Stephen Smalley committed bb4d00f Merge

Merge branch 'seandroid' into seandroid-4.4


Files changed (16)

 sepolicy_policy.conf := $(intermediates)/policy.conf
 $(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
 $(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes bools *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
+$(sepolicy_policy.conf) : $(call build_policy, security_classes initial_sids access_vectors global_macros mls_macros mls policy_capabilities te_macros attributes *.te roles users initial_sid_contexts fs_use genfs_contexts port_contexts)
 	@mkdir -p $(dir $@)
 	$(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
 		-D target_build_variant=$(TARGET_BUILD_VARIANT) \
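Review bot: Dropping `bools` from the build_policy input list on the changed rule header presumably leaves policy.conf without any boolean declarations, so every remaining `if (...) {` conditional in the .te sources has to go together with its closing `}`; the bluetooth.te and mediaserver.te hunks on this page remove the opening lines, but the matching closing braces fall outside the visible hunks and should be checked before the merge. The m4 recipe continues past the end of the hunk. A short comment above the rule would record that the omission is deliberate, e.g. `# policy.conf inputs; bools is intentionally absent (no conditional policy).`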
 # child shell or gdbserver pty access for runas.
 allow appdomain devpts:chr_file { getattr read write ioctl };
-# Communicate with system_server.
+# Use pipes and sockets provided by system_server via binder or local socket.
 allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt };
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow appdomain media_rw_data_file:file { read getattr };
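Review bot: The new media_rw_data_file rule on the last added line grants only { read getattr } and no open, which is exactly what confines it to descriptors received over IPC, but the comment above it does not say so, and since the rule moved here from bluetooth.te it now applies to every app domain. Suggest making the intent explicit: `# Allow read/stat of /data/media files passed by Binder or local socket IPC (no open: apps cannot open these files themselves).` The same holds for the added system_server:tcp_socket line, whose permission set omits connect and bind; a matching note there would keep a later edit from widening it beyond already-established sockets.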
 # Allow apps to use the USB Accessory interface.
 r_dir_file(bluetooth, bluetooth_efs_file)
 # Device accesses.
-if (!disableBluetooth) {
 allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms;
 # Other domains that can create and use bluetooth sockets.
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 # Allow clients to use a socket provided by the bluetooth app.
 # TODO:  See if this is still required under bluedroid.
-allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt getattr read write shutdown };
 # tethering
 allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth sdcard_internal:dir create_dir_perms;
 allow bluetooth sdcard_internal:file create_file_perms;
-# Allow reading of media_rw_data_file file descriptors
-# passed to bluetooth
-allow bluetooth media_rw_data_file:file { read getattr };
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;


-bool disableAudioCapture false;
-bool disableAudio false;
-bool disableBluetooth false;
-bool disableCamera false;
 type adb_device, dev_type;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
-type audio_capture_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type block_device, dev_type;
 type camera_device, dev_type;
 allow dhcp netd:fifo_file rw_file_perms;
 allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
 allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
-# netdev-bt-pan driver loading
-allow dhcp kernel:system module_request;
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+  binder_call(domain, su)
   # Running something like "pm dump" requires
   # fifo writes
   allow domain su:fifo_file { write getattr };
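Review bot: `binder_call(domain, su)` is added inside an indented block whose opening line lies outside the hunk, so it is not visible here whether it sits under the same build-variant guard as the neighbouring su rules; since it lets every domain make binder calls to su, that guard is presumably what keeps it out of production builds and should be confirmed. The added line also carries no comment while its neighbours do; something like `# Binder calls from any domain to services hosted under su (debugging only).` would document the purpose, with the "debugging only" part adjusted to whatever the enclosing guard actually is.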
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type proc_net, fs_type;
+type proc_sysrq, fs_type;
 type selinuxfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type sysfs, fs_type, mlstrustedobject;
 type logdw_socket, file_type;
 type mdns_socket, file_type;
 type mdnsd_socket, file_type;
+type mtpd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
 type racoon_socket, file_type;
 /dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
 /dev/rproc_user	u:object_r:rpmsg_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
-/dev/snd/pcmC[0-9]*D[0-9]*c u:object_r:audio_capture_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/logdw	u:object_r:logdw_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd	u:object_r:mtpd_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net u:object_r:proc_net:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
 genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
 genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 ## Writes to /sys/module/lowmemorykiller/parameters/minfree
 allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+# Send kill signals
+allow lmkd appdomain:process sigkill;
 # mdns daemon
 type mdnsd, domain;
 type mdnsd_exec, exec_type, file_type;
 allow mediaserver audio_prop:property_service set;
 # Access audio devices at all.
-if (!disableAudio) {
 allow mediaserver audio_device:chr_file rw_file_perms;
-# Access audio capture devices.
-if (!disableAudio && !disableAudioCapture) {
-allow mediaserver audio_capture_device:chr_file rw_file_perms;
 # XXX Label with a specific type?
 allow mediaserver sysfs:file rw_file_perms;
 allow mediaserver apk_data_file:file { read getattr };
 # Access camera device.
-if (!disableCamera) {
 allow mediaserver camera_device:chr_file rw_file_perms;
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
 # Inter System processes communicate over named pipe (FIFO)
 allow mediaserver system_server:fifo_file r_file_perms;
 # XXX Split into its own type.
 allow netd sysfs:file write;
-# Network driver loading.
-allow netd kernel:system module_request;
 # Set dhcp lease for PAN connection
 unix_socket_connect(netd, property, init)
 allow netd system_prop:property_service set;
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
-user=_app domain=untrusted_app type=app_data_file levelFrom=app
+user=_app domain=untrusted_app type=app_data_file
 user=_app seinfo=platform domain=platform_app type=platform_app_data_file
 user=_app seinfo=shared domain=shared_app type=platform_app_data_file
 user=_app seinfo=media domain=media_app type=platform_app_data_file
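Review bot: Removing `levelFrom=app` from the untrusted_app entry means third-party apps are no longer assigned per-app MLS categories, so the MLS separation between the data of different untrusted apps is given up, yet nothing on the page records why. seapp_contexts accepts `#` comment lines, so a one-line rationale above the entry, e.g. `# levelFrom=app intentionally omitted for untrusted_app: per-app MLS categories are not used here.`, would stop the next maintainer from reintroducing it by accident or from assuming the isolation still exists. If the removal is temporary, a TODO naming the blocking issue is better than the bare entry.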
 # For art.
 allow system_server dalvikcache_data_file:file execute;
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
 # Child of the zygote.
 allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
 # Needed to close the zygote socket, which involves getopt / getattr
 allow system_server zygote:unix_stream_socket { getopt getattr };
 # Use netlink uevent sockets.
 allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms;
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
 # Read /sys/kernel/debug/wakeup_sources.
 allow system_server debugfs:file r_file_perms;
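Review bot: `allow system_server proc_sysrq:file rw_file_perms;` grants read as well as write on /proc/sysrq-trigger, but the comment states the purpose is writing to it and the file is write-only, so `w_file_perms` is the least-privilege choice; the lmkd rule on this page uses `w_file_perms` for its sysfs write in the same way. Proposed line: `allow system_server proc_sysrq:file w_file_perms;`. Because a write to this file triggers kernel SysRq actions, keeping the permission minimal and the type dedicated (as the genfs_contexts hunk does) is worth the extra care.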
 unix_socket_connect(system_server, property, init)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, netd, netd)
 unix_socket_connect(system_server, vold, vold)
 unix_socket_connect(system_server, zygote, zygote)
 allow system_server appdomain:process getattr;
 allow system_server mediaserver:process getattr;
+# Use sockets received over binder from various services.
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
 # Check SELinux permissions.
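Review bot: The two new rules `allow system_server mediaserver:tcp_socket rw_socket_perms;` and `allow system_server mediaserver:udp_socket rw_socket_perms;` use a macro that, if it expands as in global_macros, also carries bind and connect, while the comment says the sockets are only used after being received over binder; the appdomain rule later in this file enumerates `{ getattr getopt setopt read write shutdown }` for the same purpose. Using that explicit set here would match both the comment and the sibling rule and avoids letting system_server rebind or reconnect mediaserver's sockets. If bind or connect are genuinely needed, the comment should say why.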
 allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 # Relabel wallpaper.
 allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file rw_file_perms;
+allow system_server wallpaper_file:file { rw_file_perms unlink };
 # Relabel /data/anr.
 allow system_server system_data_file:dir relabelfrom;
 allow system_server gps_device:chr_file rw_file_perms;
 allow system_server gps_control:file rw_file_perms;
-# Allow system_server to use app-created sockets.
-allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:fifo_file { getattr read write };
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
-# connect to vpn tunnel
-allow system_server mtp:unix_stream_socket { connectto };
 # BackupManagerService lets PMS create a data backup file
 allow system_server cache_backup_file:file create_file_perms;
 # Relabel /data/backup
 # /sys/module/lowmemorykiller/parameters/adj
 # /sys/module/lowmemorykiller/parameters/minfree
 allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+### Neverallow rules
+### system_server should NEVER do any of this
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the system_server.
+# neverallow system_server sdcard_type:file rw_file_perms;