Move some rules around
Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.
Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.
Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5
diff --git a/private/app.te b/private/app.te
index 7d9bc89..b2c1be3 100644
--- a/private/app.te
+++ b/private/app.te
@@ -13,3 +13,11 @@
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
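Review bot: The comment above the moved rules understates the crash_dump exception: `-crash_dump` is carved out of the `transition` assertion only, while the `dyntransition` assertion on the following line has no such exception, so an app may exec into crash_dump but never dyntransition into it. Suggest making the comment say that explicitly: `# Exception for crash_dump (transition only; dyntransition into any non-app domain is never allowed).` Since the commit message acknowledges that git blame loses the history of these lines, a one-line pointer such as `# Moved from public/app.te so the assertions can reference private types.` would keep the rationale in-tree.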
diff --git a/private/coredomain.te b/private/coredomain.te
index 2fbbbfd..78ffb27 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,69 @@
} sysfs_leds:file *;
')
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ userdebug_or_eng(`-heapprofd')
+ -postinstall_dexopt
+ -system_server
+ -mediaserver
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-heapprofd')
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-heapprofd')
+ } vendor_overlay_file:file r_file_perms;
+')
+
# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
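Review bot: The /vendor/app exemption lists differ between the dir and file assertions — `-mediaserver` appears only in the `vendor_app_file:file r_file_perms` rule — and nothing in the hunk says why, so a later edit that copies one list over the other would silently widen or narrow the assertion. A comment on that line, e.g. `# mediaserver: file access only, no directory enumeration of /vendor/app`, would mark the asymmetry as intentional; the actual reason is not visible here and should be confirmed against the original commit before documenting it. The two /vendor/overlay assertions carry identical exemption lists, so a short note that they must be kept in sync would also help now that git blame no longer points at their origin.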
diff --git a/private/domain.te b/private/domain.te
index 65688b2..7a41ab2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -23,6 +23,42 @@
-vold
})')
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
# Limit ability to ptrace or read sensitive /proc/pid files of processes
# with other UIDs to these whitelisted domains.
neverallow {
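Review bot: The header `# For now, everyone can access core property files` now sits above two branches that do different things: under `not_compatible_property` every `domain` gets the properties, but under `compatible_property_only` only `{coredomain appdomain shell}` may read them and `vendor_default_prop` is granted to `{domain -coredomain -appdomain}` instead. Suggest rewording to `# Core property files: readable by every domain on devices without compatible properties; on compatible-property devices only coredomain/appdomain/shell read them, and vendor_default_prop goes to non-core domains instead.` The cgroup `allow` rules are also moved into private policy; because `domain` is a public attribute these rules should still reach vendor domains, which is presumably the intent given the commit calls itself a no-op, but a diff of the built policy (e.g. sediff of the old and new sepolicy) would back that up better than `Test: compiles` alone.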
diff --git a/public/app.te b/public/app.te
index 40dee5d..aa735b4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -435,14 +435,6 @@
neverallow appdomain { domain -appdomain }:process
{ sigkill sigstop signal };
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
# Write to rootfs.
neverallow appdomain rootfs:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
diff --git a/public/domain.te b/public/domain.te
index 67002c9..c536c12 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -83,37 +83,6 @@
allow domain properties_serial:file r_file_perms;
allow domain property_info:file r_file_perms;
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
- get_prop(domain, core_property_type)
- get_prop(domain, exported_dalvik_prop)
- get_prop(domain, exported_ffs_prop)
- get_prop(domain, exported_system_radio_prop)
- get_prop(domain, exported2_config_prop)
- get_prop(domain, exported2_radio_prop)
- get_prop(domain, exported2_system_prop)
- get_prop(domain, exported2_vold_prop)
- get_prop(domain, exported3_default_prop)
- get_prop(domain, exported3_radio_prop)
- get_prop(domain, exported3_system_prop)
- get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
- get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported_dalvik_prop)
- get_prop({coredomain appdomain shell}, exported_ffs_prop)
- get_prop({coredomain appdomain shell}, exported_system_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_config_prop)
- get_prop({coredomain appdomain shell}, exported2_radio_prop)
- get_prop({coredomain appdomain shell}, exported2_system_prop)
- get_prop({coredomain appdomain shell}, exported2_vold_prop)
- get_prop({coredomain appdomain shell}, exported3_default_prop)
- get_prop({coredomain appdomain shell}, exported3_radio_prop)
- get_prop({coredomain appdomain shell}, exported3_system_prop)
- get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
# Public readable properties
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
@@ -251,11 +220,6 @@
allow domain sysfs:dir search;
allow domain selinuxfs:filesystem getattr;
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain -appdomain } cgroup:dir w_dir_perms;
-allow { domain -appdomain } cgroup:file w_file_perms;
-
# Almost all processes log tracing information to
# /sys/kernel/debug/tracing/trace_marker
# The reason behind this is documented in b/6513400
@@ -966,69 +930,6 @@
}:file_class_set ~{ append getattr ioctl read write map };
')
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few whitelisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -system_server
- } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -idmap
- -init
- -installd
- userdebug_or_eng(`-perfprofd')
- userdebug_or_eng(`-heapprofd')
- -postinstall_dexopt
- -system_server
- -mediaserver
- } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -system_server
- -webview_zygote
- -zygote
- userdebug_or_eng(`-heapprofd')
- } vendor_overlay_file:file r_file_perms;
-')
-
full_treble_only(`
# Non-vendor domains are not allowed to file execute shell
# from vendor