tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/mls
Alan Stokes 8bf8a262e5 Exempt older vendor images from recent mls changes. 
We no longer allow apps with mlstrustedsubject access to app_data_file
or privapp_data_file. For compatibility we grant access to all apps on
vendor images for SDK <= 30, whether mlstrustedsubject or not. (The
ones that are not already have access, but that is harmless.)

Additionally we have started adding categories to system_data_file
etc. We treat these older vendor apps as trusted for those types only.

The result is that apps on older vendor images still have all the
access they used to but no new access.

We add a neverallow to prevent the compatibility attribute being
abused.

Test: builds
Change-Id: I10a885b6a122292f1163961b4a3cf3ddcf6230ad
2020-11-17 17:30:10 +00:00

109 lines
4.8 KiB
Text
Raw Blame History

#################################################
# MLS policy constraints
#
#
# Process constraints
#
# Process transition: Require equivalence unless the subject is trusted.
mlsconstrain process { transition dyntransition }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Process read operations: No read up unless trusted.
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(l1 dom l2 or t1 == mlstrustedsubject);
# Process write operations: Require equivalence unless trusted.
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
(l1 eq l2 or t1 == mlstrustedsubject);
#
# Socket constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Sockets inherit the range of their creator.
mlsconstrain socket_class_set { create relabelfrom relabelto }
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
# Datagram send: Sender must be equivalent to the receiver unless one of them
# is trusted.
mlsconstrain unix_dgram_socket { sendto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
# Stream connect: Client must be equivalent to server unless one of them
# is trusted.
mlsconstrain unix_stream_socket { connectto }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
#
# Directory/file constraints
#
# Create/relabel operations: Subject must be equivalent to object unless
# the subject is trusted. Also, files should always be single-level.
# Do NOT exempt mlstrustedobject types from this constraint.
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
# Constraints for app data files only.
#
# Only constrain open, not read/write, so already open fds can be used.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
(t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
# is a domain type, so that processes can communicate via unnamed pipes
# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename }
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# Binder IPC constraints
#
# Presently commented out, as apps are expected to call one another.
# This would only make sense if apps were assigned categories
# based on allowable communications rather than per-app categories.
#mlsconstrain binder call
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
Reference in a new issue View git blame Copy permalink