Merge "Add SELinux rules for service_manager."

b0ee91a4 · Nick Kralevich · Gerrit Code Review · a2e4e265 · f90c41f6 · b0ee91a4
Commit b0ee91a4 authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -197,6 +197,26 @@ $(LOCAL_BUILT_MODULE):  $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES

 built_pc := $(LOCAL_BUILT_MODULE)

+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := service_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+ALL_SVC_FILES := $(call build_policy, service_contexts)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE):  $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(ALL_SVC_FILES) > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+
+built_svc := $(LOCAL_BUILT_MODULE)
+
 ##################################

 ##################################
@@ -243,7 +263,7 @@ LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

 include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc)
+$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc)
 	@mkdir -p $(dir $@)
 	$(hide) echo -n $(BUILD_FINGERPRINT) > $@

@@ -255,5 +275,6 @@ built_sepolicy :=
 built_sc :=
 built_fc :=
 built_pc :=
+built_svc :=

 include $(call all-makefiles-under,$(LOCAL_PATH))
--- a/access_vectors
+++ b/access_vectors
@@ -888,3 +888,8 @@ class property_service
 {
 	set
 }
+
+class service_manager
+{
+	add
+}
--- a/attributes
+++ b/attributes
@@ -39,6 +39,9 @@ attribute port_type;
 # All types used for property service
 attribute property_type;

+# All types used for services managed by service_manager.
+attribute service_manager_type;
+
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;

--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -11,3 +11,7 @@ allow binderservicedomain devpts:chr_file rw_file_perms;
 # Receive and write to a pipe received over Binder from an app.
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
+
+# Allow binderservicedomain to add services by default.
+allow binderservicedomain service_manager_type:service_manager add;
+auditallow binderservicedomain default_android_service:service_manager add;
--- a/drmserver.te
+++ b/drmserver.te
@@ -44,3 +44,5 @@ allow drmserver asec_apk_file:file { read getattr };

 # Read /data/data/com.android.providers.telephony files passed over Binder.
 allow drmserver radio_data_file:file { read getattr };
+
+allow drmserver drmserver_service:service_manager add;
--- a/healthd.te
+++ b/healthd.te
@@ -32,3 +32,5 @@ allow healthd ashmem_device:chr_file execute;
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 allow healthd self:capability sys_boot;
+
+allow healthd healthd_service:service_manager add;
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -8,3 +8,5 @@ binder_use(inputflinger)
 binder_service(inputflinger)

 binder_call(inputflinger, system_server)
+
+allow inputflinger inputflinger_service:service_manager add;
--- a/keystore.te
+++ b/keystore.te
@@ -25,3 +25,5 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *
 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;

 neverallow domain keystore:process ptrace;
+
+allow keystore keystore_service:service_manager add;
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -78,3 +78,5 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth)

 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
+
+allow mediaserver mediaserver_service:service_manager add;
--- a/nfc.te
+++ b/nfc.te
@@ -13,3 +13,5 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;

 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
+
+allow nfc nfc_service:service_manager add;
--- a/radio.te
+++ b/radio.te
@@ -22,3 +22,5 @@ allow radio radio_prop:property_service set;

 # ctl interface
 allow radio ctl_rildaemon_prop:property_service set;
+
+allow radio radio_service:service_manager add;
--- a/security_classes
+++ b/security_classes
@@ -137,4 +137,7 @@ class zygote
 # Property service
 class property_service          # userspace

+# Service manager
+class service_manager           # userspace
+
 # FLASK
--- a/service.te
+++ b/service.te
+type default_android_service,   service_manager_type;
+type drmserver_service,         service_manager_type;
+type healthd_service,           service_manager_type;
+type inputflinger_service,      service_manager_type;
+type keystore_service,          service_manager_type;
+type mediaserver_service,       service_manager_type;
+type nfc_service,               service_manager_type;
+type radio_service,             service_manager_type;
+type surfaceflinger_service,    service_manager_type;
+type system_server_service,     service_manager_type;
--- a/service_contexts
+++ b/service_contexts
+accessibility                             u:object_r:system_server_service:s0
+account                                   u:object_r:system_server_service:s0
+activity                                  u:object_r:system_server_service:s0
+alarm                                     u:object_r:system_server_service:s0
+android.security.keystore                 u:object_r:keystore_service:s0
+appops                                    u:object_r:system_server_service:s0
+appwidget                                 u:object_r:system_server_service:s0
+assetatlas                                u:object_r:system_server_service:s0
+audio                                     u:object_r:system_server_service:s0
+backup                                    u:object_r:system_server_service:s0
+batteryproperties                         u:object_r:healthd_service:s0
+batterystats                              u:object_r:system_server_service:s0
+battery                                   u:object_r:system_server_service:s0
+bluetooth_manager                         u:object_r:system_server_service:s0
+clipboard                                 u:object_r:system_server_service:s0
+com.android.internal.telephony.mms.IMms   u:object_r:system_server_service:s0
+commontime_management                     u:object_r:system_server_service:s0
+connectivity                              u:object_r:system_server_service:s0
+consumer_ir                               u:object_r:system_server_service:s0
+content                                   u:object_r:system_server_service:s0
+country_detector                          u:object_r:system_server_service:s0
+cpuinfo                                   u:object_r:system_server_service:s0
+dbinfo                                    u:object_r:system_server_service:s0
+device_policy                             u:object_r:system_server_service:s0
+devicestoragemonitor                      u:object_r:system_server_service:s0
+diskstats                                 u:object_r:system_server_service:s0
+display.qservice                          u:object_r:surfaceflinger_service:s0
+display                                   u:object_r:system_server_service:s0
+DockObserver                              u:object_r:system_server_service:s0
+dreams                                    u:object_r:system_server_service:s0
+drm.drmManager                            u:object_r:drmserver_service:s0
+dropbox                                   u:object_r:system_server_service:s0
+entropy                                   u:object_r:system_server_service:s0
+ethernet                                  u:object_r:system_server_service:s0
+gfxinfo                                   u:object_r:system_server_service:s0
+hardware                                  u:object_r:system_server_service:s0
+hdmi_control                              u:object_r:system_server_service:s0
+inputflinger                              u:object_r:inputflinger_service:s0
+input_method                              u:object_r:system_server_service:s0
+input                                     u:object_r:system_server_service:s0
+iphonesubinfo                             u:object_r:radio_service:s0
+isms                                      u:object_r:radio_service:s0
+launcherapps                              u:object_r:system_server_service:s0
+location                                  u:object_r:system_server_service:s0
+lock_settings                             u:object_r:system_server_service:s0
+media.audio_flinger                       u:object_r:mediaserver_service:s0
+media.audio_policy                        u:object_r:mediaserver_service:s0
+media.camera                              u:object_r:mediaserver_service:s0
+media.player                              u:object_r:mediaserver_service:s0
+media_router                              u:object_r:system_server_service:s0
+media_session                             u:object_r:system_server_service:s0
+meminfo                                   u:object_r:system_server_service:s0
+mount                                     u:object_r:system_server_service:s0
+netpolicy                                 u:object_r:system_server_service:s0
+netstats                                  u:object_r:system_server_service:s0
+network_management                        u:object_r:system_server_service:s0
+network_score                             u:object_r:system_server_service:s0
+nfc                                       u:object_r:nfc_service:s0
+notification                              u:object_r:system_server_service:s0
+package                                   u:object_r:system_server_service:s0
+permission                                u:object_r:system_server_service:s0
+phone                                     u:object_r:radio_service:s0
+power                                     u:object_r:system_server_service:s0
+print                                     u:object_r:system_server_service:s0
+procstats                                 u:object_r:system_server_service:s0
+restrictions                              u:object_r:system_server_service:s0
+samplingprofiler                          u:object_r:system_server_service:s0
+scheduling_policy                         u:object_r:system_server_service:s0
+search                                    u:object_r:system_server_service:s0
+sensorservice                             u:object_r:system_server_service:s0
+serial                                    u:object_r:system_server_service:s0
+servicediscovery                          u:object_r:system_server_service:s0
+simphonebook                              u:object_r:radio_service:s0
+sip                                       u:object_r:radio_service:s0
+statusbar                                 u:object_r:system_server_service:s0
+SurfaceFlinger                            u:object_r:surfaceflinger_service:s0
+task                                      u:object_r:system_server_service:s0
+telecomm                                  u:object_r:radio_service:s0
+telephony.registry                        u:object_r:system_server_service:s0
+textservices                              u:object_r:system_server_service:s0
+trust                                     u:object_r:system_server_service:s0
+tv_input                                  u:object_r:system_server_service:s0
+uimode                                    u:object_r:system_server_service:s0
+updatelock                                u:object_r:system_server_service:s0
+usagestats                                u:object_r:system_server_service:s0
+usb                                       u:object_r:system_server_service:s0
+user                                      u:object_r:system_server_service:s0
+vibrator                                  u:object_r:system_server_service:s0
+voiceinteraction                          u:object_r:system_server_service:s0
+wallpaper                                 u:object_r:system_server_service:s0
+wifip2p                                   u:object_r:system_server_service:s0
+wifiscanner                               u:object_r:system_server_service:s0
+wifi                                      u:object_r:system_server_service:s0
+window                                    u:object_r:system_server_service:s0
+
+*                                         u:object_r:default_android_service:s0
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -12,3 +12,10 @@ init_daemon_domain(servicemanager)
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager domain:binder transfer;
+
+# Get contexts of binder services that call servicemanager.
+allow servicemanager binderservicedomain:dir search;
+allow servicemanager binderservicedomain:file { read open };
+allow servicemanager binderservicedomain:process getattr;
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -57,6 +57,8 @@ r_dir_file(surfaceflinger, dumpstate)
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;

+allow surfaceflinger surfaceflinger_service:service_manager add;
+
 ###
 ### Neverallow rules
 ###

--- a/system_server.te
+++ b/system_server.te
@@ -350,6 +350,8 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
 allow system_server pstorefs:dir r_dir_perms;
 allow system_server pstorefs:file r_file_perms;

+allow system_server system_server_service:service_manager add;
+
 ###
 ### Neverallow rules
 ###