Add SELinux rules for service_manager.

Add a service_manager class with the verb add.
Add a type that groups the services for each of the
processes that are allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
diff --git a/Android.mk b/Android.mk
index bdf26b3..1163477 100644
--- a/Android.mk
+++ b/Android.mk
@@ -198,6 +198,26 @@
 built_pc := $(LOCAL_BUILT_MODULE)
 
 ##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+ALL_SVC_FILES := $(call build_policy, service_contexts)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE):  $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(ALL_SVC_FILES) > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+
+built_svc := $(LOCAL_BUILT_MODULE)
+
+##################################
 
 ##################################
 include $(CLEAR_VARS)
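Review bot: checkfc on the last recipe line of the new service_contexts rule validates $@ only after m4 has already written it, so a failed check leaves a complete-looking but rejected file in place unless the enclosing build sets .DELETE_ON_ERROR, which is not visible in this hunk. Writing through a temporary name closes that gap: `$(hide) m4 -s $(ALL_SVC_FILES) > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`. A one-line comment above the rule saying that the file is m4-assembled and then checked against the built policy (presumably so every target label in it resolves to a declared type) would also help, since the other context modules in this file are handled the same way but nothing explains why the check is part of the recipe.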
@@ -243,7 +263,7 @@
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc)
+$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
 	@mkdir -p $(dir $@)
 	$(hide) echo -n $(BUILD_FINGERPRINT) > $@
 
@@ -255,5 +275,6 @@
 built_sc :=
 built_fc :=
 built_pc :=
+built_svc :=
 
 include $(call all-makefiles-under,$(LOCAL_PATH))
diff --git a/access_vectors b/access_vectors
index 2655872..7609d9d 100644
--- a/access_vectors
+++ b/access_vectors
@@ -888,3 +888,8 @@
 {
 	set
 }
+
+class service_manager
+{
+	add
+}
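Review bot: The new class carries a single permission, `add`, so only service registration is mediated by this class; lookups and enumeration through the service manager are not expressed here, and nothing in the patch records whether that is deliberate. A short comment beside the class, e.g. `# Registration of a named service with servicemanager; lookups are not mediated by this class`, would document the intended scope so a later reader does not assume client-side lookups are already covered. If further verbs are planned, naming them in that comment would also explain why the class was introduced with only one.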
diff --git a/attributes b/attributes
index 261500f..64de61a 100644
--- a/attributes
+++ b/attributes
@@ -39,6 +39,9 @@
 # All types used for property service
 attribute property_type;
 
+# All types used for services managed by service_manager.
+attribute service_manager_type;
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 757d807..db2f93f 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -11,3 +11,7 @@
 # Receive and write to a pipe received over Binder from an app.
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
+
+# Allow binderservicedomain to add services by default.
+allow binderservicedomain service_manager_type:service_manager add;
+auditallow binderservicedomain default_android_service:service_manager add;
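Review bot: The blanket `allow binderservicedomain service_manager_type:service_manager add;` lets every domain carrying that attribute register under any of the per-service types declared in service.te, so the per-domain rules added in drmserver.te, healthd.te, inputflinger.te, keystore.te, mediaserver.te, nfc.te, radio.te, surfaceflinger.te and system_server.te are subsumed by it (assuming those domains are members of binderservicedomain, which this patch does not show), and the per-service types currently constrain nothing. The auditallow only watches default_android_service, so a registration under a name that service_contexts labels as another process's service type would neither be denied nor logged. If the broad grant is a transitional default while services are being labeled, a comment saying so would mark it for later removal, e.g. `# Transitional: every binder service may add any labeled service; narrow to each domain's own *_service type once service_contexts is complete.`; otherwise the per-domain rules alone are the ones that express the intended least privilege.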
diff --git a/drmserver.te b/drmserver.te
index e2b62df..1993176 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -44,3 +44,5 @@
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow drmserver radio_data_file:file { read getattr };
+
+allow drmserver drmserver_service:service_manager add;
diff --git a/healthd.te b/healthd.te
index 97c0ca5..08472cc 100644
--- a/healthd.te
+++ b/healthd.te
@@ -32,3 +32,5 @@
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
+
+allow healthd healthd_service:service_manager add;
diff --git a/inputflinger.te b/inputflinger.te
index b08b345..0bef25e 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,3 +8,5 @@
 binder_service(inputflinger)
 
 binder_call(inputflinger, system_server)
+
+allow inputflinger inputflinger_service:service_manager add;
diff --git a/keystore.te b/keystore.te
index 8aa1d7d..3e627f8 100644
--- a/keystore.te
+++ b/keystore.te
@@ -25,3 +25,5 @@
 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
 
 neverallow domain keystore:process ptrace;
+
+allow keystore keystore_service:service_manager add;
diff --git a/mediaserver.te b/mediaserver.te
index 439315f..e4d5a23 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,3 +78,5 @@
 
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
+
+allow mediaserver mediaserver_service:service_manager add;
diff --git a/nfc.te b/nfc.te
index 0968c35..65aaef7 100644
--- a/nfc.te
+++ b/nfc.te
@@ -13,3 +13,5 @@
 
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
+
+allow nfc nfc_service:service_manager add;
diff --git a/radio.te b/radio.te
index d5bf42b..4f1df1f 100644
--- a/radio.te
+++ b/radio.te
@@ -22,3 +22,5 @@
 
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
+
+allow radio radio_service:service_manager add;
diff --git a/security_classes b/security_classes
index 197805e..9ff494f 100644
--- a/security_classes
+++ b/security_classes
@@ -137,4 +137,7 @@
 # Property service
 class property_service          # userspace
 
+# Service manager
+class service_manager           # userspace
+
 # FLASK
diff --git a/service.te b/service.te
new file mode 100644
index 0000000..650ac13
--- /dev/null
+++ b/service.te
@@ -0,0 +1,10 @@
+type default_android_service,   service_manager_type;
+type drmserver_service,         service_manager_type;
+type healthd_service,           service_manager_type;
+type inputflinger_service,      service_manager_type;
+type keystore_service,          service_manager_type;
+type mediaserver_service,       service_manager_type;
+type nfc_service,               service_manager_type;
+type radio_service,             service_manager_type;
+type surfaceflinger_service,    service_manager_type;
+type system_server_service,     service_manager_type;
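Review bot: The new file declares ten types without a comment explaining how they relate to service_contexts, in particular that default_android_service is the label the trailing `*` entry there assigns to any service name not explicitly listed. A header comment such as `# Types for services registered with servicemanager; each domain is allowed to add its own *_service type, and default_android_service is the catch-all label from service_contexts.` would make the mapping self-explanatory. Noting next to default_android_service that the auditallow in binderservicedomain.te exists to surface services still falling into this bucket would tie the two files together for whoever maintains the list.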
diff --git a/service_contexts b/service_contexts
new file mode 100644
index 0000000..3720b46
--- /dev/null
+++ b/service_contexts
@@ -0,0 +1,96 @@
+accessibility                             u:object_r:system_server_service:s0
+account                                   u:object_r:system_server_service:s0
+activity                                  u:object_r:system_server_service:s0
+alarm                                     u:object_r:system_server_service:s0
+android.security.keystore                 u:object_r:keystore_service:s0
+appops                                    u:object_r:system_server_service:s0
+appwidget                                 u:object_r:system_server_service:s0
+assetatlas                                u:object_r:system_server_service:s0
+audio                                     u:object_r:system_server_service:s0
+backup                                    u:object_r:system_server_service:s0
+batteryproperties                         u:object_r:healthd_service:s0
+batterystats                              u:object_r:system_server_service:s0
+battery                                   u:object_r:system_server_service:s0
+bluetooth_manager                         u:object_r:system_server_service:s0
+clipboard                                 u:object_r:system_server_service:s0
+com.android.internal.telephony.mms.IMms   u:object_r:system_server_service:s0
+commontime_management                     u:object_r:system_server_service:s0
+connectivity                              u:object_r:system_server_service:s0
+consumer_ir                               u:object_r:system_server_service:s0
+content                                   u:object_r:system_server_service:s0
+country_detector                          u:object_r:system_server_service:s0
+cpuinfo                                   u:object_r:system_server_service:s0
+dbinfo                                    u:object_r:system_server_service:s0
+device_policy                             u:object_r:system_server_service:s0
+devicestoragemonitor                      u:object_r:system_server_service:s0
+diskstats                                 u:object_r:system_server_service:s0
+display.qservice                          u:object_r:surfaceflinger_service:s0
+display                                   u:object_r:system_server_service:s0
+DockObserver                              u:object_r:system_server_service:s0
+dreams                                    u:object_r:system_server_service:s0
+drm.drmManager                            u:object_r:drmserver_service:s0
+dropbox                                   u:object_r:system_server_service:s0
+entropy                                   u:object_r:system_server_service:s0
+ethernet                                  u:object_r:system_server_service:s0
+gfxinfo                                   u:object_r:system_server_service:s0
+hardware                                  u:object_r:system_server_service:s0
+hdmi_control                              u:object_r:system_server_service:s0
+inputflinger                              u:object_r:inputflinger_service:s0
+input_method                              u:object_r:system_server_service:s0
+input                                     u:object_r:system_server_service:s0
+iphonesubinfo                             u:object_r:radio_service:s0
+isms                                      u:object_r:radio_service:s0
+launcherapps                              u:object_r:system_server_service:s0
+location                                  u:object_r:system_server_service:s0
+lock_settings                             u:object_r:system_server_service:s0
+media.audio_flinger                       u:object_r:mediaserver_service:s0
+media.audio_policy                        u:object_r:mediaserver_service:s0
+media.camera                              u:object_r:mediaserver_service:s0
+media.player                              u:object_r:mediaserver_service:s0
+media_router                              u:object_r:system_server_service:s0
+media_session                             u:object_r:system_server_service:s0
+meminfo                                   u:object_r:system_server_service:s0
+mount                                     u:object_r:system_server_service:s0
+netpolicy                                 u:object_r:system_server_service:s0
+netstats                                  u:object_r:system_server_service:s0
+network_management                        u:object_r:system_server_service:s0
+network_score                             u:object_r:system_server_service:s0
+nfc                                       u:object_r:nfc_service:s0
+notification                              u:object_r:system_server_service:s0
+package                                   u:object_r:system_server_service:s0
+permission                                u:object_r:system_server_service:s0
+phone                                     u:object_r:radio_service:s0
+power                                     u:object_r:system_server_service:s0
+print                                     u:object_r:system_server_service:s0
+procstats                                 u:object_r:system_server_service:s0
+restrictions                              u:object_r:system_server_service:s0
+samplingprofiler                          u:object_r:system_server_service:s0
+scheduling_policy                         u:object_r:system_server_service:s0
+search                                    u:object_r:system_server_service:s0
+sensorservice                             u:object_r:system_server_service:s0
+serial                                    u:object_r:system_server_service:s0
+servicediscovery                          u:object_r:system_server_service:s0
+simphonebook                              u:object_r:radio_service:s0
+sip                                       u:object_r:radio_service:s0
+statusbar                                 u:object_r:system_server_service:s0
+SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
+task                                      u:object_r:system_server_service:s0
+telecomm                                  u:object_r:radio_service:s0
+telephony.registry                        u:object_r:system_server_service:s0
+textservices                              u:object_r:system_server_service:s0
+trust                                     u:object_r:system_server_service:s0
+tv_input                                  u:object_r:system_server_service:s0
+uimode                                    u:object_r:system_server_service:s0
+updatelock                                u:object_r:system_server_service:s0
+usagestats                                u:object_r:system_server_service:s0
+usb                                       u:object_r:system_server_service:s0
+user                                      u:object_r:system_server_service:s0
+vibrator                                  u:object_r:system_server_service:s0
+voiceinteraction                          u:object_r:system_server_service:s0
+wallpaper                                 u:object_r:system_server_service:s0
+wifip2p                                   u:object_r:system_server_service:s0
+wifiscanner                               u:object_r:system_server_service:s0
+wifi                                      u:object_r:system_server_service:s0
+window                                    u:object_r:system_server_service:s0
+
+*                                         u:object_r:default_android_service:s0
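Review bot: Entry order in this file appears to matter — longer names are placed before names they begin with (`batterystats` before `battery`, `display.qservice` before `display`, `inputflinger` and `input_method` before `input`, `wifip2p` and `wifiscanner` before `wifi`) and the `*` catch-all is last — which suggests a first-match, prefix-style lookup, though the matching rule itself is not visible in this patch. A header comment stating the lookup rule and that the list must not be resorted alphabetically would prevent a future edit from silently relabeling a service as default_android_service or as another process's service type, which is the only thing the new `service_manager add` rules key on. If the checker accepts `#` comment lines here as in the other contexts files, that is where the note belongs; otherwise it should sit on the Android.mk rule that assembles the file.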
diff --git a/servicemanager.te b/servicemanager.te
index a78a485..f3dbca8 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -12,3 +12,10 @@
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager domain:binder transfer;
+
+# Get contexts of binder services that call servicemanager.
+allow servicemanager binderservicedomain:dir search;
+allow servicemanager binderservicedomain:file { read open };
+allow servicemanager binderservicedomain:process getattr;
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
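Review bot: The three new allow rules on binderservicedomain as dir, file and process, together with `selinux_check_access(servicemanager)`, read as the pieces servicemanager needs to obtain a calling process's security context (presumably via its /proc entry, given the dir search and file read/open on a process type) and then query the policy for the `service_manager add` decision, but the comment only says "Get contexts". Spelling the mechanism out would help, e.g. `# Read the calling binder service's context (dir/file/process access on its /proc entry) and ask the kernel whether service_manager permissions are granted.`. It is also worth stating that, because the read rules cover only binderservicedomain, a caller outside that attribute would fail at the context lookup rather than with an explicit service_manager denial, if that is the intended behaviour.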
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 6a40bfc..c508612 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,6 +57,8 @@
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
+allow surfaceflinger surfaceflinger_service:service_manager add;
+
 ###
 ### Neverallow rules
 ###
diff --git a/system_server.te b/system_server.te
index aa4d6c4..11a1ebe 100644
--- a/system_server.te
+++ b/system_server.te
@@ -350,6 +350,8 @@
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
+allow system_server system_server_service:service_manager add;
+
 ###
 ### Neverallow rules
 ###