Merge "Ban core components from accessing vendor data types" into oc-dev

am: 814edf8c Change-Id: I9a8cd19a081ab7731f8caf098e406d0af9ce9c48

Merge "Ban core components from accessing vendor data types" into oc-dev
f9b6368a · Jeffrey Vander Stoep · android-build-merger · 99575587 · 814edf8c · f9b6368a
Commit f9b6368a authored 7 years ago by Jeffrey Vander Stoep Committed by android-build-merger 7 years ago
--- a/public/attributes
+++ b/public/attributes
@@ -45,6 +45,10 @@ attribute core_data_file_type;
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;

 # All types use for sysfs files.
 attribute sysfs_type;

--- a/public/dhcp.te
+++ b/public/dhcp.te
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;

 net_domain(dhcp)


--- a/public/domain.te
+++ b/public/domain.te
@@ -516,6 +516,25 @@ full_treble_only(`
    -appdomain
    -coredata_in_vendor_violators
  } system_data_file:dir ~search;
+  # do not allow coredomains to directly access vendor data. Exempt init
+  # because it is responsible for dir/file creation in init.rc scripts.
+  # Also exempt halclientdomain to exclude rules for passthrough mode.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  # do not allow coredomain to access vendor data directories.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+    } { data_file_type -core_data_file_type }:dir *;
 ')

 # On full TREBLE devices, socket communications between core components and vendor components are

--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@ type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;

 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;