From cd82557d4069c20bda8e18aa7f72fc0521a3ae32 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Thu, 11 Dec 2014 16:01:27 -0800
Subject: [PATCH] Restrict service_manager find and list access.

All domains are currently granted list and find service_manager
permissions, but this is not necessary.  Remove the permissions
that did not trigger any of the auditallow reporting.

Bug: 18106000
Change-Id: Ie0ce8de2af8af2cbe4ce388a2dcf4534694c994a
---
 adbd.te           |  6 +-----
 bluetooth.te      | 11 +++--------
 bootanim.te       |  4 +---
 domain.te         |  5 -----
 drmserver.te      | 11 ++---------
 dumpstate.te      | 24 +++++++++++-------------
 healthd.te        |  6 +-----
 inputflinger.te   |  6 +-----
 isolated_app.te   | 11 +++--------
 keystore.te       |  6 +-----
 mediaserver.te    | 15 ++++-----------
 nfc.te            | 12 +++---------
 platform_app.te   | 13 ++++---------
 radio.te          | 15 ++++-----------
 surfaceflinger.te | 14 +++++---------
 system_app.te     | 16 +++++-----------
 system_server.te  | 22 ++++++++++++++++++----
 untrusted_app.te  | 19 +++++++------------
 18 files changed, 74 insertions(+), 142 deletions(-)

diff --git a/adbd.te b/adbd.te
index c21e70331..f5cebd269 100644
--- a/adbd.te
+++ b/adbd.te
@@ -79,8 +79,4 @@ allow adbd system_file:file r_file_perms;
 
 allow adbd kernel:security read_policy;
 
-service_manager_local_audit_domain(adbd)
-auditallow adbd {
-    service_manager_type
-    -surfaceflinger_service
-}:service_manager find;
+allow adbd surfaceflinger_service:service_manager find;
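Review bot: This hunk deletes the last visible use of `service_manager_local_audit_domain()` in adbd.te, and the remaining hunks (bluetooth.te through untrusted_app.te) delete every other call site, while domain.te drops the only rule that referenced the `service_manager_local_audit` attribute. The macro and attribute definitions are not part of this diff, so if they live in te_macros/attributes they are presumably now dead and should be removed in the same change, or a short comment left on them explaining why they are retained.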
diff --git a/bluetooth.te b/bluetooth.te
index 56fe17058..d6adc3b49 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,14 +49,9 @@ allow bluetooth bluetooth_prop:property_service set;
 allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
 
-# Audited locally.
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
-    service_manager_type
-    -bluetooth_service
-    -radio_service
-    -system_server_service
-}:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth system_server_service:service_manager find;
 
 ###
 ### Neverallow rules
diff --git a/bootanim.te b/bootanim.te
index e0e25b967..dd1e57a4d 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -16,6 +16,4 @@ allow bootanim oemfs:file r_file_perms;
 allow bootanim audio_device:dir r_dir_perms;
 allow bootanim audio_device:chr_file rw_file_perms;
 
-# Audited locally.
-service_manager_local_audit_domain(bootanim)
-auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
diff --git a/domain.te b/domain.te
index 243c992f3..52920a72d 100644
--- a/domain.te
+++ b/domain.te
@@ -165,11 +165,6 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
-allow domain servicemanager:service_manager list;
-auditallow { domain -dumpstate } servicemanager:service_manager list;
-allow domain service_manager_type:service_manager find;
-auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
-
 ###
 ### neverallow rules
 ###
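Review bot: Removing `allow domain servicemanager:service_manager list;` drops `list` for every domain, including dumpstate, which the deleted auditallow on the following line deliberately exempted (`{ domain -dumpstate }`), i.e. it was already known to exercise `list`; the dumpstate.te hunk in this patch only re-grants `find`. Unless dumpstate carries that rule elsewhere in its file, add `allow dumpstate servicemanager:service_manager list;` to the dumpstate.te hunk so the access the audit exemption was protecting is preserved. The commit message's "did not trigger any of the auditallow reporting" does not cover this case, since dumpstate was never audited for `list`.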
diff --git a/drmserver.te b/drmserver.te
index ba7e62fc2..37edbfe9a 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -45,18 +45,11 @@ allow drmserver asec_apk_file:file { read getattr };
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow drmserver radio_data_file:file { read getattr };
 
-allow drmserver drmserver_service:service_manager add;
-
 # /oem access
 allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
-# Audited locally.
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
-    service_manager_type
-    -drmserver_service
-    -system_server_service
-}:service_manager find;
+allow drmserver drmserver_service:service_manager { add find };
+allow drmserver system_server_service:service_manager find;
 
 selinux_check_access(drmserver)
diff --git a/dumpstate.te b/dumpstate.te
index e5ccb562d..df1506702 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -106,17 +106,15 @@ allow dumpstate tombstone_data_file:file r_file_perms;
 # Access /system/bin executables to determine type of executable.
 allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
 
-service_manager_local_audit_domain(dumpstate)
-auditallow dumpstate {
-    service_manager_type
-    -drmserver_service
-    -healthd_service
-    -inputflinger_service
-    -keystore_service
-    -mediaserver_service
-    -nfc_service
-    -radio_service
-    -surfaceflinger_service
-    -system_app_service
-    -system_server_service
+allow dumpstate {
+    drmserver_service
+    healthd_service
+    inputflinger_service
+    keystore_service
+    mediaserver_service
+    nfc_service
+    radio_service
+    surfaceflinger_service
+    system_app_service
+    system_server_service
 }:service_manager find;
diff --git a/healthd.te b/healthd.te
index 3cb69bf8e..2ea825c8f 100644
--- a/healthd.te
+++ b/healthd.te
@@ -38,11 +38,7 @@ allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
 
-allow healthd healthd_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(healthd)
-auditallow healthd { service_manager_type -healthd_service }:service_manager find;
+allow healthd healthd_service:service_manager { add find };
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
diff --git a/inputflinger.te b/inputflinger.te
index 4377a104f..0a8dd9023 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,8 +8,4 @@ binder_service(inputflinger)
 
 binder_call(inputflinger, system_server)
 
-allow inputflinger inputflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(inputflinger)
-auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;
+allow inputflinger inputflinger_service:service_manager { add find };
diff --git a/isolated_app.te b/isolated_app.te
index 6fc7a99ab..8c4549293 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,11 +21,6 @@ neverallow isolated_app app_data_file:file open;
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:file { rw_file_perms execute };
 
-# Audited locally.
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app {
-    service_manager_type
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
+allow isolated_app radio_service:service_manager find;
+allow isolated_app surfaceflinger_service:service_manager find;
+allow isolated_app system_server_service:service_manager find;
diff --git a/keystore.te b/keystore.te
index 700b99ba0..6a89df33a 100644
--- a/keystore.te
+++ b/keystore.te
@@ -26,11 +26,7 @@ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
 
 neverallow domain keystore:process ptrace;
 
-allow keystore keystore_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(keystore)
-auditallow keystore { service_manager_type -keystore_service }:service_manager find;
+allow keystore keystore_service:service_manager { add find };
 
 # Check SELinux permissions.
 selinux_check_access(keystore)
diff --git a/mediaserver.te b/mediaserver.te
index 711f4df7e..54112af2a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,22 +78,15 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
 
-allow mediaserver mediaserver_service:service_manager add;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaserver_service:service_manager { add find };
+allow mediaserver system_server_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
 
 # /oem access
 allow mediaserver oemfs:dir search;
 allow mediaserver oemfs:file r_file_perms;
 
-# Audited locally.
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
-    service_manager_type
-    -drmserver_service
-    -mediaserver_service
-    -system_server_service
-    -surfaceflinger_service
-}:service_manager find;
-
 use_drmservice(mediaserver)
 allow mediaserver drmserver:drmservice {
     consumeRights
diff --git a/nfc.te b/nfc.te
index 4113d3172..ad88bd98f 100644
--- a/nfc.te
+++ b/nfc.te
@@ -18,13 +18,7 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
 
+allow nfc mediaserver_service:service_manager find;
 allow nfc nfc_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
-    service_manager_type
-    -mediaserver_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc system_server_service:service_manager find;
diff --git a/platform_app.te b/platform_app.te
index a44e35d8a..d34c9f1fc 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -28,12 +28,7 @@ allow platform_app media_rw_data_file:file create_file_perms;
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
 
-# Audited locally.
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
-    service_manager_type
-    -mediaserver_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app system_server_service:service_manager find;
diff --git a/radio.te b/radio.te
index e6ffac267..9282055f2 100644
--- a/radio.te
+++ b/radio.te
@@ -30,14 +30,7 @@ auditallow radio system_radio_prop:property_service set;
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
 
-allow radio radio_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(radio)
-auditallow radio {
-    service_manager_type
-    -mediaserver_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio radio_service:service_manager { add find };
+allow radio surfaceflinger_service:service_manager find;
+allow radio system_server_service:service_manager find;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index ff91993ec..02cb43310 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,15 +57,11 @@ r_dir_file(surfaceflinger, dumpstate)
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
-allow surfaceflinger surfaceflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
-    service_manager_type
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
+
+# media.player service
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+allow surfaceflinger system_server_service:service_manager find;
 
 ###
 ### Neverallow rules
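Review bot: The added blank line at the top of this hunk follows an existing blank context line, leaving two consecutive empty lines in surfaceflinger.te; drop the added one. The comment `# media.player service` sits above three rules but only describes the first (`mediaserver_service`), so either move it to the end of that line or reword it, e.g. `# media.player service (mediaserver_service), plus self and system_server lookups`.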
diff --git a/system_app.te b/system_app.te
index fed44d1f6..9a91624cf 100644
--- a/system_app.te
+++ b/system_app.te
@@ -48,7 +48,12 @@ allow system_app anr_data_file:file create_file_perms;
 # Settings need to access app name and icon from asec
 allow system_app asec_apk_file:file r_file_perms;
 
+allow system_app keystore_service:service_manager find;
+allow system_app nfc_service:service_manager find;
+allow system_app radio_service:service_manager find;
+allow system_app surfaceflinger_service:service_manager find;
 allow system_app system_app_service:service_manager add;
+allow system_app system_server_service:service_manager find;
 
 allow system_app keystore:keystore_key {
 	test
@@ -70,14 +75,3 @@ allow system_app keystore:keystore_key {
 };
 
 control_logd(system_app)
-
-# Audited locally.
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
-    service_manager_type
-    -keystore_service
-    -nfc_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
diff --git a/system_server.te b/system_server.te
index a8348e720..9dc1e90c8 100644
--- a/system_server.te
+++ b/system_server.te
@@ -364,10 +364,24 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
-allow system_server system_server_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(system_server)
+allow system_server healthd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server system_server_service:service_manager { add find };
+allow system_server surfaceflinger_service:service_manager find;
+
+# TODO: Remove. Make up for previously lacking auditing.
+allow system_server service_manager_type:service_manager find;
+auditallow system_server {
+    service_manager_type
+    -healthd_service
+    -keystore_service
+    -mediaserver_service
+    -radio_service
+    -system_server_service
+    -surfaceflinger_service
+}:service_manager find;
 
 allow system_server keystore:keystore_key {
 	test
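Review bot: system_server keeps the blanket `allow system_server service_manager_type:service_manager find;` that this change removes from every other domain, so the most privileged domain is the one left unrestricted, and the `# TODO: Remove.` comment above it carries no tracking reference to make sure that happens. Tie it to the bug already cited in the commit, e.g. `# TODO: Remove once the auditallow below has reported. Tracked in Bug 18106000.`. Note that the auditallow exclusion list duplicates the six explicit find rules above it, so the two lists must be kept in sync by hand; a comment saying so, or a single `{ ... }` set reused for both, would avoid them drifting apart.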
diff --git a/untrusted_app.te b/untrusted_app.te
index 3fd4a40cc..e55807601 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -63,18 +63,13 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
-# Audited locally.
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
-    service_manager_type
-    -drmserver_service
-    -keystore_service
-    -mediaserver_service
-    -nfc_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
+allow untrusted_app drmserver_service:service_manager find;
+allow untrusted_app keystore_service:service_manager find;
+allow untrusted_app mediaserver_service:service_manager find;
+allow untrusted_app nfc_service:service_manager find;
+allow untrusted_app radio_service:service_manager find;
+allow untrusted_app surfaceflinger_service:service_manager find;
+allow untrusted_app system_server_service:service_manager find;
 
 ###
 ### neverallow rules
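Review bot: Now that domain.te no longer grants `list` or blanket `find`, nothing in the policy prevents a later change from reintroducing them for app domains; the neverallow section that starts right after this hunk is the natural place to lock that in, e.g. `neverallow untrusted_app servicemanager:service_manager list;`. The same applies to the isolated_app.te and platform_app.te hunks, which now enumerate their allowed service types explicitly. Whether a broader `neverallow { appdomain ... }` form fits depends on attributes defined outside this diff, so the per-domain form is the safe minimum.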
-- 
GitLab