commit 4c110ff19b751c237819ac5fed3471277a74c07d
author Inseob Kim <inseob@google.com> Thu Nov 26 21:50:23 2020 +0900
committer Inseob Kim <inseob@google.com> Mon Nov 30 18:34:30 2020 +0900
tree 52727b117e8c8a6f8f8a49be93d40a6851575ac7
parent aff923a4697b2109b8a887d5db1fc3be7c5c3c5d

Use attributes for exclusive property owners

tests/sepolicy_tests.py has been checking whether the property owner
attributes are mutually exclusive. This is because current policy
language can't express the following snippet:

    neverallow domain {
        system_property_type && vendor_property_type
    }:file no_rw_file_perms;

    neverallow domain {
        system_property_type && vendor_property_type
    }:property_service set;

This uses technical_debt.cil to workaround this.

Bug: 171437654
Test: Try to compile a type having both system_property_type and
      vendor_property_type
Change-Id: Ic65f2d00aa0f2fb7f5d78331b0a26e733fcd128e

private/attributes

diff --git a/private/attributes b/private/attributes
index 3d18d71..cf1c307 100644
--- a/private/attributes
+++ b/private/attributes
@@ -4,3 +4,8 @@
 # to exempt them from recent mls changes. It must not be applied
 # to any domain on newer system or vendor image.
 attribute mlsvendorcompat;
+
+# Attributes for property types having both system_property_type
+# and vendor_property_type. Such types are ill-formed because
+# property owner attributes must be exclusive.
+attribute system_and_vendor_property_type;

private/property.te

diff --git a/private/property.te b/private/property.te
index 480d3e3..1163a3c 100644
--- a/private/property.te
+++ b/private/property.te
@@ -537,3 +537,7 @@
   -coredomain
   -appdomain
 } sqlite_log_prop:file no_rw_file_perms;
+
+# Only one of system_property_type and vendor_property_type can be assigned.
+# Property types having both attributes won't be accessible from anywhere.
+neverallow domain system_and_vendor_property_type:{file property_service} *;

private/technical_debt.cil

diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index fdcd0a3..9b3e3c6 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -63,3 +63,9 @@
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute { appdomain -isolated_app } hal_cas_client;
 (typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
+
+; Properties having both system_property_type and vendor_property_type are illegal
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
+(typeattribute system_and_vendor_property_type)
+(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))