Merge "drop vold from sys_rawio neverallow exception" into nyc-dev
diff --git a/adbd.te b/adbd.te
index cd5df2a..b44cf0d 100644
--- a/adbd.te
+++ b/adbd.te
@@ -36,7 +36,8 @@
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
diff --git a/app.te b/app.te
index c9c5ca2..c4ebdf6 100644
--- a/app.te
+++ b/app.te
@@ -33,8 +33,9 @@
allow appdomain dalvikcache_data_file:dir { search getattr };
allow appdomain dalvikcache_data_file:file r_file_perms;
-# Read the /sdcard symlink
+# Read the /sdcard and /mnt/sdcard symlinks
allow appdomain rootfs:lnk_file r_file_perms;
+allow appdomain tmpfs:lnk_file r_file_perms;
# Search /storage/emulated tmpfs mount.
allow appdomain tmpfs:dir r_dir_perms;
diff --git a/audioserver.te b/audioserver.te
index 0865497..ea7f6d9 100644
--- a/audioserver.te
+++ b/audioserver.te
@@ -15,11 +15,14 @@
allow audioserver ion_device:chr_file r_file_perms;
allow audioserver system_file:dir r_dir_perms;
-# used for TEE sink - pcm capture for debug.
userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
allow audioserver media_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:dir create_dir_perms;
allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
')
allow audioserver audio_device:dir r_dir_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 0056550..0b45fa9 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -23,7 +23,7 @@
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
-allow debuggerd { audioserver cameraserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow debuggerd { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
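Review bot: The domain set in the rewritten `allow debuggerd { audioserver ... surfaceflinger }:debuggerd dump_backtrace;` is now the third hand-maintained copy of the same list, alongside both dumpstate.te rules (`:process signal` and `:debuggerd dump_backtrace`) and system_server.te; the copies had already drifted before this commit (dumpstate lacked inputflinger and mediadrmserver, system_server lacked drmserver) and will again. Declaring one attribute for these native daemons, or one m4 list in te_macros, and referencing it from all three files keeps the sets identical by construction. The comment above this rule should also say that the list must match native_processes_to_dump in dumpstate, as dumpstate.te's comment does.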
diff --git a/domain.te b/domain.te
index ed08dc0..9b2024b 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,7 @@
allow domain self:{ fifo_file file } rw_file_perms;
allow domain self:unix_dgram_socket { create_socket_perms sendto };
allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;
# Inherit or receive open files from others.
allow domain init:fd use;
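Review bot: The added `allowxperm domain domain:{ unix_dgram_socket unix_stream_socket } ioctl unpriv_unix_sock_ioctls;` carries no comment and targets `domain` rather than the `self` used by the allow rules above it. An allowxperm only narrows an `ioctl` permission that some allow rule already grants, so the wider target is harmless wherever no base rule exists, but that reasoning belongs in the policy: `# Whitelist of ioctls on unix sockets; this only narrows ioctl permissions granted elsewhere, it never grants them.` Why tty ioctls such as TCGETS and TIOCSWINSZ are expected on unix sockets (isatty()-style probes, presumably) is worth recording next to the macro in ioctl_macros.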
@@ -217,8 +218,8 @@
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
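Review bot: Carving `postinstall_file` out of `neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;`, together with dropping `exec_type` from its declaration in file.te, means any rule in this file keyed on `exec_type` (the usual neverallows that keep executables from being written, created or relabeled by unprivileged domains) no longer covers files under /postinstall; the new neverallow in postinstall.te limits who may transition into `postinstall`, not who may write the files it executes. Before merging, confirm that the domains able to write `postinstall_file` are limited to what the update flow needs, or add a neverallow to that effect here. The comment should also state why postinstall_file cannot remain in exec_type, since the exception otherwise reads as an unexplained hole.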
@@ -560,3 +561,8 @@
-installd
-profman
} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;
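Review bot: The comment above `neverallow * ~{ system_file rootfs }:system module_load;` promises system, vendor and boot partitions, but the rule names only two types; if /vendor files are labeled `system_file` on this branch the comment should say so, and if they carry their own type the rule is stricter than the comment claims. A parenthetical such as `# (/vendor is labeled system_file; rootfs covers the boot ramdisk)` removes the ambiguity — adjust it to whatever file_contexts actually says. The `neverallow { ... -installd -profman } profman_exec:file no_x_file_perms;` rule at the top of this hunk begins outside it.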
diff --git a/dumpstate.te b/dumpstate.te
index 8f64a0c..5095ecd 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -48,9 +48,9 @@
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:process signal;
+allow dumpstate { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes.
-allow dumpstate { audioserver cameraserver drmserver mediaserver mediacodec mediaextractor sdcardd surfaceflinger }:debuggerd dump_backtrace;
+allow dumpstate { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
diff --git a/file.te b/file.te
index d842559..c6b2a49 100644
--- a/file.te
+++ b/file.te
@@ -124,7 +124,7 @@
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type, exec_type;
+type postinstall_file, file_type;
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type;
diff --git a/init.te b/init.te
index c8b39eb..d8ed8b8 100644
--- a/init.te
+++ b/init.te
@@ -286,6 +286,9 @@
unix_socket_connect(init, vold, vold)
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
###
### neverallow rules
###
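Review bot: `allow init misc_block_device:blk_file w_file_perms;` opens the entire misc partition for writing by init, and the identical grant is repeated in vold.te in this commit, both with only the terse `# Raw writes to misc block device` comment. Raw block writes bypass any filesystem-level labeling, so the comment should name the consumer so a later reviewer can judge whether the grant is still needed, e.g. `# Raw writes to misc block device (used by <init action / vold command — fill in>)`. If both domains write the same region, consider whether one could perform the write on behalf of the other instead of granting it twice.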
diff --git a/ioctl_macros b/ioctl_macros
index 466870e..2b5db31 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -2,7 +2,7 @@
define(`unpriv_sock_ioctls', `
{
# Socket ioctls for gathering information about the interface
-SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFBRDADDR
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
# Wireless extension ioctls. Primarily get functions.
SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
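Review bot: Moving `SIOCGIFDSTADDR` into unpriv_sock_ioctls makes the point-to-point peer address readable by every domain that is granted the unprivileged set, not only whichever caller motivated the change. It is a get-only ioctl in line with the other SIOCGIF* entries on this line, so the move looks sound, and the next hunk does remove it from priv_sock_ioctls so it is not present in both lists; the caller that needed it should still be recorded in the commit message or a trailing comment.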
@@ -16,7 +16,7 @@
# qualcomm rmnet ioctls
WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
# socket ioctls
-SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR SIOCGIFDSTADDR
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
@@ -40,5 +40,8 @@
SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
}')
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')
+
# commonly used TTY ioctls
define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
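Review bot: The new `unpriv_unix_sock_ioctls` define repeats `TIOCOUTQ FIOCLEX` from `unpriv_tty_ioctls` two lines below and is formatted differently (`{TIOCOUTQ` with no space after the brace), so the two sets will drift apart silently. Match the existing style and flag the overlap: `# commonly used ioctls on unix sockets (superset of unpriv_tty_ioctls; keep in sync)` followed by `define(`unpriv_unix_sock_ioctls', `{ TIOCOUTQ FIOCLEX TCGETS TIOCSWINSZ FIONREAD }')`. A sentence on why tty ioctls are expected on unix sockets at all would also help whoever next audits this list.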
diff --git a/isolated_app.te b/isolated_app.te
index 6497cf1..978982a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -40,6 +40,12 @@
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
# b/17487348
# Isolated apps can only access three services,
# activity_service, display_service and webviewupdate_service.
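Review bot: `neverallow isolated_app anr_data_file:file ~{ open append };` also forbids ever granting `getattr` or `lock` on the traces file, so if the writer fstat()s or flock()s it after opening, a future allow for that would fail policy compilation; the intent (append-only, no read-back, no truncation) should be stated and the exclusion set checked against the actual writer. The two TODO lines ask questions the policy cannot answer for itself; either resolve them against the referenced bugs before merging or reduce them to one line that records what is known. The same pair of rules is added to untrusted_app.te in this commit without the TODOs, so the two copies should be kept in step.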
@@ -57,6 +63,16 @@
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
+neverallow isolated_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow isolated_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
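Review bot: The 23-entry class set in `neverallow isolated_app *:{ socket netlink_socket ... netlink_crypto_socket } *;` is pasted verbatim into untrusted_app.te in this same commit; any socket class added to the kernel or to access_vectors must then be appended in both places, and one forgotten copy silently reopens that class for that app domain. Define the set once in te_macros (or declare an attribute shared by isolated_app and untrusted_app) and reference it from both files. The matching tightening on the allow side is net.te, which now grants netdomain `netlink_route_socket` without `ioctl`; a one-line comment here pointing at that rule would help whoever next hits a denial.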
diff --git a/mediaserver.te b/mediaserver.te
index c6ec3ff..21f16f4 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -15,6 +15,11 @@
# open /vendor/lib/mediadrm
allow mediaserver system_file:dir r_dir_perms;
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, { appdomain autoplay_app })
diff --git a/net.te b/net.te
index 6aa12f2..4616eb1 100644
--- a/net.te
+++ b/net.te
@@ -13,7 +13,7 @@
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
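Review bot: The rewritten `allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };` is create_socket_perms minus `ioctl` but does not say so, so it reads as an arbitrary list that the next editor may well "simplify" back to the macro; the te_macros hunk does the same when it expands `allow $1 self:netlink_selinux_socket *;` into an explicit list that appears to be everything but ioctl. Add `# create_socket_perms minus ioctl: untrusted_app and isolated_app neverallow ioctl on this class` above this line and an equivalent note above the te_macros rule. Alternatively, a helper in global_macros (a constructed name such as `create_socket_perms_no_ioctl`, adjust to taste) would make the relationship explicit in both places.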
diff --git a/netd.te b/netd.te
index 51445fc..6864ad6 100644
--- a/netd.te
+++ b/netd.te
@@ -65,6 +65,9 @@
allow netd system_server:binder call;
allow netd permission_service:service_manager find;
+# Allow netd to talk to the framework service which collects DNS query metrics.
+allow netd dns_listener_service:service_manager find;
+
# Allow netd to operate on sockets that are passed to it.
allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt};
allow netd netdomain:fd use;
diff --git a/postinstall.te b/postinstall.te
index 8afc561..938fcd2 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -18,3 +18,7 @@
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;
+
+# No domain other than update_engine should transition to postinstall, as it is
+# only meant to run during the update.
+neverallow { domain -update_engine } postinstall:process { transition dyntransition };
diff --git a/priv_app.te b/priv_app.te
index b2b9e57..5801619 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -36,7 +36,6 @@
allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
allow priv_app recovery_service:service_manager find;
-allow priv_app contexthub_service:service_manager find;
# Traverse into /mnt/media_rw for bypassing FUSE daemon
# TODO: narrow this to just MediaProvider
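Review bot: The replacement for the removed `allow priv_app contexthub_service:service_manager find;` — adding `app_api_service` to the contexthub_service declaration in service.te — is broader than what it replaces: every domain that reaches services through app_api_service can now find the context hub service, not only priv_app. If that widening is intended it should be stated in the commit message, and if the service's own permission check is now the only gate, a comment on the service.te declaration saying so would help. Nothing in these hunks shows that the service enforces such a check, so I cannot confirm it from here.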
diff --git a/property_contexts b/property_contexts
index 504e1a0..1329854 100644
--- a/property_contexts
+++ b/property_contexts
@@ -44,6 +44,7 @@
persist.mmc. u:object_r:mmc_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
+ro.sys.safemode u:object_r:safemode_prop:s0
persist.sys.audit_safemode u:object_r:safemode_prop:s0
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
diff --git a/service.te b/service.te
index bd6ab38..8fea071 100644
--- a/service.te
+++ b/service.te
@@ -35,7 +35,7 @@
type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type;
-type contexthub_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type connectivity_service, app_api_service, system_server_service, service_manager_type;
@@ -49,6 +49,7 @@
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, system_server_service, service_manager_type;
+type dns_listener_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index 288ff90..11c0736 100644
--- a/service_contexts
+++ b/service_contexts
@@ -34,6 +34,7 @@
diskstats u:object_r:diskstats_service:s0
display.qservice u:object_r:surfaceflinger_service:s0
display u:object_r:display_service:s0
+dns_listener u:object_r:dns_listener_service:s0
DockObserver u:object_r:DockObserver_service:s0
dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
diff --git a/shell.te b/shell.te
index a304673..a314c61 100644
--- a/shell.te
+++ b/shell.te
@@ -88,6 +88,7 @@
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
+allow shell proc_meminfo:file r_file_perms;
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/system_server.te b/system_server.te
index ac27256..1d2677e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -150,7 +150,7 @@
binder_service(system_server)
# Ask debuggerd to dump backtraces for native stacks of interest.
-allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+allow system_server { audioserver cameraserver drmserver inputflinger mediacodec mediadrmserver mediaextractor mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
# Use sockets received over binder from various services.
allow system_server audioserver:tcp_socket rw_socket_perms;
diff --git a/te_macros b/te_macros
index 4d18973..488ef9b 100644
--- a/te_macros
+++ b/te_macros
@@ -221,7 +221,7 @@
define(`selinux_check_access', `
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket *;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
')
#####################################
diff --git a/untrusted_app.te b/untrusted_app.te
index d4d90cc..6bc6843 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -151,8 +151,19 @@
# Do not allow untrusted_app to access network MAC address file
neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
-# do not allow privileged socket ioctl commands
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow untrusted_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow untrusted_app *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
# Do not allow untrusted_app access to /cache
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
@@ -185,3 +196,7 @@
# Do not allow untrusted_app to directly open tun_device
neverallow untrusted_app tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow untrusted_app anr_data_file:file ~{ open append };
+neverallow untrusted_app anr_data_file:dir ~search;
diff --git a/vold.te b/vold.te
index 5663562..6d5d994 100644
--- a/vold.te
+++ b/vold.te
@@ -189,6 +189,9 @@
allow vold user_profile_data_file:dir create_dir_perms;
allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;