From fee49159e760162b0e8ee5a4590c50a65b8e322f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 19 Jun 2014 10:27:02 -0400
Subject: [PATCH] Align SELinux property policy with init property_perms.

Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 dhcp.te           |  2 +-
 init.te           |  3 +++
 netd.te           |  2 ++
 property.te       |  4 +++-
 property_contexts | 22 ++++++++++------------
 radio.te          |  4 ++++
 recovery.te       |  3 +++
 rild.te           |  5 ++++-
 system_app.te     |  5 ++++-
 system_server.te  |  4 +++-
 unconfined.te     |  1 -
 11 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/dhcp.te b/dhcp.te
index 2e5b3d408..32a6cccb1 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -13,7 +13,7 @@ allow dhcp shell_exec:file rx_file_perms;
 allow dhcp system_file:file rx_file_perms;
 # For /proc/sys/net/ipv4/conf/*/promote_secondaries
 allow dhcp proc_net:file write;
-allow dhcp system_prop:property_service set ;
+allow dhcp dhcp_prop:property_service set;
 allow dhcp pan_result_prop:property_service set;
 unix_socket_connect(dhcp, property, init)
 
diff --git a/init.te b/init.te
index c781849e5..191c57069 100644
--- a/init.te
+++ b/init.te
@@ -86,6 +86,9 @@ allow init self:process { setexec setfscreate setsockcreate };
 allow init property_data_file:dir create_dir_perms;
 allow init property_data_file:file create_file_perms;
 
+# Set any property.
+allow init property_type:property_service set;
+
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
 
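Review bot: The new `allow init property_type:property_service set;` also covers security_prop, whereas the unconfineddomain rule this commit removes in unconfined.te explicitly excluded it (`{ property_type -security_prop }`), so init ends up with a set permission that no unconfined domain had before. If that is intended because init is the process behind the property socket (the `unix_socket_connect(..., property, init)` calls elsewhere in the diff suggest so), the comment should say it: `# Set any property, including security_prop (init serves the property socket).`; if not, write the rule as `allow init { property_type -security_prop }:property_service set;`. Whether any other domain relied on the removed unconfineddomain rule for property sets is not visible in this diff.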
diff --git a/netd.te b/netd.te
index 6fe1ad313..b7c30eb15 100644
--- a/netd.te
+++ b/netd.te
@@ -31,7 +31,9 @@ allow netd sysfs:file write;
 
 # Set dhcp lease for PAN connection
 unix_socket_connect(netd, property, init)
+allow netd dhcp_prop:property_service set;
 allow netd system_prop:property_service set;
+auditallow netd system_prop:property_service set;
 
 # Connect to PAN
 domain_auto_trans(netd, dhcp_exec, dhcp)
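Review bot: The added `auditallow netd system_prop:property_service set;` carries no comment saying why the access is being audited or when the auditallow and the retained system_prop allow should go away, so a later reader cannot tell whether this is a permanent rule or a temporary probe; the same applies to the auditallow lines in the radio.te, rild.te and system_app.te hunks. If the intent is to find out whether netd still needs system_prop now that dhcp_prop exists, a comment such as `# TODO: audit remaining system_prop sets; drop the allow once dhcp_prop covers them` would record that. Note that auditallow only logs, so the retained allow still grants netd every system_prop key in the meantime.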
diff --git a/property.te b/property.te
index aa1c9a8f5..9d6f10612 100644
--- a/property.te
+++ b/property.te
@@ -2,10 +2,12 @@ type default_prop, property_type;
 type shell_prop, property_type;
 type debug_prop, property_type;
 type debuggerd_prop, property_type;
+type dhcp_prop, property_type;
 type radio_prop, property_type;
+type net_radio_prop, property_type;
+type system_radio_prop, property_type;
 type system_prop, property_type;
 type vold_prop, property_type;
-type rild_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dhcp_pan_prop, property_type;
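Review bot: The three new types are declared without any comment describing which property keys they label or which domains may set them, and their placement (dhcp_prop before radio_prop, the two *_radio_prop types after it) follows neither alphabetical nor grouped order, so the relationship between radio_prop, net_radio_prop and system_radio_prop is only discoverable by reading property_contexts and the domain .te files. Consider one-line comments matching the commit description, e.g. `# dhcp.* keys settable by dhcp or system` above dhcp_prop, `# net.* keys settable by radio or system` above net_radio_prop and `# sys.* keys settable by radio or system` above system_radio_prop.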
diff --git a/property_contexts b/property_contexts
index 76dcbc4d5..48f7fae69 100644
--- a/property_contexts
+++ b/property_contexts
@@ -2,19 +2,17 @@
 # property service keys
 #
 #
-net.rmnet               u:object_r:radio_prop:s0
-net.gprs                u:object_r:radio_prop:s0
-net.ppp                 u:object_r:radio_prop:s0
-net.qmi                 u:object_r:radio_prop:s0
-net.lte                 u:object_r:radio_prop:s0
-net.cdma                u:object_r:radio_prop:s0
+net.rmnet               u:object_r:net_radio_prop:s0
+net.gprs                u:object_r:net_radio_prop:s0
+net.ppp                 u:object_r:net_radio_prop:s0
+net.qmi                 u:object_r:net_radio_prop:s0
+net.lte                 u:object_r:net_radio_prop:s0
+net.cdma                u:object_r:net_radio_prop:s0
+net.dns                 u:object_r:net_radio_prop:s0
+sys.usb.config          u:object_r:system_radio_prop:s0
+ril.                    u:object_r:radio_prop:s0
 gsm.                    u:object_r:radio_prop:s0
 persist.radio           u:object_r:radio_prop:s0
-net.dns                 u:object_r:radio_prop:s0
-sys.usb.config          u:object_r:radio_prop:s0
-
-ril.                    u:object_r:rild_prop:s0
-ril.cdma                u:object_r:radio_prop:s0
 
 net.                    u:object_r:system_prop:s0
 dev.                    u:object_r:system_prop:s0
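Review bot: The new `net.dns` and `sys.usb.config` entries overlap with the shorter `net.` and `sys.` prefixes that remain mapped to system_prop, so which label a key such as net.dns1 receives depends on the prefix-precedence rule of the property label backend, and the file header does not state that rule. I believe the Android property backend prefers the longest matching prefix — please confirm — and recording it in the header, e.g. `# Longer (more specific) prefixes take precedence over shorter ones`, would make these overlaps clearly intentional rather than order-dependent. Dropping `ril.cdma` is fine since `ril.` now maps to the same radio_prop type.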
@@ -24,7 +22,7 @@ sys.                    u:object_r:system_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 service.                u:object_r:system_prop:s0
 wlan.                   u:object_r:system_prop:s0
-dhcp.                   u:object_r:system_prop:s0
+dhcp.                   u:object_r:dhcp_prop:s0
 dhcp.bt-pan.result      u:object_r:pan_result_prop:s0
 bluetooth.              u:object_r:bluetooth_prop:s0
 
diff --git a/radio.te b/radio.te
index 4f1df1ff7..d0018eac2 100644
--- a/radio.te
+++ b/radio.te
@@ -19,6 +19,10 @@ allow radio alarm_device:chr_file rw_file_perms;
 
 # Property service
 allow radio radio_prop:property_service set;
+allow radio net_radio_prop:property_service set;
+allow radio system_radio_prop:property_service set;
+auditallow radio net_radio_prop:property_service set;
+auditallow radio system_radio_prop:property_service set;
 
 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
diff --git a/recovery.te b/recovery.te
index 13c21c2fe..9ee3a040a 100644
--- a/recovery.te
+++ b/recovery.te
@@ -77,6 +77,9 @@ recovery_only(`
   allow recovery powerctl_prop:property_service set;
   unix_socket_connect(recovery, property, init)
 
+  # Start/stop adbd via ctl.start adbd
+  allow recovery ctl_default_prop:property_service set;
+
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
 
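Review bot: The comment says the grant is for `ctl.start adbd`, but ctl_default_prop is, by its name, presumably the label for every ctl.* key without a more specific type (confirm against property_contexts), so this line lets recovery start and stop any service reachable through that label, not only adbd. If the key cannot be scoped further in this policy, the comment should state the real breadth: `# Start/stop adbd via ctl.start/ctl.stop; ctl_default_prop covers all default-labelled ctl.* keys, so this is broader than adbd.` The enclosing `recovery_only(` block begins outside this hunk.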
diff --git a/rild.te b/rild.te
index f272862ca..d8e48d5e6 100644
--- a/rild.te
+++ b/rild.te
@@ -26,8 +26,11 @@ allow rild system_data_file:file r_file_perms;
 allow rild system_file:file x_file_perms;
 
 # property service
-allow rild rild_prop:property_service set;
 allow rild radio_prop:property_service set;
+allow rild net_radio_prop:property_service set;
+allow rild system_radio_prop:property_service set;
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;
 
 # Read/Write to uart driver (for GPS)
 allow rild gps_device:chr_file rw_file_perms;
diff --git a/system_app.te b/system_app.te
index 5b9f8a074..eb5fa9f4c 100644
--- a/system_app.te
+++ b/system_app.te
@@ -30,7 +30,10 @@ allow system_app dalvikcache_data_file:file { write setattr };
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
-allow system_app radio_prop:property_service set;
+allow system_app net_radio_prop:property_service set;
+allow system_app system_radio_prop:property_service set;
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
 allow system_app system_prop:property_service set;
 allow system_app ctl_bugreport_prop:property_service set;
 allow system_app logd_prop:property_service set;
diff --git a/system_server.te b/system_server.te
index 236f4c4d6..619e5f906 100644
--- a/system_server.te
+++ b/system_server.te
@@ -271,7 +271,9 @@ allow system_server anr_data_file:dir relabelto;
 
 # Property Service write
 allow system_server system_prop:property_service set;
-allow system_server radio_prop:property_service set;
+allow system_server dhcp_prop:property_service set;
+allow system_server net_radio_prop:property_service set;
+allow system_server system_radio_prop:property_service set;
 allow system_server debug_prop:property_service set;
 allow system_server powerctl_prop:property_service set;
 
diff --git a/unconfined.te b/unconfined.te
index b3e374dc1..6b64fb95e 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -109,4 +109,3 @@ allow unconfineddomain node_type:node *;
 allow unconfineddomain netif_type:netif *;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain { property_type -security_prop }:property_service set;
-- 
GitLab