Merge "Update readme to reflect addition of SEPOLICY_IGNORE."
diff --git a/access_vectors b/access_vectors
index f8c0110..5e78341 100644
--- a/access_vectors
+++ b/access_vectors
@@ -892,6 +892,8 @@
class service_manager
{
add
+ find
+ list
}
class keystore_key
diff --git a/adbd.te b/adbd.te
index 705f5f0..3b654a1 100644
--- a/adbd.te
+++ b/adbd.te
@@ -8,8 +8,6 @@
')
domain_auto_trans(adbd, shell_exec, shell)
-# this is an entrypoint
-allow adbd rootfs:file entrypoint;
# Do not sanitize the environment or open fds of the shell.
allow adbd shell:process noatsecure;
@@ -70,3 +68,9 @@
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
+
+service_manager_local_audit_domain(adbd)
+auditallow adbd {
+ service_manager_type
+ -surfaceflinger_service
+}:service_manager find;
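Review bot: The `# Audited locally.` marker that every other domain file in this change places above `service_manager_local_audit_domain(...)` (bluetooth.te, bootanim.te, drmserver.te, healthd.te, inputflinger.te, keystore.te, mediaserver.te, nfc.te, platform_app.te, radio.te, isolated_app.te) is missing here and in the dumpstate.te hunk. Adding `# Audited locally.` immediately before `service_manager_local_audit_domain(adbd)` (and the dumpstate equivalent) keeps the pattern uniform and greppable when the local-audit exclusion lists are later turned into per-domain allow rules.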
diff --git a/app.te b/app.te
index 91210f5..8288ea0 100644
--- a/app.te
+++ b/app.te
@@ -61,6 +61,9 @@
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write };
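Review bot: `allow appdomain dex2oat_exec:file rx_file_perms;` lets every app domain, including untrusted_app and isolated_app, execute dex2oat inside the app's own domain: there is no `domain_auto_trans` into the dex2oat domain here, unlike the installd.te hunk in this same change, so the restricted dex2oat domain defined in dex2oat.te does not apply to app-initiated runs (unless a transition rule exists outside this hunk). That is a deliberate trade-off, but the comment should state it so nobody assumes the sandbox covers this path, e.g. `# Execute dex2oat when apps call dexclassloader. Runs in the app's own domain (no transition to dex2oat).`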
@@ -116,8 +119,8 @@
allow untrusted_app system_app_data_file:file { read write getattr };
# Access SDcard via the fuse mount.
-allow appdomain sdcard_internal:dir create_dir_perms;
-allow appdomain sdcard_internal:file create_file_perms;
+allow appdomain fuse:dir create_dir_perms;
+allow appdomain fuse:file create_file_perms;
# Allow apps to use the USB Accessory interface.
# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
@@ -185,15 +188,15 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin.
-neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;
-neverallow { appdomain -unconfineddomain } self:capability2 *;
+# bluetooth requires net_admin and wake_alarm.
+neverallow { appdomain -bluetooth } self:capability *;
+neverallow { appdomain -bluetooth } self:capability2 *;
# Block device access.
-neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
+neverallow appdomain dev_type:blk_file { read write };
# Access to any of the following character devices.
-neverallow { appdomain -unconfineddomain } {
+neverallow appdomain {
audio_device
camera_device
dm_device
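Review bot: Dropping `-unconfineddomain` from the `neverallow { appdomain ... }` rules in this hunk and in the following app.te hunks at `@@ -203`, `@@ -226`, `@@ -272` and `@@ -330` makes every app domain unconditionally subject to them, which also means a device policy that still adds an appdomain member to unconfineddomain now fails at policy build instead of being silently exempted. That is presumably the intent; a one-line comment at the top of the app neverallow section records the decision for downstream maintainers, e.g. `# No appdomain may be unconfined: these rules intentionally carry no unconfineddomain exemption.`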
@@ -203,16 +206,16 @@
}:chr_file { read write };
# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell -unconfineddomain } graphics_device:chr_file { read write };
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-neverallow { appdomain -nfc -unconfineddomain } nfc_device:chr_file
+neverallow { appdomain -nfc } nfc_device:chr_file
{ read write };
-neverallow { appdomain -bluetooth -unconfineddomain } hci_attach_dev:chr_file
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
{ read write };
-neverallow { appdomain -unconfineddomain } tee_device:chr_file { read write };
+neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
self:{
netlink_socket
netlink_firewall_socket
@@ -226,45 +229,45 @@
} *;
# Sockets under /dev/socket that are not specifically typed.
-neverallow { appdomain -unconfineddomain } socket_device:sock_file write;
+neverallow appdomain socket_device:sock_file write;
# Unix domain sockets.
-neverallow { appdomain -unconfineddomain } adbd_socket:sock_file write;
-neverallow { appdomain -unconfineddomain } installd_socket:sock_file write;
-neverallow { appdomain -bluetooth -radio -shell -system_app -unconfineddomain }
+neverallow appdomain adbd_socket:sock_file write;
+neverallow appdomain installd_socket:sock_file write;
+neverallow { appdomain -bluetooth -radio -shell -system_app }
property_socket:sock_file write;
-neverallow { appdomain -radio -unconfineddomain } rild_socket:sock_file write;
-neverallow { appdomain -unconfineddomain } vold_socket:sock_file write;
-neverallow { appdomain -unconfineddomain } zygote_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+neverallow appdomain vold_socket:sock_file write;
+neverallow appdomain zygote_socket:sock_file write;
# ptrace access to non-app domains.
-neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
+neverallow appdomain { domain -appdomain }:process ptrace;
# Write access to /proc/pid entries for any non-app domain.
-neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;
+neverallow appdomain { domain -appdomain }:file write;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
-neverallow { appdomain -unconfineddomain } { domain -appdomain }:process
+neverallow appdomain { domain -appdomain }:process
{ sigkill sigstop signal };
# Transition to a non-app domain.
# Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell -unconfineddomain } ~appdomain:process
+neverallow { appdomain -shell } ~appdomain:process
{ transition dyntransition };
# Write to rootfs.
-neverallow { appdomain -unconfineddomain } rootfs:dir_file_class_set
+neverallow appdomain rootfs:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to /system.
-neverallow { appdomain -unconfineddomain } system_file:dir_file_class_set
+neverallow appdomain system_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to entrypoint executables.
-neverallow { appdomain -unconfineddomain } exec_type:file
+neverallow appdomain exec_type:file
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to system-owned parts of /data.
@@ -272,54 +275,54 @@
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
# Exception for system_app for Settings.
-neverallow { appdomain -unconfineddomain -system_app }
+neverallow { appdomain -system_app }
system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
-neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
+neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
+neverallow appdomain gps_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
+neverallow { appdomain -platform_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
+neverallow { appdomain -platform_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
+neverallow { appdomain -platform_app }
apk_private_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app -unconfineddomain }
+neverallow { appdomain -platform_app }
apk_private_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell -unconfineddomain }
+neverallow { appdomain -shell }
shell_data_file:dir_file_class_set
{ create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth -unconfineddomain }
+neverallow { appdomain -bluetooth }
bluetooth_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
keystore_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
systemkeys_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
wifi_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
dhcp_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Access to factory files.
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
efs_file:dir_file_class_set { read write };
# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc -unconfineddomain }
+neverallow { appdomain -bluetooth -nfc }
sysfs:dir_file_class_set write;
-neverallow { appdomain -unconfineddomain }
+neverallow appdomain
proc:dir_file_class_set write;
# Access to syslog(2) or /proc/kmsg.
@@ -330,8 +333,8 @@
# Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc.
-neverallow { appdomain -unconfineddomain } fs_type:filesystem ~getattr;
+neverallow appdomain fs_type:filesystem ~getattr;
# Ability to set system properties.
-neverallow { appdomain -system_app -radio -shell -bluetooth -unconfineddomain }
+neverallow { appdomain -system_app -radio -shell -bluetooth }
property_type:property_service set;
diff --git a/attributes b/attributes
index 613ed8f..d40217a 100644
--- a/attributes
+++ b/attributes
@@ -67,3 +67,6 @@
# All domains used for binder service domains.
attribute binderservicedomain;
+
+# All domains that are excluded from the domain.te auditallow.
+attribute service_manager_local_audit;
diff --git a/bluetooth.te b/bluetooth.te
index 4e274c4..56fe170 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -28,6 +28,7 @@
# sysfs access.
allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
# Allow clients to use a socket provided by the bluetooth app.
# TODO: See if this is still required under bluedroid.
@@ -48,6 +49,15 @@
allow bluetooth pan_result_prop:property_service set;
allow bluetooth ctl_dhcp_pan_prop:property_service set;
+# Audited locally.
+service_manager_local_audit_domain(bluetooth)
+auditallow bluetooth {
+ service_manager_type
+ -bluetooth_service
+ -radio_service
+ -system_server_service
+}:service_manager find;
+
###
### Neverallow rules
###
@@ -55,5 +65,6 @@
###
# Superuser capabilities.
-# bluetooth requires net_admin.
-neverallow { bluetooth -unconfineddomain } self:capability ~net_admin;
+# bluetooth requires net_admin and wake_alarm.
+neverallow bluetooth self:capability ~net_admin;
+neverallow bluetooth self:capability2 ~wake_alarm;
diff --git a/bootanim.te b/bootanim.te
index 024d20c..7592295 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -8,3 +8,10 @@
binder_call(bootanim, surfaceflinger)
allow bootanim gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
+
+# Audited locally.
+service_manager_local_audit_domain(bootanim)
+auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
diff --git a/device.te b/device.te
index e9b7e51..42d15e3 100644
--- a/device.te
+++ b/device.te
@@ -64,3 +64,6 @@
# Partition layout block device
type root_block_device, dev_type;
+
+# Persistent data block device
+type persistent_data_block_device, dev_type;
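Review bot: `persistent_data_block_device` is declared but nothing in this diff labels a node with it or grants any domain access to it, so as far as this change shows the node keeps whatever label its file_contexts entry currently gives it. If the labeling is meant to live in device-specific file_contexts, the comment should say so, e.g. `# Persistent data block device (labeled by device-specific file_contexts; access rules are device-specific)`; otherwise the type is dead until a follow-up adds both.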
diff --git a/dex2oat.te b/dex2oat.te
new file mode 100644
index 0000000..2df9947
--- /dev/null
+++ b/dex2oat.te
@@ -0,0 +1,12 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+allow dex2oat dalvikcache_data_file:file write;
+allow dex2oat installd:fd use;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file read;
+allow dex2oat unlabeled:file read;
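Review bot: `allow dex2oat unlabeled:file read;` is an open-ended grant on a type that is otherwise tightly controlled (domain.te forbids confined domains from even creating unlabeled files), and the comment ties it to one upgrade path, forward-locked APKs. Mark it with an exit condition so it does not outlive its purpose: `# TODO: remove once forward-locked APK upgrade is no longer supported.` The file could also note that the dalvikcache write and asec_apk_file read carry no `open`, so dex2oat relies entirely on descriptors passed from installd (`installd:fd use`) — that is a useful property to state explicitly.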
diff --git a/domain.te b/domain.te
index 1a3feb4..015274b 100644
--- a/domain.te
+++ b/domain.te
@@ -158,19 +158,27 @@
allow domain asec_public_file:file r_file_perms;
allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
+allow domain servicemanager:service_manager list;
+auditallow domain servicemanager:service_manager list;
+allow domain service_manager_type:service_manager find;
+auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
+
###
### neverallow rules
###
# Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;
+neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
-# Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
+# Limit device node creation to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+
+# Limit raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow domain self:memprotect mmap_zero;
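Review bot: `allow domain service_manager_type:service_manager find;` grants every domain lookup of every service, and only the paired `auditallow { domain -service_manager_local_audit } ...` turns that into reviewable data; nothing in the hunk says the blanket allow is transitional or what would retire it. A comment such as `# TODO: replace with per-domain find rules once auditallow data has been collected; the exclusion lists behind service_manager_local_audit record each domain's expected set.` keeps the grant from becoming permanent. Separately, the `-tee` added to the new sys_rawio neverallow has no justification, while the mknod/sys_rawio split itself is explained; a short `# tee: <reason>` note would match the rest of the section.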
@@ -243,7 +251,7 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
@@ -257,7 +265,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the /system partition except for a few whitelisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
@@ -268,6 +276,11 @@
-system_server
-zygote
} { file_type -system_file -exec_type }:file execute;
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
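Review bot: `-appdomain # for oemfs` exempts every app domain, including untrusted_app and isolated_app, from the new `{ fs_type -rootfs }:file execute` neverallow, although the comment only justifies executing out of oemfs. If oemfs is declared as an fs_type (its declaration is not in this diff), the exemption can be limited to that one type: `neverallow { domain -recovery } { fs_type -rootfs -oemfs }:file execute;` followed by `neverallow { domain -appdomain -recovery } oemfs:file execute;`, so this rule still bars apps from executing out of fuse, vfat, tmpfs and the other fs_type filesystems.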
@@ -289,3 +302,10 @@
# mount to another type.
neverallow { domain -recovery } contextmount_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
+
+# Do not allow service_manager add for default_android_service.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in service.te and new mappings
+# from service name to service_type are defined in service_contexts.
+neverallow domain default_android_service:service_manager add;
diff --git a/drmserver.te b/drmserver.te
index 1993176..14b2f49 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -46,3 +46,11 @@
allow drmserver radio_data_file:file { read getattr };
allow drmserver drmserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(drmserver)
+auditallow drmserver {
+ service_manager_type
+ -drmserver_service
+ -system_server_service
+}:service_manager find;
diff --git a/dumpstate.te b/dumpstate.te
index 2221222..242cb93 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -92,3 +92,22 @@
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+service_manager_local_audit_domain(dumpstate)
+auditallow dumpstate {
+ service_manager_type
+ -drmserver_service
+ -healthd_service
+ -inputflinger_service
+ -keystore_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -system_app_service
+ -system_server_service
+}:service_manager find;
diff --git a/file.te b/file.te
index 18bafa4..99c3839 100644
--- a/file.te
+++ b/file.te
@@ -28,8 +28,10 @@
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
-type sdcard_internal, sdcard_type, fs_type, mlstrustedobject;
-type sdcard_external, sdcard_type, fs_type, mlstrustedobject;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+typealias fuse alias sdcard_internal;
+typealias vfat alias sdcard_external;
type debugfs, fs_type, mlstrustedobject;
type pstorefs, fs_type;
type functionfs, fs_type;
@@ -78,6 +80,7 @@
type keystore_data_file, file_type, data_file_type;
type media_data_file, file_type, data_file_type;
type media_rw_data_file, file_type, data_file_type;
+type net_data_file, file_type, data_file_type;
type nfc_data_file, file_type, data_file_type;
type radio_data_file, file_type, data_file_type;
type shared_relro_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index 85a1b04..def1e53 100644
--- a/file_contexts
+++ b/file_contexts
@@ -159,6 +159,9 @@
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat u:object_r:dex2oat_exec:s0
+
#############################
# Vendor files
#
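Review bot: The new entry `/system/bin/install-recovery.sh` leaves the `.` unescaped, so as a file_contexts regex it matches any single character there, whereas the rest of this file escapes literal dots (`vmdl.*\.tmp`, `res\.zip`). Write it as `/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0` to keep the label pinned to the exact path and consistent with the file's own style.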
@@ -179,10 +182,10 @@
/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
/data/dalvik-cache/profiles(/.*)? u:object_r:dalvikcache_profiles_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
-/data/app(/.*)? u:object_r:apk_data_file:s0
-/data/app/vmdl.*\.tmp u:object_r:apk_tmp_file:s0
-/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp u:object_r:apk_private_tmp_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app/vmdl.*\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
@@ -200,6 +203,7 @@
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
+/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
@@ -236,7 +240,7 @@
#############################
# asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/res\.zip u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
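Review bot: Changing `/mnt/asec/[^/]+/res\.zip` to `/mnt/asec/[^/]+/[^/]+\.zip` widens the asec_public_file label from one well-known file to every zip in a container root, and asec_public_file is readable by every domain (`allow domain asec_public_file:file r_file_perms;` is visible in the domain.te hunk of this change). If that is intended, a comment naming which zips are expected there (res.zip plus whatever else) makes the broadening reviewable, e.g. `# Any zip in the container root is world-readable (res.zip, ...)`; if only specific names are expected, listing them is safer than `[^/]+`.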
diff --git a/genfs_contexts b/genfs_contexts
index a018833..ab4e045 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -25,9 +25,9 @@
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:sdcard_external:s0
+genfscon vfat / u:object_r:vfat:s0
genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:sdcard_internal:s0
+genfscon fuse / u:object_r:fuse:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
diff --git a/healthd.te b/healthd.te
index 9832ac4..3cb69bf 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,7 +2,6 @@
# it lives in the rootfs and has no unique file type.
type healthd, domain;
-allow healthd rootfs:file { read entrypoint };
write_klog(healthd)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by healthd.
@@ -23,6 +22,12 @@
### healthd: charger mode
###
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
allow healthd graphics_device:dir r_dir_perms;
allow healthd graphics_device:chr_file rw_file_perms;
allow healthd input_device:dir r_dir_perms;
@@ -32,8 +37,13 @@
allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
allow healthd self:capability sys_boot;
+
allow healthd healthd_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(healthd)
+auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
unix_socket_connect(healthd, property, init)
diff --git a/init.te b/init.te
index 191c570..361fb87 100644
--- a/init.te
+++ b/init.te
@@ -60,12 +60,23 @@
allow init proc_security:file rw_file_perms;
# Transitions to seclabel processes in init.rc
-allow init adbd:process transition;
-allow init healthd:process transition;
-allow init recovery:process transition;
-allow init shell:process transition;
-allow init ueventd:process transition;
-allow init watchdogd:process transition;
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, healthd)
+recovery_only(`
+ domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, rootfs, ueventd)
+domain_trans(init, rootfs, watchdogd)
+
+# Certain domains need LD_PRELOAD passed from init.
+# https://android-review.googlesource.com/94851
+# For now, allow it to most domains.
+# TODO: scope this down.
+allow init { domain -lmkd }:process noatsecure;
+
+# Support "adb shell stop"
+allow init domain:process sigkill;
# Init creates keystore's directory on boot, and walks through
# the directory as part of a recursive restorecon.
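Review bot: `allow init { domain -lmkd }:process noatsecure;` lets LD_PRELOAD from init reach every domain except lmkd, and the lmkd exclusion is backed by `neverallow domain lmkd:process noatsecure;` in the lmkd.te hunk of this same change, but neither side references the other. Adding `# lmkd is excluded here and enforced by the neverallow in lmkd.te.` to the TODO block ties the two together, so the next domain that must not honour LD_PRELOAD follows the same pattern (exclude here, neverallow in its own file) instead of only one half of it.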
@@ -92,6 +103,10 @@
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow init kernel:process setsched;
+
###
### neverallow rules
###
diff --git a/inputflinger.te b/inputflinger.te
index 283bbba..4377a10 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -9,3 +9,7 @@
binder_call(inputflinger, system_server)
allow inputflinger inputflinger_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(inputflinger)
+auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
diff --git a/install_recovery.te b/install_recovery.te
new file mode 100644
index 0000000..138134a
--- /dev/null
+++ b/install_recovery.te
@@ -0,0 +1,29 @@
+# service flash_recovery in init.rc
+type install_recovery, domain;
+type install_recovery_exec, exec_type, file_type;
+
+init_daemon_domain(install_recovery)
+
+allow install_recovery self:capability dac_override;
+
+# /system/bin/install-recovery.sh is a shell script.
+# Needs to execute /system/bin/sh
+allow install_recovery shell_exec:file rx_file_perms;
+
+# Execute /system/bin/applypatch
+allow install_recovery system_file:file rx_file_perms;
+
+# Update the recovery block device
+# TODO: Limit this to only recovery block device when we
+# create an appropriate label for it.
+allow install_recovery block_device:dir search;
+allow install_recovery block_device:blk_file rw_file_perms;
+
+# Create and delete /cache/saved.file
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+# TODO: create a specific label for this file instead of allowing
+# write for all /proc files.
+allow install_recovery proc:file w_file_perms;
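Review bot: `allow install_recovery self:capability dac_override;` is the only rule in the new file without a justifying comment, while every other grant (shell_exec, applypatch, block_device, cache_file, drop_caches) explains what it is for and the broad ones carry a TODO. Add at least `# TODO: document which files owned by another UID install-recovery.sh must access`, or drop the capability if the cache_file and block_device rules already cover the script's needs. Note also that `system_file:file rx_file_perms` covers every binary under /system, not just applypatch named in the comment; that is the current labeling reality, but saying so avoids a false sense of scope.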
diff --git a/installd.te b/installd.te
index 5faa1ec..6257ede 100644
--- a/installd.te
+++ b/installd.te
@@ -53,6 +53,12 @@
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# dex2oat needs LD_PRELOAD, passed down from init
+# https://android-review.googlesource.com/94851
+allow installd dex2oat:process noatsecure;
+
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
diff --git a/isolated_app.te b/isolated_app.te
index a156838..5929b25 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,3 +18,12 @@
# Needed to allow dlopen() from Chrome renderer processes.
# See b/15902433 for details.
allow isolated_app app_data_file:file execute;
+
+# Audited locally.
+service_manager_local_audit_domain(isolated_app)
+auditallow isolated_app {
+ service_manager_type
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/kernel.te b/kernel.te
index 422edc9..b8a8cf2 100644
--- a/kernel.te
+++ b/kernel.te
@@ -35,7 +35,7 @@
allow kernel self:security setcheckreqprot;
# MTP sync
-allow kernel sdcard_internal:file { read write };
+allow kernel fuse:file { read write };
###
### neverallow rules
diff --git a/keystore.te b/keystore.te
index afa701c..f2c5039 100644
--- a/keystore.te
+++ b/keystore.te
@@ -28,5 +28,9 @@
allow keystore keystore_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(keystore)
+auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/lmkd.te b/lmkd.te
index 8c2b12c..df8208f 100644
--- a/lmkd.te
+++ b/lmkd.te
@@ -6,6 +6,12 @@
allow lmkd self:capability { dac_override sys_resource kill };
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:capability ipc_lock;
+
## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
r_dir_file(lmkd, appdomain)
@@ -18,3 +24,14 @@
# Send kill signals
allow lmkd appdomain:process sigkill;
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+
+# Set self to SCHED_FIFO
+allow lmkd self:capability sys_nice;
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow domain lmkd:process noatsecure;
diff --git a/mediaserver.te b/mediaserver.te
index 55d1f205..52c593e 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -79,3 +79,13 @@
allow mediaserver tee:unix_stream_socket connectto;
allow mediaserver mediaserver_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(mediaserver)
+auditallow mediaserver {
+ service_manager_type
+ -drmserver_service
+ -mediaserver_service
+ -system_server_service
+ -surfaceflinger_service
+}:service_manager find;
diff --git a/netd.te b/netd.te
index b7c30eb..81275a7 100644
--- a/netd.te
+++ b/netd.te
@@ -46,6 +46,10 @@
allow netd wifi_data_file:file create_file_perms;
allow netd wifi_data_file:dir rw_dir_perms;
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+
# Allow netd to spawn hostapd in it's own domain
domain_auto_trans(netd, hostapd_exec, hostapd)
allow netd hostapd:process signal;
diff --git a/nfc.te b/nfc.te
index 65aaef7..2b851a2 100644
--- a/nfc.te
+++ b/nfc.te
@@ -15,3 +15,12 @@
allow nfc sysfs:file write;
allow nfc nfc_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(nfc)
+auditallow nfc {
+ service_manager_type
+ -mediaserver_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index 0151720..a44e35d 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -13,6 +13,7 @@
allow platform_app shell_data_file:file { open getattr read };
# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
allow platform_app apk_private_data_file:dir search;
# ASEC
@@ -26,3 +27,13 @@
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
+
+# Audited locally.
+service_manager_local_audit_domain(platform_app)
+auditallow platform_app {
+ service_manager_type
+ -mediaserver_service
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/radio.te b/radio.te
index d0018ea..5f45df3 100644
--- a/radio.te
+++ b/radio.te
@@ -28,3 +28,13 @@
allow radio ctl_rildaemon_prop:property_service set;
allow radio radio_service:service_manager add;
+
+# Audited locally.
+service_manager_local_audit_domain(radio)
+auditallow radio {
+ service_manager_type
+ -mediaserver_service
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/recovery.te b/recovery.te
index 9ee3a04..75a024c 100644
--- a/recovery.te
+++ b/recovery.te
@@ -7,9 +7,6 @@
# But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules.
recovery_only(`
- allow recovery rootfs:file { entrypoint execute };
- permissive_or_unconfined(recovery)
-
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy.
@@ -30,6 +27,11 @@
allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:file { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
# 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
@@ -48,8 +50,10 @@
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
- # Access /dev/android_adb.
+ # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow recovery adb_device:chr_file rw_file_perms;
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
# Required to e.g. wipe userdata/cache.
allow recovery device:dir r_dir_perms;
@@ -83,6 +87,11 @@
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
wakelock_use(recovery)
# This line seems suspect, as it should not really need to
diff --git a/seapp_contexts b/seapp_contexts
index 57b443f..26d0c8f 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -1,4 +1,4 @@
-# Input selectors:
+# Input selectors:
# isSystemServer (boolean)
# user (string)
# seinfo (string)
@@ -13,11 +13,12 @@
# user=_isolated will match any isolated service UID.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
+#
# Precedence rules:
# (1) isSystemServer=true before isSystemServer=false.
# (2) Specified user= string before unspecified user= string.
# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
+# (4) Longer user= prefix before shorter user= prefix.
# (5) Specified seinfo= string before unspecified seinfo= string.
# (6) Specified name= string before unspecified name= string.
# (7) Specified path= string before unspecified path= string.
@@ -32,7 +33,7 @@
# Only entries that specify type= will be used for app directory labeling.
# levelFrom=user is only supported for _app or _isolated UIDs.
# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
+# level may be used to specify a fixed level for any UID.
#
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
diff --git a/service_contexts b/service_contexts
index 0f4212b..e96178b 100644
--- a/service_contexts
+++ b/service_contexts
@@ -16,6 +16,7 @@
bluetooth u:object_r:bluetooth_service:s0
clipboard u:object_r:system_server_service:s0
com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
+com.android.net.IProxyService u:object_r:system_server_service:s0
commontime_management u:object_r:system_server_service:s0
common_time.clock u:object_r:mediaserver_service:s0
common_time.config u:object_r:mediaserver_service:s0
@@ -61,6 +62,7 @@
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:mediaserver_service:s0
+media_projection u:object_r:system_server_service:s0
media_router u:object_r:system_server_service:s0
media_session u:object_r:system_server_service:s0
meminfo u:object_r:system_server_service:s0
@@ -73,6 +75,7 @@
notification u:object_r:system_server_service:s0
package u:object_r:system_server_service:s0
permission u:object_r:system_server_service:s0
+persistent_data_block u:object_r:system_server_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
@@ -110,6 +113,7 @@
vibrator u:object_r:system_server_service:s0
voiceinteraction u:object_r:system_server_service:s0
wallpaper u:object_r:system_server_service:s0
+webviewupdate u:object_r:system_server_service:s0
wifip2p u:object_r:system_server_service:s0
wifiscanner u:object_r:system_server_service:s0
wifi u:object_r:system_server_service:s0
diff --git a/servicemanager.te b/servicemanager.te
index f3dbca8..a928916 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -13,9 +13,5 @@
allow servicemanager self:binder set_context_mgr;
allow servicemanager domain:binder transfer;
-# Get contexts of binder services that call servicemanager.
-allow servicemanager binderservicedomain:dir search;
-allow servicemanager binderservicedomain:file { read open };
-allow servicemanager binderservicedomain:process getattr;
# Check SELinux permissions.
selinux_check_access(servicemanager)
diff --git a/su.te b/su.te
index 8615148..73ca514 100644
--- a/su.te
+++ b/su.te
@@ -12,20 +12,12 @@
# additional information.
domain_auto_trans(dumpstate, su_exec, su)
- # su is unconfined.
- unconfined_domain(su)
-
- allow su ashmem_device:chr_file execute;
- allow su self:process execmem;
- tmpfs_domain(su)
- allow su su_tmpfs:file execute;
- allow su debuggerd_prop:property_service set;
-
# su is also permissive to permit setenforce.
permissive su;
- # Make su a net domain.
+ # Add su to various domains
net_domain(su)
+ app_domain(su)
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
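Review bot: The retained comment `# su is also permissive to permit setenforce.` now reads oddly, because the `# su is unconfined.` line it was contrasting with is deleted in this hunk; change it to `# su is permissive to permit setenforce (it is no longer unconfined).` The same comment should note that `app_domain(su)` puts su into the appdomain attribute, so every neverallow written against appdomain now constrains su at policy build time unless su is excluded there — those rules are not visible from here, so that is a build-time check to confirm. Since the domain stays permissive, the two dontaudit lines below are what keep the log quiet, not the allow rules this hunk removes.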
diff --git a/surfaceflinger.te b/surfaceflinger.te
index c508612..ff91993 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -59,6 +59,14 @@
allow surfaceflinger surfaceflinger_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(surfaceflinger)
+auditallow surfaceflinger {
+ service_manager_type
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
+
###
### Neverallow rules
###
diff --git a/system_app.te b/system_app.te
index bada905..5a5888f 100644
--- a/system_app.te
+++ b/system_app.te
@@ -63,21 +63,15 @@
clear_uid
};
-auditallow system_app keystore:keystore_key {
- test
- get
- insert
- delete
- exist
- reset
- password
- lock
- unlock
- sign
- verify
- grant
- duplicate
- clear_uid
-};
-
control_logd(system_app)
+
+# Audited locally.
+service_manager_local_audit_domain(system_app)
+auditallow system_app {
+ service_manager_type
+ -keystore_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
diff --git a/system_server.te b/system_server.te
index ae7ed57..9d973db 100644
--- a/system_server.te
+++ b/system_server.te
@@ -14,6 +14,7 @@
# For art.
allow system_server dalvikcache_data_file:file execute;
+allow system_server dex2oat_exec:file rx_file_perms;
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
@@ -171,11 +172,13 @@
# Manage /data/app.
allow system_server apk_data_file:dir create_dir_perms;
allow system_server apk_data_file:file create_file_perms;
+allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
allow system_server apk_private_tmp_file:file create_file_perms;
# Manage files within asec containers.
@@ -252,8 +255,8 @@
security_access_policy(system_server)
# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
@@ -359,6 +362,9 @@
allow system_server system_server_service:service_manager add;
+# Audited locally.
+service_manager_local_audit_domain(system_server)
+
allow system_server keystore:keystore_key {
test
get
@@ -378,20 +384,16 @@
clear_uid
};
-auditallow system_server keystore:keystore_key {
- test
- get
- insert
- delete
- saw
- lock
- unlock
- sign
- verify
- grant
- duplicate
- clear_uid
-};
+# Allow system server to search and write to the persistent data block device
+# This block device does not get wiped in a factory reset.
+allow system_server persistent_data_block_device:blk_file rw_file_perms;
+allow system_server block_device:dir search;
+
+# Clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+
+# /oem access
+allow system_server oemfs:dir search;
###
### Neverallow rules
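Review bot: The new `allow system_server persistent_data_block_device:blk_file rw_file_perms;` grants raw read/write on a block device that, per its own comment, survives a factory reset, and nothing in this hunk keeps any other domain off it. The file's Neverallow section begins immediately after, so a guard fits naturally there, e.g. `neverallow { domain -system_server } persistent_data_block_device:blk_file { read write };`, adding exclusions only for domains that demonstrably need the device (I can't see any from here). The comment should also say which consumer the grant is for — the `persistent_data_block` entry added to service_contexts in this same change is presumably it — so the raw device access stays traceable to a service.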
@@ -400,4 +402,4 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the system_server.
-# neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server sdcard_type:file rw_file_perms;
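Review bot: The re-enabled `neverallow system_server sdcard_type:file rw_file_perms;` only guards against the hazard the comment describes if every type the SD card can be mounted with carries the sdcard_type attribute; the recovery.te hunk in this same change grants SD card access on the `fuse` type, so confirm fuse is in sdcard_type, otherwise the rule is silently vacuous for the fuse mount. It also covers only the file class; if the intent is to keep system_server off the card entirely, a companion such as `neverallow system_server sdcard_type:dir create_dir_perms;` closes the directory side. A short comment on why the rule had been commented out, if known, would help whoever next hits a denial here.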
diff --git a/te_macros b/te_macros
index 4199d6e..b2913f3 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,7 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
+service_manager_local_audit_domain($1)
')
#####################################
@@ -149,6 +150,10 @@
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
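Review bot: The three new rules inside binder_use() name servicemanager as the subject even though the macro is invoked by and documented for the client `$1`, which is easy to miss when reading a .te file that merely calls binder_use(foo); make the comment explicit, e.g. `# Grant servicemanager read of /proc/<pid> for $1 so getpidcon() on $1 succeeds (reads /proc/<pid>/attr/current).` Because the equivalent rules against binderservicedomain are deleted from servicemanager.te in this change, any domain that is a binderservicedomain but never calls binder_use() would lose getpidcon coverage — I can't tell from here whether such a domain exists, so it is worth a build-time check. The dir search plus file read/open on the client's domain type are exactly what the /proc/<pid> read needs, so the permission set itself looks right.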
@@ -354,3 +359,11 @@
allow keystore $1:process getattr;
binder_call($1, keystore)
')
+
+###########################################
+# service_manager_local_audit_domain(domain)
+# Has its own auditallow rule on service_manager
+# and should be excluded from the domain.te auditallow.
+define(`service_manager_local_audit_domain', `
+ typeattribute $1 service_manager_local_audit;
+')
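Review bot: The new macro does `typeattribute $1 service_manager_local_audit;` but nothing in this hunk declares that attribute; if it is not declared in the attributes file (not visible here) the policy will not build, so the header comment should point at where it is declared. The comment also refers to a domain.te auditallow that this attribute is excluded from; describing that rule's shape in the comment (something like an auditallow on `{ domain -service_manager_local_audit }` for `service_manager find`) would let a reader verify the pairing without opening the other file.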
diff --git a/ueventd.te b/ueventd.te
index 25460de..2e61e88 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -4,13 +4,13 @@
tmpfs_domain(ueventd)
write_klog(ueventd)
security_access_policy(ueventd)
-allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
allow ueventd sysfs:file rw_file_perms;
-allow ueventd sysfs_type:file { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms };
allow ueventd sysfs_devices_system_cpu:file rw_file_perms;
allow ueventd tmpfs:chr_file rw_file_perms;
allow ueventd dev_type:dir create_dir_perms;
diff --git a/unconfined.te b/unconfined.te
index 6b64fb9..a76c3d8 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,27 +20,6 @@
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- noatsecure
- siginh
- setrlimit
- rlimitinh
-};
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 50a02da..c97b451 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,6 +64,19 @@
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
+# Audited locally.
+service_manager_local_audit_domain(untrusted_app)
+auditallow untrusted_app {
+ service_manager_type
+ -drmserver_service
+ -keystore_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -system_server_service
+}:service_manager find;
+
###
### neverallow rules
###
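Review bot: The explicit `service_manager_local_audit_domain(untrusted_app)` here is redundant if untrusted_app is an app_domain, because this same change adds that call inside the app_domain() macro in te_macros; the duplicate typeattribute is harmless, but one of the two should go or a comment should say why both exist. The exclusion list on the auditallow is the security-relevant part — it is the set of services untrusted apps are expected to find — so a one-line comment such as `# Services untrusted apps legitimately find; finds of anything else are audited so they can be locked down.` would explain why these seven types and no others. Whether untrusted_app is actually an app_domain is not visible in this hunk.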
@@ -71,3 +84,14 @@
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow untrusted_app debugfs:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow untrusted_app service_manager_type:service_manager add;
+
+# Do not allow untrusted_apps to connect to the property service
+# or set properties. b/10243159
+neverallow untrusted_app property_socket:sock_file write;
+neverallow untrusted_app init:unix_stream_socket connectto;
+neverallow untrusted_app property_type:property_service set;
diff --git a/watchdogd.te b/watchdogd.te
index be193ea..ab93560 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,6 +1,5 @@
# watchdogd seclabel is specified in init.<board>.rc
type watchdogd, domain;
-allow watchdogd rootfs:file { entrypoint r_file_perms };
allow watchdogd self:capability mknod;
allow watchdogd device:dir { add_name write remove_name };
allow watchdogd watchdog_device:chr_file rw_file_perms;
diff --git a/zygote.te b/zygote.te
index c2a325e..c2a2395 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin;