tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/vold.te
Jeff Vander Stoep ab82125fc8 Improve tests protecting private app data 
In particular, add assertions limiting which processes may
directly open files owned by apps. Reduce this to just apps, init,
and installd. App data is protected by a combination of selinux
permissions and Unix permissions, so limiting the open permission to
just apps (which are not allowed to have CAP_DAC_OVERRIDE or
CAP_DAC_READ_SEARCH) ensures that only installd and init have
complete access an app's private directory.

In addition to apps/init/installd, other processes currently granted
open are mediaserver, uncrypt, and vold. Uncrypt's access appears to
be deprecated (b/80299612). Uncrypt now uses /data/ota_package
instead. b/80418809 and b/80300620 track removal for vold and
mediaserver.

Test: build/boot aosp_taimen-userdebug. Verify no "granted" audit
messages in the logs.
Bug: 80190017
Bug: 80300620
Bug: 80418809
Fixes: 80299612
Change-Id: I153bc7b62294b36ccd596254a5976dd887fed046
2018-05-29 13:47:49 -07:00

276 lines
8.8 KiB
Text
Raw Blame History

# volume manager
type vold, domain;
type vold_exec, exec_type, file_type;
# Read already opened /cache files.
allow vold cache_file:dir r_dir_perms;
allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file r_file_perms;
# Read access to pseudo filesystems.
r_dir_file(vold, proc_net_type)
userdebug_or_eng(`
auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
')
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
r_dir_file(vold, rootfs)
r_dir_file(vold, metadata_file)
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_cmdline
proc_drop_caches
proc_filesystems
proc_meminfo
proc_mounts
}:file r_file_perms;
#Get file contexts
allow vold file_contexts_file:file r_file_perms;
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
# For sgdisk launched through popen()
allow vold shell_exec:file rx_file_perms;
# For formatting adoptable storage devices
allow vold e2fs_exec:file rx_file_perms;
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
not_full_treble(`allow vold vendor_file:file x_file_perms;')
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
allow vold media_rw_data_file:file create_file_perms;
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
# Manage per-user primary symlinks
allow vold mnt_user_file:dir create_dir_perms;
allow vold mnt_user_file:lnk_file create_file_perms;
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# TODO(b/80418809): remove direct access to private app data
userdebug_or_eng(`auditallow vold app_data_file:dir search;')
allow vold app_data_file:dir search;
userdebug_or_eng(`auditallow vold app_data_file:file rw_file_perms;')
allow vold app_data_file:file rw_file_perms;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:global_capability_class_set { sys_ptrace kill };
allow vold kmsg_device:chr_file rw_file_perms;
# Run fsck in the fsck domain.
allow vold fsck_exec:file { r_file_perms execute };
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
#
# Rules to support encrypted fs support.
#
# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;
# Vold create users in /data/vendor_{ce,de}/[0-9]+
allow vold vendor_data_file:dir create_dir_perms;
# for secdiscard
allow vold system_data_file:file read;
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# Property Service
set_prop(vold, vold_prop)
set_prop(vold, exported_vold_prop)
set_prop(vold, exported2_vold_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
# Handle wake locks (used for device encryption)
wakelock_use(vold)
# Allow vold to publish a binder service and make binder calls.
binder_use(vold)
add_service(vold, vold_service)
# Allow vold to call into the system server so it can check permissions.
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
# talk to batteryservice
binder_call(vold, healthd)
# talk to keymaster
hal_client_domain(vold, hal_keymaster)
# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;
# Write to /proc/sys/vm/drop_caches
allow vold proc_drop_caches:file w_file_perms;
# Give vold a place where only vold can store files; everyone else is off limits
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
# And a similar place in the metadata partition
allow vold vold_metadata_file:dir create_dir_perms;
allow vold vold_metadata_file:file create_file_perms;
# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
# vold temporarily changes its priority when running benchmarks
allow vold self:global_capability_class_set sys_nice;
# vold needs to chroot into app namespaces to remount when runtime permissions change
allow vold self:global_capability_class_set sys_chroot;
allow vold storage_file:dir mounton;
# For AppFuse.
allow vold fuse_device:chr_file rw_file_perms;
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
allow vold user_profile_data_file:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
neverallow {
domain
-vold
-vold_prepare_subdirs
} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow {
domain
-init
-vold
-vold_prepare_subdirs
} vold_data_file:dir *;
neverallow {
domain
-init
-vendor_init
-vold
} vold_metadata_file:dir *;
neverallow {
domain
-kernel
-vold
-vold_prepare_subdirs
} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow {
domain
-init
-vold
-vold_prepare_subdirs
} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow {
domain
-init
-kernel
-vendor_init
-vold
-vold_prepare_subdirs
} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
# Only system_server and vdc can interact with vold over binder
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
-hal_keymaster_server
-healthd
-hwservicemanager
-servicemanager
-system_server
userdebug_or_eng(`-su')
}:binder call;
neverallow vold fsck_exec:file execute_no_trans;
neverallow { domain -init } vold:process { transition dyntransition };
neverallow vold *:process ptrace;
neverallow vold *:rawip_socket *;
Reference in a new issue View git blame Copy permalink