commit 91d398d802b4fbd33c2b88da9f56ecee8bdc363c
author Dan Cashman <dcashman@google.com> Tue Sep 26 12:58:29 2017 -0700
committer Dan Cashman <dcashman@google.com> Tue Sep 26 14:38:47 2017 -0700
tree ae80a698d8f48b79a749eb9d0b1668402614c1d0
parent 6922dfe3661ca7c4043f6ef9c6c61fdb9c7fa89a

Sync internal master and AOSP sepolicy.

Bug: 37916906
Test: Builds 'n' boots.
Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668
Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb

public/hal_configstore.te

diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 4bf6cfd..d5f2ef6 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,7 +1,64 @@
 # HwBinder IPC from client to server
 binder_call(hal_configstore_client, hal_configstore_server)
 
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
 add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
 # As opposed to the rules of most other HALs, the different services exposed by
 # this HAL should be restricted to different clients. Thus, the allow rules for
 # clients are defined in the .te files of the clients.
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+  rawip_socket tcp_socket udp_socket
+  netlink_route_socket netlink_selinux_socket
+  socket netlink_socket packet_socket key_socket appletalk_socket
+  netlink_tcpdiag_socket netlink_nflog_socket
+  netlink_xfrm_socket netlink_audit_socket
+  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+  netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+  domain
+  -hal_configstore_server
+  -logd
+  userdebug_or_eng(`-su')
+  -tombstoned
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+  data_file_type
+  -anr_data_file # for crash dump collection
+  -tombstone_data_file # for crash dump collection
+  -zoneinfo_data_file # granted to domain
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };