Merge "Move platform/vendor data violations to device policy"

This commit is contained in:
TreeHugger Robot 2017-11-22 18:27:37 +00:00 committed by Android (Google) Code Review
commit a4eea616d3
6 changed files with 73 additions and 31 deletions

View file

@ -673,6 +673,79 @@ full_treble_only(`
}:sock_file ~{ append getattr ioctl read write };
')
# On TREBLE devices, vendor and system components are only allowed to share
# files by passing open FDs over hwbinder. Ban all directory access and all file
# accesses other than what can be applied to an open FD such as
# ioctl/stat/read/write/append. This is enforced by segregating /data.
# Vendor domains may directly access file in /data/vendor by path, but may only
# access files outside of /data/vendor via an open FD passed over hwbinder.
# Likewise, core domains may only directly access files outside /data/vendor by
# path and files in /data/vendor by open FD.
full_treble_only(`
# only coredomains may only access core_data_file_type, particularly not
# /data/vendor
neverallow {
coredomain
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
-vendor_init
} {
data_file_type
-core_data_file_type
}:file_class_set ~{ append getattr ioctl read write };
neverallow {
coredomain
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
-vendor_init
} {
data_file_type
-core_data_file_type
}:dir *;
')
full_treble_only(`
# vendor domains may only access files in /data/vendor, never core_data_file_types
neverallow {
domain
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
} {
core_data_file_type
# libc includes functions like mktime and localtime which attempt to access
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
# vndk-stable and thus must be allowed for all processes.
-zoneinfo_data_file
}:file_class_set ~{ append getattr ioctl read write };
')
full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
neverallow {
domain
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators
} {
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
-zoneinfo_data_file
}:dir *;
')
full_treble_only(`
# vendor domains may only access dirs in /data/vendor, never core_data_file_types
neverallow {
domain
-appdomain # TODO(b/34980020) remove exemption for appdomain
-coredomain
-data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
} {
system_data_file # default label for files on /data. Covered below
}:dir ~{ getattr search };
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`

View file

@ -33,11 +33,6 @@ allow hal_drm hal_graphics_allocator:fd use;
# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;
# Allow access to app_data and media_data_files
allow hal_drm media_data_file:dir create_dir_perms;
allow hal_drm media_data_file:file create_file_perms;
allow hal_drm media_data_file:file { getattr read };
allow hal_drm sysfs:file r_file_perms;
allow hal_drm tee_device:chr_file rw_file_perms;

View file

@ -5,12 +5,6 @@ binder_call(hal_fingerprint_server, hal_fingerprint_client)
add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
# allow HAL module to read dir contents
allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
# allow HAL module to read/write/unlink contents of this dir
allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;

View file

@ -10,7 +10,3 @@ set_prop(hal_nfc, nfc_prop)
# NFC device access.
allow hal_nfc nfc_device:chr_file rw_file_perms;
# Data file accesses.
allow hal_nfc nfc_data_file:dir create_dir_perms;
allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;

View file

@ -19,12 +19,6 @@ allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
# Create a socket for receiving info from wpa
allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
###
### neverallow rules

10
vendor/hostapd.te vendored
View file

@ -21,13 +21,3 @@ allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hostapd self:packet_socket create_socket_perms_no_ioctl;
allow hostapd self:netlink_route_socket nlmsg_write;
# hostapd can read and write WiFi related data and configuration.
# For example, the entropy file is periodically updated.
allow hostapd wifi_data_file:file rw_file_perms;
r_dir_file(hostapd, wifi_data_file)
# hostapd wants to create the directory holding its control socket.
allow hostapd hostapd_socket:dir create_dir_perms;
# hostapd needs to create, bind to, read, and write its control socket.
allow hostapd hostapd_socket:sock_file create_file_perms;