diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
new file mode 100644
index 000000000..1eaf9ef58
--- /dev/null
+++ b/target/board/generic/sepolicy/createns.te
@@ -0,0 +1,14 @@
+# Network namespace creation
+type createns, domain;
+type createns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(createns)
+
+allow createns self:capability { sys_admin net_raw setuid setgid };
+allow createns varrun_file:dir { add_name search write };
+allow createns varrun_file:file { create mounton open read write };
+
+#Allow createns itself to be run by init in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+allow createns goldfish_setup:fd use;
+
diff --git a/target/board/generic/sepolicy/dhcpclient.te b/target/board/generic/sepolicy/dhcpclient.te
new file mode 100644
index 000000000..df71fca38
--- /dev/null
+++ b/target/board/generic/sepolicy/dhcpclient.te
@@ -0,0 +1,20 @@
+# DHCP client
+type dhcpclient, domain;
+type dhcpclient_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpclient)
+net_domain(dhcpclient)
+
+allow dhcpclient execns:fd use;
+
+set_prop(dhcpclient, net_eth0_prop);
+allow dhcpclient self:capability { net_admin net_raw };
+allow dhcpclient self:udp_socket create;
+allow dhcpclient self:netlink_route_socket { write nlmsg_write };
+allow dhcpclient varrun_file:dir search;
+allow dhcpclient self:packet_socket { create bind write read };
+allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
+ SIOCSIFADDR
+ SIOCSIFNETMASK
+ SIOCSIFMTU
+ SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/dhcpserver.te b/target/board/generic/sepolicy/dhcpserver.te
new file mode 100644
index 000000000..7e8ba263a
--- /dev/null
+++ b/target/board/generic/sepolicy/dhcpserver.te
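Review bot: The comment `#Allow createns itself to be run by init in its own domain` sits above `domain_auto_trans(goldfish_setup, createns_exec, createns);`, whose source domain is goldfish_setup, not init (the init transition in this series is the one in execns.te). It should read `# Allow goldfish_setup to run createns in its own domain`, matching the wording used for the same transition in goldfish_setup.te. Separately, `allow createns self:capability { sys_admin net_raw setuid setgid };` grants four capabilities with nothing saying which operation needs each one; a short per-capability note (sys_admin presumably for the namespace and bind-mount work, setuid/setgid for whatever credential change createns performs) would let a later reviewer shrink the set with confidence.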
@@ -0,0 +1,12 @@
+# DHCP server
+type dhcpserver, domain;
+type dhcpserver_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dhcpserver)
+net_domain(dhcpserver)
+
+allow dhcpserver execns:fd use;
+
+get_prop(dhcpserver, net_eth0_prop);
+allow dhcpserver self:udp_socket { ioctl create setopt bind };
+allow dhcpserver self:capability { net_raw net_bind_service };
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
new file mode 100644
index 000000000..9675a99c7
--- /dev/null
+++ b/target/board/generic/sepolicy/execns.te
@@ -0,0 +1,34 @@
+# Network namespace transitions
+type execns, domain;
+type execns_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(execns)
+
+allow execns varrun_file:dir search;
+allow execns varrun_file:file r_file_perms;
+allow execns self:capability sys_admin;
+allow execns nsfs:file { open read };
+
+#Allow execns itself to be run by init in its own domain
+domain_auto_trans(init, execns_exec, execns);
+
+# Allow dhcpclient to be run by execns in its own domain
+domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
+
+# Allow dhcpserver to be run by execns in its own domain
+domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
+
+# Rules to allow execution of hostapd and allow it to run
+allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };
+allow execns self:capability { net_admin net_raw };
+allow execns self:netlink_generic_socket { bind create getattr read setopt write };
+allow execns self:netlink_route_socket { bind create read write nlmsg_write };
+allow execns execns:udp_socket { create ioctl };
+allow execns self:packet_socket { create setopt };
+allow execns sysfs_net:dir { search };
+allowxperm execns self:udp_socket ioctl priv_sock_ioctls;
+
+# Allow execns to read createns proc file to get the namespace file
+allow execns createns:file read;
+allow execns createns:dir search;
+allow execns createns:lnk_file read;
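Review bot: `allow execns hal_wifi_hostapd_default_exec:file { execute_no_trans };` runs hostapd inside the execns domain, so the daemon that handles untrusted wireless input inherits execns's sys_admin, net_admin and netlink rights instead of the narrower hal_wifi_hostapd_default domain that this exec type normally transitions into. If the goal is only to launch hostapd inside the namespace, `domain_auto_trans(execns, hal_wifi_hostapd_default_exec, hal_wifi_hostapd_default);` plus an `:fd use` rule, as the hunk already does for dhcpclient and dhcpserver, keeps the privilege split; if execute_no_trans is deliberate, the comment `# Rules to allow execution of hostapd and allow it to run` should say why the transition is avoided. A point of style: `allow execns execns:udp_socket { create ioctl };` should use `self` like the neighbouring rules, and the same applies to `allow hal_wifi_default hal_wifi_default:netlink_route_socket ...` in hal_wifi_default.te.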
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
new file mode 100644
index 000000000..b0aa217ae
--- /dev/null
+++ b/target/board/generic/sepolicy/file.te
@@ -0,0 +1,4 @@
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type varrun_file, file_type, data_file_type, mlstrustedobject;
+type mediadrm_vendor_data_file, file_type, data_file_type;
+type nsfs, fs_type;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
index 521c65ee6..73fe75245 100644
--- a/target/board/generic/sepolicy/file_contexts
+++ b/target/board/generic/sepolicy/file_contexts
@@ -17,7 +17,13 @@
 /dev/ttyS2 u:object_r:console_device:s0
 /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
+/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
+/vendor/bin/createns u:object_r:createns_exec:s0
+/vendor/bin/execns u:object_r:execns_exec:s0
+/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
+/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
+/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
@@ -33,3 +39,8 @@
 /vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
+
+# data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
+
diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
index 91cedf13d..1b816263b 100644
--- a/target/board/generic/sepolicy/genfs_contexts
+++ b/target/board/generic/sepolicy/genfs_contexts
@@ -15,3 +15,6 @@ genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
 genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
+
+# /proc//ns
+genfscon nsfs / u:object_r:nsfs:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
index eb913e921..3041436b3 100644
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ b/target/board/generic/sepolicy/goldfish_setup.te
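Review bot: The comment `# /proc//ns` above `genfscon nsfs / u:object_r:nsfs:s0` has lost its middle path component; it was presumably `# /proc/<pid>/ns` and the angle-bracket placeholder may have been stripped when the page was rendered, but as committed it is meaningless. It would also help to say what the label is for, e.g. `# /proc/<pid>/ns/* namespace files, opened by execns and goldfish_setup`, since nothing else in the hunk explains why a new nsfs filesystem type is introduced.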
@@ -4,10 +4,44 @@ type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(goldfish_setup)
-set_prop(goldfish_setup, debug_prop);
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(goldfish_setup, debug_prop);
 allow goldfish_setup self:capability { net_admin net_raw };
 allow goldfish_setup self:udp_socket { create ioctl };
 allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
 allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
 wakelock_use(goldfish_setup);
 allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
+
+# Set system properties to start services
+set_prop(goldfish_setup, ctl_default_prop);
+
+# Set up WiFi
+allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
+allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow goldfish_setup self:capability { sys_module sys_admin };
+allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
+allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
+allow goldfish_setup execns_exec:file rx_file_perms;
+allow goldfish_setup proc_net:file rw_file_perms;
+allow goldfish_setup proc:file r_file_perms;
+allow goldfish_setup nsfs:file r_file_perms;
+allow goldfish_setup system_data_file:dir getattr;
+allow goldfish_setup kernel:system module_request;
+set_prop(goldfish_setup, qemu_prop);
+get_prop(goldfish_setup, net_share_prop);
+# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
+allow goldfish_setup system_file:file execute_no_trans;
+# Allow goldfish_setup to run init.wifi.sh
+allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
+#Allow goldfish_setup to run createns in its own domain
+domain_auto_trans(goldfish_setup, createns_exec, createns);
+# iw
+allow goldfish_setup sysfs:file { read open };
+# iptables
+allow goldfish_setup system_file:file lock;
+allow goldfish_setup self:rawip_socket { create getopt setopt };
+# Allow goldfish_setup to read createns proc file to get the namespace file
+allow goldfish_setup createns:file { read };
+allow goldfish_setup createns:dir { search };
+allow goldfish_setup createns:lnk_file { read };
diff --git a/target/board/generic/sepolicy/hal_drm_widevine.te b/target/board/generic/sepolicy/hal_drm_widevine.te
index 42d462a75..d49000d14 100644
--- a/target/board/generic/sepolicy/hal_drm_widevine.te
+++ b/target/board/generic/sepolicy/hal_drm_widevine.te
@@ -10,3 +10,5 @@ allow hal_drm { appdomain -isolated_app }:fd use;
 vndbinder_use(hal_drm_widevine);
 hal_client_domain(hal_drm_widevine, hal_graphics_composer);
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
diff --git a/target/board/generic/sepolicy/hal_gnss_default.te b/target/board/generic/sepolicy/hal_gnss_default.te
index ddc68cc69..0dd3d0356 100644
--- a/target/board/generic/sepolicy/hal_gnss_default.te
+++ b/target/board/generic/sepolicy/hal_gnss_default.te
@@ -1 +1,3 @@
-vndbinder_use(hal_gnss_default);
+#============= hal_gnss_default ==============
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/target/board/generic/sepolicy/hal_graphics_composer_default.te b/target/board/generic/sepolicy/hal_graphics_composer_default.te
index 40ecda659..034bdeff9 100644
--- a/target/board/generic/sepolicy/hal_graphics_composer_default.te
+++ b/target/board/generic/sepolicy/hal_graphics_composer_default.te
@@ -1 +1,3 @@
-vndbinder_use(hal_graphics_composer_default);
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
+
diff --git a/target/board/generic/sepolicy/hal_wifi_default.te b/target/board/generic/sepolicy/hal_wifi_default.te
new file mode 100644
index 000000000..de4b9969b
--- /dev/null
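Review bot: `allow goldfish_setup system_file:file execute_no_trans;` is much wider than its comment `# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw`: it lets a domain that in the same hunk gains `sys_module sys_admin`, `kernel:system module_request` and `set_prop(goldfish_setup, ctl_default_prop)` execute any system_file binary in its own context. If only ip and iw are needed, consider running the WiFi setup through a narrower child domain, as the hunk already does for createns via `domain_auto_trans(goldfish_setup, createns_exec, createns);`; if the broad rule is intentional, the comment should say so rather than list two binaries. `set_prop(goldfish_setup, ctl_default_prop);` under `# Set system properties to start services` should likewise name the services it starts, since by default ctl.* covers every service init knows about.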
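Review bot: `#============= hal_gnss_default ==============` followed by `allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };` reads as audit2allow output pasted in place of the removed `vndbinder_use(hal_gnss_default);`, and hal_graphics_composer_default.te makes the same substitution. The upstream macro also grants binder call/transfer with vndservicemanager, so if these HALs still use vndbinder the raw chr_file rule only silences the first denial, and if they no longer do, the device access is unneeded and should be dropped instead of kept. Either way the generated header should be replaced by a comment that records why the macro cannot be used here, e.g. `# TODO(b/<bug-id>): vndbinder_use() replaced by a direct device rule because ...`.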
+++ b/target/board/generic/sepolicy/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
diff --git a/target/board/generic/sepolicy/ipv6proxy.te b/target/board/generic/sepolicy/ipv6proxy.te
new file mode 100644
index 000000000..22976fe9b
--- /dev/null
+++ b/target/board/generic/sepolicy/ipv6proxy.te
@@ -0,0 +1,16 @@
+# IPv6 proxying
+type ipv6proxy, domain;
+type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ipv6proxy)
+net_domain(ipv6proxy)
+
+# Allow ipv6proxy to be run by execns in its own domain
+domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
+allow ipv6proxy execns:fd use;
+
+allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
+allow ipv6proxy self:packet_socket { bind create read };
+allow ipv6proxy self:netlink_route_socket nlmsg_write;
+allow ipv6proxy varrun_file:dir search;
+allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/property.te b/target/board/generic/sepolicy/property.te
index 56e02ef9b..3593a39dd 100644
--- a/target/board/generic/sepolicy/property.te
+++ b/target/board/generic/sepolicy/property.te
@@ -1,3 +1,5 @@
 type qemu_prop, property_type;
 type qemu_cmdline, property_type;
 type radio_noril_prop, property_type;
+type net_eth0_prop, property_type;
+type net_share_prop, property_type;
diff --git a/target/board/generic/sepolicy/property_contexts b/target/board/generic/sepolicy/property_contexts
index 3a61b6ba8..f7a241cfb 100644
--- a/target/board/generic/sepolicy/property_contexts
+++ b/target/board/generic/sepolicy/property_contexts
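Review bot: `allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };` gives a daemon that reads raw traffic through `self:packet_socket { bind create read }` both sys_admin and sys_module, the two capabilities that most directly turn a parser bug into a full compromise, and nothing in the hunk shows what either is used for (there is no `kernel:system module_request` or mount-related rule that would explain them). Each capability deserves a why-comment, and sys_admin and sys_module should be dropped unless ipv6proxy really loads modules or manipulates namespaces itself rather than relying on execns, which already owns that work. The net_admin/net_raw pair is consistent with the netlink and packet rules that follow and needs no change.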
@@ -1,5 +1,8 @@
 qemu. u:object_r:qemu_prop:s0
 qemu.cmdline u:object_r:qemu_cmdline:s0
+vendor.qemu u:object_r:qemu_prop:s0
 ro.emu. u:object_r:qemu_prop:s0
 ro.emulator. u:object_r:qemu_prop:s0
 ro.radio.noril u:object_r:radio_noril_prop:s0
+net.eth0. u:object_r:net_eth0_prop:s0
+net.shared_net_ip u:object_r:net_share_prop:s0
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
index 0f5ec8c94..b3e2d9552 100644
--- a/target/board/generic/sepolicy/qemu_props.te
+++ b/target/board/generic/sepolicy/qemu_props.te
@@ -5,5 +5,6 @@ type qemu_props_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(qemu_props)
 set_prop(qemu_props, qemu_prop)
-set_prop(qemu_props, dalvik_prop)
+# TODO(b/79502552): Invalid property access from emulator vendor
+#set_prop(qemu_props, qemu_cmdline)
 set_prop(qemu_props, qemu_cmdline)
diff --git a/target/board/generic/sepolicy/radio.te b/target/board/generic/sepolicy/radio.te
new file mode 100644
index 000000000..742d3b2d2
--- /dev/null
+++ b/target/board/generic/sepolicy/radio.te
@@ -0,0 +1,3 @@
+# Allow the radio to read these properties, they only have an SELinux label in
+# the emulator.
+get_prop(radio, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
new file mode 100644
index 000000000..ea183739a
--- /dev/null
+++ b/target/board/generic/sepolicy/rild.te
@@ -0,0 +1,3 @@
+# Allow rild to read these properties, they only have an SELinux label in the
+# emulator.
+get_prop(rild, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/vendor_init.te b/target/board/generic/sepolicy/vendor_init.te
new file mode 100644
index 000000000..b18d3913f
--- /dev/null
+++ b/target/board/generic/sepolicy/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, qemu_prop)
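Review bot: `vendor.qemu u:object_r:qemu_prop:s0` is written without the trailing dot that the neighbouring prefixes `qemu.`, `ro.emu.` and `ro.emulator.` carry, so as a prefix match it also labels any property whose name merely begins with `vendor.qemu`. If the `vendor.qemu.*` tree is meant it should read `vendor.qemu. u:object_r:qemu_prop:s0`; if a single exact property is meant, a comment should say so. `net.eth0.` now carries the new net_eth0_prop label that dhcpclient sets and radio/rild read, and a one-line comment naming the properties expected under it would help, since nothing on the page says which ones they are.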
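Review bot: The new commented-out line `#set_prop(qemu_props, qemu_cmdline)` under `# TODO(b/79502552): Invalid property access from emulator vendor` does not match what the hunk removes: the deleted rule is `set_prop(qemu_props, dalvik_prop)`, and `set_prop(qemu_props, qemu_cmdline)` is still active on the very next line, so the TODO points at a rule that remains in force. Either the placeholder should be `#set_prop(qemu_props, dalvik_prop)` so it records the access actually dropped, as goldfish_setup.te does with `#set_prop(goldfish_setup, debug_prop);`, or, if the intent was to disable qemu_cmdline access, the live `set_prop(qemu_props, qemu_cmdline)` line should be the one removed.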