Merge "system_app: suppress denials for disallowed services"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7638d36..53638f7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -57,6 +57,9 @@
# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;
+
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
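Review bot: The comment on the new rule overstates its reach: `neverallow all_untrusted_apps sysfs_type:file no_w_file_perms;` applies only to types that carry the `sysfs_type` attribute and only to the `file` class, so a sysfs node labeled with a type declared without that attribute is not covered. Suggest `# Do not allow untrusted apps any write access to sysfs files (every type carrying the sysfs_type attribute)`, so whoever adds a new sysfs label knows that the attribute is what makes this restriction apply.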
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index c60b2e6..a791009 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -7,6 +7,7 @@
(type asan_reboot_prop)
(type log_device)
(type mediacasserver_service)
+(type reboot_data_file)
(type tracing_shell_writable)
(type tracing_shell_writable_debug)
@@ -563,7 +564,15 @@
(typeattributeset surfaceflinger_26_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_26_0
+ ( sysfs
+ sysfs_android_usb
+ sysfs_dm
+ sysfs_ipv4
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6a95ffb..2cc6f70 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -60,17 +60,27 @@
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
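Review bot: The `/devices/virtual/block/dm-` entry depends on genfscon's longest-prefix matching to label every `dm-N` device directory and everything beneath it as `sysfs_dm`, but nothing says so, and a path ending in a bare `dm-` reads like a truncated device name. A comment such as `# prefix match: labels every /sys/devices/virtual/block/dm-N subtree` above that line would make the intent deliberate and stop a later edit from "completing" the path.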
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 951a0df..30253af 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -103,3 +103,11 @@
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;
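Review bot: The `-sysfs_usb` carve-out is justified only by a TODO, and because the excluded types drop out of a `no_rw_file_perms` rule, the exemption lifts the write prohibition as well as the read one for both `sysfs_devices_system_cpu` and `sysfs_usb`. If isolated_app is a member of `all_untrusted_apps`, writes remain blocked by the `sysfs_type:file no_w_file_perms` rule added to private/app_neverallows.te in this same change, but that dependency is invisible here. Either add `# writes are neverallowed for all_untrusted_apps above; these exemptions only permit reads` (once that membership is confirmed), or keep the exemptions read-only by adding `neverallow isolated_app sysfs_type:file no_w_file_perms;` alongside this rule.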
diff --git a/private/system_server.te b/private/system_server.te
index 8f9091d..260d6ce 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -273,11 +273,20 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
+
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_devices_system_cpu:file w_file_perms;
allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
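Review bot: Several sysfs labels that system_server still accesses end up with `file` rules only — `sysfs_power`, `sysfs_devices_system_cpu`, `sysfs_mac_address` and `sysfs_nfc_power_writable` — while the second hunk in this file (`@@ -683,7 +692,6 @@`) removes `r_dir_file(system_server, sysfs_type)`, which previously supplied directory search across all of sysfs. Unless a `sysfs:dir` or `sysfs_type:dir` search rule exists outside these hunks, path lookup of `/sys/power/state` will be denied before the new `sysfs_power:file rw_file_perms` rule is ever consulted. Worth confirming against the rest of the domain, and a comment like `# directory search on sysfs is granted by <rule location>` next to these file-only rules would save the next reader the same hunt.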
@@ -683,7 +692,6 @@
r_dir_file(system_server, proc_version)
r_dir_file(system_server, proc_vmallocinfo)
r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
### Rules needed when Light HAL runs inside system_server process.
### These rules should eventually be granted only when needed.
diff --git a/public/file.te b/public/file.te
index 79435e5..435b852 100644
--- a/public/file.te
+++ b/public/file.te
@@ -44,15 +44,22 @@
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
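Review bot: The new type declarations carry no comment naming the sysfs paths they label, whereas the existing style in this file documents the path beside the type (see `# /sys/devices/system/cpu` ahead of `sysfs_devices_system_cpu`). The paths are fixed by the genfs_contexts hunk of this change, e.g. `# /sys/class/android_usb, /sys/devices/virtual/android_usb` above `sysfs_android_usb`, `# /sys/devices/virtual/block/dm-N` above `sysfs_dm`, `# /sys/power/state, /sys/power/wakeup_count` above `sysfs_power`. Note also that none of the new types carry `mlstrustedobject`, which the catch-all `sysfs` type they are split from does; that may well be intended, but it is a visible change for any MLS-constrained subject that previously reached these paths, and deserves a line in the commit description.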
@@ -208,7 +215,6 @@
type net_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type, core_data_file_type;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index fd5d63b..b4801c5 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -10,9 +10,7 @@
get_prop(hal_cas, serialno_prop)
# Read files already opened under /data
-allow hal_cas system_data_file:dir { search getattr };
allow hal_cas system_data_file:file { getattr read };
-allow hal_cas system_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems
r_dir_file(hal_cas, cgroup)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5a6bf5c..666b1ba 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -19,9 +19,7 @@
allow hal_drm system_file:lnk_file r_file_perms;
# Read files already opened under /data
-allow hal_drm system_data_file:dir { search getattr };
allow hal_drm system_data_file:file { getattr read };
-allow hal_drm system_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems
r_dir_file(hal_drm, cgroup)
diff --git a/public/kernel.te b/public/kernel.te
index 64111b0..74c77a9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,7 +5,6 @@
# Root fs.
r_dir_file(kernel, rootfs)
-r_dir_file(kernel, proc)
allow kernel proc_cmdline:file r_file_perms;
# Get SELinux enforcing status.
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 6bba17b..5d20eca 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -9,7 +9,16 @@
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;
-# Read all blocks in dm wrapped system partition.
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
# Write to kernel message.
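Review bot: `allow update_verifier sysfs:dir r_dir_perms;` is far broader than its comment: `sysfs` is the catch-all label for every part of /sys not given a specific type, so this grants directory listing across most of sysfs rather than just `/sys/block`. The comment below it also says a symlink is traversed on the way to `dm/name`, yet neither `sysfs:dir r_dir_perms` nor `sysfs_dm:file r_file_perms` includes `lnk_file read`, so following that link must be granted elsewhere in the domain (an `r_dir_file(update_verifier, sysfs_type)` outside this hunk would do it) or it will be denied. Either reword to `# Read /sys/block (labeled sysfs, so this also permits listing other generic sysfs directories)` or give `/sys/block` its own type, and confirm where the `lnk_file read` comes from.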
diff --git a/public/vold.te b/public/vold.te
index a569f9e..71932df 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -12,6 +12,7 @@
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms;
+allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
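Review bot: The new `sysfs_dm:file w_file_perms` line sits under a comment that questions why sysfs files are not given a specific type, which is exactly what this change does for dm-N, so the placement reads as contradictory. Consider moving that comment so it covers only the generic `sysfs:file` rule it still applies to, and giving the new rule its own: `# dm-N attributes under /sys/devices/virtual/block/dm-N (sysfs_dm)`. Which attribute vold actually writes is not stated anywhere in the change; naming it in the comment would help the next audit.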
diff --git a/vendor/hal_cas_default.te b/vendor/hal_cas_default.te
index c7a858c..fc548bf 100644
--- a/vendor/hal_cas_default.te
+++ b/vendor/hal_cas_default.te
@@ -4,3 +4,5 @@
type hal_cas_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_cas_default)
+# Allow CAS HAL's default implementation to use vendor-binder service
+vndbinder_use(hal_cas_default);