Implement SELinux/MAC checks for property service.
This is a set of changes to the init property service
implementation to apply a SELinux check over who can
change what properties. Also included control hooks
for the 'ctl' keys.
Change-Id: I5a18809bf5536f6459a36b6bf0d622b9f5061aa0
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/init/property_service.c b/init/property_service.c
index 471c3dc..5017375 100644
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -40,6 +40,11 @@
#include <sys/atomics.h>
#include <private/android_filesystem_config.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#endif
+
#include "property_service.h"
#include "init.h"
#include "util.h"
@@ -192,23 +197,77 @@
__futex_wake(&pi->serial, INT32_MAX);
}
+static int check_mac_perms(const char *name, char *sctx)
+{
+#ifdef HAVE_SELINUX
+ if (is_selinux_enabled() <= 0)
+ return 1;
+
+ char *tctx = NULL;
+ const char *class = "property_service";
+ const char *perm = "set";
+ int result = 0;
+
+ if (!sctx)
+ goto err;
+
+ if (!sehandle_prop)
+ goto err;
+
+ if (selabel_lookup(sehandle_prop, &tctx, name, 1) != 0)
+ goto err;
+
+ if (selinux_check_access(sctx, tctx, class, perm, name) == 0)
+ result = 1;
+
+ freecon(tctx);
+ err:
+ return result;
+
+#endif
+ return 1;
+}
+
+static int check_control_mac_perms(const char *name, char *sctx)
+{
+#ifdef HAVE_SELINUX
+
+ /*
+ * Create a name prefix out of ctl.<service name>
+ * The new prefix allows the use of the existing
+ * property service backend labeling while avoiding
+ * mislabels based on true property prefixes.
+ */
+ char ctl_name[PROP_VALUE_MAX+4];
+ int ret = snprintf(ctl_name, sizeof(ctl_name), "ctl.%s", name);
+
+ if (ret < 0 || (size_t) ret >= sizeof(ctl_name))
+ return 0;
+
+ return check_mac_perms(ctl_name, sctx);
+
+#endif
+ return 1;
+}
+
/*
* Checks permissions for starting/stoping system services.
* AID_SYSTEM and AID_ROOT are always allowed.
*
* Returns 1 if uid allowed, 0 otherwise.
*/
-static int check_control_perms(const char *name, unsigned int uid, unsigned int gid) {
+static int check_control_perms(const char *name, unsigned int uid, unsigned int gid, char *sctx) {
+
int i;
if (uid == AID_SYSTEM || uid == AID_ROOT)
- return 1;
+ return check_control_mac_perms(name, sctx);
/* Search the ACL */
for (i = 0; control_perms[i].service; i++) {
if (strcmp(control_perms[i].service, name) == 0) {
if ((uid && control_perms[i].uid == uid) ||
(gid && control_perms[i].gid == gid)) {
- return 1;
+ return check_control_mac_perms(name, sctx);
}
}
}
@@ -219,22 +278,22 @@
* Checks permissions for setting system properties.
* Returns 1 if uid allowed, 0 otherwise.
*/
-static int check_perms(const char *name, unsigned int uid, unsigned int gid)
+static int check_perms(const char *name, unsigned int uid, unsigned int gid, char *sctx)
{
int i;
- if (uid == 0)
- return 1;
-
if(!strncmp(name, "ro.", 3))
name +=3;
+ if (uid == 0)
+ return check_mac_perms(name, sctx);
+
for (i = 0; property_perms[i].prefix; i++) {
- int tmp;
if (strncmp(property_perms[i].prefix, name,
strlen(property_perms[i].prefix)) == 0) {
if ((uid && property_perms[i].uid == uid) ||
(gid && property_perms[i].gid == gid)) {
- return 1;
+
+ return check_mac_perms(name, sctx);
}
}
}
@@ -355,6 +414,7 @@
struct sockaddr_un addr;
socklen_t addr_size = sizeof(addr);
socklen_t cr_size = sizeof(cr);
+ char * source_ctx = NULL;
if ((s = accept(property_set_fd, (struct sockaddr *) &addr, &addr_size)) < 0) {
return;
@@ -380,18 +440,22 @@
msg.name[PROP_NAME_MAX-1] = 0;
msg.value[PROP_VALUE_MAX-1] = 0;
+#ifdef HAVE_SELINUX
+ getpeercon(s, &source_ctx);
+#endif
+
if(memcmp(msg.name,"ctl.",4) == 0) {
// Keep the old close-socket-early behavior when handling
// ctl.* properties.
close(s);
- if (check_control_perms(msg.value, cr.uid, cr.gid)) {
+ if (check_control_perms(msg.value, cr.uid, cr.gid, source_ctx)) {
handle_control_message((char*) msg.name + 4, (char*) msg.value);
} else {
ERROR("sys_prop: Unable to %s service ctl [%s] uid:%d gid:%d pid:%d\n",
msg.name + 4, msg.value, cr.uid, cr.gid, cr.pid);
}
} else {
- if (check_perms(msg.name, cr.uid, cr.gid)) {
+ if (check_perms(msg.name, cr.uid, cr.gid, source_ctx)) {
property_set((char*) msg.name, (char*) msg.value);
} else {
ERROR("sys_prop: permission denied uid:%d name:%s\n",
@@ -403,6 +467,10 @@
// the property is written to memory.
close(s);
}
+#ifdef HAVE_SELINUX
+ freecon(source_ctx);
+#endif
+
break;
default: