More granular vendor access to /system files.

This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*

Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4

private/compat/26.0/26.0.cil

@@ -652,7 +652,13 @@
   ( system_data_file
     dropbox_data_file
     vendor_data_file))
-(typeattributeset system_file_26_0 (system_file))
+(typeattributeset system_file_26_0
+  ( system_file
+    system_lib_file
+    system_linker_config_file
+    system_linker_exec
+    system_seccomp_policy_file
+    system_security_cacerts_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
 (typeattributeset system_prop_26_0 (system_prop))

private/compat/27.0/27.0.cil

@@ -1369,7 +1369,13 @@
   ( system_data_file
     dropbox_data_file
     vendor_data_file))
-(typeattributeset system_file_27_0 (system_file))
+(typeattributeset system_file_27_0
+  ( system_file
+    system_lib_file
+    system_linker_config_file
+    system_linker_exec
+    system_seccomp_policy_file
+    system_security_cacerts_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))

private/compat/28.0/28.0.cil

@@ -1567,7 +1567,13 @@
 (typeattributeset system_data_file_28_0
   ( dropbox_data_file
     system_data_file))
-(typeattributeset system_file_28_0 (system_file))
+(typeattributeset system_file_28_0
+  ( system_file
+    system_lib_file
+    system_linker_config_file
+    system_linker_exec
+    system_seccomp_policy_file
+    system_security_cacerts_file))
 (typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))

private/file_contexts

@@ -186,6 +186,7 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
+/system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
@@ -249,6 +250,7 @@
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
+/system/bin/linker(_asan)?(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
@@ -281,6 +283,9 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
+/system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
@@ -439,6 +444,7 @@
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0

public/domain.te

@@ -152,14 +152,30 @@ allow domain vold:key search;
 # logd access
 write_logd(domain)
 
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr map };
+# Directory/link file access for path resolution.
+allow domain {
+    system_file
+    system_lib_file
+    system_seccomp_policy_file
+    system_security_cacerts_file
+}:dir r_dir_perms;
 allow domain system_file:lnk_file { getattr read };
 
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+
+allow { appdomain coredomain } system_file:file { execute read open getattr map };
+
 # Make sure system/vendor split doesn not affect non-treble
 # devices
 not_full_treble(`
+    allow domain system_file:file { execute read open getattr map };
     allow domain vendor_file_type:dir { search getattr };
     allow domain vendor_file_type:file { execute read open getattr map };
     allow domain vendor_file_type:lnk_file { getattr read };
@@ -202,7 +218,8 @@ full_treble_only(`
 # read and stat any sysfs symlinks
 allow domain sysfs:lnk_file { getattr read };
 
-# libc references /data/misc/zoneinfo for timezone related information
+# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
+# timezone related information.
 # This directory is considered to be a VNDK-stable
 allow domain zoneinfo_data_file:file r_file_perms;
 allow domain zoneinfo_data_file:dir r_dir_perms;
@@ -438,6 +455,8 @@ neverallow {
 } {
     file_type
     -system_file
+    -system_lib_file
+    -system_linker_exec
     -vendor_file_type
     -exec_type
     -postinstall_file
@@ -859,8 +878,9 @@ full_treble_only(`
   } {
     core_data_file_type
     # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
-    # vndk-stable and thus must be allowed for all processes.
+    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
+    # These functions are considered vndk-stable and thus must be allowed for
+    # all processes.
     -zoneinfo_data_file
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
@@ -1019,6 +1039,7 @@ full_treble_only(`
         -vendor_init
     } {
         exec_type
+        -system_linker_exec
         -vendor_file_type
         -crash_dump_exec
         -netutils_wrapper_exec
@@ -1079,6 +1100,18 @@ full_treble_only(`
   }:file *;
 ')
 
+# TODO(b/111243627): Uncomment once all violations are cleaned up.
+#full_treble_only(`
+#  # Do not allow vendor components access to /system files except for the
+#  # ones whitelisted here.
+#  neverallow {
+#    domain
+#    -appdomain
+#    -coredomain
+#    -vendor_executes_system_violators
+#  } system_file:file *;
+#')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain

public/file.te

@@ -132,6 +132,16 @@ type unlabeled, file_type;
 
 # Default type for anything under /system.
 type system_file, file_type;
+# Default type for anything under /system/lib[64].
+type system_lib_file, file_type;
+# Default type for linker executable /system/bin/linker[64].
+type system_linker_exec, exec_type, file_type;
+# Default type for linker config /system/etc/ld.config.*.
+type system_linker_config_file, file_type;
+# Default type for linker config /system/etc/seccomp_policy/*.
+type system_seccomp_policy_file, file_type;
+# Default type for cacerts in /system/etc/security/cacerts/*.
+type system_security_cacerts_file, file_type;
 
 # Default type for directories search for
 # HAL implementations

public/hal_drm.te

@@ -12,11 +12,6 @@ allow hal_drm self:process execmem;
 # Permit reading device's serial number from system properties
 get_prop(hal_drm, serialno_prop)
 
-# System file accesses
-allow hal_drm system_file:dir r_dir_perms;
-allow hal_drm system_file:file r_file_perms;
-allow hal_drm system_file:lnk_file r_file_perms;
-
 # Read files already opened under /data
 allow hal_drm system_data_file:file { getattr read };
 

public/hal_health.te

@@ -4,11 +4,6 @@ binder_call(hal_health_server, hal_health_client)
 
 hal_attribute_hwservice(hal_health, hal_health_hwservice)
 
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_health, system_file)
-
 # Common rules for a health service.
 
 # Allow to listen to uevents for updates

public/hal_telephony.te

@@ -39,7 +39,6 @@ wakelock_use(hal_telephony_server)
 
 r_dir_file(hal_telephony_server, proc_net_type)
 r_dir_file(hal_telephony_server, sysfs_type)
-r_dir_file(hal_telephony_server, system_file)
 
 # granting the ioctl permission for hal_telephony_server should be device specific
 allow hal_telephony_server self:socket create_socket_perms_no_ioctl;

public/healthd.te

@@ -12,10 +12,6 @@ allow healthd sysfs:dir r_dir_perms;
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
 
-# Read access to system files for passthrough HALs in
-# /{system,vendor,odm}/lib[64]/hw/
-r_dir_file(healthd, system_file)
-
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
 

vendor/hal_gnss_default.te

@@ -3,8 +3,3 @@ hal_server_domain(hal_gnss_default, hal_gnss)
 
 type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_default)
-
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_gnss, system_file)