From d8b864cb4106e951f570fcc6a11f0d217abc3408 Mon Sep 17 00:00:00 2001
From: Michael Wright <michaelwr@google.com>
Date: Wed, 22 Nov 2017 13:59:17 +0000
Subject: [PATCH] Revert "Move platform/vendor data violations to device
 policy"

This reverts commit ba2130a882549bbd5cbd22f3859020e4e6db1607.

Test: lunch elfin-userdebug && m -j
Change-Id: I83e8a37cac97e2f994fd2defb94888ec73b41f3b
---
 public/domain.te              | 73 -----------------------------------
 public/hal_drm.te             |  5 +++
 public/hal_fingerprint.te     |  6 +++
 public/hal_nfc.te             |  4 ++
 public/hal_wifi_supplicant.te |  6 +++
 vendor/hostapd.te             | 10 +++++
 6 files changed, 31 insertions(+), 73 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 0d50c38f9..92ea561d9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -678,79 +678,6 @@ full_treble_only(`
   }:sock_file ~{ append getattr ioctl read write };
 ')
 
-# On TREBLE devices, vendor and system components are only allowed to share
-# files by passing open FDs over hwbinder. Ban all directory access and all file
-# accesses other than what can be applied to an open FD such as
-# ioctl/stat/read/write/append. This is enforced by segregating /data.
-# Vendor domains may directly access file in /data/vendor by path, but may only
-# access files outside of /data/vendor via an open FD passed over hwbinder.
-# Likewise, core domains may only directly access files outside /data/vendor by
-# path and files in /data/vendor by open FD.
-full_treble_only(`
-  # only coredomains may only access core_data_file_type, particularly not
-  # /data/vendor
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vendor_init
-  } {
-    data_file_type
-    -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
-  neverallow {
-    coredomain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -data_between_core_and_vendor_violators
-    -init
-    -vendor_init
-    } {
-      data_file_type
-      -core_data_file_type
-    }:dir *;
-
-')
-full_treble_only(`
-  # vendor domains may only access files in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-  } {
-    core_data_file_type
-    # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
-    # vndk-stable and thus must be allowed for all processes.
-    -zoneinfo_data_file
-    }:file_class_set ~{ append getattr ioctl read write };
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators
-    } {
-      core_data_file_type
-      -system_data_file # default label for files on /data. Covered below...
-      -zoneinfo_data_file
-    }:dir *;
-')
-full_treble_only(`
-  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
-  neverallow {
-    domain
-    -appdomain # TODO(b/34980020) remove exemption for appdomain
-    -coredomain
-    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
-    } {
-      system_data_file # default label for files on /data. Covered below
-    }:dir ~{ getattr search };
-')
-
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
diff --git a/public/hal_drm.te b/public/hal_drm.te
index a46dd9116..30742d7c7 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -33,6 +33,11 @@ allow hal_drm hal_graphics_allocator:fd use;
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
 
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
 allow hal_drm sysfs:file r_file_perms;
 
 allow hal_drm tee_device:chr_file rw_file_perms;
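Review bot: The comment restored at the top of the hunk says `app_data and media_data_files`, but the three rules under it only touch media_data_file, so the comment overstates the grant; I'd change it to `# Allow access to media_data_file`. The separate `allow hal_drm media_data_file:file { getattr read };` line appears subsumed by the `create_file_perms` grant on the line above it (which, via rw_file_perms, already carries getattr and read in the global macros), so it can be dropped without changing the policy. Since this is a revert that puts vendor-side access to a core data_file_type back into public policy, a one-line comment stating that these grants are the ones the reverted commit had moved to device policy would help the next reader auditing hal_drm's /data reach.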
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 36de76191..bef9f556e 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,6 +5,12 @@ binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
 allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
 
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
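Review bot: The comment `# allow HAL module to read dir contents` on the restored line sits above a `:file create_file_perms` rule, which grants creating, writing, renaming and unlinking files rather than reading a directory, so the comment mislabels the grant; the directory-level rule two lines down already carries the read/write/unlink description. I'd change the first comment to `# allow HAL module to create, read, write, and unlink files in this dir` so the documented intent matches the permission set. As written, someone auditing vendor access to fingerprintd_data_file would underestimate what the rule allows.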
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index 3bcdf5ee1..a027c48be 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,3 +10,7 @@ set_prop(hal_nfc, nfc_prop)
 
 # NFC device access.
 allow hal_nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
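Review bot: The restored rule grants `create_file_perms` on `lnk_file` and `fifo_file` in addition to `file`, and nothing in the hunk documents a need for the NFC HAL to create symlinks or fifos under nfc_data_file. If only regular files are used, narrowing the class set to `allow hal_nfc nfc_data_file:file create_file_perms;` would keep the grant at least privilege; if the extra classes are needed, the `# Data file accesses.` comment should say what relies on them. This is a revert, so the broader set may simply be what existed before, but it is worth confirming before it lands in public policy again.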
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 6bf0d3265..a4f041f58 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,6 +19,12 @@ allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 
 ###
 ### neverallow rules
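Review bot: The two `wifi_data_file` rules restored at the top of the hunk have no comment, while the `wpa_socket` rules directly below them do, so the reason the supplicant needs create and unlink on the whole wifi_data_file tree is undocumented. I'd add a one-line comment above them naming the configuration or data files the supplicant actually reads and writes, in the same style as `# Create a socket for receiving info from wpa`. The neverallow section of hal_wifi_supplicant.te starts after the hunk and is not visible here.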
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index 9f9937821..ab0545df5 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -21,3 +21,13 @@ allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hostapd self:packet_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_route_socket nlmsg_write;
+
+# hostapd can read and write WiFi related data and configuration.
+# For example, the entropy file is periodically updated.
+allow hostapd wifi_data_file:file rw_file_perms;
+r_dir_file(hostapd, wifi_data_file)
+
+# hostapd wants to create the directory holding its control socket.
+allow hostapd hostapd_socket:dir create_dir_perms;
+# hostapd needs to create, bind to, read, and write its control socket.
+allow hostapd hostapd_socket:sock_file create_file_perms;
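Review bot: `r_dir_file(hostapd, wifi_data_file)` expands, per the global te_macros, to read permissions on the dir, file and lnk_file classes, so its file-class part overlaps the `rw_file_perms` grant on the line above it; the overlap is harmless to the compiled policy but makes the intended access set harder to read. Writing the directory grant explicitly, `allow hostapd wifi_data_file:dir r_dir_perms;`, next to the rw_file_perms line would state exactly what is added beyond file read/write (directory listing, plus lnk_file reads only if those are actually needed). This is a behavior-neutral tidy-up and can be deferred since the hunk restores prior policy.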
-- 
GitLab