6a28b68d54
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.
Modify Other neverallow failures which were imposed on hal_foo
attributes and should have been enforced on hal_foo_server attributes
instead.
Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug
Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
224 lines
7.9 KiB
Text
224 lines
7.9 KiB
Text
# volume manager
|
|
type vold, domain;
|
|
type vold_exec, exec_type, file_type;
|
|
|
|
# Read already opened /cache files.
|
|
allow vold cache_file:dir r_dir_perms;
|
|
allow vold cache_file:file { getattr read };
|
|
allow vold cache_file:lnk_file r_file_perms;
|
|
|
|
# Read access to pseudo filesystems.
|
|
r_dir_file(vold, proc_net)
|
|
r_dir_file(vold, sysfs_type)
|
|
# XXX Label sysfs files with a specific type?
|
|
allow vold sysfs:file w_file_perms;
|
|
allow vold sysfs_dm:file w_file_perms;
|
|
allow vold sysfs_usb:file w_file_perms;
|
|
allow vold sysfs_zram_uevent:file w_file_perms;
|
|
|
|
r_dir_file(vold, rootfs)
|
|
allow vold {
|
|
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
|
|
proc_cmdline
|
|
proc_drop_caches
|
|
proc_filesystems
|
|
proc_meminfo
|
|
proc_mounts
|
|
proc_overflowuid
|
|
}:file r_file_perms;
|
|
|
|
#Get file contexts
|
|
allow vold file_contexts_file:file r_file_perms;
|
|
|
|
# Allow us to jump into execution domains of above tools
|
|
allow vold self:process setexec;
|
|
|
|
# For sgdisk launched through popen()
|
|
allow vold shell_exec:file rx_file_perms;
|
|
|
|
# For formatting adoptable storage devices
|
|
allow vold e2fs_exec:file rx_file_perms;
|
|
|
|
typeattribute vold mlstrustedsubject;
|
|
allow vold self:process setfscreate;
|
|
allow vold system_file:file x_file_perms;
|
|
not_full_treble(`allow vold vendor_file:file x_file_perms;')
|
|
allow vold block_device:dir create_dir_perms;
|
|
allow vold device:dir write;
|
|
allow vold devpts:chr_file rw_file_perms;
|
|
allow vold rootfs:dir mounton;
|
|
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
|
|
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
|
|
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
|
|
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
|
|
|
|
# Manage locations where storage is mounted
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
|
|
|
|
# Access to storage that backs emulated FUSE daemons for migration optimization
|
|
allow vold media_rw_data_file:dir create_dir_perms;
|
|
allow vold media_rw_data_file:file create_file_perms;
|
|
|
|
# Allow mounting of storage devices
|
|
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
|
|
|
|
# Manage per-user primary symlinks
|
|
allow vold mnt_user_file:dir create_dir_perms;
|
|
allow vold mnt_user_file:lnk_file create_file_perms;
|
|
|
|
# Allow to create and mount expanded storage
|
|
allow vold mnt_expand_file:dir { create_dir_perms mounton };
|
|
allow vold apk_data_file:dir { create getattr setattr };
|
|
allow vold shell_data_file:dir { create getattr setattr };
|
|
|
|
allow vold tmpfs:filesystem { mount unmount };
|
|
allow vold tmpfs:dir create_dir_perms;
|
|
allow vold tmpfs:dir mounton;
|
|
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
|
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
allow vold app_data_file:dir search;
|
|
allow vold app_data_file:file rw_file_perms;
|
|
allow vold loop_control_device:chr_file rw_file_perms;
|
|
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
|
|
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
|
|
allow vold dm_device:chr_file rw_file_perms;
|
|
allow vold dm_device:blk_file rw_file_perms;
|
|
# For vold Process::killProcessesWithOpenFiles function.
|
|
allow vold domain:dir r_dir_perms;
|
|
allow vold domain:{ file lnk_file } r_file_perms;
|
|
allow vold domain:process { signal sigkill };
|
|
allow vold self:global_capability_class_set { sys_ptrace kill };
|
|
|
|
# XXX Label sysfs files with a specific type?
|
|
allow vold sysfs:file rw_file_perms;
|
|
|
|
allow vold kmsg_device:chr_file rw_file_perms;
|
|
|
|
# Run fsck in the fsck domain.
|
|
allow vold fsck_exec:file { r_file_perms execute };
|
|
|
|
# Log fsck results
|
|
allow vold fscklogs:dir rw_dir_perms;
|
|
allow vold fscklogs:file create_file_perms;
|
|
|
|
#
|
|
# Rules to support encrypted fs support.
|
|
#
|
|
|
|
# Unmount and mount the fs.
|
|
allow vold labeledfs:filesystem { mount unmount };
|
|
|
|
# Access /efs/userdata_footer.
|
|
# XXX Split into a separate type?
|
|
allow vold efs_file:file rw_file_perms;
|
|
|
|
# Create and mount on /data/tmp_mnt and management of expansion mounts
|
|
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
|
|
allow vold system_data_file:lnk_file getattr;
|
|
|
|
# for secdiscard
|
|
allow vold system_data_file:file read;
|
|
|
|
# Set scheduling policy of kernel processes
|
|
allow vold kernel:process setsched;
|
|
|
|
# Property Service
|
|
set_prop(vold, vold_prop)
|
|
set_prop(vold, powerctl_prop)
|
|
set_prop(vold, ctl_fuse_prop)
|
|
set_prop(vold, restorecon_prop)
|
|
|
|
# ASEC
|
|
allow vold asec_image_file:file create_file_perms;
|
|
allow vold asec_image_file:dir rw_dir_perms;
|
|
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
|
|
allow vold asec_public_file:dir { relabelto setattr };
|
|
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
|
|
allow vold asec_public_file:file { relabelto setattr };
|
|
# restorecon files in asec containers created on 4.2 or earlier.
|
|
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
|
|
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
|
|
|
# Handle wake locks (used for device encryption)
|
|
wakelock_use(vold)
|
|
|
|
# Allow vold to publish a binder service and make binder calls.
|
|
binder_use(vold)
|
|
add_service(vold, vold_service)
|
|
|
|
# Allow vold to call into the system server so it can check permissions.
|
|
binder_call(vold, system_server)
|
|
allow vold permission_service:service_manager find;
|
|
|
|
# talk to batteryservice
|
|
binder_call(vold, healthd)
|
|
|
|
# talk to keymaster
|
|
hal_client_domain(vold, hal_keymaster)
|
|
|
|
# Access userdata block device.
|
|
allow vold userdata_block_device:blk_file rw_file_perms;
|
|
|
|
# Access metadata block device used for encryption meta-data.
|
|
allow vold metadata_block_device:blk_file rw_file_perms;
|
|
|
|
# Allow vold to manipulate /data/unencrypted
|
|
allow vold unencrypted_data_file:{ file } create_file_perms;
|
|
allow vold unencrypted_data_file:dir create_dir_perms;
|
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
allow vold proc_drop_caches:file w_file_perms;
|
|
|
|
# Give vold a place where only vold can store files; everyone else is off limits
|
|
allow vold vold_data_file:dir create_dir_perms;
|
|
allow vold vold_data_file:file create_file_perms;
|
|
|
|
# linux keyring configuration
|
|
allow vold init:key { write search setattr };
|
|
allow vold vold:key { write search setattr };
|
|
|
|
# vold temporarily changes its priority when running benchmarks
|
|
allow vold self:global_capability_class_set sys_nice;
|
|
|
|
# vold needs to chroot into app namespaces to remount when runtime permissions change
|
|
allow vold self:global_capability_class_set sys_chroot;
|
|
allow vold storage_file:dir mounton;
|
|
|
|
# For AppFuse.
|
|
allow vold fuse_device:chr_file rw_file_perms;
|
|
allow vold fuse:filesystem { relabelfrom };
|
|
allow vold app_fusefs:filesystem { relabelfrom relabelto };
|
|
allow vold app_fusefs:filesystem { mount unmount };
|
|
|
|
# MoveTask.cpp executes cp and rm
|
|
allow vold toolbox_exec:file rx_file_perms;
|
|
|
|
# Prepare profile dir for users.
|
|
allow vold user_profile_data_file:dir create_dir_perms;
|
|
|
|
# Raw writes to misc block device
|
|
allow vold misc_block_device:blk_file w_file_perms;
|
|
|
|
neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
|
neverallow { domain -vold -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *;
|
|
neverallow { domain -vold -init -vold_prepare_subdirs -kernel } vold_data_file:notdevfile_class_set *;
|
|
neverallow { domain -vold -init } restorecon_prop:property_service set;
|
|
|
|
# Only system_server and vdc can interact with vold over binder
|
|
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
|
|
neverallow vold {
|
|
domain
|
|
-hal_keymaster_server
|
|
-healthd
|
|
-hwservicemanager
|
|
-servicemanager
|
|
-system_server
|
|
userdebug_or_eng(`-su')
|
|
}:binder call;
|
|
|
|
neverallow vold fsck_exec:file execute_no_trans;
|
|
neverallow { domain -init } vold:process { transition dyntransition };
|
|
neverallow vold *:process ptrace;
|
|
neverallow vold *:rawip_socket *;
|