This repository has been archived by the owner on Jul 18, 2018. It is now read-only.
forked from phhusson/sepolicy-inject
-
Notifications
You must be signed in to change notification settings - Fork 37
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
327 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,324 @@ | ||
#include <stdio.h> | ||
#include <sepol/policydb/policydb.h> | ||
|
||
#define ALL NULL | ||
|
||
extern int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy); | ||
extern void create_domain(char *d, policydb_t *policy); | ||
extern int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy); | ||
extern int add_type(char *domainS, char *typeS, policydb_t *policy); | ||
|
||
policydb_t *policy; | ||
|
||
void allow(char *s, char *t, char *c, char *p) { | ||
add_rule(s, t, c, p, AVTAB_ALLOWED, 0, policy); | ||
} | ||
|
||
void noaudit(char *s, char *t, char *c, char *p) { | ||
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0, policy); | ||
} | ||
|
||
void deny(char *s, char *t, char *c, char *p) { | ||
add_rule(s, t, c, p, AVTAB_ALLOWED, 1, policy); | ||
} | ||
|
||
void setPermissive(char* permissive, int permissive_value) { | ||
type_datum_t *type; | ||
create_domain(permissive, policy); | ||
type = hashtab_search(policy->p_types.table, permissive); | ||
if (type == NULL) { | ||
fprintf(stderr, "type %s does not exist\n", permissive); | ||
return; | ||
} | ||
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, permissive_value)) { | ||
fprintf(stderr, "Could not set bit in permissive map\n"); | ||
return; | ||
} | ||
} | ||
|
||
int exists(char* source) { | ||
return (int) hashtab_search(policy->p_types.table, source); | ||
} | ||
|
||
void samsung() { | ||
deny("init", "kernel", "security", "load_policy"); | ||
deny("policyloader_app", "security_spota_file", "dir", "read"); | ||
deny("policyloader_app", "security_spota_file", "dir", "write"); | ||
deny("policyloader_app", "security_spota_file", "file", "read"); | ||
deny("policyloader_app", "security_spota_file", "file", "write"); | ||
deny("system_server", "security_spota_file", "dir", "read"); | ||
deny("system_server", "security_spota_file", "dir", "write"); | ||
deny("system_server", "security_spota_file", "file", "read"); | ||
deny("system_server", "security_spota_file", "file", "write"); | ||
deny("system_app", "security_spota_file", "dir", "read"); | ||
deny("system_app", "security_spota_file", "dir", "write"); | ||
deny("system_app", "security_spota_file", "file", "read"); | ||
deny("system_app", "security_spota_file", "file", "write"); | ||
deny("installd", "security_spota_file", "dir", "read"); | ||
deny("installd", "security_spota_file", "dir", "write"); | ||
deny("installd", "security_spota_file", "file", "read"); | ||
deny("installd", "security_spota_file", "file", "write"); | ||
deny("init", "security_spota_file", "dir", "read"); | ||
deny("init", "security_spota_file", "dir", "write"); | ||
deny("init", "security_spota_file", "file", "read"); | ||
deny("init", "security_spota_file", "file", "write"); | ||
deny("ueventd", "security_spota_file", "dir", "read"); | ||
deny("ueventd", "security_spota_file", "dir", "write"); | ||
deny("ueventd", "security_spota_file", "file", "read"); | ||
deny("ueventd", "security_spota_file", "file", "write"); | ||
deny("runas", "security_spota_file", "dir", "read"); | ||
deny("runas", "security_spota_file", "dir", "write"); | ||
deny("runas", "security_spota_file", "file", "read"); | ||
deny("runas", "security_spota_file", "file", "write"); | ||
deny("drsd", "security_spota_file", "dir", "read"); | ||
deny("drsd", "security_spota_file", "dir", "write"); | ||
deny("drsd", "security_spota_file", "file", "read"); | ||
deny("drsd", "security_spota_file", "file", "write"); | ||
deny("debuggerd", "security_spota_file", "dir", "read"); | ||
deny("debuggerd", "security_spota_file", "dir", "write"); | ||
deny("debuggerd", "security_spota_file", "file", "read"); | ||
deny("debuggerd", "security_spota_file", "file", "write"); | ||
deny("vold", "security_spota_file", "dir", "read"); | ||
deny("vold", "security_spota_file", "dir", "write"); | ||
deny("vold", "security_spota_file", "file", "read"); | ||
deny("vold", "security_spota_file", "file", "write"); | ||
deny("zygote", "security_spota_file", "dir", "read"); | ||
deny("zygote", "security_spota_file", "dir", "write"); | ||
deny("zygote", "security_spota_file", "file", "read"); | ||
deny("zygote", "security_spota_file", "file", "write"); | ||
deny("auditd", "security_spota_file", "dir", "read"); | ||
deny("auditd", "security_spota_file", "dir", "write"); | ||
deny("auditd", "security_spota_file", "file", "read"); | ||
deny("auditd", "security_spota_file", "file", "write"); | ||
deny("servicemanager", "security_spota_file", "dir", "read"); | ||
deny("servicemanager", "security_spota_file", "dir", "write"); | ||
deny("servicemanager", "security_spota_file", "file", "read"); | ||
deny("servicemanager", "security_spota_file", "file", "write"); | ||
deny("itsonbs", "security_spota_file", "dir", "read"); | ||
deny("itsonbs", "security_spota_file", "dir", "write"); | ||
deny("itsonbs", "security_spota_file", "file", "read"); | ||
deny("itsonbs", "security_spota_file", "file", "write"); | ||
deny("commonplatformappdomain", "security_spota_file", "dir", "read"); | ||
deny("commonplatformappdomain", "security_spota_file", "dir", "write"); | ||
deny("commonplatformappdomain", "security_spota_file", "file", "read"); | ||
deny("commonplatformappdomain", "security_spota_file", "file", "write"); | ||
} | ||
|
||
void allowSuClient(char *target) { | ||
allow(target, "rootfs", "file", "execute_no_trans"); | ||
allow(target, "rootfs", "file", "execute"); | ||
allow(target, "su_daemon", "unix_stream_socket", "connectto"); | ||
allow(target, "su_daemon", "unix_stream_socket", "getopt"); | ||
allow(target, "su_device", "dir", "search"); | ||
allow(target, "su_device", "dir", "read"); | ||
allow(target, "su_device", "sock_file", "read"); | ||
allow(target, "su_device", "sock_file", "write"); | ||
allow("su_daemon", target, "fd", "use"); | ||
allow("su_daemon", target, "fifo_file", "read"); | ||
allow("su_daemon", target, "fifo_file", "write"); | ||
allow("su_daemon", target, "fifo_file", "getattr"); | ||
allow("su_daemon", target, "fifo_file", "ioctl"); | ||
allow("su_daemon", target, "dir", "search"); | ||
allow("su_daemon", target, "file", "read"); | ||
allow("su_daemon", target, "file", "open"); | ||
allow("su_daemon", target, "lnk_file", "read"); | ||
allow("su_daemon", "su_daemon", "capability", "sys_ptrace"); | ||
} | ||
|
||
void suDaemonRights() { | ||
allow("su_daemon", "rootfs", "file", "entrypoint"); | ||
allow("su_daemon", "su_daemon", "dir", "search"); | ||
allow("su_daemon", "su_daemon", "dir", "read"); | ||
allow("su_daemon", "su_daemon", "file", "read"); | ||
allow("su_daemon", "su_daemon", "file", "write"); | ||
allow("su_daemon", "su_daemon", "file", "open"); | ||
allow("su_daemon", "su_daemon", "lnk_file", "read"); | ||
allow("su_daemon", "su_daemon", "unix_dgram_socket", "create"); | ||
allow("su_daemon", "su_daemon", "unix_dgram_socket", "connect"); | ||
allow("su_daemon", "su_daemon", "unix_dgram_socket", "write"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "create"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "ioctl"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "read"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "getattr"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "write"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "setattr"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "lock"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "append"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "bind"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "connect"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "getopt"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "setopt"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "shutdown"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "listen"); | ||
allow("su_daemon", "su_daemon", "unix_stream_socket", "accept"); | ||
allow("su_daemon", "devpts", "chr_file", "read"); | ||
allow("su_daemon", "devpts", "chr_file", "write"); | ||
allow("su_daemon", "devpts", "chr_file", "open"); | ||
allow("su_daemon", "devpts", "chr_file", "getattr"); | ||
allow("su_daemon", "untrusted_app_devpts", "chr_file", "read"); | ||
allow("su_daemon", "untrusted_app_devpts", "chr_file", "write"); | ||
allow("su_daemon", "untrusted_app_devpts", "chr_file", "open"); | ||
allow("su_daemon", "untrusted_app_devpts", "chr_file", "getattr"); | ||
allow("su_daemon", "su_daemon", "capability", "setuid"); | ||
allow("su_daemon", "su_daemon", "capability", "setgid"); | ||
allow("su_daemon", "app_data_file", "dir", "getattr"); | ||
allow("su_daemon", "app_data_file", "dir", "search"); | ||
allow("su_daemon", "app_data_file", "dir", "write"); | ||
allow("su_daemon", "app_data_file", "dir", "add_name"); | ||
allow("su_daemon", "app_data_file", "file", "getattr"); | ||
allow("su_daemon", "app_data_file", "file", "read"); | ||
allow("su_daemon", "app_data_file", "file", "open"); | ||
allow("su_daemon", "app_data_file", "file", "lock"); | ||
allow("su_daemon", "su_daemon", "capability", "dac_override"); | ||
allow("su_daemon", "su_daemon", "process", "fork"); | ||
allow("su_daemon", "su_daemon", "process", "sigchld"); | ||
allow("su_daemon", "toolbox_exec", "file", "execute"); | ||
allow("su_daemon", "toolbox_exec", "file", "read"); | ||
allow("su_daemon", "toolbox_exec", "file", "open"); | ||
allow("su_daemon", "toolbox_exec", "file", "execute_no_trans"); | ||
allow("su_daemon", "device", "dir", "write"); | ||
allow("su_daemon", "device", "dir", "add_name"); | ||
allow("su_daemon", "su_device", "dir", "create"); | ||
allow("su_daemon", "su_device", "dir", "setattr"); | ||
allow("su_daemon", "su_device", "dir", "remove_name"); | ||
allow("su_daemon", "su_device", "dir", "add_name"); | ||
allow("su_daemon", "su_device", "sock_file", "create"); | ||
allow("su_daemon", "su_device", "sock_file", "unlink"); | ||
allow("su_daemon", "zygote_exec", "file", "execute"); | ||
allow("su_daemon", "zygote_exec", "file", "read"); | ||
allow("su_daemon", "zygote_exec", "file", "open"); | ||
allow("su_daemon", "zygote_exec", "file", "execute_no_trans"); | ||
allow("su_daemon", "zygote_exec", "lnk_file", "read"); | ||
allow("su_daemon", "zygote_exec", "lnk_file", "getattr"); | ||
allow("su_daemon", "su_device", "dir", "search"); | ||
allow("su_daemon", "su_device", "dir", "write"); | ||
allow("su_daemon", "su_device", "dir", "add_name"); | ||
allow("su_daemon", "su_daemon", "process", "setexec"); | ||
allow("su_daemon", "shell_exec", "file", "execute"); | ||
allow("su_daemon", "shell_exec", "file", "read"); | ||
allow("su_daemon", "shell_exec", "file", "open"); | ||
allow("su_daemon", "su_daemon", "capability", "chown"); | ||
allow("su_daemon", "su", "process", "transition"); | ||
noaudit("su_daemon", "su", "process", "siginh rlimitinh noatsecure"); | ||
} | ||
|
||
void suBind() { | ||
allow("su_daemon", "su_exec", "file", "mounton"); | ||
allow("su_daemon", "su_exec", "file", "read"); | ||
allow("su_daemon", "su_device", "dir", ALL); | ||
allow("su_daemon", "su_device", "file", ALL); | ||
allow("su_daemon", "su_device", "lnk_file", ALL); | ||
allow("su_daemon", "system_file", "file", "relabelto"); | ||
} | ||
|
||
void suRights() { | ||
allow("su_daemon", "su_daemon", "capability", "sys_admin"); | ||
allow("servicemanager", "su", "dir", "search"); | ||
allow("servicemanager", "su", "dir", "read"); | ||
allow("servicemanager", "su", "file", "open"); | ||
allow("servicemanager", "su", "file", "read"); | ||
allow("servicemanager", "su", "process", "getattr"); | ||
allow("servicemanager", "su", "binder", "transfer"); | ||
allow("system_server", "su", "binder", "call"); | ||
} | ||
|
||
void otherToSU() { | ||
// allowLog | ||
allow("logd", "su", "dir", "search"); | ||
allow("logd", "su", "file", "read"); | ||
allow("logd", "su", "file", "open"); | ||
allow("logd", "su", "file", "getattr"); | ||
|
||
// suBackL0 | ||
allow("system_server", "su", "binder", "call"); | ||
allow("system_server", "su", "binder", "transfer"); | ||
|
||
// ES Explorer opens a sokcet | ||
allow("untrusted_app", "su", "unix_stream_socket", "ioctl"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "read"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "getattr"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "write"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "setattr"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "lock"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "append"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "bind"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "connect"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "getopt"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "setopt"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "shutdown"); | ||
allow("untrusted_app", "su", "unix_stream_socket", "connectto"); | ||
|
||
// Any domain is allowed to send su "sigchld" | ||
allow(ALL, "su", "process", "sigchld"); | ||
|
||
// uNetworkL0 | ||
add_type("su", "netdomain", policy); | ||
add_type("su", "bluetoothdomain", policy); | ||
|
||
// suBackL6 | ||
allow("surfaceflinger", "app_data_file", "dir", ALL); | ||
allow("surfaceflinger", "app_data_file", "file", ALL); | ||
allow("surfaceflinger", "app_data_file", "lnk_file", ALL); | ||
add_type("surfaceflinger", "mlstrustedsubject", policy); | ||
} | ||
|
||
void suL9() { | ||
allow("su_daemon", "su_daemon", "dir", ALL); | ||
allow("su_daemon", "su_daemon", "file", ALL); | ||
allow("su_daemon", "su_daemon", "lnk_file", ALL); | ||
allow("su_daemon", "system_data_file", "dir", ALL); | ||
allow("su_daemon", "system_data_file", "file", ALL); | ||
allow("su_daemon", "system_data_file", "lnk_file", ALL); | ||
allow("su_daemon", "labeledfs", "filesystem", "associate"); | ||
allow("su_daemon", "su_daemon", "process", "setfscreate"); | ||
allow("su_daemon", "tmpfs", "filesystem", "associate"); | ||
allow("su_daemon", "su_daemon", "file", "relabelfrom"); | ||
allow("su_daemon", "system_file", "file", "mounton"); | ||
} | ||
|
||
void builtin_rules(policydb_t *policydb) { | ||
policy = policydb; | ||
|
||
// Samsung specific | ||
// Prevent system from loading policy | ||
if(exists("knox_system_app")) { | ||
samsung(); | ||
} | ||
|
||
// Create domains if they don't exist | ||
setPermissive("su", 1); | ||
setPermissive("su_device", 0); | ||
setPermissive("su_daemon", 0); | ||
|
||
// Autotransition su's socket to su_device | ||
add_transition("su_daemon", "device", "su_device", "file", policy); | ||
add_transition("su_daemon", "device", "su_device", "dir", policy); | ||
allow("su_device", "tmpfs", "filesystem", "associate"); | ||
|
||
// Transition from untrusted_app to su_client | ||
allowSuClient("shell"); | ||
allowSuClient("untrusted_app"); | ||
allowSuClient("platform_app"); | ||
allowSuClient("su"); | ||
|
||
if(exists("ssd_tool")) { | ||
allowSuClient("ssd_tool"); | ||
} | ||
|
||
// Allow init to execute su daemon/transition | ||
allow("init", "su_daemon", "process", "transition"); | ||
noaudit("init", "su_daemon", "process", "rlimitinh"); | ||
noaudit("init", "su_daemon", "process", "siginh"); | ||
noaudit("init", "su_daemon", "process", "noatsecure"); | ||
suDaemonRights(); | ||
suBind(); | ||
suRights(); | ||
otherToSU(); | ||
|
||
// Need to set su_device/su as trusted to be accessible from other categories | ||
add_type("su_device", "mlstrustedobject", policy); | ||
add_type("su_daemon", "mlstrustedsubject", policy); | ||
add_type("su", "mlstrustedsubject", policy); | ||
|
||
suL9(); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters