From d25ccabd24339938b6b3bb93cb3cb96b4aa55958 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 7 Feb 2018 16:29:06 -0800
Subject: [PATCH] label /data/vendor{_ce,_de}

Restrictions introduced in vendor init mean that new devices
may no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.

Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
    No new denials.

Change-Id: I65f904bb28952d4776aab947515947e14befbe34
---
 private/compat/26.0/26.0.cil    |  4 +++-
 private/compat/27.0/27.0.cil    |  4 +++-
 private/file_contexts           |  3 +++
 private/perfetto.te             | 10 +++++++++-
 private/traced.te               | 11 +++++++++--
 private/traced_probes.te        |  9 ++++++++-
 private/vold_prepare_subdirs.te |  5 ++++-
 public/domain.te                | 34 ++++++++++++++++++++++++++++++++-
 public/file.te                  |  2 ++
 public/vold.te                  |  3 +++
 10 files changed, 77 insertions(+), 8 deletions(-)

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9dd2ee73f..fb4a9e6c8 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -634,7 +634,9 @@
 (typeattributeset system_app_data_file_26_0 (system_app_data_file))
 (typeattributeset system_app_service_26_0 (system_app_service))
 (typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+  ( system_data_file
+    vendor_data_file))
 (typeattributeset system_file_26_0 (system_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 06f4c9122..2272903e6 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1351,7 +1351,9 @@
 (typeattributeset system_app_data_file_27_0 (system_app_data_file))
 (typeattributeset system_app_service_27_0 (system_app_service))
 (typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0 (system_data_file))
+(typeattributeset system_data_file_27_0
+  ( system_data_file
+    vendor_data_file))
 (typeattributeset system_file_27_0 (system_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
diff --git a/private/file_contexts b/private/file_contexts
index 25d0d9d70..321cfbe72 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -425,6 +425,9 @@
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)?              u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)?           u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)?           u:object_r:vendor_data_file:s0
 
 # storaged proto files
 /data/misc_de/[0-9]+/storaged(/.*)?       u:object_r:storaged_data_file:s0
diff --git a/private/perfetto.te b/private/perfetto.te
index 389fdf4f9..9ac5d8761 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -53,7 +53,15 @@ neverallow perfetto dev_type:blk_file { read write };
 neverallow perfetto domain:process ptrace;
 
 # Disallows access to other /data files.
-neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+  # neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+  -perfetto_traces_data_file
+}:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
 neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
 neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
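Review bot: The TODO attached to `-vendor_data_file` says a subsequent neverallow restricts vendor_data_file to getattr and search, but the rule that follows still covers only `{ system_data_file -perfetto_traces_data_file }`, so nothing in this file constrains perfetto's dir access to vendor_data_file; the only such restriction in the patch is the full_treble_only block in public/domain.te, which does not apply to non-Treble builds. Either extend the next rule, `neverallow perfetto { system_data_file vendor_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`, or reword the comment to point at domain.te. The same gap is carried by private/traced.te, whose new `neverallow traced { system_data_file }:dir ~{ getattr search };` likewise omits vendor_data_file, and by private/traced_probes.te.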
diff --git a/private/traced.te b/private/traced.te
index bb7a09191..531ecc29c 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -27,8 +27,15 @@ neverallow traced domain:process ptrace;
 
 # Disallows access to /data files, still allowing to write to file descriptors
 # passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+  # subsequent neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 15c51d4cd..26e005100 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -44,7 +44,14 @@ neverallow traced_probes dev_type:blk_file { read write };
 neverallow traced_probes domain:process ptrace;
 
 # Disallows access to /data files.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
+neverallow traced {
+  data_file_type
+  -system_data_file
+  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+  # subsequent neverallow. Currently only getattr and search are allowed.
+  -vendor_data_file
+  -zoneinfo_data_file
+}:dir *;
 neverallow traced system_data_file:dir ~{ getattr search };
 neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
 neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
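Review bot: The rewritten rule `neverallow traced {` sits in traced_probes.te but names the `traced` domain, while the rules just above it (`neverallow traced_probes dev_type:blk_file`, `neverallow traced_probes domain:process ptrace`) name `traced_probes`; the removed line also said `traced`, so this looks like a carried-over copy-paste rather than intent, and as written traced_probes gets no /data dir restriction from this file. If it is intentional it deserves a comment; otherwise the subject should become `neverallow traced_probes {`, and the three unchanged `neverallow traced` rules below presumably need the same fix. A neverallow that merely duplicates one in traced.te compiles cleanly, so the build would not have flagged this.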
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510ed8..af1f44232 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@ allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
 allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
 allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+  system_data_file
+  vendor_data_file
+}:dir { open read write add_name remove_name };
 allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
 allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 67eafc286..6f5055219 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -208,11 +208,15 @@ r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, sysfs_usb);
 
 # files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
+not_full_treble(`
+  allow domain system_data_file:dir getattr;
+')
 allow { coredomain appdomain } system_data_file:dir getattr;
 # /data has the label system_data_file. Vendor components need the search
 # permission on system_data_file for path traversal to /data/vendor.
 allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
 
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
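Review bot: `allow domain vendor_data_file:dir { getattr search };` grants every domain, appdomain included, traversal and stat on /data/vendor{,_ce,_de} directories, yet the one-line `# TODO restrict this to non-coredomain` carries neither a bug reference nor a rationale, unlike the other TODOs in this patch. The rule immediately above explains why search on system_data_file is needed; a comparable comment here would help, e.g. `# TODO(<bug id>): restrict to non-coredomain. Vendor domains need search on /data/vendor{,_ce,_de} for path traversal; the neverallow later in this file caps coredomain at getattr/search.` The reflow of the `not_full_treble` line is formatting only.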
@@ -791,6 +795,9 @@ full_treble_only(`
     } {
       data_file_type
       -core_data_file_type
+      # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+      # neverallow. Currently only getattr and search are allowed.
+      -vendor_data_file
     }:dir *;
 
 ')
@@ -819,6 +826,7 @@ full_treble_only(`
     } {
       core_data_file_type
       -system_data_file # default label for files on /data. Covered below...
+      -vendor_data_file
       -zoneinfo_data_file
     }:dir *;
 ')
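Review bot: The `-vendor_data_file` added to the `core_data_file_type` set in this hunk is a no-op: public/file.te in this same patch declares `type vendor_data_file, file_type, data_file_type;` without core_data_file_type, so the type is never in the set being subtracted from. checkpolicy accepts subtracting an absent type, but the line misleads a reader into assuming vendor_data_file is a core data type. Drop it, or if it is meant as future-proofing say so inline: `-vendor_data_file # not core_data_file_type today; listed defensively`. The enclosing full_treble_only block begins outside this hunk.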
@@ -834,6 +842,30 @@ full_treble_only(`
     }:dir ~{ getattr search };
 ')
 
+full_treble_only(`
+  #  coredomains may not access dirs in /data/vendor.
+  neverallow {
+    coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -init
+    -vold # vold creates per-user storage for both system and vendor
+    -vold_prepare_subdirs
+    } {
+      vendor_data_file # default label for files on /data. Covered below
+    }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+  #  coredomains may not access dirs in /data/vendor.
+  neverallow {
+    coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -init
+    } {
+      vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+    }:file_class_set ~{ append getattr ioctl read write };
+')
+
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
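Review bot: The trailing comment on `vendor_data_file # default label for files on /data. Covered below` in the first new neverallow is copied from the system_data_file rule and is wrong: vendor_data_file labels /data/vendor{,_ce,_de}, not /data, and nothing below further restricts the dir class. Replace it with the wording the second block already uses, `vendor_data_file # default label for files on /data/vendor{,_ce,_de}.` Likewise the header of the second block, `#  coredomains may not access dirs in /data/vendor.`, precedes a file_class_set rule and should read `# coredomains may not access files in /data/vendor.` The exemption lists differ between the two blocks (vold and vold_prepare_subdirs are exempt for dirs only); a one-line note that this is deliberate would spare the next reader from diffing them.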
diff --git a/public/file.te b/public/file.te
index d1feb3ace..0aa7ece23 100644
--- a/public/file.te
+++ b/public/file.te
@@ -160,6 +160,8 @@ type logcat_exec, exec_type, file_type;
 type coredump_file, file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
 # Unencrypted data
 type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
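Review bot: The new comment `# Default type for anything under /data/vendor{_ce,_de}.` expands only to /data/vendor_ce and /data/vendor_de, omitting /data/vendor itself, which private/file_contexts labels with the same type; public/domain.te in this patch uses `/data/vendor{,_ce,_de}`, which covers all three. The declaration also omits core_data_file_type, and that omission is what keeps the type out of the coredomain neverallow sets built from `core_data_file_type` in domain.te; presumably it is also what lets vendor_init write here, as the commit message says, though no vendor_init rule appears in this patch. Suggest `# Default type for anything under /data/vendor{,_ce,_de}. Deliberately not core_data_file_type so vendor domains may write it.`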
diff --git a/public/vold.te b/public/vold.te
index 0107ebd4c..95847cf64 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -113,6 +113,9 @@ allow vold efs_file:file rw_file_perms;
 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold system_data_file:lnk_file getattr;
 
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
 # for secdiscard
 allow vold system_data_file:file read;
 
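Review bot: The comment `# Vold create users in /data/vendor_{ce,de}/[0-9]+` is ungrammatical and unclear about what is created; the rule beneath it grants `create_dir_perms` on vendor_data_file dirs. Suggest `# vold creates per-user directories under /data/vendor_{ce,de}/[0-9]+`. The grant is for the dir class only, which matches public/domain.te in this patch exempting vold from the vendor_data_file dir neverallow but not from the file_class_set one.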
-- 
GitLab