Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 502e43f7d9f8ed2ccdd0c2d2c7aa2bc84d9c02e7^! / .
commit502e43f7d9f8ed2ccdd0c2d2c7aa2bc84d9c02e7[log] [tgz]
authorTri Vo <trong@google.com>Fri Oct 13 12:45:59 2017 -0700
committerTri Vo <trong@google.com>Tue Oct 31 16:20:58 2017 -0700
tree47e6b477b568bb2185277a8864bed198a33c9170
parent61dc5fb26c1687c24321742d8fa53b2c391729bb [diff]
Neverallow coredomain to kernel interface files.

Core domains should not be allowed access to kernel interfaces,
which are not explicitly labeled. These interfaces include
(but are not limited to):

1. /proc
2. /sys
3. /dev
4. debugfs
5. tracefs
6. inotifyfs
7. pstorefs
8. configfs
9. functionfs
10. usbfs
11. binfmt_miscfs

We keep a lists of exceptions to the rule, which we will be gradually shrinking.
This will help us prevent accidental regressions in our efforts to label
kernel interfaces.

Bug: 68159582
Test: bullhead, sailfish can build
Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5

diff --git a/private/domain.te b/private/domain.te
index d37a0bd..b80064e 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -16,3 +16,119 @@
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+  # /proc
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -platform_app
+    -priv_app
+    -radio
+    -shell
+    -system_app
+    -vold
+    -vendor_init
+  } proc:file no_rw_file_perms;
+
+  # /sys
+  neverallow {
+    coredomain
+    -charger
+    -dumpstate
+    -healthd
+    -init
+    -mediaserver
+    -priv_app
+    -radio
+    -storaged
+    -system_app
+    -system_server
+    -ueventd
+    -update_verifier
+    -vold
+    -vendor_init
+  } sysfs:file no_rw_file_perms;
+
+  # /dev
+  neverallow {
+    coredomain
+    -fsck
+    -init
+    -shell
+    -ueventd
+    -vendor_init
+  } device:{ blk_file file } no_rw_file_perms;
+
+  # debugfs
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -system_server
+    -vendor_init
+  } debugfs:file no_rw_file_perms;
+
+  # tracefs
+  neverallow {
+    coredomain
+    -atrace
+    -dumpstate
+    -init
+    -perfprofd
+    -shell
+    -vendor_init
+  } debugfs_tracing:file no_rw_file_perms;
+
+  # inotifyfs
+  neverallow {
+    coredomain
+    -init
+    -vendor_init
+  } inotify:file no_rw_file_perms;
+
+  # pstorefs
+  neverallow {
+    coredomain
+    -bootstat
+    -charger
+    -dumpstate
+    -healthd
+    -init
+    -logd
+    -logpersist
+    -recovery_persist
+    -recovery_refresh
+    -shell
+    -system_server
+    -vendor_init
+  } pstorefs:file no_rw_file_perms;
+
+  # configfs
+  neverallow {
+    coredomain
+    -init
+    -system_server
+    -vendor_init
+  } configfs:file no_rw_file_perms;
+
+  # functionfs
+  neverallow {
+    coredomain
+    -adbd
+    -init
+    -mediaprovider
+    -vendor_init
+  }functionfs:file no_rw_file_perms;
+
+  # usbfs and binfmt_miscfs
+  neverallow {
+    coredomain
+    -init
+    -vendor_init
+  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')