Merge changes from topic 'checkseapp-fixups'
* changes:
checkseapp: remove .data = NULL assignments
checkseapp: remove data types from static map
checkseapp: generalize input validation
checkseapp: update error message output
checkseapp: declare internal function as static
diff --git a/app.te b/app.te
index 6ad58a6..993c025 100644
--- a/app.te
+++ b/app.te
@@ -209,6 +209,9 @@
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
###
### CTS-specific rules
###
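Review bot: The new `allow appdomain app_fuse_file:file { getattr read append write };` grants write/append to every app domain, including untrusted_app, but the one-line comment does not say why all apps rather than only priv_app need write access. The permission set also omits `open`, so presumably an app can only act on an appfuse fd handed to it by another process rather than open such files itself — that is the security-relevant property here and it deserves to be stated. Suggest replacing `# For app fuse.` with `# For app fuse: apps may read/append/write appfuse files only through an fd passed to them (no open, create or unlink) — confirm the fd-passing path.`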
diff --git a/blkid.te b/blkid.te
index 23ce3a9..43bc944 100644
--- a/blkid.te
+++ b/blkid.te
@@ -16,5 +16,5 @@
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
-neverallow domain blkid:process dyntransition;
+neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index 7e53de7..da3bdac 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -32,5 +32,5 @@
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow domain blkid_untrusted:process dyntransition;
+neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/domain.te b/domain.te
index 2a63c82..2922da6 100644
--- a/domain.te
+++ b/domain.te
@@ -22,7 +22,7 @@
setrlimit
};
allow domain self:fd use;
-allow domain proc:dir search;
+allow domain proc:dir r_dir_perms;
allow domain proc_net:dir search;
r_dir_file(domain, self)
allow domain self:{ fifo_file file } rw_file_perms;
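Review bot: `allow domain proc:dir r_dir_perms;` has no comment explaining why every domain now needs more than `search` on the /proc directory; the macro presumably adds read/open/getattr, i.e. listing /proc entries and thereby enumerating pids from any domain, untrusted apps included. If that is the intent, a why-comment naming the consumer would help, e.g. `# Every domain may list /proc (needed by <consumer>); pid visibility then depends on whether /proc is mounted with hidepid — confirm.`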
@@ -168,10 +168,10 @@
neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow domain self:memprotect mmap_zero;
+neverallow * self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux.
-neverallow domain self:capability2 mac_override;
+neverallow * self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
@@ -203,11 +203,11 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow domain kernel:security setenforce;
+neverallow * kernel:security setenforce;
neverallow { domain -kernel } kernel:security setcheckreqprot;
# No booleans in AOSP policy, so no need to ever set them.
-neverallow domain kernel:security setbool;
+neverallow * kernel:security setbool;
# Adjusting the AVC cache threshold.
# Not presently allowed to anything in policy, but possibly something
@@ -218,11 +218,11 @@
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type.
-neverallow domain { file_type -exec_type }:file entrypoint;
+neverallow * { file_type -exec_type }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
@@ -230,15 +230,15 @@
neverallow { domain -init } proc_security:file { append write };
# No domain should be allowed to ptrace init.
-neverallow domain init:process ptrace;
+neverallow * init:process ptrace;
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
-neverallow domain init:binder *;
+neverallow * init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
@@ -297,15 +297,15 @@
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
-neverallow domain exec_type:dir_file_class_set mounton;
+neverallow * exec_type:dir_file_class_set mounton;
neverallow { domain -init } system_file:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
-neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
@@ -318,11 +318,12 @@
# system_app_service rather than the generic type.
# New service_types are defined in service.te and new mappings
# from service name to service_type are defined in service_contexts.
-neverallow domain default_android_service:service_manager add;
+neverallow * default_android_service:service_manager add;
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
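Review bot: The new `neverallow { domain -init } mmc_prop:property_service set;` sits directly under the comment about unknown/default properties, which does not describe it, so a reader may take mmc_prop for another unlabeled-property catch-all. Suggest giving it its own line of context, e.g. `# persist.mmc.* is written only by init; read-only for every other domain.` Since mmc_prop is defined elsewhere in this change without core_property_type, the comment could also say whether that omission is deliberate.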
@@ -372,11 +373,11 @@
# that, even assuming only non-buggy and non-malicious code, it is very likely
# that over time, the kernel global tables used to implement SysV IPCs will fill
# up.
-neverallow domain domain:{ shm sem msg msgq } *;
+neverallow * *:{ shm sem msg msgq } *;
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
-neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
@@ -388,7 +389,7 @@
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
-neverallow domain {
+neverallow * {
file_type
-system_data_file
-apk_data_file
@@ -399,7 +400,7 @@
# Do not allow making the stack or heap executable.
# We would also like to minimize execmem but it seems to be
# required by some device-specific service domains.
-neverallow domain self:process { execstack execheap };
+neverallow * self:process { execstack execheap };
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
@@ -500,16 +501,16 @@
} shell_data_file:file open;
# servicemanager is the only process which handles list request
-neverallow domain ~servicemanager:service_manager list;
+neverallow * ~servicemanager:service_manager list;
# only service_manager_types can be added to service_manager
-neverallow domain ~service_manager_type:service_manager { add find };
+neverallow * ~service_manager_type:service_manager { add find };
# logpersist is only allowed on userdebug/eng builds
neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
# Prevent assigning non property types to properties
-neverallow domain ~property_type:property_service set;
+neverallow * ~property_type:property_service set;
# Domain types should never be assigned to any files other
# than the /proc/pid files associated with a process. The
@@ -522,7 +523,7 @@
# init_daemon_domain(mydaemon)
# $ grep mydaemon file_contexts
# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow domain domain:file { execute execute_no_trans entrypoint };
+neverallow * domain:file { execute execute_no_trans entrypoint };
# Do not allow access to the generic debugfs label. This is too broad.
# Instead, if access to part of debugfs is desired, it should have a
diff --git a/file.te b/file.te
index 81ff887..d205c56 100644
--- a/file.te
+++ b/file.te
@@ -50,6 +50,7 @@
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
# File types
type unlabeled, file_type;
@@ -169,6 +170,8 @@
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type;
# Socket types
type adbd_socket, file_type;
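Review bot: `type app_fuse_file, file_type, data_file_type;` is documented only as "Type for appfuse file", which does not mention that by carrying data_file_type every existing rule granted on that attribute now also applies to files served over an appfuse mount. Suggest `# Type for files on an appfuse mount (fuse presumably context-mounted as app_fusefs by vold); carries data_file_type, so attribute-wide data_file_type grants apply — review those before relying on the per-domain rules.`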
@@ -211,6 +214,7 @@
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
diff --git a/fsck.te b/fsck.te
index cdf1188..d5a6db1 100644
--- a/fsck.te
+++ b/fsck.te
@@ -43,5 +43,5 @@
# Only allow entry from init or vold via fsck binaries
neverallow { domain -init -vold } fsck:process transition;
-neverallow domain fsck:process dyntransition;
+neverallow * fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 4f01db2..00faa20 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -32,5 +32,5 @@
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow domain fsck_untrusted:process dyntransition;
+neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/init.te b/init.te
index 7346d9a..1baeeee 100644
--- a/init.te
+++ b/init.te
@@ -266,6 +266,7 @@
# by dm-verity detecting corrupted blocks
allow init pstorefs:dir search;
allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
# linux keyring configuration
allow init init:key { write search setattr };
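Review bot: `allow init kernel:system syslog_read;` is placed directly under the dm-verity/pstore comment block with no comment of its own, so it reads as if it were part of that rationale. Reading the kernel log is a notable grant even for init (dmesg contents, including whatever addresses or hardware details the kernel prints), so a one-line why-comment naming the consumer would help, e.g. `# Read the kernel log (dmesg) for <reason> — confirm the consumer in init.`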
diff --git a/kernel.te b/kernel.te
index 67edc10..20b0c0a 100644
--- a/kernel.te
+++ b/kernel.te
@@ -71,7 +71,7 @@
# The initial task starts in the kernel domain (assigned via
# initial_sid_contexts), but nothing ever transitions to it.
-neverallow domain kernel:process { transition dyntransition };
+neverallow * kernel:process { transition dyntransition };
# The kernel domain is never entered via an exec, nor should it
# ever execute a program outside the rootfs without changing to another domain.
diff --git a/keystore.te b/keystore.te
index e2338db..9dca43c 100644
--- a/keystore.te
+++ b/keystore.te
@@ -29,4 +29,4 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-neverallow domain keystore:process ptrace;
+neverallow * keystore:process ptrace;
diff --git a/lmkd.te b/lmkd.te
index 0d641ca..ee290a3 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -34,4 +34,4 @@
### neverallow rules
# never honor LD_PRELOAD
-neverallow domain lmkd:process noatsecure;
+neverallow * lmkd:process noatsecure;
diff --git a/mediaserver.te b/mediaserver.te
index 6006f02..7e20002 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -66,6 +66,9 @@
allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
diff --git a/priv_app.te b/priv_app.te
index 68b588c..e300d45 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -67,6 +67,8 @@
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
+allow priv_app app_fuse_file:dir rw_dir_perms;
+allow priv_app app_fuse_file:file rw_file_perms;
# /sys access
allow priv_app sysfs_zram:dir search;
diff --git a/property.te b/property.te
index 94567ed..c649a90 100644
--- a/property.te
+++ b/property.te
@@ -23,6 +23,7 @@
type ctl_console_prop, property_type;
type audio_prop, property_type, core_property_type;
type logd_prop, property_type, core_property_type;
+type mmc_prop, property_type;
type restorecon_prop, property_type, core_property_type;
type security_prop, property_type, core_property_type;
type bluetooth_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index 47c3cf7..6b25ec4 100644
--- a/property_contexts
+++ b/property_contexts
@@ -37,10 +37,12 @@
service.adb.tcp.port u:object_r:shell_prop:s0
persist.audio. u:object_r:audio_prop:s0
+persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
persist.log.tag u:object_r:logd_prop:s0
+persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
diff --git a/service_contexts b/service_contexts
index 4116383..5cab2d3 100644
--- a/service_contexts
+++ b/service_contexts
@@ -2,7 +2,7 @@
account u:object_r:account_service:s0
activity u:object_r:activity_service:s0
alarm u:object_r:alarm_service:s0
-android.os.IUpdateEngine u:object_r:update_engine_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
appops u:object_r:appops_service:s0
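Review bot: Renaming the registered name to `android.os.UpdateEngineService` must land together with the update_engine side registering under the new name; if the daemon still adds the service as `android.os.IUpdateEngine`, that name falls to default_android_service and `neverallow * default_android_service:service_manager add` in domain.te rejects the add. That fails closed, but it silently breaks the update path, so it is worth confirming the daemon change is part of this topic.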
diff --git a/sgdisk.te b/sgdisk.te
index b8d6b3f..43636d4 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -18,5 +18,5 @@
# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
-neverallow domain sgdisk:process dyntransition;
+neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/system_app.te b/system_app.te
index 5e66acd..355f6d4 100644
--- a/system_app.te
+++ b/system_app.te
@@ -23,6 +23,7 @@
allow system_app wallpaper_file:file r_file_perms;
# Write to properties
+set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, logd_prop)
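Review bot: `set_prop(system_app, bluetooth_prop)` lets every system_app write bluetooth properties, presumably previously limited to the bluetooth domain and init, and with the new `persist.bluetooth.` prefix in property_contexts that covers any key under it; no comment names the app or property that needs this. Suggest a why-comment above it, e.g. `# Settings (system_app) toggles persist.bluetooth.* — confirm exact keys`, so the grant can be narrowed if bluetooth_prop is ever split.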
diff --git a/system_server.te b/system_server.te
index eae67ed..7050980 100644
--- a/system_server.te
+++ b/system_server.te
@@ -441,7 +441,7 @@
# For AppFuse.
allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl };
+allow system_server fuse_device:chr_file { read write ioctl getattr };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
diff --git a/toolbox.te b/toolbox.te
index d2f969f..55de7eb 100644
--- a/toolbox.te
+++ b/toolbox.te
@@ -22,5 +22,5 @@
# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
-neverallow domain toolbox:process dyntransition;
+neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/uncrypt.te b/uncrypt.te
index 354bda0..9231a4d 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -26,8 +26,6 @@
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index a92323e..1b2d89e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -148,3 +148,21 @@
# Do not allow untrusted_app to set system properties.
neverallow untrusted_app property_socket:sock_file write;
neverallow untrusted_app property_type:property_service set;
+
+# Do not allow untrusted_app to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow untrusted_app {
+ fs_type
+ -fuse # sdcard
+ file_type
+ -app_data_file # The apps sandbox itself
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
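Review bot: The rationale above the new neverallow ("fill the device with unaccounted for data") is only partly enforced by `{ create unlink }`: writing or appending to an existing world-writable file outside the sandbox is not covered by this rule, so the comment should say the rule restricts creating and deleting entries, not writing. Suggest `# Do not allow untrusted_app to create/unlink files or directories outside of its sandbox, internal storage or sdcard (writes to existing files are not covered here).` The comment also has a typo, `artfacts` → `artifacts`.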
diff --git a/update_engine.te b/update_engine.te
index 3fbfd8a..39b9936 100644
--- a/update_engine.te
+++ b/update_engine.te
@@ -33,3 +33,6 @@
# Allow update_engine to call the callback function provided by priv_app.
binder_call(update_engine, priv_app)
+
+# Allow read/write bootctrl block device.
+allow update_engine bootctrl_block_device:blk_file rw_file_perms;
diff --git a/vold.te b/vold.te
index 67e461a..9a1ccfe 100644
--- a/vold.te
+++ b/vold.te
@@ -174,6 +174,9 @@
# For AppFuse.
allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
# coldboot of /sys/block
allow vold sysfs_zram:dir r_dir_perms;