diff --git a/public/attributes b/public/attributes
index 8138a3fa2..77823cfa6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,6 +32,7 @@ attribute data_file_type;
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+expandattribute core_data_file_type false;
# All types in /vendor
attribute vendor_file_type;
@@ -130,6 +131,7 @@ attribute coredomain;
# All socket devices owned by core domain components
attribute coredomain_socket;
+expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index 308311c18..c09ee505f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,7 +670,6 @@ full_treble_only(`
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
-full_treble_only(`
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -678,6 +677,7 @@ full_treble_only(`
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
+full_treble_only(`
neverallow_establish_socket_comms({ coredomain -init
@@ -687,7 +687,9 @@ full_treble_only(` -coredomain -socket_between_core_and_vendor_violators
});
+')
# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
neverallow_establish_socket_comms({ domain -coredomain
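Review bot: The comment above `attribute core_data_file_type;` still reads "not in /data/vendor", while the TestCoreDataTypeViolations added to tests/sepolicy_tests.py in this same change also carves out /data/vendor_ce/ and /data/vendor_de/, so the attribute's documented meaning and the check that enforces it disagree. Update it to match, e.g. `# All types in /data, not in /data/vendor, /data/vendor_ce or /data/vendor_de`. The added `expandattribute core_data_file_type false;` is also unexplained; the new test looks the attribute up in the compiled policy, so presumably it must survive attribute expansion, and a comment such as `# Not expanded: sepolicy_tests checks membership in the binary policy` would stop someone from removing it as dead weight.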
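Review bot: `expandattribute coredomain_socket false;` gives no reason, and unlike core_data_file_type nothing visible in this diff queries coredomain_socket from the compiled policy, so a reader cannot tell which test or tool depends on the attribute being preserved. Name the consumer in a comment next to it, along the lines of `# Not expanded: keep the attribute in the binary policy for <the test that reads it>`, or drop the line if it is only anticipatory.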
@@ -703,20 +705,25 @@ full_treble_only(` -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
});
+')
# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
neverallow_establish_socket_comms({ domain -coredomain -netdomain -socket_between_core_and_vendor_violators }, netd);
+')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
neverallow { domain -coredomain -appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317 -socket_between_core_and_vendor_violators -vendor_init } {
@@ -724,6 +731,8 @@ full_treble_only(`
core_data_file_type unlabeled # used only by core domains
}:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow { appdomain -coredomain
@@ -735,8 +744,10 @@ full_treble_only(` -pdx_endpoint_socket_type # used by VR layer -pdx_channel_socket_type # used by VR layer
}:sock_file ~{ append getattr ioctl read write };
+')
# Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
neverallow { coredomain -init
diff --git a/public/file.te b/public/file.te
index 02a43608e..932ecbf8b 100644
--- a/public/file.te
+++ b/public/file.te
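Review bot: The new `-data_between_core_and_vendor_violators # b/70393317` exclusion widens the "vendor domains may not create/open core-owned sockets" neverallow to every domain carrying an attribute that tracks /data file-sharing violations, so a domain added to that list for an unrelated data-file problem silently also escapes this sock_file check. The rule already has its own escape hatch on the very next line, `-socket_between_core_and_vendor_violators`, which is where socket-specific exemptions are supposed to accumulate. If the trigger is that wpa_socket and system_wpa_socket now carry core_data_file_type (file.te in this change) and a vendor supplicant domain still creates or opens them — which this diff does not show — the tighter fix is to add that domain to socket_between_core_and_vendor_violators, or to move the socket directory under /data/vendor, rather than reusing the data attribute. At minimum the comment should name the domains and socket types being covered, e.g. `# b/70393317: vendor domains that still use core_data_file_type wpa sockets`. The neverallow's target set continues past the end of this hunk.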
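Review bot: The ``full_treble_only(` `` opened just before `neverallow { coredomain -init` has no closing `')` inside this hunk, and the `')` that terminated the single large wrapper whose opening the -670 hunk removes is not visible in this diff either, so whether the last rule ends up with exactly one terminator cannot be checked from here. Please confirm the tail of domain.te has exactly one `')` after this rule's `};` and none left over from the old wrapper, since an extra or missing m4 close quote changes which rules sit inside the full_treble_only guard. The neverallow block itself continues past the end of this hunk.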
@@ -317,7 +317,7 @@ type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -327,7 +327,7 @@ type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc
type gps_control, file_type;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 275debb0b..ea9ba10f3 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -23,6 +23,10 @@ def TestDebugfsTypeViolations(pol):
def TestVendorTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+def TestCoreDataTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+ "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
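Review bot: `wpa_socket` now carries core_data_file_type but, unlike `system_wpa_socket` and every other socket type in these two hunks, not coredomain_socket, so the policy now says the socket lives in core-owned /data while declining to say a core domain owns it. core_data_file_type is what the new TestCoreDataTypeViolations requires for anything under /data/ outside /data/vendor*, but it also brings the type under the domain.te neverallow that forbids vendor domains from creating or opening core_data_file_type sock_files, which is presumably why this change also adds the data_between_core_and_vendor_violators exemption there. If a vendor domain is the one creating wpa_socket (this diff does not show which domain does), the durable fix is to relocate it under /data/vendor so it becomes a vendor type; until then a comment on the type line, e.g. `# core_data_file_type only because the path is under /data outside /data/vendor; see b/70393317`, would keep readers from taking the attribute as a statement about ownership.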
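Review bot: `TestCoreDataTypeViolations` has no docstring saying what a reported entry means, and it hard-codes three exclusion prefixes with trailing slashes; whether `/data/vendor/` also excludes a file_contexts entry for the directory `/data/vendor` itself depends on how AssertPathTypesHaveAttr matches, which this diff does not show, so that is worth confirming against a policy that labels the bare directory. A docstring such as "Every type labelling a path under /data/, except the vendor-owned /data/vendor, /data/vendor_ce and /data/vendor_de trees, must carry core_data_file_type; returns whatever AssertPathTypesHaveAttr reports for the offenders" would record the contract. Hoisting the prefixes into a module-level constant, `VENDOR_DATA_PREFIXES = ["/data/vendor/", "/data/vendor_ce/", "/data/vendor_de/"]`, keeps the carve-out in one place for other tests that will need the same split, and the continuation line should align under the opening bracket.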
@@ -40,7 +44,9 @@ class MultipleOption(Option):
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations"]
if __name__ == '__main__':
usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@ if __name__ == '__main__':
results += TestDebugfsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
+ if options.test is None or "TestCoreDataTypeViolations" in options.test:
+ results += TestCoreDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
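Review bot: Registering a test now takes three parallel edits — the function, the `Tests` string list in the preceding hunk, and another copy of the `if options.test is None or "..." in options.test:` pair here — and nothing ties a string in the list to the function it names, so a typo in either place yields a test that can be selected but never runs, or runs but cannot be selected, with no error. A single name-to-function mapping driven by one loop removes the duplication; if `Tests` is referenced elsewhere (the option help text, for instance, which this diff does not show) it can remain as `Tests = list(TESTS)`. The `if __name__ == '__main__':` block begins outside this hunk; the fence shows only the registry and the dispatch tail.
```python
# One registry: the selectable name and the callable it runs live together.
TESTS = {
    "TestDebugfsTypeViolations": TestDebugfsTypeViolations,
    "TestVendorTypeViolations": TestVendorTypeViolations,
    "TestCoreDataTypeViolations": TestCoreDataTypeViolations,
    # … plus the other tests already listed in Tests, keyed by the same strings …
}
Tests = list(TESTS)  # keep the old name for any remaining references

    # … unchanged: option parsing and policy loading …
    for name, test in TESTS.items():
        if options.test is None or name in options.test:
            results += test(pol)

    if len(results) > 0:
        sys.exit(results)
```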