From 1601132086b054adc70e7f8f38ed24574c90bc37 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 24 Feb 2014 15:06:11 -0500
Subject: [PATCH] Clean up socket rules.

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just the ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 bluetooth.te      |  8 ++++++--
 clatd.te          |  2 +-
 dhcp.te           |  3 +--
 dnsmasq.te        |  5 ++---
 domain.te         |  3 ++-
 drmserver.te      |  4 ++--
 dumpstate.te      |  3 ---
 hostapd.te        |  7 ++++---
 logd.te           |  1 -
 mtp.te            |  3 ---
 net.te            | 13 +------------
 netd.te           |  8 +++-----
 ppp.te            |  3 ++-
 racoon.te         |  8 ++++----
 rild.te           |  9 ++++-----
 surfaceflinger.te |  2 +-
 system_server.te  | 10 +++-------
 tee.te            |  2 +-
 ueventd.te        |  2 +-
 vold.te           |  2 +-
 wpa_supplicant.te | 10 ++++++----
 21 files changed, 45 insertions(+), 63 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index d1fed20e6..16e7b0b85 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -20,17 +20,21 @@ allow bluetooth { tun_device uhid_device hci_attach_dev }:chr_file rw_file_perms
 # Other domains that can create and use bluetooth sockets.
 # SELinux does not presently define a specific socket class for
 # bluetooth sockets, nor does it distinguish among the bluetooth protocols.
-allow bluetoothdomain self:socket *;
+# TODO: This should no longer be needed with bluedroid for bluetooth
+# but may be getting used for other non-bluetooth sockets that has no
+# specific class defined.  Consider taking to specific domains.
+allow bluetoothdomain self:socket create_socket_perms;
 
 # sysfs access.
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 
 # Allow clients to use a socket provided by the bluetooth app.
+# TODO:  See if this is still required under bluedroid.
 allow bluetoothdomain bluetooth:unix_stream_socket { read write shutdown };
 
 # tethering
-allow bluetooth self:{ tun_socket udp_socket } { ioctl create };
+allow bluetooth self:tun_socket create_socket_perms;
 allow bluetooth efs_file:dir search;
 
 # Talk to init over the property socket.
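Review bot: The TODO added above the `self:socket create_socket_perms` rule is hard to parse and gives the next maintainer nothing to act on, even though the grant stays on the whole bluetoothdomain attribute (which system_server also carries via `bluetooth_domain(system_server)` later in this patch). Pairing it with `auditallow bluetoothdomain self:socket create;` would show in the audit log which domains still create sockets of a family that has no dedicated class, and the comment could read `# TODO: bluedroid should no longer need this, but some bluetoothdomain members may still create sockets of a family with no specific SELinux class; audit usage and move the rule to the specific domains.` The removal of `udp_socket { ioctl create }` assumes bluetooth already gets udp_socket through net_domain(), which is declared outside this hunk — worth confirming.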
diff --git a/clatd.te b/clatd.te
index ec2df7e04..497110293 100644
--- a/clatd.te
+++ b/clatd.te
@@ -19,7 +19,7 @@ allow clatd self:capability { net_admin setuid setgid };
 # TODO: Run clatd in vpn group to avoid need for this on /dev/tun.
 allow clatd self:capability dac_override;
 
-allow clatd self:netlink_route_socket { create_socket_perms nlmsg_write };
+allow clatd self:netlink_route_socket nlmsg_write;
 allow clatd self:tun_socket create_socket_perms;
 allow clatd tun_device:chr_file rw_file_perms;
 allow clatd proc_net:file rw_file_perms;;
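Review bot: After this change the only netlink_route_socket permission left in clatd.te is nlmsg_write, so the rule reads as if clatd could not even create the socket; the create/bind/read/write half now comes from net.te's netdomain rule, which requires clatd.te to call net_domain(clatd) above this hunk — please confirm, since the commit says net_domain() was added where needed but this file shows no such addition. A one-line comment would make the split explicit: `# Socket create/bind/read/write come from net_domain(); nlmsg_write is granted here because clatd modifies routing state (confirm).` Adjacent and pre-existing, the doubled `;;` on the proc_net line appears to be tolerated by checkpolicy as an empty statement, but it is worth dropping while the file is being touched.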
diff --git a/dhcp.te b/dhcp.te
index c930b0fec..89346d5a2 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -9,8 +9,7 @@ net_domain(dhcp)
 allow dhcp cgroup:dir { create write add_name };
 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms;
-allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
-allow dhcp self:rawip_socket create_socket_perms;
+allow dhcp self:netlink_route_socket nlmsg_write;
 allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
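Review bot: Dropping `allow dhcp self:rawip_socket create_socket_perms;` is only safe if net.te grants rawip_socket to netdomain; the net.te hunk in this patch shows the tcp/udp bind rules and the netlink_route_socket rule, but any rawip rule lies outside the visible lines, so please confirm it before merging. net_domain(dhcp) is visible in this hunk's header context, so reducing the netlink_route_socket rule to nlmsg_write is fine on its own. A short comment would help the next reader: `# nlmsg_write: dhcp presumably sets addresses/routes via rtnetlink, on top of the nlmsg_read every netdomain has.`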
diff --git a/dnsmasq.te b/dnsmasq.te
index 0e1658080..fcf7c6d3d 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -3,10 +3,9 @@ type dnsmasq, domain;
 permissive_or_unconfined(dnsmasq)
 type dnsmasq_exec, exec_type, file_type;
 
+net_domain(dnsmasq)
+
 allow dnsmasq self:capability { net_bind_service setgid setuid };
-allow dnsmasq self:tcp_socket create_socket_perms;
 
 allow dnsmasq dhcp_data_file:dir w_dir_perms;
 allow dnsmasq dhcp_data_file:file create_file_perms;
-allow dnsmasq port:tcp_socket name_bind;
-allow dnsmasq node:tcp_socket node_bind;
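Review bot: net_domain(dnsmasq) grants considerably more than the three rules it replaces: per the net.te hunk in this patch every netdomain gets name_bind and node_bind for both tcp and udp on any port_type/node_type plus a readable routing netlink socket, whereas dnsmasq previously had only tcp_socket create and tcp name_bind/node_bind. This is harmless today because the domain is still `permissive_or_unconfined(dnsmasq)`, but the wider grant will silently remain when it is confined. A comment next to the macro would keep that visible: `# net_domain() is a superset of what dnsmasq needs (presumably DNS/DHCP listeners); tighten when the domain is confined.`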
diff --git a/domain.te b/domain.te
index 878ac9f05..013126baa 100644
--- a/domain.te
+++ b/domain.te
@@ -16,7 +16,8 @@ allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
 allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:{ unix_dgram_socket unix_stream_socket } *;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
 
 # Inherit or receive open files from others.
 allow domain init:fd use;
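Review bot: The new unix socket rules are self-targeted, and as I read the SELinux hooks `sendto` and `connectto` are checked from the sending socket's label to the peer socket's label, so these lines only cover a dgram send or stream connect to a socket that is also labelled with the same domain; cross-domain IPC still has to come from the unix_socket_send / unix_socket_connect macros used elsewhere in this patch. That is the right shape, but the line reads as if it granted general sendto/connectto, which invites later cargo-culting. A comment would prevent that: `# sendto/connectto here only reach peer sockets in the same domain; cross-domain use goes through unix_socket_send()/unix_socket_connect().`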
diff --git a/drmserver.te b/drmserver.te
index eb050a2cd..a11700c1b 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -5,6 +5,8 @@ type drmserver_exec, exec_type, file_type;
 init_daemon_domain(drmserver)
 typeattribute drmserver mlstrustedsubject;
 
+net_domain(drmserver)
+
 # Perform Binder IPC to system server.
 binder_use(drmserver)
 binder_call(drmserver, system_server)
@@ -17,8 +19,6 @@ binder_call(drmserver, mediaserver)
 allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
-allow drmserver self:{ tcp_socket udp_socket } *;
-allow drmserver port:tcp_socket name_connect;
 allow drmserver tee_device:chr_file rw_file_perms;
 allow drmserver platform_app_data_file:file { read write getattr };
 allow drmserver app_data_file:file { read write getattr };
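Review bot: drmserver is `mlstrustedsubject` and previously had only outbound network access (`port:tcp_socket name_connect` plus its own tcp/udp sockets); net_domain(drmserver) additionally gives it node_bind and name_bind on every tcp/udp port_type per the net.te hunk here, i.e. the ability to run listeners, which nothing in this file says it needs. The deleted `{ tcp_socket udp_socket } *` was a full wildcard, so on that axis the change is still a reduction. If the intent is only to keep outgoing connections, a comment recording that makes the bind rights easy to revisit: `# net_domain() for outbound traffic (presumably DRM licensing); listeners (name_bind) are not needed — revisit.`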
diff --git a/dumpstate.te b/dumpstate.te
index 8ecb6cc24..749cc469e 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -47,9 +47,6 @@ allow dumpstate { appdomain system_server }:process signal;
 # This list comes from native_processes_to_dump in dumpstate/utils.c
 allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
 
-# The /system/bin/ip command needs this for routing table information.
-allow dumpstate self:netlink_route_socket { write getattr setopt };
-
 # The vdc command needs to talk to the vold socket.
 unix_socket_connect(dumpstate, vold, vold)
 
diff --git a/hostapd.te b/hostapd.te
index e6e88e958..184b26f28 100644
--- a/hostapd.te
+++ b/hostapd.te
@@ -3,11 +3,12 @@ type hostapd, domain;
 permissive_or_unconfined(hostapd)
 type hostapd_exec, exec_type, file_type;
 
+net_domain(hostapd)
+
 allow hostapd self:capability { net_admin net_raw setuid setgid };
 allow hostapd self:netlink_socket create_socket_perms;
-allow hostapd self:packet_socket { create write read };
-allow hostapd self:netlink_route_socket { bind create write nlmsg_write read };
-allow hostapd self:udp_socket { create ioctl };
+allow hostapd self:packet_socket create_socket_perms;
+allow hostapd self:netlink_route_socket nlmsg_write;
 
 allow hostapd wifi_data_file:file rw_file_perms;
 allow hostapd wifi_data_file:dir create_dir_perms;
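Review bot: The block lists four socket classes with no indication of which hostapd code path each serves, and `netlink_socket` in particular is the catch-all class for netlink families without a dedicated class, so it is broader than it looks. Hedged comments would help: `# netlink_socket: presumably nl80211 (generic netlink) for driver control — confirm`, `# packet_socket: presumably raw EAPOL/802.11 frames — confirm`, and `# nlmsg_write: interface bring-up via RTM_SETLINK, a write-class message per security/selinux/nlmsgtab.c`. Dropping `udp_socket { create ioctl }` relies on net_domain(hostapd), which is added in this same hunk, so that part is fine.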
diff --git a/logd.te b/logd.te
index a1e3a53ec..796f7bbee 100644
--- a/logd.te
+++ b/logd.te
@@ -3,7 +3,6 @@ type logd, domain;
 type logd_exec, exec_type, file_type;
 
 init_daemon_domain(logd)
-allow logd self:unix_stream_socket *;
 
 allow logd self:capability { setuid setgid sys_nice };
 
diff --git a/mtp.te b/mtp.te
index 9681daf49..320f4af61 100644
--- a/mtp.te
+++ b/mtp.te
@@ -7,10 +7,7 @@ init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:tcp_socket create_socket_perms;
 allow mtp self:socket create_socket_perms;
-allow mtp self:rawip_socket create_socket_perms;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
 allow mtp vpn_data_file:dir search;
diff --git a/net.te b/net.te
index c67f456fd..9942efe4a 100644
--- a/net.te
+++ b/net.te
@@ -13,18 +13,7 @@ allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
 allow netdomain port_type:udp_socket name_bind;
 allow netdomain port_type:tcp_socket name_bind;
 # See changes to the routing table.
-allow netdomain self:netlink_route_socket {
-    read
-    bind
-    create
-    nlmsg_read
-    ioctl
-    getattr
-    setattr
-    getopt
-    setopt
-    shutdown
-};
+allow netdomain self:netlink_route_socket { create_socket_perms nlmsg_read };
 
 # Talks to netd via dnsproxyd socket.
 unix_socket_connect(netdomain, dnsproxyd, netd)
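Review bot: The comment `# See changes to the routing table.` no longer describes the rule beneath it: create_socket_perms includes `write`, which the old explicit list deliberately left out, so every netdomain can now send() on its routing socket; what keeps this observe-only is that state-changing messages are gated by nlmsg_write in security/selinux/nlmsgtab.c (as the commit message explains), and this rule does not grant that. That reasoning should live in the policy, not only in the commit: `# Create and use a routing netlink socket and observe routing state (nlmsg_read). write is just send(); messages that change kernel state additionally need nlmsg_write, granted per domain.`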
diff --git a/netd.te b/netd.te
index b8d26f957..19fcad22e 100644
--- a/netd.te
+++ b/netd.te
@@ -15,11 +15,9 @@ allow netd self:capability { net_admin net_raw kill };
 # sufficient testing of the fsetid removal.
 # dontaudit netd self:capability fsetid;
 
-allow netd self:netlink_kobject_uevent_socket *;
-allow netd self:netlink_route_socket *;
-allow netd self:netlink_nflog_socket *;
-allow netd self:rawip_socket *;
-allow netd self:unix_stream_socket *;
+allow netd self:netlink_kobject_uevent_socket create_socket_perms;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms;
 allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
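Review bot: netd's rawip_socket and unix_stream_socket wildcards are removed on the basis that net.te and domain.te cover them, but two of those dependencies are not visible here: the rawip_socket rule for netdomain is outside the net.te hunk shown, and net_domain(netd) must be declared above this hunk for the remaining `netlink_route_socket nlmsg_write` line to be usable at all. Both are probably true given the commit description, but please confirm, since netd is the one daemon where a missing create permission would break networking outright. A comment would also keep the intent clear: `# Socket create/read/write and nlmsg_read come from net_domain(); nlmsg_write lets netd change routes and interface state.`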
diff --git a/ppp.te b/ppp.te
index 21838f16d..bcab33909 100644
--- a/ppp.te
+++ b/ppp.te
@@ -5,10 +5,11 @@ type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 domain_auto_trans(mtp, ppp_exec, ppp)
 
+net_domain(ppp)
+
 allow ppp mtp:socket rw_socket_perms;
 allow ppp ppp_device:chr_file rw_file_perms;
 allow ppp self:capability net_admin;
-allow ppp self:udp_socket create_socket_perms;
 allow ppp system_file:file rx_file_perms;
 allow ppp vpn_data_file:dir w_dir_perms;
 allow ppp vpn_data_file:file create_file_perms;
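Review bot: ppp goes from a single `udp_socket create_socket_perms` rule to the full netdomain grant (tcp/udp sockets, bind on any port per the net.te hunk, plus nlmsg_read on a routing socket), which is a widening for a daemon that also holds net_admin; if that udp socket was only ever used for interface ioctls, the old rule was the tighter one. Conversely, if pppd installs the default route through rtnetlink rather than ioctl it will additionally need `netlink_route_socket nlmsg_write`, as dhcp and clatd are given in this patch — worth checking audit logs once this lands. Either way the decision should be recorded: `# net_domain() for pppd's socket; no nlmsg_write — routes are expected to be set via ioctl (confirm).`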
diff --git a/racoon.te b/racoon.te
index 596cf7ee3..1fbdb07fa 100644
--- a/racoon.te
+++ b/racoon.te
@@ -6,17 +6,17 @@ type racoon_exec, exec_type, file_type;
 init_daemon_domain(racoon)
 typeattribute racoon mlstrustedsubject;
 
+net_domain(racoon)
+
 binder_call(racoon, servicemanager)
 binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
 allow racoon cgroup:dir { add_name create };
 allow racoon kernel:system module_request;
-allow racoon port:udp_socket name_bind;
-allow racoon node:udp_socket node_bind;
 
-allow racoon self:{ key_socket udp_socket } create_socket_perms;
-allow racoon self:tun_socket create;
+allow racoon self:key_socket create_socket_perms;
+allow racoon self:tun_socket create_socket_perms;
 allow racoon self:capability { net_admin net_bind_service net_raw setuid };
 
 # XXX: should we give ip-up-vpn its own label (currently racoon domain)
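Review bot: The two socket rules carry no comment on why racoon needs them, and `self:tun_socket create` has become `create_socket_perms`, which is wider than the single permission the previous rule was careful to grant. Suggested comments: `# key_socket: PF_KEY, presumably for installing IPsec SAs/policies — confirm` and `# tun_socket: creating the VPN tun interface; only create was needed before this change`. The udp name_bind/node_bind removal is covered by the visible net_domain(racoon) addition, but as with the other daemons that macro also brings tcp bind rights racoon did not previously have, for an `mlstrustedsubject` domain.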
diff --git a/rild.te b/rild.te
index 8de5c59ad..ea4d34f62 100644
--- a/rild.te
+++ b/rild.te
@@ -5,7 +5,7 @@ type rild_exec, exec_type, file_type;
 
 init_daemon_domain(rild)
 net_domain(rild)
-allow rild self:netlink_route_socket { setopt write };
+allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
 unix_socket_connect(rild, property, init)
 unix_socket_connect(rild, qemud, qemud)
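Review bot: For rild this is not a pure cleanup: the old rule granted only `{ setopt write }`, i.e. send() on a routing socket but not nlmsg_write, so in enforcing mode any RTM_NEW*/RTM_SET* message rild sent would have been refused per security/selinux/nlmsgtab.c; the new rule adds nlmsg_write and therefore newly lets rild modify interface and route state. If that is intended (rild configuring the radio data interface), a comment should say so: `# nlmsg_write: rild configures the data interface via rtnetlink — confirm`. If it was not intended, the line should be dropped and rild left with what net_domain(rild) already provides.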
@@ -38,10 +38,9 @@ allow rild gps_device:chr_file rw_file_perms;
 
 allow rild tty_device:chr_file rw_file_perms;
 
-# Allow rild to create, bind, read, write to itself through a netlink socket
-allow rild self:netlink_socket { create bind read write };
-
-allow rild self:netlink_kobject_uevent_socket { bind create getopt read setopt };
+# Allow rild to create and use netlink sockets.
+allow rild self:netlink_socket create_socket_perms;
+allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Access to wake locks
 allow rild sysfs_wake_lock:file rw_file_perms;
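Review bot: `netlink_socket` is the generic class used for any netlink family that has no dedicated SELinux class, so `create_socket_perms` on it is broader than the new comment `Allow rild to create and use netlink sockets.` suggests; the previous rule at least named the four permissions rild actually exercised. If the family is known, the comment should name it, e.g. `# netlink_socket covers netlink families with no specific class; rild uses it for <family> — confirm`. The kobject_uevent line is fine as rewritten.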
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 2a3087b6f..7d73696ab 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -28,7 +28,7 @@ allow surfaceflinger video_device:dir r_dir_perms;
 allow surfaceflinger video_device:chr_file rw_file_perms;
 
 # Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket *;
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Set properties.
 allow surfaceflinger system_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index ca95abf4a..2d5c331e6 100644
--- a/system_server.te
+++ b/system_server.te
@@ -21,10 +21,6 @@ allow system_server zygote:fd use;
 allow system_server zygote:process sigchld;
 allow system_server zygote_tmpfs:file read;
 
-# Needed to close the zygote socket, which involves getopt / getattr
-# This should be deleted after b/12061011 is fixed
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 bluetooth_domain(system_server)
@@ -54,7 +50,7 @@ dontaudit system_server self:capability sys_ptrace;
 allow system_server kernel:system module_request;
 
 # Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket *;
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms;
 
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
@@ -75,10 +71,10 @@ allow system_server qtaguid_device:chr_file rw_file_perms;
 allow system_server debugfs:file r_file_perms;
 
 # WifiWatchdog uses a packet_socket
-allow system_server self:packet_socket *;
+allow system_server self:packet_socket create_socket_perms;
 
 # 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create;
+allow system_server self:tun_socket create_socket_perms;
 
 # Notify init of death.
 allow system_server init:process sigchld;
diff --git a/tee.te b/tee.te
index a0d0d9830..7cf6ecd8d 100644
--- a/tee.te
+++ b/tee.te
@@ -11,4 +11,4 @@ allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket { create bind read };
+allow tee self:netlink_socket create_socket_perms;
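Review bot: The old rule `{ create bind read }` described a receive-only netlink socket; `create_socket_perms` adds write, setopt, connect and the rest, so tee can now send on that socket as well. Applying the uniform macro is the patch's stated goal, but the file is now silent on why a TEE daemon uses netlink at all or whether sending is needed. A comment recording the family and the widening keeps it reviewable: `# netlink_socket: receive-only before this change; confirm tee actually needs write.`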
diff --git a/ueventd.te b/ueventd.te
index 2af8e94bb..e80fa32b8 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -19,6 +19,6 @@ allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { create setattr unlink };
 allow ueventd dev_type:blk_file { create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket *;
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
diff --git a/vold.te b/vold.te
index 18c909de6..d434b5e1a 100644
--- a/vold.te
+++ b/vold.te
@@ -19,7 +19,7 @@ allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket *;
+allow vold self:netlink_kobject_uevent_socket create_socket_perms;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
 allow vold loop_device:blk_file rw_file_perms;
diff --git a/wpa_supplicant.te b/wpa_supplicant.te
index fd454bf95..5961f981f 100644
--- a/wpa_supplicant.te
+++ b/wpa_supplicant.te
@@ -3,13 +3,15 @@ type wpa, domain;
 type wpa_exec, exec_type, file_type;
 
 init_daemon_domain(wpa)
+
+net_domain(wpa)
+
 allow wpa kernel:system module_request;
 allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;
-allow wpa self:netlink_route_socket *;
-allow wpa self:netlink_socket *;
-allow wpa self:packet_socket *;
-allow wpa self:udp_socket *;
+allow wpa self:netlink_route_socket nlmsg_write;
+allow wpa self:netlink_socket create_socket_perms;
+allow wpa self:packet_socket create_socket_perms;
 allow wpa wifi_data_file:dir create_dir_perms;
 allow wpa wifi_data_file:file create_file_perms;
 unix_socket_send(wpa, system_wpa, system_server)
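Review bot: wpa keeps nlmsg_write on its routing socket (it was inside the old `*`) while the udp_socket rule is dropped in favour of the net_domain(wpa) added in this hunk; both are correct, but nothing says why a supplicant needs to modify rtnetlink state. Per security/selinux/nlmsgtab.c RTM_SETLINK (bringing an interface up/down or changing its address) is a write-class message, so a hedged comment would do: `# nlmsg_write: presumably RTM_SETLINK to toggle/configure the wlan interface — confirm`. The generic `netlink_socket` grant is the catch-all class for families without their own; if it is nl80211, say so in a comment.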
-- 
GitLab