Merge "recovery.te: add /data neverallow rules"

commit: f7e98fe2c988d88a4a98a1fdfd07561cef013e5c [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Nov 06 18:58:35 2014 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Nov 06 18:58:35 2014 +0000
tree: 58455c4c90fdf0a77e90af8092d0e37069b96724
parent: 35a4ed80a68d71df2cf138d17ea09fd782a1d73e [diff]
parent: a17a266e7e466d281f0730449c492de46390fc76 [diff]
diff --git a/Android.mk b/Android.mk
index 351e81a..eae860b 100644
--- a/Android.mk
+++ b/Android.mk

@@ -83,6 +83,7 @@
                         initial_sids \
                         access_vectors \
                         global_macros \
+                        neverallow_macros \
                         mls_macros \
                         mls \
                         policy_capabilities \

diff --git a/domain.te b/domain.te
index 5ed79c1..48e2d1a 100644
--- a/domain.te
+++ b/domain.te

@@ -291,8 +291,8 @@
 } { fs_type -rootfs }:file execute;
 
 # Only the init property service should write to /data/property.
-neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
-neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file no_w_file_perms;
 
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set

diff --git a/neverallow_macros b/neverallow_macros
new file mode 100644
index 0000000..3593dd1
--- /dev/null
+++ b/neverallow_macros

@@ -0,0 +1,5 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')

diff --git a/recovery.te b/recovery.te
index 204c096..61c42b1 100644
--- a/recovery.te
+++ b/recovery.te

@@ -98,3 +98,20 @@
   # set scheduling parameters for a kernel domain task.
   allow recovery kernel:process setsched;
 ')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
+neverallow recovery data_file_type:dir no_w_dir_perms;
commit	f7e98fe2c988d88a4a98a1fdfd07561cef013e5c	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Nov 06 18:58:35 2014 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Thu Nov 06 18:58:35 2014 +0000
tree	58455c4c90fdf0a77e90af8092d0e37069b96724
parent	35a4ed80a68d71df2cf138d17ea09fd782a1d73e [diff]
parent	a17a266e7e466d281f0730449c492de46390fc76 [diff]