Neverallow coredomain to kernel interface files.
Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to): 1. /proc 2. /sys 3. /dev 4. debugfs 5. tracefs 6. inotifyfs 7. pstorefs 8. configfs 9. functionfs 10. usbfs 11. binfmt_miscfs We keep a list of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces. Bug: 68159582 Test: bullhead, sailfish can build Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5
This commit is contained in:
parent
61dc5fb26c
commit
502e43f7d9
1 changed files with 116 additions and 0 deletions
|
@ -16,3 +16,119 @@ neverallow {
|
|||
|
||||
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
||||
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
||||
|
||||
# Core domains are not permitted to use kernel interfaces which are not
|
||||
# explicitly labeled.
|
||||
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
|
||||
full_treble_only(`
|
||||
# /proc
|
||||
neverallow {
|
||||
coredomain
|
||||
-dumpstate
|
||||
-init
|
||||
-platform_app
|
||||
-priv_app
|
||||
-radio
|
||||
-shell
|
||||
-system_app
|
||||
-vold
|
||||
-vendor_init
|
||||
} proc:file no_rw_file_perms;
|
||||
|
||||
# /sys
|
||||
neverallow {
|
||||
coredomain
|
||||
-charger
|
||||
-dumpstate
|
||||
-healthd
|
||||
-init
|
||||
-mediaserver
|
||||
-priv_app
|
||||
-radio
|
||||
-storaged
|
||||
-system_app
|
||||
-system_server
|
||||
-ueventd
|
||||
-update_verifier
|
||||
-vold
|
||||
-vendor_init
|
||||
} sysfs:file no_rw_file_perms;
|
||||
|
||||
# /dev
|
||||
neverallow {
|
||||
coredomain
|
||||
-fsck
|
||||
-init
|
||||
-shell
|
||||
-ueventd
|
||||
-vendor_init
|
||||
} device:{ blk_file file } no_rw_file_perms;
|
||||
|
||||
# debugfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-dumpstate
|
||||
-init
|
||||
-system_server
|
||||
-vendor_init
|
||||
} debugfs:file no_rw_file_perms;
|
||||
|
||||
# tracefs
|
||||
neverallow {
|
||||
coredomain
|
||||
-atrace
|
||||
-dumpstate
|
||||
-init
|
||||
-perfprofd
|
||||
-shell
|
||||
-vendor_init
|
||||
} debugfs_tracing:file no_rw_file_perms;
|
||||
|
||||
# inotifyfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-vendor_init
|
||||
} inotify:file no_rw_file_perms;
|
||||
|
||||
# pstorefs
|
||||
neverallow {
|
||||
coredomain
|
||||
-bootstat
|
||||
-charger
|
||||
-dumpstate
|
||||
-healthd
|
||||
-init
|
||||
-logd
|
||||
-logpersist
|
||||
-recovery_persist
|
||||
-recovery_refresh
|
||||
-shell
|
||||
-system_server
|
||||
-vendor_init
|
||||
} pstorefs:file no_rw_file_perms;
|
||||
|
||||
# configfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-system_server
|
||||
-vendor_init
|
||||
} configfs:file no_rw_file_perms;
|
||||
|
||||
# functionfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-adbd
|
||||
-init
|
||||
-mediaprovider
|
||||
-vendor_init
|
||||
}functionfs:file no_rw_file_perms;
|
||||
|
||||
# usbfs and binfmt_miscfs
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-vendor_init
|
||||
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
|
||||
')
|
||||
|
|
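Review bot: The closing braces in `}functionfs:file no_rw_file_perms;` and `}{ usbfs binfmt_miscfs }:file no_rw_file_perms;` drop the space that every other rule in this block places after `}`; the policy compiler accepts both spellings, but the uniform form `} functionfs:file no_rw_file_perms;` and `} { usbfs binfmt_miscfs }:file no_rw_file_perms;` reads consistently and greps the same way as the rest of the file. Separately, the /dev rule `} device:{ blk_file file } no_rw_file_perms;` covers block and regular files but not chr_file, which is what most /dev nodes are; that is presumably deliberate to keep the exception list manageable, but a one-line comment saying so, e.g. `# chr_file intentionally excluded for now, see b/68159582`, would keep a later reader from treating it as an oversight. The per-filesystem exception lists are the whole value of these rules, so a short comment above the first `neverallow` noting that the listed domains are known violators and that new entries should not be added without the bug referenced in the TODO would document the intent stated in the commit message inside the policy itself.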