From 7a4638096916b729af479710660a3e14bb5358fc Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 11 Aug 2017 09:48:30 -0700
Subject: [PATCH] Validate no-cross-domain /proc/PID access

Android uses hidepid=2 to restrict visibility to other /proc entries on
the system. This helps preserve user, application, and system
confidentiality by preventing unauthorized access to application metadata,
and addresses attacks such as
http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf

Ensure the SELinux (weaker) equivalent is being enforced by adding
neverallow compile time assertions.

TODO: The "shell" user runs as both an Android application, as well as
spawned via adb shell. This was a mistake. We should separate out the
"shell" Android app into its own SELinux domain. For now, exclude the
shell from this assertion. (The shell Android app is covered by
hidepid=2, so there's no leaking of data, but still, it's over
privileged today and should be cleaned up.)

Bug: 23310674
Test: policy compiles. Compile time assertion only.
Change-Id: I0e1a6506b2719aabf7eb8127f046c4ada947ba90
---
 private/app.te   | 6 ++++--
 public/te_macros | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/private/app.te b/private/app.te
index 28895a3fa..b3bb5165a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -367,8 +367,10 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
 
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 
 # signal access to non-app domains.
 # sigchld allowed for parent death notification.
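Review bot: The two new assertions (the `no_w_file_perms` and `no_rw_file_perms` lines) constrain only the `file` class, so the /proc/PID directory itself (`dir`: listing, getattr) and its symlinks such as `exe`, `cwd` and `root` (`lnk_file`: read) are not covered by this compile-time check, even though they expose the same process metadata the commit message is trying to protect. A companion assertion along the lines of `neverallow { appdomain -shell } { domain -appdomain }:{ dir lnk_file } read;` would close that gap; it may need narrowing if existing allow rules already grant app domains some of those permissions, which the compile would reveal. Whether `no_rw_file_perms` includes `getattr` is also worth confirming against global_macros, since a stat() on another domain's /proc/PID entries would otherwise remain outside the assertion. The replacement comment reads awkwardly; `# A weaker, SELinux-level analogue of the hidepid=2 mount option.` states the intent more clearly.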
diff --git a/public/te_macros b/public/te_macros
index 582cf3389..3efbe325a 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
 ')
 
 #####################################
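Review bot: The two neverallow lines added to this macro carry no comment, unlike the neighbouring `# Map with PROT_EXEC.` rule, and their purpose (app-to-app /proc/PID isolation, which the app.te assertions in the first hunk do not cover because they exclude `appdomain` from the target set) is not obvious from the rules alone; a comment such as `# No app may read or write /proc/PID entries of another app (hidepid=2 analogue); shell is exempt, see app.te.` would help. The `{ $1 -shell }` source set becomes empty when the macro is expanded for the shell domain itself; the commit says the policy compiles, but it is worth confirming that this is the intended outcome rather than a silently vacuous assertion. The macro's header and the rest of its body lie outside this hunk.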
-- 
GitLab