From c69db035ee32e34256c3cd8562e28bc4f5fba2db Mon Sep 17 00:00:00 2001
From: topjohnwu <topjohnwu@gmail.com>
Date: Tue, 13 Sep 2016 06:19:07 +0800
Subject: [PATCH] Add built-in rules

---
 builtin_rules.c   | 324 ++++++++++++++++++++++++++++++++++++++++++++++
 sepolicy-inject.c |   5 +-
 2 files changed, 327 insertions(+), 2 deletions(-)
 create mode 100644 builtin_rules.c

diff --git a/builtin_rules.c b/builtin_rules.c
new file mode 100644
index 000000000..491e53e37
--- /dev/null
+++ b/builtin_rules.c
@@ -0,0 +1,324 @@
+#include <stdio.h>
+#include <sepol/policydb/policydb.h>
+
+#define ALL NULL
+
+extern int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy);
+extern void create_domain(char *d, policydb_t *policy);
+extern int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy);
+extern int add_type(char *domainS, char *typeS, policydb_t *policy);
+
+policydb_t *policy;
+
+void allow(char *s, char *t, char *c, char *p) {
+	add_rule(s, t, c, p, AVTAB_ALLOWED, 0, policy);
+}
+
+void noaudit(char *s, char *t, char *c, char *p) {
+	add_rule(s, t, c, p, AVTAB_AUDITDENY, 0, policy);
+}
+
+void deny(char *s, char *t, char *c, char *p) {
+	add_rule(s, t, c, p, AVTAB_ALLOWED, 1, policy);
+}
+
+void setPermissive(char* permissive, int permissive_value) {
+	type_datum_t *type;
+	create_domain(permissive, policy);
+	type = hashtab_search(policy->p_types.table, permissive);
+	if (type == NULL) {
+			fprintf(stderr, "type %s does not exist\n", permissive);
+			return;
+	}
+	if (ebitmap_set_bit(&policy->permissive_map, type->s.value, permissive_value)) {
+		fprintf(stderr, "Could not set bit in permissive map\n");
+		return;
+	}
+}
+
+int exists(char* source) {
+	return (int) hashtab_search(policy->p_types.table, source);
+}
+
+void samsung() {
+	deny("init", "kernel", "security", "load_policy");
+	deny("policyloader_app", "security_spota_file", "dir", "read");
+	deny("policyloader_app", "security_spota_file", "dir", "write");
+	deny("policyloader_app", "security_spota_file", "file", "read");
+	deny("policyloader_app", "security_spota_file", "file", "write");
+	deny("system_server", "security_spota_file", "dir", "read");
+	deny("system_server", "security_spota_file", "dir", "write");
+	deny("system_server", "security_spota_file", "file", "read");
+	deny("system_server", "security_spota_file", "file", "write");
+	deny("system_app", "security_spota_file", "dir", "read");
+	deny("system_app", "security_spota_file", "dir", "write");
+	deny("system_app", "security_spota_file", "file", "read");
+	deny("system_app", "security_spota_file", "file", "write");
+	deny("installd", "security_spota_file", "dir", "read");
+	deny("installd", "security_spota_file", "dir", "write");
+	deny("installd", "security_spota_file", "file", "read");
+	deny("installd", "security_spota_file", "file", "write");
+	deny("init", "security_spota_file", "dir", "read");
+	deny("init", "security_spota_file", "dir", "write");
+	deny("init", "security_spota_file", "file", "read");
+	deny("init", "security_spota_file", "file", "write");
+	deny("ueventd", "security_spota_file", "dir", "read");
+	deny("ueventd", "security_spota_file", "dir", "write");
+	deny("ueventd", "security_spota_file", "file", "read");
+	deny("ueventd", "security_spota_file", "file", "write");
+	deny("runas", "security_spota_file", "dir", "read");
+	deny("runas", "security_spota_file", "dir", "write");
+	deny("runas", "security_spota_file", "file", "read");
+	deny("runas", "security_spota_file", "file", "write");
+	deny("drsd", "security_spota_file", "dir", "read");
+	deny("drsd", "security_spota_file", "dir", "write");
+	deny("drsd", "security_spota_file", "file", "read");
+	deny("drsd", "security_spota_file", "file", "write");
+	deny("debuggerd", "security_spota_file", "dir", "read");
+	deny("debuggerd", "security_spota_file", "dir", "write");
+	deny("debuggerd", "security_spota_file", "file", "read");
+	deny("debuggerd", "security_spota_file", "file", "write");
+	deny("vold", "security_spota_file", "dir", "read");
+	deny("vold", "security_spota_file", "dir", "write");
+	deny("vold", "security_spota_file", "file", "read");
+	deny("vold", "security_spota_file", "file", "write");
+	deny("zygote", "security_spota_file", "dir", "read");
+	deny("zygote", "security_spota_file", "dir", "write");
+	deny("zygote", "security_spota_file", "file", "read");
+	deny("zygote", "security_spota_file", "file", "write");
+	deny("auditd", "security_spota_file", "dir", "read");
+	deny("auditd", "security_spota_file", "dir", "write");
+	deny("auditd", "security_spota_file", "file", "read");
+	deny("auditd", "security_spota_file", "file", "write");
+	deny("servicemanager", "security_spota_file", "dir", "read");
+	deny("servicemanager", "security_spota_file", "dir", "write");
+	deny("servicemanager", "security_spota_file", "file", "read");
+	deny("servicemanager", "security_spota_file", "file", "write");
+	deny("itsonbs", "security_spota_file", "dir", "read");
+	deny("itsonbs", "security_spota_file", "dir", "write");
+	deny("itsonbs", "security_spota_file", "file", "read");
+	deny("itsonbs", "security_spota_file", "file", "write");
+	deny("commonplatformappdomain", "security_spota_file", "dir", "read");
+	deny("commonplatformappdomain", "security_spota_file", "dir", "write");
+	deny("commonplatformappdomain", "security_spota_file", "file", "read");
+	deny("commonplatformappdomain", "security_spota_file", "file", "write");
+}
+
+void allowSuClient(char *target) {
+	allow(target, "rootfs", "file", "execute_no_trans");
+	allow(target, "rootfs", "file", "execute");
+	allow(target, "su_daemon", "unix_stream_socket", "connectto");
+	allow(target, "su_daemon", "unix_stream_socket", "getopt");
+	allow(target, "su_device", "dir", "search");
+	allow(target, "su_device", "dir", "read");
+	allow(target, "su_device", "sock_file", "read");
+	allow(target, "su_device", "sock_file", "write");
+	allow("su_daemon", target, "fd", "use");
+	allow("su_daemon", target, "fifo_file", "read");
+	allow("su_daemon", target, "fifo_file", "write");
+	allow("su_daemon", target, "fifo_file", "getattr");
+	allow("su_daemon", target, "fifo_file", "ioctl");
+	allow("su_daemon", target, "dir", "search");
+	allow("su_daemon", target, "file", "read");
+	allow("su_daemon", target, "file", "open");
+	allow("su_daemon", target, "lnk_file", "read");
+	allow("su_daemon", "su_daemon", "capability", "sys_ptrace");
+}
+
+void suDaemonRights() {
+	allow("su_daemon", "rootfs", "file", "entrypoint");
+	allow("su_daemon", "su_daemon", "dir", "search");
+	allow("su_daemon", "su_daemon", "dir", "read");
+	allow("su_daemon", "su_daemon", "file", "read");
+	allow("su_daemon", "su_daemon", "file", "write");
+	allow("su_daemon", "su_daemon", "file", "open");
+	allow("su_daemon", "su_daemon", "lnk_file", "read");
+	allow("su_daemon", "su_daemon", "unix_dgram_socket", "create");
+	allow("su_daemon", "su_daemon", "unix_dgram_socket", "connect");
+	allow("su_daemon", "su_daemon", "unix_dgram_socket", "write");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "create");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "ioctl");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "read");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "getattr");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "write");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "setattr");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "lock");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "append");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "bind");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "connect");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "getopt");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "setopt");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "shutdown");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "listen");
+	allow("su_daemon", "su_daemon", "unix_stream_socket", "accept");
+	allow("su_daemon", "devpts", "chr_file", "read");
+	allow("su_daemon", "devpts", "chr_file", "write");
+	allow("su_daemon", "devpts", "chr_file", "open");
+	allow("su_daemon", "devpts", "chr_file", "getattr");
+	allow("su_daemon", "untrusted_app_devpts", "chr_file", "read");
+	allow("su_daemon", "untrusted_app_devpts", "chr_file", "write");
+	allow("su_daemon", "untrusted_app_devpts", "chr_file", "open");
+	allow("su_daemon", "untrusted_app_devpts", "chr_file", "getattr");
+	allow("su_daemon", "su_daemon", "capability", "setuid");
+	allow("su_daemon", "su_daemon", "capability", "setgid");
+	allow("su_daemon", "app_data_file", "dir", "getattr");
+	allow("su_daemon", "app_data_file", "dir", "search");
+	allow("su_daemon", "app_data_file", "dir", "write");
+	allow("su_daemon", "app_data_file", "dir", "add_name");
+	allow("su_daemon", "app_data_file", "file", "getattr");
+	allow("su_daemon", "app_data_file", "file", "read");
+	allow("su_daemon", "app_data_file", "file", "open");
+	allow("su_daemon", "app_data_file", "file", "lock");
+	allow("su_daemon", "su_daemon", "capability", "dac_override");
+	allow("su_daemon", "su_daemon", "process", "fork");
+	allow("su_daemon", "su_daemon", "process", "sigchld");
+	allow("su_daemon", "toolbox_exec", "file", "execute");
+	allow("su_daemon", "toolbox_exec", "file", "read");
+	allow("su_daemon", "toolbox_exec", "file", "open");
+	allow("su_daemon", "toolbox_exec", "file", "execute_no_trans");
+	allow("su_daemon", "device", "dir", "write");
+	allow("su_daemon", "device", "dir", "add_name");
+	allow("su_daemon", "su_device", "dir", "create");
+	allow("su_daemon", "su_device", "dir", "setattr");
+	allow("su_daemon", "su_device", "dir", "remove_name");
+	allow("su_daemon", "su_device", "dir", "add_name");
+	allow("su_daemon", "su_device", "sock_file", "create");
+	allow("su_daemon", "su_device", "sock_file", "unlink");
+	allow("su_daemon", "zygote_exec", "file", "execute");
+	allow("su_daemon", "zygote_exec", "file", "read");
+	allow("su_daemon", "zygote_exec", "file", "open");
+	allow("su_daemon", "zygote_exec", "file", "execute_no_trans");
+	allow("su_daemon", "zygote_exec", "lnk_file", "read");
+	allow("su_daemon", "zygote_exec", "lnk_file", "getattr");
+	allow("su_daemon", "su_device", "dir", "search");
+	allow("su_daemon", "su_device", "dir", "write");
+	allow("su_daemon", "su_device", "dir", "add_name");
+	allow("su_daemon", "su_daemon", "process", "setexec");
+	allow("su_daemon", "shell_exec", "file", "execute");
+	allow("su_daemon", "shell_exec", "file", "read");
+	allow("su_daemon", "shell_exec", "file", "open");
+	allow("su_daemon", "su_daemon", "capability", "chown");
+	allow("su_daemon", "su", "process", "transition");
+	noaudit("su_daemon", "su", "process", "siginh rlimitinh noatsecure");
+}
+
+void suBind() {
+	allow("su_daemon", "su_exec", "file", "mounton");
+	allow("su_daemon", "su_exec", "file", "read");
+	allow("su_daemon", "su_device", "dir", ALL);
+	allow("su_daemon", "su_device", "file", ALL);
+	allow("su_daemon", "su_device", "lnk_file", ALL);
+	allow("su_daemon", "system_file", "file", "relabelto");
+}
+
+void suRights() {
+	allow("su_daemon", "su_daemon", "capability", "sys_admin");
+	allow("servicemanager", "su", "dir", "search");
+	allow("servicemanager", "su", "dir", "read");
+	allow("servicemanager", "su", "file", "open");
+	allow("servicemanager", "su", "file", "read");
+	allow("servicemanager", "su", "process", "getattr");
+	allow("servicemanager", "su", "binder", "transfer");
+	allow("system_server", "su", "binder", "call");
+}
+
+void otherToSU() {
+	// allowLog
+	allow("logd", "su", "dir", "search");
+	allow("logd", "su", "file", "read");
+	allow("logd", "su", "file", "open");
+	allow("logd", "su", "file", "getattr");
+
+	// suBackL0
+	allow("system_server", "su", "binder", "call");
+	allow("system_server", "su", "binder", "transfer");
+
+	// ES Explorer opens a sokcet
+	allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
+	allow("untrusted_app", "su", "unix_stream_socket", "read");
+	allow("untrusted_app", "su", "unix_stream_socket", "getattr");
+	allow("untrusted_app", "su", "unix_stream_socket", "write");
+	allow("untrusted_app", "su", "unix_stream_socket", "setattr");
+	allow("untrusted_app", "su", "unix_stream_socket", "lock");
+	allow("untrusted_app", "su", "unix_stream_socket", "append");
+	allow("untrusted_app", "su", "unix_stream_socket", "bind");
+	allow("untrusted_app", "su", "unix_stream_socket", "connect");
+	allow("untrusted_app", "su", "unix_stream_socket", "getopt");
+	allow("untrusted_app", "su", "unix_stream_socket", "setopt");
+	allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
+	allow("untrusted_app", "su", "unix_stream_socket", "connectto");
+
+	// Any domain is allowed to send su "sigchld"
+	allow(ALL, "su", "process", "sigchld");
+
+	// uNetworkL0
+	add_type("su", "netdomain", policy);
+	add_type("su", "bluetoothdomain", policy);
+
+	// suBackL6
+	allow("surfaceflinger", "app_data_file", "dir", ALL);
+	allow("surfaceflinger", "app_data_file", "file", ALL);
+	allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
+	add_type("surfaceflinger", "mlstrustedsubject", policy);
+}
+
+void suL9() {
+	allow("su_daemon", "su_daemon", "dir", ALL);
+	allow("su_daemon", "su_daemon", "file", ALL);
+	allow("su_daemon", "su_daemon", "lnk_file", ALL);
+	allow("su_daemon", "system_data_file", "dir", ALL);
+	allow("su_daemon", "system_data_file", "file", ALL);
+	allow("su_daemon", "system_data_file", "lnk_file", ALL);
+	allow("su_daemon", "labeledfs", "filesystem", "associate");
+	allow("su_daemon", "su_daemon", "process", "setfscreate");
+	allow("su_daemon", "tmpfs", "filesystem", "associate");
+	allow("su_daemon", "su_daemon", "file", "relabelfrom");
+	allow("su_daemon", "system_file", "file", "mounton");
+}
+
+void builtin_rules(policydb_t *policydb) {
+	policy = policydb;
+
+	// Samsung specific
+	// Prevent system from loading policy
+	if(exists("knox_system_app")) {
+		samsung();
+	}
+
+	// Create domains if they don't exist
+	setPermissive("su", 1);
+	setPermissive("su_device", 0);
+	setPermissive("su_daemon", 0);
+
+	// Autotransition su's socket to su_device
+	add_transition("su_daemon", "device", "su_device", "file", policy);
+	add_transition("su_daemon", "device", "su_device", "dir", policy);
+	allow("su_device", "tmpfs", "filesystem", "associate");
+
+	// Transition from untrusted_app to su_client
+	allowSuClient("shell");
+	allowSuClient("untrusted_app");
+	allowSuClient("platform_app");
+	allowSuClient("su");
+
+	if(exists("ssd_tool")) {
+		allowSuClient("ssd_tool");
+	}
+
+	// Allow init to execute su daemon/transition
+	allow("init", "su_daemon", "process", "transition");
+	noaudit("init", "su_daemon", "process", "rlimitinh");
+	noaudit("init", "su_daemon", "process", "siginh");
+	noaudit("init", "su_daemon", "process", "noatsecure");
+	suDaemonRights();
+	suBind();
+	suRights();
+	otherToSU();
+
+	// Need to set su_device/su as trusted to be accessible from other categories
+	add_type("su_device", "mlstrustedobject", policy);
+	add_type("su_daemon", "mlstrustedsubject", policy);
+	add_type("su", "mlstrustedsubject", policy);
+
+	suL9();
+}
\ No newline at end of file
diff --git a/sepolicy-inject.c b/sepolicy-inject.c
index d926f699a..2fa4b886b 100644
--- a/sepolicy-inject.c
+++ b/sepolicy-inject.c
@@ -23,6 +23,8 @@
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/constraint.h>
 
+extern void builtin_rules(policydb_t *policydb);
+
 void usage(char *arg0) {
 	fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
 	fprintf(stderr, "\tInject a rule\n\n");
@@ -651,8 +653,7 @@ int main(int argc, char **argv)
 		return 1;
 
 	if (builtin) {
-		// TODO: Create builtin rules
-		// builtin(&policydb);
+		builtin_rules(&policydb);
 	}
 	else if (permissive) {
 		type_datum_t *type;