Preserve attributes needed for CTS

Change fb889f23 "Force expand all hal_* attributes" annotated all hal_* attributes to be expanded to their associated types. However some of these attributes are used in CTS for neverallow checking. Mark these attributes to be preserved. In addition, remove the hacky workaround introduced in oc-dev for b/62658302 where extraneous neverallow rules were introduced to prevent unused or negated attributes from being auto-expanded from policy. Bug: 62658302 Bug: 63135903 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest armeabi-v7a CtsSecurityHostTestCases completed in 4s. 501 passed, 0 failed, 0 not executed Change-Id: I989def70a16f66e7a18bef1191510793fbe9cb8c

Preserve attributes needed for CTS
bf8ed096 · Jeff Vander Stoep · 371a4375 · bf8ed096 · bf8ed096 · bf8ed096
Commit bf8ed096 authored 7 years ago by Jeff Vander Stoep
--- a/public/attributes
+++ b/public/attributes
@@ -134,21 +134,26 @@ attribute coredomain_socket;
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
+expandattribute binder_in_vendor_violators false;

 # All vendor domains which violate the requirement of not using sockets for
 # communicating with core components
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;

 # All vendor domains which violate the requirement of not executing
 # system processes
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;

 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
 attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;

 pdx_service_attributes(display_client)
 pdx_service_attributes(display_manager)
@@ -169,45 +174,45 @@ expandattribute hal_allocator true;
 attribute hal_allocator_client;
 expandattribute hal_allocator_client true;
 attribute hal_allocator_server;
-expandattribute hal_allocator_server true;
+expandattribute hal_allocator_server false;
 attribute hal_audio;
 expandattribute hal_audio true;
 attribute hal_audio_client;
-expandattribute hal_audio_client true;
+expandattribute hal_audio_client false;
 attribute hal_audio_server;
-expandattribute hal_audio_server true;
+expandattribute hal_audio_server false;
 attribute hal_bluetooth;
 expandattribute hal_bluetooth true;
 attribute hal_bluetooth_client;
 expandattribute hal_bluetooth_client true;
 attribute hal_bluetooth_server;
-expandattribute hal_bluetooth_server true;
+expandattribute hal_bluetooth_server false;
 attribute hal_bootctl;
-expandattribute hal_bootctl true;
+expandattribute hal_bootctl false;
 attribute hal_bootctl_client;
 expandattribute hal_bootctl_client true;
 attribute hal_bootctl_server;
-expandattribute hal_bootctl_server true;
+expandattribute hal_bootctl_server false;
 attribute hal_camera;
-expandattribute hal_camera true;
+expandattribute hal_camera false;
 attribute hal_camera_client;
 expandattribute hal_camera_client true;
 attribute hal_camera_server;
-expandattribute hal_camera_server true;
+expandattribute hal_camera_server false;
 attribute hal_configstore;
 expandattribute hal_configstore true;
 attribute hal_configstore_client;
 expandattribute hal_configstore_client true;
 attribute hal_configstore_server;
-expandattribute hal_configstore_server true;
+expandattribute hal_configstore_server false;
 attribute hal_contexthub;
 expandattribute hal_contexthub true;
 attribute hal_contexthub_client;
 expandattribute hal_contexthub_client true;
 attribute hal_contexthub_server;
-expandattribute hal_contexthub_server true;
+expandattribute hal_contexthub_server false;
 attribute hal_drm;
-expandattribute hal_drm true;
+expandattribute hal_drm false;
 attribute hal_drm_client;
 expandattribute hal_drm_client true;
 attribute hal_drm_server;
@@ -223,163 +228,163 @@ expandattribute hal_dumpstate true;
 attribute hal_dumpstate_client;
 expandattribute hal_dumpstate_client true;
 attribute hal_dumpstate_server;
-expandattribute hal_dumpstate_server true;
+expandattribute hal_dumpstate_server false;
 attribute hal_fingerprint;
 expandattribute hal_fingerprint true;
 attribute hal_fingerprint_client;
 expandattribute hal_fingerprint_client true;
 attribute hal_fingerprint_server;
-expandattribute hal_fingerprint_server true;
+expandattribute hal_fingerprint_server false;
 attribute hal_gatekeeper;
 expandattribute hal_gatekeeper true;
 attribute hal_gatekeeper_client;
 expandattribute hal_gatekeeper_client true;
 attribute hal_gatekeeper_server;
-expandattribute hal_gatekeeper_server true;
+expandattribute hal_gatekeeper_server false;
 attribute hal_gnss;
 expandattribute hal_gnss true;
 attribute hal_gnss_client;
 expandattribute hal_gnss_client true;
 attribute hal_gnss_server;
-expandattribute hal_gnss_server true;
+expandattribute hal_gnss_server false;
 attribute hal_graphics_allocator;
 expandattribute hal_graphics_allocator true;
 attribute hal_graphics_allocator_client;
 expandattribute hal_graphics_allocator_client true;
 attribute hal_graphics_allocator_server;
-expandattribute hal_graphics_allocator_server true;
+expandattribute hal_graphics_allocator_server false;
 attribute hal_graphics_composer;
 expandattribute hal_graphics_composer true;
 attribute hal_graphics_composer_client;
 expandattribute hal_graphics_composer_client true;
 attribute hal_graphics_composer_server;
-expandattribute hal_graphics_composer_server true;
+expandattribute hal_graphics_composer_server false;
 attribute hal_health;
 expandattribute hal_health true;
 attribute hal_health_client;
 expandattribute hal_health_client true;
 attribute hal_health_server;
-expandattribute hal_health_server true;
+expandattribute hal_health_server false;
 attribute hal_ir;
 expandattribute hal_ir true;
 attribute hal_ir_client;
 expandattribute hal_ir_client true;
 attribute hal_ir_server;
-expandattribute hal_ir_server true;
+expandattribute hal_ir_server false;
 attribute hal_keymaster;
 expandattribute hal_keymaster true;
 attribute hal_keymaster_client;
 expandattribute hal_keymaster_client true;
 attribute hal_keymaster_server;
-expandattribute hal_keymaster_server true;
+expandattribute hal_keymaster_server false;
 attribute hal_light;
 expandattribute hal_light true;
 attribute hal_light_client;
 expandattribute hal_light_client true;
 attribute hal_light_server;
-expandattribute hal_light_server true;
+expandattribute hal_light_server false;
 attribute hal_memtrack;
 expandattribute hal_memtrack true;
 attribute hal_memtrack_client;
 expandattribute hal_memtrack_client true;
 attribute hal_memtrack_server;
-expandattribute hal_memtrack_server true;
+expandattribute hal_memtrack_server false;
 attribute hal_nfc;
 expandattribute hal_nfc true;
 attribute hal_nfc_client;
 expandattribute hal_nfc_client true;
 attribute hal_nfc_server;
-expandattribute hal_nfc_server true;
+expandattribute hal_nfc_server false;
 attribute hal_oemlock;
 expandattribute hal_oemlock true;
 attribute hal_oemlock_client;
 expandattribute hal_oemlock_client true;
 attribute hal_oemlock_server;
-expandattribute hal_oemlock_server true;
+expandattribute hal_oemlock_server false;
 attribute hal_power;
 expandattribute hal_power true;
 attribute hal_power_client;
 expandattribute hal_power_client true;
 attribute hal_power_server;
-expandattribute hal_power_server true;
+expandattribute hal_power_server false;
 attribute hal_sensors;
 expandattribute hal_sensors true;
 attribute hal_sensors_client;
 expandattribute hal_sensors_client true;
 attribute hal_sensors_server;
-expandattribute hal_sensors_server true;
+expandattribute hal_sensors_server false;
 attribute hal_telephony;
 expandattribute hal_telephony true;
 attribute hal_telephony_client;
 expandattribute hal_telephony_client true;
 attribute hal_telephony_server;
-expandattribute hal_telephony_server true;
+expandattribute hal_telephony_server false;
 attribute hal_tetheroffload;
 expandattribute hal_tetheroffload true;
 attribute hal_tetheroffload_client;
 expandattribute hal_tetheroffload_client true;
 attribute hal_tetheroffload_server;
-expandattribute hal_tetheroffload_server true;
+expandattribute hal_tetheroffload_server false;
 attribute hal_thermal;
 expandattribute hal_thermal true;
 attribute hal_thermal_client;
 expandattribute hal_thermal_client true;
 attribute hal_thermal_server;
-expandattribute hal_thermal_server true;
+expandattribute hal_thermal_server false;
 attribute hal_tv_cec;
 expandattribute hal_tv_cec true;
 attribute hal_tv_cec_client;
 expandattribute hal_tv_cec_client true;
 attribute hal_tv_cec_server;
-expandattribute hal_tv_cec_server true;
+expandattribute hal_tv_cec_server false;
 attribute hal_tv_input;
 expandattribute hal_tv_input true;
 attribute hal_tv_input_client;
 expandattribute hal_tv_input_client true;
 attribute hal_tv_input_server;
-expandattribute hal_tv_input_server true;
+expandattribute hal_tv_input_server false;
 attribute hal_usb;
 expandattribute hal_usb true;
 attribute hal_usb_client;
 expandattribute hal_usb_client true;
 attribute hal_usb_server;
-expandattribute hal_usb_server true;
+expandattribute hal_usb_server false;
 attribute hal_vibrator;
 expandattribute hal_vibrator true;
 attribute hal_vibrator_client;
 expandattribute hal_vibrator_client true;
 attribute hal_vibrator_server;
-expandattribute hal_vibrator_server true;
+expandattribute hal_vibrator_server false;
 attribute hal_vr;
 expandattribute hal_vr true;
 attribute hal_vr_client;
 expandattribute hal_vr_client true;
 attribute hal_vr_server;
-expandattribute hal_vr_server true;
+expandattribute hal_vr_server false;
 attribute hal_weaver;
 expandattribute hal_weaver true;
 attribute hal_weaver_client;
 expandattribute hal_weaver_client true;
 attribute hal_weaver_server;
-expandattribute hal_weaver_server true;
+expandattribute hal_weaver_server false;
 attribute hal_wifi;
 expandattribute hal_wifi true;
 attribute hal_wifi_client;
 expandattribute hal_wifi_client true;
 attribute hal_wifi_server;
-expandattribute hal_wifi_server true;
+expandattribute hal_wifi_server false;
 attribute hal_wifi_offload;
 expandattribute hal_wifi_offload true;
 attribute hal_wifi_offload_client;
 expandattribute hal_wifi_offload_client true;
 attribute hal_wifi_offload_server;
-expandattribute hal_wifi_offload_server true;
+expandattribute hal_wifi_offload_server false;
 attribute hal_wifi_supplicant;
 expandattribute hal_wifi_supplicant true;
 attribute hal_wifi_supplicant_client;
 expandattribute hal_wifi_supplicant_client true;
 attribute hal_wifi_supplicant_server;
-expandattribute hal_wifi_supplicant_server true;
+expandattribute hal_wifi_supplicant_server false;

 # HwBinder services offered across the core-vendor boundary
 #

--- a/public/domain.te
+++ b/public/domain.te
@@ -504,7 +504,6 @@ neverallow {
  -recovery
  -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302

 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -562,7 +561,6 @@ full_treble_only(`
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } servicemanager:binder { call transfer };
-  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')

 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
@@ -621,7 +619,6 @@ full_treble_only(`
    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
  });
-  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302

  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
  neverallow_establish_socket_comms({
@@ -653,10 +650,6 @@ full_treble_only(`
    -pdx_endpoint_socket_type # used by VR layer
    -pdx_channel_socket_type # used by VR layer
  }:sock_file ~{ append getattr ioctl read write };
-  neverallow {
-    pdx_endpoint_socket_type
-    pdx_channel_socket_type
-  } unlabeled:service_manager list; #TODO: b/62658302

  # Core domains are not permitted to create/open sockets owned by vendor domains
  neverallow {
@@ -741,7 +734,6 @@ full_treble_only(`
        -crash_dump_exec
        -netutils_wrapper_exec
    }:file { entrypoint execute execute_no_trans };
-    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')

 # Only authorized processes should be writing to files in /data/dalvik-cache

--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,7 +17,6 @@ neverallow {
  -hal_wifi_supplicant_server
  -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
-neverallow hal_tetheroffload_server unlabeled:service_manager list; #TODO: b/62658302

 ###
 # HALs are defined as an attribute and so a given domain could hypothetically

--- a/public/te_macros
+++ b/public/te_macros
@@ -554,7 +554,6 @@ define(`use_drmservice', `
 define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
-  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')

 ###########################################
@@ -566,7 +565,6 @@ define(`add_hwservice', `
  allow $1 $2:hwservice_manager { add find };
  allow $1 hidl_base_hwservice:hwservice_manager add;
  neverallow { domain -$1 } $2:hwservice_manager add;
-  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')

 ##########################################