Merge "init: lock down access to keychord_device" into pi-dev
diff --git a/private/statsd.te b/private/statsd.te
index fec10a4..06d6e01 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -73,6 +73,7 @@
 
 # Allow access to with hardware layer and process stats.
 allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
 hal_client_domain(statsd, hal_power)
 hal_client_domain(statsd, hal_thermal)
 
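Review bot: The new `hal_client_domain(statsd, hal_health)` grant carries no note of which pulled statistic needs the health HAL, and it sits under a comment that reads `# Allow access to with hardware layer and process stats.`, which is garbled. Since each hal_client_domain line widens the set of HAL services statsd can reach over hwbinder, a one-line rationale helps the next reviewer judge whether it is still needed; presumably this is for battery/charger metrics — confirm. Proposed replacement for the block comment: `# Allow statsd to pull hardware-layer (health, power, thermal) and process stats.`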
diff --git a/public/domain.te b/public/domain.te
index 2620611..cccc651 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -843,13 +843,25 @@
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -coredomain
     -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -vendor_init
   } {
     core_data_file_type
     # libc includes functions like mktime and localtime which attempt to access
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-    }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write };
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -zoneinfo_data_file
+  }:file_class_set ~{ append getattr ioctl read write };
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
 ')
 full_treble_only(`
   # vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -858,12 +870,26 @@
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -coredomain
     -data_between_core_and_vendor_violators
-    } {
-      core_data_file_type
-      -system_data_file # default label for files on /data. Covered below...
-      -vendor_data_file
-      -zoneinfo_data_file
-    }:dir *;
+    -vendor_init
+  } {
+    core_data_file_type
+    -system_data_file # default label for files on /data. Covered below...
+    -vendor_data_file
+    -zoneinfo_data_file
+  }:dir *;
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -system_data_file
+    -vendor_data_file
+    -zoneinfo_data_file
+  }:dir *;
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:dir ~search;
 ')
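Review bot: The comment above `neverallow vendor_init unencrypted_data_file:dir ~search;` repeats the one added in the file_class_set block verbatim, and in both places "there is not a concern with stability" leaves the reader to reconstruct why a core_data_file_type exemption is acceptable for a vendor domain. Since the justification is the same, I would phrase it once per block in terms a policy reviewer can check: `# vendor_init executes from the system image, so traversing /data/unencrypted to read the FBE key ref/mode does not expose a core file format to vendor code; only search is permitted here.` The `:dir *` neverallow that opens with `-appdomain` at the top of this hunk begins before the hunk starts.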
 full_treble_only(`
   # vendor domains may only access dirs in /data/vendor, never core_data_file_types
diff --git a/public/vendor_init.te b/public/vendor_init.te
index e2b7ec4..c53d200 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
 allow vendor_init {
   file_type
   -core_data_file_type
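Review bot: `allow vendor_init unencrypted_data_file:file r_file_perms;` grants more than the stated need of reading two files, since r_file_perms in this policy appears to bundle at least ioctl, lock and map alongside open/read/getattr — confirm against global_macros. For a domain that executes vendor-supplied init.rc actions, the tighter form `allow vendor_init unencrypted_data_file:file { getattr open read };` matches the comment `# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.` and stays within the neverallow bound elsewhere in this change; if `map` is actually required by the fscrypt helper, say so in the comment rather than inheriting it from the macro. The `allow vendor_init {` statement at the bottom of this hunk continues past the hunk's last line.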