Merge "Revert "Allow ueventd to set verity.* properties""
diff --git a/README b/README
index 83ee7a2..46f58b5 100644
--- a/README
+++ b/README
@@ -1,3 +1,9 @@
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate device/<vendor>/<board>/sepolicy subdirectory and linked
+into the policy build as described below.
+
Policy Generation:
Additional, per device, policy files can be added into the
diff --git a/adbd.te b/adbd.te
index f5cebd2..c80dba4 100644
--- a/adbd.te
+++ b/adbd.te
@@ -80,3 +80,5 @@
allow adbd kernel:security read_policy;
allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
diff --git a/app.te b/app.te
index be47ca5..c17c903 100644
--- a/app.te
+++ b/app.te
@@ -83,7 +83,6 @@
allow appdomain shell_data_file:file { write getattr };
# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain proc_net:dir search;
allow appdomain qtaguid_proc:file rw_file_perms;
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
diff --git a/clatd.te b/clatd.te
index 0492f22..5c52bdb 100644
--- a/clatd.te
+++ b/clatd.te
@@ -15,9 +15,16 @@
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
-r_dir_file(clatd, proc_net)
allow clatd self:capability { net_admin net_raw setuid setgid };
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
+# does not need CAP_IPC_LOCK, so we suppress any denials we see
+# from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940
+dontaudit clatd self:capability ipc_lock;
+
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/dhcp.te b/dhcp.te
index 898e3a1..32a6ccc 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -12,8 +12,7 @@
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net:file rw_file_perms;
-allow dhcp proc_net:dir r_dir_perms;
+allow dhcp proc_net:file write;
allow dhcp dhcp_prop:property_service set;
allow dhcp pan_result_prop:property_service set;
unix_socket_connect(dhcp, property, init)
diff --git a/domain.te b/domain.te
index 731e0c4..d835ee9 100644
--- a/domain.te
+++ b/domain.te
@@ -145,9 +145,8 @@
r_dir_file(domain, sysfs_devices_system_cpu)
r_dir_file(domain, inotify)
r_dir_file(domain, cgroup)
+r_dir_file(domain, proc_net)
allow domain proc_cpuinfo:file r_file_perms;
-allow domain proc_net:dir search;
-allow domain proc_net_psched:file r_file_perms;
# debugfs access
allow domain debugfs:dir r_dir_perms;
@@ -181,7 +180,7 @@
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
# Limit device node creation to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
# Limit raw I/O to these whitelisted domains.
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
@@ -257,7 +256,7 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
@@ -362,3 +361,7 @@
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
neverallow domain domain:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
diff --git a/dumpstate.te b/dumpstate.te
index 876eaca..320b19f 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -61,7 +61,6 @@
allow dumpstate sysfs:file w_file_perms;
# Other random bits of data we want to collect
-allow dumpstate proc_net:dir search;
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
diff --git a/file.te b/file.te
index ae1079c..5ac2b66 100644
--- a/file.te
+++ b/file.te
@@ -12,7 +12,6 @@
type proc_bluetooth_writable, fs_type;
type proc_cpuinfo, fs_type;
type proc_net, fs_type;
-type proc_net_psched, fs_type;
type proc_sysrq, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
@@ -79,6 +78,8 @@
type gps_data_file, file_type, data_file_type;
# /data/property
type property_data_file, file_type, data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 04fa4c7..d510476 100644
--- a/file_contexts
+++ b/file_contexts
@@ -227,6 +227,9 @@
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+# Bootchart data
+/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+
# coredump directory for userdebug/eng devices
/cores(/.*)? u:object_r:coredump_file:s0
diff --git a/fs_use b/fs_use
index edbcf58..4bd1112 100644
--- a/fs_use
+++ b/fs_use
@@ -7,6 +7,7 @@
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;
fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
diff --git a/genfs_contexts b/genfs_contexts
index 2f60ad1..31b7e4f 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,7 +3,6 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/psched u:object_r:proc_net_psched:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
diff --git a/init.te b/init.te
index 1283ec7..14e9f80 100644
--- a/init.te
+++ b/init.te
@@ -1,5 +1,5 @@
# init switches to init domain (via init.rc).
-type init, domain;
+type init, domain, mlstrustedsubject;
permissive_or_unconfined(init)
tmpfs_domain(init)
@@ -124,8 +124,7 @@
allow init proc:file w_file_perms;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-allow init proc_net:file rw_file_perms;
-allow init proc_net:dir r_dir_perms;
+allow init proc_net:file w_file_perms;
allow init self:capability net_admin;
# Write to /proc/sysrq-trigger.
@@ -141,6 +140,7 @@
# Transitions to seclabel processes in init.rc
domain_trans(init, rootfs, adbd)
domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
recovery_only(`
domain_trans(init, rootfs, recovery)
')
@@ -164,6 +164,11 @@
# Set UID and GID for services.
allow init self:capability { setuid setgid };
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
# setexec is for services with seclabel options.
# setfscreate is for labeling directories and socket files.
diff --git a/install_recovery.te b/install_recovery.te
index 5232685..9155a2d 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -14,11 +14,7 @@
allow install_recovery system_file:file rx_file_perms;
# Update the recovery block device
-# TODO: Limit this to only recovery block device when we
-# create an appropriate label for it.
allow install_recovery block_device:dir search;
-allow install_recovery block_device:blk_file rw_file_perms;
-auditallow install_recovery block_device:blk_file rw_file_perms;
allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file
diff --git a/kernel.te b/kernel.te
index 7ccbc61..ff34ece 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,6 +1,5 @@
# Life begins with the kernel.
-type kernel, domain;
-permissive_or_unconfined(kernel)
+type kernel, domain, mlstrustedsubject;
allow kernel self:capability sys_nice;
@@ -46,6 +45,7 @@
# MTP sync (b/15835289)
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel untrusted_app:fd use;
allow kernel sdcard_type:file { read write };
# Allow the kernel to read OBB files from app directories. (b/17428116)
@@ -53,6 +53,7 @@
# Fixes CTS tests:
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
allow kernel app_data_file:file read;
###
diff --git a/mediaserver.te b/mediaserver.te
index 6e6c87d..ec69aed 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -61,7 +61,6 @@
allow mediaserver audio_data_file:file create_file_perms;
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver proc_net:dir search;
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
diff --git a/mls b/mls
index 3a64004..d5942c3 100644
--- a/mls
+++ b/mls
@@ -78,12 +78,13 @@
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
-# is a MLS trusted subject and can receive data at any level.
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# IPC constraints
diff --git a/netd.te b/netd.te
index 96d485a..5f4f38c 100644
--- a/netd.te
+++ b/netd.te
@@ -24,8 +24,7 @@
allow netd devpts:chr_file rw_file_perms;
# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
-allow netd proc_net:dir r_dir_perms;
+allow netd proc_net:file write;
# For /sys/modules/bcmdhd/parameters/firmware_path
# XXX Split into its own type.
diff --git a/radio.te b/radio.te
index 03d1580..a6aec28 100644
--- a/radio.te
+++ b/radio.te
@@ -17,7 +17,6 @@
allow radio alarm_device:chr_file rw_file_perms;
-r_dir_file(radio, proc_net)
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
diff --git a/seapp_contexts b/seapp_contexts
index 4469b75..8b2b59c 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -5,7 +5,6 @@
# seinfo (string)
# name (string)
# path (string)
-# sebool (string)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# isOwner=true will only match for the owner/primary user.
@@ -27,7 +26,6 @@
# (6) Specified seinfo= string before unspecified seinfo= string.
# (7) Specified name= string before unspecified name= string.
# (8) Specified path= string before unspecified path= string.
-# (9) Specified sebool= string before unspecified sebool= string.
#
# Outputs:
# domain (string)
diff --git a/shell.te b/shell.te
index 6af3717..d31a496 100644
--- a/shell.te
+++ b/shell.te
@@ -64,3 +64,9 @@
# allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
diff --git a/slideshow.te b/slideshow.te
new file mode 100644
index 0000000..1a22fb5
--- /dev/null
+++ b/slideshow.te
@@ -0,0 +1,13 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+write_klog(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability { mknod sys_tty_config };
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/su.te b/su.te
index dab5210..58c75f6 100644
--- a/su.te
+++ b/su.te
@@ -49,4 +49,5 @@
dontaudit su keystore:keystore_key *;
dontaudit su domain:debuggerd *;
dontaudit su domain:drmservice *;
+ service_manager_local_audit_domain(su)
')
diff --git a/system_server.te b/system_server.te
index bfe5b89..ae9ada2 100644
--- a/system_server.te
+++ b/system_server.te
@@ -91,7 +91,6 @@
# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
-r_dir_file(system_server, proc_net)
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index af780a3..d5d15b0 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -36,6 +36,12 @@
map_matched
};
+const char *map_match_str[] = {
+ "do not match",
+ "match on all inputs",
+ "match on everything"
+};
+
/**
* Whether or not the "key" from a key vaue pair is considered an
* input or an output.
@@ -126,9 +132,6 @@
/** Set to !0 to enable verbose logging */
static int logging_verbose = 0;
-/** set to !0 to enable strict checking of duplicate entries */
-static int is_strict = 0;
-
/** file handle to the output file */
static FILE *output_file = NULL;
@@ -162,7 +165,6 @@
{ .name = "seinfo", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "name", .type = dt_string, .dir = dir_in, .data = NULL },
{ .name = "path", .type = dt_string, .dir = dir_in, .data = NULL },
- { .name = "sebool", .type = dt_string, .dir = dir_in, .data = NULL },
/*Outputs*/
{ .name = "domain", .type = dt_string, .dir = dir_out, .data = NULL },
{ .name = "type", .type = dt_string, .dir = dir_out, .data = NULL },
@@ -245,11 +247,9 @@
int rc = 1;
int ret = 1;
- int resp;
char *key = m->name;
char *value = m->data;
data_type type = m->type;
- sepol_bool_key_t *se_key;
log_info("Validating %s=%s\n", key, value);
@@ -281,34 +281,6 @@
if (!pol.policy_file) {
goto out;
}
- else if (!strcasecmp(key, "sebool")) {
-
- ret = sepol_bool_key_create(pol.handle, value, &se_key);
- if (ret < 0) {
- log_error("Could not create selinux boolean key, error: %s\n",
- strerror(errno));
- rc = 0;
- goto out;
- }
-
- ret = sepol_bool_exists(pol.handle, pol.db, se_key, &resp);
- if (ret < 0) {
- log_error("Could not check selinux boolean, error: %s\n",
- strerror(errno));
- rc = 0;
- sepol_bool_key_free(se_key);
- goto out;
- }
-
- if(!resp) {
- log_error("Could not find selinux boolean \"%s\" on line: %d in file: %s\n",
- value, lineno, out_file_name);
- rc = 0;
- sepol_bool_key_free(se_key);
- goto out;
- }
- sepol_bool_key_free(se_key);
- }
else if (!strcasecmp(key, "type") || !strcasecmp(key, "domain")) {
if(!check_type(pol.db, value)) {
@@ -521,6 +493,10 @@
rule_map *new_map = NULL;
kvp *k = NULL;
key_map *r = NULL, *x = NULL;
+ bool seen[KVP_NUM_OF_RULES];
+
+ for (i = 0; i < KVP_NUM_OF_RULES; i++)
+ seen[i] = false;
new_map = calloc(1, (num_of_keys * sizeof(key_map)) + sizeof(rule_map));
if (!new_map)
@@ -546,6 +522,12 @@
continue;
}
+ if (seen[j]) {
+ log_error("Duplicated key: %s\n", k->key);
+ goto err;
+ }
+ seen[j] = true;
+
memcpy(r, x, sizeof(key_map));
/* Assign rule map value to one from file */
@@ -609,7 +591,7 @@
free_kvp(k);
}
}
- exit(EXIT_FAILURE);
+ return NULL;
}
/**
@@ -622,7 +604,6 @@
"and allows later declarations to override previous ones on a match.\n"
"Options:\n"
"-h - print this help message\n"
- "-s - enable strict checking of duplicates. This causes the program to exit on a duplicate entry with a non-zero exit status\n"
"-v - enable verbose debugging informations\n"
"-p policy file - specify policy file for strict checking of output selectors against the policy\n"
"-o output file - specify output file, default is stdout\n");
@@ -722,9 +703,6 @@
case 'p':
pol.policy_file_name = optarg;
break;
- case 's':
- is_strict = 1;
- break;
case 'v':
log_set_verbose();
break;
@@ -822,7 +800,6 @@
ENTRY *f;
hash_entry *entry;
hash_entry *tmp;
- char *preserved_key;
e.key = rm->key;
@@ -839,41 +816,12 @@
log_info("Existing entry found!\n");
tmp = (hash_entry *)f->data;
cmp = rule_map_cmp(rm, tmp->r);
- log_info("Comparing on rule map ret: %d\n", cmp);
- /* Override be freeing the old rule map and updating
- the pointer */
- if(cmp != map_matched) {
-
- /*
- * DO NOT free key pointers given to the hash map, instead
- * free the new key. The ordering here is critical!
- */
- preserved_key = tmp->r->key;
- rule_map_free(tmp->r, rule_map_preserve_key);
-/* hdestroy() frees comparsion keys for non glibc */
-#ifdef __GLIBC__
- free(rm->key);
-#endif
- rm->key = preserved_key;
- tmp->r = rm;
- }
- /* Duplicate */
- else {
- /* if is_strict is set, then don't allow duplicates */
- if(is_strict) {
- log_error("Duplicate line detected in file: %s\n"
- "Lines %d and %d match!\n",
- out_file_name, tmp->r->lineno, rm->lineno);
- rule_map_free(rm, rule_map_destroy_key);
- goto err;
- }
-
- /* Allow duplicates, just drop the entry*/
- log_info("Duplicate line detected in file: %s\n"
- "Lines %d and %d match!\n",
- out_file_name, tmp->r->lineno, rm->lineno);
- rule_map_free(rm, rule_map_destroy_key);
- }
+ log_error("Duplicate line detected in file: %s\n"
+ "Lines %d and %d %s!\n",
+ out_file_name, tmp->r->lineno, rm->lineno,
+ map_match_str[cmp]);
+ rule_map_free(rm, rule_map_destroy_key);
+ goto err;
}
/* It wasn't found, just add the rule map to the table */
else {
@@ -967,6 +915,8 @@
} /*End token parsing */
rule_map *r = rule_map_new(keys, token_cnt, lineno);
+ if (!r)
+ goto err;
rule_add(r);
} /* End file parsing */
diff --git a/unconfined.te b/unconfined.te
index d9a5b04..559ed59 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -43,8 +43,8 @@
tun_socket
} *;
allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
allow unconfineddomain {
file_type
-keystore_data_file
@@ -55,7 +55,7 @@
-shell_data_file
-app_data_file
-unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
allow unconfineddomain exec_type:dir r_dir_perms;
allow unconfineddomain exec_type:file { r_file_perms execute };
allow unconfineddomain exec_type:lnk_file r_file_perms;