Tighten restrictions on core <-> vendor socket comms
This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
This commit is contained in:
Alex Klyubin
parent
6953b86716
commit
cf2ffdf0d8
7 changed files with 78 additions and 26 deletions
|
|
@ -3,3 +3,5 @@ typeattribute drmserver coredomain;
|
|||
init_daemon_domain(drmserver)
|
||||
|
||||
type_transition drmserver apk_data_file:sock_file drmserver_socket;
|
||||
|
||||
typeattribute drmserver_socket coredomain_socket;
|
||||
|
|
|
|||
|
|
@ -190,6 +190,12 @@ hal_client_domain(system_server, hal_vibrator)
|
|||
binder_call(system_server, hal_vr)
|
||||
hal_client_domain(system_server, hal_vr)
|
||||
hal_client_domain(system_server, hal_wifi)
|
||||
|
||||
# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
|
||||
# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
|
||||
# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
|
||||
typeattribute system_server socket_between_core_and_vendor_violators;
|
||||
|
||||
hal_client_domain(system_server, hal_wifi_supplicant)
|
||||
|
||||
# Talk to tombstoned to get ANR traces.
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
typeattribute wificond coredomain;
|
||||
|
||||
init_daemon_domain(wificond)
|
||||
|
||||
# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
|
||||
typeattribute wificond socket_between_core_and_vendor_violators;
|
||||
|
|
|
|||
|
|
@ -124,6 +124,9 @@ attribute update_engine_common;
|
|||
# All core domains (as opposed to vendor/device-specific domains)
|
||||
attribute coredomain;
|
||||
|
||||
# All socket devices owned by core domain components
|
||||
attribute coredomain_socket;
|
||||
|
||||
# All vendor domains which violate the requirement of not using Binder
|
||||
# TODO(b/35870313): Remove this once there are no violations
|
||||
attribute binder_in_vendor_violators;
|
||||
|
|
|
|||
|
|
@ -554,6 +554,42 @@ full_treble_only(`
|
|||
-netdomain
|
||||
-socket_between_core_and_vendor_violators
|
||||
}, netd);
|
||||
|
||||
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-appdomain # appdomain restrictions below
|
||||
-socket_between_core_and_vendor_violators
|
||||
} {
|
||||
coredomain_socket
|
||||
core_data_file_type
|
||||
unlabeled # used only by core domains
|
||||
}:sock_file ~{ append getattr ioctl read write };
|
||||
neverallow {
|
||||
appdomain
|
||||
-coredomain
|
||||
} {
|
||||
coredomain_socket
|
||||
unlabeled # used only by core domains
|
||||
core_data_file_type
|
||||
-app_data_file
|
||||
-pdx_socket # used by VR layer
|
||||
}:sock_file ~{ append getattr ioctl read write };
|
||||
|
||||
# Core domains are not permitted to create/open sockets owned by vendor domains
|
||||
neverallow {
|
||||
coredomain
|
||||
-init
|
||||
-ueventd
|
||||
-socket_between_core_and_vendor_violators
|
||||
} {
|
||||
file_type
|
||||
dev_type
|
||||
-coredomain_socket
|
||||
-core_data_file_type
|
||||
-unlabeled
|
||||
}:sock_file ~{ append getattr ioctl read write };
|
||||
')
|
||||
|
||||
# Only authorized processes should be writing to files in /data/dalvik-cache
|
||||
|
|
|
|||
|
|
@ -224,34 +224,34 @@ type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
|
|||
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
|
||||
|
||||
# Socket types
|
||||
type adbd_socket, file_type;
|
||||
type bluetooth_socket, file_type;
|
||||
type dnsproxyd_socket, file_type, mlstrustedobject;
|
||||
type dumpstate_socket, file_type;
|
||||
type fwmarkd_socket, file_type, mlstrustedobject;
|
||||
type lmkd_socket, file_type;
|
||||
type logd_socket, file_type, mlstrustedobject;
|
||||
type logdr_socket, file_type, mlstrustedobject;
|
||||
type logdw_socket, file_type, mlstrustedobject;
|
||||
type mdns_socket, file_type;
|
||||
type mdnsd_socket, file_type, mlstrustedobject;
|
||||
type misc_logd_file, file_type;
|
||||
type mtpd_socket, file_type;
|
||||
type netd_socket, file_type;
|
||||
type pdx_socket, file_type, mlstrustedobject;
|
||||
type property_socket, file_type, mlstrustedobject;
|
||||
type racoon_socket, file_type;
|
||||
type adbd_socket, file_type, coredomain_socket;
|
||||
type bluetooth_socket, file_type, coredomain_socket;
|
||||
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type dumpstate_socket, file_type, coredomain_socket;
|
||||
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type lmkd_socket, file_type, coredomain_socket;
|
||||
type logd_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type mdns_socket, file_type, coredomain_socket;
|
||||
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type misc_logd_file, coredomain_socket, file_type;
|
||||
type mtpd_socket, file_type, coredomain_socket;
|
||||
type netd_socket, file_type, coredomain_socket;
|
||||
type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type property_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type racoon_socket, file_type, coredomain_socket;
|
||||
type rild_socket, file_type;
|
||||
type rild_debug_socket, file_type;
|
||||
type system_wpa_socket, file_type;
|
||||
type system_ndebug_socket, file_type, mlstrustedobject;
|
||||
type tombstoned_crash_socket, file_type, mlstrustedobject;
|
||||
type tombstoned_intercept_socket, file_type;
|
||||
type uncrypt_socket, file_type;
|
||||
type vold_socket, file_type;
|
||||
type webview_zygote_socket, file_type;
|
||||
type system_wpa_socket, file_type, coredomain_socket;
|
||||
type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
|
||||
type tombstoned_intercept_socket, file_type, coredomain_socket;
|
||||
type uncrypt_socket, file_type, coredomain_socket;
|
||||
type vold_socket, file_type, coredomain_socket;
|
||||
type webview_zygote_socket, file_type, coredomain_socket;
|
||||
type wpa_socket, file_type;
|
||||
type zygote_socket, file_type;
|
||||
type zygote_socket, file_type, coredomain_socket;
|
||||
type sap_uim_socket, file_type;
|
||||
# UART (for GPS) control proc file
|
||||
type gps_control, file_type;
|
||||
|
|
|
|||
4
vendor/hal_nfc_default.te
vendored
4
vendor/hal_nfc_default.te
vendored
|
|
@ -5,5 +5,7 @@ type hal_nfc_default_exec, exec_type, file_type;
|
|||
init_daemon_domain(hal_nfc_default)
|
||||
|
||||
# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
|
||||
# data type. Remove coredata_in_vendor_violators attribute.
|
||||
# data type. Remove coredata_in_vendor_violators and
|
||||
# socket_between_core_and_vendor_violators attribute associations below.
|
||||
typeattribute hal_nfc_default coredata_in_vendor_violators;
|
||||
typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
|
||||
|
|
|
|||
Loading…
Reference in a new issue