08d4c8fa6e
This commit adds fake 31.0 prebuilt. The prebuilt is based on AOSP policy, but slightly modified so the set of types and attributes is a subset of real 31.0 prebuilt (sc-dev policy). Steps taken to make the fake prebuilt: 1) build plat_sepolicy.cil both on AOSP and sc-dev, with lunch target aosp_arm64-eng. 2) diff both outputs to find out which types and attributes don't exist. 3) remove all relevant files and statements. As a result, the following types are removed. artd artd_exec artd_service power_stats_service transformer_service virtualizationservice virtualizationservice_data_file virtualizationservice_exec Bug: 189161483 Test: N/A, will do after adding 31.0 mapping files. Change-Id: Ia957fc32b1838dae730d9dd7bd917d684d4a24cf Merged-In: Ia4ea2999f4bc8ae80f13e51d99fba3e98e293447
116 lines
5.1 KiB
Text
116 lines
5.1 KiB
Text
#################################################
|
|
# MLS policy constraints
|
|
#
|
|
|
|
#
|
|
# Process constraints
|
|
#
|
|
|
|
# Process transition: Require equivalence unless the subject is trusted.
|
|
mlsconstrain process { transition dyntransition }
|
|
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
|
|
|
# Process read operations: No read up unless trusted.
|
|
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
|
|
(l1 dom l2 or t1 == mlstrustedsubject);
|
|
|
|
# Process write operations: Require equivalence unless trusted.
|
|
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
|
|
(l1 eq l2 or t1 == mlstrustedsubject);
|
|
|
|
#
|
|
# Socket constraints
|
|
#
|
|
|
|
# Create/relabel operations: Subject must be equivalent to object unless
|
|
# the subject is trusted. Sockets inherit the range of their creator.
|
|
mlsconstrain socket_class_set { create relabelfrom relabelto }
|
|
((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
|
|
|
|
# Datagram send: Sender must be equivalent to the receiver unless one of them
|
|
# is trusted.
|
|
mlsconstrain unix_dgram_socket { sendto }
|
|
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
|
|
|
# Stream connect: Client must be equivalent to server unless one of them
|
|
# is trusted.
|
|
mlsconstrain unix_stream_socket { connectto }
|
|
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|
|
|
|
#
|
|
# Directory/file constraints
|
|
#
|
|
|
|
# Create/relabel operations: Subject must be equivalent to object unless
|
|
# the subject is trusted. Also, files should always be single-level.
|
|
# Do NOT exempt mlstrustedobject types from this constraint.
|
|
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
|
|
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
|
|
|
|
#
|
|
# Userfaultfd constraints
|
|
#
|
|
# To enforce that anonymous inodes are self contained in the application's process.
|
|
mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
|
|
(l1 eq l2);
|
|
|
|
#
|
|
# Constraints for app data files only.
|
|
#
|
|
|
|
# Only constrain open, not read/write, so already open fds can be used.
|
|
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
|
|
# Subject must dominate object unless the subject is trusted.
|
|
mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
|
|
(t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
|
|
mlsconstrain { file sock_file } { open setattr unlink link rename }
|
|
( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
|
|
|
|
# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
|
|
mlsconstrain { lnk_file } { open setattr unlink link rename read }
|
|
( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
|
|
# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
|
|
# TODO: Migrate to equivalence when it's no longer needed.
|
|
mlsconstrain { lnk_file } { open setattr unlink link rename read }
|
|
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
|
|
|
|
#
|
|
# Constraints for file types other than app data files.
|
|
#
|
|
|
|
# Read operations: Subject must dominate object unless the subject
|
|
# or the object is trusted.
|
|
mlsconstrain dir { read getattr search }
|
|
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
|
|
or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
|
|
|
|
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
|
|
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
# Write operations: Subject must be equivalent to the object unless the
|
|
# subject or the object is trusted.
|
|
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
|
|
(t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
|
|
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
|
|
|
|
# Special case for FIFOs.
|
|
# These can be unnamed pipes, in which case they will be labeled with the
|
|
# creating process' label. Thus we also have an exemption when the "object"
|
|
# is a domain type, so that processes can communicate via unnamed pipes
|
|
# passed by binder or local socket IPC.
|
|
mlsconstrain fifo_file { read getattr }
|
|
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
|
|
|
|
mlsconstrain fifo_file { write setattr append unlink link rename }
|
|
(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
|
|
|
|
#
|
|
# Binder IPC constraints
|
|
#
|
|
# Presently commented out, as apps are expected to call one another.
|
|
# This would only make sense if apps were assigned categories
|
|
# based on allowable communications rather than per-app categories.
|
|
#mlsconstrain binder call
|
|
# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
|