Further restrict SELinux API access

Remove SELinux access from domain_deprecated. Access to SELinux APIs can be granted on a per-domain basis. Remove appdomain access to SELinux APIs. SELinux APIs are not public and are not intended for application use. In particular, some exploits poll on /sys/fs/selinux/enforce to determine if the attack was successful, and we want to ensure that the behavior isn't allowed. This access was only granted in the past for CTS purposes, but all the relevant CTS tests have been moved to the shell domain. Bug: 27756382 Bug: 28760354 Test: Device boots and no obvious problems. No collected denials. Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b

Further restrict SELinux API access
14e2e926 · Nick Kralevich · bf030965 · 14e2e926 · 14e2e926 · 14e2e926
Commit 14e2e926 authored 8 years ago by Nick Kralevich
--- a/private/app.te
+++ b/private/app.te
@@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.

-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
-
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +436,11 @@ neverallow appdomain
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };

+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;

--- a/private/shell.te
+++ b/private/shell.te
@@ -13,3 +13,7 @@ app_domain(shell)

 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -292,33 +292,3 @@ auditallow {
  -vold
 } proc_meminfo:file r_file_perms;
 ')
-
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -keystore
-  -postinstall_dexopt
-  -runas
-  -servicemanager
-  -system_server
-  -ueventd
-  -zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')