From 2208f96e9e6264553fcc8a58b86f4f21a092468c Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Thu, 3 May 2018 17:00:16 -0700
Subject: [PATCH] Finer grained permissions for ctl. properties

Currently, permissions for ctl. property apply to each action verb, so if a domain has permissions for controlling service 'foo', then it can start, stop, and restart foo.

This change implements finer grainer permissions such that permission can be given to strictly start a given service, but not stop or restart it.

This new permission scheme is mandatory for the new control functions, sigstop_on, sigstop_off, interface_start, interface_stop, interface_restart.

Bug: 78511553
Test: see appropriate successes and failures based on permissions
Change-Id: Ibe0cc0d6028fb0ed7d6bcba626721e0d84cc20fa
---
 .../api/28.0/private/compat/26.0/26.0.cil | 2 +-
 .../28.0/private/compat/26.0/26.0.ignore.cil | 4 +++
 .../api/28.0/private/compat/27.0/27.0.cil | 2 +-
 .../28.0/private/compat/27.0/27.0.ignore.cil | 4 +++
 .../api/28.0/private/hwservicemanager.te | 3 +-
 prebuilts/api/28.0/private/property_contexts | 10 ++++++
 prebuilts/api/28.0/public/property.te | 35 +++++++++++++++++++
 private/compat/26.0/26.0.cil | 2 +-
 private/compat/26.0/26.0.ignore.cil | 4 +++
 private/compat/27.0/27.0.cil | 2 +-
 private/compat/27.0/27.0.ignore.cil | 4 +++
 private/hwservicemanager.te | 3 +-
 private/property_contexts | 10 ++++++
 public/property.te | 35 +++++++++++++++++++
 14 files changed, 112 insertions(+), 8 deletions(-)

diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
index 06befe0bf..0478a56b1 100644
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
@@ -118,7 +118,7 @@
 (typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
index 9b28ab451..c8edf9f7d 100644
--- a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
@@ -16,6 +16,10 @@
 broadcastradio_service
 cgroup_bpf
 crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
 e2fs
 e2fs_exec
 exfat
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
index 52760f791..dbe3e885b 100644
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
@@ -822,7 +822,7 @@
 (typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
index 5a6509e0b..610674830 100644
--- a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,10 @@
 bpfloader_exec
 cgroup_bpf
 crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
 exfat
 exported2_config_prop
 exported2_default_prop
diff --git a/prebuilts/api/28.0/private/hwservicemanager.te b/prebuilts/api/28.0/private/hwservicemanager.te
index 45b62d075..0705cc711 100644
--- a/prebuilts/api/28.0/private/hwservicemanager.te
+++ b/prebuilts/api/28.0/private/hwservicemanager.te
@@ -5,5 +5,4 @@ init_daemon_domain(hwservicemanager)
 
 add_hwservice(hwservicemanager, hidl_manager_hwservice)
 add_hwservice(hwservicemanager, hidl_token_hwservice)
-set_prop(hwservicemanager, ctl_default_prop)
-set_prop(hwservicemanager, ctl_dumpstate_prop)
+set_prop(hwservicemanager, ctl_interface_start_prop)
diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
index 1b2743284..32be0b377 100644
--- a/prebuilts/api/28.0/private/property_contexts
+++ b/prebuilts/api/28.0/private/property_contexts
@@ -104,6 +104,16 @@ ctl.bugreport u:object_r:ctl_bugreport_prop:s0
 ctl.console u:object_r:ctl_console_prop:s0
 ctl. u:object_r:ctl_default_prop:s0
 
+# Don't allow blind access to all services
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
 # NFC properties
 nfc. u:object_r:nfc_prop:s0
 
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
index c31210c0b..c9bcb8657 100644
--- a/prebuilts/api/28.0/public/property.te
+++ b/prebuilts/api/28.0/public/property.te
@@ -11,8 +11,15 @@ type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
 type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
 type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
 type dalvik_prop, property_type, core_property_type;
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
@@ -123,6 +130,27 @@ neverallow * {
 -vold_prop
 }:file no_rw_file_perms;
 
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
 compatible_property_only(`
 # Prevent properties from being set
 neverallow {
@@ -301,8 +329,15 @@ compatible_property_only(`
 -ctl_default_prop
 -ctl_dumpstate_prop
 -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
 -ctl_mdnsd_prop
+ -ctl_restart_prop
 -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
 -dalvik_prop
 -debug_prop
 -debuggerd_prop
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 06befe0bf..0478a56b1 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -118,7 +118,7 @@
 (typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9b28ab451..c8edf9f7d 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -16,6 +16,10 @@
 broadcastradio_service
 cgroup_bpf
 crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
 e2fs
 e2fs_exec
 exfat
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 52760f791..dbe3e885b 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -822,7 +822,7 @@
 (typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
 (typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 5a6509e0b..610674830 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -14,6 +14,10 @@
 bpfloader_exec
 cgroup_bpf
 crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
 exfat
 exported2_config_prop
 exported2_default_prop
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 45b62d075..0705cc711 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -5,5 +5,4 @@ init_daemon_domain(hwservicemanager)
 
 add_hwservice(hwservicemanager, hidl_manager_hwservice)
 add_hwservice(hwservicemanager, hidl_token_hwservice)
-set_prop(hwservicemanager, ctl_default_prop)
-set_prop(hwservicemanager, ctl_dumpstate_prop)
+set_prop(hwservicemanager, ctl_interface_start_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 1b2743284..32be0b377 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -104,6 +104,16 @@ ctl.bugreport u:object_r:ctl_bugreport_prop:s0
 ctl.console u:object_r:ctl_console_prop:s0
 ctl. u:object_r:ctl_default_prop:s0
 
+# Don't allow blind access to all services
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
 # NFC properties
 nfc. u:object_r:nfc_prop:s0
 
diff --git a/public/property.te b/public/property.te
index c31210c0b..c9bcb8657 100644
--- a/public/property.te
+++ b/public/property.te
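Review bot: The hunk for private/hwservicemanager.te drops `set_prop(hwservicemanager, ctl_dumpstate_prop)` along with the `ctl_default_prop` grant, but the commit message only describes the move to `ctl_interface_start_prop`. If hwservicemanager still sets `ctl.dumpstate` anywhere, that set is now denied, and because the same commit adds `dontaudit domain { ... ctl_dumpstate_prop ... }:property_service set` in public/property.te the denial would leave no audit record; please confirm the dumpstate grant was unused or state it in the description. Note also that `ctl_interface_start_prop` is attached to the bare `ctl.interface_start$` prefix in property_contexts, so this one rule still lets hwservicemanager start any service reachable through that prefix, presumably on purpose so declared interfaces can be started on demand; a one-line comment such as `# start any declared interface on demand; deliberately not limited to one service` would record that. The same change is mirrored in prebuilts/api/28.0/private/hwservicemanager.te.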
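Review bot: The new property_contexts entries all end in `$`, but the comment `# Don't allow blind access to all services` does not explain the key format, so a reader cannot tell whether `ctl.start$` is a prefix or an exact name, nor how to grant a domain a single service. From the key shapes and the commit message it appears init looks up `ctl.<verb>$<service>` for the new check, so the bare `ctl.<verb>$` entries are catch-alls matching every service and a more specific `ctl.<verb>$<service>` entry with its own type is what yields per-service permission; a comment stating that would make the scheme self-documenting, e.g. `# New-style keys are ctl.<verb>$<service>; the bare ctl.<verb>$ prefixes below match every service, add ctl.<verb>$<name> entries with their own types to restrict a domain to one service`. The legacy `ctl.` catch-all above still maps every other ctl name to ctl_default_prop, which is worth saying in the same comment. The same hunk appears in prebuilts/api/28.0/private/property_contexts.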
@@ -11,8 +11,15 @@ type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_dumpstate_prop, property_type;
 type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
 type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
 type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
 type dalvik_prop, property_type, core_property_type;
 type debuggerd_prop, property_type, core_property_type;
 type debug_prop, property_type, core_property_type;
@@ -123,6 +130,27 @@ neverallow * {
 -vold_prop
 }:file no_rw_file_perms;
 
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
 compatible_property_only(`
 # Prevent properties from being set
 neverallow {
@@ -301,8 +329,15 @@ compatible_property_only(`
 -ctl_default_prop
 -ctl_dumpstate_prop
 -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
 -ctl_mdnsd_prop
+ -ctl_restart_prop
 -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
 -dalvik_prop
 -debug_prop
 -debuggerd_prop
-- 
GitLab
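Review bot: The `dontaudit domain { ... ctl_default_prop ... }:property_service set` block in the second hunk of public/property.te silences every denied set on `ctl_default_prop`, and since property_contexts still maps the bare `ctl.` prefix to that type, any ctl name that has no newer typed entry — not only the legacy per-service names the comment describes — would be denied without an audit record if init checks such names against property_contexts; that removes the log evidence a defender would use to spot misconfigured or probing callers. If that is accepted, the comment should say so, e.g. `# This also hides denials for ctl.* names with no specific entry, since ctl. maps to ctl_default_prop`; otherwise the dontaudit could list only the per-service legacy types and leave ctl_default_prop audited. In the `ctl_sigstop_prop` neverallow just above it, the comment says only su should set the property, yet `init` and `vendor_init` are exempted without a stated reason; a line such as `# init/vendor_init exempt only because they carry blanket property_service rules, not as a grant` would keep the exemption from being read as permission for vendor init scripts. The same rules are duplicated in prebuilts/api/28.0/public/property.te.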