Merge "strengthen app_data_file neverallows" am: 46288c6b97

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2599511

Change-Id: I9588b6ca25d90b6faf2e7c6f994e1d0f13423011
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Steven Moreland 2023-05-26 16:59:47 +00:00 committed by Automerger Merge Worker
commit 5b0dad1c2a
14 changed files with 24 additions and 18 deletions


@ -110,4 +110,4 @@ allow dex2oat apexd:fd use;
# Neverallow #
##############
neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
neverallow dex2oat app_data_file_type:notdevfile_class_set open;
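Review bot: The strength of the new dex2oat rule now rests entirely on which types carry the app_data_file_type attribute, and that membership is not shown anywhere in this commit; the carve-outs in the sdk_sandbox_all and logd sections (`-sdk_sandbox_data_file`, `-shell_data_file`, `-radio_data_file`) suggest those types are members, so dex2oat is presumably also barred from any future allow on files under /data/local/tmp. If that is intended it is worth saying next to the rule, e.g. `# app_data_file_type covers every app-private data type (including shell_data_file and sdk_sandbox_data_file), not just app_data_file/privapp_data_file`. The same observation applies to the ephemeral_app, isolated_app_all, rs, traced_perf, init, logpersist, profman, recovery_persist, recovery_refresh and vendor_init sections, none of which subtract any member.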


@ -56,7 +56,7 @@ allow ephemeral_app ashmem_device:chr_file rw_file_perms;
### neverallow rules
###
neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
neverallow ephemeral_app app_data_file_type:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;


@ -37,7 +37,7 @@ dontaudit isolated_app_all shell_data_file:dir search;
#####
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app_all { app_data_file privapp_data_file sdk_sandbox_data_file}:file open;
neverallow isolated_app_all app_data_file_type:file open;
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?


@ -262,10 +262,10 @@ neverallow priv_app cgroup_v2:file *;
# application home directories. Code loading across a security boundary
# is dangerous and allows a full compromise of a privileged process
# by an unprivileged process. b/112357170
neverallow priv_app app_data_file:file no_x_file_perms;
neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;
# Do not follow untrusted app provided symlinks
neverallow priv_app app_data_file:lnk_file { open read getattr };
# Do not follow any app provided symlinks
neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };
# Do not allow getting permission-protected network information from sysfs.
neverallow priv_app sysfs_net:file *;
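Review bot: The new comment above the lnk_file rule, `# Do not follow any app provided symlinks`, overstates what the rule enforces: it subtracts privapp_data_file, so priv_app may still follow symlinks inside its own data directory, and the old wording ("untrusted app provided") was the accurate one. Suggest `# Do not follow symlinks provided by other apps (priv_app's own privapp_data_file is excluded)`. The matching `-privapp_data_file` exclusion on the no_x_file_perms rule is consistent with the code-loading comment above it, which is about crossing a security boundary, so that one reads fine as is.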


@ -35,6 +35,6 @@ allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
neverallow rs rs:capability_class_set *;
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
neverallow rs app_data_file:file_class_set ~r_file_perms;
neverallow rs app_data_file_type:file_class_set ~r_file_perms;
# rs should never use network sockets
neverallow rs *:network_socket_class_set *;


@ -35,7 +35,7 @@ allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
### neverallow rules
###
neverallow sdk_sandbox_all { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
neverallow sdk_sandbox_all app_data_file_type:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox_all domain:netlink_kobject_uevent_socket *;
@ -66,8 +66,9 @@ neverallow sdk_sandbox_all { sdcard_type media_rw_data_file }:dir search;
neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
# TODO(b/280514080): shell_data_file shouldn't be allowed here
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox_all { app_data_file_type -sdk_sandbox_data_file -shell_data_file -radio_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
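Review bot: The `-radio_data_file` exclusion in the two new sdk_sandbox_all dir/file rules carries no rationale, while the neighbouring `-shell_data_file` exclusion is tracked by TODO(b/280514080); a reader cannot tell whether radio_data_file is a deliberate carve-out or another gap still to be closed. Suggest a second line under the existing TODO, e.g. `# TODO(<bug id>): radio_data_file is also excluded here; document why, or remove the exclusion`. A bug reference also keeps the carve-out from being silently inherited as more types join app_data_file_type. The first hunk in this section (execute/execute_no_trans on app_data_file_type) subtracts nothing and needs no such note.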


@ -58,7 +58,7 @@ dontaudit traced_perf domain:dir { search getattr open };
dontaudit traced_perf domain:process signal;
# Never allow access to app data files
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
neverallow traced_perf app_data_file_type:file *;
# Never allow profiling privileged or otherwise incompatible domains.
# Corresponding allow-rule is in private/domain.te.


@ -660,7 +660,7 @@ neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init { app_data_file privapp_data_file }:lnk_file read;
neverallow init app_data_file_type:lnk_file read;
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;


@ -60,7 +60,12 @@ neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
neverallow logd system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
neverallow logd {
app_data_file_type
system_data_file
packages_list_file
-shell_data_file # for bugreports
}:dir_file_class_set write;
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
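Review bot: The header comment `# Write to files in /data/data or system files on /data` no longer describes the rule beneath it, which now covers every app_data_file_type member rather than only /data/data and explicitly carves out shell_data_file. Suggest `# Write to app data files (any app_data_file_type except shell_data_file, which bugreports need) or system files on /data`. The logpersist, recovery_persist and recovery_refresh sections make the same attribute switch without a shell_data_file carve-out, so it is worth confirming those domains hold no allow on /data/local/tmp that the stricter neverallow would now reject at policy build time.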


@ -17,7 +17,7 @@ neverallow logpersist dev_type:blk_file { read write };
neverallow logpersist domain:process ptrace;
# Write to files in /data/data or system files on /data except misc_logd_file
neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
# Only init should be allowed to enter the logpersist domain via exec()
# Following is a list of debug domains we know that transition to logpersist


@ -28,4 +28,4 @@ get_prop(profman, device_config_runtime_native_boot_prop)
### neverallow rules
###
neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
neverallow profman app_data_file_type:notdevfile_class_set open;


@ -28,5 +28,5 @@ neverallow recovery_persist domain:process ptrace;
neverallow recovery_persist system_file_type:dir_file_class_set write;
# Write to files in /data/data
neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
neverallow recovery_persist { app_data_file_type system_data_file }:dir_file_class_set write;


@ -21,4 +21,4 @@ neverallow recovery_refresh domain:process ptrace;
neverallow recovery_refresh system_file_type:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;


@ -301,7 +301,7 @@ neverallow { domain -init } vendor_init:process transition;
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
neverallow vendor_init app_data_file_type:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# Init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };