commit 1e5021c450a06eb738209948d1522747d3f327fa
author Nick Kralevich <nnk@google.com> Wed Nov 28 17:50:24 2018 -0800
committer Nick Kralevich <nnk@google.com> Wed Nov 28 17:55:21 2018 -0800
tree 3966effe22e92da326f8bd3a1454afc09e29514c
parent b1dad0967902c26212bae77e83c09a9cf9ab8568

Move some rules around

Move rules / neverallow assertions from public to private policy. This
change, by itself, is a no-op, but will make future patches easier to
read. The only downside of this change is that it will make git blame
less effective.

Motivation: When rules are placed into the public directory, they cannot
reference a private type. A future change will modify these rules to
reference a private type.

Test: compiles
Bug: 112357170
Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5

private/app.te

diff --git a/private/app.te b/private/app.te
index 7d9bc89..b2c1be3 100644
--- a/private/app.te
+++ b/private/app.te
@@ -13,3 +13,11 @@
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+    { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+    { dyntransition };

private/coredomain.te

diff --git a/private/coredomain.te b/private/coredomain.te
index 2fbbbfd..78ffb27 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -14,6 +14,69 @@
 } sysfs_leds:file *;
 ')
 
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
+        -postinstall_dexopt
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        userdebug_or_eng(`-perfprofd')
+        userdebug_or_eng(`-heapprofd')
+        -postinstall_dexopt
+        -system_server
+        -mediaserver
+    } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -webview_zygote
+        -zygote
+        userdebug_or_eng(`-heapprofd')
+    } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+        -init
+        -installd
+        -system_server
+        -webview_zygote
+        -zygote
+        userdebug_or_eng(`-heapprofd')
+    } vendor_overlay_file:file r_file_perms;
+')
+
 # Core domains are not permitted to use kernel interfaces which are not
 # explicitly labeled.
 # TODO(b/65643247): Apply these neverallow rules to all coredomain.

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 65688b2..7a41ab2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -23,6 +23,42 @@
   -vold
 })')
 
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { domain -appdomain } cgroup:dir w_dir_perms;
+allow { domain -appdomain } cgroup:file w_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+    get_prop(domain, core_property_type)
+    get_prop(domain, exported_dalvik_prop)
+    get_prop(domain, exported_ffs_prop)
+    get_prop(domain, exported_system_radio_prop)
+    get_prop(domain, exported2_config_prop)
+    get_prop(domain, exported2_radio_prop)
+    get_prop(domain, exported2_system_prop)
+    get_prop(domain, exported2_vold_prop)
+    get_prop(domain, exported3_default_prop)
+    get_prop(domain, exported3_radio_prop)
+    get_prop(domain, exported3_system_prop)
+    get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+    get_prop({coredomain appdomain shell}, core_property_type)
+    get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+    get_prop({coredomain appdomain shell}, exported_ffs_prop)
+    get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+    get_prop({coredomain appdomain shell}, exported2_config_prop)
+    get_prop({coredomain appdomain shell}, exported2_radio_prop)
+    get_prop({coredomain appdomain shell}, exported2_system_prop)
+    get_prop({coredomain appdomain shell}, exported2_vold_prop)
+    get_prop({coredomain appdomain shell}, exported3_default_prop)
+    get_prop({coredomain appdomain shell}, exported3_radio_prop)
+    get_prop({coredomain appdomain shell}, exported3_system_prop)
+    get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {