From 7636d6071a2381fd21f13304b7dda4432cabc54a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 22 Feb 2018 21:51:24 -0800
Subject: [PATCH] Useful neverallow errors
Neverallow errors include the file name and line number of the violated rule. However, if multiple neverallow rules are included within a single macro, then the line number is for the entire macro, not the individual neverallow rule that is violated. To fix this, only include one neverallow rule per macro. This changes nothing on device, nor does it change the results of compilation, it only makes the printed errors more useful.
Bug: 69139821
Test: build aosp_taimen-userdebug (neverallow rules are build time tests)
Change-Id: Id0fc5906431db20e71265c7e9d55fbee4bdf53db
---
public/domain.te | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/public/domain.te b/public/domain.te
index beb091cc4..dc967f3df 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -619,12 +619,16 @@ full_treble_only(`
-appdomain -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
neverallow { domain -coredomain -appdomain # restrictions for vendor apps are declared lower down -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone } service_manager_type:service_manager find;
+')
+full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary # services which can change any time framework/core is updated, breakage is likely. neverallow {
@@ -648,6 +652,8 @@ full_treble_only(`
-vr_hwc_service -vr_manager_service }:service_manager find;
+')
+full_treble_only(`
neverallow { domain -coredomain
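Review bot: The reason for the new one-rule-per-`full_treble_only` layout lives only in the commit message; nothing in the file itself tells a later maintainer why each neverallow now gets its own `')`/`full_treble_only(\`` pair, so a well-meaning cleanup could fold them back together and lose the per-rule line numbers again. Add a comment at the first of these wrappers, e.g. `# Keep one neverallow per full_treble_only() invocation: a violated neverallow is reported at the line of the enclosing macro, so merging rules hides which one failed.`. While touching this hunk, the context comment `Vendor apps are permited to use only stable public services` should read `permitted`. The `binder_device:chr_file rw_file_perms` rule that this hunk closes begins above the hunk, so its exemption list is only partly visible here.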
@@ -664,12 +670,18 @@ full_treble_only(`
userdebug_or_eng(`-su') -ueventd # uevent is granted create for this device, but we still neverallow I/O below } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
neverallow { coredomain -shell userdebug_or_eng(`-su') } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
neverallow { coredomain -shell
@@ -791,6 +803,8 @@ full_treble_only(`
data_file_type -core_data_file_type }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow { coredomain -appdomain # TODO(b/34980020) remove exemption for appdomain
@@ -885,7 +899,9 @@ full_treble_only(`
-postinstall_dexopt -system_server } vendor_app_file:dir { open read getattr search };
+')
+full_treble_only(`
neverallow { coredomain -appdomain
@@ -897,7 +913,9 @@ full_treble_only(`
-postinstall_dexopt -system_server } vendor_app_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
# Limit access to /vendor/overlay neverallow { coredomain
@@ -909,7 +927,9 @@ full_treble_only(`
-webview_zygote -zygote } vendor_overlay_file:dir { getattr open read search };
+')
+full_treble_only(`
neverallow { coredomain -appdomain
@@ -920,7 +940,9 @@ full_treble_only(`
-webview_zygote -zygote } vendor_overlay_file:{ file lnk_file } r_file_perms;
+')
+full_treble_only(`
# Non-vendor domains are not allowed to file execute shell # from vendor neverallow {
@@ -928,7 +950,9 @@ full_treble_only(`
-init -shell } vendor_shell_exec:file { execute execute_no_trans };
+')
+full_treble_only(`
# Do not allow vendor components to execute files from system # except for the ones whitelist here. neverallow {
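Review bot: The `-ueventd` exemption on the `vndbinder_device:chr_file rw_file_perms` rule is justified by the comment `we still neverallow I/O below`, but after this hunk the compensating rule `neverallow ueventd vndbinder_device:chr_file { read write append ioctl };` sits in a separate `full_treble_only(\`...')` block, so "below" no longer points at the same macro body and a reorder or removal of that block would silently leave ueventd with a broader carve-out than intended. Name the dependency explicitly, e.g. `# ueventd needs create on this node; its read/write/append/ioctl are denied by the dedicated ueventd neverallow in the next full_treble_only block`. The exempted rule itself starts above the hunk, so the rest of its domain set is not visible here.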
@@ -944,7 +968,9 @@ full_treble_only(`
-crash_dump_exec -netutils_wrapper_exec }:file { entrypoint execute execute_no_trans };
+')
+full_treble_only(`
# Do not allow system components to execute files from vendor # except for the ones whitelisted here. neverallow {
@@ -958,7 +984,9 @@ full_treble_only(`
-vndk_sp_file -vendor_app_file }:file execute;
+')
+full_treble_only(`
neverallow { coredomain -shell
--
GitLab