From 939b50ff61aa748d5eb219c717371b261aa0d172 Mon Sep 17 00:00:00 2001
From: Dan Cashman
Date: Thu, 15 Jun 2017 09:20:01 -0700
Subject: [PATCH] Add extraneous neverallow rule to enforce attribute inclusion.

Due to the massively increased number of attributes in SELinux policy as part of the treble changes, we have had to remove attributes from policy for performance reasons. Unfortunately, some attributes are required to be in policy to ensure that our neverallow rules are being properly enforced. Usually this is not a problem, since neverallow rules indicate that an attribute should be kept, but this is not currently the case when the attribute is part of a negation in a group. This is particularly problematic with treble since some attributes may exist for HALs that have no implementation, and thus no types. In particular, this has caused an issue with the neverallows added in our macros. Add an extraneous neverallow rule to each of those auto-generated neverallow rules to make sure that they are not removed from policy, until the policy compiler is fixed to avoid this. Also add corresponding rules for other types which have been removed due to no corresponding rules.

Bug: 62591065
Bug: 62658302
Test: Attributes present in policy and CTS passes. sepolicy-analyze also works on platform-only policy.
Change-Id: Ic3fc034cdbd04a94167f8240cf562297e8d7c762
---
 public/domain.te | 8 ++++++++
 public/te_macros | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 34cbadcfc..d2b370a21 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -497,6 +497,7 @@ neverallow {
 -recovery
 -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -555,6 +556,7 @@ full_treble_only(`
 -appdomain
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 } servicemanager:binder { call transfer };
+ neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
@@ -613,6 +615,7 @@ full_treble_only(`
 -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
 -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
 });
+ neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 
 # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
 neverallow_establish_socket_comms({
@@ -644,6 +647,10 @@ full_treble_only(`
 -pdx_endpoint_socket_type # used by VR layer
 -pdx_channel_socket_type # used by VR layer
 }:sock_file ~{ append getattr ioctl read write };
+ neverallow {
+ pdx_endpoint_socket_type
+ pdx_channel_socket_type
+ } unlabeled:service_manager list; #TODO: b/62658302
 
 # Core domains are not permitted to create/open sockets owned by vendor domains
 neverallow {
@@ -728,6 +735,7 @@ full_treble_only(`
 -crash_dump_exec
 -netutils_wrapper_exec
 }:file { entrypoint execute execute_no_trans };
+ neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
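Review bot: The new `neverallow hal_bootctl unlabeled:service_manager list;` placed right after the misc_block_device rule carries only a bug number, so nothing in the file says it is a placeholder whose sole job is to keep the `hal_bootctl` attribute in the compiled policy; a later cleanup could drop it as dead and silently void whichever neverallow negates `hal_bootctl` (presumably one elsewhere in domain.te — the negation is not visible in this hunk, and the rule above it starts outside the hunk). Suggest a comment above the rule: `# Placeholder: keeps hal_bootctl in policy so the neverallow rules that negate it remain enforceable (b/62658302).` The convention already visible in the next hunk is `# TODO(b/NNN): reason`, so `# TODO(b/62658302): remove once the policy compiler retains negated attributes` would also match house style better than `#TODO: b/62658302`.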
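Review bot: The placeholder `neverallow X unlabeled:service_manager list; #TODO: b/62658302` is hand-copied five times in domain.te (this hunk pins two attributes in a braced list), so both the eventual removal and any audit of which attributes are being pinned depend on grepping comment text. A single macro in te_macros, `define(\`keep_attribute_in_policy', \`neverallow $1 unlabeled:service_manager list;')` with the b/62658302 TODO in a comment above the define, called here as `keep_attribute_in_policy({ pdx_endpoint_socket_type pdx_channel_socket_type })`, would name the intent at each site and make the cleanup a one-line change. The enclosing full_treble_only block starts and ends outside this hunk.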
diff --git a/public/te_macros b/public/te_macros
index b1937d85d..d65eb889c 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -550,6 +550,7 @@ define(`use_drmservice', `
 define(`add_service', `
 allow $1 $2:service_manager { add find };
 neverallow { domain -$1 } $2:service_manager add;
+ neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 
 ###########################################
@@ -561,6 +562,7 @@ define(`add_hwservice', `
 allow $1 $2:hwservice_manager { add find };
 allow $1 hidl_base_hwservice:hwservice_manager add;
 neverallow { domain -$1 } $2:hwservice_manager add;
+ neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 
 ##########################################
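Review bot: The `neverallow $1 unlabeled:service_manager add;` now emitted by add_service (and the hwservice twin in the second hunk) has no explanation in the macro body, and the doc header above `define(\`add_service'` is outside the hunk and presumably still describes only the allow plus the `{ domain -$1 }` neverallow. Anyone reading the generated policy will see an unexplained `unlabeled:service_manager add` neverallow for every registered service and will not connect it to attribute pruning. Suggest a line above the new rule in both macros, `# Placeholder that keeps the domain argument in the compiled policy so the negation above stays enforceable; remove with b/62658302`, and the same sentence in each macro's header comment. Keeping `$1` out of the comment text avoids depending on whether m4 substitutes arguments inside comments.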