* [PATCH build] add selinux-network.sh to SELINUX_DEPENDS for SELinux network labeling
From: jbrindle @ 2012-06-20 15:58 UTC
To: selinux; +Cc: Joshua Brindle
From: Joshua Brindle <jbrindle@tresys.com>
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
core/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/Makefile b/core/Makefile
index 146d56e..7d3af0f 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -343,7 +343,7 @@ INTERNAL_RAMDISK_FILES := $(filter $(TARGET_ROOT_OUT)/%, \
BUILT_RAMDISK_TARGET := $(PRODUCT_OUT)/ramdisk.img
ifeq ($(HAVE_SELINUX),true)
-SELINUX_DEPENDS := sepolicy file_contexts seapp_contexts property_contexts
+SELINUX_DEPENDS := sepolicy file_contexts seapp_contexts property_contexts selinux-network.sh
endif
#ifeq ($(HAVE_MAC),true)
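Review bot: The commit has no message body, so nothing records why selinux-network.sh has to be a ramdisk dependency; a line saying that init.rc starts it from /system/bin and that the module comes from external/sepolicy/Android.mk would make the build change self-explanatory. Note also that SELINUX_DEPENDS is only populated under `ifeq ($(HAVE_SELINUX),true)`, so any init.rc entry that references the script unconditionally will point at a file that does not exist on non-SELinux builds.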
--
1.7.9.5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* [PATCH system/core] add SELinux network labeling script to startup
From: jbrindle @ 2012-06-20 15:58 UTC
To: selinux; +Cc: Joshua Brindle
From: Joshua Brindle <jbrindle@tresys.com>
Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
rootdir/init.rc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 7131095..1aa7bc1 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -372,6 +372,10 @@ service console /system/bin/sh
user shell
group log
+service netlabels /system/bin/selinux-network.sh
+ class core
+ oneshot
+
on property:ro.debuggable=1
start console
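Review bot: The netlabels service is declared unconditionally, while the build patch in this series installs selinux-network.sh only when HAVE_SELINUX=true; on other builds init will log a failed start for a missing /system/bin/selinux-network.sh, so either guard the entry or state in the commit message that the noise is accepted. The service also carries no `user`/`group` lines, unlike the adjacent console service (`user shell` / `group log`), so the script runs as root; that is what loading rules into the security table requires, but a one-line comment saying so keeps it from reading as an omission.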
--
1.7.9.5
* [PATCH kernel/tegra] Add security table to netfilter config
From: jbrindle @ 2012-06-20 15:58 UTC
To: selinux; +Cc: Joshua Brindle
From: Joshua Brindle <jbrindle@tresys.com>
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
arch/arm/configs/stingray_defconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/configs/stingray_defconfig b/arch/arm/configs/stingray_defconfig
index 9fe1fdd..18afde8 100644
--- a/arch/arm/configs/stingray_defconfig
+++ b/arch/arm/configs/stingray_defconfig
@@ -463,3 +463,5 @@ CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_IP_NF_SECURITY=y
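Review bot: The two appended options depend on Kconfig symbols that are not visible in this hunk: CONFIG_IP_NF_SECURITY requires CONFIG_SECURITY, CONFIG_NETFILTER_ADVANCED and CONFIG_IP_NF_IPTABLES, and Kconfig drops an option whose dependencies are unmet without any warning. Please confirm that `make stingray_defconfig` still yields CONFIG_IP_NF_SECURITY=y in .config, and consider placing the lines in the netfilter section next to CONFIG_NETFILTER_XT_TARGET_SECMARK rather than appending them at end of file, where `savedefconfig` will move them later.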
--
1.7.9.5
* [PATCH kernel/omap] Add security table to netfilter config
From: jbrindle @ 2012-06-20 15:58 UTC
To: selinux; +Cc: Joshua Brindle
From: Joshua Brindle <jbrindle@tresys.com>
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
arch/arm/configs/tuna_defconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm/configs/tuna_defconfig b/arch/arm/configs/tuna_defconfig
index 775e34b..fb1d1ff 100644
--- a/arch/arm/configs/tuna_defconfig
+++ b/arch/arm/configs/tuna_defconfig
@@ -439,4 +439,6 @@ CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_IP_NF_SECURITY=y
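Review bot: Same two lines as the stingray patch and the same caveat; the SECMARK/CONNSECMARK targets are already in context here, so the dependencies left unverified by this hunk are CONFIG_IP_NF_IPTABLES and CONFIG_SECURITY. A short commit body saying that the security table is the table selinux-network.sh programs would let the five near-identical kernel patches stand on their own.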
--
1.7.9.5
* [PATCH kernel/samsung] enable secmark labeling and netfilter security table for SE Android network access controls
From: jbrindle @ 2012-06-20 15:58 UTC
To: selinux; +Cc: Joshua Brindle
From: Joshua Brindle <jbrindle@tresys.com>
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
arch/arm/configs/herring_defconfig | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/configs/herring_defconfig b/arch/arm/configs/herring_defconfig
index 5986957..6aebfd6 100644
--- a/arch/arm/configs/herring_defconfig
+++ b/arch/arm/configs/herring_defconfig
@@ -391,4 +391,10 @@ CONFIG_SECURITY=y
CONFIG_LSM_MMAP_MIN_ADDR=4096
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_IP_NF_SECURITY=y
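Review bot: CONFIG_NF_CONNTRACK_SECMARK and CONFIG_NETFILTER_XT_TARGET_CONNSECMARK both depend on CONFIG_NF_CONNTRACK, and the two XT targets depend on CONFIG_NETFILTER_XTABLES; none of these appear in the hunk, whose context is the security section rather than the netfilter section. If herring_defconfig does not already enable them, Kconfig will drop these six lines and the secmark rules in selinux-network.sh will fail to load at boot. The goldfish patch in this series shows the full set that was needed on ARM; check whether herring needs the same.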
--
1.7.9.5
* [PATCH kernel/goldfish] enable netfilter, secmark, and security tables
From: jbrindle @ 2012-06-20 15:58 UTC
To: selinux; +Cc: Joshua Brindle
From: Joshua Brindle <jbrindle@tresys.com>
ARM kernels needed netfilter enabled in addition to secmark and security tables.
The x86 kernel had secmark enabled and only needed security tables.
This enables netfilter-based SE Android network access controls.
Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
arch/arm/configs/goldfish_armv7_defconfig | 41 +++++++++++++++++++++++++++--
arch/arm/configs/goldfish_defconfig | 40 ++++++++++++++++++++++++++--
arch/x86/configs/goldfish_defconfig | 3 ++-
3 files changed, 79 insertions(+), 5 deletions(-)
diff --git a/arch/arm/configs/goldfish_armv7_defconfig b/arch/arm/configs/goldfish_armv7_defconfig
index 9f51a14..24b3d4f 100644
--- a/arch/arm/configs/goldfish_armv7_defconfig
+++ b/arch/arm/configs/goldfish_armv7_defconfig
@@ -333,8 +333,45 @@ CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
CONFIG_IPV6=y
CONFIG_ANDROID_PARANOID_NETWORK=y
-# CONFIG_NETWORK_SECMARK is not set
-# CONFIG_NETFILTER is not set
+
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETWORK_SECMARK=y
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_LOG=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_SECURITY=y
+
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_TIPC is not set
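Review bot: Beyond what SECMARK, CONNSECMARK and the security table need, this hunk also turns on the FTP, IRC and SIP conntrack helpers (CONFIG_NF_CONNTRACK_FTP/IRC/SIP), the NFLOG, LOG and ULOG logging targets and TCPMSS; the helpers parse untrusted payloads inside the kernel and widen its attack surface, so either drop them or justify them in the commit message, which currently only says netfilter was needed. Minor: the hunk inserts a stray blank line after CONFIG_ANDROID_PARANOID_NETWORK=y that the goldfish_defconfig hunk in the same patch does not; keep the two ARM configs identical so they stay easy to diff.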
diff --git a/arch/arm/configs/goldfish_defconfig b/arch/arm/configs/goldfish_defconfig
index f7e49ea..58e498a 100644
--- a/arch/arm/configs/goldfish_defconfig
+++ b/arch/arm/configs/goldfish_defconfig
@@ -330,8 +330,44 @@ CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
CONFIG_IPV6=y
CONFIG_ANDROID_PARANOID_NETWORK=y
-# CONFIG_NETWORK_SECMARK is not set
-# CONFIG_NETFILTER is not set
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NF_CONNTRACK_FTP=y
+CONFIG_NF_CONNTRACK_IRC=y
+CONFIG_NF_CONNTRACK_SIP=y
+CONFIG_NF_CT_NETLINK=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETWORK_SECMARK=y
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+CONFIG_IP_NF_TARGET_LOG=y
+CONFIG_IP_NF_TARGET_ULOG=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_SECURITY=y
+
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_TIPC is not set
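Review bot: Only the IPv4 tables are enabled (CONFIG_IP_NF_IPTABLES, CONFIG_IP_NF_FILTER, CONFIG_IP_NF_MANGLE, CONFIG_IP_NF_SECURITY) while CONFIG_IPV6=y sits in the context, so IPv6 traffic on the emulator never traverses a security table and secmark labeling is IPv4-only. If that is the intent, say so in the commit message; otherwise CONFIG_IP6_NF_IPTABLES and CONFIG_IP6_NF_SECURITY are the counterparts to add here and in the armv7 config.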
diff --git a/arch/x86/configs/goldfish_defconfig b/arch/x86/configs/goldfish_defconfig
index fceb7e2f..508f540 100644
--- a/arch/x86/configs/goldfish_defconfig
+++ b/arch/x86/configs/goldfish_defconfig
@@ -451,9 +451,10 @@ CONFIG_IPV6=y
CONFIG_NETLABEL=y
CONFIG_ANDROID_PARANOID_NETWORK=y
CONFIG_NETWORK_SECMARK=y
+CONFIG_IP_NF_SECURITY=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
-# CONFIG_NETFILTER_ADVANCED is not set
+CONFIG_NETFILTER_ADVANCED=y
#
# Core Netfilter Configuration
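Review bot: CONFIG_IP_NF_SECURITY=y is inserted above CONFIG_NETFILTER=y, outside the "IP: Netfilter Configuration" section where Kconfig emits it, so the next `make savedefconfig` will relocate it and create churn; put it with the other IP_NF options. Separately, the x86 context shows CONFIG_NETLABEL=y while neither ARM goldfish config enables it, so the three emulator kernels end up with different SELinux network labeling capabilities; a sentence in the commit message on whether that difference is deliberate would help.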
--
1.7.9.5
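The five kernel patches above all append SECMARK and security-table options to existing defconfigs, and the recurring question is whether their Kconfig dependencies are already present. As an added example (not code from the patch series), the checker below parses a defconfig and reports, for each enabled option of interest, which dependencies are unset or absent; the dependency table is taken from 3.x-era netfilter Kconfig and is an assumption to verify against the tree, and the sample input is a constructed, abridged copy of the herring hunk's result.

```python
"""Check that SE Android SECMARK/security-table defconfig options have their
Kconfig dependencies. Added example, not code from the patch series above."""
import re
# Direct Kconfig dependencies of the options the kernel patches enable.
# Assumption: taken from 3.x-era netfilter Kconfig; verify against your tree.
KCONFIG_DEPENDS: dict[str, list[str]] = {
    "CONFIG_NETFILTER_ADVANCED": ["CONFIG_NETFILTER"],
    "CONFIG_NETFILTER_XTABLES": ["CONFIG_NETFILTER"],
    "CONFIG_NF_CONNTRACK": ["CONFIG_NETFILTER"],
    "CONFIG_NF_CONNTRACK_SECMARK": ["CONFIG_NF_CONNTRACK", "CONFIG_NETWORK_SECMARK"],
    "CONFIG_NETFILTER_XT_TARGET_SECMARK": ["CONFIG_NETFILTER_XTABLES", "CONFIG_NETWORK_SECMARK"],
    "CONFIG_NETFILTER_XT_TARGET_CONNSECMARK": [
        "CONFIG_NETFILTER_XTABLES", "CONFIG_NF_CONNTRACK", "CONFIG_NF_CONNTRACK_SECMARK"],
    "CONFIG_IP_NF_IPTABLES": ["CONFIG_NETFILTER_XTABLES"],
    "CONFIG_IP_NF_SECURITY": [
        "CONFIG_IP_NF_IPTABLES", "CONFIG_SECURITY", "CONFIG_NETFILTER_ADVANCED"],
}
_SET = re.compile(r"^(CONFIG_\w+)=(y|m)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_defconfig(text: str) -> dict[str, bool]:
    """Map every option a defconfig mentions to True (=y/=m) or False (not set)."""
    state: dict[str, bool] = {}
    for line in text.splitlines():
        if m := _SET.match(line.strip()):
            state[m.group(1)] = True
        elif m := _UNSET.match(line.strip()):
            state[m.group(1)] = False
    return state

def check_defconfig(text: str) -> dict[str, list[str]]:
    """Return {enabled option: sorted dependencies that are unset or absent}.
    Kconfig drops an option with unmet dependencies without complaint, so any entry
    here would not survive 'make <board>_defconfig'. Run it on the whole file; on a
    fragment, 'absent' only means 'not in this hunk'."""
    state = parse_defconfig(text)
    problems: dict[str, list[str]] = {}
    for opt, deps in KCONFIG_DEPENDS.items():
        if state.get(opt):
            missing = sorted(d for d in deps if not state.get(d))
            if missing:
                problems[opt] = missing
    return problems

# Constructed sample (abridged): the tail of herring_defconfig as the
# [PATCH kernel/samsung] hunk leaves it, context lines plus the six added ones.
SAMPLE_HERRING_TAIL = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_IP_NF_SECURITY=y
"""

if __name__ == "__main__":
    for opt, missing in check_defconfig(SAMPLE_HERRING_TAIL).items():
        print(f"{opt}: not enabled here: {', '.join(missing)}")
```

On the abridged herring tail it flags CONFIG_NF_CONNTRACK, CONFIG_NETFILTER_XTABLES, CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES as the symbols the hunk relies on but does not show.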
* Re: [PATCH external/sepolicy] Add selinux network script to policy
From: Stephen Smalley @ 2012-06-21 14:43 UTC
To: jbrindle; +Cc: selinux
On Wed, 2012-06-20 at 11:58 -0400, jbrindle@tresys.com wrote:
> From: Joshua Brindle <jbrindle@tresys.com>
>
> Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
> ---
> Android.mk | 13 +++++++++++++
> selinux-network.sh | 18 ++++++++++++++++++
> 2 files changed, 31 insertions(+)
> create mode 100755 selinux-network.sh
Thanks, merged all 7 patches. A few notes:
- I merged these on the master or seandroid branches and then merged
master or seandroid onto mmac. Some of your patches were against mmac
so I fixed those by hand.
- I haven't yet cherry-picked them onto seandroid-4.0.4 and mmac-4.0.4,
but will likely do so.
- Do we want some basic attribute/type definitions and allow rules in
the base policy to support this functionality, even though by default
the iptables secmark rules are commented out? Something like the
following patch to support at least the wlan0 and lo secmark labeling:
diff --git a/attributes b/attributes
index 1016ec6..3bc4a9f 100644
--- a/attributes
+++ b/attributes
@@ -33,6 +33,9 @@ attribute netif_type;
# All types used for network ports.
attribute port_type;
+# All types used for secmark packet labeling.
+attribute packet_type;
+
# All types used for property service
attribute property_type;
diff --git a/net.te b/net.te
index b10cecd..500e958 100644
--- a/net.te
+++ b/net.te
@@ -2,6 +2,8 @@
type node, node_type;
type netif, netif_type;
type port, port_type;
+type packet, packet_type;
+type lo_packet, packet_type;
# Use network sockets.
allow netdomain self:{ tcp_socket udp_socket } *;
@@ -13,6 +15,9 @@ allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# Get route information.
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
+# Send/recv packets.
+allow netdomain packet:packet { send recv };
+allow netdomain lo_packet:packet { send recv };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
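Review bot: Granting netdomain send/recv on both packet and lo_packet is a reasonable default, but it means the lo_packet/packet split only has an effect for domains outside netdomain (netd below is the one example). Also worth checking: these rules cover only the two types selinux-network.sh assigns, so any packet that matches none of the script's SECMARK rules once they are uncommented carries neither type and has no allow rule here; either the script needs a catch-all rule labeling remaining traffic as packet, or a rule for the unlabeled case belongs in net.te.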
diff --git a/netd.te b/netd.te
index 47687dc..6bfe2e2 100644
--- a/netd.te
+++ b/netd.te
@@ -12,6 +12,7 @@ allow netd self:rawip_socket *;
allow netd self:udp_socket *;
allow netd node:udp_socket node_bind;
allow netd port:udp_socket name_bind;
+allow netd lo_packet:packet { send recv };
allow netd self:unix_stream_socket *;
allow netd shell_exec:file rx_file_perms;
allow netd system_file:file x_file_perms;
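Review bot: netd is given lo_packet only, while the surrounding rules show it opening rawip and udp sockets and binding ports; if it ever sends or receives on wlan0 there is no packet permission for it, and the denial will only surface once the iptables secmark rules are uncommented. If netd is already a member of netdomain the rule is redundant with the net.te hunk; in either case a comment stating why netd is limited to loopback traffic would make the intent clear.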
diff --git a/unconfined.te b/unconfined.te
index ff53595..21d62c1 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,5 +20,6 @@ allow unconfineddomain netif_type:netif *;
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
+allow unconfineddomain packet_type:packet *;
allow unconfineddomain domain:binder { call transfer receive };
allow unconfineddomain property_type:property_service set;
--
Stephen Smalley
National Security Agency
* Re: [PATCH external/sepolicy] Add selinux network script to policy
From: Joshua Brindle @ 2012-06-21 14:46 UTC
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
> On Wed, 2012-06-20 at 11:58 -0400, jbrindle@tresys.com wrote:
>> From: Joshua Brindle<jbrindle@tresys.com>
>>
>> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
>> ---
>> Android.mk | 13 +++++++++++++
>> selinux-network.sh | 18 ++++++++++++++++++
>> 2 files changed, 31 insertions(+)
>> create mode 100755 selinux-network.sh
>
> Thanks, merged all 7 patches. A few notes:
> - I merged these on the master or seandroid branches and then merged
> master or seandroid onto mmac. Some of your patches were against mmac
> so I fixed those by hand.
>
> - I haven't yet cherry-picked them onto seandroid-4.0.4 and mmac-4.0.4,
> but will likely do so.
>
> - Do we want some basic attribute/type definitions and allow rules in
> the base policy to support this functionality, even though by default
> the iptables secmark rules are commented out? Something like the
> following patch to support at least the wlan0 and lo secmark labeling:
I think the below is fine. I modified the policy here but hadn't gotten around
to removing the various vpn types to submit. I wasn't really sure how to handle
it since I expect vpn apps to label new interfaces, but we don't want local
policy management. Should we just add a handful and the implementers can use
them however they want?
>
> diff --git a/attributes b/attributes
> index 1016ec6..3bc4a9f 100644
> --- a/attributes
> +++ b/attributes
> @@ -33,6 +33,9 @@ attribute netif_type;
> # All types used for network ports.
> attribute port_type;
>
> +# All types used for secmark packet labeling.
> +attribute packet_type;
> +
> # All types used for property service
> attribute property_type;
>
> diff --git a/net.te b/net.te
> index b10cecd..500e958 100644
> --- a/net.te
> +++ b/net.te
> @@ -2,6 +2,8 @@
> type node, node_type;
> type netif, netif_type;
> type port, port_type;
> +type packet, packet_type;
> +type lo_packet, packet_type;
>
> # Use network sockets.
> allow netdomain self:{ tcp_socket udp_socket } *;
> @@ -13,6 +15,9 @@ allow netdomain port_type:udp_socket name_bind;
> allow netdomain port_type:tcp_socket name_bind;
> # Get route information.
> allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
> +# Send/recv packets.
> +allow netdomain packet:packet { send recv };
> +allow netdomain lo_packet:packet { send recv };
>
> # Talks to netd via dnsproxyd socket.
> unix_socket_connect(netdomain, dnsproxyd, netd)
> diff --git a/netd.te b/netd.te
> index 47687dc..6bfe2e2 100644
> --- a/netd.te
> +++ b/netd.te
> @@ -12,6 +12,7 @@ allow netd self:rawip_socket *;
> allow netd self:udp_socket *;
> allow netd node:udp_socket node_bind;
> allow netd port:udp_socket name_bind;
> +allow netd lo_packet:packet { send recv };
> allow netd self:unix_stream_socket *;
> allow netd shell_exec:file rx_file_perms;
> allow netd system_file:file x_file_perms;
> diff --git a/unconfined.te b/unconfined.te
> index ff53595..21d62c1 100644
> --- a/unconfined.te
> +++ b/unconfined.te
> @@ -20,5 +20,6 @@ allow unconfineddomain netif_type:netif *;
> allow unconfineddomain port_type:socket_class_set name_bind;
> allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
> allow unconfineddomain domain:peer recv;
> +allow unconfineddomain packet_type:packet *;
> allow unconfineddomain domain:binder { call transfer receive };
> allow unconfineddomain property_type:property_service set;