am f7e98fe2: Merge "recovery.te: add /data neverallow rules"

* commit 'f7e98fe2': recovery.te: add /data neverallow rules

am f7e98fe2: Merge "recovery.te: add /data neverallow rules"
* commit 'f7e98fe2': recovery.te: add /data neverallow rules
39f92a83 · Nick Kralevich · Android Git Automerger · 57df7115 · f7e98fe2 · 39f92a83
Commit 39f92a83 authored 10 years ago by Nick Kralevich Committed by Android Git Automerger 10 years ago
--- a/Android.mk
+++ b/Android.mk
@@ -83,6 +83,7 @@ sepolicy_build_files := security_classes \
                        initial_sids \
                        access_vectors \
                        global_macros \
+                        neverallow_macros \
                        mls_macros \
                        mls \
                        policy_capabilities \

--- a/domain.te
+++ b/domain.te
@@ -291,8 +291,8 @@ neverallow {
 } { fs_type -rootfs }:file execute;
 # Only the init property service should write to /data/property.
-neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
+neverallow { domain -init } property_data_file:file no_w_file_perms;
 # Only recovery should be doing writes to /system
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set

--- a/neverallow_macros
+++ b/neverallow_macros
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
--- a/recovery.te
+++ b/recovery.te
@@ -98,3 +98,20 @@ recovery_only(`
  # set scheduling parameters for a kernel domain task.
  allow recovery kernel:process setsched;
 ')
+###
+### neverallow rules
+###
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
+neverallow recovery data_file_type:dir no_w_dir_perms;