From 45766d4178e443b29fee8cd9c8917847ea3a4cf1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 26 Apr 2017 11:40:48 -0700
Subject: [PATCH] relax fuse_device neverallow rules

The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.

Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
---
 private/app_neverallows.te |  3 +++
 private/platform_app.te    |  7 +++++++
 private/system_app.te      |  7 +++++++
 public/domain.te           | 20 --------------------
 4 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0f0f57766..bb37ceb62 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -87,6 +87,9 @@ neverallow all_untrusted_apps {
   ')
 }:dir_file_class_set { create unlink };
 
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
 # Do not allow untrusted apps to directly open tun_device
 neverallow all_untrusted_apps tun_device:chr_file open;
 
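Review bot: The new rule's comment says only that untrusted components must not "touch" /dev/fuse; since this rule is now the sole build-time guard for untrusted apps (the domain-wide rules in public/domain.te are removed in the same patch), it should record why, so a later vendor "relaxation" request can be judged against the invariant. Suggested comment: `# /dev/fuse lets a process act as the userspace backend of a mounted filesystem; an untrusted app must never reach it, so deny every chr_file permission, not just open.` The `*` permission set is the right choice here, as getattr/ioctl alone would still expose the device node to probing.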
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b4f..fd4634a30 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@ allow platform_app preloads_media_file:file r_file_perms;
 allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101e4..7950044ba 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@ r_dir_file(system_app, sysfs_type)
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/public/domain.te b/public/domain.te
index f63433624..188c560a0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -965,26 +965,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
-neverallow {
-  domain
-  -init
-  -recovery
-  -sdcardd
-  -vold
-} fuse_device:chr_file open;
-neverallow {
-  domain
-  -dumpstate
-  -init
-  -priv_app
-  -recovery
-  -sdcardd
-  -shell # Restricted by shell.te to only getattr
-  -system_server
-  -ueventd
-  -vold
-} fuse_device:chr_file *;
-
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
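Review bot: Removing both domain-wide rules drops the only build-time check that restricts `open` on fuse_device to init, recovery, sdcardd and vold; the replacement rules added in this patch cover only all_untrusted_apps, platform_app and system_app, so every other domain — notably priv_app, which the removed first rule did deny `open` to — and any new core or vendor domain can now be granted fuse_device access without a policy build failure. If the intent is to let vendor domains customize while keeping the core invariant, a narrower rule such as `neverallow { coredomain -init -recovery -sdcardd -vold } fuse_device:chr_file open;` (assuming the coredomain attribute is available in this tree) would preserve the check for platform domains, and priv_app should get an explicit neverallow like the ones added for platform_app and system_app. The commit message's "Test: policy compiles" does not say whether any existing domain gained fuse_device access as a result; a quick `sesearch -A -t fuse_device` before and after would confirm that nothing but the intended exceptions is affected.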
-- 
GitLab