Move platform/vendor data violations to device policy

Sharing data folders by path will be disallowed because it violates the approved API between platform and vendor components tested by VTS. Move all violating permissions from core selinux policy to device specific policy so that we can exempt existing devices from the ban and enforce it on new devices. Bug: 34980020 Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint and Play movies on Marlin and Taimen. Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e

Move platform/vendor data violations to device policy
d4785c37 · Jeff Vander Stoep · Jeffrey Vander Stoep · 0f5ad4e5 · d4785c37 · d4785c37
Commit d4785c37 authored 7 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -671,6 +671,79 @@ full_treble_only(`
  }:sock_file ~{ append getattr ioctl read write };
 ')

+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+  # only coredomains may only access core_data_file_type, particularly not
+  # /data/vendor
+  neverallow {
+    coredomain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -data_between_core_and_vendor_violators
+    -init
+    -vendor_init
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  neverallow {
+    coredomain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -data_between_core_and_vendor_violators
+    -init
+    -vendor_init
+    } {
+      data_file_type
+      -core_data_file_type
+    }:dir *;
+
+')
+full_treble_only(`
+  # vendor domains may only access files in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+  } {
+    core_data_file_type
+    # libc includes functions like mktime and localtime which attempt to access
+    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+    # vndk-stable and thus must be allowed for all processes.
+    -zoneinfo_data_file
+    }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators
+    } {
+      core_data_file_type
+      -system_data_file # default label for files on /data. Covered below...
+      -zoneinfo_data_file
+    }:dir *;
+')
+full_treble_only(`
+  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+  neverallow {
+    domain
+    -appdomain # TODO(b/34980020) remove exemption for appdomain
+    -coredomain
+    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    } {
+      system_data_file # default label for files on /data. Covered below
+    }:dir ~{ getattr search };
+')
+
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`

--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -33,11 +33,6 @@ allow hal_drm hal_graphics_allocator:fd use;
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;

-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
 allow hal_drm sysfs:file r_file_perms;

 allow hal_drm tee_device:chr_file rw_file_perms;

--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,12 +5,6 @@ binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
 allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;

-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;


--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,7 +10,3 @@ set_prop(hal_nfc, nfc_prop)

 # NFC device access.
 allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,12 +19,6 @@ allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;

 ###
 ### neverallow rules

--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -21,13 +21,3 @@ allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hostapd self:packet_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_route_socket nlmsg_write;
-
-# hostapd can read and write WiFi related data and configuration.
-# For example, the entropy file is periodically updated.
-allow hostapd wifi_data_file:file rw_file_perms;
-r_dir_file(hostapd, wifi_data_file)
-
-# hostapd wants to create the directory holding its control socket.
-allow hostapd hostapd_socket:dir create_dir_perms;
-# hostapd needs to create, bind to, read, and write its control socket.
-allow hostapd hostapd_socket:sock_file create_file_perms;