From 2a604adf1b8fd887f01bc717d64fd1c8105f4d8e Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 4 Nov 2013 09:53:46 -0500
Subject: [PATCH] Confine healthd, but leave it permissive for now.

Remove unconfined_domain() and add the allow rules required for
operation of healthd.  Restore the permissive declaration until
I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is applied to the 3.4
kernel.

Resolves the following denials in 4.4:
type=1400 audit(1383590167.750:14): avc:  denied  { read } for  pid=49 comm="healthd" path="/sbin/healthd" dev="rootfs" ino=1232 scontext=u:r:healthd:s0 tcontext=u:object_r:rootfs:s0 tclass=file
type=1400 audit(1383590167.750:15): avc:  denied  { mknod } for  pid=49 comm="healthd" capability=27  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:16): avc:  denied  { create } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc:  denied  { setopt } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590167.750:17): avc:  denied  { net_admin } for  pid=49 comm="healthd" capability=12  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability
type=1400 audit(1383590167.750:18): avc:  denied  { bind } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
shell@generic:/ $ type=1400 audit(1383590168.800:21): avc:  denied  { call } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:22): avc:  denied  { transfer } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:servicemanager:s0 tclass=binder
type=1400 audit(1383590168.800:23): avc:  denied  { 0x10 } for  pid=49 comm="healthd" capability=36  scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=capability2
type=1400 audit(1383590168.800:24): avc:  denied  { read } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:healthd:s0 tclass=netlink_kobject_uevent_socket
type=1400 audit(1383590212.320:161): avc:  denied  { call } for  pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:161): avc:  denied  { transfer } for  pid=376 comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:healthd:s0 tclass=binder
type=1400 audit(1383590212.320:162): avc:  denied  { call } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder
type=1400 audit(1383590275.930:463): avc:  denied  { call } for  pid=49 comm="healthd" scontext=u:r:healthd:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: Iacd058edfa1e913a8f24ce8937d2d76c928d6740
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 healthd.te       | 11 +++++++++--
 system_server.te |  1 +
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/healthd.te b/healthd.te
index 2241f23cb..53e6e8ef9 100644
--- a/healthd.te
+++ b/healthd.te
@@ -4,8 +4,15 @@ type healthd, domain;
 type healthd_exec, exec_type, file_type;
 
 init_daemon_domain(healthd)
-unconfined_domain(healthd)
-allow healthd rootfs:file entrypoint;
+allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 
+allow healthd self:capability { net_admin mknod };
+allow healthd self:capability2 block_suspend;
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms;
+binder_use(healthd)
+binder_call(healthd, system_server)
 
+# Workaround for 0x10 / block_suspend capability2 denials.
+# Requires a kernel patch to fix properly.
+permissive healthd;
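Review bot: The `permissive healthd;` declaration has no tracking reference in the policy file itself, so nothing in healthd.te tells the next maintainer when it is safe to drop; the comment above it should carry the kernel change it waits on, e.g. `# TODO: remove once I8a3e0db15ec5f4eb05d455a57e8446a8c2b484c2 is in the 3.4 kernel; the allow rules above are expected to be sufficient.`. While the domain is permissive every rule in this hunk is only a denial filter, so the capability2 block_suspend rule on the line above should be confirmed against an enforcing 4.4 build before the permissive line goes, since the logged `{ 0x10 }` denial suggests the running policy did not yet know that permission by name. The netlink rule grants `create_socket_perms`, which is wider than the create/setopt/bind/read denials quoted in the description; if the remaining permissions are not needed, `{ create setopt bind read }` would be tighter, though the macro may be the project convention. The rule `allow healthd self:capability mknod` is backed only by a capability denial and no matching device-node create rule is visible here, so it is worth checking whether that mknod attempt actually needs to succeed.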
diff --git a/system_server.te b/system_server.te
index 53b98ee34..1ffa34d2b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -89,6 +89,7 @@ tmpfs_domain(system_server)
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
+binder_call(system_server, healthd)
 binder_service(system_server)
 
 # Read /proc/pid files for Binder clients.
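Review bot: A dedicated `binder_call(system_server, healthd)` sits next to the existing `binder_call(system_server, binderservicedomain)` two lines above it, which already covers every domain in that attribute; if healthd is meant to be a binder service that system_server calls into (the description shows system_server calling and transferring to healthd), giving healthd the `binderservicedomain` attribute in healthd.te may be the more consistent way to express it. Either way a one-line comment such as `# healthd reports battery state to system_server over binder.` would explain why this domain needs its own entry, if it does.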
-- 
GitLab