Ban core components from accessing vendor data types

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.

This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.

A temporary exemption is granted to domains that currently rely on
such access.

(cherry picked from commit cd97e71084b026b201f8d5a0bc08c283f8d673cd)

Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
diff --git a/public/attributes b/public/attributes
index d9d123f..8231551 100644
--- a/public/attributes
+++ b/public/attributes
@@ -45,6 +45,10 @@
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;
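Review bot: The comment on `vendordata_in_core_violators` names the violation but not the rule it exempts a domain from, so a reader landing here cannot tell where membership takes effect; mirroring the wording of the neighbouring attribute with `# Domains in this attribute are excluded from the coredomain neverallow rules on vendor-owned data in domain.te.` would fix that. No domain is assigned to the new attribute in the hunks visible here, although the description says exemptions are granted, so the assignments presumably live in files outside this view of the patch.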
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4a..c18b08d 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 
 net_domain(dhcp)
 
diff --git a/public/domain.te b/public/domain.te
index bd5cb89..5c8280f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -509,6 +509,25 @@
     -appdomain
     -coredata_in_vendor_violators
   } system_data_file:dir ~search;
+  # do not allow coredomains to directly access vendor data. Exempt init
+  # because it is responsible for dir/file creation in init.rc scripts.
+  # Also exempt halclientdomain to exclude rules for passthrough mode.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  # do not allow coredomain to access vendor data directories.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+    } { data_file_type -core_data_file_type }:dir *;
 ')
 
 # On full TREBLE devices, socket communications between core components and vendor components are
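Review bot: The exception set on the first neverallow, `~{ append getattr ioctl read write }`, leaves `lock` denied, yet flock/fcntl locking is applied to an already-open FD, which is exactly the class of access the rule intends to keep; if core domains are expected to lock FDs received over HIDL, the line should read `}:file_class_set ~{ append getattr ioctl lock read write };`, otherwise a comment stating that locking is deliberately excluded would help the next maintainer. The two rules are also formatted inconsistently: the second closes its source set with `    } {` indented four spaces against two in the first, and its comment says `coredomain` where the first says `coredomains`. Both rules sit inside a macro block that is closed by the `')` at the end of the hunk but opened outside it.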
diff --git a/public/file.te b/public/file.te
index d7a82bc..32de735 100644
--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;