From 0d08d4721a8c18b7d5f7dccde467c3840c03b9a8 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 21 Oct 2014 10:09:33 -0400
Subject: [PATCH] Remove -unconfineddomain from neverallow rules.

With the sepolicy-analyze neverallow checking, attribute
expansion is performed against the device policy and therefore
we do not want our neverallow rules to exempt domains from
consideration based on an attribute (e.g. -unconfineddomain).
Otherwise, device policy could pass the neverallow check just
by adding more domains to unconfineddomain.  We could of course
add a CTS test to check the list of unconfineddomains against
a whitelist, but it seems desirable regardless to narrow these
neverallow rules to only the specific domains required.

There are three such neverallow rules in current policy: one
on creating unlabeled files, one on accessing /dev/hw_random, and
one on accessing a character device without a specific type.  The
only domain in unconfineddomain that appears to have a legitimate
need for any of these permissions is the init domain.  Replace
-unconfineddomain with -init in these neverallow rules, exclude these
permissions from unconfineddomain, and add these permissions to init if
not already explicitly allowed.  auditallow accesses by init to files
and character devices left in the generic device type so we can monitor
what is being left there, although it is not necessarily a problem unless
the file or device should be accessible to others.

Change-Id: If6ee1b1a337c834971c6eb21dada5810608babcf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te     | 11 ++++++-----
 init.te       | 18 ++++++++++++++++++
 unconfined.te |  5 ++++-
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/domain.te b/domain.te
index fcb813af5..385150694 100644
--- a/domain.te
+++ b/domain.te
@@ -170,8 +170,8 @@ auditallow { domain -service_manager_local_audit } service_manager_type:service_
 ### neverallow rules
 ###
 
-# Do not allow any confined domain to create new unlabeled files.
-neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set create;
+# Do not allow any domain other than init or recovery to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
@@ -231,7 +231,7 @@ neverallow domain kernel:security setbool;
 neverallow { domain -init } kernel:security setsecparam;
 
 # Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
+neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
 
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
@@ -258,8 +258,9 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
-# ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+# init is exempt from this as there are character devices that only it uses.
+# ueventd is exempt from this, as it is managing these devices.
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
diff --git a/init.te b/init.te
index d12cc230c..cce2e418c 100644
--- a/init.te
+++ b/init.te
@@ -106,6 +106,24 @@ allow init kernel:process setsched;
 # system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
 allow init swap_block_device:blk_file rw_file_perms;
 
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done.
+# TODO:  Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+auditallow init device:file create_file_perms;
+
+# Access character devices without a specific type,
+# e.g. /dev/keychord.
+# TODO: Move these devices into their own type unless they
+# are only ever accessed by init.
+allow init device:chr_file { rw_file_perms setattr };
+auditallow init device:chr_file { rw_file_perms setattr };
+
 ###
 ### neverallow rules
 ###
diff --git a/unconfined.te b/unconfined.te
index a76c3d8a9..1a5194232 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -55,6 +55,7 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
     -app_data_file
+    -unlabeled
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
@@ -69,8 +70,9 @@ allow unconfineddomain {
     -contextmount_type
     -rootfs
     -sdcard_type
+    -device
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
-allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
+allow unconfineddomain {dev_type -device -kmem_device -hw_random_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {
     file_type
     -keystore_data_file
@@ -80,6 +82,7 @@ allow unconfineddomain {
     -security_file
     -shell_data_file
     -app_data_file
+    -unlabeled
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
-- 
GitLab