Commit b33539d4 authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger

Merge "Further restrict SELinux API access" am: 07667733 am: b49bc821 am: 1ffa6f80

am: c4df0d71

Change-Id: Id7db26226955d9ce15481db62988d872d8114299
parents d1aca04c c4df0d71
...@@ -312,11 +312,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd) ...@@ -312,11 +312,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
allow appdomain runas_exec:file getattr; allow appdomain runas_exec:file getattr;
# Others are either allowed elsewhere or not desired. # Others are either allowed elsewhere or not desired.
# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
# Check SELinux policy and contexts.
selinux_check_access(appdomain)
selinux_check_context(appdomain)
# Apps receive an open tun fd from the framework for # Apps receive an open tun fd from the framework for
# device traffic. Do not allow untrusted app to directly open tun_device # device traffic. Do not allow untrusted app to directly open tun_device
allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append }; allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
...@@ -480,6 +475,11 @@ neverallow appdomain ...@@ -480,6 +475,11 @@ neverallow appdomain
# Access to syslog(2) or /proc/kmsg. # Access to syslog(2) or /proc/kmsg.
neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console }; neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
# SELinux is not an API for apps to use
neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
neverallow { appdomain -shell } *:security { compute_av check_context };
neverallow { appdomain -shell } *:netlink_selinux_socket *;
# Ability to perform any filesystem operation other than statfs(2). # Ability to perform any filesystem operation other than statfs(2).
# i.e. no mount(2), unmount(2), etc. # i.e. no mount(2), unmount(2), etc.
neverallow appdomain fs_type:filesystem ~getattr; neverallow appdomain fs_type:filesystem ~getattr;
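Review bot: The `-shell` carve-out on the third new rule, `neverallow { appdomain -shell } *:netlink_selinux_socket *;`, is wider than what shell is actually granted in this change, which is only `selinux_check_access(shell)` and `selinux_check_context(shell)`; unless CTS needs AVC change notifications over the SELinux netlink socket, that rule can drop the exemption and read `neverallow appdomain *:netlink_selinux_socket *;`. The header comment should also say why shell is exempt, e.g. `# SELinux is not an API for apps to use. shell is exempt only so CTS can exercise the checks.`, so a later reader does not widen or remove the carve-out without checking the test. Note that `no_rw_file_perms` does not cover `getattr`, which the removed auditallow comment says is granted in domain, so apps can presumably still stat files under selinuxfs; that looks intended but is worth confirming.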
......
...@@ -17,3 +17,7 @@ app_domain(shell) ...@@ -17,3 +17,7 @@ app_domain(shell)
# allow shell to call dumpsys storaged # allow shell to call dumpsys storaged
binder_call(shell, storaged) binder_call(shell, storaged)
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
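Review bot: The comment on the new `selinux_check_access(shell)` / `selinux_check_context(shell)` grants drops the pointer to the test that the removed appdomain rules carried, which is the only evidence that the grant is still needed; suggest `# Perform SELinux access checks, needed for CTS (cts/tests/tests/security/src/android/security/cts/SELinuxTest.java).` Since shell is an app_domain, these two macros are exactly the access the `{ appdomain -shell }` neverallows added in the same change exempt, so a second line such as `# Keep in sync with the { appdomain -shell } neverallows for selinuxfs and security.` would tie the grant to its carve-out.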
...@@ -284,33 +284,3 @@ auditallow { ...@@ -284,33 +284,3 @@ auditallow {
-vold -vold
} proc_meminfo:file r_file_perms; } proc_meminfo:file r_file_perms;
') ')
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
userdebug_or_eng(`
auditallow {
domain_deprecated
-appdomain
-installd
-keystore
-postinstall_dexopt
-runas
-servicemanager
-system_server
-ueventd
-zygote
} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-appdomain
-installd
-keystore
-postinstall_dexopt
-runas
-servicemanager
-system_server
-ueventd
-zygote
} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
')