Neverallow coredomain to kernel interface files.

Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to): 1. /proc 2. /sys 3. /dev 4. debugfs 5. tracefs 6. inotifyfs 7. pstorefs 8. configfs 9. functionfs 10. usbfs 11. binfmt_miscfs We keep a lists of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces. Bug: 68159582 Test: bullhead, sailfish can build Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5

Neverallow coredomain to kernel interface files.
Core domains should not be allowed access to kernel interfaces, which are not explicitly labeled. These interfaces include (but are not limited to): 1. /proc 2. /sys 3. /dev 4. debugfs 5. tracefs 6. inotifyfs 7. pstorefs 8. configfs 9. functionfs 10. usbfs 11. binfmt_miscfs We keep a lists of exceptions to the rule, which we will be gradually shrinking. This will help us prevent accidental regressions in our efforts to label kernel interfaces. Bug: 68159582 Test: bullhead, sailfish can build Change-Id: I8e466843e1856720f30964546c5c2c32989fa3a5
502e43f7 · Tri Vo · 61dc5fb2 · 502e43f7
Commit 502e43f7 authored 7 years ago by Tri Vo
--- a/private/domain.te
+++ b/private/domain.te
@@ -16,3 +16,119 @@ neverallow {
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+  # /proc
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -platform_app
+    -priv_app
+    -radio
+    -shell
+    -system_app
+    -vold
+    -vendor_init
+  } proc:file no_rw_file_perms;
+  # /sys
+  neverallow {
+    coredomain
+    -charger
+    -dumpstate
+    -healthd
+    -init
+    -mediaserver
+    -priv_app
+    -radio
+    -storaged
+    -system_app
+    -system_server
+    -ueventd
+    -update_verifier
+    -vold
+    -vendor_init
+  } sysfs:file no_rw_file_perms;
+  # /dev
+  neverallow {
+    coredomain
+    -fsck
+    -init
+    -shell
+    -ueventd
+    -vendor_init
+  } device:{ blk_file file } no_rw_file_perms;
+  # debugfs
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -system_server
+    -vendor_init
+  } debugfs:file no_rw_file_perms;
+  # tracefs
+  neverallow {
+    coredomain
+    -atrace
+    -dumpstate
+    -init
+    -perfprofd
+    -shell
+    -vendor_init
+  } debugfs_tracing:file no_rw_file_perms;
+  # inotifyfs
+  neverallow {
+    coredomain
+    -init
+    -vendor_init
+  } inotify:file no_rw_file_perms;
+  # pstorefs
+  neverallow {
+    coredomain
+    -bootstat
+    -charger
+    -dumpstate
+    -healthd
+    -init
+    -logd
+    -logpersist
+    -recovery_persist
+    -recovery_refresh
+    -shell
+    -system_server
+    -vendor_init
+  } pstorefs:file no_rw_file_perms;
+  # configfs
+  neverallow {
+    coredomain
+    -init
+    -system_server
+    -vendor_init
+  } configfs:file no_rw_file_perms;
+  # functionfs
+  neverallow {
+    coredomain
+    -adbd
+    -init
+    -mediaprovider
+    -vendor_init
+  }functionfs:file no_rw_file_perms;
+  # usbfs and binfmt_miscfs
+  neverallow {
+    coredomain
+    -init
+    -vendor_init
+  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')