Fix CTS regressions
Commit 7688161 "hal_*_(client|server) => hal(client|server)domain"
added neverallow rules on hal_*_client attributes while simultaneously
expanding these attribute which causes them to fail CTS neverallow
tests. Remove these neverallow rules as they do not impose specific
security properties that we want to enforce.
Fix the other neverallow failures: those rules were imposed on the hal_foo
attributes but should have been enforced on the hal_foo_server attributes
instead.
Bug: 69566734
Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \
android.cts.security.SELinuxNeverallowRulesTest
CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed
remaining failure appears to be caused by b/68133473
Test: build taimen-user/userdebug
Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc
diff --git a/public/domain.te b/public/domain.te
index f544cd1..0d50c38 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -467,8 +467,8 @@
domain
-adbd
-dumpstate
- -hal_drm
- -hal_cas
+ -hal_drm_server
+ -hal_cas_server
-init
-mediadrmserver
-recovery
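Review bot: Narrowing the exclusions from `-hal_drm`/`-hal_cas` to their `_server` forms widens this neverallow to any domain that carries only `hal_drm_client` or `hal_cas_client`; the rule's head and its object class are above the hunk, so which permission those client domains are now denied is not visible here. The commit message frames this as moving the exemption to the server attributes, which matches the hunk, and the reported CTS run suggests no client domain now trips it, but nothing on the exclusion list says why only the server side is exempt. A one-line comment beside the two entries, e.g. `# only the DRM/CAS HAL server processes are exempt; their clients are covered by this rule`, would keep a later edit from re-adding the broader attribute. The same narrowing is done for `-hal_bootctl_server` in the next hunk and for `-hal_keymaster_server` in vold.te, and the same comment applies there.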
@@ -508,7 +508,7 @@
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
- -hal_bootctl
+ -hal_bootctl_server
-init
-uncrypt
-update_engine
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 0665e26..dd7b140 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,11 +23,11 @@
###
# Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
# Should never need network access.
# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index d0824c3..4265b8a 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -23,10 +23,10 @@
# hal_camera should never execute any executable without a
# domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
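Review bot: The comments above the rewritten rules still say `# hal_camera should never execute any executable without a domain transition` and `# hal_camera should never need network access`, while the rules now constrain `hal_camera_server`, so the comments describe a broader attribute than the one enforced and imply client domains are covered. Updating them to `# hal_camera_server should never execute any executable without a domain transition` and `# hal_camera_server should never need network access. Disallow network sockets.` keeps comment and rule in step. The same stale wording is left in hal_cas.te (`# hal_cas should never execute …`) and hal_drm.te (`# hal_drm should never execute …`); hal_audio.te's comments name no subject and need no change.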
diff --git a/public/hal_cas.te b/public/hal_cas.te
index b4801c5..7f65358 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -7,7 +7,7 @@
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
+get_prop(hal_cas_server, serialno_prop)
# Read files already opened under /data
allow hal_cas system_data_file:file { getattr read };
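Review bot: `get_prop(hal_cas_server, serialno_prop)` narrows an allow rule to the server, while the adjacent `allow hal_cas system_data_file:file { getattr read };` still grants to the whole `hal_cas` attribute, so two neighbouring rules now target different attributes with no explanation of why. If the serial-number read was narrowed to keep the expanded `hal_cas` attribute out of a serialno_prop neverallow elsewhere in the policy (presumably, given the commit's purpose), the comment should say so: `# Permit the CAS HAL server (not its clients) to read the device serial number from system properties`. Otherwise a reader is likely to treat the difference between the two rules as an oversight and widen it back.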
@@ -29,7 +29,7 @@
# hal_cas should never execute any executable without a
# domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index fbd90eb..a46dd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -47,7 +47,7 @@
# hal_drm should never execute any executable without a
# domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/te_macros b/public/te_macros
index aad2949..18e5e61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,6 @@
attribute hal_$1_server;
expandattribute hal_$1_server false;
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
neverallow { hal_$1_server -halserverdomain } domain:process fork;
')
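Review bot: With the client-side rule dropped, the remaining `neverallow { hal_$1_server -halserverdomain } domain:process fork;` appears to be the only statement tying the `hal_$1_server` attribute to `halserverdomain`, and it carries no comment saying that it is a membership check rather than a restriction on forking. A comment such as `# every domain granted hal_$1_server must also be in halserverdomain (the fork neverallow fails the build otherwise)` would preserve the intent through the next cleanup; the macro's define line is above the hunk. Since `hal_$1_client` no longer gets an equivalent check, the macro's header comment should state that client attributes may legitimately be assigned outside halclientdomain, which is what the commit message relies on.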
diff --git a/public/vold.te b/public/vold.te
index b446915..9dbf8dd 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -210,7 +210,7 @@
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
neverallow vold {
domain
- -hal_keymaster
+ -hal_keymaster_server
-healthd
-hwservicemanager
-servicemanager