More neverallow rules
When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.
Process:
- Paste in all the neverallow rules from public/domain.te in Android
policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,
I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)
And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.
Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 2329a1d..ad2c645 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -282,3 +282,351 @@
# No executable memory unless backed by an unmodified file
neverallow * self:process { execmem execheap execstack };
neverallow * *:file execmod;
+
+# All ioctls on file-like objects (except chr_file and blk_file) and
+# sockets must be restricted to an allowlist.
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
+
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these allowed domains.
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+} self:global_capability_class_set mknod;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:global_capability2_class_set mac_override;
+
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only the kernel hwrng thread should be able to read from the HW RNG.
+neverallow {
+ domain
+ -shell # For CTS, restricted to just getattr in shell.te
+ -ueventd # To create the /dev/hw_random file
+} hw_random_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow * { file_type -exec_type }:file entrypoint;
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+neverallow * vendor_init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
+neverallow {
+ domain
+ with_asan(`-asan_extract')
+} {
+ system_file_type
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+ { create relabelfrom relabelto append link rename };
+neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager *;
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+
+neverallow { domain -init } build_prop:property_service set;
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
+
+neverallow {
+ domain
+ -tombstoned
+ -crash_dump
+
+ # Processes that can't exec crash_dump
+ -hal_codec2_server
+ -hal_omx_server
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain } tombstoned_intercept_socket:sock_file write;
+neverallow { domain } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -toolbox # TODO(b/141108496) We want to remove toolbox
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+} shell:process { transition dyntransition };
+
+# Minimize read access to shell-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -shell
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-allowed domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -init
+ -vendor_init
+ -shell
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -init
+ -vendor_init
+ -shell
+} shell_data_file:dir { open search };
+
+# servicemanager is the only process which handles the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+neverallow { domain -init -vendor_init } debugfs:{ file lnk_file } no_rw_file_perms;
+
+# Do not allow executable files in debugfs.
+neverallow domain debugfs_type:file { execute execute_no_trans };
+
+# Don't allow access to the FUSE control filesystem, except to init's
+neverallow { domain -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+} ashmem_device:chr_file open;
+
+neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
+
+# Linux lockdown "integrity" level is enforced for user builds.
+neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 5419f52..2fa101f 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -31,7 +31,7 @@
neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
+allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow microdroid_payload to ioctl /dev/vsock.
# TODO(b/199259751): remove the below rules
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 50c2c81..6479c55 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -195,12 +195,6 @@
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
-# All domains used for apps.
-attribute appdomain;
-
-# All third party apps (except isolated_app and ephemeral_app)
-attribute untrusted_app_all;
-
# All domains used for apps with network access.
attribute netdomain;
@@ -260,27 +254,6 @@
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice_violators;
-expandattribute untrusted_app_visible_hwservice_violators false;
-
-# halserver domains that are accessible to untrusted applications. These
-# domains are typically those hosting hwservices attributed by the
-# untrusted_app_visible_hwservice_violators.
-# WARNING: Use of this attribute should be avoided unless absolutely necessary.
-# It is a temporary allowance to aid the transition to treble and will be
-# removed in the future platform version, requiring all halserver domains that
-# are labeled with this attribute to be submitted to AOSP in order to maintain
-# their app-visibility.
-attribute untrusted_app_visible_halserver_violators;
-expandattribute untrusted_app_visible_halserver_violators false;
-
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;