diff options
author | Nick Kralevich <nnk@google.com> | 2016-03-29 15:37:20 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2016-03-29 15:37:20 -0700 |
commit | c81ebe522c66dd6e6ef4419ecc7737e2e1740d59 (patch) | |
tree | 4174530cbf7f483e0ebdcfca48beef00f2d5e63c | |
parent | 6937aa93ac0a36f19cb13b81a282dedcad324be5 (diff) | |
download | sepolicy-main.tar.gz |
These files have been moved to system/sepolicy.
Bug: 27875478
Change-Id: I057784af0e9f6e43cd9a22ffce26fd63acccf98b
138 files changed, 1 insertions, 13256 deletions
diff --git a/Android.mk b/Android.mk deleted file mode 100644 index a382734..0000000 --- a/Android.mk +++ /dev/null @@ -1,503 +0,0 @@ -LOCAL_PATH:= $(call my-dir) - -include $(CLEAR_VARS) - -# SELinux policy version. -# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel. -# Must be within the compatibility range reported by checkpolicy -V. -POLICYVERS ?= 29 - -MLS_SENS=1 -MLS_CATS=1024 - -ifdef BOARD_SEPOLICY_REPLACE -$(error BOARD_SEPOLICY_REPLACE is no longer supported; please remove from your BoardConfig.mk or other .mk file.) -endif - -ifdef BOARD_SEPOLICY_IGNORE -$(error BOARD_SEPOLICY_IGNORE is no longer supported; please remove from your BoardConfig.mk or other .mk file.) -endif - -ifdef BOARD_SEPOLICY_UNION -$(warning BOARD_SEPOLICY_UNION is no longer required - all files found in BOARD_SEPOLICY_DIRS are implicitly unioned; please remove from your BoardConfig.mk or other .mk file.) -endif - -ifdef BOARD_SEPOLICY_M4DEFS -LOCAL_ADDITIONAL_M4DEFS := $(addprefix -D, $(BOARD_SEPOLICY_M4DEFS)) -endif - -# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS and the LOCAL_PATH. -# $(1): the set of policy name paths to build -build_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(LOCAL_PATH) $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file))))) - -# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS. -# $(1): the set of policy name paths to build -build_device_policy = $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(BOARD_SEPOLICY_DIRS)), $(sort $(wildcard $(file))))) - -# Add a file containing only a newline in-between each policy configuration -# 'contexts' file. This will allow OEM policy configuration files without a -# final newline (0x0A) to be built correctly by the m4(1) macro processor. -# $(1): the set of contexts file names. -# $(2): the file containing only 0x0A. -add_nl = $(foreach entry, $(1), $(subst $(entry), $(entry) $(2), $(entry))) - -sepolicy_build_files := security_classes \ - initial_sids \ - access_vectors \ - global_macros \ - neverallow_macros \ - mls_macros \ - mls \ - policy_capabilities \ - te_macros \ - attributes \ - ioctl_macros \ - *.te \ - roles \ - users \ - initial_sid_contexts \ - fs_use \ - genfs_contexts \ - port_contexts - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := sectxfile_nl -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional - -# Create a file containing newline only to add between context config files -include $(BUILD_SYSTEM)/base_rules.mk -$(LOCAL_BUILT_MODULE): - @mkdir -p $(dir $@) - $(hide) echo > $@ - -built_nl := $(LOCAL_BUILT_MODULE) - -################################# -include $(CLEAR_VARS) - -LOCAL_MODULE := sepolicy -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk - -sepolicy_policy.conf := $(intermediates)/policy.conf -$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files)) - @mkdir -p $(dir $@) - $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \ - -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ - -D target_build_variant=$(TARGET_BUILD_VARIANT) \ - -s $^ > $@ - $(hide) sed '/dontaudit/d' $@ > $@.dontaudit - -$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< > /dev/null - $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit > /dev/null - $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains - $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ - echo "==========" 1>&2; \ - echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ - echo "List of invalid domains:" 1>&2; \ - cat $@.permissivedomains 1>&2; \ - exit 1; \ - fi - $(hide) mv $@.tmp $@ - -built_sepolicy := $(LOCAL_BUILT_MODULE) -sepolicy_policy.conf := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := sepolicy.recovery -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := eng - -include $(BUILD_SYSTEM)/base_rules.mk - -sepolicy_policy_recovery.conf := $(intermediates)/policy_recovery.conf -$(sepolicy_policy_recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS) -$(sepolicy_policy_recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS) -$(sepolicy_policy_recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(sepolicy_policy_recovery.conf): $(call build_policy, $(sepolicy_build_files)) - @mkdir -p $(dir $@) - $(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \ - -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ - -D target_build_variant=$(TARGET_BUILD_VARIANT) \ - -D target_recovery=true \ - -s $^ > $@ - -$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< > /dev/null - $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains - $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \ - echo "==========" 1>&2; \ - echo "ERROR: permissive domains not allowed in user builds" 1>&2; \ - echo "List of invalid domains:" 1>&2; \ - cat $@.permissivedomains 1>&2; \ - exit 1; \ - fi - $(hide) mv $@.tmp $@ - -built_sepolicy_recovery := $(LOCAL_BUILT_MODULE) -sepolicy_policy_recovery.conf := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := general_sepolicy.conf -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -exp_sepolicy_build_files :=\ - $(foreach file, $(addprefix $(LOCAL_PATH)/, $(sepolicy_build_files)), $(sort $(wildcard $(file)))) - -$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS) -$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS) -$(LOCAL_BUILT_MODULE): $(exp_sepolicy_build_files) - mkdir -p $(dir $@) - $(hide) m4 -D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \ - -D target_build_variant=user \ - -s $^ > $@ - $(hide) sed '/dontaudit/d' $@ > $@.dontaudit - -built_general_sepolicy.conf := $(LOCAL_BUILT_MODULE) -exp_sepolicy_build_files := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := sepolicy.general -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf) -$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null - -built_general_sepolicy := $(LOCAL_BUILT_MODULE) -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := file_contexts.bin -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk - -# The file_contexts.bin is built in the following way: -# 1. Collect all file_contexts files in THIS repository and process them with -# m4 into a tmp file called file_contexts.local.tmp. -# 2. Collect all device specific file_contexts files and process them with m4 -# into a tmp file called file_contexts.device.tmp. -# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on -# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp. -# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into -# file_contexts.concat.tmp. -# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce -# file_contexts.bin. -# -# Note: That a newline file is placed between each file_context file found to -# ensure a proper build when an fc file is missing an ending newline. - -local_fc_files := $(LOCAL_PATH)/file_contexts -ifneq ($(filter address,$(SANITIZE_TARGET)),) - local_fc_files := $(local_fc_files) $(LOCAL_PATH)/file_contexts_asan -endif -local_fcfiles_with_nl := $(call add_nl, $(local_fc_files), $(built_nl)) - -file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp -$(file_contexts.local.tmp): $(local_fcfiles_with_nl) - @mkdir -p $(dir $@) - $(hide) m4 -s $^ > $@ - -device_fc_files := $(call build_device_policy, file_contexts) -device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl)) - -file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp -$(file_contexts.device.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(file_contexts.device.tmp): $(device_fcfiles_with_nl) - @mkdir -p $(dir $@) - $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ - -file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp -$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy) -$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $< - $(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@ - -file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp -$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) - @mkdir -p $(dir $@) - $(hide) m4 -s $^ > $@ - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) -$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< - $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< - -built_fc := $(LOCAL_BUILT_MODULE) -local_fc_files := -local_fcfiles_with_nl := -device_fc_files := -device_fcfiles_with_nl := -file_contexts.concat.tmp := -file_contexts.device.sorted.tmp := -file_contexts.device.tmp := -file_contexts.local.tmp := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := general_file_contexts.bin -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -general_file_contexts.tmp := $(intermediates)/general_file_contexts.tmp -$(general_file_contexts.tmp): $(addprefix $(LOCAL_PATH)/, file_contexts) - @mkdir -p $(dir $@) - $(hide) m4 -s $< > $@ - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy) -$(LOCAL_BUILT_MODULE): $(general_file_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc $(PRIVATE_SEPOLICY) $< - $(hide) $(HOST_OUT_EXECUTABLES)/sefcontext_compile -o $@ $< - -general_file_contexts.tmp := - -################################## -include $(CLEAR_VARS) -LOCAL_MODULE := seapp_contexts -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk - -all_sc_files := $(call build_policy, seapp_contexts) - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) -$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(all_sc_files) -$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) - -built_sc := $(LOCAL_BUILT_MODULE) -all_sc_files := - -################################## -include $(CLEAR_VARS) -LOCAL_MODULE := general_seapp_contexts -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -all_sc_files := $(addprefix $(LOCAL_PATH)/, seapp_contexts) - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy) -$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILE := $(all_sc_files) -$(LOCAL_BUILT_MODULE): $(built_general_sepolicy) $(all_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILE) - -all_sc_files := - -################################## -include $(CLEAR_VARS) -LOCAL_MODULE := general_seapp_neverallows -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -$(LOCAL_BUILT_MODULE): $(addprefix $(LOCAL_PATH)/, seapp_contexts) - @mkdir -p $(dir $@) - - $(hide) grep -ie '^neverallow' $< > $@ - - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := property_contexts -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk - -all_pc_files := $(call build_policy, property_contexts) -all_pcfiles_with_nl := $(call add_nl, $(all_pc_files), $(built_nl)) - -property_contexts.tmp := $(intermediates)/property_contexts.tmp -$(property_contexts.tmp): PRIVATE_PC_FILES := $(all_pcfiles_with_nl) -$(property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(property_contexts.tmp): $(all_pcfiles_with_nl) - @mkdir -p $(dir $@) - $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@ - - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) -$(LOCAL_BUILT_MODULE): $(property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) - @mkdir -p $(dir $@) - $(hide) $(ACP) $< $@ - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $< - -built_pc := $(LOCAL_BUILT_MODULE) -all_pc_files := -all_pcfiles_with_nl := -property_contexts.tmp := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := general_property_contexts -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -general_property_contexts.tmp := $(intermediates)/general_property_contexts.tmp -$(general_property_contexts.tmp): $(addprefix $(LOCAL_PATH)/, property_contexts) - @mkdir -p $(dir $@) - $(hide) m4 -s $< > $@ - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy) -$(LOCAL_BUILT_MODULE): $(general_property_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) - @mkdir -p $(dir $@) - $(hide) $(ACP) $< $@ - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $< - -general_property_contexts.tmp := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := service_contexts -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk - -all_svc_files := $(call build_policy, service_contexts) -all_svcfiles_with_nl := $(call add_nl, $(all_svc_files), $(built_nl)) - -service_contexts.tmp := $(intermediates)/service_contexts.tmp -$(service_contexts.tmp): PRIVATE_SVC_FILES := $(all_svcfiles_with_nl) -$(service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(service_contexts.tmp): $(all_svcfiles_with_nl) - @mkdir -p $(dir $@) - $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@ - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) -$(LOCAL_BUILT_MODULE): $(service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $< - $(hide) $(ACP) $< $@ - -built_svc := $(LOCAL_BUILT_MODULE) -all_svc_files := -all_svcfiles_with_nl := -service_contexts.tmp := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := general_service_contexts -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := tests - -include $(BUILD_SYSTEM)/base_rules.mk - -general_service_contexts.tmp := $(intermediates)/general_service_contexts.tmp -$(general_service_contexts.tmp): $(addprefix $(LOCAL_PATH)/, service_contexts) - @mkdir -p $(dir $@) - $(hide) m4 -s $< > $@ - -$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_general_sepolicy) -$(LOCAL_BUILT_MODULE): $(general_service_contexts.tmp) $(built_general_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP) - @mkdir -p $(dir $@) - $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $< - $(hide) $(ACP) $< $@ - -general_service_contexts.tmp := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := mac_permissions.xml -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security - -include $(BUILD_SYSTEM)/base_rules.mk - -# Build keys.conf -mac_perms_keys.tmp := $(intermediates)/keys.tmp -$(mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) -$(mac_perms_keys.tmp): $(call build_policy, keys.conf) - @mkdir -p $(dir $@) - $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@ - -all_mac_perms_files := $(call build_policy, $(LOCAL_MODULE)) - -$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_mac_perms_files) -$(LOCAL_BUILT_MODULE): $(mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py $(all_mac_perms_files) - @mkdir -p $(dir $@) - $(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \ - $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES) - -mac_perms_keys.tmp := -all_mac_perms_files := - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := selinux_version -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_TAGS := optional -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -include $(BUILD_SYSTEM)/base_rules.mk -$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc) - @mkdir -p $(dir $@) - $(hide) echo -n $(BUILD_FINGERPRINT_FROM_FILE) > $@ - -################################## - -build_policy := -build_device_policy := -sepolicy_build_files := -built_sepolicy := -built_sepolicy_recovery := -built_sc := -built_fc := -built_pc := -built_svc := -built_general_sepolicy := -built_general_sepolicy.conf := -built_nl := -add_nl := - -include $(call all-makefiles-under,$(LOCAL_PATH)) diff --git a/CleanSpec.mk b/CleanSpec.mk deleted file mode 100644 index f141e34..0000000 --- a/CleanSpec.mk +++ /dev/null @@ -1,52 +0,0 @@ -# Copyright (C) 2015 The Android Open Source Project -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# If you don't need to do a full clean build but would like to touch -# a file or delete some intermediate files, add a clean step to the end -# of the list. These steps will only be run once, if they haven't been -# run before. -# -# E.g.: -# $(call add-clean-step, touch -c external/sqlite/sqlite3.h) -# $(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/STATIC_LIBRARIES/libz_intermediates) -# -# Always use "touch -c" and "rm -f" or "rm -rf" to gracefully deal with -# files that are missing or have been moved. -# -# Use $(PRODUCT_OUT) to get to the "out/target/product/blah/" directory. -# Use $(OUT_DIR) to refer to the "out" directory. -# -# If you need to re-do something that's already mentioned, just copy -# the command and add it to the bottom of the list. E.g., if a change -# that you made last week required touching a file and a change you -# made today requires touching the same file, just copy the old -# touch step and add it to the end of the list. -# -# ************************************************ -# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST -# ************************************************ - -# For example: -#$(call add-clean-step, rm -rf $(OUT_DIR)/target/common/obj/APPS/AndroidTests_intermediates) -#$(call add-clean-step, rm -rf $(OUT_DIR)/target/common/obj/JAVA_LIBRARIES/core_intermediates) -#$(call add-clean-step, find $(OUT_DIR) -type f -name "IGTalkSession*" -print0 | xargs -0 rm -f) -#$(call add-clean-step, rm -rf $(PRODUCT_OUT)/data/*) - -# ************************************************ -# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST -# ************************************************ - -$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/file_contexts) -$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/file_contexts) @@ -1,103 +1 @@ -This directory contains the core Android SELinux policy configuration. -It defines the domains and types for the AOSP services and apps common to -all devices. Device-specific policy should be placed under a -separate device/<vendor>/<board>/sepolicy subdirectory and linked -into the policy build as described below. - -Policy Generation: - -Additional, per device, policy files can be added into the -policy build. These files should have each line including the -final line terminated by a newline character (0x0A). This -will allow files to be concatenated and processed whenever -the m4(1) macro processor is called by the build process. -Adding the newline will also make the intermediate text files -easier to read when debugging build failures. The sets of file, -service and property contexts files will automatically have a -newline inserted between each file as these are common failure -points. - -These device policy files can be configured through the use of -the BOARD_SEPOLICY_DIRS variable. This variable should be set -in the BoardConfig.mk file in the device or vendor directories. - -BOARD_SEPOLICY_DIRS contains a list of directories to search -for additional policy files. Order matters in this list. -For example, if you have 2 instances of widget.te files in the -BOARD_SEPOLICY_DIRS search path, then the first one found (at the -first search dir containing the file) will be concatenated first. -Reviewing out/target/product/<device>/etc/sepolicy_intermediates/policy.conf -will help sort out ordering issues. - -Example BoardConfig.mk Usage: -From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk - -BOARD_SEPOLICY_DIRS += device/samsung/tuna/sepolicy - -Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4 -definitions during the build. A definition consists of a string in the form -of macro-name=value. Spaces must NOT be present. This is useful for building modular -policies, policy generation, conditional file paths, etc. It is supported in -the following file types: - * All *.te and SE Linux policy files as passed to checkpolicy - * file_contexts - * service_contexts - * property_contexts - * keys.conf - -Example BoardConfig.mk Usage: -BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \ - btdevice=/dev/gps - -SPECIFIC POLICY FILE INFORMATION - -mac_permissions.xml: - ABOUT: - The mac_permissions.xml file is used for controlling the mmac solutions - as well as mapping a public base16 signing key with an arbitrary seinfo - string. Details of the files contents can be found in a comment at the - top of that file. The seinfo string, previously mentioned, is the same string - that is referenced in seapp_contexts. - - It is important to note the final processed version of this file - is stripped of comments and whitespace. This is to preserve space on the - system.img. If one wishes to view it in a more human friendly format, - the "tidy" or "xmllint" command will assist you. - - TOOLING: - insertkeys.py - Is a helper script for mapping arbitrary tags in the signature stanzas of - mac_permissions.xml to public keys found in pem files. This script takes - a mac_permissions.xml file(s) and configuration file in order to operate. - Details of the configuration file (keys.conf) can be found in the subsection - keys.conf. This tool is also responsible for stripping the comments and - whitespace during processing. - - keys.conf - The keys.conf file is used for controlling the mapping of "tags" found in - the mac_permissions.xml signature stanzas with actual public keys found in - pem files. The configuration file is processed via m4. - - The script allows for mapping any string contained in TARGET_BUILD_VARIANT - with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either - user, eng or userdebug. Additionally, one can specify "ALL" to map a path to - any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim - and all options are matched lowercase. The options are "tolowered" automatically - for the user, it is convention to specify tags and options in all uppercase - and tags start with @. The option arguments can also use environment variables - via the familiar $VARIABLE syntax. This is often useful for setting a location - to ones release keys. - - Often times, one will need to integrate an application that was signed by a separate - organization and may need to extract the pem file for the insertkeys/keys.conf tools. - Extraction of the public key in the pem format is possible via openssl. First you need - to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute - openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs - On some occasions CERT.RSA has a different name, and you will need to adjust for that. - After extracting the pem, you can rename it, and configure keys.conf and - mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text - editor and strip out anything outside the opening and closing scissor lines. Failure to do - so WILL cause a compile time issue thrown by insertkeys.py - - NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml - and setool all use base16 encodings. +This directory has moved to system/sepolicy. diff --git a/access_vectors b/access_vectors deleted file mode 100644 index c38aa7b..0000000 --- a/access_vectors +++ /dev/null @@ -1,620 +0,0 @@ -# -# Define common prefixes for access vectors -# -# common common_name { permission_name ... } - - -# -# Define a common prefix for file access vectors. -# - -common file -{ - ioctl - read - write - create - getattr - setattr - lock - relabelfrom - relabelto - append - unlink - link - rename - execute - swapon - quotaon - mounton -} - - -# -# Define a common prefix for socket access vectors. -# - -common socket -{ -# inherited from file - ioctl - read - write - create - getattr - setattr - lock - relabelfrom - relabelto - append -# socket-specific - bind - connect - listen - accept - getopt - setopt - shutdown - recvfrom - sendto - recv_msg - send_msg - name_bind -} - -# -# Define a common prefix for ipc access vectors. -# - -common ipc -{ - create - destroy - getattr - setattr - read - write - associate - unix_read - unix_write -} - -# -# Define the access vectors. -# -# class class_name [ inherits common_name ] { permission_name ... } - - -# -# Define the access vector interpretation for file-related objects. -# - -class filesystem -{ - mount - remount - unmount - getattr - relabelfrom - relabelto - transition - associate - quotamod - quotaget -} - -class dir -inherits file -{ - add_name - remove_name - reparent - search - rmdir - open - audit_access - execmod -} - -class file -inherits file -{ - execute_no_trans - entrypoint - execmod - open - audit_access -} - -class lnk_file -inherits file -{ - open - audit_access - execmod -} - -class chr_file -inherits file -{ - execute_no_trans - entrypoint - execmod - open - audit_access -} - -class blk_file -inherits file -{ - open - audit_access - execmod -} - -class sock_file -inherits file -{ - open - audit_access - execmod -} - -class fifo_file -inherits file -{ - open - audit_access - execmod -} - -class fd -{ - use -} - - -# -# Define the access vector interpretation for network-related objects. -# - -class socket -inherits socket - -class tcp_socket -inherits socket -{ - connectto - newconn - acceptfrom - node_bind - name_connect -} - -class udp_socket -inherits socket -{ - node_bind -} - -class rawip_socket -inherits socket -{ - node_bind -} - -class node -{ - tcp_recv - tcp_send - udp_recv - udp_send - rawip_recv - rawip_send - enforce_dest - dccp_recv - dccp_send - recvfrom - sendto -} - -class netif -{ - tcp_recv - tcp_send - udp_recv - udp_send - rawip_recv - rawip_send - dccp_recv - dccp_send - ingress - egress -} - -class netlink_socket -inherits socket - -class packet_socket -inherits socket - -class key_socket -inherits socket - -class unix_stream_socket -inherits socket -{ - connectto - newconn - acceptfrom -} - -class unix_dgram_socket -inherits socket - -# -# Define the access vector interpretation for process-related objects -# - -class process -{ - fork - transition - sigchld # commonly granted from child to parent - sigkill # cannot be caught or ignored - sigstop # cannot be caught or ignored - signull # for kill(pid, 0) - signal # all other signals - ptrace - getsched - setsched - getsession - getpgid - setpgid - getcap - setcap - share - getattr - setexec - setfscreate - noatsecure - siginh - setrlimit - rlimitinh - dyntransition - setcurrent - execmem - execstack - execheap - setkeycreate - setsockcreate -} - - -# -# Define the access vector interpretation for ipc-related objects -# - -class ipc -inherits ipc - -class sem -inherits ipc - -class msgq -inherits ipc -{ - enqueue -} - -class msg -{ - send - receive -} - -class shm -inherits ipc -{ - lock -} - - -# -# Define the access vector interpretation for the security server. -# - -class security -{ - compute_av - compute_create - compute_member - check_context - load_policy - compute_relabel - compute_user - setenforce # was avc_toggle in system class - setbool - setsecparam - setcheckreqprot - read_policy -} - - -# -# Define the access vector interpretation for system operations. -# - -class system -{ - ipc_info - syslog_read - syslog_mod - syslog_console - module_request -} - -# -# Define the access vector interpretation for controling capabilies -# - -class capability -{ - # The capabilities are defined in include/linux/capability.h - # Capabilities >= 32 are defined in the capability2 class. - # Care should be taken to ensure that these are consistent with - # those definitions. (Order matters) - - chown - dac_override - dac_read_search - fowner - fsetid - kill - setgid - setuid - setpcap - linux_immutable - net_bind_service - net_broadcast - net_admin - net_raw - ipc_lock - ipc_owner - sys_module - sys_rawio - sys_chroot - sys_ptrace - sys_pacct - sys_admin - sys_boot - sys_nice - sys_resource - sys_time - sys_tty_config - mknod - lease - audit_write - audit_control - setfcap -} - -class capability2 -{ - mac_override # unused by SELinux - mac_admin # unused by SELinux - syslog - wake_alarm - block_suspend - audit_read -} - -# -# Extended Netlink classes -# -class netlink_route_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_firewall_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_tcpdiag_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_nflog_socket -inherits socket - -class netlink_xfrm_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_selinux_socket -inherits socket - -class netlink_audit_socket -inherits socket -{ - nlmsg_read - nlmsg_write - nlmsg_relay - nlmsg_readpriv - nlmsg_tty_audit -} - -class netlink_ip6fw_socket -inherits socket -{ - nlmsg_read - nlmsg_write -} - -class netlink_dnrt_socket -inherits socket - -# Define the access vector interpretation for controlling -# access to IPSec network data by association -# -class association -{ - sendto - recvfrom - setcontext - polmatch -} - -# Updated Netlink class for KOBJECT_UEVENT family. -class netlink_kobject_uevent_socket -inherits socket - -class appletalk_socket -inherits socket - -class packet -{ - send - recv - relabelto - flow_in # deprecated - flow_out # deprecated - forward_in - forward_out -} - -class key -{ - view - read - write - search - link - setattr - create -} - -class dccp_socket -inherits socket -{ - node_bind - name_connect -} - -class memprotect -{ - mmap_zero -} - -# network peer labels -class peer -{ - recv -} - -class kernel_service -{ - use_as_override - create_files_as -} - -class tun_socket -inherits socket -{ - attach_queue -} - -class binder -{ - impersonate - call - set_context_mgr - transfer -} - -class netlink_iscsi_socket -inherits socket - -class netlink_fib_lookup_socket -inherits socket - -class netlink_connector_socket -inherits socket - -class netlink_netfilter_socket -inherits socket - -class netlink_generic_socket -inherits socket - -class netlink_scsitransport_socket -inherits socket - -class netlink_rdma_socket -inherits socket - -class netlink_crypto_socket -inherits socket - -class property_service -{ - set -} - -class service_manager -{ - add - find - list -} - -class keystore_key -{ - get_state - get - insert - delete - exist - list - reset - password - lock - unlock - is_empty - sign - verify - grant - duplicate - clear_uid - add_auth - user_changed -} - -class debuggerd -{ - dump_tombstone - dump_backtrace -} - -class drmservice { - consumeRights - setPlaybackStatus - openDecryptSession - closeDecryptSession - initializeDecryptUnit - decrypt - finalizeDecryptUnit - pread -} diff --git a/adbd.te b/adbd.te deleted file mode 100644 index 2734a33..0000000 --- a/adbd.te +++ /dev/null @@ -1,102 +0,0 @@ -# adbd seclabel is specified in init.rc since -# it lives in the rootfs and has no unique file type. -type adbd, domain, mlstrustedsubject; - -userdebug_or_eng(` - allow adbd self:process setcurrent; - allow adbd su:process dyntransition; -') - -domain_auto_trans(adbd, shell_exec, shell) - -# Do not sanitize the environment or open fds of the shell. Allow signaling -# created processes. -allow adbd shell:process { noatsecure signal }; - -# Set UID and GID to shell. Set supplementary groups. -allow adbd self:capability { setuid setgid }; - -# Drop capabilities from bounding set on user builds. -allow adbd self:capability setpcap; - -# Create and use network sockets. -net_domain(adbd) - -# Access /dev/android_adb or /dev/usb-ffs/adb/ep0 -allow adbd adb_device:chr_file rw_file_perms; -allow adbd functionfs:dir search; -allow adbd functionfs:file rw_file_perms; - -# Use a pseudo tty. -allow adbd devpts:chr_file rw_file_perms; - -# adb push/pull /data/local/tmp. -allow adbd shell_data_file:dir create_dir_perms; -allow adbd shell_data_file:file create_file_perms; - -# adb push/pull sdcard. -allow adbd tmpfs:dir search; -allow adbd rootfs:lnk_file r_file_perms; -allow adbd sdcard_type:dir create_dir_perms; -allow adbd sdcard_type:file create_file_perms; - -# adb pull /data/anr/traces.txt -allow adbd anr_data_file:dir r_dir_perms; -allow adbd anr_data_file:file r_file_perms; - -# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties. -set_prop(adbd, shell_prop) -set_prop(adbd, powerctl_prop) -set_prop(adbd, ffs_prop) - -# Access device logging gating property -get_prop(adbd, device_logging_prop) - -# Run /system/bin/bu -allow adbd system_file:file rx_file_perms; - -# Perform binder IPC to surfaceflinger (screencap) -# XXX Run screencap in a separate domain? -binder_use(adbd) -binder_call(adbd, surfaceflinger) -# b/13188914 -allow adbd gpu_device:chr_file rw_file_perms; -allow adbd ion_device:chr_file rw_file_perms; -r_dir_file(adbd, system_file) - -# Read /data/misc/adb/adb_keys. -allow adbd adb_keys_file:dir search; -allow adbd adb_keys_file:file r_file_perms; - -userdebug_or_eng(` - # Write debugging information to /data/adb - # when persist.adb.trace_mask is set - # https://code.google.com/p/android/issues/detail?id=72895 - allow adbd adb_data_file:dir rw_dir_perms; - allow adbd adb_data_file:file create_file_perms; -') - -# ndk-gdb invokes adb forward to forward the gdbserver socket. -allow adbd app_data_file:dir search; -allow adbd app_data_file:sock_file write; -allow adbd appdomain:unix_stream_socket connectto; - -# ndk-gdb invokes adb pull of app_process, linker, and libc.so. -allow adbd zygote_exec:file r_file_perms; -allow adbd system_file:file r_file_perms; - -# Allow pulling the SELinux policy for CTS purposes -allow adbd selinuxfs:dir r_dir_perms; -allow adbd selinuxfs:file r_file_perms; -allow adbd kernel:security read_policy; - -allow adbd surfaceflinger_service:service_manager find; -allow adbd bootchart_data_file:dir search; -allow adbd bootchart_data_file:file r_file_perms; - -# Allow access to external storage; we have several visible mount points under /storage -# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary -allow adbd storage_file:dir r_dir_perms; -allow adbd storage_file:lnk_file r_file_perms; -allow adbd mnt_user_file:dir r_dir_perms; -allow adbd mnt_user_file:lnk_file r_file_perms; @@ -1,409 +0,0 @@ -### -### Domain for all zygote spawned apps -### -### This file is the base policy for all zygote spawned apps. -### Other policy files, such as isolated_app.te, untrusted_app.te, etc -### extend from this policy. Only policies which should apply to ALL -### zygote spawned apps should be added here. -### - -# WebView and other application-specific JIT compilers -allow appdomain self:process execmem; - -allow appdomain ashmem_device:chr_file execute; - -# Receive and use open file descriptors inherited from zygote. -allow appdomain zygote:fd use; - -# gdbserver for ndk-gdb reads the zygote. -# valgrind needs mmap exec for zygote -allow appdomain zygote_exec:file rx_file_perms; - -# Read system properties managed by zygote. -allow appdomain zygote_tmpfs:file read; - -# Notify zygote of death; -allow appdomain zygote:process sigchld; - -# Place process into foreground / background -allow appdomain cgroup:dir { search write }; -allow appdomain cgroup:file w_file_perms; - -# Read /data/dalvik-cache. -allow appdomain dalvikcache_data_file:dir { search getattr }; -allow appdomain dalvikcache_data_file:file r_file_perms; - -# Read the /sdcard symlink -allow appdomain rootfs:lnk_file r_file_perms; - -# Search /storage/emulated tmpfs mount. -allow appdomain tmpfs:dir r_dir_perms; - -userdebug_or_eng(` - # Notify zygote of the wrapped process PID when using --invoke-with. - allow appdomain zygote:fifo_file write; - - # Allow apps to create and write method traces in /data/misc/trace. - allow appdomain method_trace_data_file:dir w_dir_perms; - allow appdomain method_trace_data_file:file { create w_file_perms }; -') - -# Notify shell and adbd of death when spawned via runas for ndk-gdb. -allow appdomain shell:process sigchld; -allow appdomain adbd:process sigchld; - -# child shell or gdbserver pty access for runas. -allow appdomain devpts:chr_file { getattr read write ioctl }; - -# Use pipes and sockets provided by system_server via binder or local socket. -allow appdomain system_server:fifo_file rw_file_perms; -allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown }; -allow appdomain system_server:tcp_socket { read write getattr getopt shutdown }; - -# Communication with other apps via fifos -allow appdomain appdomain:fifo_file rw_file_perms; - -# Communicate with surfaceflinger. -allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; - -# App sandbox file accesses. -allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; -allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; - -# lib subdirectory of /data/data dir is system-owned. -allow appdomain system_data_file:dir r_dir_perms; -allow appdomain system_data_file:file { execute execute_no_trans open execmod }; - -# Traverse into expanded storage -allow appdomain mnt_expand_file:dir r_dir_perms; - -# Keychain and user-trusted credentials -allow appdomain keychain_data_file:dir r_dir_perms; -allow appdomain keychain_data_file:file r_file_perms; -allow appdomain misc_user_data_file:dir r_dir_perms; -allow appdomain misc_user_data_file:file r_file_perms; - -# Access to OEM provided data and apps -allow appdomain oemfs:dir r_dir_perms; -allow appdomain oemfs:file rx_file_perms; - -# Execute the shell or other system executables. -allow appdomain shell_exec:file rx_file_perms; -allow appdomain system_file:file rx_file_perms; -allow appdomain toolbox_exec:file rx_file_perms; - -# Renderscript needs the ability to read directories on /system -r_dir_file(appdomain, system_file) - -# Execute dex2oat when apps call dexclassloader -allow appdomain dex2oat_exec:file rx_file_perms; - -# Read/write wallpaper file (opened by system). -allow appdomain wallpaper_file:file { getattr read write }; - -# Write to /data/anr/traces.txt. -allow appdomain anr_data_file:dir search; -allow appdomain anr_data_file:file { open append }; - -# Allow apps to send dump information to dumpstate -allow appdomain dumpstate:fd use; -allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown }; -allow appdomain shell_data_file:file { write getattr }; - -# Send heap dumps to system_server via an already open file descriptor -# % adb shell am set-watch-heap com.android.systemui 1048576 -# % adb shell dumpsys procstats --start-testing -# debuggable builds only. -userdebug_or_eng(` - allow appdomain heapdump_data_file:file append; -') - -# Write to /proc/net/xt_qtaguid/ctrl file. -allow appdomain qtaguid_proc:file rw_file_perms; -# Everybody can read the xt_qtaguid resource tracking misc dev. -# So allow all apps to read from /dev/xt_qtaguid. -allow appdomain qtaguid_device:chr_file r_file_perms; - -# Grant GPU access to all processes started by Zygote. -# They need that to render the standard UI. -allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms; - -# Use the Binder. -binder_use(appdomain) -# Perform binder IPC to binder services. -binder_call(appdomain, binderservicedomain) -# Perform binder IPC to other apps. -binder_call(appdomain, appdomain) - -# Already connected, unnamed sockets being passed over some other IPC -# hence no sock_file or connectto permission. This appears to be how -# Chrome works, may need to be updated as more apps using isolated services -# are examined. -allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown }; - -# Backup ability for every app. BMS opens and passes the fd -# to any app that has backup ability. Hence, no open permissions here. -allow appdomain backup_data_file:file { read write getattr }; -allow appdomain cache_backup_file:file { read write getattr }; -allow appdomain cache_backup_file:dir getattr; -# Backup ability using 'adb backup' -allow appdomain system_data_file:lnk_file getattr; - -# Allow read/stat of /data/media files passed by Binder or local socket IPC. -allow appdomain media_rw_data_file:file { read getattr }; - -# Read and write /data/data/com.android.providers.telephony files passed over Binder. -allow appdomain radio_data_file:file { read write getattr }; - -# Allow access to external storage; we have several visible mount points under /storage -# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary -allow appdomain storage_file:dir r_dir_perms; -allow appdomain storage_file:lnk_file r_file_perms; -allow appdomain mnt_user_file:dir r_dir_perms; -allow appdomain mnt_user_file:lnk_file r_file_perms; - -# Read/write visible storage -allow appdomain fuse:dir create_dir_perms; -allow appdomain fuse:file create_file_perms; - -# Access OBBs (vfat images) mounted by vold (b/17633509) -# File write access allowed for FDs returned through Storage Access Framework -allow appdomain vfat:dir r_dir_perms; -allow appdomain vfat:file rw_file_perms; - -# Allow apps to use the USB Accessory interface. -# http://developer.android.com/guide/topics/connectivity/usb/accessory.html -# -# USB devices are first opened by the system server (USBDeviceManagerService) -# and the file descriptor is passed to the right Activity via binder. -allow appdomain usb_device:chr_file { read write getattr ioctl }; -allow appdomain usbaccessory_device:chr_file { read write getattr }; - -# For art. -allow appdomain dalvikcache_data_file:file execute; -allow appdomain dalvikcache_data_file:lnk_file r_file_perms; - -# Allow any app to read shared RELRO files. -allow appdomain shared_relro_file:dir search; -allow appdomain shared_relro_file:file r_file_perms; - -# Allow apps to read/execute installed binaries -allow appdomain apk_data_file:dir r_dir_perms; -allow appdomain apk_data_file:file { rx_file_perms execmod }; - -# /data/resource-cache -allow appdomain resourcecache_data_file:file r_file_perms; -allow appdomain resourcecache_data_file:dir r_dir_perms; - -# logd access -read_logd(appdomain) -control_logd(appdomain) -# application inherit logd write socket (urge is to deprecate this long term) -allow appdomain zygote:unix_dgram_socket write; - -allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify }; - -use_keystore({ appdomain -isolated_app }) - -allow appdomain console_device:chr_file { read write }; - -allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms; - -# For app fuse. -allow appdomain app_fuse_file:file { getattr read append write }; - -### -### CTS-specific rules -### - -# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java. -# testRunAsHasCorrectCapabilities -allow appdomain runas_exec:file getattr; -# Others are either allowed elsewhere or not desired. - -# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java -# Check SELinux policy and contexts. -selinux_check_access(appdomain) -selinux_check_context(appdomain) - -# Apps receive an open tun fd from the framework for -# device traffic. Do not allow untrusted app to directly open tun_device -allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append }; - -# Connect to adbd and use a socket transferred from it. -# This is used for e.g. adb backup/restore. -allow appdomain adbd:unix_stream_socket connectto; -allow appdomain adbd:fd use; -allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; - -allow appdomain cache_file:dir getattr; - -### -### Neverallow rules -### -### These are things that Android apps should NEVER be able to do -### - -# Superuser capabilities. -# bluetooth requires net_admin and wake_alarm. -neverallow { appdomain -bluetooth } self:capability *; -neverallow { appdomain -bluetooth } self:capability2 *; - -# Block device access. -neverallow appdomain dev_type:blk_file { read write }; - -# Access to any of the following character devices. -neverallow appdomain { - audio_device - video_device - dm_device - radio_device - gps_device - rpmsg_device -}:chr_file { read write }; - -# Note: Try expanding list of app domains in the future. -neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write }; - -neverallow { appdomain -nfc } nfc_device:chr_file - { read write }; -neverallow { appdomain -bluetooth } hci_attach_dev:chr_file - { read write }; -neverallow appdomain tee_device:chr_file { read write }; - -# Privileged netlink socket interfaces. -neverallow appdomain - domain:{ - netlink_firewall_socket - netlink_tcpdiag_socket - netlink_nflog_socket - netlink_xfrm_socket - netlink_audit_socket - netlink_ip6fw_socket - netlink_dnrt_socket - } *; - -# These messages are broadcast messages from the kernel to userspace. -# Do not allow the writing of netlink messages, which has been a source -# of rooting vulns in the past. -neverallow appdomain domain:netlink_kobject_uevent_socket { write append }; - -# Sockets under /dev/socket that are not specifically typed. -neverallow appdomain socket_device:sock_file write; - -# Unix domain sockets. -neverallow appdomain adbd_socket:sock_file write; -neverallow appdomain installd_socket:sock_file write; -neverallow { appdomain -radio } rild_socket:sock_file write; -neverallow appdomain vold_socket:sock_file write; -neverallow appdomain zygote_socket:sock_file write; - -# ptrace access to non-app domains. -neverallow appdomain { domain -appdomain }:process ptrace; - -# Write access to /proc/pid entries for any non-app domain. -neverallow appdomain { domain -appdomain }:file write; - -# signal access to non-app domains. -# sigchld allowed for parent death notification. -# signull allowed for kill(pid, 0) existence test. -# All others prohibited. -neverallow appdomain { domain -appdomain }:process - { sigkill sigstop signal }; - -# Transition to a non-app domain. -# Exception for the shell domain and the su domain, can transition to runas, -# etc. -neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process - { transition dyntransition }; - -# Write to rootfs. -neverallow appdomain rootfs:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to /system. -neverallow appdomain system_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to entrypoint executables. -neverallow appdomain exec_type:file - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to system-owned parts of /data. -# This is the default type for anything under /data not otherwise -# specified in file_contexts. Define a different type for portions -# that should be writable by apps. -neverallow appdomain system_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Write to various other parts of /data. -neverallow appdomain drm_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -system_app } - gps_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_tmp_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_private_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -platform_app } - apk_private_tmp_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -shell } - shell_data_file:dir_file_class_set - { create setattr relabelfrom relabelto append unlink link rename }; -neverallow { appdomain -bluetooth } - bluetooth_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - keystore_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - systemkeys_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - wifi_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; -neverallow appdomain - dhcp_data_file:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# access tmp apk files -neverallow { appdomain -platform_app -priv_app } - { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *; - -# Access to factory files. -neverallow appdomain efs_file:dir_file_class_set write; -neverallow { appdomain -shell } efs_file:dir_file_class_set read; - -# Write to various pseudo file systems. -neverallow { appdomain -bluetooth -nfc } - sysfs:dir_file_class_set write; -neverallow appdomain - proc:dir_file_class_set write; - -# Access to syslog(2) or /proc/kmsg. -neverallow { appdomain -system_app } - kernel:system { syslog_mod syslog_console }; -neverallow { appdomain -system_app -shell } - kernel:system syslog_read; - -# Ability to perform any filesystem operation other than statfs(2). -# i.e. no mount(2), unmount(2), etc. -neverallow appdomain fs_type:filesystem ~getattr; - -# prevent creation/manipulation of globally readable symlinks -neverallow appdomain { - apk_data_file - cache_file - cache_recovery_file - dev_type - rootfs - system_file - tmpfs -}:lnk_file no_w_file_perms; diff --git a/atrace.te b/atrace.te deleted file mode 100644 index 31cf9e7..0000000 --- a/atrace.te +++ /dev/null @@ -1,24 +0,0 @@ -# Domain for atrace process spawned by boottrace service. -type atrace_exec, exec_type, file_type; - -userdebug_or_eng(` - - type atrace, domain, domain_deprecated; - init_daemon_domain(atrace) - - # boottrace services uses /data/misc/boottrace/categories - allow atrace boottrace_data_file:dir search; - allow atrace boottrace_data_file:file r_file_perms; - - # atrace reads the files in /sys/kernel/debug/tracing/ - allow atrace debugfs_tracing:file r_file_perms; - - # atrace sets debug.atrace.* properties - set_prop(atrace, debug_prop) - - # atrace pokes all the binder-enabled processes at startup. - binder_use(atrace) - allow atrace healthd:binder call; - allow atrace surfaceflinger:binder call; - -') diff --git a/attributes b/attributes deleted file mode 100644 index 485b3e9..0000000 --- a/attributes +++ /dev/null @@ -1,102 +0,0 @@ -###################################### -# Attribute declarations -# - -# All types used for devices. -# On change, update CHECK_FC_ASSERT_ATTRS -# in tools/checkfc.c -attribute dev_type; - -# All types used for processes. -attribute domain; - -# Temporary attribute used for migrating permissions out of domain. -# Motivation: Domain is overly permissive. Start removing permissions -# from domain and assign them to the domain_deprecated attribute. -# Domain_deprecated and domain can initially be assigned to all -# domains. The goal is to not assign domain_deprecated to new domains -# and to start removing domain_deprecated where it's not required or -# reassigning the appropriate permissions to the inheriting domain -# when necessary. -attribute domain_deprecated; - -# All types used for filesystems. -# On change, update CHECK_FC_ASSERT_ATTRS -# definition in tools/checkfc.c. -attribute fs_type; - -# All types used for context= mounts. -attribute contextmount_type; - -# All types used for files that can exist on a labeled fs. -# Do not use for pseudo file types. -# On change, update CHECK_FC_ASSERT_ATTRS -# definition in tools/checkfc.c. -attribute file_type; - -# All types used for domain entry points. -attribute exec_type; - -# All types used for /data files. -attribute data_file_type; - -# All types use for sysfs files. -attribute sysfs_type; - -# All types use for debugfs files. -attribute debugfs_type; - -# Attribute used for all sdcards -attribute sdcard_type; - -# All types used for nodes/hosts. -attribute node_type; - -# All types used for network interfaces. -attribute netif_type; - -# All types used for network ports. -attribute port_type; - -# All types used for property service -# On change, update CHECK_PC_ASSERT_ATTRS -# definition in tools/checkfc.c. -attribute property_type; - -# All properties defined in core SELinux policy. Should not be -# used by device specific properties -attribute core_property_type; - -# All service_manager types created by system_server -attribute system_server_service; - -# services which should be available to all but isolated apps -attribute app_api_service; - -# services which export only system_api -attribute system_api_service; - -# All types used for services managed by service_manager. -# On change, update CHECK_SC_ASSERT_ATTRS -# definition in tools/checkfc.c. -attribute service_manager_type; - -# All domains that can override MLS restrictions. -# i.e. processes that can read up and write down. -attribute mlstrustedsubject; - -# All types that can override MLS restrictions. -# i.e. files that can be read by lower and written by higher -attribute mlstrustedobject; - -# All domains used for apps. -attribute appdomain; - -# All domains used for apps with network access. -attribute netdomain; - -# All domains used for apps with bluetooth access. -attribute bluetoothdomain; - -# All domains used for binder service domains. -attribute binderservicedomain; diff --git a/binderservicedomain.te b/binderservicedomain.te deleted file mode 100644 index 36993eb..0000000 --- a/binderservicedomain.te +++ /dev/null @@ -1,21 +0,0 @@ -# Rules common to all binder service domains - -# Allow dumpstate to collect information from binder services -allow binderservicedomain dumpstate:fd use; -allow binderservicedomain dumpstate:unix_stream_socket { read write getopt getattr }; -allow binderservicedomain shell_data_file:file { getattr write }; - -# Allow dumpsys to work from adb shell or the serial console -allow binderservicedomain devpts:chr_file rw_file_perms; -allow binderservicedomain console_device:chr_file rw_file_perms; - -# Receive and write to a pipe received over Binder from an app. -allow binderservicedomain appdomain:fd use; -allow binderservicedomain appdomain:fifo_file write; - -# allow all services to run permission checks -allow binderservicedomain permission_service:service_manager find; - -allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify }; - -use_keystore(binderservicedomain) diff --git a/blkid.te b/blkid.te deleted file mode 100644 index 43bc944..0000000 --- a/blkid.te +++ /dev/null @@ -1,20 +0,0 @@ -# blkid called from vold -type blkid, domain, domain_deprecated; -type blkid_exec, exec_type, file_type; - -# Allowed read-only access to encrypted devices to extract UUID/label -allow blkid block_device:dir search; -allow blkid userdata_block_device:blk_file r_file_perms; -allow blkid dm_device:blk_file r_file_perms; - -# Allow stdin/out back to vold -allow blkid vold:fd use; -allow blkid vold:fifo_file { read write getattr }; - -# For blkid launched through popen() -allow blkid blkid_exec:file rx_file_perms; - -# Only allow entry from vold -neverallow { domain -vold } blkid:process transition; -neverallow * blkid:process dyntransition; -neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; diff --git a/blkid_untrusted.te b/blkid_untrusted.te deleted file mode 100644 index da3bdac..0000000 --- a/blkid_untrusted.te +++ /dev/null @@ -1,36 +0,0 @@ -# blkid for untrusted block devices -type blkid_untrusted, domain, domain_deprecated; - -# Allowed read-only access to vold block devices to extract UUID/label -allow blkid_untrusted block_device:dir search; -allow blkid_untrusted vold_device:blk_file r_file_perms; - -# Allow stdin/out back to vold -allow blkid_untrusted vold:fd use; -allow blkid_untrusted vold:fifo_file { read write getattr }; - -# For blkid launched through popen() -allow blkid_untrusted blkid_exec:file rx_file_perms; - -### -### neverallow rules -### - -# Untrusted blkid should never be run on block devices holding sensitive data -neverallow blkid_untrusted { - boot_block_device - frp_block_device - metadata_block_device - recovery_block_device - root_block_device - swap_block_device - system_block_device - userdata_block_device - cache_block_device - dm_device -}:blk_file no_rw_file_perms; - -# Only allow entry from vold via blkid binary -neverallow { domain -vold } blkid_untrusted:process transition; -neverallow * blkid_untrusted:process dyntransition; -neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; diff --git a/bluetooth.te b/bluetooth.te deleted file mode 100644 index f249e9b..0000000 --- a/bluetooth.te +++ /dev/null @@ -1,64 +0,0 @@ -# bluetooth subsystem -type bluetooth, domain, domain_deprecated; -app_domain(bluetooth) -net_domain(bluetooth) - -wakelock_use(bluetooth); - -# Data file accesses. -allow bluetooth bluetooth_data_file:dir create_dir_perms; -allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms; - -# Socket creation under /data/misc/bluedroid. -type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket; -allow bluetooth bluetooth_socket:sock_file create_file_perms; - -# bluetooth factory file accesses. -r_dir_file(bluetooth, bluetooth_efs_file) - -allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms; - -# sysfs access. -allow bluetooth sysfs_bluetooth_writable:file rw_file_perms; -allow bluetooth self:capability net_admin; -allow bluetooth self:capability2 wake_alarm; - -# tethering -allow bluetooth self:tun_socket create_socket_perms; -allow bluetooth tun_device:chr_file rw_file_perms; -allow bluetooth efs_file:dir search; - -# proc access. -allow bluetooth proc_bluetooth_writable:file rw_file_perms; - -# Allow write access to bluetooth specific properties -set_prop(bluetooth, bluetooth_prop) -set_prop(bluetooth, pan_result_prop) -set_prop(bluetooth, ctl_dhcp_pan_prop) - -allow bluetooth bluetooth_service:service_manager find; -allow bluetooth drmserver_service:service_manager find; -allow bluetooth mediaserver_service:service_manager find; -allow bluetooth radio_service:service_manager find; -allow bluetooth surfaceflinger_service:service_manager find; -allow bluetooth app_api_service:service_manager find; -allow bluetooth system_api_service:service_manager find; - -# Bluetooth Sim Access Profile Socket to the RIL -unix_socket_connect(bluetooth, sap_uim, rild) - -# already open bugreport file descriptors may be shared with -# the bluetooth process, from a file in -# /data/data/com.android.shell/files/bugreports/bugreport-*. -allow bluetooth shell_data_file:file read; - -### -### Neverallow rules -### -### These are things that the bluetooth app should NEVER be able to do -### - -# Superuser capabilities. -# bluetooth requires net_admin, wake_alarm and block_suspend -neverallow bluetooth self:capability ~net_admin; -neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend }; diff --git a/bluetoothdomain.te b/bluetoothdomain.te deleted file mode 100644 index fe4f0e6..0000000 --- a/bluetoothdomain.te +++ /dev/null @@ -1,2 +0,0 @@ -# Allow clients to use a socket provided by the bluetooth app. -allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown }; diff --git a/bootanim.te b/bootanim.te deleted file mode 100644 index fa0e4dc..0000000 --- a/bootanim.te +++ /dev/null @@ -1,30 +0,0 @@ -# bootanimation oneshot service -type bootanim, domain; -type bootanim_exec, exec_type, file_type; - -init_daemon_domain(bootanim) - -binder_use(bootanim) -binder_call(bootanim, surfaceflinger) - -allow bootanim gpu_device:chr_file rw_file_perms; - -# /oem access -allow bootanim oemfs:dir search; -allow bootanim oemfs:file r_file_perms; - -allow bootanim audio_device:dir r_dir_perms; -allow bootanim audio_device:chr_file rw_file_perms; - -allow bootanim surfaceflinger_service:service_manager find; - -# Allow access to ion memory allocation device -allow bootanim ion_device:chr_file rw_file_perms; - -# Read access to pseudo filesystems. -r_dir_file(bootanim, proc) -r_dir_file(bootanim, sysfs) -r_dir_file(bootanim, cgroup) - -# System file accesses. -allow bootanim system_file:dir r_dir_perms; diff --git a/bootstat.te b/bootstat.te deleted file mode 100644 index 44a8c91..0000000 --- a/bootstat.te +++ /dev/null @@ -1,12 +0,0 @@ -# bootstat command -type bootstat, domain; -type bootstat_exec, exec_type, file_type; - -init_daemon_domain(bootstat) - -# Allow persistent storage in /data/misc/bootstat. -allow bootstat bootstat_data_file:dir rw_dir_perms; -allow bootstat bootstat_data_file:file create_file_perms; - -# Read access to pseudo filesystems (for /proc/uptime). -r_dir_file(bootstat, proc)
\ No newline at end of file diff --git a/clatd.te b/clatd.te deleted file mode 100644 index 3cda6a2..0000000 --- a/clatd.te +++ /dev/null @@ -1,31 +0,0 @@ -# 464xlat daemon -type clatd, domain, domain_deprecated; -type clatd_exec, exec_type, file_type; - -net_domain(clatd) - -# Access objects inherited from netd. -allow clatd netd:fd use; -allow clatd netd:fifo_file { read write }; -# TODO: Check whether some or all of these sockets should be close-on-exec. -allow clatd netd:netlink_kobject_uevent_socket { read write }; -allow clatd netd:netlink_nflog_socket { read write }; -allow clatd netd:netlink_route_socket { read write }; -allow clatd netd:udp_socket { read write }; -allow clatd netd:unix_stream_socket { read write }; -allow clatd netd:unix_dgram_socket { read write }; - -allow clatd self:capability { net_admin net_raw setuid setgid }; - -# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks -# capable(CAP_IPC_LOCK), and then checks to see the requested amount is -# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have -# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices -# so we permit any requests we see from clatd asking for this capability. -# See https://android-review.googlesource.com/127940 and -# https://b.corp.google.com/issues/21736319 -allow clatd self:capability ipc_lock; - -allow clatd self:netlink_route_socket nlmsg_write; -allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms; -allow clatd tun_device:chr_file rw_file_perms; diff --git a/debuggerd.te b/debuggerd.te deleted file mode 100644 index 04dcb79..0000000 --- a/debuggerd.te +++ /dev/null @@ -1,38 +0,0 @@ -# debugger interface -type debuggerd, domain, domain_deprecated; -type debuggerd_exec, exec_type, file_type; - -init_daemon_domain(debuggerd) -typeattribute debuggerd mlstrustedsubject; -allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid }; -allow debuggerd self:capability2 { syslog }; -allow debuggerd domain:dir r_dir_perms; -allow debuggerd domain:file r_file_perms; -allow debuggerd domain:lnk_file read; -allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr }; -allow debuggerd tombstone_data_file:dir rw_dir_perms; -allow debuggerd tombstone_data_file:file create_file_perms; -allow debuggerd shared_relro_file:dir r_dir_perms; -allow debuggerd shared_relro_file:file r_file_perms; -allow debuggerd domain:process { sigstop sigkill signal }; -allow debuggerd exec_type:file r_file_perms; -# Access app library -allow debuggerd system_data_file:file open; -# Allow debuggerd to redirect a dump_backtrace request to itself. -# This only happens on 64 bit systems, where all requests go to the 64 bit -# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit. -allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; - -# Connect to system_server via /data/system/ndebugsocket. -unix_socket_connect(debuggerd, system_ndebug, system_server) - -userdebug_or_eng(` - allow debuggerd input_device:dir r_dir_perms; - allow debuggerd input_device:chr_file rw_file_perms; -') - -# logd access -read_logd(debuggerd) - -# Check SELinux permissions. -selinux_check_access(debuggerd) diff --git a/device.te b/device.te deleted file mode 100644 index 0fc90c5..0000000 --- a/device.te +++ /dev/null @@ -1,102 +0,0 @@ -# Device types -type device, dev_type, fs_type; -type alarm_device, dev_type, mlstrustedobject; -type adb_device, dev_type; -type ashmem_device, dev_type, mlstrustedobject; -type audio_device, dev_type; -type binder_device, dev_type, mlstrustedobject; -type block_device, dev_type; -type dm_device, dev_type; -type loop_device, dev_type; -type pmsg_device, dev_type, mlstrustedobject; -type radio_device, dev_type; -type ram_device, dev_type; -type rtc_device, dev_type; -type vold_device, dev_type; -type console_device, dev_type; -type cpuctl_device, dev_type; -type fscklogs, dev_type; -type full_device, dev_type; -# GPU (used by most UI apps) -type gpu_device, dev_type, mlstrustedobject; -type graphics_device, dev_type; -type hw_random_device, dev_type; -type input_device, dev_type; -type kmem_device, dev_type; -type log_device, dev_type, mlstrustedobject; -type mtd_device, dev_type; -type mtp_device, dev_type, mlstrustedobject; -type nfc_device, dev_type; -type ptmx_device, dev_type, mlstrustedobject; -type kmsg_device, dev_type; -type null_device, dev_type, mlstrustedobject; -type random_device, dev_type, mlstrustedobject; -type sensors_device, dev_type; -type serial_device, dev_type; -type socket_device, dev_type; -type owntty_device, dev_type, mlstrustedobject; -type tty_device, dev_type; -type urandom_device, dev_type, mlstrustedobject; -type video_device, dev_type; -type vcs_device, dev_type; -type zero_device, dev_type, mlstrustedobject; -type fuse_device, dev_type, mlstrustedobject; -type iio_device, dev_type; -type ion_device, dev_type, mlstrustedobject; -type gps_device, dev_type; -type qtaguid_device, dev_type; -type watchdog_device, dev_type; -type uhid_device, dev_type; -type uio_device, dev_type; -type tun_device, dev_type, mlstrustedobject; -type usbaccessory_device, dev_type, mlstrustedobject; -type usb_device, dev_type, mlstrustedobject; -type klog_device, dev_type; -type properties_device, dev_type; -type properties_serial, dev_type; -type i2c_device, dev_type; - -# All devices have a uart for the hci -# attach service. The uart dev node -# varies per device. This type -# is used in per device policy -type hci_attach_dev, dev_type; - -# All devices have a rpmsg device for -# achieving remoteproc and rpmsg modules -type rpmsg_device, dev_type; - -# Partition layout block device -type root_block_device, dev_type; - -# factory reset protection block device -type frp_block_device, dev_type; - -# System block device mounted on /system. -type system_block_device, dev_type; - -# Recovery block device. -type recovery_block_device, dev_type; - -# boot block device. -type boot_block_device, dev_type; - -# Userdata block device mounted on /data. -type userdata_block_device, dev_type; - -# Cache block device mounted on /cache. -type cache_block_device, dev_type; - -# Block device for any swap partition. -type swap_block_device, dev_type; - -# Metadata block device used for encryption metadata. -# Assign this type to the partition specified by the encryptable= -# mount option in your fstab file in the entry for userdata. -type metadata_block_device, dev_type; - -# The 'misc' partition used by recovery and A/B. -type misc_block_device, dev_type; - -# Bootctrl block device used by A/B update (update_engine, update_verifier). -type bootctrl_block_device, dev_type; diff --git a/dex2oat.te b/dex2oat.te deleted file mode 100644 index 83a7c8a..0000000 --- a/dex2oat.te +++ /dev/null @@ -1,16 +0,0 @@ -# dex2oat -type dex2oat, domain, domain_deprecated; -type dex2oat_exec, exec_type, file_type; - -allow dex2oat dalvikcache_data_file:file write; -# Read symlinks in /data/dalvik-cache -allow dex2oat dalvikcache_data_file:lnk_file read; -allow dex2oat installd:fd use; - -# Read already open asec_apk_file file descriptors passed by installd. -# Also allow reading unlabeled files, to allow for upgrading forward -# locked APKs. -allow dex2oat asec_apk_file:file read; -allow dex2oat unlabeled:file read; -allow dex2oat oemfs:file read; -allow dex2oat apk_tmp_file:file read; diff --git a/dhcp.te b/dhcp.te deleted file mode 100644 index a858e08..0000000 --- a/dhcp.te +++ /dev/null @@ -1,32 +0,0 @@ -type dhcp, domain, domain_deprecated; -type dhcp_exec, exec_type, file_type; -type dhcp_data_file, file_type, data_file_type; - -init_daemon_domain(dhcp) -net_domain(dhcp) - -allow dhcp cgroup:dir { create write add_name }; -allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service }; -allow dhcp self:packet_socket create_socket_perms; -allow dhcp self:netlink_route_socket nlmsg_write; -allow dhcp shell_exec:file rx_file_perms; -allow dhcp system_file:file rx_file_perms; - -# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec) -allow dhcp toolbox_exec:file rx_file_perms; - -# For /proc/sys/net/ipv4/conf/*/promote_secondaries -allow dhcp proc_net:file write; - -set_prop(dhcp, dhcp_prop) -set_prop(dhcp, pan_result_prop) - -type_transition dhcp system_data_file:{ dir file } dhcp_data_file; -allow dhcp dhcp_data_file:dir create_dir_perms; -allow dhcp dhcp_data_file:file create_file_perms; - -# PAN connections -allow dhcp netd:fd use; -allow dhcp netd:fifo_file rw_file_perms; -allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write }; -allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write }; diff --git a/dnsmasq.te b/dnsmasq.te deleted file mode 100644 index e5e4198..0000000 --- a/dnsmasq.te +++ /dev/null @@ -1,24 +0,0 @@ -# DNS, DHCP services -type dnsmasq, domain, domain_deprecated; -type dnsmasq_exec, exec_type, file_type; - -net_domain(dnsmasq) - -# TODO: Run with dhcp group to avoid need for dac_override. -allow dnsmasq self:capability dac_override; - -allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid }; - -allow dnsmasq dhcp_data_file:dir w_dir_perms; -allow dnsmasq dhcp_data_file:file create_file_perms; - -# Inherit and use open files from netd. -allow dnsmasq netd:fd use; -allow dnsmasq netd:fifo_file { read write }; -# TODO: Investigate whether these inherited sockets should be closed on exec. -allow dnsmasq netd:netlink_kobject_uevent_socket { read write }; -allow dnsmasq netd:netlink_nflog_socket { read write }; -allow dnsmasq netd:netlink_route_socket { read write }; -allow dnsmasq netd:unix_stream_socket { read write }; -allow dnsmasq netd:unix_dgram_socket { read write }; -allow dnsmasq netd:udp_socket { read write }; diff --git a/domain.te b/domain.te deleted file mode 100644 index 549a0b9..0000000 --- a/domain.te +++ /dev/null @@ -1,532 +0,0 @@ -# Rules for all domains. - -# Allow reaping by init. -allow domain init:process sigchld; - -# Intra-domain accesses. -allow domain self:process { - fork - sigchld - sigkill - sigstop - signull - signal - getsched - setsched - getsession - getpgid - setpgid - getcap - setcap - getattr - setrlimit -}; -allow domain self:fd use; -allow domain proc:dir r_dir_perms; -allow domain proc_net:dir search; -r_dir_file(domain, self) -allow domain self:{ fifo_file file } rw_file_perms; -allow domain self:unix_dgram_socket { create_socket_perms sendto }; -allow domain self:unix_stream_socket { create_stream_socket_perms connectto }; - -# Inherit or receive open files from others. -allow domain init:fd use; - -userdebug_or_eng(` - # Same as adbd rules above, except allow su to do the same thing - allow domain su:unix_stream_socket connectto; - allow domain su:fd use; - allow domain su:unix_stream_socket { getattr getopt read write shutdown }; - - binder_call({ domain -init }, su) - - # Running something like "pm dump com.android.bluetooth" requires - # fifo writes - allow domain su:fifo_file { write getattr }; - - # allow "gdbserver --attach" to work for su. - allow domain su:process sigchld; - - # Allow writing coredumps to /cores/* - allow domain coredump_file:file create_file_perms; - allow domain coredump_file:dir ra_dir_perms; -') - -### -### Talk to debuggerd. -### -allow domain debuggerd:process sigchld; -allow domain debuggerd:unix_stream_socket connectto; - -# Root fs. -allow domain rootfs:dir search; -allow domain rootfs:lnk_file read; - -# Device accesses. -allow domain device:dir search; -allow domain dev_type:lnk_file r_file_perms; -allow domain devpts:dir search; -allow domain socket_device:dir r_dir_perms; -allow domain owntty_device:chr_file rw_file_perms; -allow domain null_device:chr_file rw_file_perms; -allow domain zero_device:chr_file rw_file_perms; -allow domain ashmem_device:chr_file rw_file_perms; -allow domain binder_device:chr_file rw_file_perms; -allow domain ptmx_device:chr_file rw_file_perms; -allow domain alarm_device:chr_file r_file_perms; -allow domain urandom_device:chr_file rw_file_perms; -allow domain random_device:chr_file rw_file_perms; -allow domain properties_device:dir r_dir_perms; -allow domain properties_serial:file r_file_perms; - -# For now, everyone can access core property files -# Device specific properties are not granted by default -get_prop(domain, core_property_type) -dontaudit domain property_type:file audit_access; -allow domain property_contexts:file r_file_perms; - -allow domain init:key search; -allow domain vold:key search; - -# logd access -write_logd(domain) - -# System file accesses. -allow domain system_file:dir { search getattr }; -allow domain system_file:file { execute read open getattr }; -allow domain system_file:lnk_file read; - -# read any sysfs symlinks -allow domain sysfs:lnk_file read; - -# libc references /data/misc/zoneinfo for timezone related information -r_dir_file(domain, zoneinfo_data_file) - -# Lots of processes access current CPU information -r_dir_file(domain, sysfs_devices_system_cpu) - -# files under /data. -allow domain system_data_file:dir { search getattr }; -allow domain system_data_file:lnk_file read; - -# required by the dynamic linker -allow domain proc:lnk_file { getattr read }; - -# /proc/cpuinfo -allow domain proc_cpuinfo:file r_file_perms; - -# toybox loads libselinux which stats /sys/fs/selinux/ -allow domain selinuxfs:dir search; -allow domain selinuxfs:file getattr; -allow domain sysfs:dir search; -allow domain selinuxfs:filesystem getattr; - -# For /acct/uid/*/tasks. -allow domain cgroup:dir { search write }; -allow domain cgroup:file w_file_perms; - -# Almost all processes log tracing information to -# /sys/kernel/debug/tracing/trace_marker -# The reason behind this is documented in b/6513400 -allow domain debugfs:dir search; -allow domain debugfs_tracing:dir search; -allow domain debugfs_trace_marker:file w_file_perms; - -# Filesystem access. -allow domain fs_type:filesystem getattr; -allow domain fs_type:dir getattr; - -### -### neverallow rules -### - -# Do not allow any domain other than init or recovery to create unlabeled files. -neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; - -# Limit ability to ptrace or read sensitive /proc/pid files of processes -# with other UIDs to these whitelisted domains. -neverallow { - domain - -debuggerd - -vold - -dumpstate - -system_server - userdebug_or_eng(`-perfprofd') -} self:capability sys_ptrace; - -# Limit device node creation to these whitelisted domains. -neverallow { - domain - -kernel - -init - -ueventd - -vold - -recovery -} self:capability mknod; - -# Limit raw I/O to these whitelisted domains. -neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio; - -# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR). -neverallow * self:memprotect mmap_zero; - -# No domain needs mac_override as it is unused by SELinux. -neverallow * self:capability2 mac_override; - -# Only recovery needs mac_admin to set contexts not defined in current policy. -neverallow { domain -recovery } self:capability2 mac_admin; - -# Once the policy has been loaded there shall be none to modify the policy. -# It is sealed. -neverallow * kernel:security load_policy; - -# Only init and the system_server shall use the property_service. -neverallow { domain -init -system_server } security_prop:property_service set; - -# Only init prior to switching context should be able to set enforcing mode. -# init starts in kernel domain and switches to init domain via setcon in -# the init.rc, so the setenforce occurs while still in kernel. After -# switching domains, there is never any need to setenforce again by init. -neverallow * kernel:security setenforce; -neverallow { domain -kernel } kernel:security setcheckreqprot; - -# No booleans in AOSP policy, so no need to ever set them. -neverallow * kernel:security setbool; - -# Adjusting the AVC cache threshold. -# Not presently allowed to anything in policy, but possibly something -# that could be set from init.rc. -neverallow { domain -init } kernel:security setsecparam; - -# Only init, ueventd and system_server should be able to access HW RNG -neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *; - -# Ensure that all entrypoint executables are in exec_type. -neverallow * { file_type -exec_type }:file entrypoint; - -# Ensure that nothing in userspace can access /dev/mem or /dev/kmem -neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *; -neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr }; - -# Only init should be able to configure kernel usermodehelpers or -# security-sensitive proc settings. -neverallow { domain -init } usermodehelper:file { append write }; -neverallow { domain -init } proc_security:file { append write }; - -# No domain should be allowed to ptrace init. -neverallow * init:process ptrace; - -# Init can't do anything with binder calls. If this neverallow rule is being -# triggered, it's probably due to a service with no SELinux domain. -neverallow * init:binder *; - -# Don't allow raw read/write/open access to block_device -# Rather force a relabel to a more specific type -neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write }; - -# Don't allow raw read/write/open access to generic devices. -# Rather force a relabel to a more specific type. -# init is exempt from this as there are character devices that only it uses. -# ueventd is exempt from this, as it is managing these devices. -neverallow { domain -init -ueventd } device:chr_file { open read write }; - -# Limit what domains can mount filesystems or change their mount flags. -# sdcard_type / vfat is exempt as a larger set of domains need -# this capability, including device-specific domains. -neverallow { domain -kernel -init -recovery -vold -zygote -update_engine } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; - -# -# Assert that, to the extent possible, we're not loading executable content from -# outside the rootfs or /system partition except for a few whitelisted domains. -# -neverallow { - domain - -appdomain - -dumpstate - -shell - userdebug_or_eng(`-su') - -system_server - -zygote -} { file_type -system_file -exec_type -postinstall_file }:file execute; -neverallow { - domain - -appdomain # for oemfs - -recovery # for /tmp/update_binary in tmpfs -} { fs_type -rootfs }:file execute; -# Files from cache should never be executed -neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute; - -# Protect most domains from executing arbitrary content from /data. -neverallow { - domain - -untrusted_app - -priv_app - -shell -} { - data_file_type - -dalvikcache_data_file - -system_data_file # shared libs in apks - -apk_data_file -}:file no_x_file_perms; - -neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms; - -# Only the init property service should write to /data/property. -neverallow { domain -init } property_data_file:dir no_w_dir_perms; -neverallow { domain -init } property_data_file:file no_w_file_perms; - -# Only recovery should be doing writes to /system -neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set - { create write setattr relabelfrom append unlink link rename }; -neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto; - -# Don't allow mounting on top of /system files or directories -neverallow * exec_type:dir_file_class_set mounton; -neverallow { domain -init } system_file:dir_file_class_set mounton; - -# Nothing should be writing to files in the rootfs. -neverallow * rootfs:file { create write setattr relabelto append unlink link rename }; - -# Restrict context mounts to specific types marked with -# the contextmount_type attribute. -neverallow * {fs_type -contextmount_type}:filesystem relabelto; - -# Ensure that context mount types are not writable, to ensure that -# the write to /system restriction above is not bypassed via context= -# mount to another type. -neverallow { domain -recovery } contextmount_type:dir_file_class_set - { create write setattr relabelfrom relabelto append unlink link rename }; - -# Do not allow service_manager add for default_android_service. -# Instead domains should use a more specific type such as -# system_app_service rather than the generic type. -# New service_types are defined in service.te and new mappings -# from service name to service_type are defined in service_contexts. -neverallow * default_android_service:service_manager add; - -# Require that domains explicitly label unknown properties, and do not allow -# anyone but init to modify unknown properties. -neverallow { domain -init } default_prop:property_service set; -neverallow { domain -init } mmc_prop:property_service set; - -neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms; - -# No domain other than recovery and update_engine can write to system partition(s). -neverallow { domain -recovery -update_engine } system_block_device:blk_file write; - -# No domains other than install_recovery or recovery can write to recovery. -neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; - -# Only servicemanager should be able to register with binder as the context manager -neverallow { domain -servicemanager } *:binder set_context_mgr; - -# Only authorized processes should be writing to files in /data/dalvik-cache -neverallow { - domain - -init # TODO: limit init to relabelfrom for files - -zygote - -installd - -dex2oat -} dalvikcache_data_file:file no_w_file_perms; - -neverallow { - domain - -init - -installd - -dex2oat - -zygote -} dalvikcache_data_file:dir no_w_dir_perms; - -# Only system_server should be able to send commands via the zygote socket -neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto; -neverallow { domain -system_server } zygote_socket:sock_file write; - -# Android does not support System V IPCs. -# -# The reason for this is due to the fact that, by design, they lead to global -# kernel resource leakage. -# -# For example, there is no way to automatically release a SysV semaphore -# allocated in the kernel when: -# -# - a buggy or malicious process exits -# - a non-buggy and non-malicious process crashes or is explicitly killed. -# -# Killing processes automatically to make room for new ones is an -# important part of Android's application lifecycle implementation. This means -# that, even assuming only non-buggy and non-malicious code, it is very likely -# that over time, the kernel global tables used to implement SysV IPCs will fill -# up. -neverallow * *:{ shm sem msg msgq } *; - -# Do not mount on top of symlinks, fifos, or sockets. -# Feature parity with Chromium LSM. -neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton; - -# Nobody should be able to execute su on user builds. -# On userdebug/eng builds, only dumpstate, shell, and -# su itself execute su. -neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms; - -# Do not allow the introduction of new execmod rules. Text relocations -# and modification of executable pages are unsafe. -# The only exceptions are for NDK text relocations associated with -# https://code.google.com/p/android/issues/detail?id=23203 -# which, long term, need to go away. -neverallow * { - file_type - -system_data_file - -apk_data_file - -app_data_file - -asec_public_file -}:file execmod; - -# Do not allow making the stack or heap executable. -# We would also like to minimize execmem but it seems to be -# required by some device-specific service domains. -neverallow * self:process { execstack execheap }; - -# prohibit non-zygote spawned processes from using shared libraries -# with text relocations. b/20013628 . -neverallow { domain -appdomain } file_type:file execmod; - -neverallow { domain -init } proc:{ file dir } mounton; - -# Ensure that all types assigned to processes are included -# in the domain attribute, so that all allow and neverallow rules -# written on domain are applied to all processes. -# This is achieved by ensuring that it is impossible to transition -# from a domain to a non-domain type and vice versa. -neverallow domain ~domain:process { transition dyntransition }; -neverallow ~domain domain:process { transition dyntransition }; - -# -# Only system_app and system_server should be creating or writing -# their files. The proper way to share files is to setup -# type transitions to a more specific type or assigning a type -# to its parent directory via a file_contexts entry. -# Example type transition: -# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type) -# -neverallow { - domain - -system_server - -system_app - -init - -installd # for relabelfrom and unlink, check for this in explicit neverallow -} system_data_file:file no_w_file_perms; -# do not grant anything greater than r_file_perms and relabelfrom unlink -# to installd -neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink }; - -# -# Only these domains should transition to shell domain. This domain is -# permissible for the "shell user". If you need a process to exec a shell -# script with differing privilege, define a domain and set up a transition. -# -neverallow { - domain - -adbd - -init - -runas - -zygote -} shell:process { transition dyntransition }; - -# Minimize read access to shell- or app-writable symlinks. -# This is to prevent malicious symlink attacks. -neverallow { - domain - -appdomain - -installd - -uncrypt # TODO: see if we can remove -} app_data_file:lnk_file read; - -neverallow { - domain - -shell - userdebug_or_eng(`-uncrypt') - -installd -} shell_data_file:lnk_file read; - -# In addition to the symlink reading restrictions above, restrict -# write access to shell owned directories. The /data/local/tmp -# directory is untrustworthy, and non-whitelisted domains should -# not be trusting any content in those directories. -neverallow { - domain - -adbd - -dumpstate - -installd - -init - -shell - -vold -} shell_data_file:dir no_w_dir_perms; - -neverallow { - domain - -adbd - -appdomain - -dumpstate - -init - -installd - -system_server # why? - userdebug_or_eng(`-uncrypt') -} shell_data_file:dir { open search }; - -# Same as above for /data/local/tmp files. We allow shell files -# to be passed around by file descriptor, but not directly opened. -neverallow { - domain - -adbd - -appdomain - -dumpstate - -installd - userdebug_or_eng(`-uncrypt') -} shell_data_file:file open; - -# servicemanager is the only process which handles list request -neverallow * ~servicemanager:service_manager list; - -# only service_manager_types can be added to service_manager -neverallow * ~service_manager_type:service_manager { add find }; - -# Prevent assigning non property types to properties -neverallow * ~property_type:property_service set; - -# Domain types should never be assigned to any files other -# than the /proc/pid files associated with a process. The -# executable file used to enter a domain should be labeled -# with its own _exec type, not with the domain type. -# Conventionally, this looks something like: -# $ cat mydaemon.te -# type mydaemon, domain; -# type mydaemon_exec, exec_type, file_type; -# init_daemon_domain(mydaemon) -# $ grep mydaemon file_contexts -# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0 -neverallow * domain:file { execute execute_no_trans entrypoint }; - -# Do not allow access to the generic debugfs label. This is too broad. -# Instead, if access to part of debugfs is desired, it should have a -# more specific label. -# TODO: fix system_server and dumpstate -neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms; - -neverallow { - domain - -init - -recovery - -sdcardd - -vold -} fuse_device:chr_file open; -neverallow { - domain - -dumpstate - -init - -priv_app - -recovery - -sdcardd - -system_server - -ueventd - -vold -} fuse_device:chr_file *; diff --git a/domain_deprecated.te b/domain_deprecated.te deleted file mode 100644 index 88b62bd..0000000 --- a/domain_deprecated.te +++ /dev/null @@ -1,69 +0,0 @@ -# rules removed from the domain attribute - -# Read access to properties mapping. -allow domain_deprecated kernel:fd use; -allow domain_deprecated tmpfs:file { read getattr }; -allow domain_deprecated tmpfs:lnk_file { read getattr }; - -# Search /storage/emulated tmpfs mount. -allow domain_deprecated tmpfs:dir r_dir_perms; - -# Inherit or receive open files from others. -allow domain_deprecated system_server:fd use; - -# Connect to adbd and use a socket transferred from it. -# This is used for e.g. adb backup/restore. -allow domain_deprecated adbd:unix_stream_socket connectto; -allow domain_deprecated adbd:fd use; -allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; - -# Root fs. -allow domain_deprecated rootfs:dir r_dir_perms; -allow domain_deprecated rootfs:file r_file_perms; -allow domain_deprecated rootfs:lnk_file r_file_perms; - -# Device accesses. -allow domain_deprecated device:file read; - -# System file accesses. -allow domain_deprecated system_file:dir r_dir_perms; -allow domain_deprecated system_file:file r_file_perms; -allow domain_deprecated system_file:lnk_file r_file_perms; - -# Read files already opened under /data. -allow domain_deprecated system_data_file:dir { search getattr }; -allow domain_deprecated system_data_file:file { getattr read }; -allow domain_deprecated system_data_file:lnk_file r_file_perms; - -# Read apk files under /data/app. -allow domain_deprecated apk_data_file:dir { getattr search }; -allow domain_deprecated apk_data_file:file r_file_perms; -allow domain_deprecated apk_data_file:lnk_file r_file_perms; - -# Read /data/dalvik-cache. -allow domain_deprecated dalvikcache_data_file:dir { search getattr }; -allow domain_deprecated dalvikcache_data_file:file r_file_perms; - -# Read already opened /cache files. -allow domain_deprecated cache_file:dir r_dir_perms; -allow domain_deprecated cache_file:file { getattr read }; -allow domain_deprecated cache_file:lnk_file r_file_perms; - -#Allow access to ion memory allocation device -allow domain_deprecated ion_device:chr_file rw_file_perms; - -# Read access to pseudo filesystems. -r_dir_file(domain_deprecated, proc) -r_dir_file(domain_deprecated, sysfs) -r_dir_file(domain_deprecated, inotify) -r_dir_file(domain_deprecated, cgroup) -r_dir_file(domain_deprecated, proc_meminfo) -r_dir_file(domain_deprecated, proc_net) - -# Get SELinux enforcing status. -allow domain_deprecated selinuxfs:dir r_dir_perms; -allow domain_deprecated selinuxfs:file r_file_perms; - -# World readable asec image contents -allow domain_deprecated asec_public_file:file r_file_perms; -allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms; diff --git a/drmserver.te b/drmserver.te deleted file mode 100644 index 3b654cc..0000000 --- a/drmserver.te +++ /dev/null @@ -1,55 +0,0 @@ -# drmserver - DRM service -type drmserver, domain, domain_deprecated; -type drmserver_exec, exec_type, file_type; - -init_daemon_domain(drmserver) -typeattribute drmserver mlstrustedsubject; - -net_domain(drmserver) - -# Perform Binder IPC to system server. -binder_use(drmserver) -binder_call(drmserver, system_server) -binder_call(drmserver, appdomain) -binder_service(drmserver) - -# Perform Binder IPC to mediaserver -binder_call(drmserver, mediaserver) - -allow drmserver sdcard_type:dir search; -allow drmserver drm_data_file:dir create_dir_perms; -allow drmserver drm_data_file:file create_file_perms; -allow drmserver tee_device:chr_file rw_file_perms; -allow drmserver app_data_file:file { read write getattr }; -allow drmserver sdcard_type:file { read write getattr }; -r_dir_file(drmserver, efs_file) - -type drmserver_socket, file_type; - -# /data/app/tlcd_sock socket file. -# Clearly, /data/app is the most logical place to create a socket. Not. -allow drmserver apk_data_file:dir rw_dir_perms; -type_transition drmserver apk_data_file:sock_file drmserver_socket; -allow drmserver drmserver_socket:sock_file create_file_perms; -allow drmserver tee:unix_stream_socket connectto; -# Delete old socket file if present. -allow drmserver apk_data_file:sock_file unlink; - -# After taking a video, drmserver looks at the video file. -r_dir_file(drmserver, media_rw_data_file) - -# Read resources from open apk files passed over Binder. -allow drmserver apk_data_file:file { read getattr }; -allow drmserver asec_apk_file:file { read getattr }; - -# Read /data/data/com.android.providers.telephony files passed over Binder. -allow drmserver radio_data_file:file { read getattr }; - -# /oem access -allow drmserver oemfs:dir search; -allow drmserver oemfs:file r_file_perms; - -allow drmserver drmserver_service:service_manager { add find }; -allow drmserver permission_service:service_manager find; - -selinux_check_access(drmserver) diff --git a/dumpstate.te b/dumpstate.te deleted file mode 100644 index be9542f..0000000 --- a/dumpstate.te +++ /dev/null @@ -1,133 +0,0 @@ -# dumpstate -type dumpstate, domain, domain_deprecated, mlstrustedsubject; -type dumpstate_exec, exec_type, file_type; - -init_daemon_domain(dumpstate) -net_domain(dumpstate) -binder_use(dumpstate) - -# Allow setting process priority, protect from OOM killer, and dropping -# privileges by switching UID / GID -allow dumpstate self:capability { setuid setgid sys_resource }; - -# Allow dumpstate to scan through /proc/pid for all processes -r_dir_file(dumpstate, domain) - -# Send signals to processes -allow dumpstate self:capability kill; - -# Allow executing files on system, such as: -# /system/bin/toolbox -# /system/bin/logcat -# /system/bin/dumpsys -allow dumpstate system_file:file execute_no_trans; -allow dumpstate toolbox_exec:file rx_file_perms; - -# Create and write into /data/anr/ -allow dumpstate self:capability { dac_override chown fowner fsetid }; -allow dumpstate anr_data_file:dir rw_dir_perms; -allow dumpstate anr_data_file:file create_file_perms; - -# Allow reading /data/system/uiderrors.txt -# TODO: scope this down. -allow dumpstate system_data_file:file r_file_perms; - -# Read dmesg -allow dumpstate self:capability2 syslog; -allow dumpstate kernel:system syslog_read; - -# Read /sys/fs/pstore/console-ramoops -allow dumpstate pstorefs:dir r_dir_perms; -allow dumpstate pstorefs:file r_file_perms; - -# Get process attributes -allow dumpstate domain:process getattr; - -# Signal java processes to dump their stack -allow dumpstate { appdomain system_server }:process signal; - -# Signal native processes to dump their stack. -# This list comes from native_processes_to_dump in dumpstate/utils.c -allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal; -# Ask debuggerd for the backtraces of these processes. -allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace; - -# Execute and transition to the vdc domain -domain_auto_trans(dumpstate, vdc_exec, vdc) - -# Vibrate the device after we're done collecting the bugreport -# /sys/class/timed_output/vibrator/enable -# TODO: create a new file class, instead of allowing write access to all of /sys -allow dumpstate sysfs:file w_file_perms; - -# Other random bits of data we want to collect -allow dumpstate qtaguid_proc:file r_file_perms; -allow dumpstate debugfs:file r_file_perms; -# df for /storage/emulated needs search -allow dumpstate { storage_file block_device }:dir { search getattr }; -allow dumpstate fuse_device:chr_file getattr; -allow dumpstate { dm_device cache_block_device }:blk_file getattr; - -# Allow dumpstate to make binder calls to any binder service -binder_call(dumpstate, binderservicedomain) -binder_call(dumpstate, appdomain) - -# Reading /proc/PID/maps of other processes -allow dumpstate self:capability sys_ptrace; - -# Allow the bugreport service to create a file in -# /data/data/com.android.shell/files/bugreports/bugreport -allow dumpstate shell_data_file:dir create_dir_perms; -allow dumpstate shell_data_file:file create_file_perms; - -# Run a shell. -allow dumpstate shell_exec:file rx_file_perms; - -# For running am and similar framework commands. -# Run /system/bin/app_process. -allow dumpstate zygote_exec:file rx_file_perms; -# Dalvik Compiler JIT. -allow dumpstate ashmem_device:chr_file execute; -allow dumpstate dumpstate_tmpfs:file execute; -allow dumpstate self:process execmem; -# For art. -allow dumpstate dalvikcache_data_file:file execute; -allow dumpstate dalvikcache_data_file:lnk_file r_file_perms; - -# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access -allow dumpstate gpu_device:chr_file rw_file_perms; - -# logd access -read_logd(dumpstate) -control_logd(dumpstate) - -# Read network state info files. -allow dumpstate net_data_file:dir search; -allow dumpstate net_data_file:file r_file_perms; - -# Access /data/tombstones. -allow dumpstate tombstone_data_file:dir r_dir_perms; -allow dumpstate tombstone_data_file:file r_file_perms; - -# Access /cache/recovery -allow dumpstate cache_recovery_file:dir r_dir_perms; -allow dumpstate cache_recovery_file:file r_file_perms; - -# Access /data/misc/recovery -allow dumpstate recovery_data_file:dir r_dir_perms; -allow dumpstate recovery_data_file:file r_file_perms; - -allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find; -allow dumpstate servicemanager:service_manager list; - -allow dumpstate devpts:chr_file rw_file_perms; - -# Set properties. -# dumpstate_prop is used to share state with the Shell app. -set_prop(dumpstate, dumpstate_prop) - -# systrace support - allow atrace to run -allow dumpstate debugfs_tracing:dir r_dir_perms; -allow dumpstate debugfs_tracing:file rw_file_perms; -allow dumpstate debugfs_trace_marker:file getattr; -allow dumpstate atrace_exec:file rx_file_perms; diff --git a/file.te b/file.te deleted file mode 100644 index b789e36..0000000 --- a/file.te +++ /dev/null @@ -1,237 +0,0 @@ -# Filesystem types -type labeledfs, fs_type; -type pipefs, fs_type; -type sockfs, fs_type; -type rootfs, fs_type; -type proc, fs_type; -# Security-sensitive proc nodes that should not be writable to most. -type proc_security, fs_type; -# Type for /proc/sys/vm/drop_caches -type proc_drop_caches, fs_type; -# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers. -type usermodehelper, fs_type, sysfs_type; -type qtaguid_proc, fs_type, mlstrustedobject; -type proc_bluetooth_writable, fs_type; -type proc_cpuinfo, fs_type; -type proc_iomem, fs_type; -type proc_meminfo, fs_type; -type proc_net, fs_type; -type proc_sysrq, fs_type; -type proc_uid_cputime_showstat, fs_type; -type proc_uid_cputime_removeuid, fs_type; -type selinuxfs, fs_type, mlstrustedobject; -type cgroup, fs_type, mlstrustedobject; -type sysfs, fs_type, sysfs_type, mlstrustedobject; -type sysfs_uio, sysfs_type, fs_type; -type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; -type sysfs_batteryinfo, fs_type, sysfs_type; -type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; -type sysfs_hwrandom, fs_type, sysfs_type; -type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject; -type sysfs_wake_lock, fs_type, sysfs_type; -type sysfs_mac_address, fs_type, sysfs_type; -# /sys/devices/system/cpu -type sysfs_devices_system_cpu, fs_type, sysfs_type; -# /sys/module/lowmemorykiller -type sysfs_lowmemorykiller, fs_type, sysfs_type; - -type sysfs_thermal, sysfs_type, fs_type; - -type sysfs_zram, fs_type, sysfs_type; -type sysfs_zram_uevent, fs_type, sysfs_type; -type inotify, fs_type, mlstrustedobject; -type devpts, fs_type, mlstrustedobject; -type tmpfs, fs_type; -type shm, fs_type; -type mqueue, fs_type; -type fuse, sdcard_type, fs_type, mlstrustedobject; -type vfat, sdcard_type, fs_type, mlstrustedobject; -typealias fuse alias sdcard_internal; -typealias vfat alias sdcard_external; -type debugfs, fs_type; -type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject; -type debugfs_tracing, fs_type, debugfs_type; -type pstorefs, fs_type; -type functionfs, fs_type; -type oemfs, fs_type, contextmount_type; -type usbfs, fs_type; -type binfmt_miscfs, fs_type; -type app_fusefs, fs_type, contextmount_type; - -# File types -type unlabeled, file_type; -# Default type for anything under /system. -type system_file, file_type; -# Type for /system/bin/logcat. -type logcat_exec, exec_type, file_type; -# /cores for coredumps on userdebug / eng builds -type coredump_file, file_type; -# Default type for anything under /data. -type system_data_file, file_type, data_file_type; -# Unencrypted data -type unencrypted_data_file, file_type, data_file_type; -# /data/.layout_version or other installd-created files that -# are created in a system_data_file directory. -type install_data_file, file_type, data_file_type; -# /data/drm - DRM plugin data -type drm_data_file, file_type, data_file_type; -# /data/adb - adb debugging files -type adb_data_file, file_type, data_file_type; -# /data/anr - ANR traces -type anr_data_file, file_type, data_file_type, mlstrustedobject; -# /data/tombstones - core dumps -type tombstone_data_file, file_type, data_file_type; -# /data/app - user-installed apps -type apk_data_file, file_type, data_file_type; -type apk_tmp_file, file_type, data_file_type, mlstrustedobject; -# /data/app-private - forward-locked apps -type apk_private_data_file, file_type, data_file_type; -type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject; -# /data/dalvik-cache -type dalvikcache_data_file, file_type, data_file_type; -# /data/resource-cache -type resourcecache_data_file, file_type, data_file_type; -# /data/local - writable by shell -type shell_data_file, file_type, data_file_type, mlstrustedobject; -# /data/gps -type gps_data_file, file_type, data_file_type; -# /data/property -type property_data_file, file_type, data_file_type; -# /data/bootchart -type bootchart_data_file, file_type, data_file_type; -# /data/system/heapdump -type heapdump_data_file, file_type, data_file_type, mlstrustedobject; -# /data/nativetest -type nativetest_data_file, file_type, data_file_type; - -# Mount locations managed by vold -type mnt_media_rw_file, file_type; -type mnt_user_file, file_type; -type mnt_expand_file, file_type; -type storage_file, file_type; - -# Label for storage dirs which are just mount stubs -type mnt_media_rw_stub_file, file_type; -type storage_stub_file, file_type; - -# /postinstall: Mount point used by update_engine to run postinstall. -type postinstall_mnt_dir, file_type; -# Files inside the /postinstall mountpoint are all labeled as postinstall_file. -type postinstall_file, file_type, exec_type; - -# /data/misc subdirectories -type adb_keys_file, file_type, data_file_type; -type audio_data_file, file_type, data_file_type; -type bluetooth_data_file, file_type, data_file_type; -type bootstat_data_file, file_type, data_file_type; -type boottrace_data_file, file_type, data_file_type; -type camera_data_file, file_type, data_file_type; -type gatekeeper_data_file, file_type, data_file_type; -type keychain_data_file, file_type, data_file_type; -type keystore_data_file, file_type, data_file_type; -type media_data_file, file_type, data_file_type; -type media_rw_data_file, file_type, data_file_type, mlstrustedobject; -type misc_user_data_file, file_type, data_file_type; -type net_data_file, file_type, data_file_type; -type nfc_data_file, file_type, data_file_type; -type radio_data_file, file_type, data_file_type, mlstrustedobject; -type recovery_data_file, file_type, data_file_type; -type shared_relro_file, file_type, data_file_type; -type systemkeys_data_file, file_type, data_file_type; -type vpn_data_file, file_type, data_file_type; -type wifi_data_file, file_type, data_file_type; -type zoneinfo_data_file, file_type, data_file_type; -type vold_data_file, file_type, data_file_type; -type perfprofd_data_file, file_type, data_file_type, mlstrustedobject; -# /data/misc/trace for method traces on userdebug / eng builds -type method_trace_data_file, file_type, data_file_type, mlstrustedobject; - -# Compatibility with type names used in vanilla Android 4.3 and 4.4. -typealias audio_data_file alias audio_firmware_file; -# /data/data subdirectories - app sandboxes -type app_data_file, file_type, data_file_type; -# /data/data subdirectory for system UID apps. -type system_app_data_file, file_type, data_file_type, mlstrustedobject; -# Compatibility with type name used in Android 4.3 and 4.4. -typealias app_data_file alias platform_app_data_file; -typealias app_data_file alias download_file; -# Default type for anything under /cache -type cache_file, file_type, mlstrustedobject; -# Type for /cache/.*\.{data|restore} and default -# type for anything under /cache/backup -type cache_backup_file, file_type, mlstrustedobject; -# Type for anything under /cache/recovery -type cache_recovery_file, file_type, mlstrustedobject; -# Default type for anything under /efs -type efs_file, file_type; -# Type for wallpaper file. -type wallpaper_file, file_type, mlstrustedobject; -# /mnt/asec -type asec_apk_file, file_type, data_file_type, mlstrustedobject; -# Elements of asec files (/mnt/asec) that are world readable -type asec_public_file, file_type, data_file_type; -# /data/app-asec -type asec_image_file, file_type, data_file_type; -# /data/backup and /data/secure/backup -type backup_data_file, file_type, data_file_type, mlstrustedobject; -# All devices have bluetooth efs files. But they -# vary per device, so this type is used in per -# device policy -type bluetooth_efs_file, file_type; -# Type for fingerprint template file. -type fingerprintd_data_file, file_type, data_file_type; -# Type for appfuse file. -type app_fuse_file, file_type, data_file_type, mlstrustedobject; - -# Socket types -type adbd_socket, file_type; -type bluetooth_socket, file_type; -type dnsproxyd_socket, file_type, mlstrustedobject; -type dumpstate_socket, file_type; -type fwmarkd_socket, file_type, mlstrustedobject; -type gps_socket, file_type; -type installd_socket, file_type; -type lmkd_socket, file_type; -type logd_socket, file_type, mlstrustedobject; -type logdr_socket, file_type, mlstrustedobject; -type logdw_socket, file_type, mlstrustedobject; -type mdns_socket, file_type; -type mdnsd_socket, file_type, mlstrustedobject; -type misc_logd_file, file_type; -type mtpd_socket, file_type; -type netd_socket, file_type; -type property_socket, file_type; -type racoon_socket, file_type; -type rild_socket, file_type; -type rild_debug_socket, file_type; -type system_wpa_socket, file_type; -type system_ndebug_socket, file_type; -type vold_socket, file_type; -type wpa_socket, file_type; -type zygote_socket, file_type; -type sap_uim_socket, file_type; -# UART (for GPS) control proc file -type gps_control, file_type; - -# property_contexts file -type property_contexts, file_type; - -# Allow files to be created in their appropriate filesystems. -allow fs_type self:filesystem associate; -allow sysfs_type sysfs:filesystem associate; -allow debugfs_type debugfs:filesystem associate; -allow file_type labeledfs:filesystem associate; -allow file_type tmpfs:filesystem associate; -allow file_type rootfs:filesystem associate; -allow dev_type tmpfs:filesystem associate; -allow app_fuse_file app_fusefs:filesystem associate; -allow postinstall_file self:filesystem associate; - -# It's a bug to assign the file_type attribute and fs_type attribute -# to any type. Do not allow it. -# -# For example, the following is a bug: -# type apk_data_file, file_type, data_file_type, fs_type; -# Should be: -# type apk_data_file, file_type, data_file_type; -neverallow fs_type file_type:filesystem associate; diff --git a/file_contexts b/file_contexts deleted file mode 100644 index 83d87e1..0000000 --- a/file_contexts +++ /dev/null @@ -1,357 +0,0 @@ -########################################### -# Root -/ u:object_r:rootfs:s0 - -# Data files -/adb_keys u:object_r:adb_keys_file:s0 -/build\.prop u:object_r:rootfs:s0 -/default\.prop u:object_r:rootfs:s0 -/fstab\..* u:object_r:rootfs:s0 -/init\..* u:object_r:rootfs:s0 -/res(/.*)? u:object_r:rootfs:s0 -/selinux_version u:object_r:rootfs:s0 -/ueventd\..* u:object_r:rootfs:s0 -/verity_key u:object_r:rootfs:s0 - -# Executables -/charger u:object_r:rootfs:s0 -/init u:object_r:init_exec:s0 -/sbin(/.*)? u:object_r:rootfs:s0 - -# Empty directories -/lost\+found u:object_r:rootfs:s0 -/acct u:object_r:cgroup:s0 -/config u:object_r:rootfs:s0 -/mnt u:object_r:tmpfs:s0 -/postinstall u:object_r:postinstall_mnt_dir:s0 -/proc u:object_r:rootfs:s0 -/root u:object_r:rootfs:s0 -/sys u:object_r:sysfs:s0 - -# Symlinks -/d u:object_r:rootfs:s0 -/etc u:object_r:rootfs:s0 -/sdcard u:object_r:rootfs:s0 - -# SELinux policy files -/file_contexts\.bin u:object_r:rootfs:s0 -/property_contexts u:object_r:property_contexts:s0 -/seapp_contexts u:object_r:rootfs:s0 -/sepolicy u:object_r:rootfs:s0 -/service_contexts u:object_r:rootfs:s0 - -########################## -# Devices -# -/dev(/.*)? u:object_r:device:s0 -/dev/akm8973.* u:object_r:sensors_device:s0 -/dev/accelerometer u:object_r:sensors_device:s0 -/dev/adf[0-9]* u:object_r:graphics_device:s0 -/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0 -/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0 -/dev/alarm u:object_r:alarm_device:s0 -/dev/android_adb.* u:object_r:adb_device:s0 -/dev/ashmem u:object_r:ashmem_device:s0 -/dev/audio.* u:object_r:audio_device:s0 -/dev/binder u:object_r:binder_device:s0 -/dev/block(/.*)? u:object_r:block_device:s0 -/dev/block/dm-[0-9]+ u:object_r:dm_device:s0 -/dev/block/loop[0-9]* u:object_r:loop_device:s0 -/dev/block/vold/.+ u:object_r:vold_device:s0 -/dev/block/ram[0-9]* u:object_r:ram_device:s0 -/dev/block/zram[0-9]* u:object_r:ram_device:s0 -/dev/bus/usb(.*)? u:object_r:usb_device:s0 -/dev/cam u:object_r:video_device:s0 -/dev/console u:object_r:console_device:s0 -/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 -/dev/device-mapper u:object_r:dm_device:s0 -/dev/eac u:object_r:audio_device:s0 -/dev/fscklogs(/.*)? u:object_r:fscklogs:s0 -/dev/full u:object_r:full_device:s0 -/dev/fuse u:object_r:fuse_device:s0 -/dev/graphics(/.*)? u:object_r:graphics_device:s0 -/dev/hw_random u:object_r:hw_random_device:s0 -/dev/i2c-[0-9]+ u:object_r:i2c_device:s0 -/dev/input(/.*) u:object_r:input_device:s0 -/dev/iio:device[0-9]+ u:object_r:iio_device:s0 -/dev/ion u:object_r:ion_device:s0 -/dev/kmem u:object_r:kmem_device:s0 -/dev/log(/.*)? u:object_r:log_device:s0 -/dev/mem u:object_r:kmem_device:s0 -/dev/modem.* u:object_r:radio_device:s0 -/dev/mpu u:object_r:gps_device:s0 -/dev/mpuirq u:object_r:gps_device:s0 -/dev/mtd(/.*)? u:object_r:mtd_device:s0 -/dev/mtp_usb u:object_r:mtp_device:s0 -/dev/pmsg0 u:object_r:pmsg_device:s0 -/dev/pn544 u:object_r:nfc_device:s0 -/dev/ppp u:object_r:ppp_device:s0 -/dev/ptmx u:object_r:ptmx_device:s0 -/dev/pvrsrvkm u:object_r:gpu_device:s0 -/dev/kmsg u:object_r:kmsg_device:s0 -/dev/null u:object_r:null_device:s0 -/dev/nvhdcp1 u:object_r:video_device:s0 -/dev/random u:object_r:random_device:s0 -/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0 -/dev/rproc_user u:object_r:rpmsg_device:s0 -/dev/rtc[0-9] u:object_r:rtc_device:s0 -/dev/snd(/.*)? u:object_r:audio_device:s0 -/dev/socket(/.*)? u:object_r:socket_device:s0 -/dev/socket/adbd u:object_r:adbd_socket:s0 -/dev/socket/sap_uim_socket[0-9] u:object_r:sap_uim_socket:s0 -/dev/socket/cryptd u:object_r:vold_socket:s0 -/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0 -/dev/socket/dumpstate u:object_r:dumpstate_socket:s0 -/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0 -/dev/socket/gps u:object_r:gps_socket:s0 -/dev/socket/installd u:object_r:installd_socket:s0 -/dev/socket/lmkd u:object_r:lmkd_socket:s0 -/dev/socket/logd u:object_r:logd_socket:s0 -/dev/socket/logdr u:object_r:logdr_socket:s0 -/dev/socket/logdw u:object_r:logdw_socket:s0 -/dev/socket/mdns u:object_r:mdns_socket:s0 -/dev/socket/mdnsd u:object_r:mdnsd_socket:s0 -/dev/socket/mtpd u:object_r:mtpd_socket:s0 -/dev/socket/netd u:object_r:netd_socket:s0 -/dev/socket/property_service u:object_r:property_socket:s0 -/dev/socket/racoon u:object_r:racoon_socket:s0 -/dev/socket/rild u:object_r:rild_socket:s0 -/dev/socket/rild-debug u:object_r:rild_debug_socket:s0 -/dev/socket/vold u:object_r:vold_socket:s0 -/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0 -/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0 -/dev/socket/zygote u:object_r:zygote_socket:s0 -/dev/socket/zygote_secondary u:object_r:zygote_socket:s0 -/dev/spdif_out.* u:object_r:audio_device:s0 -/dev/tegra.* u:object_r:video_device:s0 -/dev/tf_driver u:object_r:tee_device:s0 -/dev/tty u:object_r:owntty_device:s0 -/dev/tty[0-9]* u:object_r:tty_device:s0 -/dev/ttyS[0-9]* u:object_r:serial_device:s0 -/dev/tun u:object_r:tun_device:s0 -/dev/uhid u:object_r:uhid_device:s0 -/dev/uinput u:object_r:uhid_device:s0 -/dev/uio[0-9]* u:object_r:uio_device:s0 -/dev/urandom u:object_r:urandom_device:s0 -/dev/usb_accessory u:object_r:usbaccessory_device:s0 -/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0 -/dev/video[0-9]* u:object_r:video_device:s0 -/dev/watchdog u:object_r:watchdog_device:s0 -/dev/xt_qtaguid u:object_r:qtaguid_device:s0 -/dev/zero u:object_r:zero_device:s0 -/dev/__kmsg__ u:object_r:klog_device:s0 -/dev/__properties__ u:object_r:properties_device:s0 -############################# -# System files -# -/system(/.*)? u:object_r:system_file:s0 -/system/bin/atrace u:object_r:atrace_exec:s0 -/system/bin/e2fsck -- u:object_r:fsck_exec:s0 -/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0 -/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0 -/system/bin/toolbox -- u:object_r:toolbox_exec:s0 -/system/bin/toybox -- u:object_r:toolbox_exec:s0 -/system/bin/logcat -- u:object_r:logcat_exec:s0 -/system/bin/sh -- u:object_r:shell_exec:s0 -/system/bin/run-as -- u:object_r:runas_exec:s0 -/system/bin/bootanimation u:object_r:bootanim_exec:s0 -/system/bin/bootstat u:object_r:bootstat_exec:s0 -/system/bin/app_process32 u:object_r:zygote_exec:s0 -/system/bin/app_process64 u:object_r:zygote_exec:s0 -/system/bin/servicemanager u:object_r:servicemanager_exec:s0 -/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0 -/system/bin/drmserver u:object_r:drmserver_exec:s0 -/system/bin/dumpstate u:object_r:dumpstate_exec:s0 -/system/bin/vold u:object_r:vold_exec:s0 -/system/bin/netd u:object_r:netd_exec:s0 -/system/bin/rild u:object_r:rild_exec:s0 -/system/bin/mediaserver u:object_r:mediaserver_exec:s0 -/system/bin/mdnsd u:object_r:mdnsd_exec:s0 -/system/bin/installd u:object_r:installd_exec:s0 -/system/bin/keystore u:object_r:keystore_exec:s0 -/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0 -/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0 -/system/bin/debuggerd u:object_r:debuggerd_exec:s0 -/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0 -/system/bin/wpa_supplicant u:object_r:wpa_exec:s0 -/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0 -/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0 -/system/bin/sdcard u:object_r:sdcardd_exec:s0 -/system/bin/dhcpcd u:object_r:dhcp_exec:s0 -/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0 -/system/bin/mtpd u:object_r:mtp_exec:s0 -/system/bin/pppd u:object_r:ppp_exec:s0 -/system/bin/tf_daemon u:object_r:tee_exec:s0 -/system/bin/racoon u:object_r:racoon_exec:s0 -/system/xbin/su u:object_r:su_exec:s0 -/system/xbin/perfprofd u:object_r:perfprofd_exec:s0 -/system/vendor/bin/gpsd u:object_r:gpsd_exec:s0 -/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0 -/system/bin/hostapd u:object_r:hostapd_exec:s0 -/system/bin/clatd u:object_r:clatd_exec:s0 -/system/bin/lmkd u:object_r:lmkd_exec:s0 -/system/bin/inputflinger u:object_r:inputflinger_exec:s0 -/system/bin/logd u:object_r:logd_exec:s0 -/system/bin/uncrypt u:object_r:uncrypt_exec:s0 -/system/bin/update_verifier u:object_r:update_verifier_exec:s0 -/system/bin/logwrapper u:object_r:system_file:s0 -/system/bin/vdc u:object_r:vdc_exec:s0 -/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0 -/system/bin/dex2oat u:object_r:dex2oat_exec:s0 -# patchoat executable has (essentially) the same requirements as dex2oat. -/system/bin/patchoat u:object_r:dex2oat_exec:s0 -/system/bin/sgdisk u:object_r:sgdisk_exec:s0 -/system/bin/blkid u:object_r:blkid_exec:s0 -/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0 -/system/bin/idmap u:object_r:idmap_exec:s0 -/system/bin/update_engine u:object_r:update_engine_exec:s0 -/system/bin/bspatch u:object_r:update_engine_exec:s0 - -############################# -# Vendor files -# -/vendor(/.*)? u:object_r:system_file:s0 -/vendor/bin/gpsd u:object_r:gpsd_exec:s0 - -############################# -# OEM and ODM files -# -/odm(/.*)? u:object_r:system_file:s0 -/oem(/.*)? u:object_r:oemfs:s0 - - -############################# -# Data files -# -# NOTE: When modifying existing label rules, changes may also need to -# propagate to the "Expanded data files" section. -# -/data(/.*)? u:object_r:system_data_file:s0 -/data/.layout_version u:object_r:install_data_file:s0 -/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0 -/data/backup(/.*)? u:object_r:backup_data_file:s0 -/data/secure/backup(/.*)? u:object_r:backup_data_file:s0 -/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0 -/data/drm(/.*)? u:object_r:drm_data_file:s0 -/data/gps(/.*)? u:object_r:gps_data_file:s0 -/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0 -/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0 -/data/adb(/.*)? u:object_r:adb_data_file:s0 -/data/anr(/.*)? u:object_r:anr_data_file:s0 -/data/app(/.*)? u:object_r:apk_data_file:s0 -/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 -/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0 -/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 -/data/app-private(/.*)? u:object_r:apk_private_data_file:s0 -/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0 -/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0 -/data/local/tmp(/.*)? u:object_r:shell_data_file:s0 -/data/media(/.*)? u:object_r:media_rw_data_file:s0 -/data/mediadrm(/.*)? u:object_r:media_data_file:s0 -/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0 -/data/property(/.*)? u:object_r:property_data_file:s0 - -# Misc data -/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0 -/data/misc/audio(/.*)? u:object_r:audio_data_file:s0 -/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0 -/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0 -/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0 -/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0 -/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0 -/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0 -/data/misc/camera(/.*)? u:object_r:camera_data_file:s0 -/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0 -/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0 -/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0 -/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0 -/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0 -/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0 -/data/misc/media(/.*)? u:object_r:media_data_file:s0 -/data/misc/net(/.*)? u:object_r:net_data_file:s0 -/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0 -/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0 -/data/misc/sms(/.*)? u:object_r:radio_data_file:s0 -/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0 -/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0 -/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0 -/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0 -/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0 -/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0 -/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0 -/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0 -/data/misc/vold(/.*)? u:object_r:vold_data_file:s0 -/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0 -/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0 -/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0 -/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0 - -# Fingerprint data -/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0 - -# Bootchart data -/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0 - -############################# -# Expanded data files -# -/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0 -/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0 -/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0 -/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0 -/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0 -/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0 -/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0 -/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0 -/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0 - -# coredump directory for userdebug/eng devices -/cores(/.*)? u:object_r:coredump_file:s0 - -# Wallpaper file for other users -/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0 -############################# -# efs files -# -/efs(/.*)? u:object_r:efs_file:s0 -############################# -# Cache files -# -/cache(/.*)? u:object_r:cache_file:s0 -/cache/.*\.data u:object_r:cache_backup_file:s0 -/cache/.*\.restore u:object_r:cache_backup_file:s0 -# LocalTransport (backup) uses this directory -/cache/backup(/.*)? u:object_r:cache_backup_file:s0 -/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0 -############################# -# sysfs files -# -/sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0 -/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0 -/sys/devices/virtual/block/zram\d+(/.*)? u:object_r:sysfs_zram:s0 -/sys/devices/virtual/block/zram\d+/uevent u:object_r:sysfs_zram_uevent:s0 -/sys/devices/virtual/misc/hw_random(/.*)? u:object_r:sysfs_hwrandom:s0 -/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0 -/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0 -/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0 -/sys/module/lowmemorykiller(/.*)? -- u:object_r:sysfs_lowmemorykiller:s0 - -############################# -# debugfs files -# -/sys/kernel/debug/tracing(/.*)? u:object_r:debugfs_tracing:s0 -/sys/kernel/debug/tracing/trace_marker u:object_r:debugfs_trace_marker:s0 - -############################# -# asec containers -/mnt/asec(/.*)? u:object_r:asec_apk_file:s0 -/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0 -/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0 -/data/app-asec(/.*)? u:object_r:asec_image_file:s0 - -############################# -# external storage -/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0 -/mnt/user(/.*)? u:object_r:mnt_user_file:s0 -/mnt/runtime(/.*)? u:object_r:storage_file:s0 -/storage(/.*)? u:object_r:storage_file:s0 diff --git a/file_contexts_asan b/file_contexts_asan deleted file mode 100644 index 5813d32..0000000 --- a/file_contexts_asan +++ /dev/null @@ -1,4 +0,0 @@ -/data/lib(/.*)? u:object_r:system_file:s0 -/data/lib64(/.*)? u:object_r:system_file:s0 -/data/vendor/lib(/.*)? u:object_r:system_file:s0 -/data/vendor/lib64(/.*)? u:object_r:system_file:s0 diff --git a/fingerprintd.te b/fingerprintd.te deleted file mode 100644 index 1c0ab1c..0000000 --- a/fingerprintd.te +++ /dev/null @@ -1,23 +0,0 @@ -type fingerprintd, domain, domain_deprecated; -type fingerprintd_exec, exec_type, file_type; - -# fingerprintd -init_daemon_domain(fingerprintd) -binder_use(fingerprintd) - -# need to find KeyStore and add self -allow fingerprintd fingerprintd_service:service_manager { add find }; - -# allow HAL module to read dir contents -allow fingerprintd fingerprintd_data_file:file { create_file_perms }; - -# allow HAL module to read/write/unlink contents of this dir -allow fingerprintd fingerprintd_data_file:dir rw_dir_perms; - -# Need to add auth tokens to KeyStore -use_keystore(fingerprintd) -allow fingerprintd keystore:keystore_key { add_auth }; - -# For permissions checking -binder_call(fingerprintd, system_server); -allow fingerprintd permission_service:service_manager find; @@ -1,23 +0,0 @@ -# Label inodes via getxattr. -fs_use_xattr yaffs2 u:object_r:labeledfs:s0; -fs_use_xattr jffs2 u:object_r:labeledfs:s0; -fs_use_xattr ext2 u:object_r:labeledfs:s0; -fs_use_xattr ext3 u:object_r:labeledfs:s0; -fs_use_xattr ext4 u:object_r:labeledfs:s0; -fs_use_xattr xfs u:object_r:labeledfs:s0; -fs_use_xattr btrfs u:object_r:labeledfs:s0; -fs_use_xattr f2fs u:object_r:labeledfs:s0; -fs_use_xattr squashfs u:object_r:labeledfs:s0; - -# Label inodes from task label. -fs_use_task pipefs u:object_r:pipefs:s0; -fs_use_task sockfs u:object_r:sockfs:s0; - -# Label inodes from combination of task label and fs label. -# Define type_transition rules if you want per-domain types. -fs_use_trans devpts u:object_r:devpts:s0; -fs_use_trans tmpfs u:object_r:tmpfs:s0; -fs_use_trans devtmpfs u:object_r:device:s0; -fs_use_trans shm u:object_r:shm:s0; -fs_use_trans mqueue u:object_r:mqueue:s0; - diff --git a/fsck.te b/fsck.te deleted file mode 100644 index d5a6db1..0000000 --- a/fsck.te +++ /dev/null @@ -1,47 +0,0 @@ -# Any fsck program run by init -type fsck, domain, domain_deprecated; -type fsck_exec, exec_type, file_type; - -init_daemon_domain(fsck) - -# /dev/__null__ created by init prior to policy load, -# open fd inherited by fsck. -allow fsck tmpfs:chr_file { read write ioctl }; - -# Inherit and use pty created by android_fork_execvp_ext(). -allow fsck devpts:chr_file { read write ioctl getattr }; - -# Allow stdin/out back to vold -allow fsck vold:fd use; -allow fsck vold:fifo_file { read write getattr }; - -# Run fsck on certain block devices -allow fsck block_device:dir search; -allow fsck userdata_block_device:blk_file rw_file_perms; -allow fsck cache_block_device:blk_file rw_file_perms; -allow fsck dm_device:blk_file rw_file_perms; - -# fsck performs a stat() on swap to verify that it is a valid -# swap device before setting the EXT2_MF_SWAP mount flag. -allow fsck swap_block_device:blk_file getattr; - -### -### neverallow rules -### - -# fsck should never be run on these block devices -neverallow fsck { - boot_block_device - frp_block_device - metadata_block_device - recovery_block_device - root_block_device - swap_block_device - system_block_device - vold_device -}:blk_file no_rw_file_perms; - -# Only allow entry from init or vold via fsck binaries -neverallow { domain -init -vold } fsck:process transition; -neverallow * fsck:process dyntransition; -neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint; diff --git a/fsck_untrusted.te b/fsck_untrusted.te deleted file mode 100644 index 00faa20..0000000 --- a/fsck_untrusted.te +++ /dev/null @@ -1,36 +0,0 @@ -# Any fsck program run on untrusted block devices -type fsck_untrusted, domain, domain_deprecated; - -# Inherit and use pty created by android_fork_execvp_ext(). -allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; - -# Allow stdin/out back to vold -allow fsck_untrusted vold:fd use; -allow fsck_untrusted vold:fifo_file { read write getattr }; - -# Run fsck on vold block devices -allow fsck_untrusted block_device:dir search; -allow fsck_untrusted vold_device:blk_file rw_file_perms; - -### -### neverallow rules -### - -# Untrusted fsck should never be run on block devices holding sensitive data -neverallow fsck_untrusted { - boot_block_device - frp_block_device - metadata_block_device - recovery_block_device - root_block_device - swap_block_device - system_block_device - userdata_block_device - cache_block_device - dm_device -}:blk_file no_rw_file_perms; - -# Only allow entry from vold via fsck binaries -neverallow { domain -vold } fsck_untrusted:process transition; -neverallow * fsck_untrusted:process dyntransition; -neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; diff --git a/gatekeeperd.te b/gatekeeperd.te deleted file mode 100644 index 81d7fdf..0000000 --- a/gatekeeperd.te +++ /dev/null @@ -1,27 +0,0 @@ -type gatekeeperd, domain, domain_deprecated; -type gatekeeperd_exec, exec_type, file_type; - -# gatekeeperd -init_daemon_domain(gatekeeperd) -binder_service(gatekeeperd) -binder_use(gatekeeperd) -allow gatekeeperd tee_device:chr_file rw_file_perms; - -# need to find KeyStore and add self -allow gatekeeperd gatekeeper_service:service_manager { add find }; - -# Need to add auth tokens to KeyStore -use_keystore(gatekeeperd) -allow gatekeeperd keystore:keystore_key { add_auth }; - -# For permissions checking -allow gatekeeperd system_server:binder call; -allow gatekeeperd permission_service:service_manager find; -# For parent user ID lookup -allow gatekeeperd user_service:service_manager find; - -# for SID file access -allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms; -allow gatekeeperd gatekeeper_data_file:file create_file_perms; - -neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add; diff --git a/genfs_contexts b/genfs_contexts deleted file mode 100644 index 2700a94..0000000 --- a/genfs_contexts +++ /dev/null @@ -1,41 +0,0 @@ -# Label inodes with the fs label. -genfscon rootfs / u:object_r:rootfs:s0 -# proc labeling can be further refined (longest matching prefix). -genfscon proc / u:object_r:proc:s0 -genfscon proc /iomem u:object_r:proc_iomem:s0 -genfscon proc /meminfo u:object_r:proc_meminfo:s0 -genfscon proc /net u:object_r:proc_net:s0 -genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0 -genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0 -genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0 -genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0 -genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0 -genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0 -genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0 -genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0 -genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0 -genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0 -genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0 -genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0 -genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0 -genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 -genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 -genfscon proc /sys/net u:object_r:proc_net:s0 -genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 -genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0 -genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0 -genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0 - -# selinuxfs booleans can be individually labeled. -genfscon selinuxfs / u:object_r:selinuxfs:s0 -genfscon cgroup / u:object_r:cgroup:s0 -# sysfs labels can be set by userspace. -genfscon sysfs / u:object_r:sysfs:s0 -genfscon inotifyfs / u:object_r:inotify:s0 -genfscon vfat / u:object_r:vfat:s0 -genfscon debugfs / u:object_r:debugfs:s0 -genfscon fuse / u:object_r:fuse:s0 -genfscon pstore / u:object_r:pstorefs:s0 -genfscon functionfs / u:object_r:functionfs:s0 -genfscon usbfs / u:object_r:usbfs:s0 -genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0 diff --git a/global_macros b/global_macros deleted file mode 100644 index 0534e46..0000000 --- a/global_macros +++ /dev/null @@ -1,46 +0,0 @@ -##################################### -# Common groupings of object classes. -# -define(`capability_class_set', `{ capability capability2 }') - -define(`devfile_class_set', `{ chr_file blk_file }') -define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') -define(`file_class_set', `{ devfile_class_set notdevfile_class_set }') -define(`dir_file_class_set', `{ dir file_class_set }') - -define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }') -define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') - -define(`ipc_class_set', `{ sem msgq shm ipc }') - -##################################### -# Common groupings of permissions. -# -define(`x_file_perms', `{ getattr execute execute_no_trans }') -define(`r_file_perms', `{ getattr open read ioctl lock }') -define(`w_file_perms', `{ open append write lock }') -define(`rx_file_perms', `{ r_file_perms x_file_perms }') -define(`ra_file_perms', `{ r_file_perms append }') -define(`rw_file_perms', `{ r_file_perms w_file_perms }') -define(`rwx_file_perms', `{ rw_file_perms x_file_perms }') -define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }') - -define(`r_dir_perms', `{ open getattr read search ioctl lock }') -define(`w_dir_perms', `{ open search write add_name remove_name lock }') -define(`ra_dir_perms', `{ r_dir_perms add_name write }') -define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }') -define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }') - -define(`r_ipc_perms', `{ getattr read associate unix_read }') -define(`w_ipc_perms', `{ write unix_write }') -define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }') -define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }') - -##################################### -# Common socket permission sets. -define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }') -define(`create_socket_perms', `{ create rw_socket_perms }') -define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }') -define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }') diff --git a/gpsd.te b/gpsd.te deleted file mode 100644 index 4b22223..0000000 --- a/gpsd.te +++ /dev/null @@ -1,29 +0,0 @@ -# gpsd - GPS daemon -type gpsd, domain; -type gpsd_exec, exec_type, file_type; - -init_daemon_domain(gpsd) -net_domain(gpsd) -allow gpsd gps_data_file:dir rw_dir_perms; -allow gpsd gps_data_file:notdevfile_class_set create_file_perms; -# Socket is created by the daemon, not by init, and under /data/gps, -# not under /dev/socket. -type_transition gpsd gps_data_file:sock_file gps_socket; -allow gpsd gps_socket:sock_file create_file_perms; -# XXX Label sysfs files with a specific type? -allow gpsd sysfs:file rw_file_perms; - -allow gpsd gps_device:chr_file rw_file_perms; - -# Execute the shell or system commands. -allow gpsd shell_exec:file rx_file_perms; -allow gpsd system_file:file rx_file_perms; -allow gpsd toolbox_exec:file rx_file_perms; - -### -### neverallow -### - -# gpsd can never have capabilities other than block_suspend -neverallow gpsd self:capability *; -neverallow gpsd self:capability2 ~block_suspend; diff --git a/hci_attach.te b/hci_attach.te deleted file mode 100644 index 543cae1..0000000 --- a/hci_attach.te +++ /dev/null @@ -1,9 +0,0 @@ -type hci_attach, domain, domain_deprecated; -type hci_attach_exec, exec_type, file_type; - -init_daemon_domain(hci_attach) - -allow hci_attach kernel:system module_request; -allow hci_attach hci_attach_dev:chr_file rw_file_perms; -allow hci_attach bluetooth_efs_file:dir r_dir_perms; -allow hci_attach bluetooth_efs_file:file r_file_perms; diff --git a/healthd.te b/healthd.te deleted file mode 100644 index f54d716..0000000 --- a/healthd.te +++ /dev/null @@ -1,48 +0,0 @@ -# healthd seclabel is specified in init.rc since -# it lives in the rootfs and has no unique file type. -type healthd, domain, domain_deprecated; - -# Write to /dev/kmsg -allow healthd kmsg_device:chr_file rw_file_perms; - -# Read access to pseudo filesystems. -r_dir_file(healthd, sysfs) - -allow healthd self:capability { net_admin sys_tty_config }; -wakelock_use(healthd) -allow healthd self:netlink_kobject_uevent_socket create_socket_perms; -binder_use(healthd) -binder_service(healthd) -binder_call(healthd, system_server) - -# Write to state file. -# TODO: Split into a separate type? -allow healthd sysfs:file write; - -allow healthd sysfs_batteryinfo:file r_file_perms; - -### -### healthd: charger mode -### - -# Read /sys/fs/pstore/console-ramoops -# Don't worry about overly broad permissions for now, as there's -# only one file in /sys/fs/pstore -allow healthd pstorefs:dir r_dir_perms; -allow healthd pstorefs:file r_file_perms; - -allow healthd graphics_device:dir r_dir_perms; -allow healthd graphics_device:chr_file rw_file_perms; -allow healthd input_device:dir r_dir_perms; -allow healthd input_device:chr_file r_file_perms; -allow healthd tty_device:chr_file rw_file_perms; -allow healthd ashmem_device:chr_file execute; -allow healthd self:process execmem; -allow healthd proc_sysrq:file rw_file_perms; -allow healthd self:capability sys_boot; - -allow healthd batteryproperties_service:service_manager { add find }; - -# Healthd needs to tell init to continue the boot -# process when running in charger mode. -set_prop(healthd, system_prop) diff --git a/hostapd.te b/hostapd.te deleted file mode 100644 index 204a0d9..0000000 --- a/hostapd.te +++ /dev/null @@ -1,27 +0,0 @@ -# userspace wifi access points -type hostapd, domain, domain_deprecated; -type hostapd_exec, exec_type, file_type; - -net_domain(hostapd) - -allow hostapd self:capability { net_admin net_raw setuid setgid }; -allow hostapd self:netlink_socket create_socket_perms; -allow hostapd self:netlink_generic_socket create_socket_perms; -allow hostapd self:packet_socket create_socket_perms; -allow hostapd self:netlink_route_socket nlmsg_write; - -allow hostapd wifi_data_file:file rw_file_perms; -allow hostapd wifi_data_file:dir create_dir_perms; -type_transition hostapd wifi_data_file:dir wpa_socket "sockets"; -type_transition hostapd wifi_data_file:dir wpa_socket "hostapd"; -allow hostapd wpa_socket:dir create_dir_perms; -allow hostapd wpa_socket:sock_file create_file_perms; -allow hostapd netd:fd use; -allow hostapd netd:udp_socket { read write }; -allow hostapd netd:fifo_file { read write }; -# TODO: Investigate whether these inherited sockets should be closed on exec. -allow hostapd netd:netlink_kobject_uevent_socket { read write }; -allow hostapd netd:netlink_nflog_socket { read write }; -allow hostapd netd:netlink_route_socket { read write }; -allow hostapd netd:unix_stream_socket { read write }; -allow hostapd netd:unix_dgram_socket { read write }; diff --git a/idmap.te b/idmap.te deleted file mode 100644 index c1b4d0f..0000000 --- a/idmap.te +++ /dev/null @@ -1,10 +0,0 @@ -# idmap, when executed by installd -type idmap, domain, domain_deprecated; -type idmap_exec, exec_type, file_type; - -# Use open file to /data/resource-cache file inherited from installd. -allow idmap installd:fd use; -allow idmap resourcecache_data_file:file { getattr read write }; - -# Open and read from target and overlay apk files passed by argument. -allow idmap apk_data_file:file r_file_perms; diff --git a/init.te b/init.te deleted file mode 100644 index e1a8217..0000000 --- a/init.te +++ /dev/null @@ -1,298 +0,0 @@ -# init is its own domain. -type init, domain, domain_deprecated, mlstrustedsubject; -tmpfs_domain(init) - -# The init domain is entered by execing init. -type init_exec, exec_type, file_type; - -# /dev/__null__ node created by init. -allow init tmpfs:chr_file create_file_perms; - -# -# init direct restorecon calls. -# -# /dev/socket -allow init { device socket_device }:dir relabelto; -# /dev/__properties__ -allow init properties_device:dir relabelto; -allow init properties_serial:file { write relabelto }; -allow init property_type:file { create_file_perms relabelto }; - -# setrlimit -allow init self:capability sys_resource; - -# Remove /dev/.booting, created before initial policy load or restorecon /dev. -allow init tmpfs:file unlink; - -# Access pty created for fsck. -allow init devpts:chr_file { read write open }; - -# Create /dev/fscklogs files. -allow init fscklogs:file create_file_perms; - -# Access /dev/__null__ node created prior to initial policy load. -allow init tmpfs:chr_file write; - -# Access /dev/console. -allow init console_device:chr_file rw_file_perms; - -# Access /dev/tty0. -allow init tty_device:chr_file rw_file_perms; - -# Call mount(2). -allow init self:capability sys_admin; - -# Create and mount on directories in /. -allow init rootfs:dir create_dir_perms; -allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton; - -# Mount on /dev/usb-ffs/adb. -allow init device:dir mounton; - -# Create and remove symlinks in /. -allow init rootfs:lnk_file { create unlink }; - -# Mount debugfs on /sys/kernel/debug. -allow init sysfs:dir mounton; - -# Create cgroups mount points in tmpfs and mount cgroups on them. -allow init tmpfs:dir create_dir_perms; -allow init tmpfs:dir mounton; -allow init cgroup:dir create_dir_perms; -allow init cpuctl_device:dir { create mounton }; - -# Use tmpfs as /data, used for booting when /data is encrypted -allow init tmpfs:dir relabelfrom; - -# Create directories under /dev/cpuctl after chowning it to system. -allow init self:capability dac_override; - -# Set system clock. -allow init self:capability sys_time; - -allow init self:capability { sys_rawio mknod }; - -# Mounting filesystems from block devices. -allow init dev_type:blk_file r_file_perms; - -# Mounting filesystems. -# Only allow relabelto for types used in context= mount options, -# which should all be assigned the contextmount_type attribute. -# This can be done in device-specific policy via type or typeattribute -# declarations. -allow init fs_type:filesystem ~relabelto; -allow init unlabeled:filesystem ~relabelto; -allow init contextmount_type:filesystem relabelto; - -# Allow read-only access to context= mounted filesystems. -allow init contextmount_type:dir r_dir_perms; -allow init contextmount_type:notdevfile_class_set r_file_perms; - -# restorecon /adb_keys or any other rootfs files and directories to a more -# specific type. -allow init rootfs:{ dir file } relabelfrom; - -# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files. -# chown/chmod require open+read+setattr required for open()+fchown/fchmod(). -# system/core/init.rc requires at least cache_file and data_file_type. -# init.<board>.rc files often include device-specific types, so -# we just allow all file types except /system files here. -allow init self:capability { chown fowner fsetid }; -allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink }; -allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto; -allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom }; -allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto; -allow init dev_type:dir create_dir_perms; -allow init dev_type:lnk_file create; - -# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on -allow init debugfs_tracing:file w_file_perms; - -# chown/chmod on pseudo files. -allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr }; -allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search }; - -# chown/chmod on devices. -allow init { dev_type -kmem_device }:chr_file { read open setattr }; - -# Unlabeled file access for upgrades from 4.2. -allow init unlabeled:dir { create_dir_perms relabelfrom }; -allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; - -# Any operation that can modify the kernel ring buffer, e.g. clear -# or a read that consumes the messages that were read. -allow init kernel:system syslog_mod; -allow init self:capability2 syslog; - -# Set usermodehelpers and /proc security settings. -allow init usermodehelper:file rw_file_perms; -allow init proc_security:file rw_file_perms; - -# Write to /proc/sys/kernel/panic_on_oops. -allow init proc:file w_file_perms; - -# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files. -allow init proc_net:file w_file_perms; -allow init self:capability net_admin; - -# Write to /proc/sysrq-trigger. -allow init proc_sysrq:file w_file_perms; - -# Reboot. -allow init self:capability sys_boot; - -# Write to sysfs nodes. -allow init sysfs_type:dir r_dir_perms; -allow init sysfs_type:file w_file_perms; - -# disksize -allow init sysfs_zram:file getattr; - -# Transitions to seclabel processes in init.rc -domain_trans(init, rootfs, adbd) -domain_trans(init, rootfs, healthd) -domain_trans(init, rootfs, slideshow) -recovery_only(` - domain_trans(init, rootfs, recovery) -') -domain_trans(init, shell_exec, shell) -domain_trans(init, init_exec, ueventd) -domain_trans(init, init_exec, watchdogd) -# case where logpersistd is actually logcat -f in logd context (nee: logcatd) -userdebug_or_eng(` - domain_auto_trans(init, logcat_exec, logd) -') - -# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd". -# Init will also walk through the directory as part of a recursive restorecon. -allow init misc_logd_file:dir { open create read getattr setattr search }; -allow init misc_logd_file:file { getattr }; - -# Support "adb shell stop" -allow init self:capability kill; -allow init domain:process { sigkill signal }; - -# Init creates keystore's directory on boot, and walks through -# the directory as part of a recursive restorecon. -allow init keystore_data_file:dir { open create read getattr setattr search }; -allow init keystore_data_file:file { getattr }; - -# Init creates vold's directory on boot, and walks through -# the directory as part of a recursive restorecon. -allow init vold_data_file:dir { open create read getattr setattr search }; -allow init vold_data_file:file { getattr }; - -# Init creates /data/local/tmp at boot -allow init shell_data_file:dir { open create read getattr setattr search }; -allow init shell_data_file:file { getattr }; - -# Set UID and GID for services. -allow init self:capability { setuid setgid }; - -# For bootchart to read the /proc/$pid/cmdline file of each process, -# we need to have following line to allow init to have access -# to different domains. -r_dir_file(init, domain) - -# Use setexeccon(), setfscreatecon(), and setsockcreatecon(). -# setexec is for services with seclabel options. -# setfscreate is for labeling directories and socket files. -# setsockcreate is for labeling local/unix domain sockets. -allow init self:process { setexec setfscreate setsockcreate }; - -# Perform SELinux access checks on setting properties. -selinux_check_access(init) - -# Ask the kernel for the new context on services to label their sockets. -allow init kernel:security compute_create; - -# Create sockets for the services. -allow init domain:unix_stream_socket { create bind }; -allow init domain:unix_dgram_socket { create bind }; - -# Create /data/property and files within it. -allow init property_data_file:dir create_dir_perms; -allow init property_data_file:file create_file_perms; - -# Set any property. -allow init property_type:property_service set; - -# Run "ifup lo" to bring up the localhost interface -allow init self:udp_socket { create ioctl }; -allow init self:capability net_raw; - -# This line seems suspect, as it should not really need to -# set scheduling parameters for a kernel domain task. -allow init kernel:process setsched; - -# swapon() needs write access to swap device -# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all -allow init swap_block_device:blk_file rw_file_perms; - -# Read from /dev/hw_random if present. -# system/core/init/init.c - mix_hwrng_into_linux_rng_action -allow init hw_random_device:chr_file r_file_perms; - -# Create and access /dev files without a specific type, -# e.g. /dev/.coldboot_done, /dev/.booting -# TODO: Move these files into their own type unless they are -# only ever accessed by init. -allow init device:file create_file_perms; - -# Access character devices without a specific type, -# e.g. /dev/keychord. -# TODO: Move these devices into their own type unless they -# are only ever accessed by init. -allow init device:chr_file { rw_file_perms setattr }; - -# keychord configuration -allow init self:capability sys_tty_config; - -# Access device mapper for setting up dm-verity -allow init dm_device:chr_file rw_file_perms; -allow init dm_device:blk_file rw_file_perms; - -# Access metadata block device for storing dm-verity state -allow init metadata_block_device:blk_file rw_file_perms; - -# Read /sys/fs/pstore/console-ramoops to detect restarts caused -# by dm-verity detecting corrupted blocks -allow init pstorefs:dir search; -allow init pstorefs:file r_file_perms; -allow init kernel:system syslog_read; - -# linux keyring configuration -allow init init:key { write search setattr }; - -# Allow init to create /data/unencrypted -allow init unencrypted_data_file:dir create_dir_perms; - -unix_socket_connect(init, vold, vold) - -### -### neverallow rules -### - -# The init domain is only entered via setcon from the kernel domain, -# never via an exec-based transition. -neverallow domain init:process dyntransition; -neverallow { domain -kernel} init:process transition; -neverallow init { file_type fs_type -init_exec }:file entrypoint; - -# Never read/follow symlinks created by shell or untrusted apps. -neverallow init shell_data_file:lnk_file read; -neverallow init app_data_file:lnk_file read; - -# init should never execute a program without changing to another domain. -neverallow init { file_type fs_type }:file execute_no_trans; - -# Init never adds or uses services via service_manager. -neverallow init service_manager_type:service_manager { add find }; -neverallow init servicemanager:service_manager list; - -# Init should not be creating subdirectories in /data/local/tmp -neverallow init shell_data_file:dir { write add_name remove_name }; diff --git a/initial_sid_contexts b/initial_sid_contexts deleted file mode 100644 index 9819051..0000000 --- a/initial_sid_contexts +++ /dev/null @@ -1,27 +0,0 @@ -sid kernel u:r:kernel:s0 -sid security u:object_r:kernel:s0 -sid unlabeled u:object_r:unlabeled:s0 -sid fs u:object_r:labeledfs:s0 -sid file u:object_r:unlabeled:s0 -sid file_labels u:object_r:unlabeled:s0 -sid init u:object_r:unlabeled:s0 -sid any_socket u:object_r:unlabeled:s0 -sid port u:object_r:port:s0 -sid netif u:object_r:netif:s0 -sid netmsg u:object_r:unlabeled:s0 -sid node u:object_r:node:s0 -sid igmp_packet u:object_r:unlabeled:s0 -sid icmp_socket u:object_r:unlabeled:s0 -sid tcp_socket u:object_r:unlabeled:s0 -sid sysctl_modprobe u:object_r:unlabeled:s0 -sid sysctl u:object_r:proc:s0 -sid sysctl_fs u:object_r:unlabeled:s0 -sid sysctl_kernel u:object_r:unlabeled:s0 -sid sysctl_net u:object_r:unlabeled:s0 -sid sysctl_net_unix u:object_r:unlabeled:s0 -sid sysctl_vm u:object_r:unlabeled:s0 -sid sysctl_dev u:object_r:unlabeled:s0 -sid kmod u:object_r:unlabeled:s0 -sid policy u:object_r:unlabeled:s0 -sid scmp_packet u:object_r:unlabeled:s0 -sid devnull u:object_r:null_device:s0 diff --git a/initial_sids b/initial_sids deleted file mode 100644 index 91ac816..0000000 --- a/initial_sids +++ /dev/null @@ -1,35 +0,0 @@ -# FLASK - -# -# Define initial security identifiers -# - -sid kernel -sid security -sid unlabeled -sid fs -sid file -sid file_labels -sid init -sid any_socket -sid port -sid netif -sid netmsg -sid node -sid igmp_packet -sid icmp_socket -sid tcp_socket -sid sysctl_modprobe -sid sysctl -sid sysctl_fs -sid sysctl_kernel -sid sysctl_net -sid sysctl_net_unix -sid sysctl_vm -sid sysctl_dev -sid kmod -sid policy -sid scmp_packet -sid devnull - -# FLASK diff --git a/inputflinger.te b/inputflinger.te deleted file mode 100644 index 324f3f6..0000000 --- a/inputflinger.te +++ /dev/null @@ -1,15 +0,0 @@ -# inputflinger -type inputflinger, domain, domain_deprecated; -type inputflinger_exec, exec_type, file_type; - -init_daemon_domain(inputflinger) -binder_use(inputflinger) -binder_service(inputflinger) - -binder_call(inputflinger, system_server) - -wakelock_use(inputflinger) - -allow inputflinger inputflinger_service:service_manager { add find }; -allow inputflinger input_device:dir r_dir_perms; -allow inputflinger input_device:chr_file rw_file_perms; diff --git a/install_recovery.te b/install_recovery.te deleted file mode 100644 index 1c47236..0000000 --- a/install_recovery.te +++ /dev/null @@ -1,31 +0,0 @@ -# service flash_recovery in init.rc -type install_recovery, domain, domain_deprecated; -type install_recovery_exec, exec_type, file_type; - -init_daemon_domain(install_recovery) - -allow install_recovery self:capability dac_override; - -# /system/bin/install-recovery.sh is a shell script. -# Needs to execute /system/bin/sh -allow install_recovery shell_exec:file rx_file_perms; - -# Execute /system/bin/applypatch -allow install_recovery system_file:file rx_file_perms; - -allow install_recovery toolbox_exec:file rx_file_perms; - -# Update the recovery block device based off a diff of the boot block device -allow install_recovery block_device:dir search; -allow install_recovery boot_block_device:blk_file r_file_perms; -allow install_recovery recovery_block_device:blk_file rw_file_perms; - -# Create and delete /cache/saved.file -allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms; -allow install_recovery { cache_file cache_recovery_file }:file create_file_perms; - -auditallow install_recovery cache_recovery_file:dir rw_dir_perms; -auditallow install_recovery cache_recovery_file:file create_file_perms; - -# Write to /proc/sys/vm/drop_caches -allow install_recovery proc_drop_caches:file w_file_perms; diff --git a/installd.te b/installd.te deleted file mode 100644 index 1f83501..0000000 --- a/installd.te +++ /dev/null @@ -1,94 +0,0 @@ -# installer daemon -type installd, domain, domain_deprecated; -type installd_exec, exec_type, file_type; - -init_daemon_domain(installd) -typeattribute installd mlstrustedsubject; -allow installd self:capability { chown dac_override fowner fsetid setgid setuid }; - -# Allow labeling of files under /data/app/com.example/oat/ -allow installd dalvikcache_data_file:dir relabelto; -allow installd dalvikcache_data_file:file { relabelto link }; - -# Allow movement of APK files between volumes -allow installd apk_data_file:dir { create_dir_perms relabelfrom }; -allow installd apk_data_file:file { create_file_perms relabelfrom link }; -allow installd apk_data_file:lnk_file { create read unlink }; - -allow installd asec_apk_file:file r_file_perms; -allow installd apk_tmp_file:file { r_file_perms unlink }; -allow installd apk_tmp_file:dir { relabelfrom create_dir_perms }; -allow installd oemfs:dir r_dir_perms; -allow installd oemfs:file r_file_perms; -allow installd cgroup:dir create_dir_perms; -allow installd mnt_expand_file:dir { search getattr }; -# Check validity of SELinux context before use. -selinux_check_context(installd) - -# Search /data/app-asec and stat files in it. -allow installd asec_image_file:dir search; -allow installd asec_image_file:file getattr; - -# Create /data/user and /data/user/0 if necessary. -# Also required to initially create /data/data subdirectories -# and lib symlinks before the setfilecon call. May want to -# move symlink creation after setfilecon in installd. -allow installd system_data_file:dir create_dir_perms; -allow installd system_data_file:lnk_file { create setattr unlink }; - -# Upgrade /data/media for multi-user if necessary. -allow installd media_rw_data_file:dir create_dir_perms; -allow installd media_rw_data_file:file { getattr unlink }; -# restorecon new /data/media directory. -allow installd system_data_file:dir relabelfrom; -allow installd media_rw_data_file:dir relabelto; - -# Upgrade /data/misc/keychain for multi-user if necessary. -allow installd misc_user_data_file:dir create_dir_perms; -allow installd misc_user_data_file:file create_file_perms; -allow installd keychain_data_file:dir create_dir_perms; -allow installd keychain_data_file:file {r_file_perms unlink}; - -# Create /data/.layout_version.* file -type_transition installd system_data_file:file install_data_file; -allow installd install_data_file:file create_file_perms; - -# Create files under /data/dalvik-cache. -allow installd dalvikcache_data_file:dir create_dir_perms; -allow installd dalvikcache_data_file:file create_file_perms; - -# Create files under /data/resource-cache. -allow installd resourcecache_data_file:dir rw_dir_perms; -allow installd resourcecache_data_file:file create_file_perms; - -# Run dex2oat in its own sandbox. -domain_auto_trans(installd, dex2oat_exec, dex2oat) - -# Run idmap in its own sandbox. -domain_auto_trans(installd, idmap_exec, idmap) - -# Upgrade from unlabeled userdata. -# Just need enough to remove and/or relabel it. -allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir }; -allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr }; -# Read pkg.apk file for input during dexopt. -allow installd unlabeled:file r_file_perms; - -# Upgrade from before system_app_data_file was used for system UID apps. -# Just need enough to relabel it and to unlink removed package files. -# Directory access covered by earlier rule above. -allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink }; - -# Manage /data/data subdirectories, including initially labeling them -# upon creation via setfilecon or running restorecon_recursive, -# setting owner/mode, creating symlinks within them, and deleting them -# upon package uninstall. -# Types extracted from seapp_contexts type= fields. -allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { create_dir_perms relabelfrom relabelto }; -allow installd { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto }; - -# Create and use pty created by android_fork_execvp(). -allow installd devpts:chr_file rw_file_perms; - -# execute toybox for app relocation -allow installd toolbox_exec:file rx_file_perms; diff --git a/ioctl_macros b/ioctl_macros deleted file mode 100644 index e71e0ce..0000000 --- a/ioctl_macros +++ /dev/null @@ -1,11 +0,0 @@ -# socket ioctls allowed to unprivileged apps -define(`unpriv_sock_ioctls', ` -{ -# all socket ioctls except the Mac address SIOCGIFHWADDR 0x8927 -0x8900-0x8926 0x8928-0x89ff -# all wireless extensions ioctls except get/set essid -# IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B -0x8B00-0x8B09 0x8B1C-0x8BFF -# commonly used TTY ioctls -0x5411 0x5451 -}') diff --git a/isolated_app.te b/isolated_app.te deleted file mode 100644 index 34fe41c..0000000 --- a/isolated_app.te +++ /dev/null @@ -1,62 +0,0 @@ -### -### Services with isolatedProcess=true in their manifest. -### -### This file defines the rules for isolated apps. An "isolated -### app" is an APP with UID between AID_ISOLATED_START (99000) -### and AID_ISOLATED_END (99999). -### -### isolated_app includes all the appdomain rules, plus the -### additional following rules: -### - -type isolated_app, domain, domain_deprecated; -app_domain(isolated_app) - -# Access already open app data files received over Binder or local socket IPC. -allow isolated_app app_data_file:file { read write getattr lock }; - -allow isolated_app activity_service:service_manager find; -allow isolated_app display_service:service_manager find; - -# Google Breakpad (crash reporter for Chrome) relies on ptrace -# functionality. Without the ability to ptrace, the crash reporter -# tool is broken. -# b/20150694 -# https://code.google.com/p/chromium/issues/detail?id=475270 -allow isolated_app self:process ptrace; - -##### -##### Neverallow -##### - -# Do not allow isolated_app to directly open tun_device -neverallow isolated_app tun_device:chr_file open; - -# Do not allow isolated_app to set system properties. -neverallow isolated_app property_socket:sock_file write; -neverallow isolated_app property_type:property_service set; - -# Isolated apps should not directly open app data files themselves. -neverallow isolated_app app_data_file:file open; - -# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) -# TODO: are there situations where isolated_apps write to this file? -# TODO: should we tighten these restrictions further? -neverallow isolated_app anr_data_file:file ~{ open append }; -neverallow isolated_app anr_data_file:dir ~search; - -# b/17487348 -# Isolated apps can only access two services, -# activity_service and display_service -neverallow isolated_app { - service_manager_type - -activity_service - -display_service -}:service_manager find; - -# Isolated apps shouldn't be able to access the driver directly. -neverallow isolated_app gpu_device:chr_file { rw_file_perms execute }; - -# Do not allow isolated_app access to /cache -neverallow isolated_app cache_file:dir ~{ r_dir_perms }; -neverallow isolated_app cache_file:file ~{ read getattr }; diff --git a/kernel.te b/kernel.te deleted file mode 100644 index 20b0c0a..0000000 --- a/kernel.te +++ /dev/null @@ -1,87 +0,0 @@ -# Life begins with the kernel. -type kernel, domain, domain_deprecated, mlstrustedsubject; - -allow kernel self:capability sys_nice; - -# Root fs. -allow kernel rootfs:dir r_dir_perms; -allow kernel rootfs:file r_file_perms; -allow kernel rootfs:lnk_file r_file_perms; - -# Get SELinux enforcing status. -allow kernel selinuxfs:dir r_dir_perms; -allow kernel selinuxfs:file r_file_perms; - -# Allow init relabel itself. -allow kernel rootfs:file relabelfrom; -allow kernel init_exec:file relabelto; -# TODO: investigate why we need this. -allow kernel init:process share; - -# cgroup filesystem initialization prior to setting the cgroup root directory label. -allow kernel unlabeled:dir search; - -# Mount usbfs. -allow kernel usbfs:filesystem mount; -allow kernel usbfs:dir search; - -# Initial setenforce by init prior to switching to init domain. -# We use dontaudit instead of allow to prevent a kernel spawned userspace -# process from turning off SELinux once enabled. -dontaudit kernel self:security setenforce; - -# Write to /proc/1/oom_adj prior to switching to init domain. -allow kernel self:capability sys_resource; - -# Init reboot before switching selinux domains under certain error -# conditions. Allow it. -# As part of rebooting, init writes "u" to /proc/sysrq-trigger to -# remount filesystems read-only. /data is not mounted at this point, -# so we could ignore this. For now, we allow it. -allow kernel self:capability sys_boot; -allow kernel proc_sysrq:file w_file_perms; - -# Allow writing to /dev/__kmsg__ which was created prior to -# loading policy -allow kernel tmpfs:chr_file write; - -# Set checkreqprot by init.rc prior to switching to init domain. -allow kernel selinuxfs:file write; -allow kernel self:security setcheckreqprot; - -# MTP sync (b/15835289) -# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723) -allow kernel priv_app:fd use; -allow kernel sdcard_type:file { read write }; - -# Allow the kernel to read OBB files from app directories. (b/17428116) -# Kernel thread "loop0" reads a vold supplied file descriptor. -# Fixes CTS tests: -# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal -# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs -allow kernel vold:fd use; -allow kernel app_data_file:file read; -allow kernel asec_image_file:file read; - -domain_auto_trans(kernel, init_exec, init) - -### -### neverallow rules -### - -# The initial task starts in the kernel domain (assigned via -# initial_sid_contexts), but nothing ever transitions to it. -neverallow * kernel:process { transition dyntransition }; - -# The kernel domain is never entered via an exec, nor should it -# ever execute a program outside the rootfs without changing to another domain. -# If you encounter an execute_no_trans denial on the kernel domain, then -# possible causes include: -# - The program is a kernel usermodehelper. In this case, define a domain -# for the program and domain_auto_trans() to it. -# - You failed to setcon u:r:init:s0 in your init.rc and thus your init -# program was left in the kernel domain and is now trying to execute -# some other program. Fix your init.rc file. -# - You are running an exploit which switched to the init task credentials -# and is then trying to exec a shell or other program. You lose! -neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans }; diff --git a/keys.conf b/keys.conf deleted file mode 100644 index 7a307b5..0000000 --- a/keys.conf +++ /dev/null @@ -1,25 +0,0 @@ -# -# Maps an arbitrary tag [TAGNAME] with the string contents found in -# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and -# name it after the base file name of the pem file. -# -# Each tag (section) then allows one to specify any string found in -# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another -# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string. -# - -[@PLATFORM] -ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem - -[@MEDIA] -ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem - -[@SHARED] -ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem - -# Example of ALL TARGET_BUILD_VARIANTS -[@RELEASE] -ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem -USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem -USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem - diff --git a/keystore.te b/keystore.te deleted file mode 100644 index 9dca43c..0000000 --- a/keystore.te +++ /dev/null @@ -1,32 +0,0 @@ -type keystore, domain, domain_deprecated; -type keystore_exec, exec_type, file_type; - -# keystore daemon -init_daemon_domain(keystore) -typeattribute keystore mlstrustedsubject; -binder_use(keystore) -binder_service(keystore) -allow keystore keystore_data_file:dir create_dir_perms; -allow keystore keystore_data_file:notdevfile_class_set create_file_perms; -allow keystore keystore_exec:file { getattr }; -allow keystore tee_device:chr_file rw_file_perms; -allow keystore tee:unix_stream_socket connectto; - -allow keystore keystore_service:service_manager { add find }; - -# Check SELinux permissions. -selinux_check_access(keystore) - -### -### Neverallow rules -### -### Protect ourself from others -### - -neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; -neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr }; - -neverallow { domain -keystore -init } keystore_data_file:dir *; -neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *; - -neverallow * keystore:process ptrace; diff --git a/lmkd.te b/lmkd.te deleted file mode 100644 index ee290a3..0000000 --- a/lmkd.te +++ /dev/null @@ -1,37 +0,0 @@ -# lmkd low memory killer daemon -type lmkd, domain, domain_deprecated, mlstrustedsubject; -type lmkd_exec, exec_type, file_type; - -init_daemon_domain(lmkd) - -allow lmkd self:capability { dac_override sys_resource kill }; - -# lmkd locks itself in memory, to prevent it from being -# swapped out and unable to kill other memory hogs. -# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35 -# b/16236289 -allow lmkd self:capability ipc_lock; - -## Open and write to /proc/PID/oom_score_adj -## TODO: maybe scope this down? -r_dir_file(lmkd, appdomain) -allow lmkd appdomain:file write; -r_dir_file(lmkd, system_server) -allow lmkd system_server:file write; - -## Writes to /sys/module/lowmemorykiller/parameters/minfree -allow lmkd sysfs_lowmemorykiller:file w_file_perms; - -# Send kill signals -allow lmkd appdomain:process sigkill; - -# Clean up old cgroups -allow lmkd cgroup:dir { remove_name rmdir }; - -# Set self to SCHED_FIFO -allow lmkd self:capability sys_nice; - -### neverallow rules - -# never honor LD_PRELOAD -neverallow * lmkd:process noatsecure; diff --git a/logd.te b/logd.te deleted file mode 100644 index 7254e53..0000000 --- a/logd.te +++ /dev/null @@ -1,67 +0,0 @@ -# android user-space log manager -type logd, domain, domain_deprecated, mlstrustedsubject; -type logd_exec, exec_type, file_type; - -init_daemon_domain(logd) - -# Read access to pseudo filesystems. -r_dir_file(logd, proc) -r_dir_file(logd, proc_net) - -allow logd self:capability { setuid setgid sys_nice audit_control }; -allow logd self:capability2 syslog; -allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write }; -allow logd kernel:system syslog_read; -allow logd kmsg_device:chr_file w_file_perms; -allow logd system_data_file:file r_file_perms; -# logpersist is only allowed on userdebug and eng builds -userdebug_or_eng(` - allow logd misc_logd_file:file create_file_perms; - allow logd misc_logd_file:dir rw_dir_perms; -') -allow logd pstorefs:dir search; -allow logd pstorefs:file r_file_perms; - -# Set persist.sys. and sys.powerctl -set_prop(logd, safemode_prop) -set_prop(logd, powerctl_prop) - -# Access device logging gating property -get_prop(logd, device_logging_prop) - -r_dir_file(logd, domain) - -allow logd kernel:system syslog_mod; - -control_logd(logd) - -# case where logpersistd is actually logcat -f in logd context (nee: logcatd) -userdebug_or_eng(` - unix_socket_connect(logd, logdr, logd) -') - -### -### Neverallow rules -### -### logd should NEVER do any of this - -# Block device access. -neverallow logd dev_type:blk_file { read write }; - -# ptrace any other app -neverallow logd domain:process ptrace; - -# Write to /system. -neverallow logd system_file:dir_file_class_set write; - -# Write to files in /data/data or system files on /data -neverallow logd { app_data_file system_data_file }:dir_file_class_set write; - -# logd is not allowed to write anywhere other than /data/misc/logd, and then -# only on userdebug or eng builds -neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append }; - -# logpersist is only allowed on userdebug/eng builds -neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file no_rw_file_perms; -neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write }; -neverallow { domain -init } misc_logd_file:dir create; diff --git a/mac_permissions.xml b/mac_permissions.xml deleted file mode 100644 index 87efe0e..0000000 --- a/mac_permissions.xml +++ /dev/null @@ -1,54 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<policy> - -<!-- - - * A signature is a hex encoded X.509 certificate or a tag defined in - keys.conf and is required for each signer tag. The signature can - either appear as a set of attached cert child tags or as an attribute. - * A signer tag must contain a seinfo tag XOR multiple package stanzas. - * Each signer/package tag is allowed to contain one seinfo tag. This tag - represents additional info that each app can use in setting a SELinux security - context on the eventual process as well as the apps data directory. - * seinfo assignments are made according to the following rules: - - Stanzas with package name refinements will be checked first. - - Stanzas w/o package name refinements will be checked second. - - The "default" seinfo label is automatically applied. - - * valid stanzas can take one of the following forms: - - // single cert protecting seinfo - <signer signature="@PLATFORM" > - <seinfo value="platform" /> - </signer> - - // multiple certs protecting seinfo (all contained certs must match) - <signer> - <cert signature="@PLATFORM1"/> - <cert signature="@PLATFORM2"/> - <seinfo value="platform" /> - </signer> - - // single cert protecting explicitly named app - <signer signature="@PLATFORM" > - <package name="com.android.foo"> - <seinfo value="bar" /> - </package> - </signer> - - // multiple certs protecting explicitly named app (all certs must match) - <signer> - <cert signature="@PLATFORM1"/> - <cert signature="@PLATFORM2"/> - <package name="com.android.foo"> - <seinfo value="bar" /> - </package> - </signer> ---> - - <!-- Platform dev key in AOSP --> - <signer signature="@PLATFORM" > - <seinfo value="platform" /> - </signer> - -</policy> diff --git a/mdnsd.te b/mdnsd.te deleted file mode 100644 index a9dc7c5..0000000 --- a/mdnsd.te +++ /dev/null @@ -1,9 +0,0 @@ -# mdns daemon -type mdnsd, domain, mlstrustedsubject; -type mdnsd_exec, exec_type, file_type; - -init_daemon_domain(mdnsd) -net_domain(mdnsd) - -# Read from /proc/net -r_dir_file(mdnsd, proc_net) diff --git a/mediaserver.te b/mediaserver.te deleted file mode 100644 index 7e20002..0000000 --- a/mediaserver.te +++ /dev/null @@ -1,124 +0,0 @@ -# mediaserver - multimedia daemon -type mediaserver, domain, domain_deprecated; -type mediaserver_exec, exec_type, file_type; - -typeattribute mediaserver mlstrustedsubject; - -net_domain(mediaserver) -init_daemon_domain(mediaserver) - -r_dir_file(mediaserver, sdcard_type) - -# stat /proc/self -allow mediaserver proc:lnk_file getattr; - -# open /vendor/lib/mediadrm -allow mediaserver system_file:dir r_dir_perms; - -binder_use(mediaserver) -binder_call(mediaserver, binderservicedomain) -binder_call(mediaserver, appdomain) -binder_service(mediaserver) - -# Required by Widevine DRM (b/22990512) -allow mediaserver self:process execmem; - -allow mediaserver kernel:system module_request; -allow mediaserver media_data_file:dir create_dir_perms; -allow mediaserver media_data_file:file create_file_perms; -allow mediaserver app_data_file:dir search; -allow mediaserver app_data_file:file rw_file_perms; -allow mediaserver sdcard_type:file write; -allow mediaserver gpu_device:chr_file rw_file_perms; -allow mediaserver video_device:dir r_dir_perms; -allow mediaserver video_device:chr_file rw_file_perms; -allow mediaserver audio_device:dir r_dir_perms; -allow mediaserver tee_device:chr_file rw_file_perms; - -set_prop(mediaserver, audio_prop) - -# Access audio devices at all. -allow mediaserver audio_device:chr_file rw_file_perms; - -# XXX Label with a specific type? -allow mediaserver sysfs:file r_file_perms; - -# Read resources from open apk files passed over Binder. -allow mediaserver apk_data_file:file { read getattr }; -allow mediaserver asec_apk_file:file { read getattr }; - -# Read /data/data/com.android.providers.telephony files passed over Binder. -allow mediaserver radio_data_file:file { read getattr }; - -# Use pipes passed over Binder from app domains. -allow mediaserver appdomain:fifo_file { getattr read write }; - -allow mediaserver rpmsg_device:chr_file rw_file_perms; - -# Inter System processes communicate over named pipe (FIFO) -allow mediaserver system_server:fifo_file r_file_perms; - -# Camera data -r_dir_file(mediaserver, camera_data_file) -r_dir_file(mediaserver, media_rw_data_file) - -# Grant access to audio files to mediaserver -allow mediaserver audio_data_file:dir ra_dir_perms; -allow mediaserver audio_data_file:file create_file_perms; - -# Grant access to read files on appfuse. -allow mediaserver app_fuse_file:file { read getattr }; - -# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid -allow mediaserver qtaguid_proc:file rw_file_perms; -allow mediaserver qtaguid_device:chr_file r_file_perms; - -# Allow abstract socket connection -allow mediaserver rild:unix_stream_socket { connectto read write setopt }; - -# Needed on some devices for playing DRM protected content, -# but seems expected and appropriate for all devices. -unix_socket_connect(mediaserver, drmserver, drmserver) - -# Needed on some devices for playing audio on paired BT device, -# but seems appropriate for all devices. -unix_socket_connect(mediaserver, bluetooth, bluetooth) - -# Connect to tee service. -allow mediaserver tee:unix_stream_socket connectto; - -allow mediaserver activity_service:service_manager find; -allow mediaserver appops_service:service_manager find; -allow mediaserver cameraproxy_service:service_manager find; -allow mediaserver batterystats_service:service_manager find; -allow mediaserver drmserver_service:service_manager find; -allow mediaserver mediaserver_service:service_manager { add find }; -allow mediaserver permission_service:service_manager find; -allow mediaserver power_service:service_manager find; -allow mediaserver processinfo_service:service_manager find; -allow mediaserver scheduling_policy_service:service_manager find; -allow mediaserver surfaceflinger_service:service_manager find; - -# /oem access -allow mediaserver oemfs:dir search; -allow mediaserver oemfs:file r_file_perms; - -use_drmservice(mediaserver) -allow mediaserver drmserver:drmservice { - consumeRights - setPlaybackStatus - openDecryptSession - closeDecryptSession - initializeDecryptUnit - decrypt - finalizeDecryptUnit - pread -}; - -### -### neverallow rules -### - -# mediaserver should never execute any executable without a -# domain transition -neverallow mediaserver { file_type fs_type }:file execute_no_trans; @@ -1,112 +0,0 @@ -######################################### -# MLS declarations -# - -# Generate the desired number of sensitivities and categories. -gen_sens(mls_num_sens) -gen_cats(mls_num_cats) - -# Generate level definitions for each sensitivity and category. -gen_levels(mls_num_sens,mls_num_cats) - - -################################################# -# MLS policy constraints -# - -# -# Process constraints -# - -# Process transition: Require equivalence unless the subject is trusted. -mlsconstrain process { transition dyntransition } - ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); - -# Process read operations: No read up unless trusted. -mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } - (l1 dom l2 or t1 == mlstrustedsubject); - -# Process write operations: Require equivalence unless trusted. -mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } - (l1 eq l2 or t1 == mlstrustedsubject); - -# -# Socket constraints -# - -# Create/relabel operations: Subject must be equivalent to object unless -# the subject is trusted. Sockets inherit the range of their creator. -mlsconstrain socket_class_set { create relabelfrom relabelto } - ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); - -# Datagram send: Sender must be equivalent to the receiver unless one of them -# is trusted. -mlsconstrain unix_dgram_socket { sendto } - (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); - -# Stream connect: Client must be equivalent to server unless one of them -# is trusted. -mlsconstrain unix_stream_socket { connectto } - (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); - -# -# Directory/file constraints -# - -# Create/relabel operations: Subject must be equivalent to object unless -# the subject is trusted. Also, files should always be single-level. -# Do NOT exempt mlstrustedobject types from this constraint. -mlsconstrain dir_file_class_set { create relabelfrom relabelto } - (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); - -# -# Constraints for app data files only. -# - -# Only constrain open, not read/write. -# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc. -# Subject must be equivalent to object unless the subject is trusted. -mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir } - (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); -mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename } - (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject); - -# -# Constraints for file types other than app data files. -# - -# Read operations: Subject must dominate object unless the subject -# or the object is trusted. -mlsconstrain dir { read getattr search } - (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); - -mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } - (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); - -# Write operations: Subject must be equivalent to the object unless the -# subject or the object is trusted. -mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } - (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); - -mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } - (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); - -# Special case for FIFOs. -# These can be unnamed pipes, in which case they will be labeled with the -# creating process' label. Thus we also have an exemption when the "object" -# is a domain type, so that processes can communicate via unnamed pipes -# passed by binder or local socket IPC. -mlsconstrain fifo_file { read getattr } - (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); - -mlsconstrain fifo_file { write setattr append unlink link rename } - (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); - -# -# Binder IPC constraints -# -# Presently commented out, as apps are expected to call one another. -# This would only make sense if apps were assigned categories -# based on allowable communications rather than per-app categories. -#mlsconstrain binder call -# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); diff --git a/mls_macros b/mls_macros deleted file mode 100644 index 83e0542..0000000 --- a/mls_macros +++ /dev/null @@ -1,54 +0,0 @@ -######################################## -# -# gen_cats(N) -# -# declares categores c0 to c(N-1) -# -define(`decl_cats',`dnl -category c$1; -ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl -') - -define(`gen_cats',`decl_cats(0,decr($1))') - -######################################## -# -# gen_sens(N) -# -# declares sensitivites s0 to s(N-1) with dominance -# in increasing numeric order with s0 lowest, s(N-1) highest -# -define(`decl_sens',`dnl -sensitivity s$1; -ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl -') - -define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')') - -define(`gen_sens',` -# Each sensitivity has a name and zero or more aliases. -decl_sens(0,decr($1)) - -# Define the ordering of the sensitivity levels (least to greatest) -dominance { gen_dominance(0,decr($1)) } -') - -######################################## -# -# gen_levels(N,M) -# -# levels from s0 to (N-1) with categories c0 to (M-1) -# -define(`decl_levels',`dnl -level s$1:c0.c$3; -ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl -') - -define(`gen_levels',`decl_levels(0,decr($1),decr($2))') - -######################################## -# -# Basic level names for system low and high -# -define(`mls_systemlow',`s0') -define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)') @@ -1,12 +0,0 @@ -# vpn tunneling protocol manager -type mtp, domain, domain_deprecated; -type mtp_exec, exec_type, file_type; - -init_daemon_domain(mtp) -net_domain(mtp) - -# pptp policy -allow mtp self:socket create_socket_perms; -allow mtp self:capability net_raw; -allow mtp ppp:process signal; -allow mtp vpn_data_file:dir search; @@ -1,25 +0,0 @@ -# Network types -type node, node_type; -type netif, netif_type; -type port, port_type; - -# Use network sockets. -allow netdomain self:tcp_socket create_stream_socket_perms; -allow netdomain self:{ udp_socket rawip_socket } create_socket_perms; -# Connect to ports. -allow netdomain port_type:tcp_socket name_connect; -# Bind to ports. -allow netdomain node_type:{ tcp_socket udp_socket } node_bind; -allow netdomain port_type:udp_socket name_bind; -allow netdomain port_type:tcp_socket name_bind; -# See changes to the routing table. -allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read }; - -# Talks to netd via dnsproxyd socket. -unix_socket_connect(netdomain, dnsproxyd, netd) - -# Talks to netd via fwmarkd socket. -unix_socket_connect(netdomain, fwmarkd, netd) - -# Connect to mdnsd via mdnsd socket. -unix_socket_connect(netdomain, mdnsd, mdnsd) diff --git a/netd.te b/netd.te deleted file mode 100644 index d6c715c..0000000 --- a/netd.te +++ /dev/null @@ -1,88 +0,0 @@ -# network manager -type netd, domain, domain_deprecated, mlstrustedsubject; -type netd_exec, exec_type, file_type; - -init_daemon_domain(netd) -net_domain(netd) - -allow netd self:capability { net_admin net_raw kill }; -# Note: fsetid is deliberately not included above. fsetid checks are -# triggered by chmod on a directory or file owned by a group other -# than one of the groups assigned to the current process to see if -# the setgid bit should be cleared, regardless of whether the setgid -# bit was even set. We do not appear to truly need this capability -# for netd to operate. -dontaudit netd self:capability fsetid; - -allow netd self:netlink_kobject_uevent_socket create_socket_perms; -allow netd self:netlink_route_socket nlmsg_write; -allow netd self:netlink_nflog_socket create_socket_perms; -allow netd self:netlink_socket create_socket_perms; -allow netd self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read nlmsg_write }; -allow netd self:netlink_generic_socket create_socket_perms; -allow netd self:netlink_netfilter_socket create_socket_perms; -allow netd shell_exec:file rx_file_perms; -allow netd system_file:file x_file_perms; -allow netd devpts:chr_file rw_file_perms; - -# For /proc/sys/net/ipv[46]/route/flush. -allow netd proc_net:file write; - -# For /sys/modules/bcmdhd/parameters/firmware_path -# XXX Split into its own type. -allow netd sysfs:file write; - -# Set dhcp lease for PAN connection -set_prop(netd, dhcp_prop) -set_prop(netd, system_prop) -auditallow netd system_prop:property_service set; - -# Connect to PAN -domain_auto_trans(netd, dhcp_exec, dhcp) -allow netd dhcp:process signal; - -# Needed to update /data/misc/wifi/hostapd.conf -# TODO: See what we can do to reduce the need for -# these capabilities -allow netd self:capability { dac_override chown fowner }; -allow netd wifi_data_file:file create_file_perms; -allow netd wifi_data_file:dir rw_dir_perms; - -# Needed to update /data/misc/net/rt_tables -allow netd net_data_file:file create_file_perms; -allow netd net_data_file:dir rw_dir_perms; - -# Allow netd to spawn hostapd in it's own domain -domain_auto_trans(netd, hostapd_exec, hostapd) -allow netd hostapd:process signal; - -# Allow netd to spawn dnsmasq in it's own domain -domain_auto_trans(netd, dnsmasq_exec, dnsmasq) -allow netd dnsmasq:process signal; - -# Allow netd to start clatd in its own domain -domain_auto_trans(netd, clatd_exec, clatd) -allow netd clatd:process signal; - -set_prop(netd, ctl_mdnsd_prop) - -# Allow netd to operate on sockets that are passed to it. -allow netd netdomain:{tcp_socket udp_socket rawip_socket dccp_socket tun_socket} {read write getattr setattr getopt setopt}; -allow netd netdomain:fd use; - -### -### Neverallow rules -### -### netd should NEVER do any of this - -# Block device access. -neverallow netd dev_type:blk_file { read write }; - -# ptrace any other app -neverallow netd { domain }:process ptrace; - -# Write to /system. -neverallow netd system_file:dir_file_class_set write; - -# Write to files in /data/data or system files on /data -neverallow netd { app_data_file system_data_file }:dir_file_class_set write; diff --git a/neverallow_macros b/neverallow_macros deleted file mode 100644 index b36cceb..0000000 --- a/neverallow_macros +++ /dev/null @@ -1,6 +0,0 @@ -# -# Common neverallow permissions -define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }') -define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }') -define(`no_x_file_perms', `{ execute execute_no_trans }') -define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }') @@ -1,31 +0,0 @@ -# nfc subsystem -type nfc, domain, domain_deprecated; -app_domain(nfc) -net_domain(nfc) -binder_service(nfc) - -# Set NFC properties -set_prop(nfc, nfc_prop) - -# NFC device access. -allow nfc nfc_device:chr_file rw_file_perms; - -# Data file accesses. -allow nfc nfc_data_file:dir create_dir_perms; -allow nfc nfc_data_file:notdevfile_class_set create_file_perms; - -allow nfc sysfs_nfc_power_writable:file rw_file_perms; -allow nfc sysfs:file write; - -allow nfc drmserver_service:service_manager find; -allow nfc mediaserver_service:service_manager find; -allow nfc nfc_service:service_manager { add find }; -allow nfc radio_service:service_manager find; -allow nfc surfaceflinger_service:service_manager find; -allow nfc app_api_service:service_manager find; -allow nfc system_api_service:service_manager find; - -# already open bugreport file descriptors may be shared with -# the nfc process, from a file in -# /data/data/com.android.shell/files/bugreports/bugreport-*. -allow nfc shell_data_file:file read; diff --git a/perfprofd.te b/perfprofd.te deleted file mode 100644 index 0122c55..0000000 --- a/perfprofd.te +++ /dev/null @@ -1,59 +0,0 @@ -# perfprofd - perf profile collection daemon -type perfprofd_exec, exec_type, file_type; - -userdebug_or_eng(` - - type perfprofd, domain, domain_deprecated, mlstrustedsubject; - - init_daemon_domain(perfprofd) - - # perfprofd needs to control CPU hot-plug in order to avoid kernel - # perfevents problems in cases where CPU goes on/off during measurement; - # this means read access to /sys/devices/system/cpu/possible - # and read/write access to /sys/devices/system/cpu/cpu*/online - allow perfprofd sysfs_devices_system_cpu:file rw_file_perms; - - # perfprofd checks for the existence of and then invokes simpleperf; - # simpleperf retains perfprofd domain after exec - allow perfprofd system_file:file rx_file_perms; - - # perfprofd reads a config file from /data/data/com.google.android.gms/files - allow perfprofd app_data_file:file r_file_perms; - allow perfprofd app_data_file:dir search; - allow perfprofd self:capability { dac_override }; - - # perfprofd opens a file for writing in /data/misc/perfprofd - allow perfprofd perfprofd_data_file:file create_file_perms; - allow perfprofd perfprofd_data_file:dir rw_dir_perms; - - # perfprofd uses the system log - read_logd(perfprofd); - write_logd(perfprofd); - - # perfprofd inspects /sys/power/wake_unlock - wakelock_use(perfprofd); - - # simpleperf uses ioctl() to turn on kernel perf events measurements - allow perfprofd self:capability sys_admin; - - # simpleperf needs to examine /proc to collect task/thread info - r_dir_file(perfprofd, domain) - - # simpleperf needs to access /proc/<pid>/exec - allow perfprofd self:capability { sys_resource sys_ptrace }; - neverallow perfprofd domain:process ptrace; - - # simpleperf needs open/read any file that turns up in a profile - # to see whether it has a build ID - allow perfprofd exec_type:file r_file_perms; - - # simpleperf examines debugfs on startup to collect tracepoint event types - allow perfprofd debugfs_tracing:file r_file_perms; - - # simpleperf is going to execute "sleep" - allow perfprofd toolbox_exec:file rx_file_perms; - - # needed for simpleperf on some kernels - allow perfprofd self:capability ipc_lock; - -') diff --git a/platform_app.te b/platform_app.te deleted file mode 100644 index 0381288..0000000 --- a/platform_app.te +++ /dev/null @@ -1,47 +0,0 @@ -### -### Apps signed with the platform key. -### - -type platform_app, domain, domain_deprecated; -app_domain(platform_app) -# Access the network. -net_domain(platform_app) -# Access bluetooth. -bluetooth_domain(platform_app) -# Read from /data/local/tmp or /data/data/com.android.shell. -allow platform_app shell_data_file:dir search; -allow platform_app shell_data_file:file { open getattr read }; -# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files -# created by system server. -allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms; -allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms; -allow platform_app apk_private_data_file:dir search; -# ASEC -allow platform_app asec_apk_file:dir create_dir_perms; -allow platform_app asec_apk_file:file create_file_perms; - -# Access to /data/media. -allow platform_app media_rw_data_file:dir create_dir_perms; -allow platform_app media_rw_data_file:file create_file_perms; - -# Write to /cache. -allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms; -allow platform_app { cache_file cache_recovery_file }:file create_file_perms; - -# Likely not needed -auditallow platform_app cache_recovery_file:dir create_dir_perms; -auditallow platform_app cache_recovery_file:file create_file_perms; - -# Direct access to vold-mounted storage under /mnt/media_rw -# This is a performance optimization that allows platform apps to bypass the FUSE layer -allow platform_app mnt_media_rw_file:dir r_dir_perms; -allow platform_app vfat:dir create_dir_perms; -allow platform_app vfat:file create_file_perms; - -allow platform_app drmserver_service:service_manager find; -allow platform_app mediaserver_service:service_manager find; -allow platform_app persistent_data_block_service:service_manager find; -allow platform_app radio_service:service_manager find; -allow platform_app surfaceflinger_service:service_manager find; -allow platform_app app_api_service:service_manager find; -allow platform_app system_api_service:service_manager find; diff --git a/policy_capabilities b/policy_capabilities deleted file mode 100644 index c7b9d9c..0000000 --- a/policy_capabilities +++ /dev/null @@ -1,5 +0,0 @@ -# Enable new networking controls. -policycap network_peer_controls; - -# Enable open permission check. -policycap open_perms; diff --git a/port_contexts b/port_contexts deleted file mode 100644 index b473c0c..0000000 --- a/port_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# portcon statements go here, e.g. -# portcon tcp 80 u:object_r:http_port:s0 - diff --git a/postinstall.te b/postinstall.te deleted file mode 100644 index 8afc561..0000000 --- a/postinstall.te +++ /dev/null @@ -1,20 +0,0 @@ -# Domain where the postinstall program runs during the update. -# Extend the permissions in this domain to allow this program to access other -# files needed by the specific device on your device's sepolicy directory. -type postinstall, domain; - -# Allow postinstall to write to its stdout/stderr when redirected via pipes to -# update_engine. -allow postinstall update_engine:fd use; -allow postinstall update_engine:fifo_file rw_file_perms; - -# Allow postinstall to read and execute directories and files in the same -# mounted location. -allow postinstall postinstall_file:file rx_file_perms; -allow postinstall postinstall_file:lnk_file r_file_perms; -allow postinstall postinstall_file:dir r_dir_perms; - -# Allow postinstall to execute the shell or other system executables. -allow postinstall shell_exec:file rx_file_perms; -allow postinstall system_file:file rx_file_perms; -allow postinstall toolbox_exec:file rx_file_perms; @@ -1,16 +0,0 @@ -# Point to Point Protocol daemon -type ppp, domain, domain_deprecated; -type ppp_device, dev_type; -type ppp_exec, exec_type, file_type; -domain_auto_trans(mtp, ppp_exec, ppp) - -net_domain(ppp) - -allow ppp mtp:socket rw_socket_perms; -allow ppp mtp:unix_dgram_socket rw_socket_perms; -allow ppp ppp_device:chr_file rw_file_perms; -allow ppp self:capability net_admin; -allow ppp system_file:file rx_file_perms; -allow ppp vpn_data_file:dir w_dir_perms; -allow ppp vpn_data_file:file create_file_perms; -allow ppp mtp:fd use; diff --git a/priv_app.te b/priv_app.te deleted file mode 100644 index 9146263..0000000 --- a/priv_app.te +++ /dev/null @@ -1,123 +0,0 @@ -### -### A domain for further sandboxing privileged apps. -### -type priv_app, domain, domain_deprecated; -app_domain(priv_app) -# Access the network. -net_domain(priv_app) -# Access bluetooth. -bluetooth_domain(priv_app) - -# Some apps ship with shared libraries and binaries that they write out -# to their sandbox directory and then execute. -allow priv_app app_data_file:file rx_file_perms; - -# android.process.media uses /dev/mtp_usb -allow priv_app mtp_device:chr_file rw_file_perms; - -# Allow the allocation and use of ptys -# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm -create_pty(priv_app) - -allow priv_app drmserver_service:service_manager find; -allow priv_app mediaserver_service:service_manager find; -allow priv_app nfc_service:service_manager find; -allow priv_app radio_service:service_manager find; -allow priv_app surfaceflinger_service:service_manager find; -allow priv_app app_api_service:service_manager find; -allow priv_app system_api_service:service_manager find; -allow priv_app persistent_data_block_service:service_manager find; -allow priv_app recovery_service:service_manager find; - -# Traverse into /mnt/media_rw for bypassing FUSE daemon -# TODO: narrow this to just MediaProvider -allow priv_app mnt_media_rw_file:dir search; - -# Write to /cache. -allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms; -allow priv_app { cache_file cache_recovery_file }:file create_file_perms; - -# Access to /data/media. -allow priv_app media_rw_data_file:dir create_dir_perms; -allow priv_app media_rw_data_file:file create_file_perms; - -# Used by Finsky / Android "Verify Apps" functionality when -# running "adb install foo.apk". -allow priv_app shell_data_file:file r_file_perms; -allow priv_app shell_data_file:dir r_dir_perms; - -# Allow verifier to access staged apks. -allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms; -allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms; - -# b/18504118: Allow reads from /data/anr/traces.txt -allow priv_app anr_data_file:file r_file_perms; - -# Allow GMS core to access perfprofd output, which is stored -# in /data/misc/perfprofd/. GMS core will need to list all -# data stored in that directory to process them one by one. -userdebug_or_eng(` - allow priv_app perfprofd_data_file:file r_file_perms; - allow priv_app perfprofd_data_file:dir r_dir_perms; -') - -# Allow GMS core to stat files and executables on -# the system partition -allow priv_app exec_type:file getattr; - -# For AppFuse. -allow priv_app vold:fd use; -allow priv_app fuse_device:chr_file { read write }; -allow priv_app app_fuse_file:dir rw_dir_perms; -allow priv_app app_fuse_file:file rw_file_perms; - -# /sys access -allow priv_app sysfs_zram:dir search; -allow priv_app sysfs_zram:file r_file_perms; - -# Allow GMS core to communicate with update_engine for A/B update. -binder_call(priv_app, update_engine) -allow priv_app update_engine_service:service_manager find; - -### -### neverallow rules -### - -# Receive or send uevent messages. -neverallow priv_app domain:netlink_kobject_uevent_socket *; - -# Receive or send generic netlink messages -neverallow priv_app domain:netlink_socket *; - -# Too much leaky information in debugfs. It's a security -# best practice to ensure these files aren't readable. -neverallow priv_app debugfs:file read; - -# Do not allow privileged apps to register services. -# Only trusted components of Android should be registering -# services. -neverallow priv_app service_manager_type:service_manager add; - -# Do not allow privileged apps to connect to the property service -# or set properties. b/10243159 -neverallow priv_app property_socket:sock_file write; -neverallow priv_app init:unix_stream_socket connectto; -neverallow priv_app property_type:property_service set; - -# Do not allow priv_app to be assigned mlstrustedsubject. -# This would undermine the per-user isolation model being -# enforced via levelFrom=user in seapp_contexts and the mls -# constraints. As there is no direct way to specify a neverallow -# on attribute assignment, this relies on the fact that fork -# permission only makes sense within a domain (hence should -# never be granted to any other domain within mlstrustedsubject) -# and priv_app is allowed fork permission to itself. -neverallow priv_app mlstrustedsubject:process fork; - -# Do not allow priv_app to hard link to any files. -# In particular, if priv_app links to other app data -# files, installd will not be able to guarantee the deletion -# of the linked to file. Hard links also contribute to security -# bugs, so we want to ensure priv_app never has this -# capability. -neverallow priv_app file_type:file link; diff --git a/property.te b/property.te deleted file mode 100644 index 26d15ff..0000000 --- a/property.te +++ /dev/null @@ -1,38 +0,0 @@ -type default_prop, property_type, core_property_type; -type shell_prop, property_type, core_property_type; -type debug_prop, property_type, core_property_type; -type dumpstate_prop, property_type, core_property_type; -type persist_debug_prop, property_type, core_property_type; -type debuggerd_prop, property_type, core_property_type; -type dhcp_prop, property_type, core_property_type; -type fingerprint_prop, property_type, core_property_type; -type ffs_prop, property_type, core_property_type; -type radio_prop, property_type, core_property_type; -type net_radio_prop, property_type, core_property_type; -type system_radio_prop, property_type, core_property_type; -type system_prop, property_type, core_property_type; -type vold_prop, property_type, core_property_type; -type ctl_bootanim_prop, property_type; -type ctl_default_prop, property_type; -type ctl_dhcp_pan_prop, property_type; -type ctl_dumpstate_prop, property_type; -type ctl_fuse_prop, property_type; -type ctl_mdnsd_prop, property_type; -type ctl_rildaemon_prop, property_type; -type ctl_bugreport_prop, property_type; -type ctl_console_prop, property_type; -type audio_prop, property_type, core_property_type; -type logd_prop, property_type, core_property_type; -type mmc_prop, property_type; -type restorecon_prop, property_type, core_property_type; -type security_prop, property_type, core_property_type; -type bluetooth_prop, property_type, core_property_type; -type pan_result_prop, property_type, core_property_type; -type powerctl_prop, property_type, core_property_type; -type nfc_prop, property_type, core_property_type; -type dalvik_prop, property_type, core_property_type; -type config_prop, property_type, core_property_type; -type device_logging_prop, property_type; -type safemode_prop, property_type; - -allow property_type tmpfs:filesystem associate; diff --git a/property_contexts b/property_contexts deleted file mode 100644 index 66f1f14..0000000 --- a/property_contexts +++ /dev/null @@ -1,92 +0,0 @@ -########################## -# property service keys -# -# -net.rmnet u:object_r:net_radio_prop:s0 -net.gprs u:object_r:net_radio_prop:s0 -net.ppp u:object_r:net_radio_prop:s0 -net.qmi u:object_r:net_radio_prop:s0 -net.lte u:object_r:net_radio_prop:s0 -net.cdma u:object_r:net_radio_prop:s0 -net.dns u:object_r:net_radio_prop:s0 -sys.usb.config u:object_r:system_radio_prop:s0 -ril. u:object_r:radio_prop:s0 -ro.ril. u:object_r:radio_prop:s0 -gsm. u:object_r:radio_prop:s0 -persist.radio u:object_r:radio_prop:s0 - -net. u:object_r:system_prop:s0 -dev. u:object_r:system_prop:s0 -ro.runtime. u:object_r:system_prop:s0 -hw. u:object_r:system_prop:s0 -ro.hw. u:object_r:system_prop:s0 -sys. u:object_r:system_prop:s0 -sys.powerctl u:object_r:powerctl_prop:s0 -sys.usb.ffs. u:object_r:ffs_prop:s0 -service. u:object_r:system_prop:s0 -wlan. u:object_r:system_prop:s0 -dhcp. u:object_r:dhcp_prop:s0 -dhcp.bt-pan.result u:object_r:pan_result_prop:s0 -bluetooth. u:object_r:bluetooth_prop:s0 - -debug. u:object_r:debug_prop:s0 -debug.db. u:object_r:debuggerd_prop:s0 -dumpstate. u:object_r:dumpstate_prop:s0 -log. u:object_r:shell_prop:s0 -service.adb.root u:object_r:shell_prop:s0 -service.adb.tcp.port u:object_r:shell_prop:s0 - -persist.audio. u:object_r:audio_prop:s0 -persist.bluetooth. u:object_r:bluetooth_prop:s0 -persist.debug. u:object_r:persist_debug_prop:s0 -persist.logd. u:object_r:logd_prop:s0 -persist.logd.security u:object_r:device_logging_prop:s0 -persist.log.tag u:object_r:logd_prop:s0 -persist.mmc. u:object_r:mmc_prop:s0 -persist.sys. u:object_r:system_prop:s0 -persist.sys.safemode u:object_r:safemode_prop:s0 -persist.sys.audit_safemode u:object_r:safemode_prop:s0 -persist.service. u:object_r:system_prop:s0 -persist.service.bdroid. u:object_r:bluetooth_prop:s0 -persist.security. u:object_r:system_prop:s0 - -# Boolean property set by system server upon boot indicating -# if device owner is provisioned. -ro.device_owner u:object_r:device_logging_prop:s0 - -# selinux non-persistent properties -selinux.restorecon_recursive u:object_r:restorecon_prop:s0 -selinux. u:object_r:security_prop:s0 - -# default property context -* u:object_r:default_prop:s0 - -# data partition encryption properties -vold. u:object_r:vold_prop:s0 -ro.crypto. u:object_r:vold_prop:s0 - -# ro.build.fingerprint is either set in /system/build.prop, or is -# set at runtime by system_server. -ro.build.fingerprint u:object_r:fingerprint_prop:s0 - -# ctl properties -ctl.bootanim u:object_r:ctl_bootanim_prop:s0 -ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0 -ctl.fuse_ u:object_r:ctl_fuse_prop:s0 -ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0 -ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0 -ctl.bugreport u:object_r:ctl_bugreport_prop:s0 -ctl.dhcpcd_bt-pan u:object_r:ctl_dhcp_pan_prop:s0 -ctl.console u:object_r:ctl_console_prop:s0 -ctl. u:object_r:ctl_default_prop:s0 - -# NFC properties -nfc. u:object_r:nfc_prop:s0 - -# These properties are not normally set by processes other than init. -# They are only distinguished here for setting by qemu-props on the -# emulator/goldfish. -config. u:object_r:config_prop:s0 -ro.config. u:object_r:config_prop:s0 -dalvik. u:object_r:dalvik_prop:s0 -ro.dalvik. u:object_r:dalvik_prop:s0 diff --git a/racoon.te b/racoon.te deleted file mode 100644 index bf272d1..0000000 --- a/racoon.te +++ /dev/null @@ -1,32 +0,0 @@ -# IKE key management daemon -type racoon, domain, domain_deprecated; -type racoon_exec, exec_type, file_type; - -init_daemon_domain(racoon) -typeattribute racoon mlstrustedsubject; - -net_domain(racoon) - -binder_use(racoon) - -allow racoon tun_device:chr_file r_file_perms; -allow racoon cgroup:dir { add_name create }; -allow racoon kernel:system module_request; - -allow racoon self:key_socket create_socket_perms; -allow racoon self:tun_socket create_socket_perms; -allow racoon self:capability { net_admin net_bind_service net_raw setuid }; - -# XXX: should we give ip-up-vpn its own label (currently racoon domain) -allow racoon system_file:file rx_file_perms; -allow racoon vpn_data_file:file create_file_perms; -allow racoon vpn_data_file:dir w_dir_perms; - -use_keystore(racoon) - -# Racoon (VPN) has a restricted set of permissions from the default. -allow racoon keystore:keystore_key { - get - sign - verify -}; diff --git a/radio.te b/radio.te deleted file mode 100644 index 448fdb5..0000000 --- a/radio.te +++ /dev/null @@ -1,35 +0,0 @@ -# phone subsystem -type radio, domain, domain_deprecated, mlstrustedsubject; -app_domain(radio) -net_domain(radio) -bluetooth_domain(radio) -binder_service(radio) - -# Talks to rild via the rild socket. -unix_socket_connect(radio, rild, rild) - -# Data file accesses. -allow radio radio_data_file:dir create_dir_perms; -allow radio radio_data_file:notdevfile_class_set create_file_perms; - -allow radio alarm_device:chr_file rw_file_perms; - -allow radio net_data_file:dir search; -allow radio net_data_file:file r_file_perms; - -# Property service -set_prop(radio, radio_prop) -set_prop(radio, system_radio_prop) -set_prop(radio, net_radio_prop) -auditallow radio net_radio_prop:property_service set; -auditallow radio system_radio_prop:property_service set; - -# ctl interface -set_prop(radio, ctl_rildaemon_prop) - -allow radio drmserver_service:service_manager find; -allow radio mediaserver_service:service_manager find; -allow radio radio_service:service_manager { add find }; -allow radio surfaceflinger_service:service_manager find; -allow radio app_api_service:service_manager find; -allow radio system_api_service:service_manager find; diff --git a/recovery.te b/recovery.te deleted file mode 100644 index d5767ed..0000000 --- a/recovery.te +++ /dev/null @@ -1,121 +0,0 @@ -# recovery console (used in recovery init.rc for /sbin/recovery) - -# Declare the domain unconditionally so we can always reference it -# in neverallow rules. -type recovery, domain, domain_deprecated; - -# But the allow rules are only included in the recovery policy. -# Otherwise recovery is only allowed the domain rules. -recovery_only(` - allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config }; - - # Set security contexts on files that are not known to the loaded policy. - allow recovery self:capability2 mac_admin; - - # Run helpers from / or /system without changing domain. - allow recovery rootfs:file execute_no_trans; - allow recovery system_file:file execute_no_trans; - allow recovery toolbox_exec:file rx_file_perms; - - # Mount filesystems. - allow recovery rootfs:dir mounton; - allow recovery fs_type:filesystem ~relabelto; - allow recovery unlabeled:filesystem ~relabelto; - allow recovery contextmount_type:filesystem relabelto; - - # Create and relabel files and directories under /system. - allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto }; - allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto }; - allow recovery system_file:dir { create_dir_perms relabelfrom relabelto }; - - # We may be asked to set an SELinux label for a type not known to the - # currently loaded policy. Allow it. - allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto }; - allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto }; - - # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux - # support to OTAs. However, that code has a bug. When an update occurs, - # some directories are inappropriately labeled as exec_type. This is - # only transient, and subsequent steps in the OTA script correct this - # mistake. New devices are moving to block based OTAs, so this is not - # worth fixing. b/15575013 - allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto }; - - # Write to /proc/sys/vm/drop_caches - allow recovery proc_drop_caches:file w_file_perms; - - # Write to /sys/class/android_usb/android0/enable. - # TODO: create more specific label? - allow recovery sysfs:file w_file_perms; - - allow recovery sysfs_batteryinfo:file r_file_perms; - - allow recovery kernel:system syslog_read; - - # Access /dev/android_adb or /dev/usb-ffs/adb/ep0 - allow recovery adb_device:chr_file rw_file_perms; - allow recovery functionfs:dir search; - allow recovery functionfs:file rw_file_perms; - - # Required to e.g. wipe userdata/cache. - allow recovery device:dir r_dir_perms; - allow recovery block_device:dir r_dir_perms; - allow recovery dev_type:blk_file rw_file_perms; - - # GUI - allow recovery self:process execmem; - allow recovery ashmem_device:chr_file execute; - allow recovery graphics_device:chr_file rw_file_perms; - allow recovery graphics_device:dir r_dir_perms; - allow recovery input_device:dir r_dir_perms; - allow recovery input_device:chr_file r_file_perms; - allow recovery tty_device:chr_file rw_file_perms; - - # Create /tmp/recovery.log and execute /tmp/update_binary. - allow recovery tmpfs:file { create_file_perms x_file_perms }; - allow recovery tmpfs:dir create_dir_perms; - - # Manage files on /cache and /cache/recovery - allow recovery { cache_file cache_recovery_file }:dir create_dir_perms; - allow recovery { cache_file cache_recovery_file }:file create_file_perms; - - # Read files on /oem. - r_dir_file(recovery, oemfs); - - # Reboot the device - set_prop(recovery, powerctl_prop) - - # Start/stop adbd via ctl.start adbd - set_prop(recovery, ctl_default_prop) - - # Use setfscreatecon() to label files for OTA updates. - allow recovery self:process setfscreate; - - # Allow recovery to create a fuse filesystem, and read files from it. - allow recovery fuse_device:chr_file rw_file_perms; - allow recovery fuse:dir r_dir_perms; - allow recovery fuse:file r_file_perms; - - wakelock_use(recovery) - - # This line seems suspect, as it should not really need to - # set scheduling parameters for a kernel domain task. - allow recovery kernel:process setsched; -') - -### -### neverallow rules -### - -# Recovery should never touch /data. -# -# In particular, if /data is encrypted, it is not accessible -# to recovery anyway. -# -# For now, we only enforce write/execute restrictions, as domain.te -# contains a number of read-only rules that apply to all -# domains, including recovery. -# -# TODO: tighten this up further. -neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms }; -neverallow recovery data_file_type:dir no_w_dir_perms; diff --git a/recovery_persist.te b/recovery_persist.te deleted file mode 100644 index 19a240f..0000000 --- a/recovery_persist.te +++ /dev/null @@ -1,31 +0,0 @@ -# android recovery persistent log manager -type recovery_persist, domain; -type recovery_persist_exec, exec_type, file_type; - -init_daemon_domain(recovery_persist) - -allow recovery_persist pstorefs:dir search; -allow recovery_persist pstorefs:file r_file_perms; - -allow recovery_persist recovery_data_file:file create_file_perms; -allow recovery_persist recovery_data_file:dir create_dir_perms; - -### -### Neverallow rules -### -### recovery_persist should NEVER do any of this - -# Block device access. -neverallow recovery_persist dev_type:blk_file { read write }; - -# ptrace any other app -neverallow recovery_persist domain:process ptrace; - -# Write to /system. -neverallow recovery_persist system_file:dir_file_class_set write; - -# Write to files in /data/data -neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write; - -# recovery_persist is not allowed to write anywhere other than recovery_data_file -neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write; diff --git a/recovery_refresh.te b/recovery_refresh.te deleted file mode 100644 index 9fae110..0000000 --- a/recovery_refresh.te +++ /dev/null @@ -1,29 +0,0 @@ -# android recovery refresh log manager -type recovery_refresh, domain; -type recovery_refresh_exec, exec_type, file_type; - -init_daemon_domain(recovery_refresh) - -allow recovery_refresh pstorefs:dir search; -allow recovery_refresh pstorefs:file r_file_perms; -# NB: domain inherits write_logd which hands us write to pmsg_device - -### -### Neverallow rules -### -### recovery_refresh should NEVER do any of this - -# Block device access. -neverallow recovery_refresh dev_type:blk_file { read write }; - -# ptrace any other app -neverallow recovery_refresh domain:process ptrace; - -# Write to /system. -neverallow recovery_refresh system_file:dir_file_class_set write; - -# Write to files in /data/data or system files on /data -neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write; - -# recovery_refresh is not allowed to write anywhere -neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write; diff --git a/rild.te b/rild.te deleted file mode 100644 index e2856a3..0000000 --- a/rild.te +++ /dev/null @@ -1,47 +0,0 @@ -# rild - radio interface layer daemon -type rild, domain, domain_deprecated; -type rild_exec, exec_type, file_type; - -init_daemon_domain(rild) -net_domain(rild) -allow rild self:netlink_route_socket nlmsg_write; -allow rild kernel:system module_request; -allow rild self:capability { setuid net_admin net_raw }; -allow rild alarm_device:chr_file rw_file_perms; -allow rild cgroup:dir create_dir_perms; -allow rild radio_device:chr_file rw_file_perms; -allow rild radio_device:blk_file r_file_perms; -allow rild mtd_device:dir search; -allow rild efs_file:dir create_dir_perms; -allow rild efs_file:file create_file_perms; -allow rild shell_exec:file rx_file_perms; -allow rild bluetooth_efs_file:file r_file_perms; -allow rild bluetooth_efs_file:dir r_dir_perms; -allow rild radio_data_file:dir rw_dir_perms; -allow rild radio_data_file:file create_file_perms; -allow rild sdcard_type:dir r_dir_perms; -allow rild system_data_file:dir r_dir_perms; -allow rild system_data_file:file r_file_perms; -allow rild system_file:file x_file_perms; - -# property service -set_prop(rild, radio_prop) -set_prop(rild, net_radio_prop) -set_prop(rild, system_radio_prop) -auditallow rild net_radio_prop:property_service set; -auditallow rild system_radio_prop:property_service set; - -# Read/Write to uart driver (for GPS) -allow rild gps_device:chr_file rw_file_perms; - -allow rild tty_device:chr_file rw_file_perms; - -# Allow rild to create and use netlink sockets. -allow rild self:netlink_socket create_socket_perms; -allow rild self:netlink_generic_socket create_socket_perms; -allow rild self:netlink_kobject_uevent_socket create_socket_perms; - -# Access to wake locks -wakelock_use(rild) - -allow rild self:socket create_socket_perms; @@ -1,2 +0,0 @@ -role r; -role r types domain; diff --git a/runas.te b/runas.te deleted file mode 100644 index 58a1bdc..0000000 --- a/runas.te +++ /dev/null @@ -1,33 +0,0 @@ -type runas, domain, domain_deprecated, mlstrustedsubject; -type runas_exec, exec_type, file_type; - -# ndk-gdb invokes adb shell run-as. -domain_auto_trans(shell, runas_exec, runas) -allow runas adbd:process sigchld; -allow runas shell:fd use; -allow runas shell:fifo_file { read write }; -allow runas devpts:chr_file { read write ioctl }; -allow runas shell_data_file:file { read write }; - -# run-as reads package information. -allow runas system_data_file:file r_file_perms; - -# run-as checks and changes to the app data dir. -dontaudit runas self:capability dac_override; -allow runas app_data_file:dir { getattr search }; - -# run-as switches to the app UID/GID. -allow runas self:capability { setuid setgid }; - -# run-as switches to the app security context. -selinux_check_context(runas) # validate context -allow runas self:process setcurrent; -allow runas non_system_app_set:process dyntransition; # setcon - -### -### neverallow rules -### - -# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID -neverallow runas self:capability ~{ setuid setgid }; -neverallow runas self:capability2 *; diff --git a/sdcardd.te b/sdcardd.te deleted file mode 100644 index 846c59b..0000000 --- a/sdcardd.te +++ /dev/null @@ -1,40 +0,0 @@ -type sdcardd, domain, domain_deprecated; -type sdcardd_exec, exec_type, file_type; - -allow sdcardd cgroup:dir create_dir_perms; -allow sdcardd fuse_device:chr_file rw_file_perms; -allow sdcardd rootfs:dir mounton; # TODO: deprecated in M -allow sdcardd tmpfs:dir r_dir_perms; -allow sdcardd mnt_media_rw_file:dir r_dir_perms; -allow sdcardd storage_file:dir search; -allow sdcardd storage_stub_file:dir { search mounton }; -allow sdcardd sdcard_type:filesystem { mount unmount }; -allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource }; - -allow sdcardd sdcard_type:dir create_dir_perms; -allow sdcardd sdcard_type:file create_file_perms; - -type_transition sdcardd system_data_file:{ dir file } media_rw_data_file; -allow sdcardd media_rw_data_file:dir create_dir_perms; -allow sdcardd media_rw_data_file:file create_file_perms; - -# Read /data/system/packages.list. -allow sdcardd system_data_file:file r_file_perms; - -# Read /data/.layout_version -allow sdcardd install_data_file:file r_file_perms; - -# Allow stdin/out back to vold -allow sdcardd vold:fd use; -allow sdcardd vold:fifo_file { read write getattr }; - -# Allow running on top of expanded storage -allow sdcardd mnt_expand_file:dir search; - -### -### neverallow rules -### - -# The sdcard daemon should no longer be started from init -neverallow init sdcardd_exec:file execute; -neverallow init sdcardd:process { transition dyntransition }; diff --git a/seapp_contexts b/seapp_contexts deleted file mode 100644 index d8d2240..0000000 --- a/seapp_contexts +++ /dev/null @@ -1,92 +0,0 @@ -# Input selectors: -# isSystemServer (boolean) -# isOwner (boolean) -# user (string) -# seinfo (string) -# name (string) -# path (string) -# isPrivApp (boolean) -# isSystemServer=true can only be used once. -# An unspecified isSystemServer defaults to false. -# isOwner=true will only match for the owner/primary user. -# isOwner=false will only match for secondary users. -# If unspecified, the entry can match either case. -# An unspecified string selector will match any value. -# A user string selector that ends in * will perform a prefix match. -# user=_app will match any regular app UID. -# user=_isolated will match any isolated service UID. -# isPrivApp=true will only match for applications preinstalled in -# /system/priv-app. -# All specified input selectors in an entry must match (i.e. logical AND). -# Matching is case-insensitive. -# -# Precedence rules: -# (1) isSystemServer=true before isSystemServer=false. -# (2) Specified isOwner= before unspecified isOwner= boolean. -# (3) Specified user= string before unspecified user= string. -# (4) Fixed user= string before user= prefix (i.e. ending in *). -# (5) Longer user= prefix before shorter user= prefix. -# (6) Specified seinfo= string before unspecified seinfo= string. -# ':' character is reserved and may not be used. -# (7) Specified name= string before unspecified name= string. -# (8) Specified path= string before unspecified path= string. -# (9) Specified isPrivApp= before unspecified isPrivApp= boolean. -# -# Outputs: -# domain (string) -# type (string) -# levelFrom (string; one of none, all, app, or user) -# level (string) -# Only entries that specify domain= will be used for app process labeling. -# Only entries that specify type= will be used for app directory labeling. -# levelFrom=user is only supported for _app or _isolated UIDs. -# levelFrom=app or levelFrom=all is only supported for _app UIDs. -# level may be used to specify a fixed level for any UID. -# -# -# Neverallow Assertions -# Additional compile time assertion checks can be added as well. The assertion -# rules are lines beginning with the keyword neverallow. Full support for PCRE -# regular expressions exists on all input and output selectors. Neverallow -# rules are never output to the built seapp_contexts file. Like all keywords, -# neverallows are case-insensitive. A neverallow is asserted when all key value -# inputs are matched on a key value rule line. -# - -# only the system server can be in system_server domain -neverallow isSystemServer=false domain=system_server -neverallow isSystemServer="" domain=system_server - -# system domains should never be assigned outside of system uid -neverallow user=((?!system).)* domain=system_app -neverallow user=((?!system).)* type=system_app_data_file - -# anything with a non-known uid with a specified name should have a specified seinfo -neverallow user=_app name=.* seinfo="" -neverallow user=_app name=.* seinfo=default - -# neverallow shared relro to any other domain -# and neverallow any other uid into shared_relro -neverallow user=shared_relro domain=((?!shared_relro).)* -neverallow user=((?!shared_relro).)* domain=shared_relro - -# neverallow non-isolated uids into isolated_app domain -# and vice versa -neverallow user=_isolated domain=((?!isolated_app).)* -neverallow user=((?!_isolated).)* domain=isolated_app - -# uid shell should always be in shell domain, however non-shell -# uid's can be in shell domain -neverallow user=shell domain=((?!shell).)* - -isSystemServer=true domain=system_server -user=system seinfo=platform domain=system_app type=system_app_data_file -user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file -user=nfc seinfo=platform domain=nfc type=nfc_data_file -user=radio seinfo=platform domain=radio type=radio_data_file -user=shared_relro domain=shared_relro -user=shell seinfo=platform domain=shell type=shell_data_file -user=_isolated domain=isolated_app levelFrom=user -user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user -user=_app domain=untrusted_app type=app_data_file levelFrom=user diff --git a/security_classes b/security_classes deleted file mode 100644 index 680d3dd..0000000 --- a/security_classes +++ /dev/null @@ -1,110 +0,0 @@ -# FLASK - -# -# Define the security object classes -# - -# Classes marked as userspace are classes -# for userspace object managers - -class security -class process -class system -class capability - -# file-related classes -class filesystem -class file -class dir -class fd -class lnk_file -class chr_file -class blk_file -class sock_file -class fifo_file - -# network-related classes -class socket -class tcp_socket -class udp_socket -class rawip_socket -class node -class netif -class netlink_socket -class packet_socket -class key_socket -class unix_stream_socket -class unix_dgram_socket - -# sysv-ipc-related classes -class sem -class msg -class msgq -class shm -class ipc - -# extended netlink sockets -class netlink_route_socket -class netlink_firewall_socket -class netlink_tcpdiag_socket -class netlink_nflog_socket -class netlink_xfrm_socket -class netlink_selinux_socket -class netlink_audit_socket -class netlink_ip6fw_socket -class netlink_dnrt_socket - -# IPSec association -class association - -# Updated Netlink class for KOBJECT_UEVENT family. -class netlink_kobject_uevent_socket - -class appletalk_socket - -class packet - -# Kernel access key retention -class key - -class dccp_socket - -class memprotect - -# network peer labels -class peer - -# Capabilities >= 32 -class capability2 - -# kernel services that need to override task security, e.g. cachefiles -class kernel_service - -class tun_socket - -class binder - -# Updated netlink classes for more recent netlink protocols. -class netlink_iscsi_socket -class netlink_fib_lookup_socket -class netlink_connector_socket -class netlink_netfilter_socket -class netlink_generic_socket -class netlink_scsitransport_socket -class netlink_rdma_socket -class netlink_crypto_socket - -# Property service -class property_service # userspace - -# Service manager -class service_manager # userspace - -# Keystore Key -class keystore_key # userspace - -# debuggerd service -class debuggerd # userspace - -class drmservice # userspace -# FLASK diff --git a/service.te b/service.te deleted file mode 100644 index fb5b9f4..0000000 --- a/service.te +++ /dev/null @@ -1,106 +0,0 @@ -type bluetooth_service, service_manager_type; -type default_android_service, service_manager_type; -type drmserver_service, service_manager_type; -type gatekeeper_service, app_api_service, service_manager_type; -type fingerprintd_service, service_manager_type; -type batteryproperties_service, app_api_service, service_manager_type; -type inputflinger_service, service_manager_type; -type keystore_service, service_manager_type; -type mediaserver_service, service_manager_type; -type nfc_service, service_manager_type; -type radio_service, service_manager_type; -type surfaceflinger_service, service_manager_type; -type system_app_service, service_manager_type; -type update_engine_service, service_manager_type; - -# system_server_services broken down -type accessibility_service, app_api_service, system_server_service, service_manager_type; -type account_service, app_api_service, system_server_service, service_manager_type; -type activity_service, app_api_service, system_server_service, service_manager_type; -type alarm_service, app_api_service, system_server_service, service_manager_type; -type appops_service, app_api_service, system_server_service, service_manager_type; -type appwidget_service, app_api_service, system_server_service, service_manager_type; -type assetatlas_service, app_api_service, system_server_service, service_manager_type; -type audio_service, app_api_service, system_server_service, service_manager_type; -type backup_service, app_api_service, system_server_service, service_manager_type; -type batterystats_service, app_api_service, system_server_service, service_manager_type; -type battery_service, system_server_service, service_manager_type; -type bluetooth_manager_service, app_api_service, system_server_service, service_manager_type; -type cameraproxy_service, system_server_service, service_manager_type; -type clipboard_service, app_api_service, system_server_service, service_manager_type; -type IProxyService_service, system_api_service, system_server_service, service_manager_type; -type commontime_management_service, system_server_service, service_manager_type; -type connectivity_service, app_api_service, system_server_service, service_manager_type; -type consumer_ir_service, app_api_service, system_server_service, service_manager_type; -type content_service, app_api_service, system_server_service, service_manager_type; -type country_detector_service, app_api_service, system_server_service, service_manager_type; -type cpuinfo_service, system_api_service, system_server_service, service_manager_type; -type dbinfo_service, system_api_service, system_server_service, service_manager_type; -type device_policy_service, app_api_service, system_server_service, service_manager_type; -type deviceidle_service, app_api_service, system_server_service, service_manager_type; -type devicestoragemonitor_service, system_server_service, service_manager_type; -type diskstats_service, system_api_service, system_server_service, service_manager_type; -type display_service, app_api_service, system_server_service, service_manager_type; -type DockObserver_service, system_server_service, service_manager_type; -type dreams_service, app_api_service, system_server_service, service_manager_type; -type dropbox_service, app_api_service, system_server_service, service_manager_type; -type ethernet_service, app_api_service, system_server_service, service_manager_type; -type fingerprint_service, app_api_service, system_server_service, service_manager_type; -type gfxinfo_service, system_api_service, system_server_service, service_manager_type; -type graphicsstats_service, app_api_service, system_server_service, service_manager_type; -type hardware_service, system_server_service, service_manager_type; -type hdmi_control_service, system_api_service, system_server_service, service_manager_type; -type input_method_service, app_api_service, system_server_service, service_manager_type; -type input_service, app_api_service, system_server_service, service_manager_type; -type imms_service, app_api_service, system_server_service, service_manager_type; -type jobscheduler_service, app_api_service, system_server_service, service_manager_type; -type launcherapps_service, app_api_service, system_server_service, service_manager_type; -type location_service, app_api_service, system_server_service, service_manager_type; -type lock_settings_service, system_api_service, system_server_service, service_manager_type; -type media_projection_service, app_api_service, system_server_service, service_manager_type; -type media_router_service, app_api_service, system_server_service, service_manager_type; -type media_session_service, app_api_service, system_server_service, service_manager_type; -type meminfo_service, system_api_service, system_server_service, service_manager_type; -type midi_service, app_api_service, system_server_service, service_manager_type; -type mount_service, app_api_service, system_server_service, service_manager_type; -type netpolicy_service, app_api_service, system_server_service, service_manager_type; -type netstats_service, app_api_service, system_server_service, service_manager_type; -type network_management_service, app_api_service, system_server_service, service_manager_type; -type network_score_service, system_api_service, system_server_service, service_manager_type; -type notification_service, app_api_service, system_server_service, service_manager_type; -type package_service, app_api_service, system_server_service, service_manager_type; -type permission_service, app_api_service, system_server_service, service_manager_type; -type persistent_data_block_service, system_api_service, system_server_service, service_manager_type; -type power_service, app_api_service, system_server_service, service_manager_type; -type print_service, app_api_service, system_server_service, service_manager_type; -type processinfo_service, system_server_service, service_manager_type; -type procstats_service, app_api_service, system_server_service, service_manager_type; -type recovery_service, system_server_service, service_manager_type; -type registry_service, app_api_service, system_server_service, service_manager_type; -type restrictions_service, app_api_service, system_server_service, service_manager_type; -type rttmanager_service, app_api_service, system_server_service, service_manager_type; -type samplingprofiler_service, system_server_service, service_manager_type; -type scheduling_policy_service, system_server_service, service_manager_type; -type search_service, app_api_service, system_server_service, service_manager_type; -type sensorservice_service, app_api_service, system_server_service, service_manager_type; -type serial_service, system_api_service, system_server_service, service_manager_type; -type servicediscovery_service, app_api_service, system_server_service, service_manager_type; -type statusbar_service, app_api_service, system_server_service, service_manager_type; -type task_service, system_server_service, service_manager_type; -type textservices_service, app_api_service, system_server_service, service_manager_type; -type telecom_service, app_api_service, system_server_service, service_manager_type; -type trust_service, app_api_service, system_server_service, service_manager_type; -type tv_input_service, app_api_service, system_server_service, service_manager_type; -type uimode_service, app_api_service, system_server_service, service_manager_type; -type updatelock_service, system_api_service, system_server_service, service_manager_type; -type usagestats_service, app_api_service, system_server_service, service_manager_type; -type usb_service, app_api_service, system_server_service, service_manager_type; -type user_service, app_api_service, system_server_service, service_manager_type; -type vibrator_service, app_api_service, system_server_service, service_manager_type; -type voiceinteraction_service, app_api_service, system_server_service, service_manager_type; -type wallpaper_service, app_api_service, system_server_service, service_manager_type; -type webviewupdate_service, app_api_service, system_server_service, service_manager_type; -type wifip2p_service, app_api_service, system_server_service, service_manager_type; -type wifiscanner_service, system_api_service, system_server_service, service_manager_type; -type wifi_service, app_api_service, system_server_service, service_manager_type; -type window_service, system_api_service, system_server_service, service_manager_type; diff --git a/service_contexts b/service_contexts deleted file mode 100644 index 0e77818..0000000 --- a/service_contexts +++ /dev/null @@ -1,132 +0,0 @@ -accessibility u:object_r:accessibility_service:s0 -account u:object_r:account_service:s0 -activity u:object_r:activity_service:s0 -alarm u:object_r:alarm_service:s0 -android.os.UpdateEngineService u:object_r:update_engine_service:s0 -android.security.keystore u:object_r:keystore_service:s0 -android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0 -appops u:object_r:appops_service:s0 -appwidget u:object_r:appwidget_service:s0 -assetatlas u:object_r:assetatlas_service:s0 -audio u:object_r:audio_service:s0 -backup u:object_r:backup_service:s0 -batteryproperties u:object_r:batteryproperties_service:s0 -batterystats u:object_r:batterystats_service:s0 -battery u:object_r:battery_service:s0 -bluetooth_manager u:object_r:bluetooth_manager_service:s0 -bluetooth u:object_r:bluetooth_service:s0 -carrier_config u:object_r:radio_service:s0 -clipboard u:object_r:clipboard_service:s0 -com.android.net.IProxyService u:object_r:IProxyService_service:s0 -commontime_management u:object_r:commontime_management_service:s0 -common_time.clock u:object_r:mediaserver_service:s0 -common_time.config u:object_r:mediaserver_service:s0 -connectivity u:object_r:connectivity_service:s0 -consumer_ir u:object_r:consumer_ir_service:s0 -content u:object_r:content_service:s0 -country_detector u:object_r:country_detector_service:s0 -cpuinfo u:object_r:cpuinfo_service:s0 -dbinfo u:object_r:dbinfo_service:s0 -device_policy u:object_r:device_policy_service:s0 -deviceidle u:object_r:deviceidle_service:s0 -devicestoragemonitor u:object_r:devicestoragemonitor_service:s0 -diskstats u:object_r:diskstats_service:s0 -display.qservice u:object_r:surfaceflinger_service:s0 -display u:object_r:display_service:s0 -DockObserver u:object_r:DockObserver_service:s0 -dreams u:object_r:dreams_service:s0 -drm.drmManager u:object_r:drmserver_service:s0 -dropbox u:object_r:dropbox_service:s0 -ethernet u:object_r:ethernet_service:s0 -fingerprint u:object_r:fingerprint_service:s0 -android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0 -gfxinfo u:object_r:gfxinfo_service:s0 -graphicsstats u:object_r:graphicsstats_service:s0 -hardware u:object_r:hardware_service:s0 -hdmi_control u:object_r:hdmi_control_service:s0 -inputflinger u:object_r:inputflinger_service:s0 -input_method u:object_r:input_method_service:s0 -input u:object_r:input_service:s0 -iphonesubinfo_msim u:object_r:radio_service:s0 -iphonesubinfo2 u:object_r:radio_service:s0 -iphonesubinfo u:object_r:radio_service:s0 -ims u:object_r:radio_service:s0 -imms u:object_r:imms_service:s0 -isms_msim u:object_r:radio_service:s0 -isms2 u:object_r:radio_service:s0 -isms u:object_r:radio_service:s0 -isub u:object_r:radio_service:s0 -jobscheduler u:object_r:jobscheduler_service:s0 -launcherapps u:object_r:launcherapps_service:s0 -location u:object_r:location_service:s0 -lock_settings u:object_r:lock_settings_service:s0 -media.audio_flinger u:object_r:mediaserver_service:s0 -media.audio_policy u:object_r:mediaserver_service:s0 -media.camera u:object_r:mediaserver_service:s0 -media.camera.proxy u:object_r:cameraproxy_service:s0 -media.log u:object_r:mediaserver_service:s0 -media.player u:object_r:mediaserver_service:s0 -media.resource_manager u:object_r:mediaserver_service:s0 -media.radio u:object_r:mediaserver_service:s0 -media.sound_trigger_hw u:object_r:mediaserver_service:s0 -media_projection u:object_r:media_projection_service:s0 -media_router u:object_r:media_router_service:s0 -media_session u:object_r:media_session_service:s0 -meminfo u:object_r:meminfo_service:s0 -midi u:object_r:midi_service:s0 -mount u:object_r:mount_service:s0 -netpolicy u:object_r:netpolicy_service:s0 -netstats u:object_r:netstats_service:s0 -network_management u:object_r:network_management_service:s0 -network_score u:object_r:network_score_service:s0 -nfc u:object_r:nfc_service:s0 -notification u:object_r:notification_service:s0 -package u:object_r:package_service:s0 -permission u:object_r:permission_service:s0 -persistent_data_block u:object_r:persistent_data_block_service:s0 -phone_msim u:object_r:radio_service:s0 -phone1 u:object_r:radio_service:s0 -phone2 u:object_r:radio_service:s0 -phone u:object_r:radio_service:s0 -power u:object_r:power_service:s0 -print u:object_r:print_service:s0 -processinfo u:object_r:processinfo_service:s0 -procstats u:object_r:procstats_service:s0 -radio.phonesubinfo u:object_r:radio_service:s0 -radio.phone u:object_r:radio_service:s0 -radio.sms u:object_r:radio_service:s0 -recovery u:object_r:recovery_service:s0 -restrictions u:object_r:restrictions_service:s0 -rttmanager u:object_r:rttmanager_service:s0 -samplingprofiler u:object_r:samplingprofiler_service:s0 -scheduling_policy u:object_r:scheduling_policy_service:s0 -search u:object_r:search_service:s0 -sensorservice u:object_r:sensorservice_service:s0 -serial u:object_r:serial_service:s0 -servicediscovery u:object_r:servicediscovery_service:s0 -simphonebook_msim u:object_r:radio_service:s0 -simphonebook2 u:object_r:radio_service:s0 -simphonebook u:object_r:radio_service:s0 -sip u:object_r:radio_service:s0 -statusbar u:object_r:statusbar_service:s0 -SurfaceFlinger u:object_r:surfaceflinger_service:s0 -task u:object_r:task_service:s0 -telecom u:object_r:telecom_service:s0 -telephony.registry u:object_r:registry_service:s0 -textservices u:object_r:textservices_service:s0 -trust u:object_r:trust_service:s0 -tv_input u:object_r:tv_input_service:s0 -uimode u:object_r:uimode_service:s0 -updatelock u:object_r:updatelock_service:s0 -usagestats u:object_r:usagestats_service:s0 -usb u:object_r:usb_service:s0 -user u:object_r:user_service:s0 -vibrator u:object_r:vibrator_service:s0 -voiceinteraction u:object_r:voiceinteraction_service:s0 -wallpaper u:object_r:wallpaper_service:s0 -webviewupdate u:object_r:webviewupdate_service:s0 -wifip2p u:object_r:wifip2p_service:s0 -wifiscanner u:object_r:wifiscanner_service:s0 -wifi u:object_r:wifi_service:s0 -window u:object_r:window_service:s0 -* u:object_r:default_android_service:s0 diff --git a/servicemanager.te b/servicemanager.te deleted file mode 100644 index 84605d1..0000000 --- a/servicemanager.te +++ /dev/null @@ -1,17 +0,0 @@ -# servicemanager - the Binder context manager -type servicemanager, domain, domain_deprecated, mlstrustedsubject; -type servicemanager_exec, exec_type, file_type; - -init_daemon_domain(servicemanager) - -# Note that we do not use the binder_* macros here. -# servicemanager is unique in that it only provides -# name service (aka context manager) for Binder. -# As such, it only ever receives and transfers other references -# created by other domains. It never passes its own references -# or initiates a Binder IPC. -allow servicemanager self:binder set_context_mgr; -allow servicemanager { domain -init }:binder transfer; - -# Check SELinux permissions. -selinux_check_access(servicemanager) diff --git a/sgdisk.te b/sgdisk.te deleted file mode 100644 index 43636d4..0000000 --- a/sgdisk.te +++ /dev/null @@ -1,22 +0,0 @@ -# sgdisk called from vold -type sgdisk, domain, domain_deprecated; -type sgdisk_exec, exec_type, file_type; - -# Allowed to read/write low-level partition tables -allow sgdisk block_device:dir search; -allow sgdisk vold_device:blk_file rw_file_perms; - -# Inherit and use pty created by android_fork_execvp() -allow sgdisk devpts:chr_file { read write ioctl getattr }; - -# Allow stdin/out back to vold -allow sgdisk vold:fd use; -allow sgdisk vold:fifo_file { read write getattr }; - -# Used to probe kernel to reload partition tables -allow sgdisk self:capability sys_admin; - -# Only allow entry from vold -neverallow { domain -vold } sgdisk:process transition; -neverallow * sgdisk:process dyntransition; -neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; diff --git a/shared_relro.te b/shared_relro.te deleted file mode 100644 index 30af14a..0000000 --- a/shared_relro.te +++ /dev/null @@ -1,13 +0,0 @@ -# Process which creates/updates shared RELRO files to be used by other apps. -type shared_relro, domain, domain_deprecated; - -# The shared relro process is a Java program forked from the zygote, so it -# inherits from app to get basic permissions it needs to run. -app_domain(shared_relro) - -# Grant write access to the shared relro files/directory. -allow shared_relro shared_relro_file:dir rw_dir_perms; -allow shared_relro shared_relro_file:file create_file_perms; - -# Needs to contact the "webviewupdate" and "activity" services -allow shared_relro webviewupdate_service:service_manager find; diff --git a/shell.te b/shell.te deleted file mode 100644 index 8878873..0000000 --- a/shell.te +++ /dev/null @@ -1,135 +0,0 @@ -# Domain for shell processes spawned by ADB or console service. -type shell, domain, mlstrustedsubject; -type shell_exec, exec_type, file_type; - -# Create and use network sockets. -net_domain(shell) - -# Run app_process. -# XXX Transition into its own domain? -app_domain(shell) - -# logcat -read_logd(shell) -control_logd(shell) -# logcat -L (directly, or via dumpstate) -allow shell pstorefs:dir search; -allow shell pstorefs:file r_file_perms; -# logpersistd (nee logcatd) files -userdebug_or_eng(` - allow shell misc_logd_file:dir r_dir_perms; - allow shell misc_logd_file:file r_file_perms; -') - -# Root fs. -allow shell rootfs:dir r_dir_perms; - -# read files in /data/anr -allow shell anr_data_file:dir r_dir_perms; -allow shell anr_data_file:file r_file_perms; - -# Access /data/local/tmp. -allow shell shell_data_file:dir create_dir_perms; -allow shell shell_data_file:file create_file_perms; -allow shell shell_data_file:file rx_file_perms; -allow shell shell_data_file:lnk_file create_file_perms; - -# Read/execute files in /data/nativetest -userdebug_or_eng(` - allow shell nativetest_data_file:dir r_dir_perms; - allow shell nativetest_data_file:file rx_file_perms; -') - -# adb bugreport -unix_socket_connect(shell, dumpstate, dumpstate) - -allow shell devpts:chr_file rw_file_perms; -allow shell tty_device:chr_file rw_file_perms; -allow shell console_device:chr_file rw_file_perms; -allow shell input_device:dir r_dir_perms; -allow shell input_device:chr_file rw_file_perms; -r_dir_file(shell, system_file) -allow shell system_file:file x_file_perms; -allow shell toolbox_exec:file rx_file_perms; -allow shell shell_exec:file rx_file_perms; -allow shell zygote_exec:file rx_file_perms; - -r_dir_file(shell, apk_data_file) - -# Set properties. -set_prop(shell, shell_prop) -set_prop(shell, ctl_bugreport_prop) -set_prop(shell, ctl_dumpstate_prop) -set_prop(shell, dumpstate_prop) -set_prop(shell, debug_prop) -set_prop(shell, powerctl_prop) - -# systrace support - allow atrace to run -allow shell debugfs_tracing:dir r_dir_perms; -allow shell debugfs_tracing:file rw_file_perms; -allow shell debugfs_trace_marker:file getattr; -allow shell atrace_exec:file rx_file_perms; - -userdebug_or_eng(` - # "systrace --boot" support - allow boottrace service to run - allow shell boottrace_data_file:dir rw_dir_perms; - allow shell boottrace_data_file:file create_file_perms; - set_prop(shell, persist_debug_prop) -') - -# allow shell to run dmesg -allow shell kernel:system syslog_read; - -# allow shell access to services -allow shell servicemanager:service_manager list; -# don't allow shell to access GateKeeper service -allow shell { service_manager_type -gatekeeper_service }:service_manager find; - -# allow shell to look through /proc/ for ps, top, netstat -r_dir_file(shell, proc) -r_dir_file(shell, proc_net) -r_dir_file(shell, cgroup) -allow shell domain:dir { search open read getattr }; -allow shell domain:{ file lnk_file } { open read getattr }; - -# statvfs() of /proc and other labeled filesystems -# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs) -allow shell { proc labeledfs }:filesystem getattr; - -# stat() of /dev -allow shell device:dir getattr; - -# allow shell to read /proc/pid/attr/current for ps -Z -allow shell domain:process getattr; - -# Allow pulling the SELinux policy for CTS purposes -allow shell selinuxfs:dir r_dir_perms; -allow shell selinuxfs:file r_file_perms; - -# enable shell domain to read/write files/dirs for bootchart data -# User will creates the start and stop file via adb shell -# and read other files created by init process under /data/bootchart -allow shell bootchart_data_file:dir rw_dir_perms; -allow shell bootchart_data_file:file create_file_perms; - -# Make sure strace works for the non-privileged shell user -allow shell self:process ptrace; - -# allow shell to get battery info -allow shell sysfs_batteryinfo:file r_file_perms; -allow shell sysfs:dir r_dir_perms; - -# Allow access to ion memory allocation device. -allow shell ion_device:chr_file rw_file_perms; - -### -### Neverallow rules -### - -# Do not allow shell to hard link to any files. -# In particular, if shell hard links to app data -# files, installd will not be able to guarantee the deletion -# of the linked to file. Hard links also contribute to security -# bugs, so we want to ensure the shell user never has this -# capability. -neverallow shell file_type:file link; diff --git a/slideshow.te b/slideshow.te deleted file mode 100644 index 3165a65..0000000 --- a/slideshow.te +++ /dev/null @@ -1,14 +0,0 @@ -# slideshow seclabel is specified in init.rc since -# it lives in the rootfs and has no unique file type. -type slideshow, domain, domain_deprecated; - -allow slideshow kmsg_device:chr_file rw_file_perms; -wakelock_use(slideshow) -allow slideshow device:dir r_dir_perms; -allow slideshow self:capability sys_tty_config; -allow slideshow graphics_device:dir r_dir_perms; -allow slideshow graphics_device:chr_file rw_file_perms; -allow slideshow input_device:dir r_dir_perms; -allow slideshow input_device:chr_file r_file_perms; -allow slideshow tty_device:chr_file rw_file_perms; - @@ -1,55 +0,0 @@ -# File types must be defined for file_contexts. -type su_exec, exec_type, file_type; - -userdebug_or_eng(` - # Domain used for su processes, as well as for adbd and adb shell - # after performing an adb root command. The domain definition is - # wrapped to ensure that it does not exist at all on -user builds. - type su, domain, mlstrustedsubject; - domain_auto_trans(shell, su_exec, su) - - # Allow dumpstate to call su on userdebug / eng builds to collect - # additional information. - domain_auto_trans(dumpstate, su_exec, su) - - # Make sure that dumpstate runs the same from the "su" domain as - # from the "init" domain. - domain_auto_trans(su, dumpstate_exec, dumpstate) - - # su is also permissive to permit setenforce. - permissive su; - - # Add su to various domains - net_domain(su) - app_domain(su) - - dontaudit su self:capability_class_set *; - dontaudit su kernel:security *; - dontaudit su kernel:system *; - dontaudit su self:memprotect *; - dontaudit su domain:process *; - dontaudit su domain:fd *; - dontaudit su domain:dir *; - dontaudit su domain:lnk_file *; - dontaudit su domain:{ fifo_file file } *; - dontaudit su domain:socket_class_set *; - dontaudit su domain:ipc_class_set *; - dontaudit su domain:key *; - dontaudit su fs_type:filesystem *; - dontaudit su {fs_type dev_type file_type}:dir_file_class_set *; - dontaudit su node_type:node *; - dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *; - dontaudit su netif_type:netif *; - dontaudit su port_type:socket_class_set *; - dontaudit su port_type:{ tcp_socket dccp_socket } *; - dontaudit su domain:peer *; - dontaudit su domain:binder *; - dontaudit su property_type:property_service *; - dontaudit su property_type:file *; - dontaudit su service_manager_type:service_manager *; - dontaudit su servicemanager:service_manager list; - dontaudit su keystore:keystore_key *; - dontaudit su domain:debuggerd *; - dontaudit su domain:drmservice *; - dontaudit su unlabeled:filesystem *; -') diff --git a/surfaceflinger.te b/surfaceflinger.te deleted file mode 100644 index fbe1dd0..0000000 --- a/surfaceflinger.te +++ /dev/null @@ -1,68 +0,0 @@ -# surfaceflinger - display compositor service -type surfaceflinger, domain, domain_deprecated; -type surfaceflinger_exec, exec_type, file_type; - -init_daemon_domain(surfaceflinger) -typeattribute surfaceflinger mlstrustedsubject; - -# Perform Binder IPC. -binder_use(surfaceflinger) -binder_call(surfaceflinger, binderservicedomain) -binder_call(surfaceflinger, appdomain) -binder_call(surfaceflinger, bootanim) -binder_service(surfaceflinger) - -# Binder IPC to bu, presently runs in adbd domain. -binder_call(surfaceflinger, adbd) - -# Read /proc/pid files for Binder clients. -r_dir_file(surfaceflinger, binderservicedomain) -r_dir_file(surfaceflinger, appdomain) - -# Access the GPU. -allow surfaceflinger gpu_device:chr_file rw_file_perms; - -# Access /dev/graphics/fb0. -allow surfaceflinger graphics_device:dir search; -allow surfaceflinger graphics_device:chr_file rw_file_perms; - -# Access /dev/video1. -allow surfaceflinger video_device:dir r_dir_perms; -allow surfaceflinger video_device:chr_file rw_file_perms; - -# Create and use netlink kobject uevent sockets. -allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms; - -# Set properties. -set_prop(surfaceflinger, system_prop) -set_prop(surfaceflinger, ctl_bootanim_prop) - -# Use open files supplied by an app. -allow surfaceflinger app_data_file:file { read write }; - -# Allow a dumpstate triggered screenshot -binder_call(surfaceflinger, dumpstate) -binder_call(surfaceflinger, shell) -r_dir_file(surfaceflinger, dumpstate) - -# Needed on some devices for playing DRM protected content, -# but seems expected and appropriate for all devices. -allow surfaceflinger tee:unix_stream_socket connectto; -allow surfaceflinger tee_device:chr_file rw_file_perms; - - -# media.player service -allow surfaceflinger mediaserver_service:service_manager find; -allow surfaceflinger permission_service:service_manager find; -allow surfaceflinger power_service:service_manager find; -allow surfaceflinger surfaceflinger_service:service_manager { add find }; -allow surfaceflinger window_service:service_manager find; - -### -### Neverallow rules -### -### surfaceflinger should NEVER do any of this - -# Do not allow accessing SDcard files as unsafe ejection could -# cause the kernel to kill the process. -neverallow surfaceflinger sdcard_type:file rw_file_perms; diff --git a/system_app.te b/system_app.te deleted file mode 100644 index 355f6d4..0000000 --- a/system_app.te +++ /dev/null @@ -1,73 +0,0 @@ -# -# Apps that run with the system UID, e.g. com.android.system.ui, -# com.android.settings. These are not as privileged as the system -# server. -# -type system_app, domain, domain_deprecated; -app_domain(system_app) -net_domain(system_app) -binder_service(system_app) - -# Read and write /data/data subdirectory. -allow system_app system_app_data_file:dir create_dir_perms; -allow system_app system_app_data_file:{ file lnk_file } create_file_perms; - -# Read and write to /data/misc/user. -allow system_app misc_user_data_file:dir create_dir_perms; -allow system_app misc_user_data_file:file create_file_perms; - -# Access to vold-mounted storage for measuring free space -allow system_app mnt_media_rw_file:dir search; - -# Read wallpaper file. -allow system_app wallpaper_file:file r_file_perms; - -# Write to properties -set_prop(system_app, bluetooth_prop) -set_prop(system_app, debug_prop) -set_prop(system_app, system_prop) -set_prop(system_app, logd_prop) -set_prop(system_app, net_radio_prop) -set_prop(system_app, system_radio_prop) -auditallow system_app net_radio_prop:property_service set; -auditallow system_app system_radio_prop:property_service set; - -# ctl interface -set_prop(system_app, ctl_default_prop) -set_prop(system_app, ctl_bugreport_prop) - -# Create /data/anr/traces.txt. -allow system_app anr_data_file:dir ra_dir_perms; -allow system_app anr_data_file:file create_file_perms; - -# Settings need to access app name and icon from asec -allow system_app asec_apk_file:file r_file_perms; - -allow system_app servicemanager:service_manager list; -allow system_app service_manager_type:service_manager find; - -allow system_app keystore:keystore_key { - get_state - get - insert - delete - exist - list - reset - password - lock - unlock - is_empty - sign - verify - grant - duplicate - clear_uid - user_changed -}; - -# /sys access -allow system_app sysfs_zram:dir search; -allow system_app sysfs_zram:file r_file_perms; - -control_logd(system_app) diff --git a/system_server.te b/system_server.te deleted file mode 100644 index 6ab48e7..0000000 --- a/system_server.te +++ /dev/null @@ -1,490 +0,0 @@ -# -# System Server aka system_server spawned by zygote. -# Most of the framework services run in this process. -# -type system_server, domain, domain_deprecated, mlstrustedsubject; - -# Define a type for tmpfs-backed ashmem regions. -tmpfs_domain(system_server) - -# For art. -allow system_server dalvikcache_data_file:file execute; -allow system_server dalvikcache_data_file:dir r_dir_perms; - -# /data/resource-cache -allow system_server resourcecache_data_file:file r_file_perms; -allow system_server resourcecache_data_file:dir r_dir_perms; - -# ptrace to processes in the same domain for debugging crashes. -allow system_server self:process ptrace; - -# Child of the zygote. -allow system_server zygote:fd use; -allow system_server zygote:process sigchld; -allow system_server zygote_tmpfs:file read; - -# May kill zygote on crashes. -allow system_server zygote:process sigkill; - -# Read /system/bin/app_process. -allow system_server zygote_exec:file r_file_perms; - -# Needed to close the zygote socket, which involves getopt / getattr -allow system_server zygote:unix_stream_socket { getopt getattr }; - -# system server gets network and bluetooth permissions. -net_domain(system_server) -bluetooth_domain(system_server) - -# These are the capabilities assigned by the zygote to the -# system server. -allow system_server self:capability { - kill - net_admin - net_bind_service - net_broadcast - net_raw - sys_boot - sys_nice - sys_resource - sys_time - sys_tty_config -}; - -wakelock_use(system_server) - -# Triggered by /proc/pid accesses, not allowed. -dontaudit system_server self:capability sys_ptrace; - -# Trigger module auto-load. -allow system_server kernel:system module_request; - -# Use netlink uevent sockets. -allow system_server self:netlink_kobject_uevent_socket create_socket_perms; - -# Use generic netlink sockets. -allow system_server self:netlink_socket create_socket_perms; -allow system_server self:netlink_generic_socket create_socket_perms; - -# Use generic "sockets" where the address family is not known -# to the kernel. -allow system_server self:socket create_socket_perms; - -# Set and get routes directly via netlink. -allow system_server self:netlink_route_socket nlmsg_write; - -# Kill apps. -allow system_server appdomain:process { sigkill signal }; - -# Set scheduling info for apps. -allow system_server appdomain:process { getsched setsched }; -allow system_server mediaserver:process { getsched setsched }; - -# Read /proc/pid data for all domains. This is used by ProcessCpuTracker -# within system_server to keep track of memory and CPU usage for -# all processes on the device. -r_dir_file(system_server, domain) - -# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid. -allow system_server qtaguid_proc:file rw_file_perms; -allow system_server qtaguid_device:chr_file rw_file_perms; - -# Read /proc/uid_cputime/show_uid_stat. -allow system_server proc_uid_cputime_showstat:file r_file_perms; - -# Write /proc/uid_cputime/remove_uid_range. -allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr }; - -# Write to /proc/sysrq-trigger. -allow system_server proc_sysrq:file rw_file_perms; - -# Read /sys/kernel/debug/wakeup_sources. -allow system_server debugfs:file r_file_perms; - -# The DhcpClient and WifiWatchdog use packet_sockets -allow system_server self:packet_socket create_socket_perms; - -# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same -# as raw sockets, but the kernel doesn't yet distinguish between the two. -allow system_server node:rawip_socket node_bind; - -# 3rd party VPN clients require a tun_socket to be created -allow system_server self:tun_socket create_socket_perms; - -# Notify init of death. -allow system_server init:process sigchld; - -# Talk to init and various daemons via sockets. -unix_socket_connect(system_server, installd, installd) -unix_socket_connect(system_server, lmkd, lmkd) -unix_socket_connect(system_server, mtpd, mtp) -unix_socket_connect(system_server, netd, netd) -unix_socket_connect(system_server, vold, vold) -unix_socket_connect(system_server, zygote, zygote) -unix_socket_connect(system_server, gps, gpsd) -unix_socket_connect(system_server, racoon, racoon) -unix_socket_send(system_server, wpa, wpa) - -# Communicate over a socket created by surfaceflinger. -allow system_server surfaceflinger:unix_stream_socket { read write setopt }; - -# Perform Binder IPC. -binder_use(system_server) -binder_call(system_server, binderservicedomain) -binder_call(system_server, gatekeeperd) -binder_call(system_server, fingerprintd) -binder_call(system_server, appdomain) -binder_call(system_server, dumpstate) -binder_service(system_server) - -# Ask debuggerd to dump backtraces for native stacks of interest. -allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; - -# Read /proc/pid files for dumping stack traces of native processes. -r_dir_file(system_server, mediaserver) -r_dir_file(system_server, sdcardd) -r_dir_file(system_server, surfaceflinger) -r_dir_file(system_server, inputflinger) - -# Use sockets received over binder from various services. -allow system_server mediaserver:tcp_socket rw_socket_perms; -allow system_server mediaserver:udp_socket rw_socket_perms; - -# Check SELinux permissions. -selinux_check_access(system_server) - -# XXX Label sysfs files with a specific type? -allow system_server sysfs:file rw_file_perms; -allow system_server sysfs_nfc_power_writable:file rw_file_perms; -allow system_server sysfs_devices_system_cpu:file w_file_perms; -allow system_server sysfs_mac_address:file r_file_perms; -allow system_server sysfs_thermal:dir search; -allow system_server sysfs_thermal:file r_file_perms; - -# Access devices. -allow system_server device:dir r_dir_perms; -allow system_server mdns_socket:sock_file rw_file_perms; -allow system_server alarm_device:chr_file rw_file_perms; -allow system_server gpu_device:chr_file rw_file_perms; -allow system_server iio_device:chr_file rw_file_perms; -allow system_server input_device:dir r_dir_perms; -allow system_server input_device:chr_file rw_file_perms; -allow system_server radio_device:chr_file r_file_perms; -allow system_server tty_device:chr_file rw_file_perms; -allow system_server usbaccessory_device:chr_file rw_file_perms; -allow system_server video_device:dir r_dir_perms; -allow system_server video_device:chr_file rw_file_perms; -allow system_server adbd_socket:sock_file rw_file_perms; -allow system_server rtc_device:chr_file rw_file_perms; -allow system_server audio_device:dir r_dir_perms; - -# write access needed for MIDI -allow system_server audio_device:chr_file rw_file_perms; - -# tun device used for 3rd party vpn apps -allow system_server tun_device:chr_file rw_file_perms; - -# Manage system data files. -allow system_server system_data_file:dir create_dir_perms; -allow system_server system_data_file:notdevfile_class_set create_file_perms; -allow system_server keychain_data_file:dir create_dir_perms; -allow system_server keychain_data_file:file create_file_perms; - -# Manage /data/app. -allow system_server apk_data_file:dir create_dir_perms; -allow system_server apk_data_file:file { create_file_perms link }; -allow system_server apk_tmp_file:dir create_dir_perms; -allow system_server apk_tmp_file:file create_file_perms; - -# Manage /data/app-private. -allow system_server apk_private_data_file:dir create_dir_perms; -allow system_server apk_private_data_file:file create_file_perms; -allow system_server apk_private_tmp_file:dir create_dir_perms; -allow system_server apk_private_tmp_file:file create_file_perms; - -# Manage files within asec containers. -allow system_server asec_apk_file:dir create_dir_perms; -allow system_server asec_apk_file:file create_file_perms; -allow system_server asec_public_file:file create_file_perms; - -# Manage /data/anr. -allow system_server anr_data_file:dir create_dir_perms; -allow system_server anr_data_file:file create_file_perms; - -# Manage /data/backup. -allow system_server backup_data_file:dir create_dir_perms; -allow system_server backup_data_file:file create_file_perms; - -# Write to /data/system/heapdump -allow system_server heapdump_data_file:dir rw_dir_perms; -allow system_server heapdump_data_file:file create_file_perms; - -# Manage /data/misc/adb. -allow system_server adb_keys_file:dir create_dir_perms; -allow system_server adb_keys_file:file create_file_perms; - -# Manage /data/misc/sms. -# TODO: Split into a separate type? -allow system_server radio_data_file:dir create_dir_perms; -allow system_server radio_data_file:file create_file_perms; - -# Manage /data/misc/systemkeys. -allow system_server systemkeys_data_file:dir create_dir_perms; -allow system_server systemkeys_data_file:file create_file_perms; - -# Access /data/tombstones. -allow system_server tombstone_data_file:dir r_dir_perms; -allow system_server tombstone_data_file:file r_file_perms; - -# Manage /data/misc/vpn. -allow system_server vpn_data_file:dir create_dir_perms; -allow system_server vpn_data_file:file create_file_perms; - -# Manage /data/misc/wifi. -allow system_server wifi_data_file:dir create_dir_perms; -allow system_server wifi_data_file:file create_file_perms; - -# Manage /data/misc/zoneinfo. -allow system_server zoneinfo_data_file:dir create_dir_perms; -allow system_server zoneinfo_data_file:file create_file_perms; - -# Walk /data/data subdirectories. -# Types extracted from seapp_contexts type= fields. -allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search }; -# Also permit for unlabeled /data/data subdirectories and -# for unlabeled asec containers on upgrades from 4.2. -allow system_server unlabeled:dir r_dir_perms; -# Read pkg.apk file before it has been relabeled by vold. -allow system_server unlabeled:file r_file_perms; - -# Populate com.android.providers.settings/databases/settings.db. -allow system_server system_app_data_file:dir create_dir_perms; -allow system_server system_app_data_file:file create_file_perms; - -# Receive and use open app data files passed over binder IPC. -# Types extracted from seapp_contexts type= fields. -allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write }; - -# Receive and use open /data/media files passed over binder IPC. -allow system_server media_rw_data_file:file { getattr read write }; - -# Relabel apk files. -allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto }; -allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto }; - -# Relabel wallpaper. -allow system_server system_data_file:file relabelfrom; -allow system_server wallpaper_file:file relabelto; -allow system_server wallpaper_file:file { rw_file_perms unlink }; - -# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)? -allow system_server system_data_file:dir relabelfrom; - -# Property Service write -set_prop(system_server, system_prop) -set_prop(system_server, safemode_prop) -set_prop(system_server, dhcp_prop) -set_prop(system_server, net_radio_prop) -set_prop(system_server, system_radio_prop) -set_prop(system_server, debug_prop) -set_prop(system_server, powerctl_prop) -set_prop(system_server, fingerprint_prop) -set_prop(system_server, device_logging_prop) - -# ctl interface -set_prop(system_server, ctl_default_prop) -set_prop(system_server, ctl_dhcp_pan_prop) -set_prop(system_server, ctl_bugreport_prop) - -# Create a socket for receiving info from wpa. -type_transition system_server wifi_data_file:sock_file system_wpa_socket; -type_transition system_server wpa_socket:sock_file system_wpa_socket; -allow system_server wpa_socket:dir rw_dir_perms; -allow system_server system_wpa_socket:sock_file create_file_perms; - -# Remove sockets created by wpa_supplicant -allow system_server wpa_socket:sock_file unlink; - -# Create a socket for connections from debuggerd. -type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket"; -allow system_server system_ndebug_socket:sock_file create_file_perms; - -# Manage cache files. -allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms }; -allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms }; -allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms; - -# Run system programs, e.g. dexopt. -allow system_server system_file:file x_file_perms; - -# LocationManager(e.g, GPS) needs to read and write -# to uart driver and ctrl proc entry -allow system_server gps_device:chr_file rw_file_perms; -allow system_server gps_control:file rw_file_perms; - -# Allow system_server to use app-created sockets and pipes. -allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown }; -allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write }; - -# Allow abstract socket connection -allow system_server rild:unix_stream_socket connectto; - -# BackupManagerService lets PMS create a data backup file -allow system_server cache_backup_file:file create_file_perms; -# Relabel /data/backup -allow system_server backup_data_file:dir { relabelto relabelfrom }; -# Relabel /cache/.*\.{data|restore} -allow system_server cache_backup_file:file { relabelto relabelfrom }; -# LocalTransport creates and relabels /cache/backup -allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms }; - -# Allow system to talk to usb device -allow system_server usb_device:chr_file rw_file_perms; -allow system_server usb_device:dir r_dir_perms; - -# Allow system to talk to sensors -allow system_server sensors_device:chr_file rw_file_perms; - -# Read from HW RNG (needed by EntropyMixer). -allow system_server hw_random_device:chr_file r_file_perms; - -# Read and delete files under /dev/fscklogs. -r_dir_file(system_server, fscklogs) -allow system_server fscklogs:dir { write remove_name }; -allow system_server fscklogs:file unlink; - -# logd access, system_server inherit logd write socket -# (urge is to deprecate this long term) -allow system_server zygote:unix_dgram_socket write; - -# Read from log daemon. -read_logd(system_server) - -# Be consistent with DAC permissions. Allow system_server to write to -# /sys/module/lowmemorykiller/parameters/adj -# /sys/module/lowmemorykiller/parameters/minfree -allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; - -# Read /sys/fs/pstore/console-ramoops -# Don't worry about overly broad permissions for now, as there's -# only one file in /sys/fs/pstore -allow system_server pstorefs:dir r_dir_perms; -allow system_server pstorefs:file r_file_perms; - -# /sys access -allow system_server sysfs_zram:dir search; -allow system_server sysfs_zram:file r_file_perms; - -allow system_server drmserver_service:service_manager find; -allow system_server batteryproperties_service:service_manager find; -allow system_server keystore_service:service_manager find; -allow system_server gatekeeper_service:service_manager find; -allow system_server fingerprintd_service:service_manager find; -allow system_server mediaserver_service:service_manager find; -allow system_server nfc_service:service_manager find; -allow system_server radio_service:service_manager find; -allow system_server system_server_service:service_manager { add find }; -allow system_server surfaceflinger_service:service_manager find; - -allow system_server keystore:keystore_key { - get_state - get - insert - delete - exist - list - reset - password - lock - unlock - is_empty - sign - verify - grant - duplicate - clear_uid - add_auth - user_changed -}; - -# Allow system server to search and write to the persistent factory reset -# protection partition. This block device does not get wiped in a factory reset. -allow system_server block_device:dir search; -allow system_server frp_block_device:blk_file rw_file_perms; - -# Clean up old cgroups -allow system_server cgroup:dir { remove_name rmdir }; - -# /oem access -r_dir_file(system_server, oemfs) - -# Allow resolving per-user storage symlinks -allow system_server { mnt_user_file storage_file }:dir { getattr search }; -allow system_server { mnt_user_file storage_file }:lnk_file { getattr read }; - -# Allow statfs() on storage devices, which happens fast enough that -# we shouldn't be killed during unsafe removal -allow system_server sdcard_type:dir { getattr search }; - -# Traverse into expanded storage -allow system_server mnt_expand_file:dir r_dir_perms; - -# Allow system process to relabel the fingerprint directory after mkdir -# and delete the directory and files when no longer needed -allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write }; -allow system_server fingerprintd_data_file:file { getattr unlink }; - -userdebug_or_eng(` - # Allow system server to create and write method traces in /data/misc/trace. - allow system_server method_trace_data_file:dir w_dir_perms; - allow system_server method_trace_data_file:file { create w_file_perms }; -') - -# For AppFuse. -allow system_server vold:fd use; -allow system_server fuse_device:chr_file { read write ioctl getattr }; - -# Connect to adbd and use a socket transferred from it. -# Used for e.g. jdwp. -allow system_server adbd:unix_stream_socket connectto; -allow system_server adbd:fd use; -allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; - -### -### Neverallow rules -### -### system_server should NEVER do any of this - -# Do not allow opening files from external storage as unsafe ejection -# could cause the kernel to kill the system_server. -neverallow system_server sdcard_type:dir { open read write }; -neverallow system_server sdcard_type:file rw_file_perms; - -# system server should never be operating on zygote spawned app data -# files directly. Rather, they should always be passed via a -# file descriptor. -# Types extracted from seapp_contexts type= fields, excluding -# those types that system_server needs to open directly. -neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link }; - -# system_server should never be executing dex2oat. This is either -# a bug (for example, bug 16317188), or represents an attempt by -# system server to dynamically load a dex file, something we do not -# want to allow. -neverallow system_server dex2oat_exec:file no_x_file_perms; - -# system_server should never execute anything from /data except for /data/dalvik-cache files. -neverallow system_server { - data_file_type - -dalvikcache_data_file #mapping with PROT_EXEC -}:file no_x_file_perms; - -# The only block device system_server should be accessing is -# the frp_block_device. This helps avoid a system_server to root -# escalation by writing to raw block devices. -neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; - -# system_server should never use JIT functionality -neverallow system_server self:process execmem; -neverallow system_server ashmem_device:chr_file execute; -neverallow system_server system_server_tmpfs:file execute; diff --git a/te_macros b/te_macros deleted file mode 100644 index 84af301..0000000 --- a/te_macros +++ /dev/null @@ -1,338 +0,0 @@ -##################################### -# domain_trans(olddomain, type, newdomain) -# Allow a transition from olddomain to newdomain -# upon executing a file labeled with type. -# This only allows the transition; it does not -# cause it to occur automatically - use domain_auto_trans -# if that is what you want. -# -define(`domain_trans', ` -# Old domain may exec the file and transition to the new domain. -allow $1 $2:file { getattr open read execute }; -allow $1 $3:process transition; -# New domain is entered by executing the file. -allow $3 $2:file { entrypoint open read execute getattr }; -# New domain can send SIGCHLD to its caller. -allow $3 $1:process sigchld; -# Enable AT_SECURE, i.e. libc secure mode. -dontaudit $1 $3:process noatsecure; -# XXX dontaudit candidate but requires further study. -allow $1 $3:process { siginh rlimitinh }; -') - -##################################### -# domain_auto_trans(olddomain, type, newdomain) -# Automatically transition from olddomain to newdomain -# upon executing a file labeled with type. -# -define(`domain_auto_trans', ` -# Allow the necessary permissions. -domain_trans($1,$2,$3) -# Make the transition occur by default. -type_transition $1 $2:process $3; -') - -##################################### -# file_type_trans(domain, dir_type, file_type) -# Allow domain to create a file labeled file_type in a -# directory labeled dir_type. -# This only allows the transition; it does not -# cause it to occur automatically - use file_type_auto_trans -# if that is what you want. -# -define(`file_type_trans', ` -# Allow the domain to add entries to the directory. -allow $1 $2:dir ra_dir_perms; -# Allow the domain to create the file. -allow $1 $3:notdevfile_class_set create_file_perms; -allow $1 $3:dir create_dir_perms; -') - -##################################### -# file_type_auto_trans(domain, dir_type, file_type) -# Automatically label new files with file_type when -# they are created by domain in directories labeled dir_type. -# -define(`file_type_auto_trans', ` -# Allow the necessary permissions. -file_type_trans($1, $2, $3) -# Make the transition occur by default. -type_transition $1 $2:dir $3; -type_transition $1 $2:notdevfile_class_set $3; -') - -##################################### -# r_dir_file(domain, type) -# Allow the specified domain to read directories, files -# and symbolic links of the specified type. -define(`r_dir_file', ` -allow $1 $2:dir r_dir_perms; -allow $1 $2:{ file lnk_file } r_file_perms; -') - -##################################### -# tmpfs_domain(domain) -# Define and allow access to a unique type for -# this domain when creating tmpfs / shmem / ashmem files. -define(`tmpfs_domain', ` -type $1_tmpfs, file_type; -type_transition $1 tmpfs:file $1_tmpfs; -allow $1 $1_tmpfs:file { read write }; -') - -##################################### -# init_daemon_domain(domain) -# Set up a transition from init to the daemon domain -# upon executing its binary. -define(`init_daemon_domain', ` -domain_auto_trans(init, $1_exec, $1) -tmpfs_domain($1) -') - -##################################### -# app_domain(domain) -# Allow a base set of permissions required for all apps. -define(`app_domain', ` -typeattribute $1 appdomain; -# Label ashmem objects with our own unique type. -tmpfs_domain($1) -# Map with PROT_EXEC. -allow $1 $1_tmpfs:file execute; -') - -##################################### -# net_domain(domain) -# Allow a base set of permissions required for network access. -define(`net_domain', ` -typeattribute $1 netdomain; -') - -##################################### -# bluetooth_domain(domain) -# Allow a base set of permissions required for bluetooth access. -define(`bluetooth_domain', ` -typeattribute $1 bluetoothdomain; -') - -##################################### -# unix_socket_connect(clientdomain, socket, serverdomain) -# Allow a local socket connection from clientdomain via -# socket to serverdomain. -# -# Note: If you see denial records that distill to the -# following allow rules: -# allow clientdomain property_socket:sock_file write; -# allow clientdomain init:unix_stream_socket connectto; -# allow clientdomain something_prop:property_service set; -# -# This sequence is indicative of attempting to set a property. -# use set_prop(sourcedomain, targetproperty) -# -define(`unix_socket_connect', ` -ifelse($2, `property', ` - ifelse($3,`init', ` - print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.') - ') -') -__unix_socket_connect__($1, $2, $3) -') - -define(`__unix_socket_connect__', ` -allow $1 $2_socket:sock_file write; -allow $1 $3:unix_stream_socket connectto; -') - -##################################### -# set_prop(sourcedomain, targetproperty) -# Allows source domain to set the -# targetproperty. -# -define(`set_prop', ` -__unix_socket_connect__($1, property, init) -allow $1 $2:property_service set; -get_prop($1, $2) -') - -##################################### -# get_prop(sourcedomain, targetproperty) -# Allows source domain to read the -# targetproperty. -# -define(`get_prop', ` -allow $1 $2:file r_file_perms; -') - -##################################### -# unix_socket_send(clientdomain, socket, serverdomain) -# Allow a local socket send from clientdomain via -# socket to serverdomain. -define(`unix_socket_send', ` -allow $1 $2_socket:sock_file write; -allow $1 $3:unix_dgram_socket sendto; -') - -##################################### -# binder_use(domain) -# Allow domain to use Binder IPC. -define(`binder_use', ` -# Call the servicemanager and transfer references to it. -allow $1 servicemanager:binder { call transfer }; -# servicemanager performs getpidcon on clients. -allow servicemanager $1:dir search; -allow servicemanager $1:file { read open }; -allow servicemanager $1:process getattr; -# rw access to /dev/binder and /dev/ashmem is presently granted to -# all domains in domain.te. -') - -##################################### -# binder_call(clientdomain, serverdomain) -# Allow clientdomain to perform binder IPC to serverdomain. -define(`binder_call', ` -# Call the server domain and optionally transfer references to it. -allow $1 $2:binder { call transfer }; -# Allow the serverdomain to transfer references to the client on the reply. -allow $2 $1:binder transfer; -# Receive and use open files from the server. -allow $1 $2:fd use; -') - -##################################### -# binder_service(domain) -# Mark a domain as being a Binder service domain. -# Used to allow binder IPC to the various system services. -define(`binder_service', ` -typeattribute $1 binderservicedomain; -') - -##################################### -# wakelock_use(domain) -# Allow domain to manage wake locks -define(`wakelock_use', ` -# Access /sys/power/wake_lock and /sys/power/wake_unlock -allow $1 sysfs_wake_lock:file rw_file_perms; -# Accessing these files requires CAP_BLOCK_SUSPEND -allow $1 self:capability2 block_suspend; -') - -##################################### -# selinux_check_access(domain) -# Allow domain to check SELinux permissions via selinuxfs. -define(`selinux_check_access', ` -allow $1 selinuxfs:file rw_file_perms; -allow $1 kernel:security compute_av; -allow $1 self:netlink_selinux_socket *; -') - -##################################### -# selinux_check_context(domain) -# Allow domain to check SELinux contexts via selinuxfs. -define(`selinux_check_context', ` -allow $1 selinuxfs:file rw_file_perms; -allow $1 kernel:security check_context; -') - -##################################### -# selinux_setenforce(domain) -# Allow domain to set SELinux to enforcing. -define(`selinux_setenforce', ` -allow $1 selinuxfs:file rw_file_perms; -allow $1 kernel:security setenforce; -') - -##################################### -# selinux_setbool(domain) -# Allow domain to set SELinux booleans. -define(`selinux_setbool', ` -allow $1 selinuxfs:file rw_file_perms; -allow $1 kernel:security setbool; -') - -##################################### -# create_pty(domain) -# Allow domain to create and use a pty, isolated from any other domain ptys. -define(`create_pty', ` -# Each domain gets a unique devpts type. -type $1_devpts, fs_type; -# Label the pty with the unique type when created. -type_transition $1 devpts:chr_file $1_devpts; -# Allow use of the pty after creation. -allow $1 $1_devpts:chr_file { open getattr read write ioctl }; -# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms -# allowed to everyone via domain.te. -') - -##################################### -# Non system_app application set -# -define(`non_system_app_set', `{ appdomain -system_app }') - -##################################### -# Recovery only -# SELinux rules which apply only to recovery mode -# -define(`recovery_only', ifelse(target_recovery, `true', $1, )) - -##################################### -# Userdebug or eng builds -# SELinux rules which apply only to userdebug or eng builds -# -define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1))) -define(`eng', ifelse(target_build_variant, `eng', $1)) - -##################################### -# write_logd(domain) -# Ability to write to android log -# daemon via sockets -define(`write_logd', ` -unix_socket_send($1, logdw, logd) -allow $1 pmsg_device:chr_file w_file_perms; -') - -##################################### -# read_logd(domain) -# Ability to run logcat and read from android -# log daemon via sockets -define(`read_logd', ` -allow $1 logcat_exec:file rx_file_perms; -unix_socket_connect($1, logdr, logd) -') - -##################################### -# control_logd(domain) -# Ability to control -# android log daemon via sockets -define(`control_logd', ` -# Group AID_LOG checked by filesystem & logd -# to permit control commands -unix_socket_connect($1, logd, logd) -') - -##################################### -# use_keystore(domain) -# Ability to use keystore. -# Keystore is requires the following permissions -# to call getpidcon. -define(`use_keystore', ` - allow keystore $1:dir search; - allow keystore $1:file { read open }; - allow keystore $1:process getattr; - allow $1 keystore_service:service_manager find; - binder_call($1, keystore) -') - -########################################### -# use_drmservice(domain) -# Ability to use DrmService which requires -# DrmService to call getpidcon. -define(`use_drmservice', ` - allow drmserver $1:dir search; - allow drmserver $1:file { read open }; - allow drmserver $1:process getattr; -') - -########################################## -# print a message with a trailing newline -# print(`args') -define(`print', `errprint(`m4: '__file__: __line__`: $* -')') @@ -1,15 +0,0 @@ -## -# trusted execution environment (tee) daemon -# -type tee, domain, domain_deprecated; -type tee_exec, exec_type, file_type; -type tee_device, dev_type; -type tee_data_file, file_type, data_file_type; - -init_daemon_domain(tee) -allow tee self:capability { dac_override }; -allow tee tee_device:chr_file rw_file_perms; -allow tee tee_data_file:dir rw_dir_perms; -allow tee tee_data_file:file create_file_perms; -allow tee self:netlink_socket create_socket_perms; -allow tee self:netlink_generic_socket create_socket_perms; diff --git a/toolbox.te b/toolbox.te deleted file mode 100644 index 55de7eb..0000000 --- a/toolbox.te +++ /dev/null @@ -1,26 +0,0 @@ -# Any toolbox command run by init. -# At present, the only known usage is for running mkswap via fs_mgr. -# Do NOT use this domain for toolbox when run by any other domain. -type toolbox, domain, domain_deprecated; -type toolbox_exec, exec_type, file_type; - -init_daemon_domain(toolbox) - -# /dev/__null__ created by init prior to policy load, -# open fd inherited by fsck. -allow toolbox tmpfs:chr_file { read write ioctl }; - -# Inherit and use pty created by android_fork_execvp_ext(). -allow toolbox devpts:chr_file { read write getattr ioctl }; - -# mkswap-specific. -# Read/write block devices used for swap partitions. -# Assign swap_block_device type any such partition in your -# device/<vendor>/<product>/sepolicy/file_contexts file. -allow toolbox block_device:dir search; -allow toolbox swap_block_device:blk_file rw_file_perms; - -# Only allow entry from init via the toolbox binary. -neverallow { domain -init } toolbox:process transition; -neverallow * toolbox:process dyntransition; -neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint; diff --git a/tools/Android.mk b/tools/Android.mk deleted file mode 100644 index 98f562c..0000000 --- a/tools/Android.mk +++ /dev/null @@ -1,55 +0,0 @@ -LOCAL_PATH:= $(call my-dir) - -include $(CLEAR_VARS) - -LOCAL_MODULE := checkseapp -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := \ - external/pcre \ - external/selinux/libsepol/include -LOCAL_CFLAGS := -DLINK_SEPOL_STATIC -Wall -Werror -LOCAL_SRC_FILES := check_seapp.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_WHOLE_STATIC_LIBRARIES := libpcre -LOCAL_CXX_STL := none - -include $(BUILD_HOST_EXECUTABLE) - -################################### -include $(CLEAR_VARS) - -LOCAL_MODULE := checkfc -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := external/selinux/libsepol/include \ - external/libselinux/include -LOCAL_CFLAGS := -Wall -Werror -LOCAL_SRC_FILES := checkfc.c -LOCAL_STATIC_LIBRARIES := libsepol libselinux -LOCAL_CXX_STL := none - -include $(BUILD_HOST_EXECUTABLE) - -################################## -include $(CLEAR_VARS) - -LOCAL_MODULE := insertkeys.py -LOCAL_SRC_FILES := insertkeys.py -LOCAL_MODULE_CLASS := EXECUTABLES -LOCAL_IS_HOST_MODULE := true -LOCAL_MODULE_TAGS := optional - -include $(BUILD_PREBUILT) -################################### -include $(CLEAR_VARS) - -LOCAL_MODULE := sepolicy-check -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := external/selinux/libsepol/include -LOCAL_CFLAGS := -Wall -Werror -LOCAL_SRC_FILES := sepolicy-check.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_CXX_STL := none - -include $(BUILD_HOST_EXECUTABLE) - -include $(call all-makefiles-under,$(LOCAL_PATH)) diff --git a/tools/README b/tools/README deleted file mode 100644 index 6035c03..0000000 --- a/tools/README +++ /dev/null @@ -1,63 +0,0 @@ -This directory contains a number of tools related to policy, some of -which are used in building and validating the policy and others are -available for help in auditing and analyzing policy. The tools are -described further below. - -checkfc - A utility for checking the validity of a file_contexts or a - property_contexts configuration file. Used as part of the policy - build to validate both files. Requires the sepolicy file as an - argument in order to check the validity of the security contexts - in the file_contexts or property_contexts file. - - Usage1: - checkfc sepolicy file_contexts - checkfc -p sepolicy property_contexts - - Also used to compare two file_contexts or file_contexts.bin files. - Displays one of subset, equal, superset, or incomparable. - - Usage2: - checkfc -c file_contexts1 file_contexts2 - - Example: - $ checkfc -c out/target/product/shamu/system/etc/general_file_contexts out/target/product/shamu/root/file_contexts.bin - subset - -checkseapp - A utility for merging together the main seapp_contexts - configuration and the device-specific one, and simultaneously - checking the validity of the configurations. Used as part of the - policy build process to merge and validate the configuration. - - Usage: - checkseapp -p sepolicy input_seapp_contexts0 [input_seapp_contexts1...] -o seapp_contexts - -insertkeys.py - A helper script for mapping tags in the signature stanzas of - mac_permissions.xml to public keys found in pem files. This - script is described further in the top-level sepolicy/README. - -post_process_mac_perms - A tool to help modify an existing mac_permissions.xml with additional app - certs not already found in that policy. This becomes useful when a directory - containing apps is searched and the certs from those apps are added to the - policy not already explicitly listed. - - Usage: - post_process_mac_perms [-h] -s SEINFO -d DIR -f POLICY - - -s SEINFO, --seinfo SEINFO seinfo tag for each generated stanza - -d DIR, --dir DIR Directory to search for apks - -f POLICY, --file POLICY mac_permissions.xml policy file - -sepolicy-check - A tool for auditing a sepolicy file for any allow rule that grants - a given permission. - - Usage: - sepolicy-check -s <domain> -t <type> -c <class> -p <permission> -P out/target/product/<board>/root/sepolicy - -sepolicy-analyze - A tool for performing various kinds of analysis on a sepolicy - file. diff --git a/tools/check_seapp.c b/tools/check_seapp.c deleted file mode 100644 index 69db388..0000000 --- a/tools/check_seapp.c +++ /dev/null @@ -1,1239 +0,0 @@ -#include <stdio.h> -#include <stdarg.h> -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <string.h> -#include <errno.h> -#include <stdint.h> -#include <search.h> -#include <stdbool.h> -#include <sepol/sepol.h> -#include <sepol/policydb/policydb.h> -#include <pcre.h> - -#define TABLE_SIZE 1024 -#define KVP_NUM_OF_RULES (sizeof(rules) / sizeof(key_map)) -#define log_set_verbose() do { logging_verbose = 1; log_info("Enabling verbose\n"); } while(0) -#define log_error(fmt, ...) log_msg(stderr, "Error: ", fmt, ##__VA_ARGS__) -#define log_warn(fmt, ...) log_msg(stderr, "Warning: ", fmt, ##__VA_ARGS__) -#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); } - -/** - * Initializes an empty, static list. - */ -#define list_init(free_fn) { .head = NULL, .tail = NULL, .freefn = free_fn } - -/** - * given an item in the list, finds the offset for the container - * it was stored in. - * - * @element The element from the list - * @type The container type ie what you allocated that has the list_element structure in it. - * @name The name of the field that is the list_element - * - */ -#define list_entry(element, type, name) \ - (type *)(((uint8_t *)element) - (uint8_t *)&(((type *)NULL)->name)) - -/** - * Iterates over the list, do not free elements from the list when using this. - * @list The list head to walk - * @var The variable name for the cursor - */ -#define list_for_each(list, var) \ - for(var = (list)->head; var != NULL; var = var->next) - - -typedef struct hash_entry hash_entry; -typedef enum key_dir key_dir; -typedef enum data_type data_type; -typedef enum rule_map_switch rule_map_switch; -typedef enum map_match map_match; -typedef struct key_map key_map; -typedef struct kvp kvp; -typedef struct rule_map rule_map; -typedef struct policy_info policy_info; -typedef struct list_element list_element; -typedef struct list list; -typedef struct key_map_regex key_map_regex; -typedef struct file_info file_info; - -enum map_match { - map_no_matches, - map_input_matched, - map_matched -}; - -const char *map_match_str[] = { - "do not match", - "match on all inputs", - "match on everything" -}; - -/** - * Whether or not the "key" from a key vaue pair is considered an - * input or an output. - */ -enum key_dir { - dir_in, dir_out -}; - -struct list_element { - list_element *next; -}; - -struct list { - list_element *head; - list_element *tail; - void (*freefn)(list_element *e); -}; - -struct key_map_regex { - pcre *compiled; - pcre_extra *extra; -}; - -/** - * The workhorse of the logic. This struct maps key value pairs to - * an associated set of meta data maintained in rule_map_new() - */ -struct key_map { - char *name; - key_dir dir; - char *data; - key_map_regex regex; - bool (*fn_validate)(char *value, char **errmsg); -}; - -/** - * Key value pair struct, this represents the raw kvp values coming - * from the rules files. - */ -struct kvp { - char *key; - char *value; -}; - -/** - * Rules are made up of meta data and an associated set of kvp stored in a - * key_map array. - */ -struct rule_map { - bool is_never_allow; - list violations; - list_element listify; - char *key; /** key value before hashing */ - size_t length; /** length of the key map */ - int lineno; /** Line number rule was encounter on */ - char *filename; /** File it was found in */ - key_map m[]; /** key value mapping */ -}; - -struct hash_entry { - list_element listify; - rule_map *r; /** The rule map to store at that location */ -}; - -/** - * Data associated for a policy file - */ -struct policy_info { - - char *policy_file_name; /** policy file path name */ - FILE *policy_file; /** file handle to the policy file */ - sepol_policydb_t *db; - sepol_policy_file_t *pf; - sepol_handle_t *handle; - sepol_context_t *con; -}; - -struct file_info { - FILE *file; /** file itself */ - const char *name; /** name of file. do not free, these are not alloc'd */ - list_element listify; -}; - -static void input_file_list_freefn(list_element *e); -static void line_order_list_freefn(list_element *e); -static void rule_map_free(rule_map *rm, bool is_in_htable); - -/** Set to !0 to enable verbose logging */ -static int logging_verbose = 0; - -/** file handle to the output file */ -static file_info out_file; - -static list input_file_list = list_init(input_file_list_freefn); - -static policy_info pol = { - .policy_file_name = NULL, - .policy_file = NULL, - .db = NULL, - .pf = NULL, - .handle = NULL, - .con = NULL -}; - -/** - * Head pointer to a linked list of - * rule map table entries (hash_entry), used for - * preserving the order of entries - * based on "first encounter" - */ -static list line_order_list = list_init(line_order_list_freefn); - -/* - * List of hash_entrys for never allow rules. - */ -static list nallow_list = list_init(line_order_list_freefn); - -/* validation call backs */ -static bool validate_bool(char *value, char **errmsg); -static bool validate_levelFrom(char *value, char **errmsg); -static bool validate_selinux_type(char *value, char **errmsg); -static bool validate_selinux_level(char *value, char **errmsg); - -/** - * The heart of the mapping process, this must be updated if a new key value pair is added - * to a rule. - */ -key_map rules[] = { - /*Inputs*/ - { .name = "isSystemServer", .dir = dir_in, .fn_validate = validate_bool }, - { .name = "isOwner", .dir = dir_in, .fn_validate = validate_bool }, - { .name = "user", .dir = dir_in, }, - { .name = "seinfo", .dir = dir_in, }, - { .name = "name", .dir = dir_in, }, - { .name = "path", .dir = dir_in, }, - { .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool }, - /*Outputs*/ - { .name = "domain", .dir = dir_out, .fn_validate = validate_selinux_type }, - { .name = "type", .dir = dir_out, .fn_validate = validate_selinux_type }, - { .name = "levelFromUid", .dir = dir_out, .fn_validate = validate_bool }, - { .name = "levelFrom", .dir = dir_out, .fn_validate = validate_levelFrom }, - { .name = "level", .dir = dir_out, .fn_validate = validate_selinux_level }, -}; - -/** - * Appends to the end of the list. - * @list The list to append to - * @e the element to append - */ -void list_append(list *list, list_element *e) { - - memset(e, 0, sizeof(*e)); - - if (list->head == NULL ) { - list->head = list->tail = e; - return; - } - - list->tail->next = e; - list->tail = e; - return; -} - -/** - * Free's all the elements in the specified list. - * @list The list to free - */ -static void list_free(list *list) { - - list_element *tmp; - list_element *cursor = list->head; - - while (cursor) { - tmp = cursor; - cursor = cursor->next; - if (list->freefn) { - list->freefn(tmp); - } - } -} - -/* - * called when the lists are freed - */ -static void line_order_list_freefn(list_element *e) { - hash_entry *h = list_entry(e, typeof(*h), listify); - rule_map_free(h->r, true); - free(h); -} - -static void input_file_list_freefn(list_element *e) { - file_info *f = list_entry(e, typeof(*f), listify); - - if (f->file) { - fclose(f->file); - } - free(f); -} - -/** - * Send a logging message to a file - * @param out - * Output file to send message too - * @param prefix - * A special prefix to write to the file, such as "Error:" - * @param fmt - * The printf style formatter to use, such as "%d" - */ -static void __attribute__ ((format(printf, 3, 4))) -log_msg(FILE *out, const char *prefix, const char *fmt, ...) { - - fprintf(out, "%s", prefix); - va_list args; - va_start(args, fmt); - vfprintf(out, fmt, args); - va_end(args); -} - -/** - * Checks for a type in the policy. - * @param db - * The policy db to search - * @param type - * The type to search for - * @return - * 1 if the type is found, 0 otherwise. - * @warning - * This function always returns 1 if libsepol is not linked - * statically to this executable and LINK_SEPOL_STATIC is not - * defined. - */ -static int check_type(sepol_policydb_t *db, char *type) { - - int rc = 1; -#if defined(LINK_SEPOL_STATIC) - policydb_t *d = (policydb_t *)db; - hashtab_datum_t dat; - dat = hashtab_search(d->p_types.table, type); - rc = (dat == NULL) ? 0 : 1; -#endif - return rc; -} - -static bool match_regex(key_map *assert, const key_map *check) { - - char *tomatch = check->data; - - int ret = pcre_exec(assert->regex.compiled, assert->regex.extra, tomatch, - strlen(tomatch), 0, 0, NULL, 0); - - /* 0 from pcre_exec means matched */ - return !ret; -} - -static bool compile_regex(key_map *km, const char **errbuf, int *erroff) { - - size_t size; - char *anchored; - - /* - * Explicitly anchor all regex's - * The size is the length of the string to anchor (km->data), the anchor - * characters ^ and $ and the null byte. Hence strlen(km->data) + 3 - */ - size = strlen(km->data) + 3; - anchored = alloca(size); - sprintf(anchored, "^%s$", km->data); - - km->regex.compiled = pcre_compile(anchored, PCRE_DOTALL, errbuf, erroff, - NULL ); - if (!km->regex.compiled) { - return false; - } - - km->regex.extra = pcre_study(km->regex.compiled, 0, errbuf); - return true; -} - -static bool validate_bool(char *value, char **errmsg) { - - if (!strcmp("true", value) || !strcmp("false", value)) { - return true; - } - - *errmsg = "Expecting \"true\" or \"false\""; - return false; -} - -static bool validate_levelFrom(char *value, char **errmsg) { - - if(strcasecmp(value, "none") && strcasecmp(value, "all") && - strcasecmp(value, "app") && strcasecmp(value, "user")) { - *errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\""; - return false; - } - return true; -} - -static bool validate_selinux_type(char *value, char **errmsg) { - - /* - * No policy file present means we cannot check - * SE Linux types - */ - if (!pol.policy_file) { - return true; - } - - if(!check_type(pol.db, value)) { - *errmsg = "Expecting a valid SELinux type"; - return false; - } - - return true; -} - -static bool validate_selinux_level(char *value, char **errmsg) { - - /* - * No policy file present means we cannot check - * SE Linux MLS - */ - if (!pol.policy_file) { - return true; - } - - int ret = sepol_mls_check(pol.handle, pol.db, value); - if (ret < 0) { - *errmsg = "Expecting a valid SELinux MLS value"; - return false; - } - - return true; -} - -/** - * Validates a key_map against a set of enforcement rules, this - * function exits the application on a type that cannot be properly - * checked - * - * @param m - * The key map to check - * @param lineno - * The line number in the source file for the corresponding key map - * @return - * true if valid, false if invalid - */ -static bool key_map_validate(key_map *m, const char *filename, int lineno, - bool is_neverallow) { - - int erroff; - const char *errbuf; - bool rc = true; - char *key = m->name; - char *value = m->data; - char *errmsg = NULL; - - log_info("Validating %s=%s\n", key, value); - - /* - * Neverallows are completely skipped from sanity checking so you can match - * un-unspecified inputs. - */ - if (is_neverallow) { - if (!m->regex.compiled) { - rc = compile_regex(m, &errbuf, &erroff); - if (!rc) { - log_error("Invalid regex on line %d : %s PCRE error: %s at offset %d", - lineno, value, errbuf, erroff); - } - } - goto out; - } - - /* If the key has a validation routine, call it */ - if (m->fn_validate) { - rc = m->fn_validate(value, &errmsg); - - if (!rc) { - log_error("Could not validate key \"%s\" for value \"%s\" on line: %d in file: \"%s\": %s\n", key, value, - lineno, filename, errmsg); - } - } - -out: - log_info("Key map validate returning: %d\n", rc); - return rc; -} - -/** - * Prints a rule map back to a file - * @param fp - * The file handle to print too - * @param r - * The rule map to print - */ -static void rule_map_print(FILE *fp, rule_map *r) { - - size_t i; - key_map *m; - - for (i = 0; i < r->length; i++) { - m = &(r->m[i]); - if (i < r->length - 1) - fprintf(fp, "%s=%s ", m->name, m->data); - else - fprintf(fp, "%s=%s", m->name, m->data); - } -} - -/** - * Compare two rule maps for equality - * @param rmA - * a rule map to check - * @param rmB - * a rule map to check - * @return - * a map_match enum indicating the result - */ -static map_match rule_map_cmp(rule_map *rmA, rule_map *rmB) { - - size_t i; - size_t j; - int inputs_found = 0; - int num_of_matched_inputs = 0; - int input_mode = 0; - size_t matches = 0; - key_map *mA; - key_map *mB; - - for (i = 0; i < rmA->length; i++) { - mA = &(rmA->m[i]); - - for (j = 0; j < rmB->length; j++) { - mB = &(rmB->m[j]); - input_mode = 0; - - if (strcmp(mA->name, mB->name)) - continue; - - if (strcmp(mA->data, mB->data)) - continue; - - if (mB->dir != mA->dir) - continue; - else if (mB->dir == dir_in) { - input_mode = 1; - inputs_found++; - } - - if (input_mode) { - log_info("Matched input lines: name=%s data=%s\n", mA->name, mA->data); - num_of_matched_inputs++; - } - - /* Match found, move on */ - log_info("Matched lines: name=%s data=%s", mA->name, mA->data); - matches++; - break; - } - } - - /* If they all matched*/ - if (matches == rmA->length) { - log_info("Rule map cmp MATCH\n"); - return map_matched; - } - - /* They didn't all match but the input's did */ - else if (num_of_matched_inputs == inputs_found) { - log_info("Rule map cmp INPUT MATCH\n"); - return map_input_matched; - } - - /* They didn't all match, and the inputs didn't match, ie it didn't - * match */ - else { - log_info("Rule map cmp NO MATCH\n"); - return map_no_matches; - } -} - -/** - * Frees a rule map - * @param rm - * rule map to be freed. - * @is_in_htable - * True if the rule map has been added to the hash table, false - * otherwise. - */ -static void rule_map_free(rule_map *rm, bool is_in_htable) { - - size_t i; - size_t len = rm->length; - for (i = 0; i < len; i++) { - key_map *m = &(rm->m[i]); - free(m->data); - - if (m->regex.compiled) { - pcre_free(m->regex.compiled); - } - - if (m->regex.extra) { - pcre_free_study(m->regex.extra); - } - } - - /* - * hdestroy() frees comparsion keys for non glibc - * on GLIBC we always free on NON-GLIBC we free if - * it is not in the htable. - */ - if (rm->key) { -#ifdef __GLIBC__ - /* silence unused warning */ - (void)is_in_htable; - free(rm->key); -#else - if (!is_in_htable) { - free(rm->key); - } -#endif - } - - free(rm->filename); - free(rm); -} - -static void free_kvp(kvp *k) { - free(k->key); - free(k->value); -} - -/** - * Checks a rule_map for any variation of KVP's that shouldn't be allowed. - * It builds an assertion failure list for each rule map. - * Note that this function logs all errors. - * - * Current Checks: - * 1. That a specified name entry should have a specified seinfo entry as well. - * 2. That no rule violates a neverallow - * @param rm - * The rule map to check for validity. - */ -static void rule_map_validate(rule_map *rm) { - - size_t i, j; - const key_map *rule; - key_map *nrule; - hash_entry *e; - rule_map *assert; - list_element *cursor; - - list_for_each(&nallow_list, cursor) { - e = list_entry(cursor, typeof(*e), listify); - assert = e->r; - - size_t cnt = 0; - - for (j = 0; j < assert->length; j++) { - nrule = &(assert->m[j]); - - // mark that nrule->name is for a null check - bool is_null_check = !strcmp(nrule->data, "\"\""); - - for (i = 0; i < rm->length; i++) { - rule = &(rm->m[i]); - - if (!strcmp(rule->name, nrule->name)) { - - /* the name was found, (data cannot be false) then it was specified */ - is_null_check = false; - - if (match_regex(nrule, rule)) { - cnt++; - } - } - } - - /* - * the nrule was marked in a null check and we never found a match on nrule, thus - * it matched and we update the cnt - */ - if (is_null_check) { - cnt++; - } - } - if (cnt == assert->length) { - list_append(&rm->violations, &assert->listify); - } - } -} - -/** - * Given a set of key value pairs, this will construct a new rule map. - * On error this function calls exit. - * @param keys - * Keys from a rule line to map - * @param num_of_keys - * The length of the keys array - * @param lineno - * The line number the keys were extracted from - * @return - * A rule map pointer. - */ -static rule_map *rule_map_new(kvp keys[], size_t num_of_keys, int lineno, - const char *filename, bool is_never_allow) { - - size_t i = 0, j = 0; - rule_map *new_map = NULL; - kvp *k = NULL; - key_map *r = NULL, *x = NULL; - bool seen[KVP_NUM_OF_RULES]; - - for (i = 0; i < KVP_NUM_OF_RULES; i++) - seen[i] = false; - - new_map = calloc(1, (num_of_keys * sizeof(key_map)) + sizeof(rule_map)); - if (!new_map) - goto oom; - - new_map->is_never_allow = is_never_allow; - new_map->length = num_of_keys; - new_map->lineno = lineno; - new_map->filename = strdup(filename); - if (!new_map->filename) { - goto oom; - } - - /* For all the keys in a rule line*/ - for (i = 0; i < num_of_keys; i++) { - k = &(keys[i]); - r = &(new_map->m[i]); - - for (j = 0; j < KVP_NUM_OF_RULES; j++) { - x = &(rules[j]); - - /* Only assign key name to map name */ - if (strcasecmp(k->key, x->name)) { - if (i == KVP_NUM_OF_RULES) { - log_error("No match for key: %s\n", k->key); - goto err; - } - continue; - } - - if (seen[j]) { - log_error("Duplicated key: %s\n", k->key); - goto err; - } - seen[j] = true; - - memcpy(r, x, sizeof(key_map)); - - /* Assign rule map value to one from file */ - r->data = strdup(k->value); - if (!r->data) - goto oom; - - /* Enforce type check*/ - log_info("Validating keys!\n"); - if (!key_map_validate(r, filename, lineno, new_map->is_never_allow)) { - log_error("Could not validate\n"); - goto err; - } - - /* - * Only build key off of inputs with the exception of neverallows. - * Neverallows are keyed off of all key value pairs, - */ - if (r->dir == dir_in || new_map->is_never_allow) { - char *tmp; - int key_len = strlen(k->key); - int val_len = strlen(k->value); - int l = (new_map->key) ? strlen(new_map->key) : 0; - l = l + key_len + val_len; - l += 1; - - tmp = realloc(new_map->key, l); - if (!tmp) - goto oom; - - if (!new_map->key) - memset(tmp, 0, l); - - new_map->key = tmp; - - strncat(new_map->key, k->key, key_len); - strncat(new_map->key, k->value, val_len); - } - break; - } - free_kvp(k); - } - - if (new_map->key == NULL) { - log_error("Strange, no keys found, input file corrupt perhaps?\n"); - goto err; - } - - return new_map; - -oom: - log_error("Out of memory!\n"); -err: - if(new_map) { - rule_map_free(new_map, false); - for (; i < num_of_keys; i++) { - k = &(keys[i]); - free_kvp(k); - } - } - return NULL; -} - -/** - * Print the usage of the program - */ -static void usage() { - printf( - "checkseapp [options] <input file>\n" - "Processes an seapp_contexts file specified by argument <input file> (default stdin) " - "and allows later declarations to override previous ones on a match.\n" - "Options:\n" - "-h - print this help message\n" - "-v - enable verbose debugging informations\n" - "-p policy file - specify policy file for strict checking of output selectors against the policy\n" - "-o output file - specify output file or - for stdout. No argument runs in silent mode and outputs nothing\n"); -} - -static void init() { - - bool has_out_file; - list_element *cursor; - file_info *tmp; - - /* input files if the list is empty, use stdin */ - if (!input_file_list.head) { - log_info("Using stdin for input\n"); - tmp = malloc(sizeof(*tmp)); - if (!tmp) { - log_error("oom"); - exit(EXIT_FAILURE); - } - tmp->name = "stdin"; - tmp->file = stdin; - list_append(&input_file_list, &(tmp->listify)); - } - else { - list_for_each(&input_file_list, cursor) { - tmp = list_entry(cursor, typeof(*tmp), listify); - - log_info("Opening input file: \"%s\"\n", tmp->name); - tmp->file = fopen(tmp->name, "r"); - if (!tmp->file) { - log_error("Could not open file: %s error: %s\n", tmp->name, - strerror(errno)); - exit(EXIT_FAILURE); - } - } - } - - has_out_file = out_file.name != NULL; - - /* If output file is -, then use stdout, else open the path */ - if (has_out_file && !strcmp(out_file.name, "-")) { - out_file.file = stdout; - out_file.name = "stdout"; - } - else if (has_out_file) { - out_file.file = fopen(out_file.name, "w+"); - } - - if (has_out_file && !out_file.file) { - log_error("Could not open file: \"%s\" error: \"%s\"\n", out_file.name, - strerror(errno)); - exit(EXIT_FAILURE); - } - - if (pol.policy_file_name) { - log_info("Opening policy file: %s\n", pol.policy_file_name); - pol.policy_file = fopen(pol.policy_file_name, "rb"); - if (!pol.policy_file) { - log_error("Could not open file: %s error: %s\n", - pol.policy_file_name, strerror(errno)); - exit(EXIT_FAILURE); - } - - pol.handle = sepol_handle_create(); - if (!pol.handle) { - log_error("Could not create sepolicy handle: %s\n", - strerror(errno)); - exit(EXIT_FAILURE); - } - - if (sepol_policy_file_create(&pol.pf) < 0) { - log_error("Could not create sepolicy file: %s!\n", - strerror(errno)); - exit(EXIT_FAILURE); - } - - sepol_policy_file_set_fp(pol.pf, pol.policy_file); - sepol_policy_file_set_handle(pol.pf, pol.handle); - - if (sepol_policydb_create(&pol.db) < 0) { - log_error("Could not create sepolicy db: %s!\n", - strerror(errno)); - exit(EXIT_FAILURE); - } - - if (sepol_policydb_read(pol.db, pol.pf) < 0) { - log_error("Could not lod policy file to db: %s!\n", - strerror(errno)); - exit(EXIT_FAILURE); - } - } - - list_for_each(&input_file_list, cursor) { - tmp = list_entry(cursor, typeof(*tmp), listify); - log_info("Input file set to: \"%s\"\n", tmp->name); - } - - log_info("Policy file set to: \"%s\"\n", - (pol.policy_file_name == NULL) ? "None" : pol.policy_file_name); - log_info("Output file set to: \"%s\"\n", out_file.name); - -#if !defined(LINK_SEPOL_STATIC) - log_warn("LINK_SEPOL_STATIC is not defined\n""Not checking types!"); -#endif - -} - -/** - * Handle parsing and setting the global flags for the command line - * options. This function calls exit on failure. - * @param argc - * argument count - * @param argv - * argument list - */ -static void handle_options(int argc, char *argv[]) { - - int c; - file_info *input_file; - - while ((c = getopt(argc, argv, "ho:p:v")) != -1) { - switch (c) { - case 'h': - usage(); - exit(EXIT_SUCCESS); - case 'o': - out_file.name = optarg; - break; - case 'p': - pol.policy_file_name = optarg; - break; - case 'v': - log_set_verbose(); - break; - case '?': - if (optopt == 'o' || optopt == 'p') - log_error("Option -%c requires an argument.\n", optopt); - else if (isprint (optopt)) - log_error("Unknown option `-%c'.\n", optopt); - else { - log_error( - "Unknown option character `\\x%x'.\n", - optopt); - } - default: - exit(EXIT_FAILURE); - } - } - - for (c = optind; c < argc; c++) { - - input_file = calloc(1, sizeof(*input_file)); - if (!input_file) { - log_error("oom"); - exit(EXIT_FAILURE); - } - input_file->name = argv[c]; - list_append(&input_file_list, &input_file->listify); - } -} - -/** - * Adds a rule to the hash table and to the ordered list if needed. - * @param rm - * The rule map to add. - */ -static void rule_add(rule_map *rm) { - - map_match cmp; - ENTRY e; - ENTRY *f; - hash_entry *entry; - hash_entry *tmp; - list *list_to_addto; - - e.key = rm->key; - - log_info("Searching for key: %s\n", e.key); - /* Check to see if it has already been added*/ - f = hsearch(e, FIND); - - /* - * Since your only hashing on a partial key, the inputs we need to handle - * when you want to override the outputs for a given input set, as well as - * checking for duplicate entries. - */ - if(f) { - log_info("Existing entry found!\n"); - tmp = (hash_entry *)f->data; - cmp = rule_map_cmp(rm, tmp->r); - log_error("Duplicate line detected in file: %s\n" - "Lines %d and %d %s!\n", - rm->filename, tmp->r->lineno, rm->lineno, - map_match_str[cmp]); - rule_map_free(rm, false); - goto err; - } - /* It wasn't found, just add the rule map to the table */ - else { - - entry = malloc(sizeof(hash_entry)); - if (!entry) - goto oom; - - entry->r = rm; - e.data = entry; - - f = hsearch(e, ENTER); - if(f == NULL) { - goto oom; - } - - /* new entries must be added to the ordered list */ - entry->r = rm; - list_to_addto = rm->is_never_allow ? &nallow_list : &line_order_list; - list_append(list_to_addto, &entry->listify); - } - - return; -oom: - if (e.key) - free(e.key); - if (entry) - free(entry); - if (rm) - free(rm); - log_error("Out of memory in function: %s\n", __FUNCTION__); -err: - exit(EXIT_FAILURE); -} - -static void parse_file(file_info *in_file) { - - char *p; - size_t len; - char *token; - char *saveptr; - bool is_never_allow; - bool found_whitespace; - - size_t lineno = 0; - char *name = NULL; - char *value = NULL; - size_t token_cnt = 0; - - char line_buf[BUFSIZ]; - kvp keys[KVP_NUM_OF_RULES]; - - while (fgets(line_buf, sizeof(line_buf) - 1, in_file->file)) { - lineno++; - is_never_allow = false; - found_whitespace = false; - log_info("Got line %zu\n", lineno); - len = strlen(line_buf); - if (line_buf[len - 1] == '\n') - line_buf[len - 1] = '\0'; - p = line_buf; - - /* neverallow lines must start with neverallow (ie ^neverallow) */ - if (!strncasecmp(p, "neverallow", strlen("neverallow"))) { - p += strlen("neverallow"); - is_never_allow = true; - } - - /* strip trailing whitespace skip comments */ - while (isspace(*p)) { - p++; - found_whitespace = true; - } - if (*p == '#' || *p == '\0') - continue; - - token = strtok_r(p, " \t", &saveptr); - if (!token) - goto err; - - token_cnt = 0; - memset(keys, 0, sizeof(kvp) * KVP_NUM_OF_RULES); - while (1) { - - name = token; - value = strchr(name, '='); - if (!value) - goto err; - *value++ = 0; - - keys[token_cnt].key = strdup(name); - if (!keys[token_cnt].key) - goto oom; - - keys[token_cnt].value = strdup(value); - if (!keys[token_cnt].value) - goto oom; - - token_cnt++; - - token = strtok_r(NULL, " \t", &saveptr); - if (!token) - break; - - } /*End token parsing */ - - rule_map *r = rule_map_new(keys, token_cnt, lineno, in_file->name, is_never_allow); - if (!r) - goto err; - rule_add(r); - - } /* End file parsing */ - return; - -err: - log_error("Reading file: \"%s\" line: %zu name: \"%s\" value: \"%s\"\n", - in_file->name, lineno, name, value); - if(found_whitespace && name && !strcasecmp(name, "neverallow")) { - log_error("perhaps whitespace before neverallow\n"); - } - exit(EXIT_FAILURE); -oom: - log_error("In function %s: Out of memory\n", __FUNCTION__); - exit(EXIT_FAILURE); -} - -/** - * Parses the seapp_contexts file and neverallow file - * and adds them to the hash table and ordered list entries - * when it encounters them. - * Calls exit on failure. - */ -static void parse() { - - file_info *current; - list_element *cursor; - list_for_each(&input_file_list, cursor) { - current = list_entry(cursor, typeof(*current), listify); - parse_file(current); - } -} - -static void validate() { - - list_element *cursor, *v; - bool found_issues = false; - hash_entry *e; - rule_map *r; - list_for_each(&line_order_list, cursor) { - e = list_entry(cursor, typeof(*e), listify); - rule_map_validate(e->r); - } - - list_for_each(&line_order_list, cursor) { - e = list_entry(cursor, typeof(*e), listify); - r = e->r; - list_for_each(&r->violations, v) { - found_issues = true; - log_error("Rule in File \"%s\" on line %d: \"", e->r->filename, e->r->lineno); - rule_map_print(stderr, e->r); - r = list_entry(v, rule_map, listify); - fprintf(stderr, "\" violates neverallow in File \"%s\" on line %d: \"", r->filename, r->lineno); - rule_map_print(stderr, r); - fprintf(stderr, "\"\n"); - } - } - - if (found_issues) { - exit(EXIT_FAILURE); - } -} - -/** - * Should be called after parsing to cause the printing of the rule_maps - * stored in the ordered list, head first, which preserves the "first encountered" - * ordering. - */ -static void output() { - - hash_entry *e; - list_element *cursor; - - if (!out_file.file) { - log_info("No output file, not outputting.\n"); - return; - } - - list_for_each(&line_order_list, cursor) { - e = list_entry(cursor, hash_entry, listify); - rule_map_print(out_file.file, e->r); - fprintf(out_file.file, "\n"); - } -} - -/** - * This function is registered to the at exit handler and should clean up - * the programs dynamic resources, such as memory and fd's. - */ -static void cleanup() { - - /* Only close this when it was opened by me and not the crt */ - if (out_file.name && strcmp(out_file.name, "stdout") && out_file.file) { - log_info("Closing file: %s\n", out_file.name); - fclose(out_file.file); - } - - if (pol.policy_file) { - - log_info("Closing file: %s\n", pol.policy_file_name); - fclose(pol.policy_file); - - if (pol.db) - sepol_policydb_free(pol.db); - - if (pol.pf) - sepol_policy_file_free(pol.pf); - - if (pol.handle) - sepol_handle_destroy(pol.handle); - } - - log_info("Freeing lists\n"); - list_free(&input_file_list); - list_free(&line_order_list); - list_free(&nallow_list); - hdestroy(); -} - -int main(int argc, char *argv[]) { - if (!hcreate(TABLE_SIZE)) { - log_error("Could not create hash table: %s\n", strerror(errno)); - exit(EXIT_FAILURE); - } - atexit(cleanup); - handle_options(argc, argv); - init(); - log_info("Starting to parse\n"); - parse(); - log_info("Parsing completed, generating output\n"); - validate(); - output(); - log_info("Success, generated output\n"); - exit(EXIT_SUCCESS); -} diff --git a/tools/checkfc.c b/tools/checkfc.c deleted file mode 100644 index e7d19b0..0000000 --- a/tools/checkfc.c +++ /dev/null @@ -1,379 +0,0 @@ -#include <getopt.h> -#include <stdbool.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <sepol/module.h> -#include <sepol/policydb/policydb.h> -#include <sepol/sepol.h> -#include <selinux/selinux.h> -#include <selinux/label.h> -#include <sys/stat.h> -#include <sys/types.h> - -static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL }; -static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL }; -static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL }; - -typedef enum filemode filemode; -enum filemode { - filemode_file_contexts = 0, - filemode_property_contexts, - filemode_service_contexts -}; - -static struct { - /* policy */ - struct { - union { - /* Union these so we don't have to cast */ - sepol_policydb_t *sdb; - policydb_t *pdb; - }; - sepol_policy_file_t *pf; - sepol_handle_t *handle; - FILE *file; -#define SEHANDLE_CNT 2 - struct selabel_handle *sehnd[SEHANDLE_CNT]; - } sepolicy; - - /* assertions */ - struct { - const char * const *attrs; /* for the original set to print on error */ - ebitmap_t set; /* the ebitmap representation of the attrs */ - } assert; - -} global_state; - -static const char * const *filemode_to_assert_attrs(filemode mode) -{ - switch (mode) { - case filemode_file_contexts: - return CHECK_FC_ASSERT_ATTRS; - case filemode_property_contexts: - return CHECK_PC_ASSERT_ATTRS; - case filemode_service_contexts: - return CHECK_SC_ASSERT_ATTRS; - } - /* die on invalid parameters */ - fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode); - exit(1); -} - -static int get_attr_bit(policydb_t *policydb, const char *attr_name) -{ - struct type_datum *attr = hashtab_search(policydb->p_types.table, (char *)attr_name); - if (!attr) { - fprintf(stderr, "Error: \"%s\" is not defined in this policy.\n", attr_name); - return -1; - } - - if (attr->flavor != TYPE_ATTRIB) { - fprintf(stderr, "Error: \"%s\" is not an attribute in this policy.\n", attr_name); - return -1; - } - - return attr->s.value - 1; -} - -static bool ebitmap_attribute_assertion_init(ebitmap_t *assertions, const char * const attributes[]) -{ - - while (*attributes) { - - int bit_pos = get_attr_bit(global_state.sepolicy.pdb, *attributes); - if (bit_pos < 0) { - /* get_attr_bit() logs error */ - return false; - } - - int err = ebitmap_set_bit(assertions, bit_pos, 1); - if (err) { - fprintf(stderr, "Error: setting bit on assertion ebitmap!\n"); - return false; - } - attributes++; - } - return true; -} - -static bool is_type_of_attribute_set(policydb_t *policydb, const char *type_name, - ebitmap_t *attr_set) -{ - struct type_datum *type = hashtab_search(policydb->p_types.table, (char *)type_name); - if (!type) { - fprintf(stderr, "Error: \"%s\" is not defined in this policy.\n", type_name); - return false; - } - - if (type->flavor != TYPE_TYPE) { - fprintf(stderr, "Error: \"%s\" is not a type in this policy.\n", type_name); - return false; - } - - ebitmap_t dst; - ebitmap_init(&dst); - - /* Take the intersection, if the set is empty, then its a failure */ - int rc = ebitmap_and(&dst, attr_set, &policydb->type_attr_map[type->s.value - 1]); - if (rc) { - fprintf(stderr, "Error: Could not perform ebitmap_and: %d\n", rc); - exit(1); - } - - bool res = (bool)ebitmap_length(&dst); - - ebitmap_destroy(&dst); - return res; -} - -static void dump_char_array(FILE *stream, const char * const *strings) -{ - - const char * const *p = strings; - - fprintf(stream, "\""); - - while (*p) { - const char *s = *p++; - const char *fmt = *p ? "%s, " : "%s\""; - fprintf(stream, fmt, s); - } -} - -static int validate(char **contextp) -{ - bool res; - char *context = *contextp; - - sepol_context_t *ctx; - int rc = sepol_context_from_string(global_state.sepolicy.handle, context, - &ctx); - if (rc < 0) { - fprintf(stderr, "Error: Could not allocate context from string"); - exit(1); - } - - rc = sepol_context_check(global_state.sepolicy.handle, - global_state.sepolicy.sdb, ctx); - if (rc < 0) { - goto out; - } - - const char *type_name = sepol_context_get_type(ctx); - - uint32_t len = ebitmap_length(&global_state.assert.set); - if (len > 0) { - res = !is_type_of_attribute_set(global_state.sepolicy.pdb, type_name, - &global_state.assert.set); - if (res) { - fprintf(stderr, "Error: type \"%s\" is not of set: ", type_name); - dump_char_array(stderr, global_state.assert.attrs); - fprintf(stderr, "\n"); - /* The calls above did not affect rc, so set error before going to out */ - rc = -1; - goto out; - } - } - /* Success: Although it should be 0, we explicitly set rc to 0 for clarity */ - rc = 0; - - out: - sepol_context_free(ctx); - return rc; -} - -static void usage(char *name) { - fprintf(stderr, "usage1: %s [-p|-s] [-e] sepolicy context_file\n\n" - "Parses a context file and checks for syntax errors.\n" - "The context_file is assumed to be a file_contexts file\n" - "unless the -p or -s option is used to indicate the property or service backend respectively.\n" - "If -e is specified, then the context_file is allowed to be empty.\n\n" - - "usage2: %s -c file_contexts1 file_contexts2\n\n" - "Compares two file contexts files and reports one of subset, equal, superset, or incomparable.\n\n", - name, name); - exit(1); -} - -static void cleanup(void) { - - if (global_state.sepolicy.file) { - fclose(global_state.sepolicy.file); - } - - if (global_state.sepolicy.sdb) { - sepol_policydb_free(global_state.sepolicy.sdb); - } - - if (global_state.sepolicy.pf) { - sepol_policy_file_free(global_state.sepolicy.pf); - } - - if (global_state.sepolicy.handle) { - sepol_handle_destroy(global_state.sepolicy.handle); - } - - ebitmap_destroy(&global_state.assert.set); - - int i; - for (i = 0; i < SEHANDLE_CNT; i++) { - struct selabel_handle *sehnd = global_state.sepolicy.sehnd[i]; - if (sehnd) { - selabel_close(sehnd); - } - } -} - -static void do_compare_and_die_on_error(struct selinux_opt opts[], unsigned int backend, char *paths[]) -{ - enum selabel_cmp_result result; - char *result_str[] = { "subset", "equal", "superset", "incomparable" }; - int i; - - opts[0].value = NULL; /* not validating against a policy when comparing */ - - for (i = 0; i < SEHANDLE_CNT; i++) { - opts[1].value = paths[i]; - global_state.sepolicy.sehnd[i] = selabel_open(backend, opts, 2); - if (!global_state.sepolicy.sehnd[i]) { - fprintf(stderr, "Error: could not load context file from %s\n", paths[i]); - exit(1); - } - } - - result = selabel_cmp(global_state.sepolicy.sehnd[0], global_state.sepolicy.sehnd[1]); - printf("%s\n", result_str[result]); -} - -static void do_fc_check_and_die_on_error(struct selinux_opt opts[], unsigned int backend, filemode mode, - const char *sepolicy_file, const char *context_file, bool allow_empty) -{ - struct stat sb; - if (stat(context_file, &sb) < 0) { - perror("Error: could not get stat on file contexts file"); - exit(1); - } - - if (sb.st_size == 0) { - /* Nothing to check on empty file_contexts file if allowed*/ - if (allow_empty) { - return; - } - /* else: We could throw the error here, but libselinux backend will catch it */ - } - - global_state.sepolicy.file = fopen(sepolicy_file, "r"); - if (!global_state.sepolicy.file) { - perror("Error: could not open policy file"); - exit(1); - } - - global_state.sepolicy.handle = sepol_handle_create(); - if (!global_state.sepolicy.handle) { - fprintf(stderr, "Error: could not create policy handle: %s\n", strerror(errno)); - exit(1); - } - - if (sepol_policy_file_create(&global_state.sepolicy.pf) < 0) { - perror("Error: could not create policy handle"); - exit(1); - } - - sepol_policy_file_set_fp(global_state.sepolicy.pf, global_state.sepolicy.file); - sepol_policy_file_set_handle(global_state.sepolicy.pf, global_state.sepolicy.handle); - - int rc = sepol_policydb_create(&global_state.sepolicy.sdb); - if (rc < 0) { - perror("Error: could not create policy db"); - exit(1); - } - - rc = sepol_policydb_read(global_state.sepolicy.sdb, global_state.sepolicy.pf); - if (rc < 0) { - perror("Error: could not read file into policy db"); - exit(1); - } - - global_state.assert.attrs = filemode_to_assert_attrs(mode); - - bool ret = ebitmap_attribute_assertion_init(&global_state.assert.set, global_state.assert.attrs); - if (!ret) { - /* error messages logged by ebitmap_attribute_assertion_init() */ - exit(1); - } - - selinux_set_callback(SELINUX_CB_VALIDATE, - (union selinux_callback)&validate); - - opts[1].value = context_file; - - global_state.sepolicy.sehnd[0] = selabel_open(backend, opts, 2); - if (!global_state.sepolicy.sehnd[0]) { - fprintf(stderr, "Error: could not load context file from %s\n", context_file); - exit(1); - } -} - -int main(int argc, char **argv) -{ - struct selinux_opt opts[] = { - { SELABEL_OPT_VALIDATE, (void*)1 }, - { SELABEL_OPT_PATH, NULL } - }; - - // Default backend unless changed by input argument. - unsigned int backend = SELABEL_CTX_FILE; - - bool allow_empty = false; - bool compare = false; - char c; - - filemode mode = filemode_file_contexts; - - while ((c = getopt(argc, argv, "cpse")) != -1) { - switch (c) { - case 'c': - compare = true; - break; - case 'e': - allow_empty = true; - break; - case 'p': - mode = filemode_property_contexts; - backend = SELABEL_CTX_ANDROID_PROP; - break; - case 's': - mode = filemode_service_contexts; - backend = SELABEL_CTX_ANDROID_PROP; - break; - case 'h': - default: - usage(argv[0]); - break; - } - } - - int index = optind; - if (argc - optind != 2) { - usage(argv[0]); - } - - if (compare && backend != SELABEL_CTX_FILE) { - usage(argv[0]); - } - - atexit(cleanup); - - if (compare) { - do_compare_and_die_on_error(opts, backend, &(argv[index])); - } else { - /* remaining args are sepolicy file and context file */ - char *sepolicy_file = argv[index]; - char *context_file = argv[index + 1]; - - do_fc_check_and_die_on_error(opts, backend, mode, sepolicy_file, context_file, allow_empty); - } - exit(0); -} diff --git a/tools/fc_sort/Android.mk b/tools/fc_sort/Android.mk deleted file mode 100644 index f78d550..0000000 --- a/tools/fc_sort/Android.mk +++ /dev/null @@ -1,12 +0,0 @@ -LOCAL_PATH:= $(call my-dir) - -include $(CLEAR_VARS) - -LOCAL_MODULE := fc_sort -LOCAL_MODULE_TAGS := optional -LOCAL_SRC_FILES := fc_sort.c -LOCAL_CXX_STL := none - -include $(BUILD_HOST_EXECUTABLE) - -################################### diff --git a/tools/fc_sort/MODULE_LICENSE_GPL b/tools/fc_sort/MODULE_LICENSE_GPL deleted file mode 100644 index e69de29..0000000 --- a/tools/fc_sort/MODULE_LICENSE_GPL +++ /dev/null diff --git a/tools/fc_sort/NOTICE b/tools/fc_sort/NOTICE deleted file mode 100644 index 5b6e7c6..0000000 --- a/tools/fc_sort/NOTICE +++ /dev/null @@ -1,340 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. - - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. - - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. - -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. - - <one line to give the program's name and a brief idea of what it does.> - Copyright (C) <year> <name of author> - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - - -Also add information on how to contact you by electronic and paper mail. - -If the program is interactive, make it output a short notice like this -when it starts in an interactive mode: - - Gnomovision version 69, Copyright (C) year name of author - Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, the commands you use may -be called something other than `show w' and `show c'; they could even be -mouse-clicks or menu items--whatever suits your program. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the program, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the program - `Gnomovision' (which makes passes at compilers) written by James Hacker. - - <signature of Ty Coon>, 1 April 1989 - Ty Coon, President of Vice - -This General Public License does not permit incorporating your program into -proprietary programs. If your program is a subroutine library, you may -consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General -Public License instead of this License. diff --git a/tools/fc_sort/README b/tools/fc_sort/README deleted file mode 100644 index 0210dc7..0000000 --- a/tools/fc_sort/README +++ /dev/null @@ -1,9 +0,0 @@ -fc_sort is a tool used for sorting the file_contexts entries based on a heuristic that is - covered by a Fedora document. That document can be found here: - * https://fedoraproject.org/wiki/SELinux/ManagingFileContext - -The tool itself originates from: - * https://github.com/TresysTechnology/refpolicy - -It can be updated to the current tip of master branch with the below command: -$ wget https://raw.githubusercontent.com/TresysTechnology/refpolicy/master/support/fc_sort.c diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c deleted file mode 100644 index f4d2cd0..0000000 --- a/tools/fc_sort/fc_sort.c +++ /dev/null @@ -1,567 +0,0 @@ -/* Copyright 2005,2013 Tresys Technology - * - * Some parts of this came from matchpathcon.c in libselinux - */ - -/* PURPOSE OF THIS PROGRAM - * The original setfiles sorting algorithm did not take into - * account regular expression specificity. With the current - * strict and targeted policies this is not an issue because - * the file contexts are partially hand sorted and concatenated - * in the right order so that the matches are generally correct. - * The way reference policy and loadable policy modules handle - * file contexts makes them come out in an unpredictable order - * and therefore setfiles (or this standalone tool) need to sort - * the regular expressions in a deterministic and stable way. - */ - -#define BUF_SIZE 4096; -#define _GNU_SOURCE - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> - -typedef unsigned char bool_t; - -/* file_context_node - * A node used in a linked list of file contexts.c - * Each node contains the regular expression, the type and - * the context, as well as information about the regular - * expression. The regular expression data (meta, stem_len - * and str_len) can be filled in by using the fc_fill_data - * function after the regular expression has been loaded. - * next points to the next node in the linked list. - */ -typedef struct file_context_node { - char *path; - char *file_type; - char *context; - bool_t meta; - int stem_len; - int str_len; - struct file_context_node *next; -} file_context_node_t; - -void file_context_node_destroy(file_context_node_t *x) -{ - free(x->path); - free(x->file_type); - free(x->context); -} - - - -/* file_context_bucket - * A node used in a linked list of buckets that contain - * file_context_node's. - * Each node contains a pointer to a file_context_node which - * is the header of its linked list. This linked list is the - * content of this bucket. - * next points to the next bucket in the linked list. - */ -typedef struct file_context_bucket { - file_context_node_t *data; - struct file_context_bucket *next; -} file_context_bucket_t; - - - -/* fc_compare - * Compares two file contexts' regular expressions and returns: - * -1 if a is less specific than b - * 0 if a and be are equally specific - * 1 if a is more specific than b - * The comparison is based on the following statements, - * in order from most important to least important, given a and b: - * If a is a regular expression and b is not, - * -> a is less specific than b. - * If a's stem length is shorter than b's stem length, - * -> a is less specific than b. - * If a's string length is shorter than b's string length, - * -> a is less specific than b. - * If a does not have a specified type and b does, - * -> a is less specific than b. - */ -int fc_compare(file_context_node_t *a, file_context_node_t *b) -{ - /* Check to see if either a or b have meta characters - * and the other doesn't. */ - if (a->meta && !b->meta) - return -1; - if (b->meta && !a->meta) - return 1; - - /* Check to see if either a or b have a shorter stem - * length than the other. */ - if (a->stem_len < b->stem_len) - return -1; - if (b->stem_len < a->stem_len) - return 1; - - /* Check to see if either a or b have a shorter string - * length than the other. */ - if (a->str_len < b->str_len) - return -1; - if (b->str_len < a->str_len) - return 1; - - /* Check to see if either a or b has a specified type - * and the other doesn't. */ - if (!a->file_type && b->file_type) - return -1; - if (!b->file_type && a->file_type) - return 1; - - /* If none of the above conditions were satisfied, - * then a and b are equally specific. */ - return 0; -} - - - -/* fc_merge - * Merges two sorted file context linked lists into one - * sorted one. - * Pass two lists a and b, and after the completion of fc_merge, - * the final list is contained in a, and b is empty. - */ -file_context_node_t *fc_merge(file_context_node_t *a, - file_context_node_t *b) -{ - file_context_node_t *a_current; - file_context_node_t *b_current; - file_context_node_t *temp; - file_context_node_t *jumpto; - - - - /* If a is a empty list, and b is not, - * set a as b and proceed to the end. */ - if (!a && b) - a = b; - /* If b is an empty list, leave a as it is. */ - else if (!b) { - } else { - /* Make it so the list a has the lesser - * first element always. */ - if (fc_compare(a, b) == 1) { - temp = a; - a = b; - b = temp; - } - a_current = a; - b_current = b; - - /* Merge by inserting b's nodes in between a's nodes. */ - while (a_current->next && b_current) { - jumpto = a_current->next; - - /* Insert b's nodes in between the current a node - * and the next a node.*/ - while (b_current && a_current->next && - fc_compare(a_current->next, - b_current) != -1) { - - - temp = a_current->next; - a_current->next = b_current; - b_current = b_current->next; - a_current->next->next = temp; - a_current = a_current->next; - } - - /* Skip all the inserted node from b to the - * next node in the original a. */ - a_current = jumpto; - } - - - /* if there is anything left in b to be inserted, - put it on the end */ - if (b_current) { - a_current->next = b_current; - } - } - - return a; -} - - - -/* fc_merge_sort - * Sorts file contexts from least specific to more specific. - * The bucket linked list is passed and after the completion - * of the fc_merge_sort function, there is only one bucket - * (pointed to by master) that contains a linked list - * of all the file contexts, in sorted order. - * Explanation of the algorithm: - * The algorithm implemented in fc_merge_sort is an iterative - * implementation of merge sort. - * At first, each bucket has a linked list of file contexts - * that are 1 element each. - * Each pass, each odd numbered bucket is merged into the bucket - * before it. This halves the number of buckets each pass. - * It will continue passing over the buckets (as described above) - * until there is only one bucket left, containing the list of - * file contexts, sorted. - */ -void fc_merge_sort(file_context_bucket_t *master) -{ - - - file_context_bucket_t *current; - file_context_bucket_t *temp; - - /* Loop until master is the only bucket left - * so that this will stop when master contains - * the sorted list. */ - while (master->next) { - current = master; - - /* This loop merges buckets two-by-two. */ - while (current) { - - if (current->next) { - - current->data = - fc_merge(current->data, - current->next->data); - - - - temp = current->next; - current->next = current->next->next; - - free(temp); - - } - - - current = current->next; - } - } - - -} - - - -/* fc_fill_data - * This processes a regular expression in a file context - * and sets the data held in file_context_node, namely - * meta, str_len and stem_len. - * The following changes are made to fc_node after the - * the completion of the function: - * fc_node->meta = 1 if path has a meta character, 0 if not. - * fc_node->str_len = The string length of the entire path - * fc_node->stem_len = The number of characters up until - * the first meta character. - */ -void fc_fill_data(file_context_node_t *fc_node) -{ - int c = 0; - - fc_node->meta = 0; - fc_node->stem_len = 0; - fc_node->str_len = 0; - - /* Process until the string termination character - * has been reached. - * Note: this while loop has been adapted from - * spec_hasMetaChars in matchpathcon.c from - * libselinux-1.22. */ - while (fc_node->path[c] != '\0') { - switch (fc_node->path[c]) { - case '.': - case '^': - case '$': - case '?': - case '*': - case '+': - case '|': - case '[': - case '(': - case '{': - /* If a meta character is found, - * set meta to one */ - fc_node->meta = 1; - break; - case '\\': - /* If a escape character is found, - * skip the next character. */ - c++; - default: - /* If no meta character has been found yet, - * add one to the stem length. */ - if (!fc_node->meta) - fc_node->stem_len++; - break; - } - - fc_node->str_len++; - c++; - } -} - -/* main - * This program takes in two arguments, the input filename and the - * output filename. The input file should be syntactically correct. - * Overall what is done in the main is read in the file and store each - * line of code, sort it, then output it to the output file. - */ -int main(int argc, char *argv[]) -{ - int lines; - size_t start, finish, regex_len, context_len; - size_t line_len, buf_len, i, j; - char *input_name, *output_name, *line_buf; - - file_context_node_t *temp; - file_context_node_t *head; - file_context_node_t *current; - file_context_bucket_t *master; - file_context_bucket_t *bcurrent; - - FILE *in_file, *out_file; - - - /* Check for the correct number of command line arguments. */ - if (argc < 2 || argc > 3) { - fprintf(stderr, "Usage: %s <infile> [<outfile>]\n",argv[0]); - return 1; - } - - input_name = argv[1]; - output_name = (argc >= 3) ? argv[2] : NULL; - - i = j = lines = 0; - - /* Open the input file. */ - if (!(in_file = fopen(input_name, "r"))) { - fprintf(stderr, "Error: failure opening input file for read.\n"); - return 1; - } - - /* Initialize the head of the linked list. */ - head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t)); - head->next = NULL; - - /* Parse the file into a file_context linked list. */ - line_buf = NULL; - - while ( getline(&line_buf, &buf_len, in_file) != -1 ){ - line_len = strlen(line_buf); - if( line_len == 0 || line_len == 1) - continue; - /* Get rid of whitespace from the front of the line. */ - for (i = 0; i < line_len; i++) { - if (!isspace(line_buf[i])) - break; - } - - - if (i >= line_len) - continue; - /* Check if the line isn't empty and isn't a comment */ - if (line_buf[i] == '#') - continue; - - /* We have a valid line - allocate a new node. */ - temp = (file_context_node_t *)malloc(sizeof(file_context_node_t)); - if (!temp) { - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - temp->next = NULL; - memset(temp, 0, sizeof(file_context_node_t)); - - /* Parse out the regular expression from the line. */ - start = i; - - - while (i < line_len && (!isspace(line_buf[i]))) - i++; - finish = i; - - - regex_len = finish - start; - - if (regex_len == 0) { - file_context_node_destroy(temp); - free(temp); - - - continue; - } - - temp->path = (char*)strndup(&line_buf[start], regex_len); - if (!temp->path) { - file_context_node_destroy(temp); - free(temp); - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - - /* Get rid of whitespace after the regular expression. */ - for (; i < line_len; i++) { - - if (!isspace(line_buf[i])) - break; - } - - if (i == line_len) { - file_context_node_destroy(temp); - free(temp); - continue; - } - - /* Parse out the type from the line (if it - * is there). */ - if (line_buf[i] == '-') { - temp->file_type = (char *)malloc(sizeof(char) * 3); - if (!(temp->file_type)) { - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - - if( i + 2 >= line_len ) { - file_context_node_destroy(temp); - free(temp); - - continue; - } - - /* Fill the type into the array. */ - temp->file_type[0] = line_buf[i]; - temp->file_type[1] = line_buf[i + 1]; - i += 2; - temp->file_type[2] = 0; - - /* Get rid of whitespace after the type. */ - for (; i < line_len; i++) { - if (!isspace(line_buf[i])) - break; - } - - if (i == line_len) { - - file_context_node_destroy(temp); - free(temp); - continue; - } - } - - /* Parse out the context from the line. */ - start = i; - while (i < line_len && (!isspace(line_buf[i]))) - i++; - finish = i; - - context_len = finish - start; - - temp->context = (char*)strndup(&line_buf[start], context_len); - if (!temp->context) { - file_context_node_destroy(temp); - free(temp); - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - - /* Set all the data about the regular - * expression. */ - fc_fill_data(temp); - - /* Link this line of code at the end of - * the linked list. */ - current->next = temp; - current = current->next; - lines++; - - - free(line_buf); - line_buf = NULL; - } - fclose(in_file); - - /* Create the bucket linked list from the earlier linked list. */ - current = head->next; - bcurrent = master = - (file_context_bucket_t *) - malloc(sizeof(file_context_bucket_t)); - bcurrent->next = NULL; - bcurrent->data = NULL; - - /* Go until all the nodes have been put in individual buckets. */ - while (current) { - /* Copy over the file context line into the bucket. */ - bcurrent->data = current; - current = current->next; - - /* Detach the node in the bucket from the old list. */ - bcurrent->data->next = NULL; - - /* If there should be another bucket, put one at the end. */ - if (current) { - bcurrent->next = - (file_context_bucket_t *) - malloc(sizeof(file_context_bucket_t)); - if (!(bcurrent->next)) { - printf - ("Error: failure allocating memory.\n"); - return -1; - } - - /* Make sure the new bucket thinks it's the end of the - * list. */ - bcurrent->next->next = NULL; - - bcurrent = bcurrent->next; - } - - } - - /* Sort the bucket list. */ - fc_merge_sort(master); - - /* Open the output file. */ - if (output_name) { - if (!(out_file = fopen(output_name, "w"))) { - printf("Error: failure opening output file for write.\n"); - return -1; - } - } else { - out_file = stdout; - } - - /* Output the sorted file_context linked list to the output file. */ - current = master->data; - while (current) { - /* Output the path. */ - fprintf(out_file, "%s\t\t", current->path); - - /* Output the type, if there is one. */ - if (current->file_type) { - fprintf(out_file, "%s\t", current->file_type); - } - - /* Output the context. */ - fprintf(out_file, "%s\n", current->context); - - /* Remove the node. */ - temp = current; - current = current->next; - - file_context_node_destroy(temp); - free(temp); - - } - free(master); - - if (output_name) { - fclose(out_file); - } - - return 0; -} diff --git a/tools/insertkeys.py b/tools/insertkeys.py deleted file mode 100755 index ca1e432..0000000 --- a/tools/insertkeys.py +++ /dev/null @@ -1,267 +0,0 @@ -#!/usr/bin/env python - -from xml.sax import saxutils, handler, make_parser -from optparse import OptionParser -import ConfigParser -import logging -import base64 -import sys -import os - -__VERSION = (0, 1) - -''' -This tool reads a mac_permissions.xml and replaces keywords in the signature -clause with keys provided by pem files. -''' - -class GenerateKeys(object): - def __init__(self, path): - ''' - Generates an object with Base16 and Base64 encoded versions of the keys - found in the supplied pem file argument. PEM files can contain multiple - certs, however this seems to be unused in Android as pkg manager grabs - the first cert in the APK. This will however support multiple certs in - the resulting generation with index[0] being the first cert in the pem - file. - ''' - - self._base64Key = list() - self._base16Key = list() - - if not os.path.isfile(path): - sys.exit("Path " + path + " does not exist or is not a file!") - - pkFile = open(path, 'rb').readlines() - base64Key = "" - lineNo = 1 - certNo = 1 - inCert = False - for line in pkFile: - line = line.strip() - # Are we starting the certificate? - if line == "-----BEGIN CERTIFICATE-----": - if inCert: - sys.exit("Encountered another BEGIN CERTIFICATE without END CERTIFICATE on " + - "line: " + str(lineNo)) - - inCert = True - - # Are we ending the ceritifcate? - elif line == "-----END CERTIFICATE-----": - if not inCert: - sys.exit("Encountered END CERTIFICATE before BEGIN CERTIFICATE on line: " - + str(lineNo)) - - # If we ended the certificate trip the flag - inCert = False - - # Sanity check the input - if len(base64Key) == 0: - sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: " - + path) - - # ... and append the certificate to the list - # Base 64 includes uppercase. DO NOT tolower() - self._base64Key.append(base64Key) - try: - # Pkgmanager and setool see hex strings with lowercase, lets be consistent - self._base16Key.append(base64.b16encode(base64.b64decode(base64Key)).lower()) - except TypeError: - sys.exit("Invalid certificate, certificate "+ str(certNo) + " found in file: " - + path) - - # After adding the key, reset the accumulator as pem files may have subsequent keys - base64Key="" - - # And increment your cert number - certNo = certNo + 1 - - # If we haven't started the certificate, then we should not encounter any data - elif not inCert: - if line is not "": - sys.exit("Detected erroneous line \""+ line + "\" on " + str(lineNo) - + " in pem file: " + path) - - # else we have started the certicate and need to append the data - elif inCert: - base64Key += line - - else: - # We should never hit this assert, if we do then an unaccounted for state - # was entered that was NOT addressed by the if/elif statements above - assert(False == True) - - # The last thing to do before looping up is to increment line number - lineNo = lineNo + 1 - - def __len__(self): - return len(self._base16Key) - - def __str__(self): - return str(self.getBase16Keys()) - - def getBase16Keys(self): - return self._base16Key - - def getBase64Keys(self): - return self._base64Key - -class ParseConfig(ConfigParser.ConfigParser): - - # This must be lowercase - OPTION_WILDCARD_TAG = "all" - - def generateKeyMap(self, target_build_variant, key_directory): - - keyMap = dict() - - for tag in self.sections(): - - options = self.options(tag) - - for option in options: - - # Only generate the key map for debug or release, - # not both! - if option != target_build_variant and \ - option != ParseConfig.OPTION_WILDCARD_TAG: - logging.info("Skipping " + tag + " : " + option + - " because target build variant is set to " + - str(target_build_variant)) - continue - - if tag in keyMap: - sys.exit("Duplicate tag detected " + tag) - - tag_path = os.path.expandvars(self.get(tag, option)) - path = os.path.join(key_directory, tag_path) - - keyMap[tag] = GenerateKeys(path) - - # Multiple certificates may exist in - # the pem file. GenerateKeys supports - # this however, the mac_permissions.xml - # as well as PMS do not. - assert len(keyMap[tag]) == 1 - - return keyMap - -class ReplaceTags(handler.ContentHandler): - - DEFAULT_TAG = "default" - PACKAGE_TAG = "package" - POLICY_TAG = "policy" - SIGNER_TAG = "signer" - SIGNATURE_TAG = "signature" - - TAGS_WITH_CHILDREN = [ DEFAULT_TAG, PACKAGE_TAG, POLICY_TAG, SIGNER_TAG ] - - XML_ENCODING_TAG = '<?xml version="1.0" encoding="iso-8859-1"?>' - - def __init__(self, keyMap, out=sys.stdout): - - handler.ContentHandler.__init__(self) - self._keyMap = keyMap - self._out = out - self._out.write(ReplaceTags.XML_ENCODING_TAG) - self._out.write("<!-- AUTOGENERATED FILE DO NOT MODIFY -->") - self._out.write("<policy>") - - def __del__(self): - self._out.write("</policy>") - - def startElement(self, tag, attrs): - if tag == ReplaceTags.POLICY_TAG: - return - - self._out.write('<' + tag) - - for (name, value) in attrs.items(): - - if name == ReplaceTags.SIGNATURE_TAG and value in self._keyMap: - for key in self._keyMap[value].getBase16Keys(): - logging.info("Replacing " + name + " " + value + " with " + key) - self._out.write(' %s="%s"' % (name, saxutils.escape(key))) - else: - self._out.write(' %s="%s"' % (name, saxutils.escape(value))) - - if tag in ReplaceTags.TAGS_WITH_CHILDREN: - self._out.write('>') - else: - self._out.write('/>') - - def endElement(self, tag): - if tag == ReplaceTags.POLICY_TAG: - return - - if tag in ReplaceTags.TAGS_WITH_CHILDREN: - self._out.write('</%s>' % tag) - - def characters(self, content): - if not content.isspace(): - self._out.write(saxutils.escape(content)) - - def ignorableWhitespace(self, content): - pass - - def processingInstruction(self, target, data): - self._out.write('<?%s %s?>' % (target, data)) - -if __name__ == "__main__": - - # Intentional double space to line up equls signs and opening " for - # readability. - usage = "usage: %prog [options] CONFIG_FILE MAC_PERMISSIONS_FILE [MAC_PERMISSIONS_FILE...]\n" - usage += "This tool allows one to configure an automatic inclusion\n" - usage += "of signing keys into the mac_permision.xml file(s) from the\n" - usage += "pem files. If mulitple mac_permision.xml files are included\n" - usage += "then they are unioned to produce a final version." - - version = "%prog " + str(__VERSION) - - parser = OptionParser(usage=usage, version=version) - - parser.add_option("-v", "--verbose", - action="store_true", dest="verbose", default=False, - help="Print internal operations to stdout") - - parser.add_option("-o", "--output", default="stdout", dest="output_file", - metavar="FILE", help="Specify an output file, default is stdout") - - parser.add_option("-c", "--cwd", default=os.getcwd(), dest="root", - metavar="DIR", help="Specify a root (CWD) directory to run this from, it" \ - "chdirs' AFTER loading the config file") - - parser.add_option("-t", "--target-build-variant", default="eng", dest="target_build_variant", - help="Specify the TARGET_BUILD_VARIANT, defaults to eng") - - parser.add_option("-d", "--key-directory", default="", dest="key_directory", - help="Specify a parent directory for keys") - - (options, args) = parser.parse_args() - - if len(args) < 2: - parser.error("Must specify a config file (keys.conf) AND mac_permissions.xml file(s)!") - - logging.basicConfig(level=logging.INFO if options.verbose == True else logging.WARN) - - # Read the config file - config = ParseConfig() - config.read(args[0]) - - os.chdir(options.root) - - output_file = sys.stdout if options.output_file == "stdout" else open(options.output_file, "w") - logging.info("Setting output file to: " + options.output_file) - - # Generate the key list - key_map = config.generateKeyMap(options.target_build_variant.lower(), options.key_directory) - logging.info("Generate key map:") - for k in key_map: - logging.info(k + " : " + str(key_map[k])) - # Generate the XML file with markup replaced with keys - parser = make_parser() - parser.setContentHandler(ReplaceTags(key_map, output_file)) - for f in args[1:]: - parser.parse(f) diff --git a/tools/post_process_mac_perms b/tools/post_process_mac_perms deleted file mode 100755 index 25893ed..0000000 --- a/tools/post_process_mac_perms +++ /dev/null @@ -1,106 +0,0 @@ -#!/usr/bin/env python -# -# Copyright (C) 2013 The Android Open Source Project -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -""" -Tool to help modify an existing mac_permissions.xml with additional app -certs not already found in that policy. This becomes useful when a directory -containing apps is searched and the certs from those apps are added to the -policy not already explicitly listed. -""" - -import sys -import os -import argparse -from base64 import b16encode, b64decode -import fileinput -import re -import subprocess -import zipfile - -PEM_CERT_RE = """-----BEGIN CERTIFICATE----- -(.+?) ------END CERTIFICATE----- -""" -def collect_certs_for_app(filename): - app_certs = set() - with zipfile.ZipFile(filename, 'r') as apkzip: - for info in apkzip.infolist(): - name = info.filename - if name.startswith('META-INF/') and name.endswith(('.DSA', '.RSA')): - cmd = ['openssl', 'pkcs7', '-inform', 'DER', - '-outform', 'PEM', '-print_certs'] - p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - pem_string, err = p.communicate(apkzip.read(name)) - if err and err.strip(): - raise RuntimeError('Problem running openssl on %s (%s)' % (filename, e)) - - # turn multiline base64 to single line base16 - transform = lambda x: b16encode(b64decode(x.replace('\n', ''))).lower() - results = re.findall(PEM_CERT_RE, pem_string, re.DOTALL) - certs = [transform(i) for i in results] - - app_certs.update(certs) - - return app_certs - -def add_leftover_certs(args): - all_app_certs = set() - for dirpath, _, files in os.walk(args.dir): - transform = lambda x: os.path.join(dirpath, x) - condition = lambda x: x.endswith('.apk') - apps = [transform(i) for i in files if condition(i)] - - # Collect certs for each app found - for app in apps: - app_certs = collect_certs_for_app(app) - all_app_certs.update(app_certs) - - if all_app_certs: - policy_certs = set() - with open(args.policy, 'r') as f: - cert_pattern = 'signature="([a-fA-F0-9]+)"' - policy_certs = re.findall(cert_pattern, f.read()) - - cert_diff = all_app_certs.difference(policy_certs) - - # Build xml stanzas - inner_tag = '<seinfo value="%s"/>' % args.seinfo - stanza = '<signer signature="%s">%s</signer>' - new_stanzas = [stanza % (cert, inner_tag) for cert in cert_diff] - mac_perms_string = ''.join(new_stanzas) - mac_perms_string += '</policy>' - - # Inline replace with new policy stanzas - for line in fileinput.input(args.policy, inplace=True): - sys.stdout.write(line.replace('</policy>', mac_perms_string)) - -def main(argv): - parser = argparse.ArgumentParser(description=__doc__) - - parser.add_argument('-s', '--seinfo', dest='seinfo', required=True, - help='seinfo tag for each generated stanza') - parser.add_argument('-d', '--dir', dest='dir', required=True, - help='Directory to search for apks') - parser.add_argument('-f', '--file', dest='policy', required=True, - help='mac_permissions.xml policy file') - - parser.set_defaults(func=add_leftover_certs) - args = parser.parse_args() - args.func(args) - -if __name__ == '__main__': - main(sys.argv) diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk deleted file mode 100644 index 7568351..0000000 --- a/tools/sepolicy-analyze/Android.mk +++ /dev/null @@ -1,14 +0,0 @@ -LOCAL_PATH:= $(call my-dir) - -################################### -include $(CLEAR_VARS) - -LOCAL_MODULE := sepolicy-analyze -LOCAL_MODULE_TAGS := optional -LOCAL_C_INCLUDES := external/selinux/libsepol/include -LOCAL_CFLAGS := -Wall -Werror -LOCAL_SRC_FILES := sepolicy-analyze.c dups.c neverallow.c perm.c typecmp.c booleans.c attribute.c utils.c -LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_CXX_STL := none - -include $(BUILD_HOST_EXECUTABLE) diff --git a/tools/sepolicy-analyze/README b/tools/sepolicy-analyze/README deleted file mode 100644 index d18609a..0000000 --- a/tools/sepolicy-analyze/README +++ /dev/null @@ -1,94 +0,0 @@ -sepolicy-analyze - A component-ized tool for performing various kinds of analysis on a - sepolicy file. The current kinds of analysis that are currently - supported include: - - TYPE EQUIVALENCE (typecmp) - sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -e - - Display all type pairs that are "equivalent", i.e. they are - identical with respect to allow rules, including indirect allow - rules via attributes and default-enabled conditional rules - (i.e. default boolean values yield a true conditional expression). - - Equivalent types are candidates for being coalesced into a single - type. However, there may be legitimate reasons for them to remain - separate, for example: - the types may differ in a respect not - included in the current analysis, such as default-disabled - conditional rules, audit-related rules (auditallow or dontaudit), - default type transitions, or constraints (e.g. mls), or - the - current policy may be overly permissive with respect to one or the - other of the types and thus the correct action may be to tighten - access to one or the other rather than coalescing them together, - or - the domains that would in fact have different accesses to the - types may not yet be defined or may be unconfined in the policy - you are analyzing. - - TYPE DIFFERENCE (typecmp) - sepolicy-analyze out/target/product/<board>/root/sepolicy typecmp -d - - Display type pairs that differ and the first difference found - between the two types. This may be used in looking for similar - types that are not equivalent but may be candidates for coalescing. - - DUPLICATE ALLOW RULES (dups) - sepolicy-analyze out/target/product/<board>/root/sepolicy dups - - Displays duplicate allow rules, i.e. pairs of allow rules that - grant the same permissions where one allow rule is written - directly in terms of individual types and the other is written in - terms of attributes associated with those same types. The rule - with individual types is a candidate for removal. The rule with - individual types may be directly represented in the source policy - or may be a result of expansion of a type negation (e.g. domain - -foo -bar is expanded to individual allow rules by the policy - compiler). Domains with unconfineddomain will typically have such - duplicate rules as a natural side effect and can be ignored. - - PERMISSIVE DOMAINS (permissive) - sepolicy-analyze out/target/product/<board>/root/sepolicy permissive - - Displays domains in the policy that are permissive, i.e. avc - denials are logged but not enforced for these domains. While - permissive domains can be helpful during development, they - should not be present in a final -user build. - - BOOLEANS (booleans) - sepolicy-analyze out/target/product/<board>/root/sepolicy booleans - - Displays the boolean names in the policy (if any). - Policy booleans are forbidden in Android policy, so if there is any - output, the policy will fail CTS. - - ATTRIBUTE (attribute) - sepolicy-analyze out/target/product/<board>/root/sepolicy attribute <name> - - Displays the types associated with the specified attribute name. - - NEVERALLOW CHECKING (neverallow) - sepolicy-analyze out/target/product/<board>/root/sepolicy neverallow \ - [-w] [-d] [-f neverallows.conf] | [-n "neverallow string"] - - Check whether the sepolicy file violates any of the neverallow rules - from the neverallows.conf file or a given string, which contain neverallow - statements in the same format as the SELinux policy.conf file, i.e. after - m4 macro expansion of the rules from a .te file. You can use an entire - policy.conf file as the neverallows.conf file and sepolicy-analyze will - ignore everything except for the neverallows within it. You can also - specify this as a command-line string argument, which could be useful for - quickly checking an individual expanded rule or group of rules. If there are - no violations, sepolicy-analyze will exit successfully with no output. - Otherwise, sepolicy-analyze will report all violations and exit - with a non-zero exit status. - - The -w or --warn option may be used to warn on any types, attributes, - classes, or permissions from a neverallow rule that could not be resolved - within the sepolicy file. This can be normal due to differences between - the policy from which the neverallow rules were taken and the policy - being checked. Such values are ignored for the purposes of neverallow - checking. - - The -d or --debug option may be used to cause sepolicy-analyze to emit the - neverallow rules as it parses them. This is principally a debugging facility - for the parser but could also be used to extract neverallow rules from - a full policy.conf file and output them in a more easily parsed format. diff --git a/tools/sepolicy-analyze/attribute.c b/tools/sepolicy-analyze/attribute.c deleted file mode 100644 index 474bda2..0000000 --- a/tools/sepolicy-analyze/attribute.c +++ /dev/null @@ -1,39 +0,0 @@ -#include "attribute.h" - -void attribute_usage() { - fprintf(stderr, "\tattribute <attribute-name>\n"); -} - -static int list_attribute(policydb_t * policydb, char *name) -{ - struct type_datum *attr; - struct ebitmap_node *n; - unsigned int bit; - - attr = hashtab_search(policydb->p_types.table, name); - if (!attr) { - fprintf(stderr, "%s is not defined in this policy.\n", name); - return -1; - } - - if (attr->flavor != TYPE_ATTRIB) { - fprintf(stderr, "%s is a type not an attribute in this policy.\n", name); - return -1; - } - - ebitmap_for_each_bit(&policydb->attr_type_map[attr->s.value - 1], n, bit) { - if (!ebitmap_node_get_bit(n, bit)) - continue; - printf("%s\n", policydb->p_type_val_to_name[bit]); - } - - return 0; -} - -int attribute_func (int argc, char **argv, policydb_t *policydb) { - if (argc != 2) { - USAGE_ERROR = true; - return -1; - } - return list_attribute(policydb, argv[1]); -} diff --git a/tools/sepolicy-analyze/attribute.h b/tools/sepolicy-analyze/attribute.h deleted file mode 100644 index 05adcbd..0000000 --- a/tools/sepolicy-analyze/attribute.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef ATTRIBUTE_H -#define ATTRIBUTE_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void attribute_usage(void); -int attribute_func(int argc, char **argv, policydb_t *policydb); - -#endif /* ATTRIBUTE_H */ diff --git a/tools/sepolicy-analyze/booleans.c b/tools/sepolicy-analyze/booleans.c deleted file mode 100644 index c3b605d..0000000 --- a/tools/sepolicy-analyze/booleans.c +++ /dev/null @@ -1,22 +0,0 @@ -#include "booleans.h" - -void booleans_usage() { - fprintf(stderr, "\tbooleans\n"); -} - -static int list_booleans(hashtab_key_t k, - __attribute__ ((unused)) hashtab_datum_t d, - __attribute__ ((unused)) void *args) -{ - const char *name = k; - printf("%s\n", name); - return 0; -} - -int booleans_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) { - if (argc != 1) { - USAGE_ERROR = true; - return -1; - } - return hashtab_map(policydb->p_bools.table, list_booleans, NULL); -} diff --git a/tools/sepolicy-analyze/booleans.h b/tools/sepolicy-analyze/booleans.h deleted file mode 100644 index bfbe0e1..0000000 --- a/tools/sepolicy-analyze/booleans.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef BOOLEANS_H -#define BOOLEANS_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void booleans_usage(void); -int booleans_func(int argc, char **argv, policydb_t *policydb); - -#endif /* BOOLEANS_H */ diff --git a/tools/sepolicy-analyze/dups.c b/tools/sepolicy-analyze/dups.c deleted file mode 100644 index 88c2be2..0000000 --- a/tools/sepolicy-analyze/dups.c +++ /dev/null @@ -1,91 +0,0 @@ -#include <stdbool.h> -#include <stdio.h> -#include <sys/stat.h> -#include <sys/types.h> - -#include "dups.h" - -void dups_usage() { - fprintf(stderr, "\tdups\n"); -} - -static int find_dups_helper(avtab_key_t * k, avtab_datum_t * d, - void *args) -{ - policydb_t *policydb = args; - ebitmap_t *sattr, *tattr; - ebitmap_node_t *snode, *tnode; - unsigned int i, j; - avtab_key_t avkey; - avtab_ptr_t node; - struct type_datum *stype, *ttype, *stype2, *ttype2; - bool attrib1, attrib2; - - if (!(k->specified & AVTAB_ALLOWED)) - return 0; - - if (k->source_type == k->target_type) - return 0; /* self rule */ - - avkey.target_class = k->target_class; - avkey.specified = k->specified; - - sattr = &policydb->type_attr_map[k->source_type - 1]; - tattr = &policydb->type_attr_map[k->target_type - 1]; - stype = policydb->type_val_to_struct[k->source_type - 1]; - ttype = policydb->type_val_to_struct[k->target_type - 1]; - attrib1 = stype->flavor || ttype->flavor; - ebitmap_for_each_bit(sattr, snode, i) { - if (!ebitmap_node_get_bit(snode, i)) - continue; - ebitmap_for_each_bit(tattr, tnode, j) { - if (!ebitmap_node_get_bit(tnode, j)) - continue; - avkey.source_type = i + 1; - avkey.target_type = j + 1; - if (avkey.source_type == k->source_type && - avkey.target_type == k->target_type) - continue; - if (avkey.source_type == avkey.target_type) - continue; /* self rule */ - stype2 = policydb->type_val_to_struct[avkey.source_type - 1]; - ttype2 = policydb->type_val_to_struct[avkey.target_type - 1]; - attrib2 = stype2->flavor || ttype2->flavor; - if (attrib1 && attrib2) - continue; /* overlapping attribute-based rules */ - for (node = avtab_search_node(&policydb->te_avtab, &avkey); - node != NULL; - node = avtab_search_node_next(node, avkey.specified)) { - uint32_t perms = node->datum.data & d->data; - if ((attrib1 && perms == node->datum.data) || - (attrib2 && perms == d->data)) { - /* - * The attribute-based rule is a superset of the - * non-attribute-based rule. This is a dup. - */ - printf("Duplicate allow rule found:\n"); - display_allow(policydb, k, i, d->data); - display_allow(policydb, &node->key, i, node->datum.data); - printf("\n"); - } - } - } - } - - return 0; -} - -static int find_dups(policydb_t * policydb) -{ - if (avtab_map(&policydb->te_avtab, find_dups_helper, policydb)) - return -1; - return 0; -} - -int dups_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) { - if (argc != 1) { - USAGE_ERROR = true; - return -1; - } - return find_dups(policydb); -} diff --git a/tools/sepolicy-analyze/dups.h b/tools/sepolicy-analyze/dups.h deleted file mode 100644 index 0e77224..0000000 --- a/tools/sepolicy-analyze/dups.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef DUPS_H -#define DUPS_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void dups_usage(void); -int dups_func(int argc, char **argv, policydb_t *policydb); - -#endif /* DUPS_H */ diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c deleted file mode 100644 index b288ea7..0000000 --- a/tools/sepolicy-analyze/neverallow.c +++ /dev/null @@ -1,515 +0,0 @@ -#include <ctype.h> -#include <fcntl.h> -#include <getopt.h> -#include <stdbool.h> -#include <stdio.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <sys/types.h> -#include <unistd.h> - -#include "neverallow.h" - -static int debug; -static int warn; - -void neverallow_usage() { - fprintf(stderr, "\tneverallow [-w|--warn] [-d|--debug] [-n|--neverallows <neverallow-rules>] | [-f|--file <neverallow-file>]\n"); -} - -static int read_typeset(policydb_t *policydb, char **ptr, char *end, - type_set_t *typeset, uint32_t *flags) -{ - const char *keyword = "self"; - size_t keyword_size = strlen(keyword), len; - char *p = *ptr; - unsigned openparens = 0; - char *start, *id; - type_datum_t *type; - struct ebitmap_node *n; - unsigned int bit; - bool negate = false; - int rc; - - do { - while (p < end && isspace(*p)) - p++; - - if (p == end) - goto err; - - if (*p == '~') { - if (debug) - printf(" ~"); - typeset->flags = TYPE_COMP; - p++; - while (p < end && isspace(*p)) - p++; - if (p == end) - goto err; - } - - if (*p == '{') { - if (debug && !openparens) - printf(" {"); - openparens++; - p++; - continue; - } - - if (*p == '}') { - if (debug && openparens == 1) - printf(" }"); - if (openparens == 0) - goto err; - openparens--; - p++; - continue; - } - - if (*p == '*') { - if (debug) - printf(" *"); - typeset->flags = TYPE_STAR; - p++; - continue; - } - - if (*p == '-') { - if (debug) - printf(" -"); - negate = true; - p++; - continue; - } - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p) && *p != ':' && *p != ';' && *p != '{' && *p != '}' && *p != '#') - p++; - - if (p == start) - goto err; - - len = p - start; - if (len == keyword_size && !strncmp(start, keyword, keyword_size)) { - if (debug) - printf(" self"); - *flags |= RULE_SELF; - continue; - } - - id = calloc(1, len + 1); - if (!id) - goto err; - memcpy(id, start, len); - if (debug) - printf(" %s", id); - type = hashtab_search(policydb->p_types.table, id); - if (!type) { - if (warn) - fprintf(stderr, "Warning! Type or attribute %s used in neverallow undefined in policy being checked.\n", id); - negate = false; - continue; - } - free(id); - - if (type->flavor == TYPE_ATTRIB) { - if (negate) - rc = ebitmap_union(&typeset->negset, &policydb->attr_type_map[type->s.value - 1]); - else - rc = ebitmap_union(&typeset->types, &policydb->attr_type_map[type->s.value - 1]); - } else if (negate) { - rc = ebitmap_set_bit(&typeset->negset, type->s.value - 1, 1); - } else { - rc = ebitmap_set_bit(&typeset->types, type->s.value - 1, 1); - } - - negate = false; - - if (rc) - goto err; - - } while (p < end && openparens); - - if (p == end) - goto err; - - if (typeset->flags & TYPE_STAR) { - for (bit = 0; bit < policydb->p_types.nprim; bit++) { - if (ebitmap_get_bit(&typeset->negset, bit)) - continue; - if (policydb->type_val_to_struct[bit] && - policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB) - continue; - if (ebitmap_set_bit(&typeset->types, bit, 1)) - goto err; - } - } - - ebitmap_for_each_bit(&typeset->negset, n, bit) { - if (!ebitmap_node_get_bit(n, bit)) - continue; - if (ebitmap_set_bit(&typeset->types, bit, 0)) - goto err; - } - - if (typeset->flags & TYPE_COMP) { - for (bit = 0; bit < policydb->p_types.nprim; bit++) { - if (policydb->type_val_to_struct[bit] && - policydb->type_val_to_struct[bit]->flavor == TYPE_ATTRIB) - continue; - if (ebitmap_get_bit(&typeset->types, bit)) - ebitmap_set_bit(&typeset->types, bit, 0); - else { - if (ebitmap_set_bit(&typeset->types, bit, 1)) - goto err; - } - } - } - - if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags)) - fprintf(stderr, "Warning! Empty type set\n"); - - *ptr = p; - return 0; -err: - return -1; -} - -static int read_classperms(policydb_t *policydb, char **ptr, char *end, - class_perm_node_t **perms) -{ - char *p = *ptr; - unsigned openparens = 0; - char *id, *start; - class_datum_t *cls = NULL; - perm_datum_t *perm = NULL; - class_perm_node_t *classperms = NULL, *node = NULL; - bool complement = false; - - while (p < end && isspace(*p)) - p++; - - if (p == end || *p != ':') - goto err; - p++; - - if (debug) - printf(" :"); - - do { - while (p < end && isspace(*p)) - p++; - - if (p == end) - goto err; - - if (*p == '{') { - if (debug && !openparens) - printf(" {"); - openparens++; - p++; - continue; - } - - if (*p == '}') { - if (debug && openparens == 1) - printf(" }"); - if (openparens == 0) - goto err; - openparens--; - p++; - continue; - } - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#') - p++; - - if (p == start) - goto err; - - id = calloc(1, p - start + 1); - if (!id) - goto err; - memcpy(id, start, p - start); - if (debug) - printf(" %s", id); - cls = hashtab_search(policydb->p_classes.table, id); - if (!cls) { - if (warn) - fprintf(stderr, "Warning! Class %s used in neverallow undefined in policy being checked.\n", id); - continue; - } - - node = calloc(1, sizeof *node); - if (!node) - goto err; - node->tclass = cls->s.value; - node->next = classperms; - classperms = node; - free(id); - } while (p < end && openparens); - - if (p == end) - goto err; - - if (warn && !classperms) - fprintf(stderr, "Warning! Empty class set\n"); - - do { - while (p < end && isspace(*p)) - p++; - - if (p == end) - goto err; - - if (*p == '~') { - if (debug) - printf(" ~"); - complement = true; - p++; - while (p < end && isspace(*p)) - p++; - if (p == end) - goto err; - } - - if (*p == '{') { - if (debug && !openparens) - printf(" {"); - openparens++; - p++; - continue; - } - - if (*p == '}') { - if (debug && openparens == 1) - printf(" }"); - if (openparens == 0) - goto err; - openparens--; - p++; - continue; - } - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p) && *p != '{' && *p != '}' && *p != ';' && *p != '#') - p++; - - if (p == start) - goto err; - - id = calloc(1, p - start + 1); - if (!id) - goto err; - memcpy(id, start, p - start); - if (debug) - printf(" %s", id); - - if (!strcmp(id, "*")) { - for (node = classperms; node; node = node->next) - node->data = ~0; - continue; - } - - for (node = classperms; node; node = node->next) { - cls = policydb->class_val_to_struct[node->tclass-1]; - perm = hashtab_search(cls->permissions.table, id); - if (cls->comdatum && !perm) - perm = hashtab_search(cls->comdatum->permissions.table, id); - if (!perm) { - if (warn) - fprintf(stderr, "Warning! Permission %s used in neverallow undefined in class %s in policy being checked.\n", id, policydb->p_class_val_to_name[node->tclass-1]); - continue; - } - node->data |= 1U << (perm->s.value - 1); - } - free(id); - } while (p < end && openparens); - - if (p == end) - goto err; - - if (complement) { - for (node = classperms; node; node = node->next) - node->data = ~node->data; - } - - if (warn) { - for (node = classperms; node; node = node->next) - if (!node->data) - fprintf(stderr, "Warning! Empty permission set\n"); - } - - *perms = classperms; - *ptr = p; - return 0; -err: - return -1; -} - -static int check_neverallows(policydb_t *policydb, char *text, char *end) -{ - const char *keyword = "neverallow"; - size_t keyword_size = strlen(keyword), len; - struct avrule *neverallows = NULL, *avrule; - char *p, *start; - - p = text; - while (p < end) { - while (p < end && isspace(*p)) - p++; - - if (*p == '#') { - while (p < end && *p != '\n') - p++; - continue; - } - - start = p; - while (p < end && !isspace(*p)) - p++; - - len = p - start; - if (len != keyword_size || strncmp(start, keyword, keyword_size)) - continue; - - if (debug) - printf("neverallow"); - - avrule = calloc(1, sizeof *avrule); - if (!avrule) - goto err; - - avrule->specified = AVRULE_NEVERALLOW; - - if (read_typeset(policydb, &p, end, &avrule->stypes, &avrule->flags)) - goto err; - - if (read_typeset(policydb, &p, end, &avrule->ttypes, &avrule->flags)) - goto err; - - if (read_classperms(policydb, &p, end, &avrule->perms)) - goto err; - - while (p < end && *p != ';') - p++; - - if (p == end || *p != ';') - goto err; - - if (debug) - printf(";\n"); - - avrule->next = neverallows; - neverallows = avrule; - } - - if (!neverallows) - goto err; - - return check_assertions(NULL, policydb, neverallows); -err: - if (errno == ENOMEM) { - fprintf(stderr, "Out of memory while parsing neverallow rules\n"); - } else - fprintf(stderr, "Error while parsing neverallow rules\n"); - return -1; -} - -static int check_neverallows_file(policydb_t *policydb, const char *filename) -{ - int fd; - struct stat sb; - char *text, *end; - - fd = open(filename, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Could not open %s: %s\n", filename, strerror(errno)); - return -1; - } - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno)); - close(fd); - return -1; - } - text = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - end = text + sb.st_size; - if (text == MAP_FAILED) { - fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno)); - close(fd); - return -1; - } - close(fd); - return check_neverallows(policydb, text, end); -} - -static int check_neverallows_string(policydb_t *policydb, char *string, size_t len) -{ - char *text, *end; - text = string; - end = text + len; - return check_neverallows(policydb, text, end); -} - -int neverallow_func (int argc, char **argv, policydb_t *policydb) { - char *rules = 0, *file = 0; - char ch; - - struct option neverallow_options[] = { - {"debug", no_argument, NULL, 'd'}, - {"file_input", required_argument, NULL, 'f'}, - {"neverallow", required_argument, NULL, 'n'}, - {"warn", no_argument, NULL, 'w'}, - {NULL, 0, NULL, 0} - }; - - while ((ch = getopt_long(argc, argv, "df:n:w", neverallow_options, NULL)) != -1) { - switch (ch) { - case 'd': - debug = 1; - break; - case 'f': - file = optarg; - break; - case 'n': - rules = optarg; - break; - case 'w': - warn = 1; - break; - default: - USAGE_ERROR = true; - return -1; - } - } - - if (!(rules || file) || (rules && file)){ - USAGE_ERROR = true; - return -1; - } - if (file) { - return check_neverallows_file(policydb, file); - } else { - return check_neverallows_string(policydb, rules, strlen(rules)); - } -} diff --git a/tools/sepolicy-analyze/neverallow.h b/tools/sepolicy-analyze/neverallow.h deleted file mode 100644 index be80822..0000000 --- a/tools/sepolicy-analyze/neverallow.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef NEVERALLOW_H -#define NEVERALLOW_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void neverallow_usage(void); -int neverallow_func(int argc, char **argv, policydb_t *policydb); - -#endif /* NEVERALLOW_H */ diff --git a/tools/sepolicy-analyze/perm.c b/tools/sepolicy-analyze/perm.c deleted file mode 100644 index 4cc4869..0000000 --- a/tools/sepolicy-analyze/perm.c +++ /dev/null @@ -1,30 +0,0 @@ -#include "perm.h" - -void permissive_usage() { - fprintf(stderr, "\tpermissive\n"); -} - -static int list_permissive(policydb_t * policydb) -{ - struct ebitmap_node *n; - unsigned int bit; - - /* - * iterate over all domains and check if domain is in permissive - */ - ebitmap_for_each_bit(&policydb->permissive_map, n, bit) - { - if (ebitmap_node_get_bit(n, bit)) { - printf("%s\n", policydb->p_type_val_to_name[bit -1]); - } - } - return 0; -} - -int permissive_func (int argc, __attribute__ ((unused)) char **argv, policydb_t *policydb) { - if (argc != 1) { - USAGE_ERROR = true; - return -1; - } - return list_permissive(policydb); -} diff --git a/tools/sepolicy-analyze/perm.h b/tools/sepolicy-analyze/perm.h deleted file mode 100644 index 16e619a..0000000 --- a/tools/sepolicy-analyze/perm.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef PERM_H -#define PERM_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void permissive_usage(void); -int permissive_func(int argc, char **argv, policydb_t *policydb); - -#endif /* PERM_H */ diff --git a/tools/sepolicy-analyze/sepolicy-analyze.c b/tools/sepolicy-analyze/sepolicy-analyze.c deleted file mode 100644 index b70eaaa..0000000 --- a/tools/sepolicy-analyze/sepolicy-analyze.c +++ /dev/null @@ -1,65 +0,0 @@ -#include <stddef.h> -#include <stdio.h> -#include <string.h> - -#include "dups.h" -#include "neverallow.h" -#include "perm.h" -#include "typecmp.h" -#include "booleans.h" -#include "attribute.h" -#include "utils.h" - -#define NUM_COMPONENTS (int) (sizeof(analyze_components)/sizeof(analyze_components[0])) - -#define COMP(x) { #x, sizeof(#x) - 1, x ##_usage, x ##_func } -static struct { - const char *key; - size_t keylen; - void (*usage) (void); - int (*func) (int argc, char **argv, policydb_t *policydb); -} analyze_components[] = { - COMP(dups), - COMP(neverallow), - COMP(permissive), - COMP(typecmp), - COMP(booleans), - COMP(attribute) -}; - -void usage(char *arg0) -{ - int i; - - fprintf(stderr, "%s must be called on a policy file with a component and the appropriate arguments specified\n", arg0); - fprintf(stderr, "%s <policy-file>:\n", arg0); - for(i = 0; i < NUM_COMPONENTS; i++) { - analyze_components[i].usage(); - } - exit(1); -} - -int main(int argc, char **argv) -{ - char *policy; - struct policy_file pf; - policydb_t policydb; - int rc; - int i; - - if (argc < 3) - usage(argv[0]); - policy = argv[1]; - if(load_policy(policy, &policydb, &pf)) - exit(1); - for(i = 0; i < NUM_COMPONENTS; i++) { - if (!strcmp(analyze_components[i].key, argv[2])) { - rc = analyze_components[i].func(argc - 2, argv + 2, &policydb); - if (rc && USAGE_ERROR) { - usage(argv[0]); } - return rc; - } - } - usage(argv[0]); - exit(0); -} diff --git a/tools/sepolicy-analyze/typecmp.c b/tools/sepolicy-analyze/typecmp.c deleted file mode 100644 index 5fffd63..0000000 --- a/tools/sepolicy-analyze/typecmp.c +++ /dev/null @@ -1,295 +0,0 @@ -#include <getopt.h> -#include <sepol/policydb/expand.h> - -#include "typecmp.h" - -void typecmp_usage() { - fprintf(stderr, "\ttypecmp [-d|--diff] [-e|--equiv]\n"); -} - -static int insert_type_rule(avtab_key_t * k, avtab_datum_t * d, - struct avtab_node *type_rules) -{ - struct avtab_node *p, *c, *n; - - for (p = type_rules, c = type_rules->next; c; p = c, c = c->next) { - /* - * Find the insertion point, keeping the list - * ordered by source type, then target type, then - * target class. - */ - if (k->source_type < c->key.source_type) - break; - if (k->source_type == c->key.source_type && - k->target_type < c->key.target_type) - break; - if (k->source_type == c->key.source_type && - k->target_type == c->key.target_type && - k->target_class <= c->key.target_class) - break; - } - - if (c && - k->source_type == c->key.source_type && - k->target_type == c->key.target_type && - k->target_class == c->key.target_class) { - c->datum.data |= d->data; - return 0; - } - - /* Insert the rule */ - n = malloc(sizeof(struct avtab_node)); - if (!n) { - fprintf(stderr, "out of memory\n"); - exit(1); - } - - n->key = *k; - n->datum = *d; - n->next = p->next; - p->next = n; - return 0; -} - -static int create_type_rules_helper(avtab_key_t * k, avtab_datum_t * d, - void *args) -{ - struct avtab_node *type_rules = args; - avtab_key_t key; - - /* - * Insert the rule into the list for - * the source type. The source type value - * is cleared as we want to compare against other type - * rules with different source types. - */ - key = *k; - key.source_type = 0; - if (k->source_type == k->target_type) { - /* Clear target type as well; this is a self rule. */ - key.target_type = 0; - } - if (insert_type_rule(&key, d, &type_rules[k->source_type - 1])) - return -1; - - if (k->source_type == k->target_type) - return 0; - - /* - * If the target type differs, then we also - * insert the rule into the list for the target - * type. We clear the target type value so that - * we can compare against other type rules with - * different target types. - */ - key = *k; - key.target_type = 0; - if (insert_type_rule(&key, d, &type_rules[k->target_type - 1])) - return -1; - - return 0; -} - -static int create_type_rules(avtab_key_t * k, avtab_datum_t * d, void *args) -{ - if (k->specified & AVTAB_ALLOWED) - return create_type_rules_helper(k, d, args); - return 0; -} - -static int create_type_rules_cond(avtab_key_t * k, avtab_datum_t * d, - void *args) -{ - if ((k->specified & (AVTAB_ALLOWED|AVTAB_ENABLED)) == - (AVTAB_ALLOWED|AVTAB_ENABLED)) - return create_type_rules_helper(k, d, args); - return 0; -} - -static void free_type_rules(struct avtab_node *l) -{ - struct avtab_node *tmp; - - while (l) { - tmp = l; - l = l->next; - free(tmp); - } -} - -static int find_match(policydb_t *policydb, struct avtab_node *l1, - int idx1, struct avtab_node *l2, int idx2) -{ - struct avtab_node *c; - uint32_t perms1, perms2; - - for (c = l2; c; c = c->next) { - if (l1->key.source_type < c->key.source_type) - break; - if (l1->key.source_type == c->key.source_type && - l1->key.target_type < c->key.target_type) - break; - if (l1->key.source_type == c->key.source_type && - l1->key.target_type == c->key.target_type && - l1->key.target_class <= c->key.target_class) - break; - } - - if (c && - l1->key.source_type == c->key.source_type && - l1->key.target_type == c->key.target_type && - l1->key.target_class == c->key.target_class) { - perms1 = l1->datum.data & ~c->datum.data; - perms2 = c->datum.data & ~l1->datum.data; - if (perms1 || perms2) { - if (perms1) - display_allow(policydb, &l1->key, idx1, perms1); - if (perms2) - display_allow(policydb, &c->key, idx2, perms2); - printf("\n"); - return 1; - } - } - - return 0; -} - -static int analyze_types(policydb_t * policydb, char diff, char equiv) -{ - avtab_t exp_avtab, exp_cond_avtab; - struct avtab_node *type_rules, *l1, *l2; - struct type_datum *type; - size_t i, j; - - /* - * Create a list of access vector rules for each type - * from the access vector table. - */ - type_rules = malloc(sizeof(struct avtab_node) * policydb->p_types.nprim); - if (!type_rules) { - fprintf(stderr, "out of memory\n"); - exit(1); - } - memset(type_rules, 0, sizeof(struct avtab_node) * policydb->p_types.nprim); - - if (avtab_init(&exp_avtab) || avtab_init(&exp_cond_avtab)) { - fputs("out of memory\n", stderr); - return -1; - } - - if (expand_avtab(policydb, &policydb->te_avtab, &exp_avtab)) { - fputs("out of memory\n", stderr); - avtab_destroy(&exp_avtab); - return -1; - } - - if (expand_avtab(policydb, &policydb->te_cond_avtab, &exp_cond_avtab)) { - fputs("out of memory\n", stderr); - avtab_destroy(&exp_avtab); /* */ - return -1; - } - - if (avtab_map(&exp_avtab, create_type_rules, type_rules)) - exit(1); - - if (avtab_map(&exp_cond_avtab, create_type_rules_cond, type_rules)) - exit(1); - - avtab_destroy(&exp_avtab); - avtab_destroy(&exp_cond_avtab); - - /* - * Compare the type lists and identify similar types. - */ - for (i = 0; i < policydb->p_types.nprim - 1; i++) { - if (!type_rules[i].next) - continue; - type = policydb->type_val_to_struct[i]; - if (type->flavor) { - free_type_rules(type_rules[i].next); - type_rules[i].next = NULL; - continue; - } - for (j = i + 1; j < policydb->p_types.nprim; j++) { - type = policydb->type_val_to_struct[j]; - if (type->flavor) { - free_type_rules(type_rules[j].next); - type_rules[j].next = NULL; - continue; - } - for (l1 = type_rules[i].next, l2 = type_rules[j].next; - l1 && l2; l1 = l1->next, l2 = l2->next) { - if (l1->key.source_type != l2->key.source_type) - break; - if (l1->key.target_type != l2->key.target_type) - break; - if (l1->key.target_class != l2->key.target_class - || l1->datum.data != l2->datum.data) - break; - } - if (l1 || l2) { - if (diff) { - printf - ("Types %s and %s differ, starting with:\n", - policydb->p_type_val_to_name[i], - policydb->p_type_val_to_name[j]); - - if (l1 && l2) { - if (find_match(policydb, l1, i, l2, j)) - continue; - if (find_match(policydb, l2, j, l1, i)) - continue; - } - if (l1) - display_allow(policydb, &l1->key, i, l1->datum.data); - if (l2) - display_allow(policydb, &l2->key, j, l2->datum.data); - printf("\n"); - } - continue; - } - free_type_rules(type_rules[j].next); - type_rules[j].next = NULL; - if (equiv) { - printf("Types %s and %s are equivalent.\n", - policydb->p_type_val_to_name[i], - policydb->p_type_val_to_name[j]); - } - } - free_type_rules(type_rules[i].next); - type_rules[i].next = NULL; - } - - free(type_rules); - return 0; -} - -int typecmp_func (int argc, char **argv, policydb_t *policydb) { - char ch, diff = 0, equiv = 0; - - struct option typecmp_options[] = { - {"diff", no_argument, NULL, 'd'}, - {"equiv", no_argument, NULL, 'e'}, - {NULL, 0, NULL, 0} - }; - - while ((ch = getopt_long(argc, argv, "de", typecmp_options, NULL)) != -1) { - switch (ch) { - case 'd': - diff = 1; - break; - case 'e': - equiv = 1; - break; - default: - USAGE_ERROR = true; - return -1; - } - } - - if (!(diff || equiv)) { - USAGE_ERROR = true; - return -1; - } - return analyze_types(policydb, diff, equiv); -} diff --git a/tools/sepolicy-analyze/typecmp.h b/tools/sepolicy-analyze/typecmp.h deleted file mode 100644 index f93daaa..0000000 --- a/tools/sepolicy-analyze/typecmp.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef TYPECMP_H -#define TYPECMP_H - -#include <sepol/policydb/policydb.h> - -#include "utils.h" - -void typecmp_usage(void); -int typecmp_func(int argc, char **argv, policydb_t *policydb); - -#endif /* TYPECMP_H */ diff --git a/tools/sepolicy-analyze/utils.c b/tools/sepolicy-analyze/utils.c deleted file mode 100644 index 5e52f59..0000000 --- a/tools/sepolicy-analyze/utils.c +++ /dev/null @@ -1,68 +0,0 @@ -#include <fcntl.h> -#include <sepol/policydb/policydb.h> -#include <sepol/policydb/util.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <unistd.h> - -#include "utils.h" - -bool USAGE_ERROR = false; - -void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms) -{ - printf(" allow %s %s:%s { %s };\n", - policydb->p_type_val_to_name[key->source_type - ? key->source_type - 1 : idx], - key->target_type == key->source_type ? "self" : - policydb->p_type_val_to_name[key->target_type - ? key->target_type - 1 : idx], - policydb->p_class_val_to_name[key->target_class - 1], - sepol_av_to_string - (policydb, key->target_class, perms)); -} - -int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf) -{ - int fd; - struct stat sb; - void *map; - int ret; - - fd = open(filename, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno)); - return 1; - } - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno)); - close(fd); - return 1; - } - map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) { - fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno)); - close(fd); - return 1; - } - - policy_file_init(pf); - pf->type = PF_USE_MEMORY; - pf->data = map; - pf->len = sb.st_size; - if (policydb_init(policydb)) { - fprintf(stderr, "Could not initialize policydb!\n"); - close(fd); - munmap(map, sb.st_size); - return 1; - } - ret = policydb_read(policydb, pf, 0); - if (ret) { - fprintf(stderr, "error(s) encountered while parsing configuration\n"); - close(fd); - munmap(map, sb.st_size); - return 1; - } - - return 0; -} diff --git a/tools/sepolicy-analyze/utils.h b/tools/sepolicy-analyze/utils.h deleted file mode 100644 index 83f5a78..0000000 --- a/tools/sepolicy-analyze/utils.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef UTILS_H -#define UTILS_H - -#include <stdbool.h> -#include <stdint.h> -#include <sepol/policydb/avtab.h> -#include <sepol/policydb/policydb.h> - - -extern bool USAGE_ERROR; - -void display_allow(policydb_t *policydb, avtab_key_t *key, int idx, uint32_t perms); - -int load_policy(char *filename, policydb_t * policydb, struct policy_file *pf); - -#endif /* UTILS_H */ diff --git a/tools/sepolicy-check.c b/tools/sepolicy-check.c deleted file mode 100644 index 713e7c1..0000000 --- a/tools/sepolicy-check.c +++ /dev/null @@ -1,296 +0,0 @@ -#include <getopt.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/mman.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <stdio.h> -#include <sepol/policydb/policydb.h> -#include <sepol/policydb/services.h> -#include <sepol/policydb/expand.h> - -#define EQUALS 0 -#define NOT 1 -#define ANY 2 - -void usage(char *arg0) { - fprintf(stderr, "%s -s <source> -t <target> -c <class> -p <perm> -P <policy file>\n", arg0); - exit(1); -} - -void *cmalloc(size_t s) { - void *t = malloc(s); - if (t == NULL) { - fprintf(stderr, "Out of memory\n"); - exit(1); - } - return t; -} - -int parse_ops(char **arg) { - switch (*arg[0]) { - case '-': - *arg = *arg + 1; - return NOT; - case '*': - return ANY; - default: - return EQUALS; - } -} - -int check(int op, uint16_t arg1, uint16_t arg2) { - switch (op) { - case EQUALS: - return arg1 == arg2; - case NOT: - return arg1 != arg2; - case ANY: - return 1; - default: - fprintf(stderr, "Bad op while checking!"); - return 2; - } -} - -int check_perm(avtab_ptr_t current, perm_datum_t *perm) { - uint16_t perm_bitmask = 1U << (perm->s.value - 1); - return (current->datum.data & perm_bitmask) != 0; -} - - -int expand_and_check(int s_op, uint32_t source_type, - int t_op, uint32_t target_type, - int c_op, uint32_t target_class, - perm_datum_t *perm, policydb_t *policy, avtab_t *avtab) { - avtab_t exp_avtab; - avtab_ptr_t cur; - unsigned int i; - int match; - - if (avtab_init(&exp_avtab)) { - fputs("out of memory\n", stderr); - return -1; - } - - if (expand_avtab(policy, avtab, &exp_avtab)) { - fputs("out of memory\n", stderr); - avtab_destroy(&exp_avtab); - return -1; - } - - for (i = 0; i < exp_avtab.nslot; i++) { - for (cur = exp_avtab.htable[i]; cur; cur = cur->next) { - match = 1; - match &= check(s_op, source_type, cur->key.source_type); - match &= check(t_op, target_type, cur->key.target_type); - match &= check(c_op, target_class, cur->key.target_class); - match &= check_perm(cur, perm); - if (match) { - avtab_destroy(&exp_avtab); - return 1; - } - } - } - - avtab_destroy(&exp_avtab); - return 0; -} - -/* - * Checks to see if a rule matching the given arguments already exists. - * - * The format for the arguments is as follows: - * - * - A bare string is treated as a literal and will be matched by equality. - * - A string starting with "-" will be matched by inequality. - * - A string starting with "*" will be treated as a wildcard. - * - * The return codes for this function are as follows: - * - * - 0 indicates a successful return without a match - * - 1 indicates a successful return with a match - * - -1 indicates an error - */ -int check_rule(char *s, char *t, char *c, char *p, policydb_t *policy) { - type_datum_t *src = NULL; - type_datum_t *tgt = NULL; - class_datum_t *cls = NULL; - perm_datum_t *perm = NULL; - int s_op = parse_ops(&s); - int t_op = parse_ops(&t); - int c_op = parse_ops(&c); - int p_op = parse_ops(&p); - avtab_key_t key; - int match; - - key.source_type = key.target_type = key.target_class = 0; - - if (s_op != ANY) { - src = hashtab_search(policy->p_types.table, s); - if (src == NULL) { - fprintf(stderr, "source type %s does not exist\n", s); - return -1; - } - } - if (t_op != ANY) { - tgt = hashtab_search(policy->p_types.table, t); - if (tgt == NULL) { - fprintf(stderr, "target type %s does not exist\n", t); - return -1; - } - } - if (c_op != ANY) { - cls = hashtab_search(policy->p_classes.table, c); - if (cls == NULL) { - fprintf(stderr, "class %s does not exist\n", c); - return -1; - } - } - if (p_op != ANY) { - perm = hashtab_search(cls->permissions.table, p); - if (perm == NULL) { - if (cls->comdatum == NULL) { - fprintf(stderr, "perm %s does not exist in class %s\n", p, c); - return -1; - } - perm = hashtab_search(cls->comdatum->permissions.table, p); - if (perm == NULL) { - fprintf(stderr, "perm %s does not exist in class %s\n", p, c); - return -1; - } - } - } - - if (s_op != ANY) - key.source_type = src->s.value; - if (t_op != ANY) - key.target_type = tgt->s.value; - if (c_op != ANY) - key.target_class = cls->s.value; - - /* Check unconditional rules after attribute expansion. */ - match = expand_and_check(s_op, key.source_type, - t_op, key.target_type, - c_op, key.target_class, - perm, policy, &policy->te_avtab); - if (match) - return match; - - /* Check conditional rules after attribute expansion. */ - return expand_and_check(s_op, key.source_type, - t_op, key.target_type, - c_op, key.target_class, - perm, policy, &policy->te_cond_avtab); -} - -int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf) { - int fd; - struct stat sb; - void *map; - int ret; - - fd = open(filename, O_RDONLY); - if (fd < 0) { - fprintf(stderr, "Can't open '%s': %s\n", filename, strerror(errno)); - return 1; - } - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", filename, strerror(errno)); - close(fd); - return 1; - } - map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) { - fprintf(stderr, "Can't mmap '%s': %s\n", filename, strerror(errno)); - close(fd); - return 1; - } - - policy_file_init(pf); - pf->type = PF_USE_MEMORY; - pf->data = map; - pf->len = sb.st_size; - if (policydb_init(policydb)) { - fprintf(stderr, "Could not initialize policydb!\n"); - close(fd); - munmap(map, sb.st_size); - return 1; - } - ret = policydb_read(policydb, pf, 0); - if (ret) { - fprintf(stderr, "error(s) encountered while parsing configuration\n"); - close(fd); - munmap(map, sb.st_size); - return 1; - } - - return 0; -} - - -int main(int argc, char **argv) -{ - char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL; - policydb_t policydb; - struct policy_file pf; - sidtab_t sidtab; - char ch; - int match = 1; - - struct option long_options[] = { - {"source", required_argument, NULL, 's'}, - {"target", required_argument, NULL, 't'}, - {"class", required_argument, NULL, 'c'}, - {"perm", required_argument, NULL, 'p'}, - {"policy", required_argument, NULL, 'P'}, - {NULL, 0, NULL, 0} - }; - - while ((ch = getopt_long(argc, argv, "s:t:c:p:P:", long_options, NULL)) != -1) { - switch (ch) { - case 's': - source = optarg; - break; - case 't': - target = optarg; - break; - case 'c': - class = optarg; - break; - case 'p': - perm = optarg; - break; - case 'P': - policy = optarg; - break; - default: - usage(argv[0]); - } - } - - if (!source || !target || !class || !perm || !policy) - usage(argv[0]); - - sepol_set_policydb(&policydb); - sepol_set_sidtab(&sidtab); - - if (load_policy(policy, &policydb, &pf)) - goto out; - - match = check_rule(source, target, class, perm, &policydb); - if (match < 0) { - fprintf(stderr, "Error checking rules!\n"); - goto out; - } else if (match > 0) { - printf("Match found!\n"); - goto out; - } - - match = 0; - -out: - policydb_destroy(&policydb); - return match; -} diff --git a/tzdatacheck.te b/tzdatacheck.te deleted file mode 100644 index f61cb47..0000000 --- a/tzdatacheck.te +++ /dev/null @@ -1,8 +0,0 @@ -# The tzdatacheck command run by init. -type tzdatacheck, domain, domain_deprecated; -type tzdatacheck_exec, exec_type, file_type; - -init_daemon_domain(tzdatacheck) - -allow tzdatacheck zoneinfo_data_file:dir create_dir_perms; -allow tzdatacheck zoneinfo_data_file:file unlink; diff --git a/ueventd.te b/ueventd.te deleted file mode 100644 index f67c0db..0000000 --- a/ueventd.te +++ /dev/null @@ -1,42 +0,0 @@ -# ueventd seclabel is specified in init.rc since -# it lives in the rootfs and has no unique file type. -type ueventd, domain, domain_deprecated; -tmpfs_domain(ueventd) - -# TODO: why is ueventd using __kmsg__ when it should just create -# and use /dev/kmsg instead? -type_transition ueventd device:chr_file klog_device "__kmsg__"; -allow ueventd klog_device:chr_file { create open write unlink }; - -allow ueventd init:process sigchld; -allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner }; -allow ueventd device:file create_file_perms; -allow ueventd device:chr_file rw_file_perms; -allow ueventd sysfs:file rw_file_perms; -allow ueventd sysfs_hwrandom:file w_file_perms; -allow ueventd sysfs_zram_uevent:file w_file_perms; -allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr }; -allow ueventd sysfs_type:dir { relabelfrom relabelto setattr r_dir_perms }; -allow ueventd sysfs_devices_system_cpu:file rw_file_perms; -allow ueventd tmpfs:chr_file rw_file_perms; -allow ueventd dev_type:dir create_dir_perms; -allow ueventd dev_type:lnk_file { create unlink }; -allow ueventd dev_type:chr_file { create setattr unlink }; -allow ueventd dev_type:blk_file { create setattr unlink }; -allow ueventd self:netlink_kobject_uevent_socket create_socket_perms; -allow ueventd efs_file:dir search; -allow ueventd efs_file:file r_file_perms; - -# Use setfscreatecon() to label /dev directories and files. -allow ueventd self:process setfscreate; - -##### -##### neverallow rules -##### - -# ueventd must never set properties, otherwise deadlocks may occur. -# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941 -# No writing to the property socket, connecting to init, or setting properties. -neverallow ueventd property_socket:sock_file write; -neverallow ueventd init:unix_stream_socket connectto; -neverallow ueventd property_type:property_service set; diff --git a/uncrypt.te b/uncrypt.te deleted file mode 100644 index 9231a4d..0000000 --- a/uncrypt.te +++ /dev/null @@ -1,33 +0,0 @@ -# uncrypt -type uncrypt, domain, domain_deprecated, mlstrustedsubject; -type uncrypt_exec, exec_type, file_type; - -init_daemon_domain(uncrypt) - -allow uncrypt self:capability dac_override; - -# Read OTA zip file from /data/data/com.google.android.gsf/app_download -r_dir_file(uncrypt, app_data_file) - -userdebug_or_eng(` - # For debugging, allow /data/local/tmp access - r_dir_file(uncrypt, shell_data_file) -') - -# Read /cache/recovery/command -# Read /cache/recovery/uncrypt_file -# Write to pipe file /cache/recovery/uncrypt_status -allow uncrypt cache_recovery_file:dir rw_dir_perms; -allow uncrypt cache_recovery_file:file create_file_perms; -allow uncrypt cache_recovery_file:fifo_file w_file_perms; - -# Set a property to reboot the device. -set_prop(uncrypt, powerctl_prop) - -# Raw writes to block device -allow uncrypt self:capability sys_rawio; -allow uncrypt misc_block_device:blk_file w_file_perms; -allow uncrypt block_device:dir r_dir_perms; - -# Access userdata block device. -allow uncrypt userdata_block_device:blk_file w_file_perms; diff --git a/untrusted_app.te b/untrusted_app.te deleted file mode 100644 index 47ccb55..0000000 --- a/untrusted_app.te +++ /dev/null @@ -1,178 +0,0 @@ -### -### Untrusted apps. -### -### This file defines the rules for untrusted apps. -### Apps are labeled based on mac_permissions.xml (maps signer and -### optionally package name to seinfo value) and seapp_contexts (maps UID -### and optionally seinfo value to domain for process and type for data -### directory). The untrusted_app domain is the default assignment in -### seapp_contexts for any app with UID between APP_AID (10000) -### and AID_ISOLATED_START (99000) if the app has no specific seinfo -### value as determined from mac_permissions.xml. In current AOSP, this -### domain is assigned to all non-system apps as well as to any system apps -### that are not signed by the platform key. To move -### a system app into a specific domain, add a signer entry for it to -### mac_permissions.xml and assign it one of the pre-existing seinfo values -### or define and use a new seinfo value in both mac_permissions.xml and -### seapp_contexts. -### -### untrusted_app includes all the appdomain rules, plus the -### additional following rules: -### - -type untrusted_app, domain; -app_domain(untrusted_app) -net_domain(untrusted_app) -bluetooth_domain(untrusted_app) - -# Some apps ship with shared libraries and binaries that they write out -# to their sandbox directory and then execute. -allow untrusted_app app_data_file:file { rx_file_perms execmod }; - -# ASEC -allow untrusted_app asec_apk_file:file r_file_perms; -# Execute libs in asec containers. -allow untrusted_app asec_public_file:file { execute execmod }; - -# Allow the allocation and use of ptys -# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm -create_pty(untrusted_app) - -# Used by Finsky / Android "Verify Apps" functionality when -# running "adb install foo.apk". -# TODO: Long term, we don't want apps probing into shell data files. -# Figure out a way to remove these rules. -allow untrusted_app shell_data_file:file r_file_perms; -allow untrusted_app shell_data_file:dir r_dir_perms; - -# Read and write system app data files passed over Binder. -# Motivating case was /data/data/com.android.settings/cache/*.jpg for -# cropping or taking user photos. -allow untrusted_app system_app_data_file:file { read write getattr }; - -# -# Rules migrated from old app domains coalesced into untrusted_app. -# This includes what used to be media_app, shared_app, and release_app. -# - -# Access to /data/media. -allow untrusted_app media_rw_data_file:dir create_dir_perms; -allow untrusted_app media_rw_data_file:file create_file_perms; - -# Traverse into /mnt/media_rw for bypassing FUSE daemon -# TODO: narrow this to just MediaProvider -allow untrusted_app mnt_media_rw_file:dir search; - -# allow cts to query all services -allow untrusted_app servicemanager:service_manager list; - -allow untrusted_app drmserver_service:service_manager find; -allow untrusted_app mediaserver_service:service_manager find; -allow untrusted_app nfc_service:service_manager find; -allow untrusted_app radio_service:service_manager find; -allow untrusted_app surfaceflinger_service:service_manager find; -allow untrusted_app app_api_service:service_manager find; - -# Allow GMS core to access perfprofd output, which is stored -# in /data/misc/perfprofd/. GMS core will need to list all -# data stored in that directory to process them one by one. -userdebug_or_eng(` - allow untrusted_app perfprofd_data_file:file r_file_perms; - allow untrusted_app perfprofd_data_file:dir r_dir_perms; -') - -# gdbserver for ndk-gdb ptrace attaches to app process. -allow untrusted_app self:process ptrace; - -# Programs routinely attempt to scan through /system, looking -# for files. Suppress the denials when they occur. -dontaudit untrusted_app exec_type:file getattr; - -# TODO: switch to meminfo service -allow untrusted_app proc_meminfo:file r_file_perms; - -# access /proc/net/xt_qtguid/stats -r_dir_file(untrusted_app, proc_net) - -# Cts: HwRngTest -allow untrusted_app sysfs_hwrandom:dir search; -allow untrusted_app sysfs_hwrandom:file r_file_perms; - -### -### neverallow rules -### - -# Receive or send uevent messages. -neverallow untrusted_app domain:netlink_kobject_uevent_socket *; - -# Receive or send generic netlink messages -neverallow untrusted_app domain:netlink_socket *; - -# Too much leaky information in debugfs. It's a security -# best practice to ensure these files aren't readable. -neverallow untrusted_app debugfs_type:file read; - -# Do not allow untrusted apps to register services. -# Only trusted components of Android should be registering -# services. -neverallow untrusted_app service_manager_type:service_manager add; - -# Do not allow untrusted_apps to connect to the property service -# or set properties. b/10243159 -neverallow untrusted_app property_socket:sock_file write; -neverallow untrusted_app init:unix_stream_socket connectto; -neverallow untrusted_app property_type:property_service set; - -# Do not allow untrusted_app to be assigned mlstrustedsubject. -# This would undermine the per-user isolation model being -# enforced via levelFrom=user in seapp_contexts and the mls -# constraints. As there is no direct way to specify a neverallow -# on attribute assignment, this relies on the fact that fork -# permission only makes sense within a domain (hence should -# never be granted to any other domain within mlstrustedsubject) -# and untrusted_app is allowed fork permission to itself. -neverallow untrusted_app mlstrustedsubject:process fork; - -# Do not allow untrusted_app to hard link to any files. -# In particular, if untrusted_app links to other app data -# files, installd will not be able to guarantee the deletion -# of the linked to file. Hard links also contribute to security -# bugs, so we want to ensure untrusted_app never has this -# capability. -neverallow untrusted_app file_type:file link; - -# Do not allow untrusted_app to access network MAC address file -neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms; - -# Do not allow untrusted_app access to /cache -neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms }; -neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr }; - -# Do not allow untrusted_app to set system properties. -neverallow untrusted_app property_socket:sock_file write; -neverallow untrusted_app property_type:property_service set; - -# Do not allow untrusted_app to create/unlink files outside of its sandbox, -# internal storage or sdcard. -# World accessible data locations allow application to fill the device -# with unaccounted for data. This data will not get removed during -# application un-installation. -neverallow untrusted_app { - fs_type - -fuse # sdcard - file_type - -app_data_file # The apps sandbox itself - -media_rw_data_file # Internal storage. Known that apps can - # leave artfacts here after uninstall. - userdebug_or_eng(` - -method_trace_data_file # only on ro.debuggable=1 - -coredump_file # userdebug/eng only - ') -}:dir_file_class_set { create unlink }; - -# Do not allow untrusted_app to directly open tun_device -neverallow untrusted_app tun_device:chr_file open; - -# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553) -neverallow untrusted_app anr_data_file:file ~{ open append }; -neverallow untrusted_app anr_data_file:dir ~search; diff --git a/update_engine.te b/update_engine.te deleted file mode 100644 index cf614e6..0000000 --- a/update_engine.te +++ /dev/null @@ -1,60 +0,0 @@ -# Domain for update_engine daemon. -type update_engine, domain, domain_deprecated; -type update_engine_exec, exec_type, file_type; -type update_engine_data_file, file_type, data_file_type; - -init_daemon_domain(update_engine); -net_domain(update_engine); - -# Following permissions are needed for update_engine. -allow update_engine self:process { setsched }; -allow update_engine self:capability { fowner sys_admin }; -allow update_engine kmsg_device:chr_file w_file_perms; -allow update_engine update_engine_exec:file rx_file_perms; -wakelock_use(update_engine); - -# Ignore these denials. -dontaudit update_engine kernel:process setsched; - -# Allow using persistent storage in /data/misc/update_engine. -allow update_engine update_engine_data_file:dir { create_dir_perms }; -allow update_engine update_engine_data_file:file { create_file_perms }; - -# Allow update_engine to reach block devices in /dev/block. -allow update_engine block_device:dir search; - -# Allow read/write on system and boot partitions. -allow update_engine boot_block_device:blk_file rw_file_perms; -allow update_engine system_block_device:blk_file rw_file_perms; - -# Don't allow kernel module loading, just silence the logs. -dontaudit update_engine kernel:system module_request; - -# Allow update_engine to mount on the /postinstall directory and reset the -# labels on the mounted filesystem to postinstall_file. -allow update_engine postinstall_mnt_dir:dir mounton; -allow update_engine postinstall_file:filesystem { mount unmount relabelfrom relabelto }; -allow update_engine labeledfs:filesystem relabelfrom; - -# Allow update_engine to read and execute postinstall_file. -allow update_engine postinstall_file:file rx_file_perms; -allow update_engine postinstall_file:lnk_file r_file_perms; -allow update_engine postinstall_file:dir r_dir_perms; - -# The postinstall program is run by update_engine and will always be tagged as a -# postinstall_file regardless of its attributes in the new system. -domain_auto_trans(update_engine, postinstall_file, postinstall) - -# A postinstall program is typically a shell script (with a #!), so we allow -# to execute those. -allow update_engine shell_exec:file rx_file_perms; - -# Register the service to perform Binder IPC. -binder_use(update_engine) -allow update_engine update_engine_service:service_manager { add }; - -# Allow update_engine to call the callback function provided by priv_app. -binder_call(update_engine, priv_app) - -# Allow read/write bootctrl block device. -allow update_engine bootctrl_block_device:blk_file rw_file_perms; diff --git a/update_verifier.te b/update_verifier.te deleted file mode 100644 index 42567fe..0000000 --- a/update_verifier.te +++ /dev/null @@ -1,10 +0,0 @@ -# update_verifier -type update_verifier, domain; -type update_verifier_exec, exec_type, file_type; - -init_daemon_domain(update_verifier) - -# Raw writes to bootctrl block device -allow update_verifier bootctrl_block_device:blk_file rw_file_perms; - -# TODO: Add rules to allow update_verifier to read system_block_device. @@ -1 +0,0 @@ -user u roles { r } level s0 range s0 - mls_systemhigh; @@ -1,23 +0,0 @@ -# vdc spawned from init for the following services: -# defaultcrypto -# encrypt -# -# We also transition into this domain from dumpstate, when -# collecting bug reports. - -type vdc, domain, domain_deprecated; -type vdc_exec, exec_type, file_type; - -init_daemon_domain(vdc) - -unix_socket_connect(vdc, vold, vold) - -# vdc sends information back to dumpstate when "adb bugreport" is used -allow vdc dumpstate:fd use; -allow vdc dumpstate:unix_stream_socket { read write getattr }; - -# vdc information is written to shell owned bugreport files -allow vdc shell_data_file:file { write getattr }; - -# Why? -allow vdc dumpstate:unix_dgram_socket { read write }; diff --git a/vold.te b/vold.te deleted file mode 100644 index 737037d..0000000 --- a/vold.te +++ /dev/null @@ -1,193 +0,0 @@ -# volume manager -type vold, domain, domain_deprecated; -type vold_exec, exec_type, file_type; - -init_daemon_domain(vold) - -# Switch to more restrictive domains when executing common tools -domain_auto_trans(vold, sgdisk_exec, sgdisk); -domain_auto_trans(vold, sdcardd_exec, sdcardd); - -# Read already opened /cache files. -allow vold cache_file:dir r_dir_perms; -allow vold cache_file:file { getattr read }; -allow vold cache_file:lnk_file r_file_perms; - -# Read access to pseudo filesystems. -r_dir_file(vold, proc) -r_dir_file(vold, proc_net) -r_dir_file(vold, sysfs) -r_dir_file(vold, rootfs) - -# For a handful of probing tools, we choose an even more restrictive -# domain when working with untrusted block devices -domain_trans(vold, shell_exec, blkid); -domain_trans(vold, shell_exec, blkid_untrusted); -domain_trans(vold, fsck_exec, fsck); -domain_trans(vold, fsck_exec, fsck_untrusted); - -# Allow us to jump into execution domains of above tools -allow vold self:process setexec; - -# For sgdisk launched through popen() -allow vold shell_exec:file rx_file_perms; - -typeattribute vold mlstrustedsubject; -allow vold self:process setfscreate; -allow vold system_file:file x_file_perms; -allow vold block_device:dir create_dir_perms; -allow vold device:dir write; -allow vold devpts:chr_file rw_file_perms; -allow vold rootfs:dir mounton; -allow vold sdcard_type:dir mounton; # TODO: deprecated in M -allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M -allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M -allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M - -# Manage locations where storage is mounted -allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms; -allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms; - -# Access to storage that backs emulated FUSE daemons for migration optimization -allow vold media_rw_data_file:dir create_dir_perms; -allow vold media_rw_data_file:file create_file_perms; - -# Newly created storage dirs are always treated as mount stubs to prevent us -# from accidentally writing when the mount point isn't present. -type_transition vold storage_file:dir storage_stub_file; -type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file; - -# Allow mounting of storage devices -allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; -allow vold sdcard_type:filesystem { mount unmount remount }; - -# Manage per-user primary symlinks -allow vold mnt_user_file:dir create_dir_perms; -allow vold mnt_user_file:lnk_file create_file_perms; - -# Allow to create and mount expanded storage -allow vold mnt_expand_file:dir { create_dir_perms mounton }; -allow vold apk_data_file:dir { create getattr setattr }; -allow vold shell_data_file:dir { create getattr setattr }; - -allow vold tmpfs:filesystem { mount unmount }; -allow vold tmpfs:dir create_dir_perms; -allow vold tmpfs:dir mounton; -allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; -allow vold self:netlink_kobject_uevent_socket create_socket_perms; -allow vold app_data_file:dir search; -allow vold app_data_file:file rw_file_perms; -allow vold loop_device:blk_file create_file_perms; -allow vold vold_device:blk_file create_file_perms; -allow vold dm_device:chr_file rw_file_perms; -allow vold dm_device:blk_file rw_file_perms; -# For vold Process::killProcessesWithOpenFiles function. -allow vold domain:dir r_dir_perms; -allow vold domain:{ file lnk_file } r_file_perms; -allow vold domain:process { signal sigkill }; -allow vold self:capability { sys_ptrace kill }; - -# XXX Label sysfs files with a specific type? -allow vold sysfs:file rw_file_perms; - -allow vold kmsg_device:chr_file rw_file_perms; - -# Run fsck in the fsck domain. -allow vold fsck_exec:file { r_file_perms execute }; - -# Log fsck results -allow vold fscklogs:dir rw_dir_perms; -allow vold fscklogs:file create_file_perms; - -# -# Rules to support encrypted fs support. -# - -# Unmount and mount the fs. -allow vold labeledfs:filesystem { mount unmount remount }; - -# Access /efs/userdata_footer. -# XXX Split into a separate type? -allow vold efs_file:file rw_file_perms; - -# Create and mount on /data/tmp_mnt and management of expansion mounts -allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir }; - -# Set scheduling policy of kernel processes -allow vold kernel:process setsched; - -# Property Service -set_prop(vold, vold_prop) -set_prop(vold, powerctl_prop) -set_prop(vold, ctl_fuse_prop) -set_prop(vold, restorecon_prop) - -# ASEC -allow vold asec_image_file:file create_file_perms; -allow vold asec_image_file:dir rw_dir_perms; -allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; -allow vold asec_public_file:dir { relabelto setattr }; -allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; -allow vold asec_public_file:file { relabelto setattr }; -# restorecon files in asec containers created on 4.2 or earlier. -allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; -allow vold unlabeled:file { r_file_perms setattr relabelfrom }; - -# Handle wake locks (used for device encryption) -wakelock_use(vold) - -# talk to batteryservice -binder_use(vold) -binder_call(vold, healthd) - -# talk to keymaster -allow vold tee_device:chr_file rw_file_perms; - -# Access userdata block device. -allow vold userdata_block_device:blk_file rw_file_perms; - -# Access metadata block device used for encryption meta-data. -allow vold metadata_block_device:blk_file rw_file_perms; - -# Allow vold to manipulate /data/unencrypted -allow vold unencrypted_data_file:{ file } create_file_perms; -allow vold unencrypted_data_file:dir create_dir_perms; - -# Write to /proc/sys/vm/drop_caches -allow vold proc_drop_caches:file w_file_perms; - -# Give vold a place where only vold can store files; everyone else is off limits -allow vold vold_data_file:dir create_dir_perms; -allow vold vold_data_file:file create_file_perms; - -# linux keyring configuration -allow vold init:key { write search setattr }; -allow vold vold:key { write search setattr }; - -# vold temporarily changes its priority when running benchmarks -allow vold self:capability sys_nice; - -# vold needs to chroot into app namespaces to remount when runtime permissions change -allow vold self:capability sys_chroot; -allow vold storage_file:dir mounton; - -# For AppFuse. -allow vold fuse_device:chr_file rw_file_perms; -allow vold fuse:filesystem { relabelfrom }; -allow vold app_fusefs:filesystem { relabelfrom relabelto }; -allow vold app_fusefs:filesystem { mount unmount }; - -# coldboot of /sys/block -allow vold sysfs_zram:dir r_dir_perms; -allow vold sysfs_zram_uevent:file rw_file_perms; - -# MoveTask.cpp executes cp and rm -allow vold toolbox_exec:file rx_file_perms; - -neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; -neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; -neverallow { domain -vold -init } vold_data_file:dir *; -neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *; -neverallow { domain -vold -init } restorecon_prop:property_service set; - -neverallow vold fsck_exec:file execute_no_trans; diff --git a/watchdogd.te b/watchdogd.te deleted file mode 100644 index 00292a9..0000000 --- a/watchdogd.te +++ /dev/null @@ -1,4 +0,0 @@ -# watchdogd seclabel is specified in init.<board>.rc -type watchdogd, domain; -allow watchdogd watchdog_device:chr_file rw_file_perms; -allow watchdogd kmsg_device:chr_file rw_file_perms; @@ -1,48 +0,0 @@ -# wpa - wpa supplicant or equivalent -type wpa, domain, domain_deprecated; -type wpa_exec, exec_type, file_type; - -init_daemon_domain(wpa) - -net_domain(wpa) - -allow wpa kernel:system module_request; -allow wpa self:capability { setuid net_admin setgid net_raw }; -allow wpa cgroup:dir create_dir_perms; -allow wpa self:netlink_route_socket nlmsg_write; -allow wpa self:netlink_socket create_socket_perms; -allow wpa self:netlink_generic_socket create_socket_perms; -allow wpa self:packet_socket create_socket_perms; -allow wpa wifi_data_file:dir create_dir_perms; -allow wpa wifi_data_file:file create_file_perms; -unix_socket_send(wpa, system_wpa, system_server) - -binder_use(wpa) - -# Create a socket for receiving info from wpa -type_transition wpa wifi_data_file:dir wpa_socket "sockets"; -allow wpa wpa_socket:dir create_dir_perms; -allow wpa wpa_socket:sock_file create_file_perms; - -use_keystore(wpa) - -# WPA (wifi) has a restricted set of permissions from the default. -allow wpa keystore:keystore_key { - get - sign - verify -}; - -# Allow wpa_cli to work. wpa_cli creates a socket in -# /data/misc/wifi/sockets which wpa supplicant communicates with. -userdebug_or_eng(` - unix_socket_send(wpa, wpa, su) -') - -### -### neverallow rules -### - -# wpa_supplicant should not trust any data from sdcards -neverallow wpa sdcard_type:dir ~getattr; -neverallow wpa sdcard_type:file *; diff --git a/zygote.te b/zygote.te deleted file mode 100644 index e1be061..0000000 --- a/zygote.te +++ /dev/null @@ -1,97 +0,0 @@ -# zygote -type zygote, domain, domain_deprecated; -type zygote_exec, exec_type, file_type; - -init_daemon_domain(zygote) -typeattribute zygote mlstrustedsubject; -# Override DAC on files and switch uid/gid. -allow zygote self:capability { dac_override setgid setuid fowner chown }; -# Drop capabilities from bounding set. -allow zygote self:capability setpcap; -# Switch SELinux context to app domains. -allow zygote self:process setcurrent; -allow zygote system_server:process dyntransition; -allow zygote appdomain:process dyntransition; -# Allow zygote to read app /proc/pid dirs (b/10455872) -allow zygote appdomain:dir { getattr search }; -allow zygote appdomain:file { r_file_perms }; -# Move children into the peer process group. -allow zygote system_server:process { getpgid setpgid }; -allow zygote appdomain:process { getpgid setpgid }; -# Read system data. -allow zygote system_data_file:dir r_dir_perms; -allow zygote system_data_file:file r_file_perms; -# Write to /data/dalvik-cache. -allow zygote dalvikcache_data_file:dir create_dir_perms; -allow zygote dalvikcache_data_file:file create_file_perms; -# Create symlinks in /data/dalvik-cache -allow zygote dalvikcache_data_file:lnk_file create_file_perms; -# Write to /data/resource-cache -allow zygote resourcecache_data_file:dir rw_dir_perms; -allow zygote resourcecache_data_file:file create_file_perms; -# For art. -allow zygote dalvikcache_data_file:file execute; -# Execute idmap and dex2oat within zygote's own domain. -# TODO: Should either of these be transitioned to the same domain -# used by installd or stay in-domain for zygote? -allow zygote idmap_exec:file rx_file_perms; -allow zygote dex2oat_exec:file rx_file_perms; -# Control cgroups. -allow zygote cgroup:dir create_dir_perms; -allow zygote self:capability sys_admin; -# Check validity of SELinux context before use. -selinux_check_context(zygote) -# Check SELinux permissions. -selinux_check_access(zygote) - -# Native bridge functionality requires that zygote replaces -# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount -allow zygote proc_cpuinfo:file mounton; - -# Allow remounting rootfs as MS_SLAVE -allow zygote rootfs:dir mounton; -allow zygote tmpfs:filesystem { mount unmount }; -allow zygote fuse:filesystem { unmount }; - -# Allowed to create user-specific storage source if started before vold -allow zygote mnt_user_file:dir create_dir_perms; -allow zygote mnt_user_file:lnk_file create_file_perms; -# Allowed to mount user-specific storage into place -allow zygote storage_file:dir { search mounton }; - -# Handle --invoke-with command when launching Zygote with a wrapper command. -allow zygote zygote_exec:file rx_file_perms; - -# Read access to pseudo filesystems. -r_dir_file(zygote, proc_net) - -# Root fs. -allow zygote rootfs:file r_file_perms; - -# System file accesses. -allow zygote system_file:dir r_dir_perms; -allow zygote system_file:file r_file_perms; - -userdebug_or_eng(` - # Allow zygote to create and write method traces in /data/misc/trace. - allow zygote method_trace_data_file:dir w_dir_perms; - allow zygote method_trace_data_file:file { create w_file_perms }; -') - -### -### neverallow rules -### - -# Ensure that all types assigned to app processes are included -# in the appdomain attribute, so that all allow and neverallow rules -# written on appdomain are applied to all app processes. -# This is achieved by ensuring that it is impossible for zygote to -# setcon (dyntransition) to any types other than those associated -# with appdomain plus system_server. -neverallow zygote ~{ appdomain system_server }:process dyntransition; - -# Zygote should never execute anything from /data except for /data/dalvik-cache files. -neverallow zygote { - data_file_type - -dalvikcache_data_file # map PROT_EXEC -}:file no_x_file_perms; |