tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

remove init/vendor_init access to bpffs_type am: ebb45f9dea

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2323317

Change-Id: I6648a7a444f4b865d74345a03e2b3f6d0fb12922
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Maciej Żenczykowski 2022-12-02 14:49:23 +00:00 committed by Automerger Merge Worker
commit e000271a3c
4 changed files with 44 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
private/bpfloader.te
View file

@ -26,21 +26,20 @@ allow bpfloader bpfloader_exec:file execute_no_trans;
### Neverallow rules
###
# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
neverallow { domain -init -vendor_init } bpffs_type:dir { open read setattr };
# Note: we don't care about getattr/mounton/search
neverallow { domain } bpffs_type:dir { open read setattr };
neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name write };
neverallow domain bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
# TODO: get rid of init & vendor_init
neverallow { domain -bpfloader -init -vendor_init } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { map open setattr };
neverallow { domain -bpfloader } bpffs_type:file { create getattr rename };
neverallow { domain -bpfloader -gpuservice -init -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server -vendor_init } fs_bpf:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file read;
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file read;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -netutils_wrapper -system_server } fs_bpf:file read;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file read;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file read;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file read;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file read;
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file read;
neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { bpffs_type -fs_bpf_vendor }:file write;
neverallow domain bpffs_type:file ~{ create getattr map open read rename setattr write };
neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
@ -62,7 +61,7 @@ neverallow {
neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -init } fs_bpf_vendor:file *;
neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;

37
private/network_stack.te
View file

@ -75,44 +75,27 @@ allowxperm network_stack tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF TUNSETL
# This place is as good as any for these rules,
# and it is probably the most appropriate because
# network_stack itself is entirely mainline code.
#
# Unfortunately init/vendor_init have all sorts of extra privs
# T+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_net_private' programs/maps.
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:dir ~getattr;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_net_private:file *;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~{ getattr open read search setattr };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file ~{ map open read setattr };
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_net_private:file *;
# T+: Only the bpfloader, network_stack and system_server should ever touch 'fs_bpf_net_shared' programs/maps.
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:dir ~getattr;
neverallow { domain -bpfloader -init -network_stack -system_server -vendor_init } fs_bpf_net_shared:file *;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~{ getattr open read search setattr };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file ~{ map open read setattr };
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:dir ~getattr;
neverallow { domain -bpfloader -network_stack -system_server } fs_bpf_net_shared:file *;
# T+: Only the bpfloader, netd, network_stack and system_server should ever touch 'fs_bpf_netd_readonly' programs/maps.
# netd's access should be readonly
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:dir ~getattr;
neverallow { domain -bpfloader -init -netd -network_stack -system_server -vendor_init } fs_bpf_netd_readonly:file *;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~getattr;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file *;
neverallow netd fs_bpf_netd_readonly:file write;
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:dir ~{ getattr open read search setattr };
neverallow { domain -bpfloader -netd -network_stack -system_server } fs_bpf_netd_readonly:file ~{ map open read setattr };
# T+: Only the bpfloader, netd, netutils_wrapper, network_stack and system_server should ever touch 'fs_bpf_netd_shared' programs/maps.
# netutils_wrapper requires access to be able to run iptables and only needs readonly access
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:dir ~getattr;
neverallow { domain -bpfloader -init -netd -netutils_wrapper -network_stack -system_server -vendor_init } fs_bpf_netd_shared:file *;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~getattr;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file *;
neverallow netutils_wrapper fs_bpf_netd_shared:file write;
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:dir ~{ getattr open read search setattr };
neverallow { domain -bpfloader -netd -netutils_wrapper -network_stack -system_server } fs_bpf_netd_shared:file ~{ map open read setattr };
# S+: Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~getattr;
neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file *;

16
public/init.te
View file

@ -199,6 +199,7 @@ allow init self:global_capability_class_set { chown fowner fsetid };
allow init {
file_type
-app_data_file
-bpffs_type
-exec_type
-misc_logd_file
-nativetest_data_file
@ -212,6 +213,7 @@ allow init {
allow init {
file_type
-app_data_file
-bpffs_type
-credstore_data_file
-exec_type
-keystore_data_file
@ -233,6 +235,7 @@ allow init {
file_type
-apex_info_file
-app_data_file
-bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@ -259,6 +262,7 @@ allow init apex_info_file:file r_file_perms;
allow init {
file_type
-app_data_file
-bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@ -278,6 +282,7 @@ allow init {
file_type
-apex_mnt_dir
-app_data_file
-bpffs_type
-exec_type
-gsi_data_file
-credstore_data_file
@ -297,6 +302,7 @@ allow init cache_file:lnk_file r_file_perms;
allow init {
file_type
-bpffs_type
-system_dlkm_file_type
-system_file_type
-vendor_file_type
@ -321,6 +327,7 @@ allow init debugfs_wifi_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow init {
fs_type
-bpffs_type
-contextmount_type
-keychord_device
-proc_type
@ -330,7 +337,14 @@ allow init {
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
fs_type
-bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
-rootfs
}:dir { open read setattr search };
allow init {
binder_device

9
public/vendor_init.te
View file

@ -48,6 +48,7 @@ allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-system_dlkm_file_type
@ -67,6 +68,7 @@ allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom }
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@ -86,6 +88,7 @@ allow vendor_init {
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@ -103,6 +106,7 @@ allow vendor_init {
allow vendor_init {
file_type
-apex_mnt_dir
-bpffs_type
-core_data_file_type
-exec_type
-password_slot_metadata_file
@ -119,6 +123,7 @@ allow vendor_init {
allow vendor_init {
file_type
-bpffs_type
-core_data_file_type
-exec_type
-mnt_product_file
@ -142,6 +147,7 @@ allow vendor_init debugfs_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
-bpffs_type
-contextmount_type
-keychord_device
-sdcard_type
@ -157,6 +163,7 @@ allow vendor_init tracefs_type:file { open read setattr map };
allow vendor_init {
fs_type
-bpffs_type
-contextmount_type
-sdcard_type
-fusefs_type
@ -164,7 +171,7 @@ allow vendor_init {
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
}:dir { open read setattr search };
allow vendor_init dev_type:blk_file getattr;