Merge "Improve neverallow error messages and allow disabling them on userdebug builds."
diff --git a/private/app.te b/private/app.te
index 9c4461c..7dceaaa 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,3 +1,7 @@
 # TODO: deal with tmpfs_domain pub/priv split properly
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };
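Review bot: The neverallow on L11–L13 spells out the denied permissions by hand, so any udp_socket permission that is in neither this list nor the allowed set (`map`, if this policy's socket class carries it, and anything added to the class later) silently falls outside the guard. Since the allowed set is fixed at `{ connect getattr read recvfrom sendto write }` everywhere else in this change, writing the rule as its complement keeps the two in step: `neverallow appdomain system_server:udp_socket ~{ connect getattr read recvfrom sendto write };`. This is the same list that was removed from untrusted_app.te (L124–L126), so the gap is carried forward rather than newly introduced, but widening the rule to all of appdomain is a good moment to close it.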
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1d3e27b..ca7f1fa 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -84,6 +84,7 @@
     update_engine_log_data_file
     vendor_default_prop
     vendor_init
+    vendor_shell
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index dbfbcf9..e0547b6 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -41,6 +41,10 @@
 allow ephemeral_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(ephemeral_app, traced_producer, traced)
 
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### neverallow rules
 ###
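Review bot: The allow on L36, with its two-line comment, is repeated verbatim for platform_app (L63), priv_app (L78), system_app (L103) and untrusted_app_all (L138), while the matching neverallow now lives once on appdomain in app.te. Unless some appdomain members (isolated_app, for instance) are meant to stay excluded — the diff does not say — a single `allow appdomain system_server:udp_socket { connect getattr read recvfrom sendto write };` placed next to that neverallow would keep the allow and deny sets in one spot; failing that, a short macro in te_macros with one comment would avoid five copies drifting apart.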
diff --git a/private/file_contexts b/private/file_contexts
index de959d4..4abd8d8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -290,6 +290,7 @@
 /(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
 /(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
 /(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/bin/toolbox            u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index ee0590c..2596a8e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,10 @@
 
 read_runtime_log_tags(platform_app)
 
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/priv_app.te b/private/priv_app.te
index 92bfc57..9909e06 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -128,6 +128,10 @@
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
 
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### neverallow rules
 ###
diff --git a/private/shell.te b/private/shell.te
index a3c49db..ded9d1f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -36,3 +36,5 @@
 allow shell traced:fd use;
 allow shell traced_tmpfs:file { read write getattr map };
 unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/private/system_app.te b/private/system_app.te
index 7b8f3bf..c849aea 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -114,6 +114,10 @@
 control_logd(system_app)
 read_runtime_log_tags(system_app)
 
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 ###
 ### Neverallow rules
 ###
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 93a73f1..68c1a41 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,14 +24,6 @@
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
-
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
-
-neverallow untrusted_app system_server:udp_socket {
-        accept append bind create getopt ioctl listen lock name_bind
-        relabelfrom relabelto setattr setopt shutdown };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index e76407b..a43f04c 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -111,3 +111,7 @@
 allow untrusted_app_all traced:fd use;
 allow untrusted_app_all traced_tmpfs:file { read write getattr map };
 unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket { connect getattr read recvfrom sendto write };
diff --git a/public/domain.te b/public/domain.te
index e64b644..2222b88 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -874,6 +874,7 @@
         coredomain
         -init
         -vendor_init
+        -shell
     } vendor_shell_exec:file { execute execute_no_trans };
 
     # Do not allow vendor components to execute files from system
diff --git a/public/shell.te b/public/shell.te
index 916af1c..496d472 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -185,6 +185,9 @@
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
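Review bot: `rx_file_perms` on L160 gives shell `execute_no_trans` on vendor_shell_exec as well as `execute`, which allows /vendor/bin/sh to run inside the shell domain itself rather than through the automatic transition added in private/shell.te (L92); the comment on L159 describes only starting the vendor shell. If the transition is the whole intent, `domain_auto_trans` already grants the read/execute permissions it needs (via domain_trans, as far as I recall), so this allow could be dropped or narrowed to `allow shell vendor_shell_exec:file r_file_perms;` — the `-shell` exemption added to the neverallow in public/domain.te (L147) is still required for `execute` either way. If shell is deliberately meant to run vendor shell scripts without a domain change, say so in the comment, since the exemption in domain.te otherwise reads as a widening of the coredomain/vendor boundary.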
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index b330542..7d30acb 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,4 +1,19 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
+type vendor_shell, domain;
 type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
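Review bot: The header removed on L170–L172 ("MUST never run as interactive or login shell", "CAN never be transitioned to") is not replaced, although the new rules do the opposite — the domain is now entered from shell via domain_auto_trans (private/shell.te L92) and granted devpts, tty, console and adbd access. A comment in its place should state the new contract, e.g. `# vendor_shell: interactive shell domain for /vendor/bin/sh, entered from the shell domain (and adb shell) so vendor-side tooling runs with vendor rather than coredomain permissions.`, so a later reader does not have to recover the change of intent from history. The adbd entry path the comment on L182 refers to is not part of this diff, so that wording should be checked against adbd.te before it lands.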