Test that /data is properly labeled
Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.
Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.
Test: build sepolicy for all targets in master (this is a build time
test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d52719f3b8b1fe8c3fd08cb13a393f1)
diff --git a/public/attributes b/public/attributes
index 8138a3f..77823cf 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,6 +32,7 @@
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+expandattribute core_data_file_type false;
# All types in /vendor
attribute vendor_file_type;
@@ -130,6 +131,7 @@
# All socket devices owned by core domain components
attribute coredomain_socket;
+expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index 308311c..c09ee50 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,7 +670,6 @@
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
-full_treble_only(`
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -678,6 +677,7 @@
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
+full_treble_only(`
neverallow_establish_socket_comms({
coredomain
-init
@@ -687,7 +687,9 @@
-coredomain
-socket_between_core_and_vendor_violators
});
+')
# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
@@ -703,20 +705,25 @@
-incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
});
+')
# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-netdomain
-socket_between_core_and_vendor_violators
}, netd);
+')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
-socket_between_core_and_vendor_violators
-vendor_init
} {
@@ -724,6 +731,8 @@
core_data_file_type
unlabeled # used only by core domains
}:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow {
appdomain
-coredomain
@@ -735,8 +744,10 @@
-pdx_endpoint_socket_type # used by VR layer
-pdx_channel_socket_type # used by VR layer
}:sock_file ~{ append getattr ioctl read write };
+')
# Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
neverallow {
coredomain
-init
diff --git a/public/file.te b/public/file.te
index 02a4360..932ecbf 100644
--- a/public/file.te
+++ b/public/file.te
@@ -317,7 +317,7 @@
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -327,7 +327,7 @@
type uncrypt_socket, file_type, coredomain_socket;
type vold_socket, file_type, coredomain_socket;
type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 275debb..ea9ba10 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -23,6 +23,10 @@
def TestVendorTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+def TestCoreDataTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+ "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -40,7 +44,9 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations"]
if __name__ == '__main__':
usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@
results += TestDebugfsTypeViolations(pol)
if options.test is None or "TestVendorTypeViolations" in options.test:
results += TestVendorTypeViolations(pol)
+ if options.test is None or "TestCoreDataTypeViolations" in options.test:
+ results += TestCoreDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)