Confine system_server, but leave it permissive for now. Change-Id: Ia0de9d739575c34a7391db5f0be24048d89a7bd1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 1ff644112e260d2aab55e696b32350dcda0a99b8 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Tue Oct 29 14:42:40 2013 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Tue Oct 29 14:49:29 2013 -0400
tree: d14b9b6f9dc725c6912236ab274987952b3c02c9
parent: fd22922d596d6816adf2f4eee050d3cac3e9ce16 [diff] [blame]
diff --git a/system_server.te b/system_server.te
index 2e86b6a..cae5cb0 100644
--- a/system_server.te
+++ b/system_server.te

@@ -2,9 +2,20 @@
 # System Server aka system_server spawned by zygote.
 # Most of the framework services run in this process.
 #
-type system_server, domain;
-unconfined_domain(system_server);
-relabelto_domain(system_server);
+type system_server, domain, mlstrustedsubject;
+permissive system_server;
+
+# Dalvik Compiler JIT Mapping.
+allow system_server self:process execmem;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+allow system_server zygote_tmpfs:file read;
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+bluetooth_domain(system_server)
 
 # These are the capabilities assigned by the zygote to the
 # system server.
@@ -22,6 +33,124 @@
     sys_tty_config
 };
 
+# Triggered by /proc/pid accesses, not allowed.
+dontaudit system_server self:capability sys_ptrace;
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket *;
+
+# Kill apps.
+allow system_server appdomain:process { sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+
+# Read /proc data for apps.
+allow system_server appdomain:dir r_dir_perms;
+allow system_server appdomain:{ file lnk_file } rw_file_perms;
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file rw_file_perms;
+allow system_server qtaguid_device:chr_file rw_file_perms;
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file r_file_perms;
+
+# WifiWatchdog uses a packet_socket
+allow system_server self:packet_socket *;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create;
+
+# Notify init of death.
+allow system_server init:process sigchld;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, property, init)
+unix_socket_connect(system_server, qemud, qemud)
+unix_socket_connect(system_server, installd, installd)
+unix_socket_connect(system_server, netd, netd)
+unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, keystore, keystore)
+unix_socket_connect(system_server, gps, gpsd)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_send(system_server, wpa, wpa)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Perform Binder IPC.
+tmpfs_domain(system_server)
+binder_use(system_server)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, appdomain)
+binder_service(system_server)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(system_server, appdomain)
+r_dir_file(system_server, mediaserver)
+allow system_server appdomain:process getattr;
+allow system_server mediaserver:process getattr;
+
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+# XXX Label sysfs files with a specific type?
+allow system_server sysfs:file rw_file_perms;
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server graphics_device:dir search;
+allow system_server graphics_device:chr_file rw_file_perms;
+allow system_server iio_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server urandom_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server qemu_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+
+# Manage data files.
+allow system_server data_file_type:dir create_dir_perms;
+allow system_server data_file_type:notdevfile_class_set create_file_perms;
+
+# Read /file_contexts and /data/security/file_contexts
+security_access_policy(system_server)
+
+# Relabel apk files.
+relabelto_domain(system_server)
+allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file rw_file_perms;
+
+# Relabel /data/anr.
+allow system_server system_data_file:dir relabelfrom;
+allow system_server anr_data_file:dir relabelto;
+
+# Property Service write
+allow system_server system_prop:property_service set;
+allow system_server radio_prop:property_service set;
+
+# ctl interface
+allow system_server ctl_default_prop:property_service set;
+
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
 allow system_server system_wpa_socket:sock_file create_file_perms;
@@ -30,20 +159,53 @@
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
+# Specify any arguments to zygote.
 allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
 
+# Manage cache files.
+allow system_server cache_file:dir { relabelfrom create_dir_perms };
+allow system_server cache_file:file { relabelfrom create_file_perms };
+
+# Run system programs, e.g. dexopt.
+allow system_server system_file:file x_file_perms;
+
+# Allow reading of /proc/pid data for other domains.
+# XXX dontaudit candidate
+allow system_server domain:dir r_dir_perms;
+allow system_server domain:file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_device:chr_file rw_file_perms;
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets.
+allow system_server appdomain:{ tcp_socket udp_socket } { setopt read write };
+
+# Allow abstract socket connection
+allow system_server rild:unix_stream_socket connectto;
+
+# connect to vpn tunnel
+allow system_server mtp:unix_stream_socket { connectto };
+
+# BackupManagerService lets PMS create a data backup file
+allow system_server cache_backup_file:file create_file_perms;
+# Relabel /data/backup
+allow system_server backup_data_file:dir { relabelto relabelfrom };
+# Relabel /cache/.*\.{data|restore}
+allow system_server cache_backup_file:file { relabelto relabelfrom };
+# LocalTransport creates and relabels /cache/backup
+allow system_server cache_backup_file:dir { relabelto relabelfrom create_dir_perms };
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Allow system to talk to sensors
+allow system_server sensors_device:chr_file rw_file_perms;
+
 # Read from HW RNG (needed by EntropyMixer).
 allow system_server hw_random_device:chr_file r_file_perms;
 
-allow system_server backup_data_file:dir relabelto;
-allow system_server cache_backup_file:dir relabelto;
-allow system_server anr_data_file:dir relabelto;
-allow system_server system_data_file:dir relabelto;
-allow system_server apk_data_file:file relabelto;
-allow system_server apk_tmp_file:file relabelto;
-allow system_server cache_backup_file:file relabelto;
-allow system_server apk_private_tmp_file:file relabelto;
-allow system_server wallpaper_file:file relabelto;
-
 # Access to wake locks
 allow system_server sysfs_wake_lock:file rw_file_perms;
commit	1ff644112e260d2aab55e696b32350dcda0a99b8	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Tue Oct 29 14:42:40 2013 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Tue Oct 29 14:49:29 2013 -0400
tree	d14b9b6f9dc725c6912236ab274987952b3c02c9
parent	fd22922d596d6816adf2f4eee050d3cac3e9ce16 [diff] [blame]