Something went wrong on our end
Select Git revision
-
Jeff Vander Stoep authoredWith project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf)Jeff Vander Stoep authoredWith project Treble, we're relying heavily on attributes for permission inheritance and enforcement of separation between platform and vendor components. We neead tests that verify those attributes are correctly applied. This change adds the framework for those tests including a wrapper around libsepol for loading and querying policy, and a python module for running tests on policy and file_contexts. Included with the testing framework is a test asserting that the coredomain attribute is only applied to core processes. This verification is done using the following rules: 1. Domain's entrypoint is on /system - coredomain 2. Domain's entrypoint is on /vendor - not coredomain 3. Domain belongs to a whitelist of known coredomains - coredomain In a subsequent commit these tests will be applied at build time. However, I first need to fix existing Treble violations exposed by this test. These tests will also be applied during CTS. Test: LD_PRELOAD=$ANDROID_HOST_OUT/lib64/libsepolwrap.so python \ treble.py -p $OUT/vendor/etc/selinux/precompiled_sepolicy \ -f $OUT/vendor/etc/selinux/nonplat_file_contexts \ -f $OUT/system/etc/selinux/plat_file_contexts Bug: 37008075 Change-Id: I7825f5c2909a5801deaccf2bef2bfd227adb0ae9 (cherry picked from commit 0366afdf)
te_macros 10.63 KiB
#####################################
# domain_trans(olddomain, type, newdomain)
# Allow a transition from olddomain to newdomain
# upon executing a file labeled with type.
# This only allows the transition; it does not
# cause it to occur automatically - use domain_auto_trans
# if that is what you want.
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
allow $1 $2:file { getattr open read execute };
allow $1 $3:process transition;
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
allow $3 $1:process sigchld;
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
allow $1 $3:process { siginh rlimitinh };
')
#####################################
# domain_auto_trans(olddomain, type, newdomain)
# Automatically transition from olddomain to newdomain
# upon executing a file labeled with type.
#
define(`domain_auto_trans', `
# Allow the necessary permissions.
domain_trans($1,$2,$3)
# Make the transition occur by default.
type_transition $1 $2:process $3;
')
#####################################
# file_type_trans(domain, dir_type, file_type)
# Allow domain to create a file labeled file_type in a
# directory labeled dir_type.
# This only allows the transition; it does not
# cause it to occur automatically - use file_type_auto_trans
# if that is what you want.
#
define(`file_type_trans', `
# Allow the domain to add entries to the directory.
allow $1 $2:dir ra_dir_perms;
# Allow the domain to create the file.
allow $1 $3:notdevfile_class_set create_file_perms;
allow $1 $3:dir create_dir_perms;
')
#####################################
# file_type_auto_trans(domain, dir_type, file_type)
# Automatically label new files with file_type when
# they are created by domain in directories labeled dir_type.
#
define(`file_type_auto_trans', `
# Allow the necessary permissions.
file_type_trans($1, $2, $3)
# Make the transition occur by default.
type_transition $1 $2:dir $3;
type_transition $1 $2:notdevfile_class_set $3;
')
#####################################
# r_dir_file(domain, type)
# Allow the specified domain to read directories, files
# and symbolic links of the specified type.
define(`r_dir_file', `
allow $1 $2:dir r_dir_perms;
allow $1 $2:{ file lnk_file } r_file_perms;')
#####################################
# unconfined_domain(domain)
# Allow the specified domain to perform more privileged operations
# than would be typically allowed. Please see the comments at the
# top of unconfined.te.
#
define(`unconfined_domain', `
typeattribute $1 mlstrustedsubject;
typeattribute $1 unconfineddomain;
')
#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write };
')
#####################################
# init_daemon_domain(domain)
# Set up a transition from init to the daemon domain
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
')
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
')
#####################################
# net_domain(domain)
# Allow a base set of permissions required for network access.
define(`net_domain', `
typeattribute $1 netdomain;
')
#####################################
# bluetooth_domain(domain)
# Allow a base set of permissions required for bluetooth access.
define(`bluetooth_domain', `
typeattribute $1 bluetoothdomain;
')
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via
# socket to serverdomain.
define(`unix_socket_connect', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
#####################################
# unix_socket_send(clientdomain, socket, serverdomain)
# Allow a local socket send from clientdomain via
# socket to serverdomain.define(`unix_socket_send', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_dgram_socket sendto;
')
#####################################
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
# Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer };
# rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te.
')
#####################################
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
# Call the server domain and optionally transfer references to it.
allow $1 $2:binder { call transfer };
# Allow the serverdomain to transfer references to the client on the reply.
allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
define(`binder_service', `
typeattribute $1 binderservicedomain;
')
#####################################
# selinux_check_access(domain)
# Allow domain to check SELinux permissions via selinuxfs.
define(`selinux_check_access', `
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security compute_av;
allow $1 self:netlink_selinux_socket *;
')
#####################################
# selinux_check_context(domain)
# Allow domain to check SELinux contexts via selinuxfs.
define(`selinux_check_context', `
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security check_context;
')
#####################################
# selinux_getenforce(domain)
# Allow domain to check whether SELinux is enforcing.
define(`selinux_getenforce', `
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file r_file_perms;
')
#####################################
# selinux_setenforce(domain)
# Allow domain to set SELinux to enforcing.
define(`selinux_setenforce', `
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setenforce;
')
#####################################
# selinux_setbool(domain)
# Allow domain to set SELinux booleans.
define(`selinux_setbool', `
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file rw_file_perms;
allow $1 kernel:security setbool;
')
#####################################
# security_access_policy(domain)
# Read only access to all policy files and
# selinuxfs
define(`security_access_policy', `
allow $1 security_file:dir r_dir_perms;
allow $1 security_file:file r_file_perms;
allow $1 security_file:lnk_file r_file_perms;
allow $1 selinuxfs:dir r_dir_perms;
allow $1 selinuxfs:file r_file_perms;
allow $1 rootfs:dir r_dir_perms;
allow $1 rootfs:file r_file_perms;
')
#####################################
# selinux_manage_policy(domain)
# Ability to manage policy files and
# trigger runtime reload.
define(`selinux_manage_policy', `
security_access_policy($1)
unix_socket_connect($1, property, init)
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
allow $1 security_prop:property_service set;
')
#####################################
# mmac_manage_policy(domain)
# Ability to manage mmac policy files,
# trigger runtime reload, change
# mmac enforcing mode and access logcat.
define(`mmac_manage_policy', `
unix_socket_connect($1, property, init)
allow $1 security_file:dir create_dir_perms;
allow $1 security_file:file create_file_perms;
allow $1 security_file:lnk_file { create rename unlink };
allow $1 security_prop:property_service set;
')
#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
# and execute the klogctl syscall
# in a non destructive manner. See
# man 2 klogctl
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
')
#####################################
# write_klog(domain)
# Ability to write to kernel log via
# klog_write()
# See system/core/libcutil/klog.c
define(`write_klog', `
type_transition $1 device:chr_file klog_device "__kmsg__";
allow $1 klog_device:chr_file { create open write unlink };
allow $1 device:dir { write add_name remove_name };
')
#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
# Each domain gets a unique devpts type.
type $1_devpts, fs_type;
# Label the pty with the unique type when created.
type_transition $1 devpts:chr_file $1_devpts;
# Allow use of the pty after creation.
allow $1 $1_devpts:chr_file { open getattr read write ioctl };
# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
# allowed to everyone via domain.te.
')
#####################################
# Non system_app application set
#
define(`non_system_app_set', `{ appdomain -system_app }')
#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
# permissive_or_unconfined
# Returns "permissive $1" if FORCE_PERMISSIVE_TO_UNCONFINED is false,
# and "unconfined($1)" otherwise.
#
# This is used for experimental domains, where we want to ensure
# the domain is unconfined+enforcing once new SELinux policy development
# has ceased.
#
define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
userdebug_or_eng(`
# Debug output
type_transition $1 device:file logd_debug;
allow $1 device:dir rw_dir_perms;
allow $1 logd_debug:file create_file_perms;
')
unix_socket_send($1, logdw, logd)
')
#####################################
# read_logd(domain)
# Ability to read from android
# log daemon via sockets
define(`read_logd', `
unix_socket_connect($1, logdr, logd)
')
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')