From 1e5021c450a06eb738209948d1522747d3f327fa Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 28 Nov 2018 17:50:24 -0800
Subject: [PATCH] Move some rules around

Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective.

Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
---
 private/app.te | 8 ++++
 private/coredomain.te | 63 +++++++++++++++++++++++++++
 private/domain.te | 36 ++++++++++++++++
 public/app.te | 8 ----
 public/domain.te | 99 -------------------------------------------
 5 files changed, 107 insertions(+), 107 deletions(-)

diff --git a/private/app.te b/private/app.te
index 7d9bc89ed..b2c1be334 100644
--- a/private/app.te
+++ b/private/app.te
@@ -13,3 +13,11 @@ allow appdomain priv_app_tmpfs:file read;
 neverallow appdomain system_server:udp_socket { accept append bind create ioctl listen lock name_bind relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
diff --git a/private/coredomain.te b/private/coredomain.te
index 2fbbbfd1a..78ffb27df 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
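Review bot: The comment `# Exception for crash_dump.` carried into private/app.te describes only the `transition` rule; the `dyntransition` rule two lines below keeps crash_dump inside `{ domain -appdomain }`, so dynamic transitions into it remain forbidden. Now that this block sits apart from the rest of the app neverallows in public/app.te, a reader cannot tell from surrounding context whether that asymmetry is deliberate. Suggest making it explicit: `# Exception for crash_dump (exec transition only; dyntransition into it is still forbidden).`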
@@ -14,6 +14,69 @@ neverallow {
 } sysfs_leds:file *;
 ')
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
+ -postinstall_dexopt
+ -system_server
+ -mediaserver
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-heapprofd')
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-heapprofd')
+ } vendor_overlay_file:file r_file_perms;
+')
+
 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.
diff --git a/private/domain.te b/private/domain.te
index 65688b20f..7a41ab213 100644
--- a/private/domain.te
+++ b/private/domain.te
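Review bot: The exclusion lists of the four `full_treble_only` blocks differ in ways the comments do not explain: `-mediaserver` appears only in the `vendor_app_file:file` rule and not in its `:dir` counterpart, and `-dex2oat`, `-postinstall_dexopt` and the `-perfprofd` exception appear only in the vendor_app_file pair, not the vendor_overlay_file pair. Since the lists are being relocated rather than changed, this is a cheap moment to record the reason for each gap next to the entry, e.g. `-mediaserver # :file only; needs no vendor_app_file:dir search (confirm with owner)`, so that later edits to one list do not silently diverge from the other. Defining the shared whitelist once and reusing it in both the dir and the file rule would also make such drift visible in review.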
@@ -23,6 +23,42 @@ userdebug_or_eng(`can_profile_heap({ -vold })')
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
diff --git a/public/app.te b/public/app.te
index 40dee5dcd..aa735b470 100644
--- a/public/app.te
+++ b/public/app.te
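Review bot: Moving `allow domain cgroup:dir search;`, the two `allow { domain -appdomain } cgroup:...` rules and the `get_prop(domain, ...)` grants from public/domain.te into private/domain.te keeps `domain` as the subject, and whether that is really a no-op for vendor domains depends on whether private allow rules reach the versioned policy that vendor types are attributed against; if they do not, vendor domains lose cgroup path resolution and core property reads at runtime while the build still succeeds. `Test: compiles` does not exercise that, so the commit record should cite the Treble sepolicy compatibility tests or a denial check on a device carrying vendor policy. If these rules are meant to be platform-only, narrowing the subject to `coredomain` would state that intent in the rule itself rather than in the file's location.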
@@ -435,14 +435,6 @@ neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 neverallow appdomain { domain -appdomain }:process { sigkill sigstop signal };
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
 # Write to rootfs.
 neverallow appdomain rootfs:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/domain.te b/public/domain.te
index 67002c93f..c536c127d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -83,37 +83,6 @@ allow domain properties_device:dir { search getattr };
 allow domain properties_serial:file r_file_perms;
 allow domain property_info:file r_file_perms;
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
- get_prop(domain, core_property_type)
- get_prop(domain, exported_dalvik_prop)
- get_prop(domain, exported_ffs_prop)
- get_prop(domain, exported_system_radio_prop)
- get_prop(domain, exported2_config_prop)
- get_prop(domain, exported2_radio_prop)
- get_prop(domain, exported2_system_prop)
- get_prop(domain, exported2_vold_prop)
- get_prop(domain, exported3_default_prop)
- get_prop(domain, exported3_radio_prop)
- get_prop(domain, exported3_system_prop)
- get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
- get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported_dalvik_prop)
- get_prop({coredomain appdomain shell}, exported_ffs_prop)
- get_prop({coredomain appdomain shell}, exported_system_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_config_prop)
- get_prop({coredomain appdomain shell}, exported2_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported2_vold_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
- get_prop({coredomain appdomain shell}, exported3_radio_prop)
- get_prop({coredomain appdomain shell}, exported3_system_prop)
- get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
 # Public readable properties
 get_prop(domain, debug_prop)
 get_prop(domain, exported_config_prop)
@@ -251,11 +220,6 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
-
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
 # The reason behind this is documented in b/6513400
@@ -966,69 +930,6 @@ full_treble_only(`
 }:file_class_set ~{ append getattr ioctl read write map };
 ')
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -system_server
- } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -system_server
- -mediaserver
- } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
-')
-
 full_treble_only(`
 # Non-vendor domains are not allowed to file execute shell
 # from vendor