-allow init kernel:security { load_policy setenforce };
+allow init kernel:security load_policy;
+allow init usermodehelper:file rw_file_perms;
+allow init proc_security:file rw_file_perms;
diff --git a/kernel.te b/kernel.te
index d1c1b7f..089786b 100644
--- a/kernel.te
+++ b/kernel.te
@@ -6,3 +6,6 @@
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;
+
+# Initial setenforce by init prior to switching to init domain.
+allow kernel self:security setenforce;
diff --git a/lmkd.te b/lmkd.te
new file mode 100644
index 0000000..9af658f
--- /dev/null
+++ b/lmkd.te
@@ -0,0 +1,7 @@
+# lmkd low memory killer daemon
+type lmkd, domain;
+type lmkd_exec, exec_type, file_type;
+
+init_daemon_domain(lmkd)
+
+unconfined_domain(lmkd);
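Review bot: `unconfined_domain(lmkd);` puts the new daemon in unconfineddomain with no TODO, in the same commit that narrows unconfineddomain and removes permissive from other domains; lmkd is also given a socket that system_server connects to (system_server.te), so it has a live IPC surface from day one. Add at least `# TODO: confine lmkd; unconfined pending a denial survey.` above the macro. The trailing `;` after the macro call is not used on `init_daemon_domain(lmkd)` in the same file and is passed through by m4 into policy.conf; drop it for consistency.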
diff --git a/ping.te b/ping.te
index 9adf079..65612f6 100644
--- a/ping.te
+++ b/ping.te
@@ -1,5 +1,4 @@
type ping, domain;
-permissive ping;
type ping_exec, exec_type, file_type;
domain_auto_trans(shell, ping_exec, ping)
diff --git a/runas.te b/runas.te
index 6446a9e..8648ee7 100644
--- a/runas.te
+++ b/runas.te
@@ -1,6 +1,24 @@
-type runas, domain;
+type runas, domain, mlstrustedsubject;
type runas_exec, exec_type, file_type;
-unconfined_domain(runas)
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
+allow runas adbd:process sigchld;
+allow runas shell:fd use;
+allow runas devpts:chr_file { read write ioctl };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
+selinux_check_context(runas) # validate context
+allow runas non_system_app_set:process dyntransition; # setcon
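Review bot: `allow runas non_system_app_set:process dyntransition;` lets run-as switch into any non-system app domain, so at the policy level a shell user can reach every such domain; as I understand run-as, the check that the target package is debuggable and matches the requested uid lives only in the binary, which the policy cannot express. That dependency should be written next to the rule, e.g. `# Policy cannot restrict which app domain; run-as itself enforces the debuggable/uid checks.` The `dontaudit runas self:capability dac_override;` a few lines up hides a denial that would otherwise help spot a misconfigured app data directory, so a note on why it is expected noise would help too.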
diff --git a/shell.te b/shell.te
index 032f70f..17031b9 100644
--- a/shell.te
+++ b/shell.te
@@ -9,3 +9,12 @@
# shell is also permissive to permit setenforce.
permissive shell;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
+
+# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
+allow shell non_system_app_set:process sigkill;
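Review bot: The ndk-gdb rules here duplicate the two added to shell_user.te, but only shell.te gets `allow shell non_system_app_set:process sigkill;`, and shell.te also still carries `permissive shell;` just above the hunk, so none of these rules are exercised in enforcing mode on that build. If the sigkill omission on user builds is deliberate, say so in shell_user.te (`# sigkill intentionally omitted on user builds`); if it is an oversight, the `kill -9` of gdbserver described in the comment will be denied there. Putting the shared rules in one macro would keep the two files from drifting.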
diff --git a/shell_user.te b/shell_user.te
index 8b51003..1eccbd6 100644
--- a/shell_user.te
+++ b/shell_user.te
@@ -6,3 +6,9 @@
# Run app_process.
# XXX Split into its own domain?
app_domain(shell)
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index f0c5d8e..c9dbda9 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,7 +13,9 @@
binder_use(surfaceflinger)
binder_call(surfaceflinger, system_server)
binder_service(surfaceflinger)
-allow surfaceflinger init:binder transfer;
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
@@ -33,3 +35,6 @@
allow surfaceflinger appdomain:fd use;
allow surfaceflinger platform_app_data_file:file { read write };
allow surfaceflinger app_data_file:file { read write };
+
+# Use open file provided by bootanim.
+allow surfaceflinger bootanim:fd use;
diff --git a/system_app.te b/system_app.te
index 3084e93..63aa76c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -35,4 +35,7 @@
allow system_app asec_apk_file:file r_file_perms;
# Write to properties
+unix_socket_connect(system_app, property, init)
+allow system_app debug_prop:property_service set;
+allow system_app radio_prop:property_service set;
allow system_app system_prop:property_service set;
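Review bot: `allow system_app debug_prop:property_service set;` and `allow system_app radio_prop:property_service set;` widen property-setting from system_prop to two more property types for every app in the system_app domain, under a comment that only says `# Write to properties`. Radio properties are normally owned by the telephony stack, so a comment naming which system app needs them, e.g. `# <app name> sets radio.* properties` with the real name filled in, would make the grant reviewable later. If only one app needs it, a narrower domain may be preferable to widening system_app.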
diff --git a/system_server.te b/system_server.te
index 25ce2a4..2afafa6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -73,6 +73,7 @@
unix_socket_connect(system_server, property, init)
unix_socket_connect(system_server, qemud, qemud)
unix_socket_connect(system_server, installd, installd)
+unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, netd, netd)
unix_socket_connect(system_server, vold, vold)
unix_socket_connect(system_server, zygote, zygote)
@@ -109,6 +110,7 @@
allow system_server device:dir r_dir_perms;
allow system_server mdns_socket:sock_file rw_file_perms;
allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
allow system_server graphics_device:dir search;
allow system_server graphics_device:chr_file rw_file_perms;
allow system_server iio_device:chr_file rw_file_perms;
diff --git a/unconfined.te b/unconfined.te
index f6899c2..45c8292 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,8 +19,7 @@
allow unconfineddomain self:capability_class_set *;
allow unconfineddomain kernel:security ~{ load_policy setenforce };
allow unconfineddomain kernel:system *;
-allow unconfineddomain self:memprotect *;
-allow unconfineddomain domain:process *;
+allow unconfineddomain domain:process ~ptrace;
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
@@ -30,7 +29,9 @@
allow unconfineddomain domain:key *;
allow unconfineddomain fs_type:filesystem *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
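Review bot: Splitting the single `{fs_type dev_type file_type -kmem_device}` rule into three means a type that carries more than one of those attributes now receives the union of the three grants: the fs_type rule excludes usermodehelper and proc_security, but if either type were ever also given file_type, the third rule would hand the access back. The neverallow rules this commit adds in domain.te would catch that at build time, which is the only reason the split is safe; say so, e.g. `# Exclusions here are backed by neverallow rules in domain.te; keep both in sync.` The same holds for kmem_device and its existing neverallow.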
diff --git a/untrusted_app.te b/untrusted_app.te
index 80f60da..2630f9e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -15,6 +15,10 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app app_data_file:file rx_file_perms;
+
allow untrusted_app tun_device:chr_file rw_file_perms;
# Internal SDCard rw access.
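Review bot: `allow untrusted_app app_data_file:file rx_file_perms;` restores execute that app.te in this same commit removes from the base appdomain rule (`notdevfile_class_set create_file_perms`), so as far as this diff shows untrusted_app becomes the only app domain that can execute files it wrote. If platform and other app domains are meant to lose this, a comment in either file stating that (`# Only untrusted_app keeps execute on app_data_file; other app domains lose it deliberately.`) would prevent a regression; if they are not, those domains need an equivalent rule.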
diff --git a/vold.te b/vold.te
index 25e586a..12fe691 100644
--- a/vold.te
+++ b/vold.te
@@ -14,6 +14,7 @@
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
+allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
@@ -29,6 +30,9 @@
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };
+# For blkid
+allow vold shell_exec:file rx_file_perms;
+
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;