Commit ed3458c2 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge changes from topic 'sspatil_vendor_rules_cleanup' into oc-dev

* changes:
  sepolicy: fix comments around 'domain' access to search in /vendor
  sepolicy: remove redundant rule for symlinks in /vendor/app
  sepolicy: restrict access for /vendor/framework.
  sepolicy: restrict /vendor/overlay from most coredomains
  sepolicy: restrict /vendor/app from most coredomains
parents 38416182 54189c53
...@@ -94,6 +94,13 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p ...@@ -94,6 +94,13 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
allow appdomain system_file:dir r_dir_perms; allow appdomain system_file:dir r_dir_perms;
allow appdomain system_file:lnk_file { getattr open read }; allow appdomain system_file:lnk_file { getattr open read };
# Allow apps access to /vendor/app except for privileged
# apps which cannot be in /vendor.
r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
# Allow apps access to /vendor/overlay
r_dir_file(appdomain, vendor_overlay_file)
# Execute dex2oat when apps call dexclassloader # Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms; allow appdomain dex2oat_exec:file rx_file_perms;
......
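Review bot: The comment added at the top of this hunk says access is granted "except for privileged apps which cannot be in /vendor", but the rule that follows excludes `ephemeral_app` and `untrusted_v2_app`, not privileged apps, so the comment misdescribes the policy it introduces. I would reword it to name the actual exclusion set, e.g. `# Allow apps to read /vendor/app, except ephemeral and untrusted_v2 apps (same exclusion set as the toolbox_exec rule above).`, and state the reason for excluding those two domains if it is known. Note also that the corresponding neverallow in domain.te exempts all of `appdomain`, so the enforced ceiling is looser than this grant; if ephemeral/untrusted_v2 access to /vendor/app is meant to stay denied, a second neverallow on `{ ephemeral_app untrusted_v2_app } vendor_app_file` would pin that at policy compile time. Only this hunk of app.te is visible.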
...@@ -297,6 +297,9 @@ allow system_server apk_tmp_file:file create_file_perms; ...@@ -297,6 +297,9 @@ allow system_server apk_tmp_file:file create_file_perms;
# Access /vendor/app # Access /vendor/app
r_dir_file(system_server, vendor_app_file) r_dir_file(system_server, vendor_app_file)
# Access /vendor/app
r_dir_file(system_server, vendor_overlay_file)
# Manage /data/app-private. # Manage /data/app-private.
allow system_server apk_private_data_file:dir create_dir_perms; allow system_server apk_private_data_file:dir create_dir_perms;
allow system_server apk_private_data_file:file create_file_perms; allow system_server apk_private_data_file:file create_file_perms;
......
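Review bot: The comment added before `r_dir_file(system_server, vendor_overlay_file)` reads `# Access /vendor/app`, duplicating the comment on the preceding vendor_app_file rule, while the new rule is for /vendor/overlay. Change it to `# Access /vendor/overlay` so the two grants are not confused when the overlay access is later audited against the domain.te neverallow exemptions. Only this hunk of system_server.te is visible.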
...@@ -51,6 +51,10 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute; ...@@ -51,6 +51,10 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
allow zygote idmap_exec:file rx_file_perms; allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms; allow zygote dex2oat_exec:file rx_file_perms;
# /vendor/overlay existence is checked before
# passing it on as an argument to idmap in AssetManager
allow zygote vendor_overlay_file:dir { getattr open read search };
# Control cgroups. # Control cgroups.
allow zygote cgroup:dir create_dir_perms; allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms; allow zygote cgroup:{ file lnk_file } r_file_perms;
......
...@@ -3,6 +3,11 @@ type dex2oat, domain, domain_deprecated; ...@@ -3,6 +3,11 @@ type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type; type dex2oat_exec, exec_type, file_type;
r_dir_file(dex2oat, apk_data_file) r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
# Access /vendor/framework
allow dex2oat vendor_framework_file:dir { getattr search };
allow dex2oat vendor_framework_file:file { getattr open read };
allow dex2oat tmpfs:file { read getattr }; allow dex2oat tmpfs:file { read getattr };
......
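Review bot: The new vendor_framework_file rules grant `dir { getattr search }` without `read`, i.e. path traversal but no directory listing, which is a deliberate narrowing compared with the `r_dir_file` grant for vendor_app_file two lines above, but the comment `# Access /vendor/framework` does not say so and a later maintainer may "simplify" it to r_dir_file. I would make the intent explicit: `# Open and read files under /vendor/framework by path; directory listing is intentionally not granted.` The two comment styles in this hunk (`# Access to /vendor/app` vs `# Access /vendor/framework`) could also be aligned. Whether dex2oat always receives these paths from its caller rather than enumerating the directory cannot be confirmed from this hunk.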
...@@ -123,34 +123,11 @@ allow domain same_process_hal_file:file { execute read open getattr }; ...@@ -123,34 +123,11 @@ allow domain same_process_hal_file:file { execute read open getattr };
allow domain vendor_configs_file:dir r_dir_perms; allow domain vendor_configs_file:dir r_dir_perms;
allow domain vendor_configs_file:file { read open getattr }; allow domain vendor_configs_file:file { read open getattr };
# TODO: (b/36681074) - Remove after this is resolved
# TODO: (b/36680116, b/36656392, b/36681210) All need directory
# lookup to find / open their libraries
full_treble_only(` full_treble_only(`
# Everyone needs to lookup libraries in /vendor/lib(64) # This is required "most likely" for LD_LIBRARY_PATH
# through linker/loader. # (b/36681074)
allow domain vendor_file:dir { getattr search }; allow domain vendor_file:dir { getattr search };
# TODO: b/36681210, find out who needs access and only allow
# specific domains for Treble
allow domain vendor_app_file:dir r_dir_perms;
allow domain vendor_app_file:file { read open getattr };
# Some apps (com.android.phone) need to be able to open
# symlinked libraries
# TODO: b/36806861
allow domain vendor_app_file:lnk_file { open read };
# TODO: b/36656392, find out who needs access and only allow
# specific domains.
allow domain vendor_overlay_file:dir r_dir_perms;
allow domain vendor_overlay_file:file { read open getattr };
# TODO: b/36680116, find out who neeeds access and only allow
# specific domains
allow domain vendor_framework_file:dir r_dir_perms;
allow domain vendor_framework_file:file { read open getattr };
# Allow reading and executing out of /vendor to all vendor domains # Allow reading and executing out of /vendor to all vendor domains
allow { domain -coredomain } vendor_file_type:dir r_dir_perms; allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
allow { domain -coredomain } vendor_file_type:file { read open getattr execute }; allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
...@@ -689,6 +666,50 @@ full_treble_only(` ...@@ -689,6 +666,50 @@ full_treble_only(`
}:sock_file ~{ append getattr ioctl read write }; }:sock_file ~{ append getattr ioctl read write };
') ')
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
-system_server
} vendor_app_file:dir { open read getattr search };
neverallow {
coredomain
-appdomain
-dex2oat
-idmap
-init
-installd
-system_server
} vendor_app_file:{ file lnk_file } r_file_perms;
# Limit access to /vendor/overlay
neverallow {
coredomain
-appdomain
-idmap
-init
-system_server
-zygote
} vendor_overlay_file:dir { getattr open read search };
neverallow {
coredomain
-appdomain
-idmap
-init
-system_server
-zygote
} vendor_overlay_file:{ file lnk_file } r_file_perms;
')
# Only authorized processes should be writing to files in /data/dalvik-cache # Only authorized processes should be writing to files in /data/dalvik-cache
neverallow { neverallow {
domain domain
...@@ -908,6 +929,7 @@ neverallow { ...@@ -908,6 +929,7 @@ neverallow {
userdebug_or_eng(`-uncrypt') userdebug_or_eng(`-uncrypt')
} shell_data_file:file open; } shell_data_file:file open;
# servicemanager is the only process which handles list request # servicemanager is the only process which handles list request
neverallow * ~servicemanager:service_manager list; neverallow * ~servicemanager:service_manager list;
......
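Review bot: The neverallow block added in the second hunk (the `full_treble_only` section following `}:sock_file ...`) constrains coredomain access to vendor_app_file and vendor_overlay_file only; vendor_framework_file, whose domain-wide allow is removed in the first hunk under the topic "restrict access for /vendor/framework", gets no neverallow here, so a future `allow <coredomain> vendor_framework_file ...` would reintroduce broad access with no compile-time check. Unless such a rule exists elsewhere in domain.te, I would add a parallel pair, `neverallow { coredomain -dex2oat -init <other exempted domains> } vendor_framework_file:dir { getattr open read search };` plus the matching `:{ file lnk_file } r_file_perms;` rule, with the exemption list confirmed against the domains actually granted access in this topic. Separately, each exemption list is written out twice (once for the dir rule, once for the file/lnk_file rule), so a domain added to one list and not the other would pass silently; a comment above each pair such as `# Keep the two exemption lists below identical` or an m4 define for the set would reduce that risk. Both domain.te hunks are cut from a larger full_treble_only block whose start and end lie outside this view.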
...@@ -9,3 +9,9 @@ allow idmap resourcecache_data_file:file { getattr read write }; ...@@ -9,3 +9,9 @@ allow idmap resourcecache_data_file:file { getattr read write };
# Open and read from target and overlay apk files passed by argument. # Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms; allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search; allow idmap apk_data_file:dir search;
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)
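Review bot: Both comments added in this hunk say `# Allow apps access to ...`, copied from app.te, but the rules grant the idmap domain, not apps. Reword them to describe idmap's own need, e.g. a single `# Read target and overlay APKs under /vendor/app and /vendor/overlay` above the two r_dir_file lines, consistent with the existing `# Open and read from target and overlay apk files passed by argument.` comment earlier in the hunk. Only this hunk of idmap.te is visible.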
...@@ -27,6 +27,8 @@ selinux_check_context(installd) ...@@ -27,6 +27,8 @@ selinux_check_context(installd)
r_dir_file(installd, rootfs) r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app # Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file) r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
# Get file context # Get file context
allow installd file_contexts_file:file r_file_perms; allow installd file_contexts_file:file r_file_perms;
# Get seapp_context # Get seapp_context
......