Tighten restrictions on core <-> vendor socket comms
This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.
This has now effect on what domains are permitted to do. This only
changes neverallow rules.
Test: mmm system/sepolicy
Bug: 36577153
(cherry picked from commit cf2ffdf0d86f485dfff05a2f13819997bfd462e1)
Change-Id: Iffeee571a2ff61fb9515fa6849d060649636524e
diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bb..afe4f0a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@
init_daemon_domain(drmserver)
type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/system_server.te b/private/system_server.te
index ddeeb1b..a731f5a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -190,6 +190,12 @@
binder_call(system_server, hal_vr)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_wifi)
+
+# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
+# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
+# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
+typeattribute system_server socket_between_core_and_vendor_violators;
+
hal_client_domain(system_server, hal_wifi_supplicant)
# Talk to tombstoned to get ANR traces.
diff --git a/private/wificond.te b/private/wificond.te
index 5476e33..b9e48b2 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,6 @@
typeattribute wificond coredomain;
init_daemon_domain(wificond)
+
+# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
+typeattribute wificond socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index d9d123f..9f42c9a 100644
--- a/public/attributes
+++ b/public/attributes
@@ -124,6 +124,9 @@
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
diff --git a/public/domain.te b/public/domain.te
index bd5cb89..fc4db7e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -554,6 +554,42 @@
-netdomain
-socket_between_core_and_vendor_violators
}, netd);
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -socket_between_core_and_vendor_violators
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -pdx_socket # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
')
# Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/file.te b/public/file.te
index d7a82bc..1634e33 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,34 +224,34 @@
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
type wpa_socket, file_type;
-type zygote_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index eb2bd81..a906d97 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -5,5 +5,7 @@
init_daemon_domain(hal_nfc_default)
# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators attribute.
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;