Merge "Track untrusted_app SELinux denial."
diff --git a/private/coredomain.te b/private/coredomain.te
index 84d7a8f..23224c3 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -10,7 +10,6 @@
# generic access to sysfs_type
-ueventd
- -vendor_init
-vold
} sysfs_leds:file *;
')
diff --git a/private/domain.te b/private/domain.te
index dae40d2..46d3189 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@
neverallow {
coredomain
-vold
- -vendor_init
} proc:file no_rw_file_perms;
# /sys
@@ -34,7 +33,6 @@
-init
-ueventd
-vold
- -vendor_init
} sysfs:file no_rw_file_perms;
# /dev
@@ -43,7 +41,6 @@
-fsck
-init
-ueventd
- -vendor_init
} device:{ blk_file file } no_rw_file_perms;
# debugfs
@@ -52,7 +49,6 @@
-dumpstate
-init
-system_server
- -vendor_init
} debugfs:file no_rw_file_perms;
# tracefs
@@ -65,14 +61,12 @@
userdebug_or_eng(`-traced_probes')
-shell
userdebug_or_eng(`-traceur_app')
- -vendor_init
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
neverallow {
coredomain
-init
- -vendor_init
} inotify:file no_rw_file_perms;
# pstorefs
@@ -89,7 +83,6 @@
-recovery_refresh
-shell
-system_server
- -vendor_init
} pstorefs:file no_rw_file_perms;
# configfs
@@ -97,7 +90,6 @@
coredomain
-init
-system_server
- -vendor_init
} configfs:file no_rw_file_perms;
# functionfs
@@ -106,13 +98,11 @@
-adbd
-init
-mediaprovider
- -vendor_init
}functionfs:file no_rw_file_perms;
# usbfs and binfmt_miscfs
neverallow {
coredomain
-init
- -vendor_init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
')
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 5d97f72..50efc22 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,5 +1,3 @@
-typeattribute vendor_init coredomain;
-
# Creating files on sysfs is impossible so this isn't a threat
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
diff --git a/public/domain.te b/public/domain.te
index 5879e26..308311c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -718,6 +718,7 @@
-coredomain
-appdomain # appdomain restrictions below
-socket_between_core_and_vendor_violators
+ -vendor_init
} {
coredomain_socket
core_data_file_type
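Review bot: The added `-vendor_init` exemption has no justification comment, unlike the `-appdomain # appdomain restrictions below` line two entries above it. The source set opens outside the hunk, but the visible `-coredomain` suggests this rule restricts non-core domains from `coredomain_socket` and `core_data_file_type`. vendor_init would newly fall under it because this commit drops its coredomain attribute in private/vendor_init.te. A blanket exemption from a core/vendor separation rule should state why it is needed, for example `-vendor_init # not a coredomain; exempt because <reason>, see <bug id>`. If vendor_init only needs part of this access, a narrower dedicated neverallow, as the appdomain comment implies exists for apps, would keep the rest enforced.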
@@ -741,7 +742,6 @@
-init
-ueventd
-socket_between_core_and_vendor_violators
- -vendor_init
} {
file_type
dev_type
@@ -767,7 +767,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -777,7 +776,6 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
- -vendor_init
} {
data_file_type
-core_data_file_type
@@ -838,7 +836,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:dir { open read getattr search };
neverallow {
@@ -851,7 +848,6 @@
userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- -vendor_init
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
@@ -863,7 +859,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:dir { getattr open read search };
neverallow {
@@ -874,7 +869,6 @@
-installd
-system_server
-zygote
- -vendor_init
} vendor_overlay_file:{ file lnk_file } r_file_perms;
# Non-vendor domains are not allowed to file execute shell
@@ -882,7 +876,6 @@
neverallow {
coredomain
-init
- -vendor_init
-shell
} vendor_shell_exec:file { execute execute_no_trans };
@@ -908,7 +901,6 @@
coredomain
-init
-system_executes_vendor_violators
- -vendor_init
} {
vendor_file_type
-same_process_hal_file
@@ -1040,7 +1032,6 @@
-system_server
-system_app
-init
- -vendor_init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
@@ -1218,6 +1209,5 @@
-ueventd
-crash_dump
-perfprofd
- -vendor_init
} vendor_file:file { create_file_perms x_file_perms };
')
diff --git a/public/property.te b/public/property.te
index 0578ed6..f5ca4d8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -116,6 +116,7 @@
}:file no_rw_file_perms;
compatible_property_only(`
+# Prevent properties from being set
neverallow {
domain
-coredomain
@@ -129,23 +130,47 @@
exported_dumpstate_prop
exported_ffs_prop
exported_fingerprint_prop
- exported_radio_prop
exported_system_prop
exported_system_radio_prop
exported_vold_prop
exported2_config_prop
exported2_default_prop
- exported2_radio_prop
exported2_system_prop
exported2_vold_prop
exported3_default_prop
exported3_system_prop
- }:file no_w_file_perms;
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
neverallow {
domain
-coredomain
-appdomain
+ -hal_nfc
+ -vendor_init
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
-vendor_init
} {
core_property_type
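Review bot: `powerctl_prop` is subtracted from the target set of the first `:property_service set` neverallow, but unlike `nfc_prop` and `radio_prop` it gets no replacement rule in this hunk. As far as these lines show, a non-core domain could be granted `set` on it without tripping any neverallow; a rule elsewhere in the policy may already cover this. If the exclusion is intended, record it next to the subtraction, for example `-powerctl_prop # vendor writers permitted because <reason>`. Otherwise add a dedicated neverallow in the same shape as the `nfc_prop` one, exempting only the domains that need it. The enclosing `compatible_property_only(` block and the final read rule both continue outside the hunk.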
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 3c5c535..2f9e994 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@
'postinstall_dexopt',
'recovery',
'system_server',
+ 'vendor_init',
}
coredomainWhitelist |= coreAppdomain
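Review bot: The added `'vendor_init',` entry carries no explanation, even though this commit also removes `typeattribute vendor_init coredomain;` in private/vendor_init.te. The test therefore appears to exempt a domain that the policy no longer labels as core. Judging by the following `coredomainWhitelist |= coreAppdomain` line, the set is the coredomain whitelist, though its opening line is outside the hunk. An unexplained entry in a compliance test's exemption list tends to outlive its reason, so add a trailing comment such as `'vendor_init',  # not a coredomain; whitelisted because <reason>`.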