Initial selinux policy support for memfd

Move all app tmpfs types to appdomain_tmpfs. These are still protected by mls categories and DAC. TODO clean up other app tmpfs types in a separate change. Treble-ize tmpfs passing between graphics composer HAL and surfaceflinger. Bug: 122854450 Test: boot Blueline with memfd enabled. Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
2019-01-29 14:43:45 -08:00 · 2019-01-29 14:43:45 -08:00 · 9f5d0d90a3
commit 9f5d0d90a3
parent 37ab42e542
12 changed files with 34 additions and 23 deletions
--- a/private/app.te
+++ b/private/app.te
@ -1,15 +1,3 @@
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
 # Read from (but not create) system_server buffers transferred through
 # ashmem, e.g. battery stats.
 allow appdomain system_server_tmpfs:file read;
 # Get info from priv_app through ashmem, such as contact
 # info etc.
 allow appdomain priv_app_tmpfs:file read;
 # Allow apps to read the Test Harness Mode property. This property is used in
 # the implementation of ActivityManager.isDeviceInTestHarnessMode()
 get_prop(appdomain, test_harness_prop)
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -7,8 +7,6 @@
  ( new_objects
    activity_task_service
    adb_service
    app_binding_service
    app_prediction_service
    apex_data_file
    apex_mnt_dir
    apex_key_file
@ -17,6 +15,9 @@
    apexd_exec
    apexd_prop
    apexd_tmpfs
    appdomain_tmpfs
    app_binding_service
    app_prediction_service
    app_zygote
    app_zygote_tmpfs
    biometric_service
@ -47,6 +48,7 @@
    external_vibrator_service
    hal_atrace_hwservice
    hal_face_hwservice
    hal_graphics_composer_server_tmpfs
    hal_health_storage_hwservice
    hal_input_classifier_hwservice
    hal_power_stats_hwservice
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@ -2,3 +2,6 @@ typeattribute mediaextractor coredomain;
 init_daemon_domain(mediaextractor)
 tmpfs_domain(mediaextractor)
 allow mediaextractor appdomain_tmpfs:file { getattr map read write };
 allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
 allow mediaextractor system_server_tmpfs:file { getattr map read write };
--- a/private/mls
+++ b/private/mls
@ -57,14 +57,14 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
-	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
 # For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
 mlsconstrain { lnk_file } { open setattr unlink link rename read }
 	     ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
 # For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
 # TODO: Migrate to equivalence when it's no longer needed.
 mlsconstrain { lnk_file } { open setattr unlink link rename read }
-	     ( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+	     ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
 #
 # Constraints for file types other than app data files.
@ -76,7 +76,7 @@ mlsconstrain dir { read getattr search }
 	     (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
-	     (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
@ -84,7 +84,7 @@ mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
 	     (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@ -4,6 +4,7 @@ typeattribute surfaceflinger coredomain;
 type surfaceflinger_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 tmpfs_domain(surfaceflinger)
 typeattribute surfaceflinger mlstrustedsubject;
 typeattribute surfaceflinger display_service_server;
@ -13,6 +14,7 @@ read_runtime_log_tags(surfaceflinger)
 # Perform HwBinder IPC.
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
 typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
 hal_client_domain(surfaceflinger, hal_omx)
 hal_client_domain(surfaceflinger, hal_configstore)
 hal_client_domain(surfaceflinger, hal_power)
--- a/private/system_server.te
+++ b/private/system_server.te
@ -13,6 +13,7 @@ tmpfs_domain(system_server)
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server zygote_tmpfs:file read;
 allow system_server appdomain_tmpfs:file { getattr map read write };
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
--- a/public/app.te
+++ b/public/app.te
@ -6,6 +6,7 @@
 ### extend from this policy. Only policies which should apply to ALL
 ### zygote spawned apps should be added here.
 ###
 type appdomain_tmpfs, file_type;
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
@ -351,6 +352,12 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
 # Read access to FDs from the DropboxManagerService.
 allow appdomain dropbox_data_file:file { getattr read };
 # Read tmpfs types from these processes.
 allow appdomain audioserver_tmpfs:file { getattr map read write };
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };
 ###
 ### Neverallow rules
 ###
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@ -1,6 +1,12 @@
 type hal_graphics_composer_server_tmpfs, file_type;
 attribute hal_graphics_composer_client_tmpfs;
 expandattribute hal_graphics_composer_client_tmpfs true;
 # HwBinder IPC from client to server, and callbacks
 binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
 binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
 allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
 allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
 hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@ -1,2 +1,3 @@
 # surfaceflinger - display compositor service
 type surfaceflinger, domain;
 type surfaceflinger_tmpfs, file_type;
--- a/public/system_server.te
+++ b/public/system_server.te
@ -3,4 +3,4 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
-type system_server_tmpfs, file_type;
+type system_server_tmpfs, file_type, mlstrustedobject;
--- a/public/te_macros
+++ b/public/te_macros
@ -168,10 +168,9 @@ domain_auto_trans(init, $1_exec, $1)
 # Allow a base set of permissions required for all apps.
 define(`app_domain', `
 typeattribute $1 appdomain;
-# Label ashmem objects with our own unique type.
+# Label tmpfs objects for all apps.
-tmpfs_domain($1)
+type_transition $1 tmpfs:file appdomain_tmpfs;
-# Map with PROT_EXEC.
+allow $1 appdomain_tmpfs:file { execute getattr map read write };
 allow $1 $1_tmpfs:file execute;
 neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@ -3,6 +3,8 @@ hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
 type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
 type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
 allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
 # b/68864350
 dontaudit hal_graphics_composer_default unlabeled:dir search;