Commits · 06a0d786210332c0bb2a46b59f1796b74a133ac0 · Werner Sembach / AndroidSystemSEPolicy


Exclude execute from the rules allowing access to files,
and only add it back for the rootfs and files labeled
with system_file (/system, /vendor) or one of the types in exec_type
(files under /system that cause domain transitions).

Change-Id: Ic72d76dc92e79bcc75a38398425af3bb1274a009
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

5da08810

Strip exec* permissions from unconfined domains. · 4e416ea4

Stephen Smalley authored 11 years ago


This ensures that only domains that are explicitly allowed executable
memory permissions are granted them.

Unconfined domains retain full write + execute access to all file
types.  A further change could possibly restrict execute access to
a subset of file types, e.g. system_file + exec_type.

Change-Id: I842f5a2ac5921cc2bd0ab23a091eb808fdd89565
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

4e416ea4

Restrict ability to set checkreqprot. · 8b51674b

Stephen Smalley authored 11 years ago


Now that we set /sys/fs/selinux/checkreqprot via init.rc,
restrict the ability to set it to only the kernel domain.

Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

8b51674b

Jan 04, 2014

Don't allow zygote init:binder call · a730e50b

Nick Kralevich authored 11 years ago

init can't handle binder calls. It's always incorrect
to allow init:binder call, and represents a binder call
to a service without an SELinux domain. Adding this
allow rule was a mistake; the dumpstate SELinux domain didn't
exist at the time this rule was written, and dumpstate was
running under init's domain.

Add a neverallow rule to prevent the reintroduction of
this bug.

Change-Id: I78d35e675fd142d880f15329471778c18972bf50

a730e50b

Dec 09, 2013

Restrict mapping low memory. · e6a7b37d

Stephen Smalley authored 11 years ago


Label /proc/sys/vm/mmap_min_addr with proc_security to prevent
writing it by any domain other than init.  Also remove memprotect
mmap_zero permission from unconfineddomain so that it cannot pass
the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e6a7b37d

Restrict ptrace access by debuggerd and unconfineddomain. · 95e0842e

Stephen Smalley authored 11 years ago


Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

95e0842e

Dec 06, 2013

Restrict the ability to set usermodehelpers and proc security settings. · 7adb999e

Stephen Smalley authored 11 years ago


Limit the ability to write to the files that configure kernel
usermodehelpers and security-sensitive proc settings to the init domain.
Permissive domains can also continue to set these values.

The current list is not exhaustive, just an initial set.
Not all of these files will exist on all kernels/devices.
Controlling access to certain kernel usermodehelpers, e.g. cgroup
release_agent, will require kernel changes to support and cannot be
addressed here.

Expected output on e.g. flo after the change:
ls -Z /sys/kernel/uevent_helper /proc/sys/fs/suid_dumpable /proc/sys/kernel/core_pattern /proc/sys/kernel/dmesg_restrict /proc/sys/kernel/hotplug /proc/sys/kernel/kptr_restrict /proc/sys/kernel/poweroff_cmd /proc/sys/kernel/randomize_va_space /proc/sys/kernel/usermodehelper
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 uevent_helper
-rw-r--r-- root     root              u:object_r:proc_security:s0 suid_dumpable
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 core_pattern
-rw-r--r-- root     root              u:object_r:proc_security:s0 dmesg_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 hotplug
-rw-r--r-- root     root              u:object_r:proc_security:s0 kptr_restrict
-rw-r--r-- root     root              u:object_r:usermodehelper:s0 poweroff_cmd
-rw-r--r-- root     root              u:object_r:proc_security:s0 randomize_va_space
-rw------- root     root              u:object_r:usermodehelper:s0 bset
-rw------- root     root              u:object_r:usermodehelper:s0 inheritable

Change-Id: I3f24b4bb90f0916ead863be6afd66d15ac5e8de0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

7adb999e

Dec 02, 2013

Restrict the ability to set SELinux enforcing mode to init. · d99e6d5f

Stephen Smalley authored 11 years ago


Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

d99e6d5f

Nov 08, 2013
- Neverallow access to the kmem device from userspace. · ddf98fa8
  Geremy Condra authored 11 years ago
  
  Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4
  ddf98fa8
Oct 21, 2013

Clarify the expectations for the unconfined template. · 84d88314

Nick Kralevich authored 11 years ago

In https://android-review.googlesource.com/66562 , there
was a discussion about the role the unconfined template
plays. Document the unconfined template so that those
expectations are better understood.

Change-Id: I20ac01ac2d4496b8425b6f63d4106e8021bc9b2f

84d88314

Jul 16, 2013
- Only init should be able to load a security policy · 2637198f
  Nick Kralevich authored 11 years ago
  
  Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
  2637198f
Jul 11, 2013

domain.te: Add backwards compatibility for unlabeled files · 0c9708b2

Nick Kralevich authored 11 years ago

For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.

Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88

0c9708b2

May 22, 2013
- Clean up remaining denials. · 274d2927
  repo sync authored 11 years ago
  
  Bug: 8424461 Change-Id: I8f0b01cdb19b4a479d5de842f4e4844aeab00622
  274d2927
May 20, 2013

Make all domains unconfined. · 77d4731e

repo sync authored 11 years ago

This prevents denials from being generated by the base policy.
Over time, these rules will be incrementally tightened to improve
security.

Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11

77d4731e

Mar 21, 2013
- Require entrypoint to be explicitly granted for unconfined domains. · 9aea69c0
  Stephen Smalley authored 12 years ago
  
  Change-Id: Ieeaa002061c9e4224ea90dfa60dffb112aa152c2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  9aea69c0
Mar 19, 2013

Update binder-related policy. · 9ce99e39

Stephen Smalley authored 12 years ago

The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.

Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

9ce99e39

Apr 04, 2012

Add policy for property service. · 124720a6

Stephen Smalley authored 12 years ago

New property_contexts file for property selabel backend.
New property.te file with property type declarations.
New property_service security class and set permission.
Allow rules for setting properties.

124720a6

Jan 04, 2012
- SE Android policy. · 2dd4e51d
  Stephen Smalley authored 13 years ago
  
  2dd4e51d