Add SELinux rules for service_manager.

Add a service_mananger class with the verb add.
Add a type that groups the services for each of the
processes that is allowed to start services in service.te
and an attribute for all services controlled by the service
manager. Add the service_contexts file which maps service
name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d

Android.mk

@@ -197,6 +197,26 @@ $(LOCAL_BUILT_MODULE):  $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES
 
 built_pc := $(LOCAL_BUILT_MODULE)
 
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+ALL_SVC_FILES := $(call build_policy, service_contexts)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE):  $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(ALL_SVC_FILES) > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+
+built_svc := $(LOCAL_BUILT_MODULE)
+
 ##################################
 
 ##################################
@@ -243,7 +263,7 @@ LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
 
 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc)
+$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
 	@mkdir -p $(dir $@)
 	$(hide) echo -n $(BUILD_FINGERPRINT) > $@
 
@@ -255,5 +275,6 @@ built_sepolicy :=
 built_sc :=
 built_fc :=
 built_pc :=
+built_svc :=
 
 include $(call all-makefiles-under,$(LOCAL_PATH))

access_vectors

@@ -888,3 +888,8 @@ class property_service
 {
 	set
 }
+
+class service_manager
+{
+	add
+}

attributes

@@ -39,6 +39,9 @@ attribute port_type;
 # All types used for property service
 attribute property_type;
 
+# All types used for services managed by service_manager.
+attribute service_manager_type;
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;

binderservicedomain.te

@@ -11,3 +11,7 @@ allow binderservicedomain devpts:chr_file rw_file_perms;
 # Receive and write to a pipe received over Binder from an app.
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
+
+# Allow binderservicedomain to add services by default.
+allow binderservicedomain service_manager_type:service_manager add;
+auditallow binderservicedomain default_android_service:service_manager add;

drmserver.te

@@ -44,3 +44,5 @@ allow drmserver asec_apk_file:file { read getattr };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow drmserver radio_data_file:file { read getattr };
+
+allow drmserver drmserver_service:service_manager add;

healthd.te

@@ -32,3 +32,5 @@ allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
+
+allow healthd healthd_service:service_manager add;

inputflinger.te

@@ -8,3 +8,5 @@ binder_use(inputflinger)
 binder_service(inputflinger)
 
 binder_call(inputflinger, system_server)
+
+allow inputflinger inputflinger_service:service_manager add;

keystore.te

@@ -25,3 +25,5 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *
 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
 
 neverallow domain keystore:process ptrace;
+
+allow keystore keystore_service:service_manager add;

mediaserver.te

@@ -78,3 +78,5 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
+
+allow mediaserver mediaserver_service:service_manager add;

nfc.te

@@ -13,3 +13,5 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
+
+allow nfc nfc_service:service_manager add;

radio.te

@@ -22,3 +22,5 @@ allow radio radio_prop:property_service set;
 
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
+
+allow radio radio_service:service_manager add;

security_classes

@@ -137,4 +137,7 @@ class zygote
 # Property service
 class property_service          # userspace
 
+# Service manager
+class service_manager           # userspace
+
 # FLASK

service.te

+type default_android_service,   service_manager_type;
+type drmserver_service,         service_manager_type;
+type healthd_service,           service_manager_type;
+type inputflinger_service,      service_manager_type;
+type keystore_service,          service_manager_type;
+type mediaserver_service,       service_manager_type;
+type nfc_service,               service_manager_type;
+type radio_service,             service_manager_type;
+type surfaceflinger_service,    service_manager_type;
+type system_server_service,     service_manager_type;

service_contexts

+accessibility                             u:object_r:system_server_service:s0
+account                                   u:object_r:system_server_service:s0
+activity                                  u:object_r:system_server_service:s0
+alarm                                     u:object_r:system_server_service:s0
+android.security.keystore                 u:object_r:keystore_service:s0
+appops                                    u:object_r:system_server_service:s0
+appwidget                                 u:object_r:system_server_service:s0
+assetatlas                                u:object_r:system_server_service:s0
+audio                                     u:object_r:system_server_service:s0
+backup                                    u:object_r:system_server_service:s0
+batteryproperties                         u:object_r:healthd_service:s0
+batterystats                              u:object_r:system_server_service:s0
+battery                                   u:object_r:system_server_service:s0
+bluetooth_manager                         u:object_r:system_server_service:s0
+clipboard                                 u:object_r:system_server_service:s0
+com.android.internal.telephony.mms.IMms   u:object_r:system_server_service:s0
+commontime_management                     u:object_r:system_server_service:s0
+connectivity                              u:object_r:system_server_service:s0
+consumer_ir                               u:object_r:system_server_service:s0
+content                                   u:object_r:system_server_service:s0
+country_detector                          u:object_r:system_server_service:s0
+cpuinfo                                   u:object_r:system_server_service:s0
+dbinfo                                    u:object_r:system_server_service:s0
+device_policy                             u:object_r:system_server_service:s0
+devicestoragemonitor                      u:object_r:system_server_service:s0
+diskstats                                 u:object_r:system_server_service:s0
+display.qservice                          u:object_r:surfaceflinger_service:s0
+display                                   u:object_r:system_server_service:s0
+DockObserver                              u:object_r:system_server_service:s0
+dreams                                    u:object_r:system_server_service:s0
+drm.drmManager                            u:object_r:drmserver_service:s0
+dropbox                                   u:object_r:system_server_service:s0
+entropy                                   u:object_r:system_server_service:s0
+ethernet                                  u:object_r:system_server_service:s0
+gfxinfo                                   u:object_r:system_server_service:s0
+hardware                                  u:object_r:system_server_service:s0
+hdmi_control                              u:object_r:system_server_service:s0
+inputflinger                              u:object_r:inputflinger_service:s0
+input_method                              u:object_r:system_server_service:s0
+input                                     u:object_r:system_server_service:s0
+iphonesubinfo                             u:object_r:radio_service:s0
+isms                                      u:object_r:radio_service:s0
+launcherapps                              u:object_r:system_server_service:s0
+location                                  u:object_r:system_server_service:s0
+lock_settings                             u:object_r:system_server_service:s0
+media.audio_flinger                       u:object_r:mediaserver_service:s0
+media.audio_policy                        u:object_r:mediaserver_service:s0
+media.camera                              u:object_r:mediaserver_service:s0
+media.player                              u:object_r:mediaserver_service:s0
+media_router                              u:object_r:system_server_service:s0
+media_session                             u:object_r:system_server_service:s0
+meminfo                                   u:object_r:system_server_service:s0
+mount                                     u:object_r:system_server_service:s0
+netpolicy                                 u:object_r:system_server_service:s0
+netstats                                  u:object_r:system_server_service:s0
+network_management                        u:object_r:system_server_service:s0
+network_score                             u:object_r:system_server_service:s0
+nfc                                       u:object_r:nfc_service:s0
+notification                              u:object_r:system_server_service:s0
+package                                   u:object_r:system_server_service:s0
+permission                                u:object_r:system_server_service:s0
+phone                                     u:object_r:radio_service:s0
+power                                     u:object_r:system_server_service:s0
+print                                     u:object_r:system_server_service:s0
+procstats                                 u:object_r:system_server_service:s0
+restrictions                              u:object_r:system_server_service:s0
+samplingprofiler                          u:object_r:system_server_service:s0
+scheduling_policy                         u:object_r:system_server_service:s0
+search                                    u:object_r:system_server_service:s0
+sensorservice                             u:object_r:system_server_service:s0
+serial                                    u:object_r:system_server_service:s0
+servicediscovery                          u:object_r:system_server_service:s0
+simphonebook                              u:object_r:radio_service:s0
+sip                                       u:object_r:radio_service:s0
+statusbar                                 u:object_r:system_server_service:s0
+SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
+task                                      u:object_r:system_server_service:s0
+telecomm                                  u:object_r:radio_service:s0
+telephony.registry                        u:object_r:system_server_service:s0
+textservices                              u:object_r:system_server_service:s0
+trust                                     u:object_r:system_server_service:s0
+tv_input                                  u:object_r:system_server_service:s0
+uimode                                    u:object_r:system_server_service:s0
+updatelock                                u:object_r:system_server_service:s0
+usagestats                                u:object_r:system_server_service:s0
+usb                                       u:object_r:system_server_service:s0
+user                                      u:object_r:system_server_service:s0
+vibrator                                  u:object_r:system_server_service:s0
+voiceinteraction                          u:object_r:system_server_service:s0
+wallpaper                                 u:object_r:system_server_service:s0
+wifip2p                                   u:object_r:system_server_service:s0
+wifiscanner                               u:object_r:system_server_service:s0
+wifi                                      u:object_r:system_server_service:s0
+window                                    u:object_r:system_server_service:s0
+
+*                                         u:object_r:default_android_service:s0

servicemanager.te

@@ -12,3 +12,10 @@ init_daemon_domain(servicemanager)
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager domain:binder transfer;
+
+# Get contexts of binder services that call servicemanager.
+allow servicemanager binderservicedomain:dir search;
+allow servicemanager binderservicedomain:file { read open };
+allow servicemanager binderservicedomain:process getattr;
+# Check SELinux permissions.
+selinux_check_access(servicemanager)

surfaceflinger.te

@@ -57,6 +57,8 @@ r_dir_file(surfaceflinger, dumpstate)
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
+allow surfaceflinger surfaceflinger_service:service_manager add;
+
 ###
 ### Neverallow rules
 ###

system_server.te

@@ -350,6 +350,8 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;
 
+allow system_server system_server_service:service_manager add;
+
 ###
 ### Neverallow rules
 ###