Commit 72c16e32 authored by William Roberts, committed by dcashman

shell: enable hostside test: testAllCharacterDevicesAreSecure

Enable shell to have access to /dev for running the
world accessible mode test on /dev.

This approach adds shell to the list of excluded domains
on neverallows around chr_files, but locks down the access
for shell to only getattr.

It was done this slightly more complicated way to prevent
loosening the allow rules so that any domain would have
getattr permissions.

Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
parent d41ad551
......@@ -198,15 +198,27 @@ neverallow * kernel:security setbool;
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
domain
-init
-shell # For CTS and is restricted to getattr in shell.te
-system_server
-ueventd
} hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
neverallow {
domain
-init
-kernel
-shell # For CTS and is restricted to getattr in shell.te
-ueventd
} kmem_device:chr_file *;
neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
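Review bot: the `getattr` added to `neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };` applies to `*`, so getattr on kmem_device is no longer forbidden for init, kernel and ueventd either, while the commit message describes the relaxation as being for shell only. If that is intended, say so in a comment next to the rule; otherwise keep the original permission set for `{ domain -shell }` and let the shell.te neverallow cover shell. The rewritten HW RNG comment also says shell "should be able to access HW RNG", which overstates a getattr-only exception; wording such as "shell may only getattr, see shell.te" would match what the rules enforce.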
......@@ -558,6 +570,7 @@ neverallow {
-priv_app
-recovery
-sdcardd
-shell # Restricted by shell.te to only getattr
-system_server
-ueventd
-vold
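Review bot: the comment on the added `-shell` line says shell.te restricts shell to getattr, but the target type of this neverallow is outside the visible context, so the claim cannot be checked against the three types listed in the shell.te neverallow from this hunk alone. Suggest naming the target type in the comment, and using the same wording as the other two exclusions ("For CTS and is restricted to getattr in shell.te") so all three can be found with one search.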
......
......@@ -123,6 +123,16 @@ allow shell sysfs:dir r_dir_perms;
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
###
### Neverallow rules
###
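Review bot: `allow shell proc:lnk_file getattr;` grants getattr on every symlink labeled `proc`, while the comment above it only mentions /dev/fd. Suggest the comment explain why the rule targets the `proc` type rather than a device type. The block comment could also name the test (testAllCharacterDevicesAreSecure) so the reason for the `dev_type` rules can be traced later.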
......@@ -134,3 +144,11 @@ allow shell ion_device:chr_file rw_file_perms;
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
fuse_device
hw_random_device
kmem_device
}:chr_file ~getattr;
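Review bot: the type list in `neverallow shell { fuse_device hw_random_device kmem_device }:chr_file ~getattr;` is maintained by hand, and it is the only thing that keeps the `-shell` exclusions added elsewhere in this change limited to getattr. A later neverallow that gains `-shell` without its type being added here would leave shell unconstrained for that type. Suggest a comment stating that this list must be kept in sync with every neverallow that excludes shell, and noting which rule each of the three types corresponds to.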