sepolicy: relabel /vendor
The CL splits /vendor labeling from /system, which was allowing all
processes read and execute access to /vendor.
Following directories will remain world readable
/vendor/etc
/vendor/lib(64)/hw/
Following are currently world readable but their scope
will be minimized to platform processes that require access
/vendor/app
/vendor/framework/
/vendor/overlay
Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.
Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803
All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
current location, take pictures and record video in camera,
playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass
Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/file_contexts b/private/file_contexts
index 00d0e4c..9feeef9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -259,7 +259,20 @@
#############################
# Vendor files
#
-/vendor(/.*)? u:object_r:system_file:s0
+/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
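Review bot: The `/(vendor|system/vendor)/lib(64)?/egl(/.*)?` entry labels the whole egl tree as same_process_hal_file, which under the domain.te rules in this change every domain may read and execute, so any file placed under /vendor/lib/egl becomes world-executable, not only the EGL drivers. A comment stating that scope would help, e.g. `# Everything under lib(64)/egl is world read+execute (same_process_hal_file); keep only SP-HAL libraries here`. The `lib(64)?/hw` entry below it carries no `(/.*)?`, so it labels the directory alone and the files inside keep the vendor_file label; a short note that this is intentional (the directory is listable, its contents are not world-readable) would keep the next reader from treating the missing suffix as a typo.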
diff --git a/private/system_server.te b/private/system_server.te
index 6f19e38..4302343 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -294,6 +294,9 @@
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
# Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms;
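Review bot: The comment `# Access /vendor/app` above the new r_dir_file line does not say why system_server needs its own rule when domain.te in this change already grants every domain read access to vendor_app_file under full_treble_only. That domain-wide rule is marked as temporary (b/36681210), so this is the line that must survive its removal; a comment such as `# Access /vendor/app (targeted grant; the domain-wide rule in domain.te is temporary, b/36681210)` records that intent for whoever does the cleanup.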
diff --git a/public/attributes b/public/attributes
index b7f0701..852dcd7 100644
--- a/public/attributes
+++ b/public/attributes
@@ -41,6 +41,9 @@
attribute data_file_type;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
# All vendor domains which violate the requirement of not accessing
# data outside /data/vendor.
# TODO(b/34980020): Remove this once there are no violations
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a..ee617a1 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -34,6 +34,9 @@
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
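Review bot: The comment `# Read all /vendor` overstates the rule beneath it: `r_dir_file(crash_dump, { vendor_file same_process_hal_file })` grants only those two types rather than the vendor_file_type attribute, so crash_dump gets nothing specific here for vendor_app_file, vendor_framework_file or vendor_overlay_file. Either the comment should read `# Read /vendor libraries and same process HALs` or, if crash_dump really must read every vendor file, the target should be `vendor_file_type`. The new line also drops the trailing semicolon that the neighbouring `r_dir_file(crash_dump, apk_data_file);` uses; one style within the file is easier to grep.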
diff --git a/public/domain.te b/public/domain.te
index 4a0ee76..4fc3bc0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -102,6 +102,61 @@
allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file { getattr read };
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+# TODO: (b/36681074) - Remove after this is resolved
+# TODO: (b/36680116, b/36656392, b/36681210) All need directory
+# lookup to find / open their libraries
+full_treble_only(`
+ # Everyone needs to lookup libraries in /vendor/lib(64)
+ # through linker/loader.
+ allow domain vendor_file:dir { getattr search };
+
+ # TODO: b/36681210, find out who needs access and only allow
+ # specific domains for Treble
+ allow domain vendor_app_file:dir r_dir_perms;
+ allow domain vendor_app_file:file { read open getattr };
+
+ # Some apps (com.android.phone) need to be able to open
+ # symlinked libraries
+ # TODO: b/36806861
+ allow domain vendor_app_file:lnk_file { open read };
+
+ # TODO: b/36656392, find out who needs access and only allow
+ # specific domains.
+ allow domain vendor_overlay_file:dir r_dir_perms;
+ allow domain vendor_overlay_file:file { read open getattr };
+
+ # TODO: b/36680116, find out who neeeds access and only allow
+ # specific domains
+ allow domain vendor_framework_file:dir r_dir_perms;
+ allow domain vendor_framework_file:file { read open getattr };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
# read any sysfs symlinks
allow domain sysfs:lnk_file read;
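Review bot: The rule `allow { domain -coredomain } vendor_file_type:file { read open getattr execute };` near the end of the full_treble_only block grants every vendor domain execute on all seven types carrying vendor_file_type, including vendor_configs_file (/vendor/etc), vendor_app_file, vendor_overlay_file and vendor_framework_file, which hold configuration, APKs and overlays rather than native code. If execute is only needed for libraries, limiting that permission to the code-bearing types, for instance `allow { domain -coredomain } { vendor_file same_process_hal_file vendor_hal_file }:file { read open getattr execute };` with a read-only rule for the rest, keeps the attribute from becoming an execute grant on config data; I cannot see from here whether any vendor domain relies on the wider form. The same breadth is then exempted from the execute neverallow via `-vendor_file_type` in the following hunk, so the two should be narrowed together. Two comment typos in this block: `doesn not` should be `does not` and `neeeds` should be `needs`.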
@@ -307,7 +362,14 @@
-system_server
-webview_zygote
-zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} {
+ file_type
+ -system_file
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
+
neverallow {
domain
-appdomain # for oemfs
@@ -336,14 +398,22 @@
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-# Only recovery should be doing writes to /system
-neverallow { domain -recovery with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set
- { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file exec_type }:dir_file_class_set relabelto;
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+ domain
+ -recovery
+ with_asan(`-asan_extract')
+} {
+ system_file
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } system_file:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
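Review bot: The context comment `# Don't allow mounting on top of /system files or directories` above the changed mounton rule is now out of date, since the rule beneath it reads `neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;`; update it to `# Don't allow mounting on top of /system or /vendor files or directories`, as was done for the write-protection comment earlier in this hunk. The relabelto neverallow was also left on a single line while the sibling rule directly above it was reflowed across several lines; the two read better with one layout.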
@@ -897,7 +967,7 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
# vendor, and boot partitions.
-neverallow * ~{ system_file rootfs }:system module_load;
+neverallow * ~{ system_file vendor_file_type rootfs }:system module_load;
# Only allow filesystem caps to be set at build time or
# during upgrade by recovery.
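Review bot: The new exemption `~{ system_file vendor_file_type rootfs }` permits kernel module loading from every type carrying the vendor_file_type attribute, which in this change includes vendor_configs_file, vendor_app_file, vendor_overlay_file and vendor_framework_file, not only the default-labelled part of /vendor. If modules are shipped only under paths that keep the vendor_file label, `neverallow * ~{ system_file vendor_file rootfs }:system module_load;` keeps the restriction as tight as the comment above it describes. I have not verified where device kernel modules are placed, so this is a question for the author rather than a confirmed defect.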
diff --git a/public/file.te b/public/file.te
index 0ee1500..6468d16 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,27 @@
# File types
type unlabeled, file_type;
+
# Default type for anything under /system.
type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
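Review bot: Two of the new type comments are hard to parse: `# Default type for directories search for` should read `# Default type for directories searched for`, and `# Default type for under /vendor or /system/vendor` is missing its subject, e.g. `# Default type for everything under /vendor or /system/vendor`. It would also help readers to mark, at the declaration, which vendor_file_type members are readable by every domain under full Treble; per domain.te in this change that is vendor_configs_file and same_process_hal_file, so a one-line `# World-readable (see domain.te)` on those two makes the exposure visible where the types are defined.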
diff --git a/public/init.te b/public/init.te
index 4af41ec..0deb8cd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -60,7 +60,7 @@
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
@@ -127,6 +127,7 @@
-misc_logd_file
-system_app_data_file
-system_file
+ -vendor_file_type
}:dir { create search getattr open read setattr ioctl };
allow init {
@@ -138,6 +139,7 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:dir { write add_name remove_name rmdir relabelfrom };
@@ -151,6 +153,7 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:file { create getattr open read write setattr relabelfrom unlink };
@@ -163,6 +166,7 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -175,12 +179,13 @@
-shell_data_file
-system_app_data_file
-system_file
+ -vendor_file_type
-vold_data_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow init cache_file:lnk_file r_file_perms;
-allow init { file_type -system_file -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
@@ -384,6 +389,7 @@
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
allow init proc_meminfo:file r_file_perms;
allow init system_data_file:file { getattr read };
diff --git a/public/te_macros b/public/te_macros
index bf75690..bc67278 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -181,6 +181,8 @@
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
')
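Review bot: The comment `# Find passthrough HAL implementations` above the added lines describes the directory-search rule, but the new `allow $2 vendor_file:file { read open getattr execute };` also lets the attribute open and execute any vendor_file library, not merely locate it; extend the comment to `# Find and load passthrough HAL implementations from /system and /vendor`. The same pair of lines is added to the second macro in the next hunk, and its comment needs the same update. Both macro definitions begin above their hunks, so which attribute `$2` names is not visible here.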
#####################################
@@ -197,6 +199,8 @@
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute };
')
#####################################
diff --git a/public/ueventd.te b/public/ueventd.te
index 512b019..8ec667e 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@
# Get SELinux enforcing status.
r_dir_file(ueventd, selinuxfs)
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, vendor_file)
+
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
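Review bot: The comment `# Access for /vendor/ueventd.rc and /vendor/firmware` names two paths, but `r_dir_file(ueventd, vendor_file)` grants read on every file and directory labelled vendor_file, which after this change is the default label for /vendor. The comment should state the actual scope, e.g. `# Read /vendor (default vendor_file label); needed for /vendor/ueventd.rc and /vendor/firmware`, so that later audits of which core domains read vendor_file stay accurate.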
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ea0ef29..5ccfab4 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -33,6 +33,13 @@
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
+
+#############################
+# Same process HALs installed by platform into /vendor
+#
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/android\.hardware\.renderscript@1\.0-impl\.so u:object_r:same_process_hal_file:s0
+
#############################
# Data files
#