Remove redundant sepolicy
We don't use MLS in Microdroid, so we don't need MLS rules, nor
mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy
checkpolicy.)
A lot of attributes are unused in Microdroid, so we can remove their
declarations and any references to them. (That may not make the
compiled policy smaller, since hopefully they get optimised out
anyway, but it means there is less policy for humans to deal with.)
Remove labels that relate only to apps, which we don't have - MAC
permissions, run-as, seapp_contexts.
In passing, fix a comment snafu in both system & microdroid policy.
Bug: 223596375
Test: Run staged-apex-compile & compos_verify, no denials
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 116c74d..ed74ddd 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -1,5 +1,4 @@
typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)
diff --git a/microdroid/system/private/attributes b/microdroid/system/private/attributes
index 991bac1..792d600 100644
--- a/microdroid/system/private/attributes
+++ b/microdroid/system/private/attributes
@@ -1,12 +1 @@
-hal_attribute(lazy_test);
-
-# This is applied to apps on vendor images with SDK <=30 only,
-# to exempt them from recent mls changes. It must not be applied
-# to any domain on newer system or vendor image.
-attribute mlsvendorcompat;
-
-# Attributes for property types having both system_property_type
-# and vendor_property_type. Such types are ill-formed because
-# property owner attributes must be exclusive.
-attribute system_and_vendor_property_type;
-expandattribute system_and_vendor_property_type false;
+#
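Review bot: The file is reduced to a lone `#` with nothing saying why an empty file is kept, so the next reader cannot tell whether it was truncated by mistake or is intentionally a placeholder. Presumably the policy build expects the file to exist; a one-line comment would make that explicit, e.g. `# No Microdroid-specific attributes are declared; this file is kept because the policy build expects it to exist.` If the build does not actually require it, deleting the file outright would be cleaner than a placeholder.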
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ab655aa..a7a53f1 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -182,7 +182,7 @@
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
# Restrict PTYs to only allowed ioctls.
@@ -427,10 +427,6 @@
domain
-tombstoned
-crash_dump
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
} tombstoned_crash_socket:unix_stream_socket connectto;
# Never allow anyone to connect or write to
@@ -500,7 +496,6 @@
domain
-adbd
-init
- -runas
} shell:process { transition dyntransition };
# Minimize read access to shell-writable symlinks.
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 50558f8..4f7a0ff 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -112,7 +112,6 @@
/system/bin/init u:object_r:init_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
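Review bot: Removing a file_contexts entry does not remove the file: if `/system/bin/run-as` were still packaged into the Microdroid system image it would now fall under whatever catch-all `/system` rule applies (presumably a generic system file type), becoming executable by any domain allowed to exec that type, and the "no denials" tests listed in the commit would not notice because the new label is more permissive rather than less. The commit message says run-as is not present, so this only needs a quick check that the image build does not still include the binary; a build-time check or a host test asserting the path is absent would keep that assumption from silently rotting. The same consideration applies to the `plat_mac_permissions.xml` and `plat_seapp_contexts` entries dropped in the next hunk if the build still emits those files.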
@@ -132,11 +131,9 @@
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 2938be4..e81173d 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -90,9 +90,7 @@
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
dontaudit kernel {
file_contexts_file
- mac_perms_file
property_contexts_file
- seapp_contexts_file
sepolicy_test_file
service_contexts_file
}:file relabelto;
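Review bot: The `mac_perms_file` and `seapp_contexts_file` types dropped from this dontaudit are not undeclared anywhere in the visible diff; their declarations presumably live in a public file.te that this patch does not touch. If they remain declared, the policy still compiles but keeps exactly the kind of dead type the commit sets out to remove, along with `runas_exec`/`runas` whose file_contexts entry is also gone. A grep across microdroid/ for `mac_perms_file`, `seapp_contexts_file`, `runas_exec` and `runas` would confirm there are no remaining declarations or references; if they are removed in a part of the change not shown here, disregard this.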
diff --git a/microdroid/system/private/mls b/microdroid/system/private/mls
index 303df81..cee6675 100644
--- a/microdroid/system/private/mls
+++ b/microdroid/system/private/mls
@@ -2,88 +2,11 @@
# MLS policy constraints
#
-#
-# Process constraints
-#
+# We aren't using MLS in Microdroid. But the policy grammar requires
+# at least one MLS declaration, and checkpolicy enforces this. We
+# don't want to disable MLS, since we share some file labels with the
+# host (e.g. files in APEXes) which does have MLS. So we include this
+# fairly harmless constraint.
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and t2 == system_data_file) );
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+# Process transition: Require equivalence.
+mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);
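Review bot: The retained rule `mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);` drops the `t1 == mlstrustedsubject` escape the original had, which is a no-op only while every Microdroid process and every exec target run at a single level (s0) with no range_transition rules; the new comment says MLS is unused but never states that assumption, so a future range_transition or a categorised label inherited from a host-shared APEX file would start failing process transitions with no hint in this file as to why. Suggest appending to the comment: `# This constraint is a no-op as long as all Microdroid domains run at a single level (s0) with no range_transition rules; if that ever changes, revisit or drop it.` With that stated, "fairly harmless" can be made precise: a no-op under the assumption, a hard block on transitions otherwise.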
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index aaebf68..c93b488 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -1,4 +1,4 @@
-typeattribute shell coredomain, mlstrustedsubject;
+typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;