sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split and the subsequent versioning, and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
diff --git a/private/app.te b/private/app.te
new file mode 100644
index 0000000..9c4461c
--- /dev/null
+++ b/private/app.te
@@ -0,0 +1,3 @@
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
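Review bot: The `# TODO: deal with tmpfs_domain pub/priv split properly` comment on the first line of this new file is repeated verbatim in dumpstate.te, ephemeral_app.te, logd.te, recovery_persist.te, recovery_refresh.te and system_server.te, with nothing tying the seven sites together. A single tracking tag would make the follow-up findable once the split is resolved, e.g. `# TODO(b/<tracking-bug>): deal with tmpfs_domain pub/priv split properly` used at every site. Nothing in the hunk says what "properly" means; one sentence here naming the intended end state (tmpfs rules moving to public policy, or a dedicated macro) would spare the next reader a git-blame.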
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0abaee6..e8c0e76 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -2,3 +2,8 @@
# public, but conceptually should go with this
# Socket creation under /data/misc/bluedroid.
type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# app_domain macro fallout
+tmpfs_domain(bluetooth)
+# Map with PROT_EXEC.
+allow bluetooth bluetooth_tmpfs:file execute;
diff --git a/private/domain.te b/private/domain.te
new file mode 100644
index 0000000..c975ce6
--- /dev/null
+++ b/private/domain.te
@@ -0,0 +1,10 @@
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow {
+ domain
+ -debuggerd
+ -vold
+ -dumpstate
+ -system_server
+ userdebug_or_eng(`-perfprofd')
+} self:capability sys_ptrace;
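Review bot: The exemption list between `neverallow {` and `} self:capability sys_ptrace;` gives no reason per domain, and the header comment calls them "whitelisted domains" without saying that the `userdebug_or_eng(`-perfprofd')` entry only applies on debug builds. A short comment per exemption (why that domain needs to ptrace or read /proc/pid of other UIDs) would set the bar for future additions; at minimum add `# perfprofd is exempt on userdebug/eng builds only.` above that line. Since this neverallow now lives in private policy it is presumably checked against the fully assembled policy, non-platform domains included, so the list can only grow through a platform change; if that is the intent, the header should say so.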
diff --git a/private/drmserver.te b/private/drmserver.te
index 340c454..cc96afd 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -1,3 +1,5 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
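Review bot: The new `type_transition drmserver apk_data_file:sock_file drmserver_socket;` has no comment, while the equivalent transitions in bluetooth.te and system_server.te in this same change each carry a one-line "Create a socket ..." note. A line such as `# Socket creation under apk_data_file directories (presumably /data/app; confirm against file_contexts).` would keep the private .te files consistent and tell the reader which path the label applies to.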
diff --git a/private/dumpstate.te b/private/dumpstate.te
index ad646f4..a54591d 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -4,3 +4,12 @@
# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+allow dumpstate dumpstate_tmpfs:file execute;
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
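Review bot: The four systrace rules under `# systrace support - allow atrace to run` are duplicated verbatim in shell.te (`allow shell debugfs_tracing:dir r_dir_perms;` through `allow shell atrace_exec:file rx_file_perms;`), so any later change to the atrace access set has to be made twice. A small macro in te_macros, say `atrace_domain()` (name constructed here), taking the domain as its argument would keep both sites in step; failing that, a cross-reference comment at each site. Separately, `allow dumpstate dumpstate_tmpfs:file execute;` carries only the TODO, whereas every other tmpfs execute rule in this change is annotated `# Map with PROT_EXEC.`; adding the same line here would keep the justification uniform.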
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 939737b..3375bc9 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -3,3 +3,9 @@
# Define and allow access to our own type for ashmem regions.
# Label ashmem objects with our own unique type.
tmpfs_domain(ephemeral_app)
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Map with PROT_EXEC.
+allow ephemeral_app ephemeral_app_tmpfs:file execute;
+
+# Read system properties managed by zygote.
+allow ephemeral_app zygote_tmpfs:file read;
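Review bot: `allow ephemeral_app zygote_tmpfs:file read;` appears to restate the rule app.te adds for the whole `appdomain` attribute in this same change; if ephemeral_app carries appdomain (it presumably does via the app_domain macro, not visible here) the per-domain rule is redundant and will drift from the attribute-level one. Either drop it or add a comment saying why ephemeral_app needs its own copy, e.g. `# Explicit copy of the appdomain rule: ephemeral_app is not in appdomain.` if that is the reason.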
diff --git a/private/file.te b/private/file.te
new file mode 100644
index 0000000..818a53d
--- /dev/null
+++ b/private/file.te
@@ -0,0 +1,4 @@
+# Compatibility with type names used in vanilla Android 4.3 and 4.4.
+typealias audio_data_file alias audio_firmware_file;
+typealias app_data_file alias platform_app_data_file;
+typealias app_data_file alias download_file;
diff --git a/private/installd.te b/private/installd.te
index 50b3821..9e6fc1e 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -10,3 +10,6 @@
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
+
+# Create /data/.layout_version.* file
+type_transition installd system_data_file:file install_data_file;
diff --git a/private/isolated_app.te b/private/isolated_app.te
new file mode 100644
index 0000000..0a9901a
--- /dev/null
+++ b/private/isolated_app.te
@@ -0,0 +1,7 @@
+# app_domain fallout
+tmpfs_domain(isolated_app)
+# Map with PROT_EXEC.
+allow isolated_app isolated_app_tmpfs:file execute;
+
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
diff --git a/private/logd.te b/private/logd.te
index 52600ac..fcdd6a1 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -1,3 +1,8 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(logd)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append };
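Review bot: The comment `# logd is not allowed to write anywhere other than /data/misc/logd, and then only on userdebug or eng builds` no longer matches the rule beneath it, which also exempts `logd_tmpfs` unconditionally and `coredump_file` on debug builds. Suggest `# logd may only write to its own tmpfs; on userdebug/eng builds also /data/misc/logd and core dumps.` so the comment is the contract and the rule is its encoding. The same comment/rule mismatch is in recovery_persist.te (`recovery_persist_tmpfs` and `coredump_file` are exempt but unmentioned) and recovery_refresh.te ("not allowed to write anywhere" while `recovery_refresh_tmpfs` and `coredump_file` are exempt).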
diff --git a/private/mls b/private/mls
index 5589b4b..a561de1 100644
--- a/private/mls
+++ b/private/mls
@@ -1,15 +1,3 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
-
-
#################################################
# MLS policy constraints
#
diff --git a/private/mls_decl b/private/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/private/nfc.te b/private/nfc.te
new file mode 100644
index 0000000..33b5477
--- /dev/null
+++ b/private/nfc.te
@@ -0,0 +1,4 @@
+# app_domain_fallout
+tmpfs_domain(nfc)
+# Map with PROT_EXEC.
+allow nfc nfc_tmpfs:file execute;
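Review bot: The first line `# app_domain_fallout` uses an underscore where the other new files in this change write `# app_domain fallout` (and bluetooth.te writes `# app_domain macro fallout`). Use one spelling, `# app_domain fallout`, at all sites so a grep for the phrase finds every domain that had the tmpfs rules lifted out of the macro.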
diff --git a/private/platform_app.te b/private/platform_app.te
new file mode 100644
index 0000000..e478039
--- /dev/null
+++ b/private/platform_app.te
@@ -0,0 +1,4 @@
+# app_domain fallout
+tmpfs_domain(platform_app)
+# Map with PROT_EXEC.
+allow platform_app platform_app_tmpfs:file execute;
diff --git a/private/priv_app.te b/private/priv_app.te
new file mode 100644
index 0000000..9a535d9
--- /dev/null
+++ b/private/priv_app.te
@@ -0,0 +1,8 @@
+# app_domain fallout
+tmpfs_domain(priv_app)
+# Map with PROT_EXEC.
+allow priv_app priv_app_tmpfs:file execute;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
+create_pty(priv_app)
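Review bot: The comment `# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm` points at a host that differs from the otherwise identical comment in untrusted_app.te (`https://play.google.com/store/apps/details?id=jackpal.androidterm`), which looks like a search-and-replace artefact from deriving priv_app.te from untrusted_app.te. Restore the untrusted_app.te form: `# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm`.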
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 0000000..7218b23
--- /dev/null
+++ b/private/radio.te
@@ -0,0 +1,4 @@
+# app_domain fallout
+tmpfs_domain(radio)
+# Map with PROT_EXEC.
+allow radio radio_tmpfs:file execute;
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 3b74629..3c37d2b 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -1,3 +1,7 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index 8204465..d1cfbfe 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -1,3 +1,7 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/roles b/private/roles
deleted file mode 100644
index af5fe8b..0000000
--- a/private/roles
+++ /dev/null
@@ -1,2 +0,0 @@
-role r;
-role r types domain;
diff --git a/private/roles_decl b/private/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/private/roles_decl
@@ -0,0 +1 @@
+role r;
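Review bot: The deleted private/roles contained both `role r;` and `role r types domain;`, but the new roles_decl only carries `role r;`; the `types domain` association does not reappear anywhere on this page. Presumably it moved to the public policy as part of the split, but since the commit message does not say so, a one-line comment here, `# "role r types domain;" lives in the public policy.`, would tell the reader where the second half went and would make an accidental drop obvious.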
diff --git a/private/shared_relro.te b/private/shared_relro.te
new file mode 100644
index 0000000..c3c43ab
--- /dev/null
+++ b/private/shared_relro.te
@@ -0,0 +1,4 @@
+# app_domain fallout
+tmpfs_domain(shared_relro)
+# Map with PROT_EXEC.
+allow shared_relro shared_relro_tmpfs:file execute;
diff --git a/private/shell.te b/private/shell.te
new file mode 100644
index 0000000..802ffc0
--- /dev/null
+++ b/private/shell.te
@@ -0,0 +1,10 @@
+# systrace support - allow atrace to run
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+# app_domain fallout
+tmpfs_domain(shell)
+# Map with PROT_EXEC.
+allow shell shell_tmpfs:file execute;
diff --git a/private/su.te b/private/su.te
index 5c98258..3dda00f 100644
--- a/private/su.te
+++ b/private/su.te
@@ -1,13 +1,5 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- type su, domain, mlstrustedsubject;
domain_auto_trans(shell, su_exec, su)
-
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)
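Review bot: The removed lines carried the only documentation of a security property, that `type su` was declared inside `userdebug_or_eng(` precisely so the domain cannot exist on -user builds; the new side keeps `domain_auto_trans(shell, su_exec, su)` in that wrapper but the declaration, and the guarantee, now live somewhere not visible in this diff. Either keep a comment here, `# The su type itself is declared elsewhere; it must remain wrapped in userdebug_or_eng so it does not exist on user builds.`, or carry the original comment to the new declaration site. The enclosing userdebug_or_eng block continues past this hunk.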
@@ -16,41 +8,11 @@
# from the "init" domain.
domain_auto_trans(su, dumpstate_exec, dumpstate)
- # su is also permissive to permit setenforce.
+# su is also permissive to permit setenforce.
permissive su;
- # Add su to various domains
- net_domain(su)
- app_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su kernel:security *;
- dontaudit su kernel:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:process *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su domain:debuggerd *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
+ # app_domain fallout
+ tmpfs_domain(su)
+ # Map with PROT_EXEC.
+ allow su su_tmpfs:file execute;
')
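Review bot: As rendered, the new `# su is also permissive to permit setenforce.` line sits at column 0 while the new `# app_domain fallout` / `tmpfs_domain(su)` / `allow su su_tmpfs:file execute;` lines are indented, all within the same `userdebug_or_eng(` ... `')` block. If that is not an artefact of how the diff was extracted, pick one indentation for the block contents; the removed lines were uniformly indented, so indenting the setenforce comment to match is the smaller change. The enclosing userdebug_or_eng block starts outside this hunk.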
diff --git a/private/system_app.te b/private/system_app.te
new file mode 100644
index 0000000..4319c97
--- /dev/null
+++ b/private/system_app.te
@@ -0,0 +1,4 @@
+# app_domain fallout
+tmpfs_domain(system_app)
+# Map with PROT_EXEC.
+allow system_app system_app_tmpfs:file execute;
diff --git a/private/system_server.te b/private/system_server.te
index bab3d72..5859ca4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -4,3 +4,12 @@
tmpfs_domain(system_server)
# Create a socket for connections from debuggerd.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+allow system_server zygote_tmpfs:file read;
+
+# Create a socket for receiving info from wpa.
+type_transition system_server wifi_data_file:sock_file system_wpa_socket;
+type_transition system_server wpa_socket:sock_file system_wpa_socket;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
\ No newline at end of file
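Review bot: `allow system_server zygote_tmpfs:file read;` is added without a comment, whereas the same rule in app.te, ephemeral_app.te and isolated_app.te is annotated `# Read system properties managed by zygote.`; add that line above it so the reason is stated at every site. The file is also left without a trailing newline (`\ No newline at end of file`), which the other new and edited .te files in this change do not do.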
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
new file mode 100644
index 0000000..c9ed000
--- /dev/null
+++ b/private/untrusted_app.te
@@ -0,0 +1,8 @@
+# app_domain fallout
+tmpfs_domain(untrusted_app)
+# Map with PROT_EXEC.
+allow untrusted_app untrusted_app_tmpfs:file execute;
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app)