Merge "Remove clatd's dac_override abilities."
diff --git a/app.te b/app.te
index 73febbc..df8ff81 100644
--- a/app.te
+++ b/app.te
@@ -141,6 +141,10 @@
 # Allow apps to read/execute installed binaries
 allow appdomain apk_data_file:file { rx_file_perms execmod };
 
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
 ###
 ### CTS-specific rules
 ###
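Review bot: The new `# /data/resource-cache` comment names only the path, while the two rules under it grant read access to every app domain, untrusted ones included. The installd.te and zygote.te hunks in this same change show who populates the directory, so the comment can state the contract instead of just the path: `# /data/resource-cache: read-only for all apps; written by installd and zygote.`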
diff --git a/attributes b/attributes
index 64de61a..613ed8f 100644
--- a/attributes
+++ b/attributes
@@ -11,6 +11,9 @@
 # All types used for filesystems.
 attribute fs_type;
 
+# All types used for context= mounts.
+attribute contextmount_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 attribute file_type;
diff --git a/dhcp.te b/dhcp.te
index 81f6db4..9e461a4 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -15,7 +15,6 @@
 allow dhcp proc_net:file write;
 allow dhcp system_prop:property_service set ;
 unix_socket_connect(dhcp, property, init)
-allow dhcp owntty_device:chr_file rw_file_perms;
 
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
 allow dhcp dhcp_data_file:dir create_dir_perms;
diff --git a/domain.te b/domain.te
index b161467..86c683f 100644
--- a/domain.te
+++ b/domain.te
@@ -130,7 +130,8 @@
 allow domain debugfs:file w_file_perms;
 
 # Get SELinux enforcing status.
-selinux_getenforce(domain)
+allow domain selinuxfs:dir r_dir_perms;
+allow domain selinuxfs:file r_file_perms;
 
 # /data/security files
 allow domain security_file:dir { search getattr };
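Review bot: The retained comment `# Get SELinux enforcing status.` now sits above inline rules that grant `r_dir_perms`/`r_file_perms` on all of selinuxfs, which is broader than reading the enforce node that the deleted selinux_getenforce macro was named for. The te_macros hunks also drop `selinuxfs:dir r_dir_perms` from the remaining selinux_* macros on the strength of this rule, so that dependency should be recorded here. Suggest `# Read-only access to selinuxfs for every domain (enforce status and other read-only nodes); the selinux_* macros in te_macros rely on this for dir search.`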
@@ -259,3 +260,13 @@
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow { domain -recovery } contextmount_type:dir_file_class_set
+    { create write setattr relabelfrom relabelto append unlink link rename };
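Review bot: The first neverallow keys on `fs_type`, yet the init.te and recovery.te hunks carve `relabelto` out of a separate `unlabeled:filesystem` rule, which suggests `unlabeled` is declared without `fs_type`; if so, nothing stops a device policy from re-adding `allow X unlabeled:filesystem relabelto` and context-mounting over an unlabeled filesystem. Consider `neverallow domain { fs_type unlabeled -contextmount_type }:filesystem relabelto;`, which the `~relabelto` rules in init.te and recovery.te already satisfy. Please confirm the declaration of `unlabeled` in file.te before applying, since it is outside this diff.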
diff --git a/file.te b/file.te
index b031d74..18bafa4 100644
--- a/file.te
+++ b/file.te
@@ -33,7 +33,7 @@
 type debugfs, fs_type, mlstrustedobject;
 type pstorefs, fs_type;
 type functionfs, fs_type;
-type oemfs, fs_type;
+type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 
 # File types
@@ -61,6 +61,8 @@
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/dalvik-cache/profiles
 type dalvikcache_profiles_data_file, file_type, data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
 type shell_data_file, file_type, data_file_type;
 # /data/gps
@@ -154,3 +156,12 @@
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+#   type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+#   type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem *;
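Review bot: The comment says assigning both attributes is a bug but not how this neverallow detects it, which is what a maintainer hitting the resulting build failure will want to know. Presumably a type carrying both attributes satisfies both sides of an existing self-directed rule such as `allow fs_type self:filesystem associate`, and that is what trips the check; I cannot see the triggering allow rule in this diff, so verify which one it is. If that is the mechanism, add `# A type with both attributes would match the fs_type self:filesystem rules and fail this check at build time.`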
diff --git a/file_contexts b/file_contexts
index 8ea7f6d..dd09c1f 100644
--- a/file_contexts
+++ b/file_contexts
@@ -157,6 +157,7 @@
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
 /system/bin/uncrypt     u:object_r:uncrypt_exec:s0
+/system/bin/logwrapper  u:object_r:system_file:s0
 #############################
 # Vendor files
 #
@@ -173,6 +174,7 @@
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
 /data/anr(/.*)?		u:object_r:anr_data_file:s0
diff --git a/init.te b/init.te
index 8421fa3..e4d1f88 100644
--- a/init.te
+++ b/init.te
@@ -10,8 +10,17 @@
 allow init dev_type:blk_file rw_file_perms;
 
 # Mounting filesystems.
-allow init fs_type:filesystem *;
-allow init unlabeled:filesystem *;
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init fs_type:filesystem ~relabelto;
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
 
 # restorecon and restorecon_recursive calls from init.rc files.
 # system/core/init.rc requires at least cache_file and data_file_type.
diff --git a/inputflinger.te b/inputflinger.te
index 0bef25e..283bbba 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -1,6 +1,5 @@
 # inputflinger
 type inputflinger, domain;
-permissive_or_unconfined(inputflinger)
 type inputflinger_exec, exec_type, file_type;
 
 init_daemon_domain(inputflinger)
diff --git a/installd.te b/installd.te
index eed0343..5faa1ec 100644
--- a/installd.te
+++ b/installd.te
@@ -49,6 +49,10 @@
 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
 
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
 # Upgrade from unlabeled userdata.
 # Just need enough to remove and/or relabel it.
 allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/property.te b/property.te
index 6f2b280..3195caf 100644
--- a/property.te
+++ b/property.te
@@ -14,6 +14,7 @@
 type ctl_rildaemon_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type audio_prop, property_type;
+type logd_prop, property_type;
 type security_prop, property_type;
 type bluetooth_prop, property_type;
 type powerctl_prop, property_type;
diff --git a/property_contexts b/property_contexts
index cd8be69..4640d56 100644
--- a/property_contexts
+++ b/property_contexts
@@ -34,6 +34,7 @@
 service.adb.tcp.port    u:object_r:shell_prop:s0
 
 persist.audio.          u:object_r:audio_prop:s0
+persist.logd.           u:object_r:logd_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
diff --git a/recovery.te b/recovery.te
index 5958761..c6c5417 100644
--- a/recovery.te
+++ b/recovery.te
@@ -17,19 +17,31 @@
 
   # Mount filesystems.
   allow recovery rootfs:dir mounton;
-  allow recovery fs_type:filesystem *;
-  allow recovery unlabeled:filesystem *;
+  allow recovery fs_type:filesystem ~relabelto;
+  allow recovery unlabeled:filesystem ~relabelto;
+  allow recovery contextmount_type:filesystem relabelto;
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
+  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
+  # support to OTAs. However, that code has a bug. When an update occurs,
+  # some directories are inappropriately labeled as exec_type. This is
+  # only transient, and subsequent steps in the OTA script correct this
+  # mistake.
+  # Allow this behavior for now until we can fix the underlying bug.
+  # b/15575013
+  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
+  auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
+
   # Write to /proc/sys/vm/drop_caches
   # TODO: create more specific label?
   allow recovery proc:file w_file_perms;
 
   # Required to e.g. wipe userdata/cache.
+  allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
   allow recovery dev_type:blk_file rw_file_perms;
 
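Review bot: The `allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };` added in the middle of the hunk grants full directory write permissions, which is wider than the transient mislabel described above it requires, and there is no marker tying the rule's lifetime to the bug. Add `# TODO(b/15575013): remove once the OTA script no longer mislabels directories as exec_type.` so the rule does not outlive the bug, and keep the auditallow alongside it so its use remains visible until then. The two-space indentation indicates this hunk sits inside an enclosing conditional block that starts and ends outside the hunk.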
diff --git a/runas.te b/runas.te
index 8cc0eea..1ce8e64 100644
--- a/runas.te
+++ b/runas.te
@@ -4,7 +4,8 @@
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
 allow runas adbd:process sigchld;
-allow runas shell:fd  use;
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
 allow runas devpts:chr_file { read write ioctl };
 
 # run-as reads package information.
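Review bot: The new `allow runas shell:fifo_file { read write };` has no comment explaining the fifo access, unlike the surrounding rules, which cite ndk-gdb. Presumably run-as inherits pipes from the invoking shell (the `shell:fd use` rule above it points to fd inheritance); if so, say so: `# Inherit pipes (stdin/stdout) from the invoking shell.`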
diff --git a/service_contexts b/service_contexts
index 3720b46..b14aa1c 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,14 +39,19 @@
 input_method                              u:object_r:system_server_service:s0
 input                                     u:object_r:system_server_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
+ims                                       u:object_r:radio_service:s0
 isms                                      u:object_r:radio_service:s0
+isub                                      u:object_r:radio_service:s0
+jobscheduler                              u:object_r:system_server_service:s0
 launcherapps                              u:object_r:system_server_service:s0
 location                                  u:object_r:system_server_service:s0
 lock_settings                             u:object_r:system_server_service:s0
 media.audio_flinger                       u:object_r:mediaserver_service:s0
 media.audio_policy                        u:object_r:mediaserver_service:s0
 media.camera                              u:object_r:mediaserver_service:s0
+media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
+media.sound_trigger_hw                    u:object_r:mediaserver_service:s0
 media_router                              u:object_r:system_server_service:s0
 media_session                             u:object_r:system_server_service:s0
 meminfo                                   u:object_r:system_server_service:s0
diff --git a/shell.te b/shell.te
index aa02ce5..5f70cd0 100644
--- a/shell.te
+++ b/shell.te
@@ -25,7 +25,6 @@
 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)
 
-allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
diff --git a/system_app.te b/system_app.te
index 42f7f7e..5b9f8a0 100644
--- a/system_app.te
+++ b/system_app.te
@@ -33,6 +33,7 @@
 allow system_app radio_prop:property_service set;
 allow system_app system_prop:property_service set;
 allow system_app ctl_bugreport_prop:property_service set;
+allow system_app logd_prop:property_service set;
 
 # Create /data/anr/traces.txt.
 allow system_app anr_data_file:dir ra_dir_perms;
diff --git a/system_server.te b/system_server.te
index fc0da2b..d7643a0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -15,6 +15,10 @@
 # For art.
 allow system_server dalvikcache_data_file:file execute;
 
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
 # ptrace to processes in the same domain for debugging crashes.
 allow system_server self:process ptrace;
 
@@ -155,7 +159,6 @@
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
-allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
@@ -196,7 +199,7 @@
 allow system_server dalvikcache_data_file:file create_file_perms;
 
 # Read from /data/dalvik-cache/profiles
-allow system_server dalvikcache_profiles_data_file:dir w_dir_perms;
+allow system_server dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow system_server dalvikcache_profiles_data_file:file create_file_perms;
 
 # Manage /data/misc/adb.
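Review bot: The retained comment `# Read from /data/dalvik-cache/profiles` no longer matches the rules beneath it: the dir rule is now `rw_dir_perms` and the file rule already grants `create_file_perms`. Update it to `# Read and write /data/dalvik-cache/profiles.` so the grant is not under-described.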
diff --git a/te_macros b/te_macros
index 7cd7d82..c72760e 100644
--- a/te_macros
+++ b/te_macros
@@ -187,7 +187,6 @@
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket *;
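Review bot: Dropping `allow $1 selinuxfs:dir r_dir_perms;` from selinux_check_access makes the macro depend on the domain-wide selinuxfs rule added in domain.te in this same change, but nothing in the macro header records that. Add a line such as `# selinuxfs:dir search is granted to every domain in domain.te.` to this macro's header comment; the same applies to the selinux_check_context, selinux_setenforce, selinux_setbool and security_access_policy hunks below.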
@@ -197,24 +196,14 @@
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
 
 #####################################
-# selinux_getenforce(domain)
-# Allow domain to check whether SELinux is enforcing.
-define(`selinux_getenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-')
-
-#####################################
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
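Review bot: Deleting the selinux_getenforce macro outright breaks any device-specific policy that still invokes it, since m4 leaves an undefined macro call as literal text and checkpolicy then fails on it. If out-of-tree callers are possible, keep a no-op shim for a release, `define(`selinux_getenforce', `')`, with a comment that the permissions moved to domain.te; otherwise the removal is worth calling out so device maintainers can grep for it.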
@@ -223,7 +212,6 @@
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-allow $1 selinuxfs:dir r_dir_perms;
 allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
@@ -235,11 +223,6 @@
 define(`security_access_policy', `
 allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
-allow $1 security_file:lnk_file r_file_perms;
-allow $1 selinuxfs:dir r_dir_perms;
-allow $1 selinuxfs:file r_file_perms;
-allow $1 rootfs:dir r_dir_perms;
-allow $1 rootfs:file r_file_perms;
 ')
 
 #####################################
diff --git a/tools/sepolicy-analyze.c b/tools/sepolicy-analyze.c
index 1901033..3cef012 100644
--- a/tools/sepolicy-analyze.c
+++ b/tools/sepolicy-analyze.c
@@ -11,6 +11,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/util.h>
+#include <stdbool.h>
 
 void usage(char *arg0)
 {
@@ -343,15 +344,23 @@
     unsigned int i, j;
     avtab_key_t avkey;
     avtab_ptr_t node;
+    struct type_datum *stype, *ttype, *stype2, *ttype2;
+    bool attrib1, attrib2;
 
     if (!(k->specified & AVTAB_ALLOWED))
         return 0;
 
+    if (k->source_type == k->target_type)
+        return 0; /* self rule */
+
     avkey.target_class = k->target_class;
     avkey.specified = k->specified;
 
     sattr = &policydb->type_attr_map[k->source_type - 1];
     tattr = &policydb->type_attr_map[k->target_type - 1];
+    stype = policydb->type_val_to_struct[k->source_type - 1];
+    ttype = policydb->type_val_to_struct[k->target_type - 1];
+    attrib1 = stype->flavor || ttype->flavor;
     ebitmap_for_each_bit(sattr, snode, i) {
         if (!ebitmap_node_get_bit(snode, i))
             continue;
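Review bot: `attrib1 = stype->flavor || ttype->flavor;` relies on TYPE_TYPE being zero and treats every non-zero flavor, including TYPE_ALIAS, as an attribute; the intent reads more clearly and survives new flavor values as `attrib1 = stype->flavor == TYPE_ATTRIB || ttype->flavor == TYPE_ATTRIB;`. The same applies to `attrib2` in the next hunk. The enclosing function begins before this hunk, so I cannot see whether `policydb->type_val_to_struct` entries are guaranteed non-NULL here; if not, a null check before dereferencing would be prudent.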
@@ -363,14 +372,26 @@
             if (avkey.source_type == k->source_type &&
                 avkey.target_type == k->target_type)
                 continue;
+            if (avkey.source_type == avkey.target_type)
+                continue; /* self rule */
+            stype2 = policydb->type_val_to_struct[avkey.source_type - 1];
+            ttype2 = policydb->type_val_to_struct[avkey.target_type - 1];
+            attrib2 = stype2->flavor || ttype2->flavor;
+            if (attrib1 && attrib2)
+                continue; /* overlapping attribute-based rules */
             for (node = avtab_search_node(&policydb->te_avtab, &avkey);
                  node != NULL;
                  node = avtab_search_node_next(node, avkey.specified)) {
-                if (node->datum.data & d->data) {
-                    uint32_t perms = node->datum.data & d->data;
+                uint32_t perms = node->datum.data & d->data;
+                if ((attrib1 && perms == node->datum.data) ||
+                    (attrib2 && perms == d->data)) {
+                    /*
+                     * The attribute-based rule is a superset of the
+                     * non-attribute-based rule.  This is a dup.
+                     */
                     printf("Duplicate allow rule found:\n");
-                    display_allow(policydb, k, i, perms);
-                    display_allow(policydb, &node->key, i, perms);
+                    display_allow(policydb, k, i, d->data);
+                    display_allow(policydb, &node->key, i, node->datum.data);
                     printf("\n");
                 }
             }
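Review bot: The new condition reports a duplicate only when one rule's permission set fully contains the other's, so the partial overlaps the old `node->datum.data & d->data` test reported are now silent, and nothing in the hunk says this is deliberate. Extend the block comment to state it, e.g. `Partial overlaps are not reported; only full containment counts as a dup.` The enclosing function continues past the end of this hunk.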
diff --git a/unconfined.te b/unconfined.te
index 4dc30db..ce51f30 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -48,7 +48,8 @@
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {
     file_type
     -keystore_data_file
@@ -58,10 +59,18 @@
     -security_file
     -shell_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
-allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
-allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain exec_type:dir r_dir_perms;
+allow unconfineddomain exec_type:file { rx_file_perms execmod };
+allow unconfineddomain exec_type:lnk_file r_file_perms;
+allow unconfineddomain system_file:dir r_dir_perms;
+allow unconfineddomain system_file:file { rx_file_perms execmod };
+allow unconfineddomain system_file:lnk_file r_file_perms;
+allow unconfineddomain {
+    fs_type
+    -usermodehelper
+    -proc_security
+    -contextmount_type
+}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {
     file_type
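Review bot: The replacement exec_type/system_file rules reduce unconfined domains to read/execute on /system but carry no comment tying them to the `neverallow { domain -recovery } { system_file exec_type }` rule visible in the domain.te hunk, which is what forces this shape. A line above `allow unconfineddomain exec_type:dir r_dir_perms;` such as `# Read/execute only on /system; writes are forbidden for all domains by the neverallow in domain.te.` would discourage re-widening these later. Note that `entrypoint` on exec_type files, previously permitted by the removed `~{ ... }` rule, is now absent; that is fine if every unconfined domain obtains it through its domain-transition macros, which I cannot verify from this diff.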
@@ -72,7 +81,9 @@
     -security_file
     -shell_data_file
 }:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain { rootfs system_file exec_type }:file execute;
+allow unconfineddomain rootfs:file execute;
+allow unconfineddomain contextmount_type:dir r_dir_perms;
+allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
diff --git a/wpa.te b/wpa.te
index ceabf6d..761d345 100644
--- a/wpa.te
+++ b/wpa.te
@@ -15,7 +15,6 @@
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
-allow wpa random_device:chr_file r_file_perms;
 
 binder_use(wpa)
 binder_call(wpa, keystore)
diff --git a/zygote.te b/zygote.te
index da3a037..c2a325e 100644
--- a/zygote.te
+++ b/zygote.te
@@ -24,6 +24,9 @@
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
+# Write to /data/resource-cache
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
 # Execute dexopt.