* [RFC] Add initial clipboard access control implementation
From: Joshua Brindle @ 2012-09-14 15:24 UTC (permalink / raw)
To: selinux; +Cc: Joshua Brindle
This is an RFC for clipboard access controls in Android. I still need to do non-SELinux system guards and check for permission when onPrimaryClipChanged() sends notifications to apps listening for clipboard updates.
Change-Id: Ib0b6aeca59511ce71832aee1afd4150d1514a63c
---
.../java/com/android/server/ClipboardService.java | 25 ++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/services/java/com/android/server/ClipboardService.java b/services/java/com/android/server/ClipboardService.java
index 8a6a550..5908224 100644
--- a/services/java/com/android/server/ClipboardService.java
+++ b/services/java/com/android/server/ClipboardService.java
@@ -36,6 +36,7 @@ import android.os.Parcel;
import android.os.Process;
import android.os.RemoteCallbackList;
import android.os.RemoteException;
+import android.os.SELinux;
import android.os.UserId;
import android.util.Pair;
import android.util.Slog;
@@ -62,6 +63,7 @@ public class ClipboardService extends IClipboard.Stub {
= new RemoteCallbackList<IOnPrimaryClipChangedListener>();
ClipData primaryClip;
+ String securityLabel;
final HashSet<String> activePermissionOwners
= new HashSet<String>();
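Review bot: the new `securityLabel` field carries no comment and is null until the first setPrimaryClip(); add a comment stating that it holds the SELinux context of the process that set `primaryClip`, and that readers must treat null as "no owner yet" rather than passing it into a check.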
@@ -145,6 +147,8 @@ public class ClipboardService extends IClipboard.Stub {
clearActiveOwnersLocked();
PerUserClipboard clipboard = getClipboard();
clipboard.primaryClip = clip;
+ clipboard.securityLabel = SELinux.getPidContext(Binder.getCallingPid());
+ Slog.i(TAG, "Got clip for securityLabel=" + clipboard.securityLabel);
final int n = clipboard.primaryClipListeners.beginBroadcast();
for (int i = 0; i < n; i++) {
try {
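Review bot: the label is taken from SELinux.getPidContext(Binder.getCallingPid()) with no null check, so a caller that has already exited leaves `securityLabel` null while `primaryClip` is set, and a call made from inside the service or after clearCallingIdentity() labels the clip with the system server's own context; consider checking for both before storing the label. Also, `Slog.i` on every copy writes the caller's context to the log at info level; a debug-level or denial-only log would be quieter.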
@@ -162,6 +166,12 @@ public class ClipboardService extends IClipboard.Stub {
public ClipData getPrimaryClip(String pkg) {
synchronized (this) {
addActiveOwnerLocked(Binder.getCallingUid(), pkg);
+
+ // Did not add this to addActiveOwnerLocked because throwing an exception
+ // for an SELinux violation kills the app and is generally not desirable
+ if (!checkSELinuxAccess())
+ return null;
+
return getClipboard().primaryClip;
}
}
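Review bot: the SELinux check runs after addActiveOwnerLocked(Binder.getCallingUid(), pkg), so a denied caller is still registered as an active permission owner, with whatever grants that entails, before the null is returned; moving `if (!checkSELinuxAccess()) return null;` above the addActiveOwnerLocked() call keeps a denial side-effect free and still avoids the exception the comment is concerned about.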
@@ -169,12 +179,18 @@ public class ClipboardService extends IClipboard.Stub {
public ClipDescription getPrimaryClipDescription() {
synchronized (this) {
PerUserClipboard clipboard = getClipboard();
+
+ if (!checkSELinuxAccess())
+ return null;
+
return clipboard.primaryClip != null ? clipboard.primaryClip.getDescription() : null;
}
}
public boolean hasPrimaryClip() {
synchronized (this) {
+ if (!checkSELinuxAccess())
+ return false;
return getClipboard().primaryClip != null;
}
}
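Review bot: in getPrimaryClipDescription() the `clipboard` lookup happens before the check and is wasted on denial; put the check at the top of the synchronized block as hasPrimaryClip() does. A short comment on both methods noting that null/false is also the result of an SELinux denial, not only of an empty clipboard, would help later readers, since callers cannot tell the two apart.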
@@ -193,6 +209,8 @@ public class ClipboardService extends IClipboard.Stub {
public boolean hasClipboardText() {
synchronized (this) {
+ if (!checkSELinuxAccess())
+ return false;
PerUserClipboard clipboard = getClipboard();
if (clipboard.primaryClip != null) {
CharSequence text = clipboard.primaryClip.getItemAt(0).getText();
@@ -308,4 +326,11 @@ public class ClipboardService extends IClipboard.Stub {
revokeItemLocked(clipboard.primaryClip.getItemAt(i));
}
}
+
+ private final boolean checkSELinuxAccess() {
+ String securityLabel = SELinux.getPidContext(Binder.getCallingPid());
+ Slog.i(TAG, "Get clip for securityLabel=" + securityLabel);
+ return SELinux.checkSELinuxAccess(securityLabel, getClipboard().securityLabel, "x_application_data", "paste");
+ }
+
}
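Review bot: both arguments to SELinux.checkSELinuxAccess() can be null here: getPidContext() returns null when the caller has gone away, and getClipboard().securityLabel is null until something has been copied; return false explicitly in both cases before calling into the native check. The `Slog.i` also fires on every call, including each hasPrimaryClip()/hasClipboardText() poll, so logging only on denial (or at debug level) would keep the log useful, and `final` on a private method is redundant.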
--
1.7.9.5
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [RFC] Add initial clipboard access control implementation
From: Stephen Smalley @ 2012-09-14 16:35 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Fri, 2012-09-14 at 11:24 -0400, Joshua Brindle wrote:
> This is an RFC for clipboard access controls in Android. I still need to do non-SELinux system guards and check for permission when onPrimaryClipChanged() sends notifications to apps listening for clipboard updates.
>
> Change-Id: Ib0b6aeca59511ce71832aee1afd4150d1514a63c
> ---
> .../java/com/android/server/ClipboardService.java | 25 ++++++++++++++++++++
> 1 file changed, 25 insertions(+)
Do you have a functioning policy for these controls (i.e. one that
allows normal operation but prevents something bad from happening)?
--
Stephen Smalley
National Security Agency
* Re: [RFC] Add initial clipboard access control implementation
From: Joshua Brindle @ 2012-09-14 16:46 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
> On Fri, 2012-09-14 at 11:24 -0400, Joshua Brindle wrote:
>> This is an RFC for clipboard access controls in Android. I still need to do non-SELinux system guards and check for permission when onPrimaryClipChanged() sends notifications to apps listening for clipboard updates.
>>
>> Change-Id: Ib0b6aeca59511ce71832aee1afd4150d1514a63c
>> ---
>> .../java/com/android/server/ClipboardService.java | 25 ++++++++++++++++++++
>> 1 file changed, 25 insertions(+)
>
> Do you have a functioning policy for these controls (i.e. one that
> allows normal operation but prevents something bad from happening)?
>
Sort of. My policy is pretty hacked up because the only way this is
useful is if you have multiple, separate app domains, which the
appdomain attribute does a good job of not easily allowing without
duplicating all the rules.
To make devices behave as normal we just need:
allow appdomain appdomain : x_application_data paste;
in app.te, but that won't prevent pasting ever; someone who wants to use
this will have to make a new domain that isn't in the appdomain
attribute and copy all the rules.
On my todo list is to move all the appdomain rules to an interface so
that I can create new domains without access to each other but that
hasn't happened yet.
* Re: [RFC] Add initial clipboard access control implementation
From: Stephen Smalley @ 2012-09-14 17:51 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Fri, 2012-09-14 at 11:24 -0400, Joshua Brindle wrote:
> This is an RFC for clipboard access controls in Android. I still need to do non-SELinux system guards and check for permission when onPrimaryClipChanged() sends notifications to apps listening for clipboard updates.
>
> Change-Id: Ib0b6aeca59511ce71832aee1afd4150d1514a63c
> ---
> .../java/com/android/server/ClipboardService.java | 25 ++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/services/java/com/android/server/ClipboardService.java b/services/java/com/android/server/ClipboardService.java
> index 8a6a550..5908224 100644
> --- a/services/java/com/android/server/ClipboardService.java
> +++ b/services/java/com/android/server/ClipboardService.java
> @@ -36,6 +36,7 @@ import android.os.Parcel;
> import android.os.Process;
> import android.os.RemoteCallbackList;
> import android.os.RemoteException;
> +import android.os.SELinux;
> import android.os.UserId;
> import android.util.Pair;
> import android.util.Slog;
> @@ -62,6 +63,7 @@ public class ClipboardService extends IClipboard.Stub {
> = new RemoteCallbackList<IOnPrimaryClipChangedListener>();
>
> ClipData primaryClip;
> + String securityLabel;
>
> final HashSet<String> activePermissionOwners
> = new HashSet<String>();
> @@ -145,6 +147,8 @@ public class ClipboardService extends IClipboard.Stub {
> clearActiveOwnersLocked();
> PerUserClipboard clipboard = getClipboard();
> clipboard.primaryClip = clip;
> + clipboard.securityLabel = SELinux.getPidContext(Binder.getCallingPid());
> + Slog.i(TAG, "Got clip for securityLabel=" + clipboard.securityLabel);
> final int n = clipboard.primaryClipListeners.beginBroadcast();
> for (int i = 0; i < n; i++) {
> try {
> @@ -162,6 +166,12 @@ public class ClipboardService extends IClipboard.Stub {
> public ClipData getPrimaryClip(String pkg) {
> synchronized (this) {
> addActiveOwnerLocked(Binder.getCallingUid(), pkg);
> +
> + // Did not add this to addActiveOwnerLocked because throwing an exception
> + // for an SELinux violation kills the app and is generally not desirable
> + if (!checkSELinuxAccess())
> + return null;
> +
> return getClipboard().primaryClip;
> }
> }
> @@ -169,12 +179,18 @@ public class ClipboardService extends IClipboard.Stub {
> public ClipDescription getPrimaryClipDescription() {
> synchronized (this) {
> PerUserClipboard clipboard = getClipboard();
> +
> + if (!checkSELinuxAccess())
> + return null;
> +
> return clipboard.primaryClip != null ? clipboard.primaryClip.getDescription() : null;
> }
> }
>
> public boolean hasPrimaryClip() {
> synchronized (this) {
> + if (!checkSELinuxAccess())
> + return false;
> return getClipboard().primaryClip != null;
> }
> }
> @@ -193,6 +209,8 @@ public class ClipboardService extends IClipboard.Stub {
>
> public boolean hasClipboardText() {
> synchronized (this) {
> + if (!checkSELinuxAccess())
> + return false;
> PerUserClipboard clipboard = getClipboard();
> if (clipboard.primaryClip != null) {
> CharSequence text = clipboard.primaryClip.getItemAt(0).getText();
> @@ -308,4 +326,11 @@ public class ClipboardService extends IClipboard.Stub {
> revokeItemLocked(clipboard.primaryClip.getItemAt(i));
> }
> }
> +
> + private final boolean checkSELinuxAccess() {
> + String securityLabel = SELinux.getPidContext(Binder.getCallingPid());
> + Slog.i(TAG, "Get clip for securityLabel=" + securityLabel);
> + return SELinux.checkSELinuxAccess(securityLabel, getClipboard().securityLabel, "x_application_data", "paste");
> + }
> +
> }
checkSELinuxAccess() internally checks whether SELinux is enabled and
always succeeds if not, so you don't need to separately check for
enabled status.
Likely of greater concern are the edge cases for Binder.getCallingPid()
and SELinux.getPidContext().
--
Stephen Smalley
National Security Agency
* Re: [RFC] Add initial clipboard access control implementation
From: Joshua Brindle @ 2012-09-14 18:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
<snip>
> Likely of greater concern are the edge cases for Binder.getCallingPid()
> and SELinux.getPidContext().
>
Are there plans to upstream Binder.getContext()?
* Re: [RFC] Add initial clipboard access control implementation
From: Stephen Smalley @ 2012-09-14 18:49 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Fri, 2012-09-14 at 14:07 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> <snip>
> > Likely of greater concern are the edge cases for Binder.getCallingPid()
> > and SELinux.getPidContext().
> >
>
> Are there plans to upstream Binder.getContext()?
No, as per the Middleware MAC talk that we gave at LSS (slides available
from the wiki).
Anyway, I'd suggest adding some instrumentation to detect whether you
are encountering any of the interesting cases, e.g.
Binder.getCallingPid() equals Process.myPid() or SELinux.getPidContext()
returns NULL. The former can happen for a service-internal binder call
or if the service explicitly clears the calling identity because it is
trying to do something that requires more privilege than the caller, and
the latter can happen if the caller has died. In the former case, try
to get a traceback and see whether it is the correct behavior for that
situation.
--
Stephen Smalley
National Security Agency
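The instrumentation Stephen suggests, written out as an added example (not code from the RFC or from AOSP): a variant of the patch's checkSELinuxAccess() that records a stack trace when the calling pid is the service's own pid, fails closed when getPidContext() returns null, and also fails closed when no clip has been labelled yet. It assumes the ClipboardService context of the patch (TAG, getClipboard(), the securityLabel field) and the SE Android SELinux class used there.

```java
import android.os.Binder;
import android.os.Process;
import android.os.SELinux;
import android.util.Slog;

// Assumed: this method sits in ClipboardService next to the patch's
// getClipboard() and TAG, and PerUserClipboard has the new securityLabel field.
private boolean checkSELinuxAccessInstrumented() {
    final int callingPid = Binder.getCallingPid();

    // Edge case 1: the "caller" is the system server itself, which happens for a
    // service-internal binder call or after clearCallingIdentity(). Record a
    // stack trace so each occurrence can be reviewed for whether it is intended.
    if (callingPid == Process.myPid()) {
        Slog.w(TAG, "clipboard SELinux check with own pid " + callingPid,
                new Throwable("calling identity at check time"));
    }

    final String callerLabel = SELinux.getPidContext(callingPid);

    // Edge case 2: no context could be read, typically because the caller has
    // already died. Fail closed instead of handing null to the native check.
    if (callerLabel == null) {
        Slog.w(TAG, "no SELinux context for calling pid " + callingPid
                + ", denying paste");
        return false;
    }

    // Edge case 3 (assumption, not raised on the list): nothing has been copied
    // yet, so there is no owner label to check against; treat as not pasteable.
    final String clipLabel = getClipboard().securityLabel;
    if (clipLabel == null) {
        return false;
    }

    final boolean allowed = SELinux.checkSELinuxAccess(callerLabel, clipLabel,
            "x_application_data", "paste");
    if (!allowed) {
        // Only denials are logged here; the SELinux AVC audits them as well.
        Slog.w(TAG, "paste denied: scontext=" + callerLabel
                + " tcontext=" + clipLabel);
    }
    return allowed;
}
```

Dropping this in for the patch's checkSELinuxAccess() keeps the same null/false results at the four entry points while making the own-pid and dead-caller cases visible in logcat.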