Merge "strengthen app_data_file neverallows"

2023-05-26 15:32:15 +00:00 · 2023-05-26 15:32:15 +00:00 · 46288c6b97
commit 46288c6b97
parent ffeb680417 f3722d5a71
14 changed files with 24 additions and 18 deletions
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@ -110,4 +110,4 @@ allow dex2oat apexd:fd use;
 # Neverallow #
 ##############

-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow dex2oat app_data_file_type:notdevfile_class_set open;
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@ -56,7 +56,7 @@ allow ephemeral_app ashmem_device:chr_file rw_file_perms;
 ### neverallow rules
 ###

-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
+neverallow ephemeral_app app_data_file_type:file execute_no_trans;

 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@ -37,7 +37,7 @@ dontaudit isolated_app_all shell_data_file:dir search;
 #####

 # Isolated apps should not directly open app data files themselves.
-neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
+neverallow isolated_app_all app_data_file_type:file open;

 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -262,10 +262,10 @@ neverallow priv_app cgroup_v2:file *;
 # application home directories. Code loading across a security boundary
 # is dangerous and allows a full compromise of a privileged process
 # by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
+neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;

-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
+# Do not follow any app provided symlinks
+neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };

 # Do not allow getting permission-protected network information from sysfs.
 neverallow priv_app sysfs_net:file *;
--- a/private/rs.te
+++ b/private/rs.te
@ -35,6 +35,6 @@ allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
 neverallow rs rs:capability_class_set *;
 neverallow { domain -appdomain } rs:process { dyntransition transition };
 neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
+neverallow rs app_data_file_type:file_class_set ~r_file_perms;
 # rs should never use network sockets
 neverallow rs *:network_socket_class_set *;
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@ -35,7 +35,7 @@ allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
 ### neverallow rules
 ###

-neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };

 # Receive or send uevent messages.
 neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@ -66,8 +66,9 @@ neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
 neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;

 # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
-neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
+# TODO(b/280514080): shell_data_file shouldn't be allowed here
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
+neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };

 # SDK sandbox processes don't  have any access to external storage
 neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@ -58,7 +58,7 @@ dontaudit traced_perf domain:dir { search getattr open };
 dontaudit traced_perf domain:process signal;

 # Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
+neverallow traced_perf app_data_file_type:file *;

 # Never allow profiling privileged or otherwise incompatible domains.
 # Corresponding allow-rule is in private/domain.te.
--- a/public/init.te
+++ b/public/init.te
@ -660,7 +660,7 @@ neverallow init { file_type fs_type -init_exec }:file entrypoint;

 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
+neverallow init app_data_file_type:lnk_file read;

 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
--- a/public/logd.te
+++ b/public/logd.te
@ -60,7 +60,12 @@ neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
 neverallow logd system_file_type:dir_file_class_set write;

 # Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
+neverallow logd {
+    app_data_file_type
+    system_data_file
+    packages_list_file
+    -shell_data_file # for bugreports
+}:dir_file_class_set write;

 # Only init is allowed to enter the logd domain via exec()
 neverallow { domain -init } logd:process transition;
--- a/public/logpersist.te
+++ b/public/logpersist.te
@ -17,7 +17,7 @@ neverallow logpersist dev_type:blk_file { read write };
 neverallow logpersist domain:process ptrace;

 # Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;

 # Only init should be allowed to enter the logpersist domain via exec()
 # Following is a list of debug domains we know that transition to logpersist
--- a/public/profman.te
+++ b/public/profman.te
@ -28,4 +28,4 @@ get_prop(profman, device_config_runtime_native_boot_prop)
 ### neverallow rules
 ###

-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
+neverallow profman app_data_file_type:notdevfile_class_set open;
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@ -28,5 +28,5 @@ neverallow recovery_persist domain:process ptrace;
 neverallow recovery_persist system_file_type:dir_file_class_set write;

 # Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;

--- a/public/recovery_refresh.te
+++ b/public/recovery_refresh.te
@ -21,4 +21,4 @@ neverallow recovery_refresh domain:process ptrace;
 neverallow recovery_refresh system_file_type:dir_file_class_set write;

 # Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -301,7 +301,7 @@ neverallow { domain -init } vendor_init:process transition;
 neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;

 # Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
+neverallow vendor_init app_data_file_type:lnk_file read;
 neverallow vendor_init shell_data_file:lnk_file read;
 # Init should not be creating subdirectories in /data/local/tmp
 neverallow vendor_init shell_data_file:dir { write add_name remove_name };