From 7c34e83fcdd792ca49fdae76c5bc88974740b7e3 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 15 May 2017 13:19:03 -0700
Subject: [PATCH] Move domain_deprecated into private policy

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from public to private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Merged-In: I31beeb5bdf3885195310b086c1af3432dc6a349b
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
(cherry picked from commit 76aab82cb3a7560d3d78f93c7f2d00ed381192c4)
---
 private/attributes                       |  9 +++++++++
 private/clatd.te                         |  1 +
 private/dex2oat.te                       |  1 +
 private/dhcp.te                          |  1 +
 {public => private}/domain_deprecated.te |  5 -----
 private/dumpstate.te                     |  1 +
 private/fingerprintd.te                  |  1 +
 private/fsck.te                          |  1 +
 private/fsck_untrusted.te                |  1 +
 private/installd.te                      |  1 +
 private/keystore.te                      |  1 +
 private/mtp.te                           |  1 +
 private/netd.te                          |  1 +
 private/perfprofd.te                     |  1 +
 private/ppp.te                           |  1 +
 private/radio.te                         |  1 +
 private/recovery.te                      |  1 +
 private/runas.te                         |  1 +
 private/sdcardd.te                       |  1 +
 private/shared_relro.te                  |  1 +
 private/ueventd.te                       |  1 +
 private/uncrypt.te                       |  1 +
 private/update_engine.te                 |  1 +
 private/vold.te                          |  1 +
 public/attributes                        | 10 ----------
 public/clatd.te                          |  2 +-
 public/dex2oat.te                        |  2 +-
 public/dhcp.te                           |  2 +-
 public/fingerprintd.te                   |  2 +-
 public/fsck.te                           |  2 +-
 public/fsck_untrusted.te                 |  2 +-
 public/installd.te                       |  2 +-
 public/keystore.te                       |  2 +-
 public/mtp.te                            |  2 +-
 public/netd.te                           |  2 +-
 public/perfprofd.te                      |  1 -
 public/ppp.te                            |  2 +-
 public/radio.te                          |  2 +-
 public/recovery.te                       |  2 +-
 public/rild.te                           |  2 +-
 public/runas.te                          |  2 +-
 public/sdcardd.te                        |  2 +-
 public/shared_relro.te                   |  2 +-
 public/tee.te                            |  2 +-
 public/ueventd.te                        |  2 +-
 public/uncrypt.te                        |  2 +-
 public/update_engine.te                  |  2 +-
 public/vold.te                           |  2 +-
 48 files changed, 53 insertions(+), 38 deletions(-)
 create mode 100644 private/attributes
 rename {public => private}/domain_deprecated.te (97%)

diff --git a/private/attributes b/private/attributes
new file mode 100644
index 000000000..fcbfecfb2
--- /dev/null
+++ b/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
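Review bot: The header comment in the new private/attributes is copied verbatim from public/attributes and never says why the attribute now lives in private policy, which is the point of this change; a reader of private/ only sees "temporary attribute" and nothing stops them from treating it as ordinary policy. Suggest adding one line before `attribute domain_deprecated;` such as `# Kept in private policy so vendor/partner policy cannot reference it; it is being removed entirely.` That wording is taken from the commit description rather than from the policy text, so adjust it if the removal plan is tracked elsewhere.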
diff --git a/private/clatd.te b/private/clatd.te
index 5ba0fc5cd..c09398ddd 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1 +1,2 @@
 typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484f4..89c3970af 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,2 @@
 typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7c7..6a6a139e2 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,5 @@
 typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
 
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/public/domain_deprecated.te b/private/domain_deprecated.te
similarity index 97%
rename from public/domain_deprecated.te
rename to private/domain_deprecated.te
index a17c105c6..fc77b11a1 100644
--- a/public/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -37,7 +37,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -sdcardd
   -system_server
   -update_engine
@@ -47,7 +46,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -system_server
   -vold
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
@@ -56,7 +54,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
@@ -70,7 +67,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
@@ -84,7 +80,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -recovery
   -system_app
   -surfaceflinger
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f81526c..0fe2adfc6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,4 +1,5 @@
 typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
 
 init_daemon_domain(dumpstate)
 
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index eb73ef8cc..0c1dfaa37 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,4 @@
 typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
 
 init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329f7..e8467972f 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,4 @@
 typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
 
 init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 9a57bf027..2a1a39f46 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1 +1,2 @@
 typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/installd.te b/private/installd.te
index f74843dd1..d726e7df2 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,4 +1,5 @@
 typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
 
 init_daemon_domain(installd)
 
diff --git a/private/keystore.te b/private/keystore.te
index 6aa888429..76aa02de3 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,4 @@
 typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
 
 init_daemon_domain(keystore)
diff --git a/private/mtp.te b/private/mtp.te
index 732e111ed..3cfda0b1a 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,4 @@
 typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
 
 init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index f501f25e9..3a824af13 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
 
 init_daemon_domain(netd)
 
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd9a..a655f1d34 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,4 +1,5 @@
 userdebug_or_eng(`
   typeattribute perfprofd coredomain;
+  typeattribute perfprofd domain_deprecated;
   init_daemon_domain(perfprofd)
 ')
diff --git a/private/ppp.te b/private/ppp.te
index 968b221b6..9b301f475 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,4 @@
 typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
 
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/radio.te b/private/radio.te
index b4f539048..83b5b416b 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1,5 @@
 typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
 
 app_domain(radio)
 
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7e1..b7b2847ec 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,2 @@
 typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
diff --git a/private/runas.te b/private/runas.te
index ef31aac34..73a91ffd6 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,5 @@
 typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 126d64349..ac6bb4e2c 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,4 @@
 typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f720682..8d06294d9 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,4 +1,5 @@
 typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
 
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd67735e..0df587fff 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,4 @@
 typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
 
 tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224d9..fde686be9 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,4 @@
 typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
 
 init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db681..f460272d1 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,4 @@
 typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
 
 init_daemon_domain(update_engine);
diff --git a/private/vold.te b/private/vold.te
index a6d1001d1..f2416f895 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,4 +1,5 @@
 typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
 
 init_daemon_domain(vold)
 
diff --git a/public/attributes b/public/attributes
index d729a7b63..43c240bd7 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,16 +10,6 @@ attribute dev_type;
 # All types used for processes.
 attribute domain;
 
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
 # All types used for filesystems.
 # On change, update CHECK_FC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/public/clatd.te b/public/clatd.te
index 8632087a1..212b76ede 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -1,5 +1,5 @@
 # 464xlat daemon
-type clatd, domain, domain_deprecated;
+type clatd, domain;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 4ae45ca29..113a86f6d 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, domain_deprecated;
+type dex2oat, domain;
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4ad1..a2cfcdf90 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,4 +1,4 @@
-type dhcp, domain, domain_deprecated;
+type dhcp, domain;
 type dhcp_exec, exec_type, file_type;
 type dhcp_data_file, file_type, data_file_type;
 
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 57cde1db0..5dd18a352 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,4 +1,4 @@
-type fingerprintd, domain, domain_deprecated;
+type fingerprintd, domain;
 type fingerprintd_exec, exec_type, file_type;
 
 binder_use(fingerprintd)
diff --git a/public/fsck.te b/public/fsck.te
index 8f3b17a4a..b682a877f 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index a9dd8055a..e2aceb87b 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/public/installd.te b/public/installd.te
index df14956c0..1292e824a 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -1,5 +1,5 @@
 # installer daemon
-type installd, domain, domain_deprecated;
+type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
diff --git a/public/keystore.te b/public/keystore.te
index 55cafc541..22d86be57 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain, domain_deprecated;
+type keystore, domain;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/public/mtp.te b/public/mtp.te
index 0ca7cea35..a77624064 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,5 +1,5 @@
 # vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
+type mtp, domain;
 type mtp_exec, exec_type, file_type;
 
 net_domain(mtp)
diff --git a/public/netd.te b/public/netd.te
index 1442be7cf..2d72eeb33 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -1,5 +1,5 @@
 # network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
+type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f0df6a0aa..bfb8693fa 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -4,7 +4,6 @@ type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  typeattribute perfprofd domain_deprecated;
   typeattribute perfprofd coredomain;
   typeattribute perfprofd mlstrustedsubject;
 
diff --git a/public/ppp.te b/public/ppp.te
index 7a5eada59..069452163 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,5 +1,5 @@
 # Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
+type ppp, domain;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 
diff --git a/public/radio.te b/public/radio.te
index a8966599b..e8ceb8bc8 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,5 +1,5 @@
 # phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
+type radio, domain, mlstrustedsubject;
 
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/public/recovery.te b/public/recovery.te
index fe02a0810..eefd7665e 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -2,7 +2,7 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain, domain_deprecated;
+type recovery, domain;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
diff --git a/public/rild.te b/public/rild.te
index e4b018690..14420dffb 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,5 +1,5 @@
 # rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
+type rild, domain;
 hal_server_domain(rild, hal_telephony)
 
 net_domain(rild)
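Review bot: rild (like tee) loses domain_deprecated here without a compensating `typeattribute rild domain_deprecated;` under private/ — the diffstat has no private/rild.te — so this hunk is a real permission cut rather than a move, unlike the other domains in the change. Because rild no longer carries the attribute, the auditallow rules in domain_deprecated.te can no longer report its use of these permissions; any remaining use on a device whose vendor rild differs from Marlin will show up as an avc denial, not an audit entry. The commit description says the logs were checked on Marlin only, so it is worth recording that next to the type line, e.g. `# rild no longer has domain_deprecated (verified on marlin); vendor rild must declare what it needs.` The hal_server_domain line below suggests rild is a vendor-implemented HAL process, which makes that caveat more relevant than for the coredomain types.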
diff --git a/public/runas.te b/public/runas.te
index 44e8e3ab1..25184092c 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,4 +1,4 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:fd use;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 3cb69be63..47a2f8061 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 9794b0b8a..91cf44d02 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,5 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
+type shared_relro, domain;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/tee.te b/public/tee.te
index a95be8834..31ce541c8 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -1,7 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
+type tee, domain;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
 type tee_data_file, file_type, data_file_type;
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c895..8cfd643e0 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
+type ueventd, domain;
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 6d3ee106d..d10eb3916 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 allow uncrypt self:capability dac_override;
diff --git a/public/update_engine.te b/public/update_engine.te
index 33eb2a80e..f32eb303d 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,5 +1,5 @@
 # Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated, update_engine_common;
+type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
diff --git a/public/vold.te b/public/vold.te
index 7503d8f4f..56a9370c4 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,5 +1,5 @@
 # volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
 type vold_exec, exec_type, file_type;
 
 # Read already opened /cache files.
-- 
GitLab