Move a couple of treble policies to private
We need to add an exception for a private type; it can only be
recognised if these are private policies.
Bug: 79161490
Test: TreeHugger
Change-Id: Icc902389e545f1ff4c92d2ab81c0617a3439f466
diff --git a/private/domain.te b/private/domain.te
index a4abe53..7f73b5b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -365,3 +365,76 @@
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -heapprofd
+ -init
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel
+ -traced_perf
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -tombstoned # linker to tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+ });
+')
+
+full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones allowed here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel # loads /vendor/firmware
+ userdebug_or_eng(`-heapprofd')
+ -shell
+ -system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
+ -ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_apex_file
+ -vendor_configs_file
+ -vendor_service_contexts_file
+ -vendor_framework_file
+ -vendor_idc_file
+ -vendor_keychars_file
+ -vendor_keylayout_file
+ -vendor_overlay_file
+ -vendor_public_lib_file
+ -vendor_task_profiles_file
+ -vndk_sp_file
+ }:file *;
+')
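Review bot: The first moved block (the `vendor_file:file { no_w_file_perms no_x_file_perms open }` neverallow) exempts `-heapprofd` unconditionally, while the third (the `vendor_file_type ... :file *` neverallow) exempts it only via ``userdebug_or_eng(`-heapprofd')``; if vendor_file is itself a vendor_file_type, as its name suggests, the unconditional exemption is presumably moot on user builds. This is pre-existing rather than introduced by the move, but with both rules now adjacent in private policy it is worth either aligning them or adding a one-line comment stating why they differ. The commit message says the move is needed so an exception for a private type can be added, yet this hunk adds none; a comment such as `# TODO(b/79161490): exclude the private type that cannot be referenced from public policy` above the moved rules would tell a reader why they now live in private/domain.te. Whether relocating these neverallows from public to private is fully behaviour-neutral depends on nothing in the exported public policy relying on them, which cannot be verified from this diff alone.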
diff --git a/public/domain.te b/public/domain.te
index 58b2d98..745bb25 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -725,25 +725,6 @@
-socket_between_core_and_vendor_violators
});
')
- # Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
@@ -1006,41 +987,6 @@
')
full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones allowed here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- userdebug_or_eng(`-heapprofd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-full_treble_only(`
# Do not allow vendor components access to /system files except for the
# ones allowed here.
neverallow {
@@ -1342,24 +1288,6 @@
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.