Fix CTS regressions

Commit 7688161c "hal_*_(client|server) => hal(client|server)domain" added neverallow rules on hal_*_client attributes while simultaneously expanding these attribute which causes them to fail CTS neverallow tests. Remove these neverallow rules as they do not impose specific security properties that we want to enforce. Modify Other neverallow failures which were imposed on hal_foo attributes and should have been enforced on hal_foo_server attributes instead. Bug: 69566734 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed remaining failure appears to be caused by b/68133473 Change-Id: I83dcb33c3a057f126428f88a90b95f3f129d9f0e

Fix CTS regressions
ed876a5e · Jeff Vander Stoep · Jeffrey Vander Stoep · b9ea282c · ed876a5e · ed876a5e
Commit ed876a5e authored 7 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -462,8 +462,8 @@ neverallow {
  domain
  -adbd
  -dumpstate
-  -hal_drm
+  -hal_drm_server
-  -hal_cas
+  -hal_cas_server
  -init
  -mediadrmserver
  -recovery
@@ -503,7 +503,7 @@ neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file
 neverallow {
  domain
  userdebug_or_eng(`-domain') # exclude debuggable builds
-  -hal_bootctl
+  -hal_bootctl_server
  -init
  -uncrypt
  -update_engine

--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -23,11 +23,11 @@ allow hal_audio dumpstate:fifo_file write;
 ###
 # Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
 # Should never need network access.
 # Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
 # Only audio HAL may directly access the audio hardware
 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -23,10 +23,10 @@ allow hal_camera hal_allocator_server:fd use;
 # hal_camera should never execute any executable without a
 # domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
 # hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
 # Only camera HAL may directly access the camera hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -7,7 +7,7 @@ allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 # Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
+get_prop(hal_cas_server, serialno_prop)
 # Read files already opened under /data
 allow hal_cas system_data_file:file { getattr read };
@@ -29,7 +29,7 @@ allow hal_cas tee_device:chr_file rw_file_perms;
 # hal_cas should never execute any executable without a
 # domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -47,7 +47,7 @@ allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
 # hal_drm should never execute any executable without a
 # domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
--- a/public/te_macros
+++ b/public/te_macros
@@ -213,7 +213,6 @@ expandattribute hal_$1_client true;
 attribute hal_$1_server;
 expandattribute hal_$1_server false;
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
 neverallow { hal_$1_server -halserverdomain } domain:process fork;
 ')

--- a/public/vold.te
+++ b/public/vold.te
@@ -210,7 +210,7 @@ neverallow { domain -vold -init } restorecon_prop:property_service set;
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
  domain
-  -hal_keymaster
+  -hal_keymaster_server
  -healthd
  -hwservicemanager
  -servicemanager