Add access control for each service_manager action.
Add SELinux MAC for the service manager actions list
and find. Add the list and find verbs to the
service_manager class. Add to the binder_use macro the
policy rules service_manager needs in order to enforce
policy.
Change-Id: I224b1c6a6e21e3cdeb23badfc35c82a37558f964
diff --git a/access_vectors b/access_vectors
index f8c0110..5e78341 100644
--- a/access_vectors
+++ b/access_vectors
@@ -892,6 +892,8 @@
class service_manager
{
add
+ find
+ list
}
class keystore_key
diff --git a/attributes b/attributes
index 613ed8f..d40217a 100644
--- a/attributes
+++ b/attributes
@@ -67,3 +67,6 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+
+# All domains that are excluded from the domain.te auditallow.
+attribute service_manager_local_audit;
diff --git a/bluetooth.te b/bluetooth.te
index 2b108a9..8ba56b0 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,14 @@
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;
+# Audited locally.
+service_manager_local_audit_domain(bluetooth)
+auditallow bluetooth {
+ service_manager_type
+ -bluetooth_service
+ -system_server_service
+}:service_manager find;
+
###
### Neverallow rules
###
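Review bot: The `# Audited locally.` comment above the bluetooth auditallow does not say why bluetooth_service and system_server_service are the excluded types, and the rule only makes sense next to the blanket `allow domain service_manager_type:service_manager find` that domain.te still grants. If, as the exclusion lists suggest, the excluded types are the lookups this domain is expected to make, that is exactly the candidate allow-list for when the domain.te grant is narrowed, and the comment should record it: `# Audited locally: every find on a service other than those excluded below is logged; the exclusions are presumably the lookups this domain is expected to make.` The same one-line comment is added in bootanim.te, drmserver.te, healthd.te, inputflinger.te, keystore.te, mediaserver.te, nfc.te, platform_app.te, radio.te, surfaceflinger.te, system_app.te, system_server.te and untrusted_app.te and would benefit from the same wording.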
diff --git a/bootanim.te b/bootanim.te
index 3a0a76f..7592295 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,3 +11,7 @@
# /oem access
allow bootanim oemfs:dir search;
+
+# Audited locally.
+service_manager_local_audit_domain(bootanim)
+auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
diff --git a/domain.te b/domain.te
index 7d64cfa..0913453 100644
--- a/domain.te
+++ b/domain.te
@@ -158,6 +158,11 @@
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
+allow domain servicemanager:service_manager list;
+auditallow domain servicemanager:service_manager list;
+allow domain service_manager_type:service_manager find;
+auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
+
###
### neverallow rules
###
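Review bot: `allow domain service_manager_type:service_manager find;` and `allow domain servicemanager:service_manager list;` grant every domain, including untrusted_app and isolated_app, lookup and enumeration of all registered services, so the new find and list permissions are enforced only in the sense of being audited; the neverallow section that follows is unchanged. Nothing in the hunk says whether this is a data-collection stage or the intended end state, so a comment above the four added lines would help: `# Every domain may find and list services for now; the auditallow rules record the actual lookups so these grants can be narrowed later.` Note also that the auditallow for list carries no `-service_manager_local_audit` exclusion, so domains with a local find auditallow still log every list call from here, which is worth confirming is intended.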
diff --git a/drmserver.te b/drmserver.te
index 1993176..12e3ac7 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -46,3 +46,7 @@
allow drmserver radio_data_file:file { read getattr };
allow drmserver drmserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver { service_manager_type -drmserver_service }:service_manager find;
diff --git a/healthd.te b/healthd.te
index ce6b877..940f7c4 100644
--- a/healthd.te
+++ b/healthd.te
@@ -31,8 +31,13 @@
allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
+
allow healthd healthd_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(healthd)
+auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
unix_socket_connect(healthd, property, init)
diff --git a/inputflinger.te b/inputflinger.te
index 283bbba..4377a10 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -9,3 +9,7 @@
binder_call(inputflinger, system_server)
allow inputflinger inputflinger_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(inputflinger)
+auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
diff --git a/isolated_app.te b/isolated_app.te
index a156838..27b0e40 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,3 +18,7 @@
# Needed to allow dlopen() from Chrome renderer processes.
# See b/15902433 for details.
allow isolated_app app_data_file:file execute;
+
+# Audited locally.
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app service_manager_type:service_manager find;
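Review bot: The isolated_app auditallow has no excluded service types, so it logs exactly what the domain.te rule `auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;` would already log for isolated_app; marking the domain with service_manager_local_audit_domain therefore changes nothing. If the intent is to state that an isolated process is not expected to find any service, say so rather than leaving it to look like an empty exclusion list: `# Isolated processes are not expected to look up any service; every find is audited.` Otherwise both added lines can be dropped and the domain.te rule left to cover it.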
diff --git a/keystore.te b/keystore.te
index afa701c..f2c5039 100644
--- a/keystore.te
+++ b/keystore.te
@@ -28,5 +28,9 @@
allow keystore keystore_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(keystore)
+auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 55d1f205..52c593e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -79,3 +79,13 @@
allow mediaserver tee:unix_stream_socket connectto;
allow mediaserver mediaserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+ service_manager_type
+ -drmserver_service
+ -mediaserver_service
+ -system_server_service
+ -surfaceflinger_service
+}:service_manager find;
diff --git a/nfc.te b/nfc.te
index 65aaef7..c32e9d5 100644
--- a/nfc.te
+++ b/nfc.te
@@ -15,3 +15,11 @@
allow nfc sysfs:file write;
allow nfc nfc_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+ service_manager_type
+ -mediaserver_service
+ -system_server_service
+}:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 7ff8d62..a44e35d 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -27,3 +27,13 @@
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
+
+# Audited locally.
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+ service_manager_type
+ -mediaserver_service
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/radio.te b/radio.te
index d0018ea..11691cb 100644
--- a/radio.te
+++ b/radio.te
@@ -28,3 +28,12 @@
allow radio ctl_rildaemon_prop:property_service set;
allow radio radio_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(radio)
+auditallow radio {
+ service_manager_type
+ -mediaserver_service
+ -radio_service
+ -system_server_service
+}:service_manager find;
diff --git a/servicemanager.te b/servicemanager.te
index f3dbca8..a928916 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -13,9 +13,5 @@
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
-# Get contexts of binder services that call servicemanager.
-allow servicemanager binderservicedomain:dir search;
-allow servicemanager binderservicedomain:file { read open };
-allow servicemanager binderservicedomain:process getattr;
# Check SELinux permissions.
selinux_check_access(servicemanager)
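Review bot: After this hunk servicemanager.te no longer shows how servicemanager is allowed to read its clients' contexts; the three removed rules reappear in the binder_use macro in te_macros, scoped to `$1` instead of binderservicedomain. Any domain that reaches servicemanager without going through binder_use, if one exists, would lose getpidcon, and the resulting lookup failure is not visible from this file. A pointer here would help the next reader: `# Permission for servicemanager to getpidcon() its clients is granted per domain by binder_use() in te_macros.`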
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c508612..ff91993 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -59,6 +59,14 @@
allow surfaceflinger surfaceflinger_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(surfaceflinger)
+auditallow surfaceflinger {
+ service_manager_type
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
+
###
### Neverallow rules
###
diff --git a/system_app.te b/system_app.te
index 2a7421b..24b135e 100644
--- a/system_app.te
+++ b/system_app.te
@@ -64,3 +64,12 @@
};
control_logd(system_app)
+
+# Audited locally.
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+ service_manager_type
+ -nfc_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/system_server.te b/system_server.te
index d7453ad..62cbce7 100644
--- a/system_server.te
+++ b/system_server.te
@@ -361,6 +361,18 @@
allow system_server system_server_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(system_server)
+auditallow system_server {
+ service_manager_type
+ -healthd_service
+ -keystore_service
+ -mediaserver_service
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
+
allow system_server keystore:keystore_key {
test
get
diff --git a/te_macros b/te_macros
index 4199d6e..b2913f3 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,7 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
+service_manager_local_audit_domain($1)
')
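Review bot: Adding `service_manager_local_audit_domain($1)` to this macro removes every domain built with it from the domain.te catch-all `auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find`, but nothing ensures such a domain also adds its own auditallow, so a domain defined through the macro without one silently gets no find auditing at all. The enclosing define starts above the hunk, so its name is not visible here; the tmpfs_domain and PROT_EXEC lines suggest an application-domain macro. A comment on the added line would make the contract explicit: `# Opts out of the domain.te find auditallow; every domain using this macro must carry its own auditallow on service_manager find.` The app domains in this change that already carry one (platform_app, untrusted_app, isolated_app, system_app and others) also call the macro explicitly, which is redundant if they are built via this macro.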
#####################################
@@ -149,6 +150,10 @@
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
@@ -354,3 +359,11 @@
allow keystore $1:process getattr;
binder_call($1, keystore)
')
+
+###########################################
+# service_manager_local_audit_domain(domain)
+# Has its own auditallow rule on service_manager
+# and should be excluded from the domain.te auditallow.
+define(`service_manager_local_audit_domain', `
+ typeattribute $1 service_manager_local_audit;
+')
diff --git a/untrusted_app.te b/untrusted_app.te
index f29149e..346716a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,6 +64,17 @@
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
+# Audited locally.
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+ service_manager_type
+ -drmserver_service
+ -mediaserver_service
+ -nfc_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
+
###
### neverallow rules
###