From 70e8f4214f7899bf8df47dc4fa961bedc88e636f Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Thu, 25 Jan 2018 11:31:09 -0800
Subject: [PATCH] Remove vendor_init from coredomain

vendor_init exists on the system partition, but it is meant to be an
extension of init that runs with vendor permissions for executing
vendor scripts, therefore it is not meant to be in coredomain.

Bug: 62875318
Test: boot walleye
Change-Id: I01af5c9f8b198674b15b90620d02725a6e7c1da6
---
 private/coredomain.te          |  1 -
 private/domain.te              | 10 ----------
 private/vendor_init.te         |  2 --
 public/domain.te               | 11 +----------
 tests/treble_sepolicy_tests.py |  1 +
 5 files changed, 2 insertions(+), 23 deletions(-)

diff --git a/private/coredomain.te b/private/coredomain.te
index 84d7a8f36..23224c323 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -10,7 +10,6 @@ neverallow {
 
     # generic access to sysfs_type
     -ueventd
-    -vendor_init
     -vold
 } sysfs_leds:file *;
 ')
diff --git a/private/domain.te b/private/domain.te
index dae40d25a..46d318913 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -25,7 +25,6 @@ full_treble_only(`
   neverallow {
     coredomain
     -vold
-    -vendor_init
   } proc:file no_rw_file_perms;
 
   # /sys
@@ -34,7 +33,6 @@ full_treble_only(`
     -init
     -ueventd
     -vold
-    -vendor_init
   } sysfs:file no_rw_file_perms;
 
   # /dev
@@ -43,7 +41,6 @@ full_treble_only(`
     -fsck
     -init
     -ueventd
-    -vendor_init
   } device:{ blk_file file } no_rw_file_perms;
 
   # debugfs
@@ -52,7 +49,6 @@ full_treble_only(`
     -dumpstate
     -init
     -system_server
-    -vendor_init
   } debugfs:file no_rw_file_perms;
 
   # tracefs
@@ -65,14 +61,12 @@ full_treble_only(`
     userdebug_or_eng(`-traced_probes')
     -shell
     userdebug_or_eng(`-traceur_app')
-    -vendor_init
   } debugfs_tracing:file no_rw_file_perms;
 
   # inotifyfs
   neverallow {
     coredomain
     -init
-    -vendor_init
   } inotify:file no_rw_file_perms;
 
   # pstorefs
@@ -89,7 +83,6 @@ full_treble_only(`
     -recovery_refresh
     -shell
     -system_server
-    -vendor_init
   } pstorefs:file no_rw_file_perms;
 
   # configfs
@@ -97,7 +90,6 @@ full_treble_only(`
     coredomain
     -init
     -system_server
-    -vendor_init
   } configfs:file no_rw_file_perms;
 
   # functionfs
@@ -106,13 +98,11 @@ full_treble_only(`
     -adbd
     -init
     -mediaprovider
-    -vendor_init
   }functionfs:file no_rw_file_perms;
 
   # usbfs and binfmt_miscfs
   neverallow {
     coredomain
     -init
-    -vendor_init
   }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
 ')
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 5d97f7269..50efc22d6 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,5 +1,3 @@
-typeattribute vendor_init coredomain;
-
 # Creating files on sysfs is impossible so this isn't a threat
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
diff --git a/public/domain.te b/public/domain.te
index 98691d1cb..ed8c2844c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -725,6 +725,7 @@ full_treble_only(`
     -appdomain # appdomain restrictions below
     -data_between_core_and_vendor_violators # b/70393317
     -socket_between_core_and_vendor_violators
+    -vendor_init
   } {
     coredomain_socket
     core_data_file_type
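Review bot: The added `-vendor_init` exemption on this neverallow carries no comment, unlike the neighbouring `-data_between_core_and_vendor_violators # b/70393317`, and the rule's subject set and its trailing permission clause both lie outside the hunk, so a reader cannot see from here why a domain that this very commit removes from coredomain is being carved out of a restriction rather than falling under one. The other hunks only delete `-vendor_init` from coredomain-scoped rules, which suggests this subject set is the non-coredomain side and vendor_init would otherwise be newly forbidden from the core sockets and core data files listed here; if so, that is a deliberate retention of access and should be recorded on the line, e.g. `-vendor_init # b/62875318: left coredomain, access to core sockets/data kept on purpose`. Because this exemption widens what a non-coredomain process may reach relative to the baseline, the review should also confirm that vendor_init's own allow rules in private/vendor_init.te stay as narrow as before this change.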
@@ -752,7 +753,6 @@ full_treble_only(`
     -init
     -ueventd
     -socket_between_core_and_vendor_violators
-    -vendor_init
   } {
     file_type
     dev_type
@@ -778,7 +778,6 @@ full_treble_only(`
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -data_between_core_and_vendor_violators
     -init
-    -vendor_init
     -vold_prepare_subdirs
   } {
     data_file_type
@@ -789,7 +788,6 @@ full_treble_only(`
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -data_between_core_and_vendor_violators
     -init
-    -vendor_init
     -vold_prepare_subdirs
     } {
       data_file_type
@@ -851,7 +849,6 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
-        -vendor_init
     } vendor_app_file:dir { open read getattr search };
 
     neverallow {
@@ -864,7 +861,6 @@ full_treble_only(`
         userdebug_or_eng(`-perfprofd')
         -postinstall_dexopt
         -system_server
-        -vendor_init
     } vendor_app_file:{ file lnk_file } r_file_perms;
 
     # Limit access to /vendor/overlay
@@ -876,7 +872,6 @@ full_treble_only(`
         -installd
         -system_server
         -zygote
-        -vendor_init
     } vendor_overlay_file:dir { getattr open read search };
 
     neverallow {
@@ -887,7 +882,6 @@ full_treble_only(`
         -installd
         -system_server
         -zygote
-        -vendor_init
     } vendor_overlay_file:{ file lnk_file } r_file_perms;
 
     # Non-vendor domains are not allowed to file execute shell
@@ -895,7 +889,6 @@ full_treble_only(`
     neverallow {
         coredomain
         -init
-        -vendor_init
         -shell
     } vendor_shell_exec:file { execute execute_no_trans };
 
@@ -921,7 +914,6 @@ full_treble_only(`
       coredomain
       -init
       -system_executes_vendor_violators
-      -vendor_init
     } {
       vendor_file_type
       -same_process_hal_file
@@ -1231,6 +1223,5 @@ full_treble_only(`
     -ueventd
     -crash_dump
     -perfprofd
-    -vendor_init
   } vendor_file:file { create_file_perms x_file_perms };
 ')
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 3c5c53512..2f9e9948b 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@ coredomainWhitelist = {
         'postinstall_dexopt',
         'recovery',
         'system_server',
+        'vendor_init',
         }
 coredomainWhitelist |= coreAppdomain
 
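Review bot: The new `'vendor_init'` whitelist entry records no reason, so a later reader of treble_sepolicy_tests.py cannot tell whether it is a temporary exemption or a permanent design decision. The commit message says vendor_init lives on the system partition but runs with vendor permissions, which appears to be exactly the case this whitelist exists for (the set's definition starts before the hunk, so that is inferred, not visible); writing it on the entry, e.g. `'vendor_init',  # b/62875318: on /system but runs vendor scripts, deliberately not coredomain`, keeps the test self-explanatory. Since every whitelist entry narrows what the test can catch, a one-line justification per entry is also the cheapest way to audit the list later.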
-- 
GitLab