Merge "system_server: Delete system_file:file execute_no_trans;"
diff --git a/public/domain.te b/public/domain.te
index 7c15ebc..c78af07 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -171,6 +171,11 @@
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
   ioctl unpriv_unix_sock_ioctls;
 
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 ###
 ### neverallow rules
@@ -179,6 +184,11 @@
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
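Review bot: The `neverallowxperm * devpts:chr_file ioctl TIOCSTI;` line covers only the `devpts` type, while the per-domain `$1_devpts` types get a separate copy of the same rule inside the pty macro in te_macros; a pty type declared outside that macro would not be covered by either. If the per-domain pty types share an attribute, one policy-wide statement such as `neverallowxperm * { devpts <pty_attribute_placeholder> }:chr_file ioctl TIOCSTI;` would remove the duplication; if they do not, a one-line pointer here, `# Per-domain $1_devpts types carry the same TIOCSTI neverallowxperm via te_macros.`, tells the next reader where the other half lives.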
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 19a03b7..b198703 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -77,7 +77,6 @@
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
-r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
@@ -87,8 +86,6 @@
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow domain_deprecated inotify:dir r_dir_perms;
-auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain
@@ -141,9 +138,3 @@
 allow domain_deprecated selinuxfs:file r_file_perms;
 auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-
-# World readable asec image contents
-allow domain_deprecated asec_public_file:file r_file_perms;
-allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
-auditallow domain_deprecated asec_public_file:file r_file_perms;
-auditallow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index bee392f..14cfdc7 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -1,5 +1,5 @@
 # inputflinger
-type inputflinger, domain, domain_deprecated;
+type inputflinger, domain;
 type inputflinger_exec, exec_type, file_type;
 
 binder_use(inputflinger)
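Review bot: Dropping `domain_deprecated` from inputflinger removes the proc, sysfs, proc_net and cgroup read grants that domain_deprecated.te carries (the `r_dir_file(domain_deprecated, ...)` lines are visible in this diff), and no replacement allow rules for inputflinger appear in the commit; the same applies to the lmkd and servicemanager hunks. Presumably the auditallow rules in domain_deprecated.te, which do not exclude these three domains, showed no hits, but nothing in the diff records that. A one-line note in each file, e.g. `# domain_deprecated removed: no auditallow hits for the deprecated proc/sysfs access`, would preserve that evidence for whoever triages a later denial.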
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 122e1f0..e8cc086 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -42,10 +42,16 @@
 }')
 
 # commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+define(`unpriv_unix_sock_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
 
 # commonly used TTY ioctls
-define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
+  TIOCSPGRP TIOCGPGRP
+}')
 
 # point to point ioctls
 define(`ppp_ioctls', `{
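Review bot: The comment `# merge with unpriv_unix_sock_ioctls?` is an open question left in the policy source rather than a decision; since unpriv_tty_ioctls is now a strict superset of unpriv_unix_sock_ioctls, either answer it or make it an explicit `# TODO: ...` so it is not mistaken for documentation. The list also grows from two entries to ten and now includes terminal session and process-group control ioctls (TIOCSCTTY, TIOCSPGRP, TCSETSW, TCFLSH) that domain.te in this same commit grants to every domain on devpts; a short comment stating why those belong in an "unpriv" set would make later audits of this whitelist easier.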
diff --git a/public/lmkd.te b/public/lmkd.te
index 8e3c61a..e25a77f 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -1,5 +1,5 @@
 # lmkd low memory killer daemon
-type lmkd, domain, domain_deprecated, mlstrustedsubject;
+type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;
 
 allow lmkd self:capability { dac_override sys_resource kill };
diff --git a/public/logd.te b/public/logd.te
index 1171ebf..3e6f7b6 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -22,10 +22,6 @@
 allow logd pstorefs:dir search;
 allow logd pstorefs:file r_file_perms;
 
-# Set persist.sys. and sys.powerctl
-set_prop(logd, safemode_prop)
-set_prop(logd, powerctl_prop)
-
 # Access device logging gating property
 get_prop(logd, device_logging_prop)
 userdebug_or_eng(`get_prop(logd, logpersistd_logging_prop)')
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 469c637..46b3b0e 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -1,5 +1,5 @@
 # servicemanager - the Binder context manager
-type servicemanager, domain, domain_deprecated, mlstrustedsubject;
+type servicemanager, domain, mlstrustedsubject;
 type servicemanager_exec, exec_type, file_type;
 
 # Note that we do not use the binder_* macros here.
diff --git a/public/te_macros b/public/te_macros
index df171f0..6a1a5ff 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -259,6 +259,11 @@
 type_transition $1 devpts:chr_file $1_devpts;
 # Allow use of the pty after creation.
 allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
 # allowed to everyone via domain.te.
 ')
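Review bot: The three-line TIOCSTI comment and the `neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;` rule are copied verbatim from domain.te into the macro body, so every expansion re-emits them and the rationale now lives in two places that must be kept in step. A cross-reference would be enough here, e.g. `# TIOCSTI is blocked on every pty type; see domain.te for the rationale (b/33073072).`, keeping the full explanation in one file. The enclosing define begins above this hunk, so I cannot see whether the macro already documents the `$1_devpts` type it creates.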
@@ -279,7 +284,6 @@
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`eng', ifelse(target_build_variant, `eng', $1))
 
 #####################################
 # SELinux rules for HALs that have either been binderized or are