Commits · b4c4424c99dcb5aace69f3bc5593635e045fb519 · Werner Sembach / AndroidSystemSEPolicy

Feb 27, 2015

dontaudit clatd self:capability ipc_lock · b4c4424c

Nick Kralevich authored 10 years ago

clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
capable(CAP_IPC_LOCK), and then checks to see the requested amount is
under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
does not need CAP_IPC_LOCK, so we suppress any denials we see
from clatd asking for this capability.
See https://android-review.googlesource.com/127940

Suppresses the following denial:
type=1400 audit(1424916750.163:7): avc: denied { ipc_lock } for pid=3458 comm="clatd" capability=14 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

Change-Id: Ica108f66010dfc6a5431efa0b4e58f6a784672d1

b4c4424c

Feb 25, 2015

Revert /proc/net related changes · 5cf3994d

Nick Kralevich authored 10 years ago

Revert the tightening of /proc/net access. These changes
are causing a lot of denials, and I want additional time to
figure out a better solution.

Addresses the following denials (and many more):

avc: denied { read } for comm="SyncAdapterThre" name="stats" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="facebook.katana" name="iface_stat_fmt" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="IntentService[C" name="if_inet6" dev="proc" ino=X scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { read } for comm="dumpstate" name="iface_stat_all" dev="proc" ino=X scontext=u:r:dumpstate:s0 tcontext=u:object_r:proc_net:s0 tclass=file

This reverts commit 0f0324cc
and commit 99940d1a

Bug: 9496886
Bug: 19034637
Change-Id: I436a6e3638ac9ed49afbee214e752fe2b0112868

5cf3994d

Jan 14, 2015

remove /proc/net read access from domain.te · 99940d1a

Nick Kralevich authored 10 years ago

SELinux domains wanting read access to /proc/net need to
explicitly declare it.

TODO: fixup the ListeningPortsTest cts test so that it's not
broken.

Bug: 9496886
Change-Id: Ia9f1214348ac4051542daa661d35950eb271b2e4

99940d1a

Jun 13, 2014

Remove clatd's dac_override abilities. · 1d75c90b

Lorenzo Colitti authored 10 years ago

These are no longer necessary after the clatd change to acquire
membership in AID_VPN when dropping root privileges.

Change-Id: I9955296fe79e6dcbaa12acad1f1438e11d3b06cf

1d75c90b

Remove clatd's ability to write to proc files. · 81c03013

Lorenzo Colitti authored 10 years ago

This is no longer required now that clatd has switched from IPv6
forwarding to sockets.

Bug: 15340961
Change-Id: Id7d503b842882d30e6cb860ed0af69ad4ea3e62c

81c03013

Jun 12, 2014

Allow clatd to read from packet sockets and write to raw sockets · 6cd57a43

Lorenzo Colitti authored 10 years ago

This addresses the following denials that occur when switching
clatd from an IPv6 tun interface to packet and raw sockets:

avc: denied { net_raw } for pid=3540 comm="clatd" capability=13 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability
avc: denied { create } for pid=3540 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket
avc: denied { bind } for pid=3540 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket
avc: denied { setopt } for pid=3540 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket
avc: denied { read } for pid=3540 comm="clatd" path="socket:[19117]" dev="sockfs" ino=19117 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=packet_socket

Bug: 15340961
Change-Id: I3c06e8e3e0cfc0869a7b73c803bbffe28369ee5e

6cd57a43

Mar 14, 2014

Allow clatd to use local/unix datagram socket inherited from netd. · e42cebe6

Stephen Smalley authored 11 years ago

Addresses denials such as:
avc: denied { read write } for pid=3142 comm="clatd" path="socket:[12029]" dev="sockfs" ino=12029 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_dgram_socket

Change-Id: I5111410870c71bbfaf6b5310d8f5fd8f10db4f20
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

e42cebe6

Mar 07, 2014

Make clatd enforcing. · de9ebc2a

Stephen Smalley authored 11 years ago


Change-Id: I764086a83d89d5c94c13400cab590933727d261b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

de9ebc2a

Feb 25, 2014

Clean up socket rules. · 16011320

Stephen Smalley authored 11 years ago


Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

16011320

Feb 21, 2014

Address SELinux denials with clatd. · a770ee5b

Stephen Smalley authored 11 years ago


<5>[  216.710405] type=1400 audit(1392934645.702:17): avc:  denied  { use } for  pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fd

<5>[  216.710553] type=1400 audit(1392934645.702:18): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9368]" dev="sockfs" ino=9368 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_kobject_uevent_socket

<5>[  216.710727] type=1400 audit(1392934645.702:19): avc:  denied  { read } for  pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file

<5>[  216.710872] type=1400 audit(1392934645.702:20): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[8214]" dev="sockfs" ino=8214 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=unix_stream_socket

<5>[  216.711037] type=1400 audit(1392934645.702:21): avc:  denied  { write } for  pid=2273 comm="clatd" path="pipe:[9369]" dev="pipefs" ino=9369 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=fifo_file

<5>[  216.711208] type=1400 audit(1392934645.702:22): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9370]" dev="sockfs" ino=9370 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_route_socket

<5>[  216.711334] type=1400 audit(1392934645.702:23): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[9372]" dev="sockfs" ino=9372 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=netlink_nflog_socket

<5>[  216.711513] type=1400 audit(1392934645.702:24): avc:  denied  { read write } for  pid=2273 comm="clatd" path="socket:[11078]" dev="sockfs" ino=11078 scontext=u:r:clatd:s0 tcontext=u:r:netd:s0 tclass=udp_socket

<5>[  216.713390] type=1400 audit(1392934645.702:25): avc:  denied  { dac_override } for  pid=2273 comm="clatd" capability=1 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[  216.713528] type=1400 audit(1392934645.702:26): avc:  denied  { read write } for  pid=2273 comm="clatd" name="tun" dev="tmpfs" ino=6127 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[  314.513898] type=1400 audit(1392934743.501:42): avc:  denied  { setopt } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.514482] type=1400 audit(1392934743.501:43): avc:  denied  { getattr } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.515196] type=1400 audit(1392934743.501:44): avc:  denied  { write } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[  314.516077] type=1400 audit(1392934743.501:45): avc:  denied  { connect } for  pid=2273 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

<5>[ 22.257024] type=1400 audit(1393016186.443:12): avc: denied { open } for pid=1934 comm="clatd" name="tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[ 22.257274] type=1400 audit(1393016186.443:13): avc: denied { net_admin } for pid=1934 comm="clatd" capability=12 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.257445] type=1400 audit(1393016186.443:14): avc: denied { write } for pid=1934 comm="clatd" name="forwarding" dev="proc" ino=10684 scontext=u:r:clatd:s0 tcontext=u:object_r:proc_net:s0 tclass=file

<5>[ 22.257618] type=1400 audit(1393016186.443:15): avc: denied { setgid } for pid=1934 comm="clatd" capability=6 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.257753] type=1400 audit(1393016186.443:16): avc: denied { setuid } for pid=1934 comm="clatd" capability=7 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

<5>[ 22.385005] type=1400 audit(1393016186.573:17): avc: denied { ioctl } for pid=1934 comm="clatd" path="/dev/tun" dev="tmpfs" ino=6117 scontext=u:r:clatd:s0 tcontext=u:object_r:tun_device:s0 tclass=chr_file

<5>[ 22.385269] type=1400 audit(1393016186.573:18): avc: denied { create } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=tun_socket

<5>[ 22.388955] type=1400 audit(1393016186.573:19): avc: denied { nlmsg_write } for pid=1934 comm="clatd" scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=netlink_route_socket

Change-Id: Ic760597df1aa4b33b3cb6e9a504dbcbd6f5d0116
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

a770ee5b

Feb 11, 2014

Make clatd permissive or unconfined. · f321456e

Stephen Smalley authored 11 years ago


Otherwise we'll never see denials in userdebug or eng builds and
never make progress on confining it.  clatd does exist in AOSP
and is built by default, and is started via netd.

Change-Id: Iee6e0845fad7647962d73cb6d047f27924fa799a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

f321456e

Oct 21, 2013

Move unconfined domains out of permissive mode. · 353c72e3

Nick Kralevich authored 11 years ago

This change removes the permissive line from unconfined
domains. Unconfined domains can do (mostly) anything, so moving
these domains into enforcing should be a no-op.

The following domains were deliberately NOT changed:
1) kernel
2) init

In the future, this gives us the ability to tighten up the
rules in unconfined, and have those tightened rules actually
work.

When we're ready to tighten up the rules for these domains,
we can:

1) Remove unconfined_domain and re-add the permissive line.
2) Submit the domain in permissive but NOT unconfined.
3) Remove the permissive line
4) Wait a few days and submit the no-permissive change.

For instance, if we were ready to do this for adb, we'd identify
a list of possible rules which allow adbd to work, re-add
the permissive line, and then upload those changes to AOSP.
After sufficient testing, we'd then move adb to enforcing.
We'd repeat this for each domain until everything is enforcing
and out of unconfined.

Change-Id: If674190de3262969322fb2e93d9a0e734f8b9245

353c72e3

Aug 05, 2013
- Fix clatd, broken by selinux policing /dev/tun · ab7dfabb
  Lorenzo Colitti authored 11 years ago
  
  Bug: 10175701 Change-Id: I185df22bdbaafd56725760ec6c71340b67455046
  ab7dfabb