Commit b49bc821 authored by Nick Kralevich's avatar Nick Kralevich Committed by android-build-merger
Merge "Further restrict SELinux API access"

am: 07667733

Change-Id: I0263926bbc950f0186bdd9a7fa3eb8b8f9072ee0
parents 4aac6fdb 07667733
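--- a/app.te
+++ b/app.te
@@ -276,11 +276,6 @@ use_pdx({ appdomain -isolated_app -ephemeral_app }, bufferhubd)
 allow appdomain runas_exec:file getattr;
 # Others are either allowed elsewhere or not desired.
-# For cts/tests/tests/security/src/android/security/cts/SELinuxTest.java
-# Check SELinux policy and contexts.
-selinux_check_access(appdomain)
-selinux_check_context(appdomain)
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
@@ -441,6 +436,11 @@ neverallow appdomain
 # Access to syslog(2) or /proc/kmsg.
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
 neverallow appdomain fs_type:filesystem ~getattr;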
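Review bot: The new `*:security` neverallow in the second hunk names only `compute_av` and `check_context`, so the other userspace query permissions of the `security` class (`compute_create`, `compute_member`, `compute_relabel`, `compute_user`) are not pinned down by it, and the rule is narrower than its comment "SELinux is not an API for apps to use" implies. Those queries are presumably only reachable through writes to selinuxfs, which the preceding `selinuxfs:file no_rw_file_perms` rule blocks, so this is defense-in-depth rather than an open hole; if the intent is to close the whole query interface explicitly, consider `neverallow { appdomain -shell } *:security { compute_av compute_create compute_member check_context compute_relabel compute_user };`. The `-shell` carve-out applies to all three rules but its reason is only visible in the shell domain's own policy; record it here, e.g. `# SELinux is not an API for apps to use. shell is exempt only so CTS can run SELinuxTest.` Note that `getattr` on selinuxfs files is deliberately outside `no_rw_file_perms` (the removed domain_deprecated comments say it is granted in domain), so apps can still stat `/sys/fs/selinux/*` without reading it.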
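--- a/shell.te
+++ b/shell.te
@@ -13,3 +13,7 @@ app_domain(shell)
 # allow shell to call dumpsys storaged
 binder_call(shell, storaged)
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)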
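Review bot: The comment on the added grants says only `needed for CTS`, while the justification this commit drops from the appdomain hunk named the concrete test; since shell is now the one app-derived domain exempt from the new SELinux-API neverallows, that traceability is worth keeping where the grant lives. Suggest `# Perform SELinux access checks, needed for CTS (cts/tests/tests/security/src/android/security/cts/SELinuxTest.java)`. The `selinux_check_access` macro's expansion is not visible here, but the matching neverallows exempt shell from selinuxfs writes and `netlink_selinux_socket` as well as `compute_av`, which suggests the macro grants all three; anyone trimming the shell exemption later should confirm this against the macro before narrowing it.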
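--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -292,33 +292,3 @@ auditallow {
 -vold
 } proc_meminfo:file r_file_perms;
 ')
-# Get SELinux enforcing status.
-allow domain_deprecated selinuxfs:dir r_dir_perms;
-allow domain_deprecated selinuxfs:file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-domain_deprecated
--appdomain
--installd
--keystore
--postinstall_dexopt
--runas
--servicemanager
--system_server
--ueventd
--zygote
-} selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-domain_deprecated
--appdomain
--installd
--keystore
--postinstall_dexopt
--runas
--servicemanager
--system_server
--ueventd
--zygote
-} selinuxfs:file { open read ioctl lock }; # getattr granted in domain
-')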