Revert "More neverallow rules"
This reverts commit 72c013438443e0ed273a24e9b5126ccf9455c129.
Reason for revert: Looks like this may have broken ComposHostTestCases
Bug: 204853211
Change-Id: I83816a49d3be056e4c9a718ea02911ca022cb984
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ad2c645..2329a1d 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -282,351 +282,3 @@
# No executable memory unless backed by an unmodified file
neverallow * self:process { execmem execheap execstack };
neverallow * *:file execmod;
-
-# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
-
-# b/68014825 and https://android-review.googlesource.com/516535
-# rfc6093 says that processes should not use the TCP urgent mechanism
-neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowed domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
-} self:global_capability_class_set mknod;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:global_capability2_class_set mac_override;
-
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only the kernel hwrng thread should be able to read from the HW RNG.
-neverallow {
- domain
- -shell # For CTS, restricted to just getattr in shell.te
- -ueventd # To create the /dev/hw_random file
-} hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
-
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-neverallow * vendor_init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
-} {
- system_file_type
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
- { create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
-
-neverallow { domain -init } build_prop:property_service set;
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-neverallow {
- domain
- -tombstoned
- -crash_dump
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
-# Never allow anyone to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain } tombstoned_intercept_socket:sock_file write;
-neverallow { domain } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -init
- -vendor_init
- -toolbox # TODO(b/141108496) We want to remove toolbox
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
- -runas
-} shell:process { transition dyntransition };
-
-# Minimize read access to shell-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -shell
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -init
- -vendor_init
- -shell
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -init
- -vendor_init
- -shell
-} shell_data_file:dir { open search };
-
-# servicemanager is the only process which handles the
-# service_manager list request
-neverallow * ~{
- servicemanager
- }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-neverallow { domain -init -vendor_init } debugfs:{ file lnk_file } no_rw_file_perms;
-
-# Do not allow executable files in debugfs.
-neverallow domain debugfs_type:file { execute execute_no_trans };
-
-# Don't allow access to the FUSE control filesystem, except to init's
-neverallow { domain -init -vendor_init } fusectlfs:file no_rw_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
-# If an already existing file is opened with O_CREAT, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-
-# These filesystems don't allow files or directories to be created, so the permission
-# to do so should never be granted.
-neverallow domain {
- proc_type
- sysfs_type
-}:dir { add_name create link remove_name rename reparent rmdir write };
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
-} ashmem_device:chr_file open;
-
-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 2fa101f..5419f52 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -31,7 +31,7 @@
neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
# Allow microdroid_payload to ioctl /dev/vsock.
# TODO(b/199259751): remove the below rules
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 6479c55..50c2c81 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -195,6 +195,12 @@
# i.e. files that can be read by lower and written by higher
attribute mlstrustedobject;
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps (except isolated_app and ephemeral_app)
+attribute untrusted_app_all;
+
# All domains used for apps with network access.
attribute netdomain;
@@ -254,6 +260,27 @@
attribute system_writes_mnt_vendor_violators;
expandattribute system_writes_mnt_vendor_violators false;
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice_violators;
+expandattribute untrusted_app_visible_hwservice_violators false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice_violators.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver_violators;
+expandattribute untrusted_app_visible_halserver_violators false;
+
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;