From ccf965e9ca37b4bf063c9c573cb4900d70d9025c Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 24 Jan 2018 07:01:13 -0800
Subject: [PATCH] Test that /data is properly labeled

Data outside of /data/vendor should have the core_data_file_type.
Exempt data_between_core_and_vendor for some types.

Ensure core_data_file_type and coredomain_socket do not get expanded
to their underlying types.

Test: build sepolicy for all targets in master (this is a build time
    test)
Bug: 34980020
Change-Id: I59387a87875f4603a001fb03f22fa31cae84bf5a
(cherry picked from commit bdd454792d52719f3b8b1fe8c3fd08cb13a393f1)
---
 public/attributes       |  2 ++
 public/domain.te        | 13 ++++++++++++-
 public/file.te          |  4 ++--
 tests/sepolicy_tests.py | 10 +++++++++-
 4 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/public/attributes b/public/attributes
index 8138a3fa2..77823cfa6 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,6 +32,7 @@ attribute data_file_type;
 expandattribute data_file_type false;
 # All types in /data, not in /data/vendor
 attribute core_data_file_type;
+expandattribute core_data_file_type false;
 # All types in /vendor
 attribute vendor_file_type;
 
@@ -130,6 +131,7 @@ attribute coredomain;
 
 # All socket devices owned by core domain components
 attribute coredomain_socket;
+expandattribute coredomain_socket false;
 
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
diff --git a/public/domain.te b/public/domain.te
index 308311c18..c09ee505f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -670,7 +670,6 @@ full_treble_only(`
 
 # On full TREBLE devices, socket communications between core components and vendor components are
 # not permitted.
-full_treble_only(`
   # Most general rules first, more specific rules below.
 
   # Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -678,6 +677,7 @@ full_treble_only(`
   # to obtain an already established socket via some public/official/stable API and then exchange
   # data with its peer over that socket. The wire format in this scenario is dicatated by the API
   # and thus does not break the core-vendor separation.
+full_treble_only(`
   neverallow_establish_socket_comms({
     coredomain
     -init
@@ -687,7 +687,9 @@ full_treble_only(`
     -coredomain
     -socket_between_core_and_vendor_violators
   });
+')
   # Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
@@ -703,20 +705,25 @@ full_treble_only(`
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
+')
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
   neverallow_establish_socket_comms({
     domain
     -coredomain
     -netdomain
     -socket_between_core_and_vendor_violators
   }, netd);
+')
 
   # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
   neverallow {
     domain
     -coredomain
     -appdomain # appdomain restrictions below
+    -data_between_core_and_vendor_violators # b/70393317
     -socket_between_core_and_vendor_violators
     -vendor_init
   } {
@@ -724,6 +731,8 @@ full_treble_only(`
     core_data_file_type
     unlabeled # used only by core domains
   }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
   neverallow {
     appdomain
     -coredomain
@@ -735,8 +744,10 @@ full_treble_only(`
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
+')
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
   neverallow {
     coredomain
     -init
diff --git a/public/file.te b/public/file.te
index 02a43608e..932ecbf8b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -317,7 +317,7 @@ type property_socket, file_type, coredomain_socket, mlstrustedobject;
 type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
@@ -327,7 +327,7 @@ type traced_consumer_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
 type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
 type zygote_socket, file_type, coredomain_socket;
 # UART (for GPS) control proc file
 type gps_control, file_type;
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 275debb0b..ea9ba10f3 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -23,6 +23,10 @@ def TestDebugfsTypeViolations(pol):
 def TestVendorTypeViolations(pol):
     return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
 
+def TestCoreDataTypeViolations(pol):
+    return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor/",
+            "/data/vendor_ce/", "/data/vendor_de/"], "core_data_file_type")
+
 ###
 # extend OptionParser to allow the same option flag to be used multiple times.
 # This is used to allow multiple file_contexts files and tests to be
@@ -40,7 +44,9 @@ class MultipleOption(Option):
         else:
             Option.take_action(self, action, dest, opt, value, values, parser)
 
-Tests = ["TestDataTypeViolators"]
+Tests = ["TestDataTypeViolators", "TestSysfsTypeViolations",
+        "TestDebugfsTypeViolations", "TestVendorTypeViolations",
+        "TestCoreDataTypeViolations"]
 
 if __name__ == '__main__':
     usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
@@ -87,6 +93,8 @@ if __name__ == '__main__':
         results += TestDebugfsTypeViolations(pol)
     if options.test is None or "TestVendorTypeViolations" in options.test:
         results += TestVendorTypeViolations(pol)
+    if options.test is None or "TestCoreDataTypeViolations" in options.test:
+        results += TestCoreDataTypeViolations(pol)
 
     if len(results) > 0:
         sys.exit(results)
-- 
GitLab