Skip to content
Snippets Groups Projects
Commit 07667733 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "Further restrict SELinux API access"

parents 9686cbcd 14e2e926
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
private/app.te
+ 5
5
View file @ 07667733
...@@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd) ...@@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
allow appdomain runas_exec:file getattr; allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired. # Others are either allowed elsewhere or not desired.
# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Apps receive an open tun fd from the framework for # Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device # device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append }; allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
...@@ -441,6 +436,11 @@ neverallow appdomain ...@@ -441,6 +436,11 @@ neverallow appdomain
# Access to syslog(2) or /proc/kmsg. # Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console }; neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;
# Ability to perform any filesystem operation other than statfs(2). # Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc. # i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr; neverallow appdomain fs_type:filesystem ~getattr;
......
private/shell.te
+ 4
0
View file @ 07667733
...@@ -13,3 +13,7 @@ app_domain(shell) ...@@ -13,3 +13,7 @@ app_domain(shell)
# allow shell to call dumpsys storaged # allow shell to call dumpsys storaged
binder_call(shell, storaged) binder_call(shell, storaged)
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
public/domain_deprecated.te
+ 0
30
View file @ 07667733
...@@ -292,33 +292,3 @@ auditallow { ...@@ -292,33 +292,3 @@ auditallow {
-vold -vold
} proc_meminfo:file r_file_perms; } proc_meminfo:file r_file_perms;
') ')
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-installd
-keystore
-postinstall_dexopt
-runas
-servicemanager
-system_server
-ueventd
-zygote
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-appdomain
-installd
-keystore
-postinstall_dexopt
-runas
-servicemanager
-system_server
-ueventd
-zygote
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
')
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment