Merge "Make the sdcardd domain enforcing."
diff --git a/app.te b/app.te
index a0672c7..cb6ecbc 100644
--- a/app.te
+++ b/app.te
@@ -17,10 +17,6 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
-# Needed to close the zygote socket, which involves getopt / getattr
-# This should be deleted after b/12061011 is fixed
-allow appdomain zygote:unix_stream_socket { getopt getattr };
-
# gdbserver for ndk-gdb reads the zygote.
allow appdomain zygote_exec:file r_file_perms;
diff --git a/clatd.te b/clatd.te
index dc62fb0..5483f4a 100644
--- a/clatd.te
+++ b/clatd.te
@@ -1,7 +1,7 @@
# 464xlat daemon
type clatd, domain;
+permissive_or_unconfined(clatd)
type clatd_exec, exec_type, file_type;
init_daemon_domain(clatd)
net_domain(clatd)
-unconfined_domain(clatd)
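Review bot: The `permissive_or_unconfined(clatd)` line on the new side replaces unconfined_domain, but the file still carries no clatd-specific allow rules beyond net_domain, so the domain's effective policy is whatever the macro expands to for the build variant (presumably permissive on userdebug/eng and unconfined on user — confirm against te_macros). A comment recording that this is a transitional state would help the next reader, e.g. `# TODO: collect denials and replace permissive_or_unconfined with explicit rules`. The same applies to the inputflinger.te and lmkd.te hunks, which make the identical substitution with no rules of their own.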
diff --git a/dnsmasq.te b/dnsmasq.te
index a5c647a..0e16580 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -1,6 +1,12 @@
+# DNS, DHCP services
type dnsmasq, domain;
+permissive_or_unconfined(dnsmasq)
type dnsmasq_exec, exec_type, file_type;
-init_daemon_domain(dnsmasq)
-net_domain(dnsmasq)
-unconfined_domain(dnsmasq)
+allow dnsmasq self:capability { net_bind_service setgid setuid };
+allow dnsmasq self:tcp_socket create_socket_perms;
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+allow dnsmasq port:tcp_socket name_bind;
+allow dnsmasq node:tcp_socket node_bind;
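Review bot: The new rules give dnsmasq only tcp_socket create and bind (`allow dnsmasq self:tcp_socket create_socket_perms;` plus the port/node tcp_socket lines), yet the header comment says "DNS, DHCP services", both of which are primarily UDP, and the same hunk drops net_domain(dnsmasq), which presumably supplied the udp_socket rules before. Unless the permissive_or_unconfined line is masking it on this build, a matching `allow dnsmasq self:udp_socket create_socket_perms;` with the corresponding port/node udp_socket bind rules looks necessary. The removal of init_daemon_domain(dnsmasq) is also undocumented; if it is because netd rather than init spawns dnsmasq, a one-line comment saying so would stop it being re-added.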
diff --git a/domain.te b/domain.te
index 8c66e1b..5ac6b46 100644
--- a/domain.te
+++ b/domain.te
@@ -132,6 +132,10 @@
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
+# World readable asec image contents
+allow domain asec_public_file:file r_file_perms;
+allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
+
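Review bot: The second new rule, `allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;`, is broader than the comment "World readable asec image contents" suggests: it lets every domain list every container directory under /mnt/asec, not just the public res.zip and lib/ subtrees. If only the public elements are meant to be visible, limit the asec_apk_file part to `search` (what a path walk needs) and keep r_dir_perms for asec_public_file; otherwise extend the comment to state that container directory listings are intentionally world-readable. Note also that the shared_app.te, system_app.te, drmserver.te and mediaserver.te hunks drop per-domain asec_apk_file file reads in favour of this rule, which covers only asec_public_file files, so any of those domains that read the container's .apk itself (the Settings read described by the removed system_app.te comment, for instance) would now be denied — worth confirming.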
######## Backwards compatibility - Unlabeled files ############
# Revert to DAC rules when looking at unlabeled files. Over time, the number
@@ -150,7 +154,17 @@
### neverallow rules
###
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+
+# Limit device node creation and raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
+
+# No domain needs mac_override as it is unused by SELinux.
neverallow domain self:capability2 mac_override;
+
+# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
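Review bot: The new capability neverallows cover sys_ptrace and { sys_rawio mknod } but not sys_module, even though the unconfined.te hunk in this change removes sys_module from unconfineddomain alongside those three. If no domain is meant to load kernel modules, a `neverallow domain self:capability sys_module;` here would make that stick; if some domains still need it, a comment naming them would explain the asymmetry. The sys_ptrace whitelist would also benefit from a word on why each exempt domain needs it (vold and dumpstate presumably for reading other processes' /proc/pid entries rather than ptrace proper — confirm), since the comment only states the rule's intent.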
# Only init should be able to load SELinux policies.
@@ -189,9 +203,14 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# ueventd is exempt from this, as its managing these devices.
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
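Review bot: The block_device neverallow on the new side now lists explicit domains (`-kernel -init -recovery -vold`) while the device:chr_file neverallow two lines below still exempts the whole `-unconfineddomain` attribute, so any new unconfined domain silently gains raw access to every device chr_file but not to block devices. If that asymmetry is a staged tightening, a comment saying so, e.g. `# TODO: replace -unconfineddomain with an explicit list as done for block_device`, would record it. The new filesystem neverallow also leaves `unmount` out of its permission set; worth stating whether that is deliberate.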
diff --git a/drmserver.te b/drmserver.te
index 2fbb661..eb050a2 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -21,7 +21,7 @@
allow drmserver port:tcp_socket name_connect;
allow drmserver tee_device:chr_file rw_file_perms;
allow drmserver platform_app_data_file:file { read write getattr };
-allow drmserver { app_data_file asec_apk_file }:file { read write getattr };
+allow drmserver app_data_file:file { read write getattr };
allow drmserver sdcard_type:file { read write getattr };
r_dir_file(drmserver, efs_file)
diff --git a/file.te b/file.te
index ef6c55c..bde3a53 100644
--- a/file.te
+++ b/file.te
@@ -85,6 +85,8 @@
type wallpaper_file, file_type, mlstrustedobject;
# /mnt/asec
type asec_apk_file, file_type, data_file_type;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type;
# /data/app-asec
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
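Review bot: The new `type asec_public_file` comment says "Elements of asec files (/mnt/asec) that are world readable" without naming which elements, while the file_contexts hunk fixes them to `res.zip` and `lib/` under each container. Since the type's meaning is defined entirely by those two patterns, spelling them out here keeps the two files in sync: `# World-readable elements of asec containers: /mnt/asec/*/res.zip and /mnt/asec/*/lib (see file_contexts)`.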
diff --git a/file_contexts b/file_contexts
index 35dee30..1763a7b 100644
--- a/file_contexts
+++ b/file_contexts
@@ -224,5 +224,7 @@
/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
#############################
# asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/res.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
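Review bot: In the added entry `/mnt/asec/[^/]+/res.zip u:object_r:asec_public_file:s0` the dot in `res.zip` is unescaped, so the pattern also labels any `res?zip` name (e.g. `reszzip`) as public; write `/mnt/asec/[^/]+/res\.zip`. The two new asec_public_file entries also depend on appearing after the general `/mnt/asec(/.*)?` line, as the matcher takes the last entry that matches; a short comment such as `# more specific than /mnt/asec(/.*)? above; keep after it` would protect against a future reordering.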
diff --git a/hostapd.te b/hostapd.te
index efa3a8d..a5ed62a 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -11,8 +11,8 @@
allow hostapd wifi_data_file:file rw_file_perms;
allow hostapd wifi_data_file:dir create_dir_perms;
-allow hostapd wifi_data_file:sock_file { create setattr write unlink };
-
+allow hostapd wpa_socket:dir create_dir_perms;
+allow hostapd wpa_socket:sock_file create_file_perms;
allow hostapd netd:fd use;
allow hostapd netd:udp_socket { read write };
allow hostapd netd:netlink_kobject_uevent_socket { read write };
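Review bot: The replacement rules `allow hostapd wpa_socket:dir create_dir_perms;` and `allow hostapd wpa_socket:sock_file create_file_perms;` are wider than the removed `{ create setattr write unlink }` on sock_file: create_file_perms presumably adds read, rename, lock and ioctl, and create_dir_perms adds rmdir and reparent on the socket directory. If hostapd only needs to create and remove its control socket, the previous narrow sock_file set plus `{ search add_name remove_name write }` on the dir preserves least privilege; if the macros are used for symmetry with wpa_supplicant, a comment saying so would help. wpa_socket is not declared in this diff, so its definition elsewhere is assumed.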
diff --git a/init.te b/init.te
index bab0df3..c05faba 100644
--- a/init.te
+++ b/init.te
@@ -7,6 +7,10 @@
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;
+allow init self:capability { sys_rawio mknod };
+
+allow init dev_type:blk_file rw_file_perms;
+allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
allow init usermodehelper:file rw_file_perms;
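Review bot: The new `allow init self:capability { sys_rawio mknod };` has no accompanying auditallow or TODO, whereas the kernel.te and recovery.te hunks pair the identical grant with `auditallow` and a note to investigate removal. If init is known to need mknod (and sys_rawio) permanently, a comment stating which operation needs it would justify the difference; otherwise mirror the auditallow so the usage is observed. The added `allow init fs_type:filesystem *;` (also in kernel.te and recovery.te) grants every filesystem permission including relabelfrom/relabelto and the quota operations, which is broader than the mount/remount set the new domain.te neverallow guards; listing the needed permissions explicitly would document them and survive future class extensions.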
diff --git a/inputflinger.te b/inputflinger.te
index 243bee3..dd5c086 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -1,9 +1,8 @@
# inputflinger
type inputflinger, domain;
+permissive_or_unconfined(inputflinger)
type inputflinger_exec, exec_type, file_type;
init_daemon_domain(inputflinger)
binder_use(inputflinger)
binder_service(inputflinger)
-
-unconfined_domain(inputflinger)
diff --git a/kernel.te b/kernel.te
index dfc6258..88ebc50 100644
--- a/kernel.te
+++ b/kernel.te
@@ -9,9 +9,17 @@
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;
+allow kernel fs_type:filesystem *;
# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
+
+# For operations performed by kernel or init prior to switching to init domain.
+## TODO: Investigate whether it is safe to remove these
+allow kernel self:capability { sys_rawio mknod };
+auditallow kernel self:capability { sys_rawio mknod };
+allow kernel dev_type:blk_file rw_file_perms;
+auditallow kernel dev_type:blk_file rw_file_perms;
diff --git a/lmkd.te b/lmkd.te
index 9af658f..0e0dedf 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -1,7 +1,6 @@
# lmkd low memory killer daemon
type lmkd, domain;
+permissive_or_unconfined(lmkd)
type lmkd_exec, exec_type, file_type;
init_daemon_domain(lmkd)
-
-unconfined_domain(lmkd);
diff --git a/mediaserver.te b/mediaserver.te
index ad7cdcb..31b4818 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -39,7 +39,7 @@
allow mediaserver sysfs:file rw_file_perms;
# XXX Why?
-allow mediaserver { apk_data_file asec_apk_file }:file { read getattr };
+allow mediaserver apk_data_file:file { read getattr };
# Access camera device.
allow mediaserver camera_device:chr_file rw_file_perms;
diff --git a/mtp.te b/mtp.te
index 48a5525..9681daf 100644
--- a/mtp.te
+++ b/mtp.te
@@ -1,7 +1,16 @@
# vpn tunneling protocol manager
type mtp, domain;
+permissive_or_unconfined(mtp)
type mtp_exec, exec_type, file_type;
init_daemon_domain(mtp)
net_domain(mtp)
-unconfined_domain(mtp)
+
+# pptp policy
+allow mtp self:tcp_socket create_socket_perms;
+allow mtp self:socket create_socket_perms;
+allow mtp self:rawip_socket create_socket_perms;
+allow mtp self:capability net_raw;
+allow mtp ppp:process signal;
+allow mtp port:tcp_socket name_connect;
+allow mtp vpn_data_file:dir search;
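Review bot: The pptp block grants `allow mtp self:socket create_socket_perms;` on the generic socket class and `rawip_socket` plus `net_raw` without saying why, so a reader cannot tell which protocol families these serve. If, as the "pptp policy" heading suggests, these are the AF_PPPOX control socket (which falls into the generic socket class) and a raw GRE socket for the data channel, say so: `# PPTP: AF_PPPOX socket maps to the generic socket class; GRE data channel needs a raw IP socket (net_raw)` — confirm against mtpd before committing the comment. `allow mtp ppp:process signal;` likewise deserves a note that mtpd signals the pppd it spawns via the domain_auto_trans in ppp.te.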
diff --git a/ppp.te b/ppp.te
index 1f61fdd..21838f1 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,6 +1,15 @@
# Point to Point Protocol daemon
type ppp, domain;
+permissive_or_unconfined(ppp)
type ppp_device, dev_type;
type ppp_exec, exec_type, file_type;
-unconfined_domain(ppp)
domain_auto_trans(mtp, ppp_exec, ppp)
+
+allow ppp mtp:socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:capability net_admin;
+allow ppp self:udp_socket create_socket_perms;
+allow ppp system_file:file rx_file_perms;
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
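Review bot: `allow ppp system_file:file rx_file_perms;` lets pppd execute any file of type system_file, which is presumably only needed to run the ip-up-vpn helper; the racoon.te hunk in this change adds the identical rule with an XXX comment questioning it. Giving that helper its own exec type (and a domain transition if it needs distinct rights) would let both rules be narrowed to that type; until then, a comment naming the helper on this line keeps the intent visible, e.g. `# Needed to run ip-up-vpn (system_file); TODO: dedicated exec type`. `allow ppp self:capability net_admin;` could likewise carry a note that it is for configuring the ppp interface, if that is indeed the use.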
diff --git a/racoon.te b/racoon.te
index 12955f2..596cf7e 100644
--- a/racoon.te
+++ b/racoon.te
@@ -1,5 +1,25 @@
# IKE key management daemon
type racoon, domain;
+permissive_or_unconfined(racoon)
type racoon_exec, exec_type, file_type;
-unconfined_domain(racoon)
+init_daemon_domain(racoon)
+typeattribute racoon mlstrustedsubject;
+
+binder_call(racoon, servicemanager)
+binder_call(racoon, keystore)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+allow racoon port:udp_socket name_bind;
+allow racoon node:udp_socket node_bind;
+
+allow racoon self:{ key_socket udp_socket } create_socket_perms;
+allow racoon self:tun_socket create;
+allow racoon self:capability { net_admin net_bind_service net_raw setuid };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
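Review bot: `typeattribute racoon mlstrustedsubject;` exempts racoon from MLS constraints on the new side, but nothing says what cross-level access it needs; since the attribute widens what the domain can reach under every MLS-constrained rule, a comment such as `# mlstrustedsubject: <reason — TODO confirm>` is warranted and the need itself should be verified. Similarly `allow racoon cgroup:dir { add_name create };` and `allow racoon kernel:system module_request;` read as denials collected from logs rather than intended design (cgroup directory creation presumably from the scheduler-policy code in libcutils, module_request from a socket family the kernel has no driver loaded for); a one-line why on each would stop them being copied unexamined into other VPN daemons.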
diff --git a/recovery.te b/recovery.te
index abcf0cf..b6f82c7 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,7 +8,15 @@
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
+
+# Required to e.g. wipe userdata/cache.
+allow recovery dev_type:blk_file rw_file_perms;
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;
+
+## TODO: Investigate whether it is safe to remove these
+allow recovery self:capability { sys_rawio mknod };
+auditallow recovery self:capability { sys_rawio mknod };
diff --git a/shared_app.te b/shared_app.te
index 4ab90fe..2223882 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -10,5 +10,3 @@
net_domain(shared_app)
# Access bluetooth.
bluetooth_domain(shared_app)
-# ASEC
-r_dir_file(shared_app, asec_apk_file)
diff --git a/system_app.te b/system_app.te
index a80cc45..4f5492c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,10 +31,6 @@
# Settings app reads sdcard for storage stats
allow system_app sdcard_type:dir r_dir_perms;
-# Allow settings app to read from asec
-allow system_app asec_apk_file:dir search;
-allow system_app asec_apk_file:file r_file_perms;
-
# Write to properties
unix_socket_connect(system_app, property, init)
allow system_app debug_prop:property_service set;
diff --git a/unconfined.te b/unconfined.te
index 8d424f3..80d42b3 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,7 @@
# The use of this template is discouraged.
######################################################
-allow unconfineddomain self:capability *;
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
allow unconfineddomain kernel:system *;
@@ -28,8 +28,7 @@
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
-allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
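Review bot: The rewritten rule drops `blk_file` entirely from the class set, so unconfined domains lose not only open/read/write on block devices (which the domain.te neverallow requires) but also getattr and setattr, which the neverallow does not cover; any unconfined domain that merely stats a block device will now be denied. If that is intended, the comment above the rule could say so; otherwise add a narrow `allow unconfineddomain {fs_type dev_type file_type}:blk_file { getattr setattr };` alongside it. Removing `allow unconfineddomain fs_type:filesystem *;` also means domains exempted by the new filesystem neverallow — vold and zygote in particular — must carry their own mount rules; this diff adds them for init, kernel and recovery only, so confirm vold.te and zygote.te already have theirs.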
diff --git a/untrusted_app.te b/untrusted_app.te
index 1904249..96c7009 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,6 +32,8 @@
# ASEC
allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms;
+# Execute libs in asec containers.
+allow untrusted_app asec_public_file:file execute;
# Create tcp/udp sockets
allow untrusted_app node_type:{ tcp_socket udp_socket } node_bind;
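Review bot: `allow untrusted_app asec_public_file:file execute;` is granted per type, and the file_contexts hunk assigns asec_public_file to both `lib/` and `res.zip`, so the comment "Execute libs in asec containers" understates it: res.zip becomes mappable executable for untrusted apps as well. If only native libraries should be executable, lib/ needs a type of its own; if the wider grant is acceptable, adjust the comment to `# Execute libs (and, since they share the type, res.zip) in asec containers.` so the scope is not misread later.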
diff --git a/vold.te b/vold.te
index 22198fd..18c909d 100644
--- a/vold.te
+++ b/vold.te
@@ -71,8 +71,11 @@
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr };
-allow vold asec_apk_file:file { r_file_perms setattr };
+relabelto_domain(vold)
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_public_file:file { relabelto setattr };
# Handle wake locks (used for device encryption)
allow vold sysfs_wake_lock:file rw_file_perms;
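Review bot: vold gets `relabelto setattr` on asec_public_file dirs and files but no relabelfrom, write or unlink on that type, so once res.zip or lib/ has been relabelled vold can no longer relabel it back or modify it — only the read access inherited from domain.te remains. If vold only ever mounts, restorecons and unmounts containers that is sufficient, but it should be stated, e.g. `# vold relabels the public elements once after mount and never writes to them (no write/unlink on asec_public_file)`. The `relabelto_domain(vold)` line also deserves a word that it is what satisfies the domain-wide relabelto restriction, since the macro name alone does not say so.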