Clean up, unify, and deduplicate app domain rules.

Coalesce a number of allow rules replicated among multiple app domains. Get rid of duplicated rules already covered by domain, appdomain, or platformappdomain rules. Split the platformappdomain rules to their own platformappdomain.te file, document them more fully, and note the inheritance in each of the relevant *_app.te files. Generalize isolated app unix_stream_socket rules to all app domains to resolve denials such as: avc: denied { read write } for pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket avc: denied { read write } for pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getattr } for pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket avc: denied { getopt } for pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket Change-Id: I770d7d51d498b15447219083739153265d951fe5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
TeamFlex · Mar 7, 2014 · b0db712 · b0db712
1 parent d9d9d2f
commit b0db712
Show file tree

Hide file tree

Showing 12 changed files with 36 additions and 81 deletions.
diff --git a/app.te b/app.te
@@ -42,7 +42,7 @@ allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 allow appdomain appdomain:fifo_file rw_file_perms;
 
 # Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@ allow appdomain anr_data_file:file { open append };
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@ binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
 
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
@@ -112,6 +109,10 @@ allow appdomain download_file:file r_file_perms;
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
 
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #

diff --git a/bluetooth.te b/bluetooth.te
@@ -43,10 +43,6 @@ unix_socket_connect(bluetooth, property, init)
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
-
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;
 

diff --git a/isolated_app.te b/isolated_app.te
@@ -12,12 +12,3 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;
diff --git a/media_app.te b/media_app.te
@@ -10,20 +10,15 @@ binder_service(media_app)
 net_domain(media_app)
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
 allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
 allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
+
+# inherits from platformappdomain.te
diff --git a/nfc.te b/nfc.te
@@ -13,6 +13,3 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;
diff --git a/platform_app.te b/platform_app.te
@@ -10,10 +10,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@ allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 # Access download files.
 allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
 
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/platformappdomain.te b/platformappdomain.te
@@ -0,0 +1,21 @@
+#
+# Rules for all platform app domains.
+# These rules are inherited by any domain that includes platform_app_domain().
+# Presently this consists of the four app domains corresponding to apps
+# signed by one of the four build keys: platform_app, shared_app, media_app,
+# release_app.  These app domains use platform_app_data_file rather
+# than app_data_file for their /data/data directories (as specified via
+# type= in seapp_contexts) and have greater permissions to specific
+# directories owned by groups that are restricted to apps with
+# Android permissions that are signature|system.
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
+# Write to /cache.
+allow platformappdomain cache_file:dir create_dir_perms;
+allow platformappdomain cache_file:file create_file_perms;
diff --git a/release_app.te b/release_app.te
@@ -11,6 +11,4 @@ net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
 
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/shared_app.te b/shared_app.te
@@ -10,3 +10,5 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
+
+# inherits from platformappdomain.te
diff --git a/shelldomain.te b/shelldomain.te
@@ -5,10 +5,6 @@ allow shelldomain shell_data_file:dir create_dir_perms;
 allow shelldomain shell_data_file:file create_file_perms;
 allow shelldomain shell_data_file:file rx_file_perms;
 
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
-
 # adb bugreport
 unix_socket_connect(shelldomain, dumpstate, dumpstate)
 
@@ -29,13 +25,3 @@ allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;
diff --git a/system_app.te b/system_app.te
@@ -20,12 +20,6 @@ allow system_app wallpaper_file:file r_file_perms;
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;

diff --git a/untrusted_app.te b/untrusted_app.te
@@ -32,14 +32,6 @@ allow untrusted_app app_data_file:file rx_file_perms;
 
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-
 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;