From cf2ffdf0d86f485dfff05a2f13819997bfd462e1 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Thu, 30 Mar 2017 17:39:00 -0700
Subject: [PATCH] Tighten restrictions on core <-> vendor socket comms

This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
---
private/drmserver.te | 2 ++
private/system_server.te | 6 +++++
private/wificond.te | 3 +++
public/attributes | 3 +++
public/domain.te | 36 ++++++++++++++++++++++++++++
public/file.te | 50 +++++++++++++++++++--------------------
vendor/hal_nfc_default.te | 4 +++-
7 files changed, 78 insertions(+), 26 deletions(-)
diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bbe1..afe4f0aae 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@ typeattribute drmserver coredomain;
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/system_server.te b/private/system_server.te
index ddeeb1b97..a731f5a48 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -190,6 +190,12 @@ hal_client_domain(system_server, hal_vibrator)
binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
+
+# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
+# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
+# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
+typeattribute system_server socket_between_core_and_vendor_violators;
+
hal_client_domain(system_server, hal_wifi_supplicant)
# Talk to tombstoned to get ANR traces.
diff --git a/private/wificond.te b/private/wificond.te
index 5476e3385..b9e48b2b5 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,6 @@
typeattribute wificond coredomain;
init_daemon_domain(wificond)
+
+# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
+typeattribute wificond socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index d9d123fd0..9f42c9ab7 100644
--- a/public/attributes
+++ b/public/attributes
@@ -124,6 +124,9 @@ attribute update_engine_common;
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
diff --git a/public/domain.te b/public/domain.te
index bd5cb895c..fc4db7e2b 100644
--- a/public/domain.te
+++ b/public/domain.te
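Review bot: The `socket_between_core_and_vendor_violators` attribute added to system_server removes it from the entire core-to-vendor sock_file neverallow in public/domain.te (that rule's source set is `coredomain -init -ueventd -socket_between_core_and_vendor_violators`), not only from the wpa_socket access the TODO describes, so a later allow rule on any other vendor-owned sock_file would no longer be caught at policy build time. The same broad carve-out is applied to wificond and to hal_nfc_default in this patch. The comment should say so, e.g. `# NOTE: this exempts system_server from the whole core->vendor sock_file neverallow, not just wpa_socket; review any new vendor socket access until b/34274385 is resolved.`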
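Review bot: The new comment on coredomain_socket calls these "socket devices", but the attribute is attached to sock_file types in public/file.te and is only used in `:sock_file` neverallows in public/domain.te, so "devices" is misleading. Suggest `# All socket file (sock_file) types owned by core domains; used by the core <-> vendor sock_file neverallows in domain.te`.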
@@ -554,6 +554,42 @@ full_treble_only(`
-netdomain
-socket_between_core_and_vendor_violators
}, netd);
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -socket_between_core_and_vendor_violators
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -pdx_socket # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
')
# Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/file.te b/public/file.te
index d7a82bc6c..1634e3361 100644
--- a/public/file.te
+++ b/public/file.te
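Review bot: The `-init` and `-ueventd` exclusions in the third neverallow (core domains touching vendor-owned sock_files) carry no comment, unlike every other carve-out in this hunk, so a reader cannot tell whether the exemption is intentional or a leftover. Presumably these two domains create and label socket nodes on behalf of all domains, but the comment should state the actual reason, e.g. `-init # creates/labels sock_file nodes for all domains` and likewise for ueventd. Separately, "not permitted to initiate create/open sockets" in the first comment reads awkwardly; `# Vendor domains are not permitted to create/open sockets owned by core domains` matches the wording of the third comment. The enclosing full_treble_only(` block starts before this hunk.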
@@ -224,34 +224,34 @@ type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type;
-type zygote_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index eb2bd818e..a906d977b 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -5,5 +5,7 @@ type hal_nfc_default_exec, exec_type, file_type;
init_daemon_domain(hal_nfc_default)
# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators attribute.
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
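Review bot: misc_logd_file lists its attributes as `coredomain_socket, file_type` while every other changed line in this hunk uses `file_type, coredomain_socket`; `type misc_logd_file, file_type, coredomain_socket;` keeps the ordering uniform. The types left without coredomain_socket (rild_socket, rild_debug_socket, wpa_socket, sap_uim_socket) get no comment, so a later reader cannot tell the omission is deliberate; presumably their nodes are created by vendor domains, and a short comment on each, such as `type wpa_socket, file_type; # vendor-created, intentionally not coredomain_socket`, would record that and keep the new domain.te neverallows from being silently weakened by a future "fix".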