Merge "Label and allow access to /data/system/ndebugsocket."
diff --git a/app.te b/app.te
index 689ff95..e292c05 100644
--- a/app.te
+++ b/app.te
@@ -122,8 +122,9 @@
 ###
 
 # Superuser capabilities.
-# Only exception is sys_nice for binder, might not be necessary.
-neverallow { appdomain -unconfineddomain } self:capability ~sys_nice;
+# bluetooth requires net_admin.
+neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
+neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
 neverallow { appdomain -unconfineddomain } self:capability2 *;
 
 # Block device access.
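Review bot: The comment on the bluetooth exception says only that bluetooth "requires net_admin", not for which operation; CAP_NET_ADMIN also covers routing, firewall and arbitrary interface configuration, so the rationale should be recorded where the exception is carved out, e.g. `# bluetooth requires net_admin (presumably to configure its own network interface -- confirm against bluetooth.te).` The removed comment flagged sys_nice as something binder "might" need, and the new rule now forbids it for every non-bluetooth app domain; checkpolicy will reject the build if an allow contradicts it, but runtime denials of `sys_nice` in enforcing mode would only show up as avc messages, so it is worth watching the logs after this lands.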
@@ -132,8 +133,32 @@
 # Kernel memory access.
 neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
 
-# Setting SELinux enforcing status or booleans.
-neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
+# Access to any character device that is not specifically typed.
+neverallow { appdomain -unconfineddomain } device:chr_file { read write };
+
+# Access to any of the following character devices.
+neverallow { appdomain -unconfineddomain } {
+    audio_device
+    camera_device
+    dm_device
+    radio_device
+    gps_device
+    rpmsg_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell -unconfineddomain }
+    graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
+    { read write };
+neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
+    { read write };
+neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
+
+# Set SELinux enforcing mode, booleans or any other SELinux settings.
+neverallow { appdomain -unconfineddomain } kernel:security
+    { setenforce setbool setsecparam setcheckreqprot };
 
 # Load security policy.
 neverallow appdomain kernel:security load_policy;
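Review bot: The character-device neverallows at L25, L28-35 and L38-45 only cover `{ read write }`, but an open with O_WRONLY|O_APPEND is checked against the `append` permission rather than `write`, so a domain allowed `append` on one of these devices would not trip the rule. The file-write neverallows later in this patch (rootfs, system_file, the /data types) already list `append` next to `write`; the device rules should match, e.g. `neverallow { appdomain -unconfineddomain } device:chr_file { read write append };` and the same addition on the device set at L28-35 and the nfc/hci/tee rules. `ioctl` is worth considering as well, although it needs an open descriptor first and so mainly matters for inherited fds.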
@@ -153,18 +178,120 @@
         netlink_kobject_uevent_socket
     } *;
 
+# Sockets under /dev/socket that are not specifically typed.
+neverallow { appdomain -unconfineddomain } socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } bluetooth_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
+neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
+    property_socket:sock_file write;
+neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
+neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;
+
 # ptrace access to non-app domains.
 neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
 
+# Write access to /proc/pid entries for any non-app domain.
+neverallow { appdomain -unconfineddomain } { domain - appdomain }:file write;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
+    { sigkill sigstop signal };
+
 # Transition to a non-app domain.
-neverallow { appdomain -unconfineddomain } ~appdomain:process { transition dyntransition };
+neverallow { appdomain -unconfineddomain } ~appdomain:process
+    { transition dyntransition };
+
+# Map low memory.
+# Note: Take to domain.te and apply to all domains in the future.
+neverallow { appdomain -unconfineddomain } self:memprotect mmap_zero;
+
+# Write to rootfs.
+neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Write to /system.
-neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set write;
+neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow { appdomain -unconfineddomain } exec_type:file
+    { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Write to system-owned parts of /data.
 # This is the default type for anything under /data not otherwise
 # specified in file_contexts.  Define a different type for portions
 # that should be writable by apps.
 # Exception for system_app for Settings.
-neverallow { appdomain -unconfineddomain -system_app } system_data_file:dir_file_class_set write;
+neverallow { appdomain -unconfineddomain -system_app }
+    system_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow { appdomain -system_app -unconfineddomain }
+    security_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_private_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app -unconfineddomain }
+    apk_private_tmp_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell -unconfineddomain }
+    shell_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth -unconfineddomain }
+    bluetooth_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    keystore_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    systemkeys_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    wifi_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -unconfineddomain }
+    dhcp_data_file:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Access to factory files.
+neverallow { appdomain -unconfineddomain }
+    efs_file:dir_file_class_set { read write };
+
+# Write to various pseudo file systems.
+neverallow { appdomain -nfc -unconfineddomain }
+    sysfs:dir_file_class_set write;
+neverallow { appdomain -system_app -unconfineddomain }
+    selinuxfs:dir_file_class_set write;
+neverallow { appdomain -unconfineddomain }
+    proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow { appdomain -system_app -unconfineddomain }
+    kernel:system { syslog_read syslog_mod syslog_console };
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;
+
+# Ability to set system properties.
+neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
+    property_type:property_service set;
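Review bot: The permission set `{ create write setattr relabelfrom relabelto append unlink link rename }` is repeated verbatim in every file-write neverallow from L93 through L152; factoring it into an m4 definition in te_macros (say `no_w_file_perms`) would keep all of these rules in step if the set changes later, for instance if `mounton` or `rmdir` are added. Separately, L74 writes `{ domain - appdomain }` with a space before `appdomain`; checkpolicy accepts it, but every other rule in the file writes `-appdomain`, so `neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;` is the consistent form.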
diff --git a/domain.te b/domain.te
index 6321237..12aa898 100644
--- a/domain.te
+++ b/domain.te
@@ -138,3 +138,6 @@
 
 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow domain { file_type -exec_type }:file entrypoint;
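Review bot: The comment on the new rule says what it enforces but not why it matters; the reason is visible in this same patch, where app.te now forbids app domains from writing `exec_type:file`, and that rule only protects every domain entrypoint if this one guarantees all entrypoints carry exec_type. Suggest `# Ensure that all entrypoint executables are in exec_type, so that the exec_type write neverallows in app.te cover every domain entrypoint.` Note that unlike the app.te rules this one does not exempt unconfineddomain, which looks deliberate; if any domain is still entered through a rootfs- or other plain file_type-labelled binary, checkpolicy will reject the policy, so a clean build is the confirmation.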
diff --git a/file_contexts b/file_contexts
index 91d933e..1e4b5a6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -166,7 +166,6 @@
 /data/app-private/vmdl.*\.tmp	u:object_r:apk_private_tmp_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
-/data/local/tmp/selinux(/.*)?   u:object_r:tombstone_data_file:s0
 # Misc data
 /data/misc/bluetooth(/.*)?	u:object_r:bluetooth_data_file:s0
 /data/misc/bluedroid(/.*)?	u:object_r:bluetooth_data_file:s0
diff --git a/ping.te b/ping.te
index 3c6254a..19f3a47 100644
--- a/ping.te
+++ b/ping.te
@@ -1,5 +1,5 @@
 type ping, domain;
 permissive ping;
-type ping_exec, file_type;
+type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 unconfined_domain(ping)
diff --git a/runas.te b/runas.te
index 50295a9..ec5e1c4 100644
--- a/runas.te
+++ b/runas.te
@@ -1,5 +1,5 @@
 type runas, domain;
-type runas_exec, file_type;
+type runas_exec, exec_type, file_type;
 permissive runas;
 unconfined_domain(runas)
 
diff --git a/shell.te b/shell.te
index 89bc9be..8b51003 100644
--- a/shell.te
+++ b/shell.te
@@ -1,6 +1,6 @@
 # Domain for shell processes spawned by ADB
 type shell, domain;
-type shell_exec, file_type;
+type shell_exec, exec_type, file_type;
 unconfined_domain(shell)
 
 # Run app_process.
diff --git a/su.te b/su.te
index ca9fcc2..c1f002f 100644
--- a/su.te
+++ b/su.te
@@ -1,6 +1,6 @@
 type su, domain;
 permissive su;
-type su_exec, file_type;
+type su_exec, exec_type, file_type;
 domain_auto_trans(shell, su_exec, su)
 
 # su is unconfined.
diff --git a/su_user.te b/su_user.te
index 77fc535..6f936a0 100644
--- a/su_user.te
+++ b/su_user.te
@@ -1,4 +1,4 @@
 # File types must be defined for file_contexts.
-type su_exec, file_type;
+type su_exec, exec_type, file_type;
 
 # No allow rules
diff --git a/te_macros b/te_macros
index 9313938..9f885bf 100644
--- a/te_macros
+++ b/te_macros
@@ -307,6 +307,20 @@
 ')
 
 #####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
 # Non system_app application set
 #
 define(`non_system_app_set', `{ appdomain -system_app }')
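Review bot: `create_pty` grants `{ open getattr read write ioctl }` on the per-domain pty type, which is narrower than the `rw_file_perms` the replaced untrusted_app rule used (L289); that macro is not visible here but presumably also covers `lock` and `append`, so a caller relying on them would now be denied. If the narrowing is intended, the header comment should say so, e.g. `# Grants open/getattr/read/write/ioctl only; callers needing lock or append on their pty must add them.` The note that `devpts:dir search` and `ptmx_device:chr_file` are allowed to everyone via domain.te is also not verifiable from this patch and should be confirmed against that file.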
diff --git a/untrusted_app.te b/untrusted_app.te
index c91543e..80f60da 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -38,7 +38,7 @@
 
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-allow untrusted_app devpts:chr_file rw_file_perms;
+create_pty(untrusted_app)
 
 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
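Review bot: The comment above L290 still describes the old blanket grant on `devpts:chr_file`, while the macro call now confines untrusted_app to ptys labelled with its own type; update it so the isolation is visible at the call site, e.g. `# Allow the allocation and use of ptys, labelled with a per-domain type so` / `# untrusted_app cannot read or write ptys belonging to other domains.`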