From 4a478c47f464f0f49f8802b3f49d03744450ac15 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 27 Mar 2017 22:44:40 -0700
Subject: [PATCH] Ban vendor components access to core data types

Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open file: stat/read/write/append. This commit marks core data types as core_data_file_type and bans access to non-core domains with an exemption for apps. A temporary exemption is also granted to domains that currently rely on access with TODOs and bug number for each exemption.

Bug: 34980020
Test: Build and boot Marlin. Make phone call, watch youtube video. No new denials observed.
Change-Id: I320dd30f9f0a5bf2f9bb218776b4bccdb529b197
---
 public/attributes | 6 ++
 public/domain.te | 42 +++++++-
 public/file.te | 132 +++++++++++++-------------
 public/perfprofd.te | 2 +-
 public/rild.te | 3 +
 public/tee.te | 1 -
 public/update_engine.te | 1 -
 vendor/hal_audio_default.te | 4 +
 vendor/hal_bluetooth_default.te | 4 +
 vendor/hal_camera_default.te | 5 +
 vendor/hal_drm_default.te | 4 +
 vendor/hal_fingerprint_default.te | 4 +
 vendor/hal_nfc_default.te | 4 +
 vendor/hal_wifi_supplicant_default.te | 4 +
 vendor/hostapd.te | 4 +
 15 files changed, 149 insertions(+), 71 deletions(-)

diff --git a/public/attributes b/public/attributes
index bfd53a34a..d9d123fd0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -39,6 +39,12 @@ attribute exec_type;
 
 # All types used for /data files.
 attribute data_file_type;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All vendor domains which violate the requirement of not accessing
+# data outside /data/vendor.
+# TODO(b/34980020): Remove this once there are no violations
+attribute coredata_in_vendor_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;
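Review bot: `core_data_file_type` is assigned by hand per type in file.te and nothing ties it to `data_file_type`, so a type added later with only `file_type, data_file_type` silently falls outside the vendor-access neverallows in domain.te; the attribute comment should state that obligation, e.g. `# Every data_file_type outside /data/vendor must also carry this attribute;` / `# a type that omits it is not covered by the neverallows in domain.te.`. The description "All types in /data, not in /data/vendor" is also narrower than the tagging in file.te, which applies the attribute to `asec_apk_file` and `asec_public_file` (commented there as /mnt/asec); "all core (non-vendor) data file types" would describe the set accurately. A build-time check that every data_file_type is either core_data_file_type or a vendor data type would make the first point enforceable, if the policy tooling allows it.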
diff --git a/public/domain.te b/public/domain.te
index b498cda4d..3ed451a15 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -106,7 +106,8 @@ allow domain system_file:lnk_file { getattr read };
 allow domain sysfs:lnk_file read;
 
 # libc references /data/misc/zoneinfo for timezone related information
-r_dir_file(domain, zoneinfo_data_file)
+not_full_treble(`r_dir_file(domain, zoneinfo_data_file)')
+r_dir_file({ coredomain appdomain }, zoneinfo_data_file)
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
@@ -114,8 +115,11 @@ r_dir_file(domain, sysfs_devices_system_cpu)
 r_dir_file(domain, sysfs_usb);
 
 # files under /data.
-allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:lnk_file read;
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
 
 # required by the dynamic linker
 allow domain proc:lnk_file { getattr read };
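Review bot: `allow domain system_data_file:lnk_file read;` is removed outright, with no `not_full_treble` fallback and no `{ coredomain appdomain }` replacement like the ones given to the dir getattr rule beside it, so after this hunk this file grants symlink read on system_data_file to no domain at all, core included. The commit message only describes restricting vendor components, so unless lnk_file read on system_data_file is granted somewhere outside this hunk, core domains that follow symlinks under /data will start seeing denials here; mirroring the getattr treatment (a not_full_treble-wrapped rule for all domains plus a `{ coredomain appdomain }` rule for `lnk_file read`) would keep the intended scope. If the drop is deliberate, a one-line comment saying why would stop the next reader from re-adding it.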
@@ -444,6 +448,38 @@ full_treble_only(`
 -appdomain
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 } servicemanager:binder { call transfer };
+
+ ##
+ # On full TREBLE devices core android components and vendor components may
+ # not directly access each other's data types. All communication must occur
+ # over HW binder. Open file descriptors may be passed and read/write/stat
+ # operations my be performed on those FDs. Disallow all other operations.
+ #
+ # do not allow vendor component access to coredomains' data types
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -coredata_in_vendor_violators
+ } core_data_file_type:{
+ file_class_set
+ } ~{ append getattr ioctl read write };
+ # do not allow vendor component access to coredomains' data directories.
+ # /data has the system_data_file type. Allow all domains to have dir
+ # search permissions which allows path traversal.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -coredata_in_vendor_violators
+ } { core_data_file_type -system_data_file }:dir *;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -coredata_in_vendor_violators
+ } system_data_file:dir ~search;
+
 ')
 
 # On full TREBLE devices, socket communications between core components and vendor components are
diff --git a/public/file.te b/public/file.te
index fd7b048ca..21d574468 100644
--- a/public/file.te
+++ b/public/file.te
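Review bot: The header comment says only read/write/stat may be performed on passed FDs, but the first neverallow's exemption set is `{ append getattr ioctl read write }`, so `ioctl` and `append` are also left open to vendor domains on every core file class, and ioctl in particular is a much wider surface than the three operations named; the comment should list what the rule actually permits, and "my be" is a typo: `# over HW binder. Open file descriptors may be passed and append/getattr/ioctl/read/write` / `# operations may be performed on those FDs. Disallow all other operations.`. If ioctl is only needed for a handful of commands, a `neverallowxperm` on the ioctl range would match the stated intent better than a blanket exemption. The comment also claims core and vendor may not access "each other's" data types, yet the three rules here only cover the vendor-to-core direction; if the reverse rule lives elsewhere a pointer would help, otherwise the wording over-claims. The full_treble_only block these rules are added to starts before the hunk.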
@@ -87,54 +87,54 @@ type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Default type for anything under /data.
-type system_data_file, file_type, data_file_type;
+type system_data_file, file_type, data_file_type, core_data_file_type;
 # Unencrypted data
-type unencrypted_data_file, file_type, data_file_type;
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
 # /data/.layout_version or other installd-created files that
 # are created in a system_data_file directory.
-type install_data_file, file_type, data_file_type;
+type install_data_file, file_type, data_file_type, core_data_file_type;
 # /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type;
+type drm_data_file, file_type, data_file_type, core_data_file_type;
 # /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type;
+type adb_data_file, file_type, data_file_type, core_data_file_type;
 # /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, mlstrustedobject;
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, mlstrustedobject;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type;
-type apk_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type;
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota
-type ota_data_file, file_type, data_file_type;
+type ota_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota_package
-type ota_package_file, file_type, data_file_type, mlstrustedobject;
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profiles
-type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type;
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
 # /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type;
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
 # /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/property
-type property_data_file, file_type, data_file_type;
+type property_data_file, file_type, data_file_type, core_data_file_type;
 # /data/bootchart
-type bootchart_data_file, file_type, data_file_type;
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, mlstrustedobject;
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/nativetest
-type nativetest_data_file, file_type, data_file_type;
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 # /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, mlstrustedobject;
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/preloads
-type preloads_data_file, file_type, data_file_type;
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
-type preloads_media_file, file_type, data_file_type;
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
@@ -152,41 +152,43 @@ type postinstall_mnt_dir, file_type;
 type postinstall_file, file_type;
 
 # /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type;
-type audio_data_file, file_type, data_file_type;
-type audiohal_data_file, file_type, data_file_type;
-type audioserver_data_file, file_type, data_file_type;
-type bluetooth_data_file, file_type, data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type;
-type bootstat_data_file, file_type, data_file_type;
-type boottrace_data_file, file_type, data_file_type;
-type camera_data_file, file_type, data_file_type;
-type gatekeeper_data_file, file_type, data_file_type;
-type incident_data_file, file_type, data_file_type;
-type keychain_data_file, file_type, data_file_type;
-type keystore_data_file, file_type, data_file_type;
-type media_data_file, file_type, data_file_type;
-type media_rw_data_file, file_type, data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type;
-type net_data_file, file_type, data_file_type;
-type nfc_data_file, file_type, data_file_type;
-type radio_data_file, file_type, data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type;
-type recovery_data_file, file_type, data_file_type;
-type shared_relro_file, file_type, data_file_type;
-type systemkeys_data_file, file_type, data_file_type;
-type vpn_data_file, file_type, data_file_type;
-type wifi_data_file, file_type, data_file_type;
-type zoneinfo_data_file, file_type, data_file_type;
-type vold_data_file, file_type, data_file_type;
-type perfprofd_data_file, file_type, data_file_type, mlstrustedobject;
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 
 # /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, mlstrustedobject;
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type;
 # /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Compatibility with type name used in Android 4.3 and 4.4.
 # Default type for anything under /cache
 type cache_file, file_type, mlstrustedobject;
@@ -199,27 +201,27 @@ type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, mlstrustedobject;
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, mlstrustedobject;
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Type for user icon file.
-type icon_file, file_type, data_file_type;
+type icon_file, file_type, data_file_type, core_data_file_type;
 # /mnt/asec
-type asec_apk_file, file_type, data_file_type, mlstrustedobject;
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type;
+type asec_public_file, file_type, data_file_type, core_data_file_type;
 # /data/app-asec
-type asec_image_file, file_type, data_file_type;
+type asec_image_file, file_type, data_file_type, core_data_file_type;
 # /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, mlstrustedobject;
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type;
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 # Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, mlstrustedobject;
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
 type adbd_socket, file_type;
diff --git a/public/perfprofd.te b/public/perfprofd.te
index eed7e5848..499e2a91f 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -3,7 +3,7 @@ type perfprofd_exec, exec_type, file_type;
 userdebug_or_eng(`
- type perfprofd, domain, domain_deprecated, mlstrustedsubject;
+ type perfprofd, domain, domain_deprecated, mlstrustedsubject, coredomain;
 # perfprofd needs to control CPU hot-plug in order to avoid kernel
 # perfevents problems in cases where CPU goes on/off during measurement;
diff --git a/public/rild.te b/public/rild.te
index e4b018690..77f146ba5 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -19,6 +19,9 @@ allow rild efs_file:file create_file_perms;
 allow rild shell_exec:file rx_file_perms;
 allow rild bluetooth_efs_file:file r_file_perms;
 allow rild bluetooth_efs_file:dir r_dir_perms;
+# TODO (b/36601950) remove RILD's access to radio_data_file and
+# system_data_file. Remove coredata_in_vendor_violators attribute.
+typeattribute rild coredata_in_vendor_violators;
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
 allow rild sdcard_type:dir r_dir_perms;
diff --git a/public/tee.te b/public/tee.te
index a95be8834..45242817c 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -4,7 +4,6 @@ type tee, domain, domain_deprecated;
 type tee_exec, exec_type, file_type;
 type tee_device, dev_type;
-type tee_data_file, file_type, data_file_type;
 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
diff --git a/public/update_engine.te b/public/update_engine.te
index 33eb2a80e..69ee7c850 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,7 +1,6 @@
 # Domain for update_engine daemon.
 type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
-type update_engine_data_file, file_type, data_file_type;
 
 net_domain(update_engine);
 
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index d20063ffa..79c0814c7 100644
--- a/vendor/hal_audio_default.te
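Review bot: Tagging rild with `coredata_in_vendor_violators` lifts all three new neverallows for every `core_data_file_type`, while the TODO names only radio_data_file and system_data_file, the two types rild is actually granted in the lines below; the same all-or-nothing exemption is applied in the hal_audio_default, hal_bluetooth_default, hal_camera_default, hal_drm_default, hal_fingerprint_default, hal_nfc_default, hal_wifi_supplicant_default and hostapd hunks. A per-domain neverallow that excludes only the types the TODO lists would keep the ban effective for everything else while the migration is pending, e.g. `neverallow rild { core_data_file_type -radio_data_file -system_data_file }:{ file_class_set } *;` — rild's other data accesses are not visible in this hunk, so the excluded set needs checking against the rest of rild.te before adding it. Minor style: these new comments are written `TODO (b/...)` while the existing ones in the same files use `TODO(b/...)`.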
+++ b/vendor/hal_audio_default.te
@@ -7,3 +7,7 @@ init_daemon_domain(hal_audio_default)
 hal_client_domain(hal_audio_default, hal_allocator)
 
 typeattribute hal_audio_default socket_between_core_and_vendor_violators;
+# TODO (b/36601590) move hal_audio's data file to
+# /data/vendor/hardware/hal_audio. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_audio_default coredata_in_vendor_violators;
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index d22015b72..54f2abf40 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -7,3 +7,7 @@ init_daemon_domain(hal_bluetooth_default)
 # Logging for backward compatibility
 allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
 allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
+
+# TODO (b/36602160) Remove hal_bluetooth's access to the Bluetooth app's
+# data type. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_bluetooth_default coredata_in_vendor_violators;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8fdb4f009..449f15915 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -3,3 +3,8 @@ hal_server_domain(hal_camera_default, hal_camera)
 
 type hal_camera_default_exec, exec_type, file_type;
 init_daemon_domain(hal_camera_default)
+
+# TODO (b/36601397) move hal_camera's data file to
+# /data/vendor/hardware/hal_camera. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_camera_default coredata_in_vendor_violators;
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index 77e66095e..c779711c9 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -9,3 +9,7 @@ allow hal_drm_default { appdomain -isolated_app }:fd use;
 
 # TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
 typeattribute hal_drm_default socket_between_core_and_vendor_violators;
+# TODO (b/36601695) remove hal_drm's access to /data or move to
+# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
+# attribute.
+typeattribute hal_drm_default coredata_in_vendor_violators;
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 2b9001ebd..5f5de7e70 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -3,3 +3,7 @@ hal_server_domain(hal_fingerprint_default, hal_fingerprint)
 
 type hal_fingerprint_default_exec, exec_type, file_type;
 init_daemon_domain(hal_fingerprint_default)
+
+# TODO (b/36644492) move hal_fingerprint's data file to
+# /data/vendor/. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_fingerprint_default coredata_in_vendor_violators;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index b155f27d3..eb2bd818e 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -3,3 +3,7 @@ hal_server_domain(hal_nfc_default, hal_nfc)
 
 type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
+
+# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
+# data type. Remove coredata_in_vendor_violators attribute.
+typeattribute hal_nfc_default coredata_in_vendor_violators;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 5e49605ff..1ee95bb3d 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -10,3 +10,7 @@ type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "socke
 
 # TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
 typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
+# TODO (b/36645291) Move hal_wifi_supplicant's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+# wpa supplicant or equivalent
+typeattribute hal_wifi_supplicant_default coredata_in_vendor_violators;
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index 02bafaa93..e7d83082e 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -31,3 +31,7 @@ r_dir_file(hostapd, wifi_data_file)
 allow hostapd hostapd_socket:dir create_dir_perms;
 # hostapd needs to create, bind to, read, and write its control socket.
 allow hostapd hostapd_socket:sock_file create_file_perms;
+
+# TODO (b/36646171) Move hostapd's data access to /data/vendor
+# Remove coredata_in_vendor_violators attribute.
+typeattribute hostapd coredata_in_vendor_violators;
--
GitLab
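Review bot: The added comment line `# wpa supplicant or equivalent` sits between the TODO and the `typeattribute` statement but relates to neither, so it reads as a stray leftover that will confuse whoever later removes the exemption; either fold it into the TODO (`# TODO (b/36645291) Move hal_wifi_supplicant's (wpa_supplicant or equivalent) data access to /data/vendor.`) or drop it. The hostapd hunk below adds the equivalent exemption without such a line, and the two TODOs should read the same way.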