Merge changes Ia473e29d,Ic500af7b
* changes:
write_klog also requires write permission to the directory.
Allow access to /data/security/current symbolic link.
diff --git a/app.te b/app.te
index aaf811a..689ff95 100644
--- a/app.te
+++ b/app.te
@@ -20,9 +20,9 @@
allow appdomain zygote:process sigchld;
# Communicate with system_server.
-allow appdomain system:fifo_file rw_file_perms;
-allow appdomain system:unix_stream_socket { read write setopt };
-binder_call(appdomain, system)
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt };
+binder_call(appdomain, system_server)
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
@@ -30,7 +30,7 @@
# App sandbox file accesses.
allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
# Read/write data files created by the platform apps if they
# were passed to the app via binder or local IPC. Do not allow open.
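Review bot: The `execute` permission added on `app_data_file:notdevfile_class_set` is the only new access in this hunk, and the comment above it (`# App sandbox file accesses.`) does not say why apps need to execute files out of their own data directory; a why-comment such as `# execute: apps may run/load code stored in their sandbox (TODO: name the use case)` would keep the grant reviewable. Since `appdomain` appears to be the attribute shared by every app domain (isolated_app joins it through app_domain in isolated_app.te), the execute bit presumably reaches untrusted and isolated apps as well, so it is worth stating whether that is intended.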
@@ -66,7 +66,6 @@
# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)
-binder_call(appdomain, isolated_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
@@ -82,8 +81,8 @@
allow appdomain system_data_file:lnk_file getattr;
# Allow all applications to read downloaded files
+allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
@@ -134,7 +133,6 @@
neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
# Setting SELinux enforcing status or booleans.
-# Conditionally allowed to system_app for SEAndroidManager.
neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
# Load security policy.
diff --git a/bluetoothd.te b/bluetoothd.te
deleted file mode 100644
index a63dfa3..0000000
--- a/bluetoothd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# bluetoothd - bluetooth daemon
-type bluetoothd, domain;
-permissive bluetoothd;
-type bluetoothd_exec, exec_type, file_type;
-
-init_daemon_domain(bluetoothd)
-unconfined_domain(bluetoothd)
diff --git a/dbusd.te b/dbusd.te
deleted file mode 100644
index 8e9db8f..0000000
--- a/dbusd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# dbus daemon
-type dbusd, domain;
-permissive dbusd;
-type dbusd_exec, exec_type, file_type;
-
-init_daemon_domain(dbusd)
-unconfined_domain(dbusd)
diff --git a/domain.te b/domain.te
index f4fd6ae..6321237 100644
--- a/domain.te
+++ b/domain.te
@@ -10,9 +10,6 @@
# Search /storage/emulated tmpfs mount.
allow domain tmpfs:dir r_dir_perms;
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
# Intra-domain accesses.
allow domain self:process ~{ execstack execheap ptrace };
allow domain self:fd use;
@@ -23,7 +20,7 @@
# Inherit or receive open files from others.
allow domain init:fd use;
-allow domain system:fd use;
+allow domain system_server:fd use;
# Connect to adbd and use a socket transferred from it.
allow domain adbd:unix_stream_socket connectto;
@@ -61,8 +58,8 @@
allow domain log_device:chr_file rw_file_perms;
allow domain nv_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
-allow domain urandom_device:chr_file r_file_perms;
-allow domain random_device:chr_file r_file_perms;
+allow domain urandom_device:chr_file rw_file_perms;
+allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
# Filesystem accesses.
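Review bot: The `urandom_device` and `random_device` rules go from `r_file_perms` to `rw_file_perms` for every domain and nothing in the hunk explains why. A write by an unprivileged process only mixes data into the pool without crediting entropy, so the exposure is modest, but a domain-wide write rule deserves a one-line justification, e.g. `# rw: write needed by TODO-domain (mixes into the pool only; no entropy credit)`. If only one or two domains need it, a per-domain rule would be the narrower form.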
@@ -103,9 +100,8 @@
# For /sys/qemu_trace files in the emulator.
bool in_qemu false;
if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
-}
allow domain sysfs_writable:file rw_file_perms;
+}
# Read access to pseudo filesystems.
r_dir_file(domain, proc)
diff --git a/file.te b/file.te
index aefa9a6..a9729cb 100644
--- a/file.te
+++ b/file.te
@@ -46,7 +46,6 @@
# /data/gps
type gps_data_file, file_type, data_file_type;
# /data/misc subdirectories
-type bluetoothd_data_file, file_type, data_file_type;
type bluetooth_data_file, file_type, data_file_type;
type keystore_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
@@ -87,7 +86,6 @@
# Socket types
type adbd_socket, file_type;
type bluetooth_socket, file_type;
-type dbus_socket, file_type;
type dnsproxyd_socket, file_type, mlstrustedobject;
type gps_socket, file_type;
type installd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 81b9da9..3fe7d3f 100644
--- a/file_contexts
+++ b/file_contexts
@@ -82,8 +82,6 @@
/dev/socket u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/bluetooth u:object_r:bluetooth_socket:s0
-/dev/socket/dbus_bluetooth u:object_r:bluetooth_socket:s0
-/dev/socket/dbus u:object_r:dbus_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/installd u:object_r:installd_socket:s0
/dev/socket/keystore u:object_r:keystore_socket:s0
@@ -131,11 +129,9 @@
/system/bin/netd u:object_r:netd_exec:s0
/system/bin/rild u:object_r:rild_exec:s0
/system/bin/mediaserver u:object_r:mediaserver_exec:s0
-/system/bin/dbus-daemon u:object_r:dbusd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
-/system/bin/bluetoothd u:object_r:bluetoothd_exec:s0
/system/bin/wpa_supplicant u:object_r:wpa_exec:s0
/system/bin/qemud u:object_r:qemud_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
@@ -176,7 +172,6 @@
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/selinux(/.*)? u:object_r:tombstone_data_file:s0
# Misc data
-/data/misc/bluetoothd(/.*)? u:object_r:bluetoothd_data_file:s0
/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
@@ -208,7 +203,7 @@
#############################
# sysfs files
#
-/sys/qemu_trace/process_name -- u:object_r:sysfs_writable:s0
+/sys/qemu_trace(/.*)? -- u:object_r:sysfs_writable:s0
/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
/sys/class/rfkill/rfkill[0-9]*/state -- u:object_r:sysfs_bluetooth_writable:s0
/sys/class/rfkill/rfkill[0-9]*/type -- u:object_r:sysfs_bluetooth_writable:s0
diff --git a/installd.te b/installd.te
index fae130a..68a0d06 100644
--- a/installd.te
+++ b/installd.te
@@ -11,7 +11,7 @@
allow installd dalvikcache_data_file:file create_file_perms;
allow installd data_file_type:dir create_dir_perms;
allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file lnk_file sock_file } { getattr unlink };
+allow installd data_file_type:{ file_class_set } { getattr unlink };
allow installd apk_data_file:file r_file_perms;
allow installd apk_tmp_file:file r_file_perms;
allow installd system_file:file x_file_perms;
diff --git a/isolated_app.te b/isolated_app.te
index 1b33484..3b99e37 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,9 +13,6 @@
permissive isolated_app;
app_domain(isolated_app)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
diff --git a/netd.te b/netd.te
index f98be3d..d8d65c9 100644
--- a/netd.te
+++ b/netd.te
@@ -68,7 +68,6 @@
neverallow netd kmem_device:chr_file { read write };
# Setting SELinux enforcing status or booleans.
-# Conditionally allowed to system_app for SEAndroidManager.
neverallow netd kernel:security { setenforce setbool };
# Load security policy.
diff --git a/seapp_contexts b/seapp_contexts
index 41d3dd8..2049b8a 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -32,7 +32,7 @@
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
# level may be used to specify a fixed level for any UID.
#
-isSystemServer=true domain=system
+isSystemServer=true domain=system_server
user=system domain=system_app type=system_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
diff --git a/system.te b/system.te
deleted file mode 100644
index b096b68..0000000
--- a/system.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type system_app, domain;
-permissive system_app;
-app_domain(system_app)
-unconfined_domain(system_app)
-
-type system, domain;
-permissive system;
-unconfined_domain(system);
-relabelto_domain(system);
-
-# Create a socket for receiving info from wpa.
-type_transition system wifi_data_file:sock_file system_wpa_socket;
-allow system self:zygote { specifyids specifyrlimits specifyseinfo };
-
-allow system backup_data_file:dir relabelto;
-allow system cache_backup_file:dir relabelto;
-allow system anr_data_file:dir relabelto;
-allow system system_data_file:dir relabelto;
-allow system apk_data_file:file relabelto;
-allow system apk_tmp_file:file relabelto;
-allow system cache_backup_file:file relabelto;
-allow system apk_private_tmp_file:file relabelto;
-allow system wallpaper_file:file relabelto;
diff --git a/system_app.te b/system_app.te
new file mode 100644
index 0000000..61a18db
--- /dev/null
+++ b/system_app.te
@@ -0,0 +1,9 @@
+#
+# Apps that run with the system UID, e.g. com.android.system.ui,
+# com.android.settings. These are not as privileged as the system
+# server.
+#
+type system_app, domain;
+permissive system_app;
+app_domain(system_app)
+unconfined_domain(system_app)
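Review bot: The header comment says system_app processes "are not as privileged as the system server", but the rules below it make the domain both `permissive` and `unconfined_domain`, which is the same treatment system_server.te gives system_server, so the comment currently describes an intent rather than the policy. I would hedge it, e.g. `# server. (Currently still permissive and unconfined; to be tightened.)`, so the next reader does not assume the split already confines system_app.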
diff --git a/system_server.te b/system_server.te
new file mode 100644
index 0000000..d4930ab
--- /dev/null
+++ b/system_server.te
@@ -0,0 +1,38 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
+permissive system_server;
+unconfined_domain(system_server);
+relabelto_domain(system_server);
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_module
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+};
+
+# Create a socket for receiving info from wpa.
+type_transition system_server wifi_data_file:sock_file system_wpa_socket;
+allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
+
+allow system_server backup_data_file:dir relabelto;
+allow system_server cache_backup_file:dir relabelto;
+allow system_server anr_data_file:dir relabelto;
+allow system_server system_data_file:dir relabelto;
+allow system_server apk_data_file:file relabelto;
+allow system_server apk_tmp_file:file relabelto;
+allow system_server cache_backup_file:file relabelto;
+allow system_server apk_private_tmp_file:file relabelto;
+allow system_server wallpaper_file:file relabelto;
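Review bot: `sys_nice` in the capability list is now the only place that capability survives in this merge; domain.te drops the domain-wide `allow domain self:capability sys_nice;` whose comment said binder adjusts the nice value during IPC. If that comment was accurate, other binder-using domains may start logging sys_nice denials (or be denied once enforcing), so the header here should record that the move from `domain` to `system_server` is deliberate, e.g. `# sys_nice was previously granted to all domains (binder priority adjustment); now system_server only.`. The unconditional `permissive system_server;` plus `unconfined_domain(system_server);` also means none of the rules below are enforced yet, which is worth one line in the header so readers do not treat the list as the effective confinement.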
diff --git a/tools/sepolicy-check.c b/tools/sepolicy-check.c
index ea198e2..ad75d16 100644
--- a/tools/sepolicy-check.c
+++ b/tools/sepolicy-check.c
@@ -16,6 +16,7 @@
#include <stdio.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/services.h>
+#include <sepol/policydb/expand.h>
#define EQUALS 0
#define NOT 1
@@ -66,6 +67,45 @@
return (current->datum.data & perm_bitmask) != 0;
}
+
+int expand_and_check(int s_op, uint32_t source_type,
+ int t_op, uint32_t target_type,
+ int c_op, uint32_t target_class,
+ perm_datum_t *perm, policydb_t *policy, avtab_t *avtab) {
+ avtab_t exp_avtab;
+ avtab_ptr_t cur;
+ unsigned int i;
+ int match;
+
+ if (avtab_init(&exp_avtab)) {
+ fputs("out of memory\n", stderr);
+ return -1;
+ }
+
+ if (expand_avtab(policy, avtab, &exp_avtab)) {
+ fputs("out of memory\n", stderr);
+ avtab_destroy(&exp_avtab);
+ return -1;
+ }
+
+ for (i = 0; i < exp_avtab.nslot; i++) {
+ for (cur = exp_avtab.htable[i]; cur; cur = cur->next) {
+ match = 1;
+ match &= check(s_op, source_type, cur->key.source_type);
+ match &= check(t_op, target_type, cur->key.target_type);
+ match &= check(c_op, target_class, cur->key.target_class);
+ match &= check_perm(cur, perm);
+ if (match) {
+ avtab_destroy(&exp_avtab);
+ return 1;
+ }
+ }
+ }
+
+ avtab_destroy(&exp_avtab);
+ return 0;
+}
+
/*
* Checks to see if a rule matching the given arguments already exists.
*
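Review bot: `expand_and_check` has no header comment although the file documents `check_rule` with a block comment, and its return contract (1 match, 0 no match, -1 failure) is what the caller relies on. I would add, in the file's `/* ... */` style, a comment stating that it expands `avtab` (attribute-based rules into per-type rules) into a temporary table, searches it for an entry matching the source/target/class ops and `perm`, destroys the temporary table on every path, and returns 1/0/-1. The second failure message is also misleading: as far as I can tell `expand_avtab` can fail for reasons other than allocation, so `fputs("expand_avtab failed\n", stderr);` would be more accurate than repeating `out of memory`.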
@@ -91,8 +131,6 @@
int c_op = parse_ops(&c);
int p_op = parse_ops(&p);
avtab_key_t key;
- avtab_ptr_t cur;
- unsigned int i;
int match;
if (s_op != ANY) {
@@ -138,19 +176,19 @@
if (c_op != ANY)
key.target_class = cls->s.value;
- for (i = 0; i < policy->te_avtab.nslot; i++) {
- for (cur = policy->te_avtab.htable[i]; cur; cur = cur->next) {
- match = 1;
- match &= check(s_op, key.source_type, cur->key.source_type);
- match &= check(t_op, key.target_type, cur->key.target_type);
- match &= check(c_op, key.target_class, cur->key.target_class);
- match &= check_perm(cur, perm);
- if (match)
- return 1;
- }
- }
+ /* Check unconditional rules after attribute expansion. */
+ match = expand_and_check(s_op, key.source_type,
+ t_op, key.target_type,
+ c_op, key.target_class,
+ perm, policy, &policy->te_avtab);
+ if (match)
+ return match;
- return 0;
+ /* Check conditional rules after attribute expansion. */
+ return expand_and_check(s_op, key.source_type,
+ t_op, key.target_type,
+ c_op, key.target_class,
+ perm, policy, &policy->te_cond_avtab);
}
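Review bot: The second `expand_and_check` call searches `policy->te_cond_avtab`, and as far as I can tell neither `expand_avtab` nor `check_perm` (which only tests `datum.data`) looks at the enabled state of a conditional node, so a rule living in the currently-false branch of a boolean (e.g. the `in_qemu` block in domain.te) is reported as existing. If the tool is meant to answer "is this access granted in the shipped policy", the comment at the conditional call should at least say so, e.g. `/* Check conditional rules after attribute expansion (both branches, regardless of bool state). */`. Each call also re-expands the full table, so a caller that checks many rules pays two expansions per rule; expanding once up front would be the cheaper form if that becomes a problem. check_rule's header comment and the start of its body are outside this hunk.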
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) {
@@ -247,9 +285,6 @@
if (load_policy(policy, &policydb, &pf))
goto out;
- if (policydb_load_isids(&policydb, &sidtab))
- goto out;
-
match = check_rule(source, target, class, perm, &policydb);
if (match < 0) {
fprintf(stderr, "Error checking rules!\n");
diff --git a/zygote.te b/zygote.te
index 5b6162f..ddda88c 100644
--- a/zygote.te
+++ b/zygote.te
@@ -9,13 +9,13 @@
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
-allow zygote system:process dyntransition;
+allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
# Allow zygote to read + write app data dirs (b/10455872 and b/10498304)
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms write };
# Move children into the peer process group.
-allow zygote system:process { getpgid setpgid };
+allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;