Move some rules around

Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
2018-11-28 17:50:24 -08:00 · 2018-11-28 17:50:24 -08:00 · 1e5021c450
commit 1e5021c450
parent b1dad09679
5 changed files with 107 additions and 107 deletions
--- a/private/app.te
+++ b/private/app.te
@ -13,3 +13,11 @@ allow appdomain priv_app_tmpfs:file read;
 neverallow appdomain system_server:udp_socket {
        accept append bind create ioctl listen lock name_bind
        relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+    { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+    { dyntransition };
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -14,6 +14,69 @@ neverallow {
 } sysfs_leds:file *;
 ')

+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
+        -postinstall_dexopt
+        -system_server
+        -mediaserver
+    } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -webview_zygote
+        -zygote
+        userdebug_or_eng(`-heapprofd')
+    } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -webview_zygote
+        -zygote
+        userdebug_or_eng(`-heapprofd')
+    } vendor_overlay_file:file r_file_perms;
+')
+
 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.
--- a/private/domain.te
+++ b/private/domain.te
@ -23,6 +23,42 @@ userdebug_or_eng(`can_profile_heap({
  -vold
 })')

+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+    get_prop(domain, core_property_type)
+    get_prop(domain, exported_dalvik_prop)
+    get_prop(domain, exported_ffs_prop)
+    get_prop(domain, exported_system_radio_prop)
+    get_prop(domain, exported2_config_prop)
+    get_prop(domain, exported2_radio_prop)
+    get_prop(domain, exported2_system_prop)
+    get_prop(domain, exported2_vold_prop)
+    get_prop(domain, exported3_default_prop)
+    get_prop(domain, exported3_radio_prop)
+    get_prop(domain, exported3_system_prop)
+    get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+    get_prop({coredomain appdomain shell}, core_property_type)
+    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+    get_prop({coredomain appdomain shell}, exported_ffs_prop)
+    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+    get_prop({coredomain appdomain shell}, exported2_config_prop)
+    get_prop({coredomain appdomain shell}, exported2_radio_prop)
+    get_prop({coredomain appdomain shell}, exported2_system_prop)
+    get_prop({coredomain appdomain shell}, exported2_vold_prop)
+    get_prop({coredomain appdomain shell}, exported3_default_prop)
+    get_prop({coredomain appdomain shell}, exported3_radio_prop)
+    get_prop({coredomain appdomain shell}, exported3_system_prop)
+    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
--- a/public/app.te
+++ b/public/app.te
@ -435,14 +435,6 @@ neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 neverallow appdomain { domain -appdomain }:process
    { sigkill sigstop signal };

-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
-    { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
-    { dyntransition };
-
 # Write to rootfs.
 neverallow appdomain rootfs:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
--- a/public/domain.te
+++ b/public/domain.te
@ -83,37 +83,6 @@ allow domain properties_device:dir { search getattr };
 allow domain properties_serial:file r_file_perms;
 allow domain property_info:file r_file_perms;

-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
-    get_prop(domain, core_property_type)
-    get_prop(domain, exported_dalvik_prop)
-    get_prop(domain, exported_ffs_prop)
-    get_prop(domain, exported_system_radio_prop)
-    get_prop(domain, exported2_config_prop)
-    get_prop(domain, exported2_radio_prop)
-    get_prop(domain, exported2_system_prop)
-    get_prop(domain, exported2_vold_prop)
-    get_prop(domain, exported3_default_prop)
-    get_prop(domain, exported3_radio_prop)
-    get_prop(domain, exported3_system_prop)
-    get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
-    get_prop({coredomain appdomain shell}, core_property_type)
-    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
-    get_prop({coredomain appdomain shell}, exported_ffs_prop)
-    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
-    get_prop({coredomain appdomain shell}, exported2_config_prop)
-    get_prop({coredomain appdomain shell}, exported2_radio_prop)
-    get_prop({coredomain appdomain shell}, exported2_system_prop)
-    get_prop({coredomain appdomain shell}, exported2_vold_prop)
-    get_prop({coredomain appdomain shell}, exported3_default_prop)
-    get_prop({coredomain appdomain shell}, exported3_radio_prop)
-    get_prop({coredomain appdomain shell}, exported3_system_prop)
-    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
 # Public readable properties
 get_prop(domain, debug_prop)
 get_prop(domain, exported_config_prop)
@ -251,11 +220,6 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;

-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
-
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
@ -966,69 +930,6 @@ full_treble_only(`
    }:file_class_set ~{ append getattr ioctl read write map };
 ')

-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
-full_treble_only(`
-    # Limit access to /vendor/app
-    neverallow {
-        coredomain
-        -appdomain
-        -dex2oat
-        -idmap
-        -init
-        -installd
-        userdebug_or_eng(`-perfprofd')
-        userdebug_or_eng(`-heapprofd')
-        -postinstall_dexopt
-        -system_server
-    } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
-    neverallow {
-        coredomain
-        -appdomain
-        -dex2oat
-        -idmap
-        -init
-        -installd
-        userdebug_or_eng(`-perfprofd')
-        userdebug_or_eng(`-heapprofd')
-        -postinstall_dexopt
-        -system_server
-        -mediaserver
-    } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
-    # Limit access to /vendor/overlay
-    neverallow {
-        coredomain
-        -appdomain
-        -idmap
-        -init
-        -installd
-        -system_server
-        -webview_zygote
-        -zygote
-        userdebug_or_eng(`-heapprofd')
-    } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
-    neverallow {
-        coredomain
-        -appdomain
-        -idmap
-        -init
-        -installd
-        -system_server
-        -webview_zygote
-        -zygote
-        userdebug_or_eng(`-heapprofd')
-    } vendor_overlay_file:file r_file_perms;
-')
-
 full_treble_only(`
    # Non-vendor domains are not allowed to file execute shell
    # from vendor