From f90c41f6e8d5c1266e154f46586a2ceb260f1be6 Mon Sep 17 00:00:00 2001
From: Riley Spahn <rileyspahn@google.com>
Date: Thu, 5 Jun 2014 15:52:02 -0700
Subject: [PATCH] Add SELinux rules for service_manager.

Add a service_mananger class with the verb add. Add a type that groups the services for each of the processes that is allowed to start services in service.te and an attribute for all services controlled by the service manager. Add the service_contexts file which maps service name to target label.

Bug: 12909011
Change-Id: I017032a50bc90c57b536e80b972118016d340c7d
---
 Android.mk | 23 +++++++++-
 access_vectors | 5 +++
 attributes | 3 ++
 binderservicedomain.te | 4 ++
 drmserver.te | 2 +
 healthd.te | 2 +
 inputflinger.te | 2 +
 keystore.te | 2 +
 mediaserver.te | 2 +
 nfc.te | 2 +
 radio.te | 2 +
 security_classes | 3 ++
 service.te | 10 +++++
 service_contexts | 96 ++++++++++++++++++++++++++++++++++++++++++
 servicemanager.te | 7 +++
 surfaceflinger.te | 2 +
 system_server.te | 2 +
 17 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100644 service.te
 create mode 100644 service_contexts

diff --git a/Android.mk b/Android.mk
index bdf26b357..1163477a7 100644
--- a/Android.mk
+++ b/Android.mk
@@ -197,6 +197,26 @@ $(LOCAL_BUILT_MODULE): $(ALL_PC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES built_pc := $(LOCAL_BUILT_MODULE) +################################## +include $(CLEAR_VARS) + +LOCAL_MODULE := service_contexts +LOCAL_MODULE_CLASS := ETC +LOCAL_MODULE_TAGS := optional +LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) + +include $(BUILD_SYSTEM)/base_rules.mk + +ALL_SVC_FILES := $(call build_policy, service_contexts) + +$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy) +$(LOCAL_BUILT_MODULE): $(ALL_SVC_FILES) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc + @mkdir -p $(dir $@) + $(hide) m4 -s $(ALL_SVC_FILES) > $@ + $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@ + +built_svc := $(LOCAL_BUILT_MODULE) + ################################## ################################## @@ -243,7 +263,7 @@ LOCAL_MODULE_TAGS := optional LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) include $(BUILD_SYSTEM)/base_rules.mk -$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) +$(LOCAL_BUILT_MODULE) : $(built_sepolicy) $(built_pc) $(built_fc) $(built_sc) $(built_svc) @mkdir -p $(dir $@) $(hide) echo -n $(BUILD_FINGERPRINT) > $@ @@ -255,5 +275,6 @@ built_sepolicy := built_sc := built_fc := built_pc := +built_svc := include $(call all-makefiles-under,$(LOCAL_PATH)) diff --git a/access_vectors b/access_vectors index 265587220..7609d9dc0 100644 --- a/access_vectors +++ b/access_vectors @@ -888,3 +888,8 @@ class property_service { set } + +class service_manager +{ + add +} diff --git a/attributes b/attributes index 261500ffa..64de61a5e 100644 --- a/attributes +++ b/attributes @@ -39,6 +39,9 @@ attribute port_type; # All types used for property service attribute property_type; +# All types used for services managed by service_manager. +attribute service_manager_type; + # All domains that can override MLS restrictions. # i.e. processes that can read up and write down. attribute mlstrustedsubject; 
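Review bot: The new service_contexts rule block has no comment saying what it produces or why checkfc runs on it; its purpose is only inferable by analogy with the property_contexts block visible in the hunk header, so a header such as `# service_contexts: maps Binder service names to the SELinux labels servicemanager checks on add; checkfc validates each label against the built policy` would make that explicit. As far as the recipe shows, `checkfc -p` only verifies that each label is a valid context in the policy, so a service mapped to a type that exists but does not carry service_manager_type would pass the build and surface only as a runtime add denial; if checkfc cannot check the attribute, a build-time assertion to that effect is worth considering. The m4 output is also written straight to `$@` before checkfc runs, so unless the build system sets .DELETE_ON_ERROR a rejected file is left behind looking up to date; writing to `$@.tmp` and moving it on success avoids that, although the existing property_contexts rule appears to follow the same pattern.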
diff --git a/binderservicedomain.te b/binderservicedomain.te index 757d80774..db2f93ffa 100644 --- a/binderservicedomain.te +++ b/binderservicedomain.te @@ -11,3 +11,7 @@ allow binderservicedomain devpts:chr_file rw_file_perms; # Receive and write to a pipe received over Binder from an app. allow binderservicedomain appdomain:fd use; allow binderservicedomain appdomain:fifo_file write; + +# Allow binderservicedomain to add services by default. +allow binderservicedomain service_manager_type:service_manager add; +auditallow binderservicedomain default_android_service:service_manager add; diff --git a/drmserver.te b/drmserver.te index e2b62df2e..19931766e 100644 --- a/drmserver.te +++ b/drmserver.te @@ -44,3 +44,5 @@ allow drmserver asec_apk_file:file { read getattr }; # Read /data/data/com.android.providers.telephony files passed over Binder. allow drmserver radio_data_file:file { read getattr }; + +allow drmserver drmserver_service:service_manager add; diff --git a/healthd.te b/healthd.te index 97c0ca589..08472ccd8 100644 --- a/healthd.te +++ b/healthd.te @@ -32,3 +32,5 @@ allow healthd ashmem_device:chr_file execute; allow healthd self:process execmem; allow healthd proc_sysrq:file rw_file_perms; allow healthd self:capability sys_boot; + +allow healthd healthd_service:service_manager add; diff --git a/inputflinger.te b/inputflinger.te index b08b3453b..0bef25eee 100644 --- a/inputflinger.te +++ b/inputflinger.te @@ -8,3 +8,5 @@ binder_use(inputflinger) binder_service(inputflinger) binder_call(inputflinger, system_server) + +allow inputflinger inputflinger_service:service_manager add; diff --git a/keystore.te b/keystore.te index 8aa1d7d4a..3e627f827 100644 --- a/keystore.te +++ b/keystore.te 
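Review bot: `allow binderservicedomain service_manager_type:service_manager add;` grants every binder service domain the right to register under any service label, including keystore_service and system_server_service, so the per-domain rules added in this commit (drmserver, healthd, inputflinger, keystore, mediaserver, nfc, radio, surfaceflinger, system_server) are currently subsumed and, as far as the policy is concerned, a compromised binder service could register or replace a sensitive name as its own. The `auditallow` only logs adds that fall through to default_android_service, so a cross-domain registration under a named label would not appear in the audit log. If the broad rule is a transitional measure, saying so in the comment (`# TODO: restrict to default_android_service once service_contexts is complete`) would help, and pinning the most sensitive labels now, e.g. `neverallow { domain -keystore } keystore_service:service_manager add;`, would keep the per-domain rules meaningful in the meantime.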
@@ -25,3 +25,5 @@ neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir * neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *; neverallow domain keystore:process ptrace; + +allow keystore keystore_service:service_manager add; diff --git a/mediaserver.te b/mediaserver.te index 439315f83..e4d5a23cb 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -78,3 +78,5 @@ unix_socket_connect(mediaserver, bluetooth, bluetooth) # Connect to tee service. allow mediaserver tee:unix_stream_socket connectto; + +allow mediaserver mediaserver_service:service_manager add; diff --git a/nfc.te b/nfc.te index 0968c3513..65aaef76c 100644 --- a/nfc.te +++ b/nfc.te @@ -13,3 +13,5 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms; allow nfc sysfs_nfc_power_writable:file rw_file_perms; allow nfc sysfs:file write; + +allow nfc nfc_service:service_manager add; diff --git a/radio.te b/radio.te index d5bf42b19..4f1df1ff7 100644 --- a/radio.te +++ b/radio.te @@ -22,3 +22,5 @@ allow radio radio_prop:property_service set; # ctl interface allow radio ctl_rildaemon_prop:property_service set; + +allow radio radio_service:service_manager add; diff --git a/security_classes b/security_classes index 197805e3b..9ff494fdb 100644 --- a/security_classes +++ b/security_classes @@ -137,4 +137,7 @@ class zygote # Property service class property_service # userspace +# Service manager +class service_manager # userspace + # FLASK diff --git a/service.te b/service.te new file mode 100644 index 000000000..650ac139e --- /dev/null +++ b/service.te 
@@ -0,0 +1,10 @@
+type default_android_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type healthd_service, service_manager_type;
+type inputflinger_service, service_manager_type;
+type keystore_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type nfc_service, service_manager_type;
+type radio_service, service_manager_type;
+type surfaceflinger_service, service_manager_type;
+type system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
new file mode 100644
index 000000000..3720b46b8
--- /dev/null
+++ b/service_contexts
@@ -0,0 +1,96 @@
+accessibility u:object_r:system_server_service:s0
+account u:object_r:system_server_service:s0
+activity u:object_r:system_server_service:s0
+alarm u:object_r:system_server_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+appops u:object_r:system_server_service:s0
+appwidget u:object_r:system_server_service:s0
+assetatlas u:object_r:system_server_service:s0
+audio u:object_r:system_server_service:s0
+backup u:object_r:system_server_service:s0
+batteryproperties u:object_r:healthd_service:s0
+batterystats u:object_r:system_server_service:s0
+battery u:object_r:system_server_service:s0
+bluetooth_manager u:object_r:system_server_service:s0
+clipboard u:object_r:system_server_service:s0
+com.android.internal.telephony.mms.IMms u:object_r:system_server_service:s0
+commontime_management u:object_r:system_server_service:s0
+connectivity u:object_r:system_server_service:s0
+consumer_ir u:object_r:system_server_service:s0
+content u:object_r:system_server_service:s0
+country_detector u:object_r:system_server_service:s0
+cpuinfo u:object_r:system_server_service:s0
+dbinfo u:object_r:system_server_service:s0
+device_policy u:object_r:system_server_service:s0
+devicestoragemonitor u:object_r:system_server_service:s0
+diskstats u:object_r:system_server_service:s0
+display.qservice u:object_r:surfaceflinger_service:s0
+display u:object_r:system_server_service:s0
+DockObserver u:object_r:system_server_service:s0
+dreams u:object_r:system_server_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:system_server_service:s0
+entropy u:object_r:system_server_service:s0
+ethernet u:object_r:system_server_service:s0
+gfxinfo u:object_r:system_server_service:s0
+hardware u:object_r:system_server_service:s0
+hdmi_control u:object_r:system_server_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:system_server_service:s0
+input u:object_r:system_server_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+launcherapps u:object_r:system_server_service:s0
+location u:object_r:system_server_service:s0
+lock_settings u:object_r:system_server_service:s0
+media.audio_flinger u:object_r:mediaserver_service:s0
+media.audio_policy u:object_r:mediaserver_service:s0
+media.camera u:object_r:mediaserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media_router u:object_r:system_server_service:s0
+media_session u:object_r:system_server_service:s0
+meminfo u:object_r:system_server_service:s0
+mount u:object_r:system_server_service:s0
+netpolicy u:object_r:system_server_service:s0
+netstats u:object_r:system_server_service:s0
+network_management u:object_r:system_server_service:s0
+network_score u:object_r:system_server_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:system_server_service:s0
+package u:object_r:system_server_service:s0
+permission u:object_r:system_server_service:s0
+phone u:object_r:radio_service:s0
+power u:object_r:system_server_service:s0
+print u:object_r:system_server_service:s0
+procstats u:object_r:system_server_service:s0
+restrictions u:object_r:system_server_service:s0
+samplingprofiler u:object_r:system_server_service:s0
+scheduling_policy u:object_r:system_server_service:s0
+search u:object_r:system_server_service:s0
+sensorservice u:object_r:system_server_service:s0
+serial u:object_r:system_server_service:s0
+servicediscovery u:object_r:system_server_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+statusbar u:object_r:system_server_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+task u:object_r:system_server_service:s0
+telecomm u:object_r:radio_service:s0
+telephony.registry u:object_r:system_server_service:s0
+textservices u:object_r:system_server_service:s0
+trust u:object_r:system_server_service:s0
+tv_input u:object_r:system_server_service:s0
+uimode u:object_r:system_server_service:s0
+updatelock u:object_r:system_server_service:s0 +usagestats u:object_r:system_server_service:s0 +usb u:object_r:system_server_service:s0 +user u:object_r:system_server_service:s0 +vibrator u:object_r:system_server_service:s0 +voiceinteraction u:object_r:system_server_service:s0 +wallpaper u:object_r:system_server_service:s0 +wifip2p u:object_r:system_server_service:s0 +wifiscanner u:object_r:system_server_service:s0 +wifi u:object_r:system_server_service:s0 +window u:object_r:system_server_service:s0 + +* u:object_r:default_android_service:s0 diff --git a/servicemanager.te b/servicemanager.te index a78a485bb..f3dbca8f1 100644 --- a/servicemanager.te +++ b/servicemanager.te @@ -12,3 +12,10 @@ init_daemon_domain(servicemanager) # or initiates a Binder IPC. allow servicemanager self:binder set_context_mgr; allow servicemanager domain:binder transfer; + +# Get contexts of binder services that call servicemanager. +allow servicemanager binderservicedomain:dir search; +allow servicemanager binderservicedomain:file { read open }; +allow servicemanager binderservicedomain:process getattr; +# Check SELinux permissions. +selinux_check_access(servicemanager) diff --git a/surfaceflinger.te b/surfaceflinger.te index 6a40bfcbc..c50861209 100644 --- a/surfaceflinger.te +++ b/surfaceflinger.te @@ -57,6 +57,8 @@ r_dir_file(surfaceflinger, dumpstate) allow surfaceflinger tee:unix_stream_socket connectto; allow surfaceflinger tee_device:chr_file rw_file_perms; +allow surfaceflinger surfaceflinger_service:service_manager add; + ### ### Neverallow rules ### diff --git a/system_server.te b/system_server.te index aa4d6c403..11a1ebec6 100644 --- a/system_server.te +++ b/system_server.te @@ -350,6 +350,8 @@ allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms }; allow system_server pstorefs:dir r_dir_perms; allow system_server pstorefs:file r_file_perms; +allow system_server system_server_service:service_manager add; + ### ### Neverallow rules ### -- GitLab
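Review bot: service_contexts carries no header explaining the line format or the match semantics, and the ordering of `display.qservice` before `display` (and the `media.*` entries) suggests the lookup may be prefix-based like property_contexts; if it is, order is load-bearing and the trailing `* u:object_r:default_android_service:s0` must remain the last entry, and if the match is exact the ordering is cosmetic — either way a comment such as `# <service name> <security context>; names not listed fall back to the final (*) entry` should state which. A comment on the `*` line itself noting that registrations landing on default_android_service are the case auditallow'd in binderservicedomain.te would also tie the two files together for the next reader.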
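Review bot: The new read access (`dir search`, `file { read open }`, `process getattr`) is granted only against binderservicedomain, so servicemanager can determine the caller's context only for those domains; presumably an add attempted from any other domain fails at the context lookup rather than at the `selinux_check_access` decision, and that lookup failure has to be treated as a denied add. Worth stating in the comment, e.g. `# Get contexts of binder services that call servicemanager; lookups for callers outside binderservicedomain fail and must be treated as a denied add`, and worth confirming that the companion servicemanager code change fails closed on that path.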