* three patches to external/sepolicy
@ 2012-07-19 21:49 Haiqing Jiang
  2012-07-19 21:49 ` [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app Haiqing Jiang
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-19 21:49 UTC
  To: selinux; +Cc: sds, bill.c.roberts

[PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app
The applications installed from third parties, which will be "untrusted_app" (e.g., CTS test APKs), do not have "seinfo==media".
Therefore, these applications will not be labeled as "media_app" (policy in seapp_contexts). But these applications will
call the same permissions as a regular media_app. So, we need to add these untrusted_app apps to the media_app class.

Note that those applications are for the CTS test (currently we have not found others). So a better way would be to propose
a bool-enabled scheme in seapp_contexts, which was discussed among us yesterday. We could update later
if the new scheme is done. (Waiting for you guys' comments)

[PATCH 2/3] external/sepolicy: install daemon link/unlink application data files
The installer daemon gets the permissions (link, unlink) on the application data files.

[PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps
system gets the read/write permissions on udp_socket related to untrusted applications.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app
  2012-07-19 21:49 three patches to external/sepolicy Haiqing Jiang
@ 2012-07-19 21:49 ` Haiqing Jiang
  2012-07-23 13:17   ` Stephen Smalley
  2012-07-19 21:49 ` [PATCH 2/3] external/sepolicy: install daemon link/unlink application data files Haiqing Jiang
  2012-07-19 21:49 ` [PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps Haiqing Jiang
  2 siblings, 1 reply; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-19 21:49 UTC
  To: selinux; +Cc: sds, bill.c.roberts, hqjiang

From: hqjiang <hqjiang1988@gmail.com>

---
 seapp_contexts |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/seapp_contexts b/seapp_contexts
index 502206a..1e98f91 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app levelFromUid=true
 user=app_* seinfo=media domain=media_app levelFromUid=true
 user=app_* seinfo=release domain=release_app levelFromUid=true
 user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* name=android.process.media domain=media_app levelFromUid=true
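
Review bot: the added rule on the last line of this hunk selects on name=android.process.media with no seinfo= selector, while the three context rules above it all require one (seinfo=media, seinfo=release). The name is a string the app supplies, so as written the rule places any app presenting that name into media_app whatever it is signed with. Keep a seinfo= selector on the rule, or hold the change until the bool-enabled scheme mentioned in the cover letter exists. The commit body is also empty; the rationale from the cover letter belongs in it.
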
-- 
1.7.0.4



* [PATCH 2/3] external/sepolicy: install daemon link/unlink application data files
  2012-07-19 21:49 three patches to external/sepolicy Haiqing Jiang
  2012-07-19 21:49 ` [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app Haiqing Jiang
@ 2012-07-19 21:49 ` Haiqing Jiang
  2012-07-23 13:18   ` Stephen Smalley
  2012-07-19 21:49 ` [PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps Haiqing Jiang
  2 siblings, 1 reply; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-19 21:49 UTC
  To: selinux; +Cc: sds, bill.c.roberts, hqjiang

From: hqjiang <hqjiang1988@gmail.com>

---
 installd.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/installd.te b/installd.te
index 466125e..5211f0a 100644
--- a/installd.te
+++ b/installd.te
@@ -20,3 +20,5 @@ dontaudit installd self:capability sys_admin;
 selinux_check_context(installd)
 # Read /seapp_contexts, presently on the rootfs.
 allow installd rootfs:file r_file_perms;
+# Link/Unlink app_data_file
+allow installd app_data_file:lnk_file link_file_perms;
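
Review bot: the new allow rule grants link_file_perms on class lnk_file and its comment says "Link/Unlink", but lnk_file is the symlink class, where hard-linking does not fit, and the macro hides which permissions are actually handed out. List only the permissions seen in the denial, for example "allow installd app_data_file:lnk_file unlink;" if that is all that was observed, and make the comment match. The commit body is empty; state the installd operation that triggered the denial.
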
-- 
1.7.0.4



* [PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps
  2012-07-19 21:49 three patches to external/sepolicy Haiqing Jiang
  2012-07-19 21:49 ` [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app Haiqing Jiang
  2012-07-19 21:49 ` [PATCH 2/3] external/sepolicy: install daemon link/unlink application data files Haiqing Jiang
@ 2012-07-19 21:49 ` Haiqing Jiang
  2012-07-23 13:20   ` Stephen Smalley
  2 siblings, 1 reply; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-19 21:49 UTC
  To: selinux; +Cc: sds, bill.c.roberts, hqjiang

From: hqjiang <hqjiang1988@gmail.com>

---
 system.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/system.te b/system.te
index a4065cf..5c34f81 100644
--- a/system.te
+++ b/system.te
@@ -196,3 +196,6 @@ allow system domain:file r_file_perms;
 # to uart driver and ctrl proc entry
 allow system gps_device:chr_file rw_file_perms;
 allow system gps_control:file rw_file_perms;
+
+# system Read/Write udp_socket of untrusted_app
+allow system untrusted_app:udp_socket { read write };
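
Review bot: the comment on the new rule restates it without saying why system needs read/write on a socket owned by another domain; name the code path that hands the socket over so the grant can be judged. The rule is also written against untrusted_app only, so other app domains reaching the same path would still be denied; decide whether the appdomain attribute is the right target and say so in the commit message, which is currently empty.
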
-- 
1.7.0.4



* Re: [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app
  2012-07-19 21:49 ` [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app Haiqing Jiang
@ 2012-07-23 13:17   ` Stephen Smalley
  2012-07-23 16:08     ` Haiqing Jiang
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2012-07-23 13:17 UTC
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> From: hqjiang <hqjiang1988@gmail.com>
> 
> ---
>  seapp_contexts |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/seapp_contexts b/seapp_contexts
> index 502206a..1e98f91 100644
> --- a/seapp_contexts
> +++ b/seapp_contexts
> @@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app levelFromUid=true
>  user=app_* seinfo=media domain=media_app levelFromUid=true
>  user=app_* seinfo=release domain=release_app levelFromUid=true
>  user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
> +user=app_* name=android.process.media domain=media_app levelFromUid=true

Wouldn't this allow an arbitrary third party app to run in media_app,
just by using android.process.media as its package name?

-- 
Stephen Smalley
National Security Agency
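
The concern raised in the reply above can be checked mechanically before a seapp_contexts change is merged. The following is an added example, not code from this thread or from the sepolicy project: a small lint that flags rules granting a non-default domain on name= alone. It assumes that a rule omitting seinfo= places no constraint on how the app is signed and that untrusted_app is the default domain; parse_rule, name_only_rules, BEFORE and AFTER are hypothetical names.

```python
# Assumption: third-party apps with no special signature land in this domain.
DEFAULT_DOMAIN = "untrusted_app"


def parse_rule(line):
    """Split one seapp_contexts line into a dict of key=value pairs."""
    line = line.split("#", 1)[0].strip()  # drop comments and whitespace
    if not line:
        return None
    rule = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r}")
        rule[key] = value
    return rule


def name_only_rules(text):
    """Return (lineno, name, domain) for every rule that assigns a
    non-default domain based on name= without also requiring seinfo=."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        domain = rule.get("domain")
        if ("name" in rule and "seinfo" not in rule
                and domain not in (None, DEFAULT_DOMAIN)):
            findings.append((lineno, rule["name"], domain))
    return findings


# Input built from the lines visible in the hunk: the three context
# rules (BEFORE), then the same file with the added rule (AFTER).
BEFORE = """\
user=app_* seinfo=media domain=media_app levelFromUid=true
user=app_* seinfo=release domain=release_app levelFromUid=true
user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
"""
AFTER = BEFORE + "user=app_* name=android.process.media domain=media_app levelFromUid=true\n"

if __name__ == "__main__":
    for lineno, name, domain in name_only_rules(AFTER):
        print(f"line {lineno}: name={name} -> {domain} without seinfo=")
```
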



* Re: [PATCH 2/3] external/sepolicy: install daemon link/unlink application data files
  2012-07-19 21:49 ` [PATCH 2/3] external/sepolicy: install daemon link/unlink application data files Haiqing Jiang
@ 2012-07-23 13:18   ` Stephen Smalley
  2012-07-23 16:15     ` Haiqing Jiang
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2012-07-23 13:18 UTC
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> From: hqjiang <hqjiang1988@gmail.com>
> 
> ---
>  installd.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/installd.te b/installd.te
> index 466125e..5211f0a 100644
> --- a/installd.te
> +++ b/installd.te
> @@ -20,3 +20,5 @@ dontaudit installd self:capability sys_admin;
>  selinux_check_context(installd)
>  # Read /seapp_contexts, presently on the rootfs.
>  allow installd rootfs:file r_file_perms;
> +# Link/Unlink app_data_file
> +allow installd app_data_file:lnk_file link_file_perms;

What actual permissions were required?  link (create a hard link)
doesn't make sense on a symlink (lnk_file).  unlink and rename are
legitimate, but wondering whether anything other than unlink was
required.

-- 
Stephen Smalley
National Security Agency



* Re: [PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps
  2012-07-19 21:49 ` [PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps Haiqing Jiang
@ 2012-07-23 13:20   ` Stephen Smalley
  2012-07-23 16:17     ` Haiqing Jiang
  0 siblings, 1 reply; 10+ messages in thread
From: Stephen Smalley @ 2012-07-23 13:20 UTC
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> From: hqjiang <hqjiang1988@gmail.com>
> 
> ---
>  system.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/system.te b/system.te
> index a4065cf..5c34f81 100644
> --- a/system.te
> +++ b/system.te
> @@ -196,3 +196,6 @@ allow system domain:file r_file_perms;
>  # to uart driver and ctrl proc entry
>  allow system gps_device:chr_file rw_file_perms;
>  allow system gps_control:file rw_file_perms;
> +
> +# system Read/Write udp_socket of untrusted_app
> +allow system untrusted_app:udp_socket { read write };

So an app is passing a socket fd to the system_server over Binder and
the system_server is then writing to the socket?  Wonder why.  Anyway,
rather than writing this only in terms of one app domain
(untrusted_app), cover all cases by using the appdomain attribute, i.e.
allow system appdomain:udp_socket { read write };

-- 
Stephen Smalley
National Security Agency



* Re: [PATCH 1/3] external/sepolicy: the media apps from third-party are labeled with media_app instead of untrusted_app
  2012-07-23 13:17   ` Stephen Smalley
@ 2012-07-23 16:08     ` Haiqing Jiang
  0 siblings, 0 replies; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-23 16:08 UTC
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


Right. It could be. We are thinking of adding a bool-enabled scheme in
seapp_contexts.

On Mon, Jul 23, 2012 at 6:17 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> > From: hqjiang <hqjiang1988@gmail.com>
> >
> > ---
> >  seapp_contexts |    1 +
> >  1 files changed, 1 insertions(+), 0 deletions(-)
> >
> > diff --git a/seapp_contexts b/seapp_contexts
> > index 502206a..1e98f91 100644
> > --- a/seapp_contexts
> > +++ b/seapp_contexts
> > @@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app
> levelFromUid=true
> >  user=app_* seinfo=media domain=media_app levelFromUid=true
> >  user=app_* seinfo=release domain=release_app levelFromUid=true
> >  user=app_* seinfo=release name=com.android.browser domain=browser_app
> levelFromUid=true
> > +user=app_* name=android.process.media domain=media_app levelFromUid=true
>
> Wouldn't this allow an arbitrary third party app to run in media_app,
> just by using android.process.media as its package name?
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University


* Re: [PATCH 2/3] external/sepolicy: install daemon link/unlink application data files
  2012-07-23 13:18   ` Stephen Smalley
@ 2012-07-23 16:15     ` Haiqing Jiang
  0 siblings, 0 replies; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-23 16:15 UTC
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


You are right. The only required permission is unlink.

On Mon, Jul 23, 2012 at 6:18 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> > From: hqjiang <hqjiang1988@gmail.com>
> >
> > ---
> >  installd.te |    2 ++
> >  1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/installd.te b/installd.te
> > index 466125e..5211f0a 100644
> > --- a/installd.te
> > +++ b/installd.te
> > @@ -20,3 +20,5 @@ dontaudit installd self:capability sys_admin;
> >  selinux_check_context(installd)
> >  # Read /seapp_contexts, presently on the rootfs.
> >  allow installd rootfs:file r_file_perms;
> > +# Link/Unlink app_data_file
> > +allow installd app_data_file:lnk_file link_file_perms;
>
> What actual permissions were required?  link (create a hard link)
> doesn't make sense on a symlink (lnk_file).  unlink and rename are
> legitimate, but wondering whether anything other than unlink was
> required.
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University


* Re: [PATCH 3/3] external/sepolicy: system r/w udp_socket of untrusted apps
  2012-07-23 13:20   ` Stephen Smalley
@ 2012-07-23 16:17     ` Haiqing Jiang
  0 siblings, 0 replies; 10+ messages in thread
From: Haiqing Jiang @ 2012-07-23 16:17 UTC
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


That will be fine. Appdomain is more general. Thanks.

On Mon, Jul 23, 2012 at 6:20 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 14:49 -0700, Haiqing Jiang wrote:
> > From: hqjiang <hqjiang1988@gmail.com>
> >
> > ---
> >  system.te |    3 +++
> >  1 files changed, 3 insertions(+), 0 deletions(-)
> >
> > diff --git a/system.te b/system.te
> > index a4065cf..5c34f81 100644
> > --- a/system.te
> > +++ b/system.te
> > @@ -196,3 +196,6 @@ allow system domain:file r_file_perms;
> >  # to uart driver and ctrl proc entry
> >  allow system gps_device:chr_file rw_file_perms;
> >  allow system gps_control:file rw_file_perms;
> > +
> > +# system Read/Write udp_socket of untrusted_app
> > +allow system untrusted_app:udp_socket { read write };
>
> So an app is passing a socket fd to the system_server over Binder and
> the system_server is then writing to the socket?  Wonder why.  Anyway,
> rather than writing this only in terms of one app domain
> (untrusted_app), cover all cases by using the appdomain attribute, i.e.
> allow system appdomain:udp_socket { read write };
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University

