Only allow toolbox exec where /system exec was already allowed.
When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage. However, before the toolbox domain was introduced, only
domains that were already allowed to execute /system files could have run
toolbox. Remove the global rule from domain.te and instead add rules to every
domain that is already allowed execute_no_trans on system_file.
Requires coordination with device-specific policy changes with the same Change-Id.
Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/adbd.te b/adbd.te
index a74d10b..cac2343 100644
--- a/adbd.te
+++ b/adbd.te
@@ -49,6 +49,10 @@
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow adbd toolbox_exec:file rx_file_perms;
+auditallow adbd toolbox_exec:file rx_file_perms;
+
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
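Review bot: The new auditallow for adbd audits the whole rx_file_perms set, so a plain getattr or read of the toolbox binary (a shell resolving a symlink, a stat from `ls -l /system/bin`) fires it just as an execve would, which muddies the "might not be needed" question the XXX is asking. Narrow the audit to the execute permissions so that a hit means toolbox was actually run: `auditallow adbd toolbox_exec:file { execute execute_no_trans };`. It would also help to say in the comment that the two lines are a pair to be dropped together, e.g. `# XXX Run toolbox. Might not be needed; remove the allow and auditallow if the audit never fires.`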
diff --git a/app.te b/app.te
index a78fad1..583495e 100644
--- a/app.te
+++ b/app.te
@@ -74,6 +74,7 @@
# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
+allow appdomain toolbox_exec:file rx_file_perms;
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
diff --git a/dhcp.te b/dhcp.te
index cbf105c..078e512 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -11,6 +11,9 @@
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow dhcp toolbox_exec:file rx_file_perms;
+auditallow dhcp toolbox_exec:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
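Review bot: The "Might not be needed" hedge on the new dhcp rules is probably too pessimistic: dhcp is already allowed to execute shell scripts (the shell_exec rule two lines above), and shell scripts run under this domain — presumably dhcpcd's hook scripts — are exactly the kind of thing that invoke toolbox commands, so expect the auditallow to fire. If that is the known reason, replace the XXX with a definite comment, `# Run toolbox from shell hook scripts.`, and drop the auditallow. If it is not known, keep the audit but narrow it to `auditallow dhcp toolbox_exec:file { execute execute_no_trans };` so reads of the binary do not count as hits.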
diff --git a/domain.te b/domain.te
index e7e0d7d..bfbceab 100644
--- a/domain.te
+++ b/domain.te
@@ -109,10 +109,6 @@
allow domain system_file:file execute;
allow domain system_file:lnk_file r_file_perms;
-# Run toolbox.
-# Kernel, init, and mediaserver never run anything without changing domains.
-allow { domain -kernel -init -mediaserver } toolbox_exec:file rx_file_perms;
-
# Read files already opened under /data.
allow domain system_data_file:dir { search getattr };
allow domain system_data_file:file { getattr read };
diff --git a/dumpstate.te b/dumpstate.te
index f2aab81..963f8cd 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -21,6 +21,7 @@
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
+allow dumpstate toolbox_exec:file rx_file_perms;
# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
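Review bot: The comment list above the new rule enumerates the helpers dumpstate runs (`/system/bin/logcat`, `/system/bin/dumpsys`) but is not extended for toolbox, and unlike most other domains in this change dumpstate gets the rule with no XXX/auditallow, which implies the need is known; that list begins outside this hunk. Add an entry such as `# /system/bin/toolbox (commands dumpstate shells out to)` so the next reader knows why dumpstate is exempt from the audit. It is also worth one line explaining why this rule is rx_file_perms while the system_file rule directly above it is execute_no_trans only: presumably the read/open half of executing system_file comes from domain-wide rules, whereas toolbox_exec has none now that the global rule is gone, so rx is the minimum that still works — confirm and note it.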
diff --git a/gpsd.te b/gpsd.te
index 2e05092..4b22223 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -18,6 +18,7 @@
# Execute the shell or system commands.
allow gpsd shell_exec:file rx_file_perms;
allow gpsd system_file:file rx_file_perms;
+allow gpsd toolbox_exec:file rx_file_perms;
###
### neverallow
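Review bot: gpsd gets the toolbox_exec rule unconditionally, without the `# XXX ... Might not be needed` comment and auditallow that the other service domains in this change (adbd, dhcp, netd, rild, vold, …) carry, even though the comment above it ("Execute the shell or system commands") is just as generic as theirs. Unless gpsd is known to run toolbox, give it the same treatment so the rule can be pruned on the same evidence: `# XXX Run toolbox. Might not be needed.` followed by `auditallow gpsd toolbox_exec:file rx_file_perms;`. If it is known, a short comment naming what under gpsd runs toolbox would explain the exemption.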
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..cbc8634 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,6 +13,10 @@
# Execute /system/bin/applypatch
allow install_recovery system_file:file rx_file_perms;
+# XXX Execute toolbox. Might not be needed.
+allow install_recovery toolbox_exec:file rx_file_perms;
+auditallow install_recovery toolbox_exec:file rx_file_perms;
+
# Update the recovery block device based off a diff of the boot block device
allow install_recovery block_device:dir search;
allow install_recovery boot_block_device:blk_file r_file_perms;
diff --git a/netd.te b/netd.te
index d4c5153..81d76c3 100644
--- a/netd.te
+++ b/netd.te
@@ -20,6 +20,9 @@
allow netd self:netlink_socket create_socket_perms;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow netd toolbox_exec:file rx_file_perms;
+auditallow netd toolbox_exec:file rx_file_perms;
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
diff --git a/perfprofd.te b/perfprofd.te
index 58cb3e2..433b2b8 100644
--- a/perfprofd.te
+++ b/perfprofd.te
@@ -48,7 +48,7 @@
allow perfprofd exec_type:file r_file_perms;
# simpleperf is going to execute "sleep"
- allow perfprofd toolbox_exec:file x_file_perms;
+ allow perfprofd toolbox_exec:file rx_file_perms;
# needed for simpleperf on some kernels
allow perfprofd self:capability ipc_lock;
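Review bot: The widening from x_file_perms to rx_file_perms looks redundant: the rule three lines up already grants `exec_type:file r_file_perms`, and toolbox_exec presumably carries the exec_type attribute as the other *_exec types in this policy do, so read/open on toolbox_exec was never lost with the domain.te rule. If the change is just for uniformity with the other domains in this commit, say so next to the "sleep" comment, e.g. `# rx for consistency; read is already covered by exec_type above.`; otherwise the old `allow perfprofd toolbox_exec:file x_file_perms;` could stay as is. If toolbox_exec is not exec_type, that is worth stating too, since it is the only thing that makes this line necessary.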
diff --git a/ppp.te b/ppp.te
index af7062b..c9b27af 100644
--- a/ppp.te
+++ b/ppp.te
@@ -11,6 +11,9 @@
allow ppp ppp_device:chr_file rw_file_perms;
allow ppp self:capability net_admin;
allow ppp system_file:file rx_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow ppp toolbox_exec:file rx_file_perms;
+auditallow ppp toolbox_exec:file rx_file_perms;
allow ppp vpn_data_file:dir w_dir_perms;
allow ppp vpn_data_file:file create_file_perms;
allow ppp mtp:fd use;
diff --git a/racoon.te b/racoon.te
index 8b09cdf..6447a3d 100644
--- a/racoon.te
+++ b/racoon.te
@@ -19,6 +19,9 @@
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow racoon toolbox_exec:file rx_file_perms;
+auditallow racoon toolbox_exec:file rx_file_perms;
allow racoon vpn_data_file:file create_file_perms;
allow racoon vpn_data_file:dir w_dir_perms;
diff --git a/recovery.te b/recovery.te
index 1441db1..b11213f 100644
--- a/recovery.te
+++ b/recovery.te
@@ -15,6 +15,7 @@
# Run helpers from / or /system without changing domain.
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
# Mount filesystems.
allow recovery rootfs:dir mounton;
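Review bot: The added rule is indented by one space while the two execute_no_trans rules directly above it, and the rest of recovery.te as shown, start at column 0, so as rendered here it reads as a stray character rather than deliberate formatting. Drop the space: `allow recovery toolbox_exec:file rx_file_perms;`. The indent is harmless to the policy compiler, but it breaks the visual grouping under the "Run helpers from / or /system without changing domain" comment that the new line belongs to.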
diff --git a/rild.te b/rild.te
index 549a4aa..ea0e4ed 100644
--- a/rild.te
+++ b/rild.te
@@ -23,6 +23,9 @@
allow rild system_data_file:dir r_dir_perms;
allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow rild toolbox_exec:file rx_file_perms;
+auditallow rild toolbox_exec:file rx_file_perms;
# property service
set_prop(rild, radio_prop)
diff --git a/shell.te b/shell.te
index 28f79d6..84e1802 100644
--- a/shell.te
+++ b/shell.te
@@ -38,6 +38,7 @@
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
diff --git a/system_server.te b/system_server.te
index 5f07f65..6737783 100644
--- a/system_server.te
+++ b/system_server.te
@@ -311,6 +311,10 @@
# Run system programs, e.g. dexopt.
allow system_server system_file:file x_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow system_server toolbox_exec:file rx_file_perms;
+auditallow system_server toolbox_exec:file rx_file_perms;
+
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
allow system_server gps_device:chr_file rw_file_perms;
diff --git a/vold.te b/vold.te
index a1aef72..b50e399 100644
--- a/vold.te
+++ b/vold.te
@@ -24,6 +24,9 @@
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
+# XXX Run toolbox. Might not be needed.
+allow vold toolbox_exec:file rx_file_perms;
+auditallow vold toolbox_exec:file rx_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
auditallow vold block_device:blk_file create_file_perms;