Commits · 04ee5dfb80491f8493fedcd099bd4551c9503c83 · Werner Sembach / AndroidSystemSEPolicy

Jan 30, 2014

Remove MAC capabilities from unconfined domains. · 04ee5dfb

Stephen Smalley authored 11 years ago

Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files. That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.

CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed. CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.

Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.

Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

04ee5dfb

Jan 13, 2014

ashmem_device is a character device, not a regular file. · 9fe4e7b8
Stephen Smalley authored 11 years ago
```
Change-Id: Ie3d73d2c8d5c73e8bd359123f6fd3c006f332323
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
```
9fe4e7b8

Allow recovery to execute ashmem_device and tmpfs. · 9a40702a

Stephen Smalley authored 11 years ago


Requires execmem and ashmem_device:chr_file execute similar to bootanim
presumably for the display.

Did not see any cache_file execute denials and do not see any
exec of /cache files in the code, only reading/interpreting scripts,
so I removed cache_file rx_file_perms.

Did not see any tmpfs execute denials in /proc/last_kmsg but the
source code appears to extract the update-binary to a tmpfs mount
in /tmp and then exec it.  So I retained that rule.

Tested with adb sideload.

Change-Id: I8ca5f2cd390be1adf063f16e6280cc4cd1833c0e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

9a40702a

Add a domain for the recovery console. · 6d10ca8f

Stephen Smalley authored 11 years ago


Define a domain for use by the recovery init.rc file for
/sbin/recovery.  Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.

Change-Id:  Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

6d10ca8f