commit 45766d4178e443b29fee8cd9c8917847ea3a4cf1
author Nick Kralevich <nnk@google.com> Wed Apr 26 11:40:48 2017 -0700
committer Nick Kralevich <nnk@google.com> Wed Apr 26 11:43:40 2017 -0700
tree 27b7a6532d43ff19f77409f0d4e072ca532a566f
parent 53b2c80949cae87f7407445c04c8f8471b4085ef

relax fuse_device neverallow rules

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0f0f577..bb37ceb 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -87,6 +87,9 @@
   ')
 }:dir_file_class_set { create unlink };
 
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
 # Do not allow untrusted apps to directly open tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
 

private/platform_app.te

diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..fd4634a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@
 allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 02e6101..7950044 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index f634336..188c560 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -965,26 +965,6 @@
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -shell # Restricted by shell.te to only getattr
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
-
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {