platform_system_sepolicy/public/neverallow_macros
Alex Klyubin 2746ae6822 Ban socket connections between core and vendor
On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and
vendor domain are not permitted to connect to each other's sockets.
There are two main exceptions: (1) apps are permitted to talk to other
apps over Unix domain sockets (this is public API in Android
framework), and (2) domains with network access (netdomain) are
permitted to connect to netd.

This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "socket_between_core_and_vendor_violators" attribute. The attribute
  is needed because the types corresponding to violators are not
  exposed to the public policy where the neverallow rules are.

Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
2017-03-27 08:49:13 -07:00

15 lines
681 B
Text

#
# Common neverallow permissions
define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
#####################################
# neverallow_establish_socket_comms(src, dst)
# neverallow src domain establishing socket connections to dst domain.
#
define(`neverallow_establish_socket_comms', `
neverallow $1 $2:socket_class_set { connect sendto };
neverallow $1 $2:unix_stream_socket connectto;
')