Ban vendor components access to core data types

am: 4a478c47

Change-Id: I67c6e600524a45bf98ae9c00888d0932c0b9f12e

public/attributes

@@ -39,6 +39,12 @@ attribute exec_type;
 
 # All types used for /data files.
 attribute data_file_type;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All vendor domains which violate the requirement of not accessing
+# data outside /data/vendor.
+# TODO(b/34980020): Remove this once there are no violations
+attribute coredata_in_vendor_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;

public/domain.te

@@ -106,7 +106,8 @@ allow domain system_file:lnk_file { getattr read };
 allow domain sysfs:lnk_file read;
 
 # libc references /data/misc/zoneinfo for timezone related information
-r_dir_file(domain, zoneinfo_data_file)
+not_full_treble(`r_dir_file(domain, zoneinfo_data_file)')
+r_dir_file({ coredomain appdomain }, zoneinfo_data_file)
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
@@ -114,8 +115,11 @@ r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, sysfs_usb);
 
 # files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
 
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
@@ -444,6 +448,38 @@ full_treble_only(`
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
+
+  ##
+  # On full TREBLE devices core android components and vendor components may
+  # not directly access each other's data types. All communication must occur
+  # over HW binder. Open file descriptors may be passed and read/write/stat
+  # operations my be performed on those FDs. Disallow all other operations.
+  #
+  # do not allow vendor component access to coredomains' data types
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -coredata_in_vendor_violators
+  } core_data_file_type:{
+    file_class_set
+  } ~{ append getattr ioctl read write };
+  # do not allow vendor component access to coredomains' data directories.
+  # /data has the system_data_file type. Allow all domains to have dir
+  # search permissions which allows path traversal.
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -coredata_in_vendor_violators
+  } { core_data_file_type -system_data_file }:dir *;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -coredata_in_vendor_violators
+  } system_data_file:dir ~search;
+
 ')
 
 # On full TREBLE devices, socket communications between core components and vendor components are

public/file.te

@@ -87,54 +87,54 @@ type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
 # Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
 # are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
+type install_data_file, file_type, data_file_type, core_data_file_type;
 # /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
+type drm_data_file, file_type, data_file_type, core_data_file_type;
 # /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
+type adb_data_file, file_type, data_file_type, core_data_file_type;
 # /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota
-type ota_data_file, file_type, data_file_type;
+type ota_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota_package
-type ota_package_file, file_type, data_file_type, mlstrustedobject;
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type;
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
 # /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/property
-type property_data_file, file_type, data_file_type;
+type property_data_file, file_type, data_file_type, core_data_file_type;
 # /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, mlstrustedobject;
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/preloads
-type preloads_data_file, file_type, data_file_type;
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
-type preloads_media_file, file_type, data_file_type;
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -152,41 +152,43 @@ type postinstall_mnt_dir, file_type;
 type postinstall_file, file_type;
 
 # /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type audiohal_data_file, file_type, data_file_type;
-type audioserver_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type incident_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
@@ -199,27 +201,27 @@ type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for user icon file.
-type icon_file, file_type, data_file_type;
+type icon_file, file_type, data_file_type, core_data_file_type;
 # /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
+type asec_public_file, file_type, data_file_type, core_data_file_type;
 # /data/app-asec
-type asec_image_file, file_type, data_file_type;
+type asec_image_file, file_type, data_file_type, core_data_file_type;
 # /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type;
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 # Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
 type adbd_socket, file_type;

public/perfprofd.te

@@ -3,7 +3,7 @@ type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  type perfprofd, domain, domain_deprecated, mlstrustedsubject;
+  type perfprofd, domain, domain_deprecated, mlstrustedsubject, coredomain;
 
   # perfprofd needs to control CPU hot-plug in order to avoid kernel
   # perfevents problems in cases where CPU goes on/off during measurement;

public/rild.te

@@ -19,6 +19,9 @@ allow rild efs_file:file create_file_perms;
 allow rild shell_exec:file rx_file_perms;
 allow rild bluetooth_efs_file:file r_file_perms;
 allow rild bluetooth_efs_file:dir r_dir_perms;
+# TODO (b/36601950) remove RILD's access to radio_data_file and
+# system_data_file. Remove coredata_in_vendor_violators attribute.
+typeattribute rild coredata_in_vendor_violators;
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
 allow rild sdcard_type:dir r_dir_perms;

public/tee.te

@@ -4,7 +4,6 @@
 type tee, domain, domain_deprecated;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
 
 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;

public/update_engine.te

 # Domain for update_engine daemon.
 type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
 
 net_domain(update_engine);
 

vendor/hal_audio_default.te

@@ -7,3 +7,7 @@ init_daemon_domain(hal_audio_default)
 hal_client_domain(hal_audio_default, hal_allocator)
 
 typeattribute hal_audio_default socket_between_core_and_vendor_violators;
+# TODO (b/36601590) move hal_audio's data file to
+# /data/vendor/hardware/hal_audio. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_audio_default coredata_in_vendor_violators;

vendor/hal_bluetooth_default.te

@@ -7,3 +7,7 @@ init_daemon_domain(hal_bluetooth_default)
 # Logging for backward compatibility
 allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
 allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
+
+# TODO (b/36602160) Remove hal_bluetooth's access to the Bluetooth app's
+# data type. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_bluetooth_default coredata_in_vendor_violators;

vendor/hal_camera_default.te

@@ -3,3 +3,8 @@ hal_server_domain(hal_camera_default, hal_camera)
 
 type hal_camera_default_exec, exec_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+# TODO (b/36601397) move hal_camera's data file to
+# /data/vendor/hardware/hal_camera. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_camera_default coredata_in_vendor_violators;

vendor/hal_drm_default.te

@@ -9,3 +9,7 @@ allow hal_drm_default { appdomain -isolated_app }:fd use;
 
 # TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
 typeattribute hal_drm_default socket_between_core_and_vendor_violators;
+# TODO (b/36601695) remove hal_drm's access to /data or move to
+# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_drm_default coredata_in_vendor_violators;

vendor/hal_fingerprint_default.te

@@ -3,3 +3,7 @@ hal_server_domain(hal_fingerprint_default, hal_fingerprint)
 
 type hal_fingerprint_default_exec, exec_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
+
+# TODO (b/36644492) move hal_fingerprint's data file to
+# /data/vendor/. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_fingerprint_default coredata_in_vendor_violators;

vendor/hal_nfc_default.te

@@ -3,3 +3,7 @@ hal_server_domain(hal_nfc_default, hal_nfc)
 
 type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
+
+# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
+# data type. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_nfc_default coredata_in_vendor_violators;

vendor/hal_wifi_supplicant_default.te

@@ -10,3 +10,7 @@ type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "socke
 
 # TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
 typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+# wpa supplicant or equivalent
+typeattribute hal_wifi_supplicant_default coredata_in_vendor_violators;

vendor/hostapd.te

@@ -31,3 +31,7 @@ r_dir_file(hostapd, wifi_data_file)
 allow hostapd hostapd_socket:dir create_dir_perms;
 # hostapd needs to create, bind to, read, and write its control socket.
 allow hostapd hostapd_socket:sock_file create_file_perms;
+
+# TODO (b/36646171) Move hostapd's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+typeattribute hostapd coredata_in_vendor_violators;