    Clean up socket rules. · 16011320
    Stephen Smalley authored
    
    Replace * or any permission set containing create with
    create_socket_perms or create_stream_socket_perms.
    
    Add net_domain() to all domains using network sockets and
    delete rules already covered by domain.te or net.te.
    
    For netlink_route_socket, only nlmsg_write needs to be separately
    granted to specific domains that are permitted to modify the routing
    table.   Clarification:  read/write permissions are just ability to
    perform read/recv() or write/send() on the socket, whereas nlmsg_read/
    nlmsg_write permissions control ability to observe or modify the
    underlying kernel state accessed via the socket.
    See security/selinux/nlmsgtab.c in the kernel for the mapping of
    netlink message types to nlmsg_read or nlmsg_write.
    
    Delete legacy rule for b/12061011.
    
    This change does not touch any rules where only read/write were allowed
    to a socket created by another domain (inherited across exec or
    received across socket or binder IPC).  We may wish to rewrite some or all
    of those rules with the rw_socket_perms macro but that is a separate
    change.
    
    Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
dumpstate.te 2.83 KiB
# dumpstate
# Domain for the dumpstate bugreport collector.  The rules in this file
# enumerate the access it needs to gather system state; many targets are
# shared with other domains, so several grants are broad by construction.
type dumpstate, domain;
# NOTE(review): while this macro is present the allow rules in this file are
# not the effective sandbox — the macro name suggests the domain is either
# permissive or unconfined depending on build variant (confirm its expansion
# in the shared policy).  Removing it is what turns the grants below into the
# real boundary, so they should be reviewed as if already enforced.
permissive_or_unconfined(dumpstate)
type dumpstate_exec, exec_type, file_type;

# Domain transition from init, plus the network, relabel and binder-client
# macros.  net_domain() is the one added by this commit; presumably it is
# now where dumpstate's socket create permissions come from, which is why no
# socket rules appear in this file (macro bodies are not visible here).
init_daemon_domain(dumpstate)
net_domain(dumpstate)
relabelto_domain(dumpstate)
binder_use(dumpstate)

# Drop privileges by switching UID / GID
# NOTE(review): setuid/setgid let dumpstate change credentials for the helpers
# it spawns; nothing in this file constrains which UID it may switch to, so
# the practical limit is the set of exec targets granted further down.
allow dumpstate self:capability { setuid setgid };

# Allow dumpstate to scan through /proc/pid for all processes
# NOTE(review): the target is every type carrying the "domain" attribute,
# i.e. every process on the system.  Whatever r_dir_file() expands to (not
# visible here; presumably read on dirs and files) applies to each process's
# /proc entries, so this is an information-disclosure surface to keep in mind
# wherever dumpstate itself is reachable (binder, the vold socket).
r_dir_file(dumpstate, domain)

# Send signals to processes
# Capability only; the per-target :process signal rules are granted below.
allow dumpstate self:capability kill;

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
# NOTE(review): execute_no_trans means any system_file binary runs inside the
# dumpstate domain with dumpstate's full grant set, rather than transitioning
# to the binary's own domain.  Confining helpers separately would need a
# domain_auto_trans rule per helper and is a wider change than this file.
allow dumpstate system_file:file execute_no_trans;

# Create and write into /data/anr/
# NOTE(review): dac_override bypasses owner/mode (DAC) checks for the whole
# domain, not only under /data/anr/; together with chown/fowner/fsetid it
# leaves the SELinux file rules in this file as the only effective limit on
# what dumpstate can write.
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
allow dumpstate anr_data_file:file create_file_perms;
# Presumably: create /data/anr itself under the generic /data label, then
# relabel it to anr_data_file (relabelfrom here, relabelto above, plus
# relabelto_domain() at the top of the file).
# NOTE(review): create_dir_perms on system_data_file is not limited to
# /data/anr — it allows creating directories anywhere that carries the
# default /data label.  Confirm whether a narrower permission set suffices.
allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# NOTE(review): as written this grants read on every file with the default
# /data label, not only uiderrors.txt; a dedicated type for that file (with a
# file_contexts entry) is what would close the TODO.
allow dumpstate system_data_file:file r_file_perms;

# Read dmesg
# Both the syslog capability and the kernel:system syslog_read permission are
# granted; presumably both are checked on the dmesg read path.
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;

# Get process attributes
# Every domain is a target, matching the /proc scan granted above.
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
# NOTE(review): "signal" is the generic signal permission, so this is not
# limited to the stack-dump signal; dumpstate may deliver any signal that
# does not have its own dedicated permission (sigkill/sigstop/sigchld/signull
# are separate and are not granted here) to every app and to system_server.
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
# Keep this list in sync with that array: a daemon added there without a rule
# here will fail to dump once the domain is enforcing.
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;

# The vdc command needs to talk to the vold socket.
# NOTE(review): vdc presumably runs via the execute_no_trans grant above, so
# the connection is made from the dumpstate domain itself; anything able to
# drive dumpstate can therefore issue vold commands.  Confirm vold's own
# per-command checks rather than relying on this rule as the boundary.
unix_socket_connect(dumpstate, vold, vold)

# Vibrate the device after we're done collecting the bugreport
# /sys/class/timed_output/vibrator/enable
# TODO: create a new file class, instead of allowing write access to all of /sys
# NOTE(review): this is the broadest rule in the file — write on every
# sysfs:file node, which covers far more than the vibrator control.  A
# dedicated sysfs type for the vibrator path (labeled via file_contexts or a
# genfscon entry) would let this become a single-target rule.
allow dumpstate sysfs:file w_file_perms;

# Other random bits of data we want to collect
# Read-only access to the qtaguid /proc interface and to debugfs.
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;

# Allow dumpstate to make binder calls to any binder service
# NOTE(review): binder_call() presumably also grants the callee the transfer
# permission back towards dumpstate (the usual shape of this macro — confirm
# its expansion).  If so, the appdomain rule lets every app hand binder
# objects to dumpstate, not only the other way round.
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, appdomain)

# Reading /proc/PID/maps of other processes
# NOTE(review): the capability is presumably what the kernel's access check
# on another process's /proc/PID/maps requires, but it is not limited to that
# file — it is the same capability that underlies ptrace attach.  Attach is
# still gated by the :process ptrace permission, which this file does not
# grant.
allow dumpstate self:capability sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
# NOTE(review): shell_data_file covers the whole shell app data directory,
# not only the bugreports subtree; a sub-type for bugreports would narrow it.
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
# NOTE(review): these three rules give the dumpstate domain writable-and-
# executable memory (anonymous execmem, plus execute on ashmem and on its own
# tmpfs).  The JIT in app_process needs them, but because they apply to the
# whole domain they also weaken W^X for the native dumpstate process itself
# and for every helper run via execute_no_trans.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;

# logd access
# NOTE(review): control_logd() presumably includes clearing log buffers; if
# so, dumpstate can erase the very logs it collects.  Confirm the macro's
# expansion if log integrity matters for incident response on these builds.
read_logd(dumpstate)
control_logd(dumpstate)