Introduce system_file_type

system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

Introduce system_file_type
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
5e37271d · Nick Kralevich · ff1c765f · 5e37271d · 5e37271d · 5e37271d
Commit 5e37271d authored 6 years ago by Nick Kralevich
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -2,7 +2,7 @@
 # It is spawned either by traced_probes or by init for the boottrace service.

 type atrace, domain, coredomain;
-type atrace_exec, exec_type, file_type;
+type atrace_exec, exec_type, file_type, system_file_type;

 # boottrace services uses /data/misc/boottrace/categories
 allow atrace boottrace_data_file:dir search;

--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -2,7 +2,7 @@

 typeattribute audioserver coredomain;

-type audioserver_exec, exec_type, file_type;
+type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)

 r_dir_file(audioserver, sdcard_type)

--- a/private/blank_screen.te
+++ b/private/blank_screen.te
 type blank_screen, domain, coredomain;
-type blank_screen_exec, exec_type, file_type;
+type blank_screen_exec, exec_type, file_type, system_file_type;

 init_daemon_domain(blank_screen)


--- a/private/blkid.te
+++ b/private/blkid.te
@@ -2,7 +2,7 @@

 typeattribute blkid coredomain;

-type blkid_exec, exec_type, file_type;
+type blkid_exec, system_file_type, exec_type, file_type;

 # Allowed read-only access to encrypted devices to extract UUID/label
 allow blkid block_device:dir search;

--- a/private/bpfloader.te
+++ b/private/bpfloader.te
 # bpf program loader
 type bpfloader, domain;
-type bpfloader_exec, exec_type, file_type;
+type bpfloader_exec, system_file_type, exec_type, file_type;
 typeattribute bpfloader coredomain;

 # Process need CAP_NET_ADMIN to run bpf programs as cgroup filter

--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
 # dexoptanalyzer
 type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, exec_type, file_type;
+type dexoptanalyzer_exec, system_file_type, exec_type, file_type;

 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their

--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
 type hal_allocator_default, domain, coredomain;
 hal_server_domain(hal_allocator_default, hal_allocator)

-type hal_allocator_default_exec, exec_type, file_type;
+type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
--- a/private/hal_system_suspend_default.te
+++ b/private/hal_system_suspend_default.te
 type hal_system_suspend_default, domain, coredomain;
 hal_server_domain(hal_system_suspend_default, hal_system_suspend)

-type hal_system_suspend_default_exec, exec_type, file_type;
+type hal_system_suspend_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_system_suspend_default)
--- a/private/incident.te
+++ b/private/incident.te
 typeattribute incident coredomain;

-type incident_exec, exec_type, file_type;
+type incident_exec, system_file_type, exec_type, file_type;

 # switch to incident domain for incident command
 domain_auto_trans(shell, incident_exec, incident)

--- a/private/incident_helper.te
+++ b/private/incident_helper.te
 typeattribute incident_helper coredomain;

-type incident_helper_exec, exec_type, file_type;
+type incident_helper_exec, system_file_type, exec_type, file_type;

 # switch to incident_helper domain for incident_helper command
 domain_auto_trans(incidentd, incident_helper_exec, incident_helper)

--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -2,7 +2,7 @@ typeattribute incidentd coredomain;
 typeattribute incidentd mlstrustedsubject;

 init_daemon_domain(incidentd)
-type incidentd_exec, exec_type, file_type;
+type incidentd_exec, system_file_type, exec_type, file_type;
 binder_use(incidentd)
 wakelock_use(incidentd)


--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -3,7 +3,7 @@
 typeattribute mdnsd coredomain;
 typeattribute mdnsd mlstrustedsubject;

-type mdnsd_exec, exec_type, file_type;
+type mdnsd_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(mdnsd)

 net_domain(mdnsd)

--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -4,7 +4,7 @@
 # daemon.

 type perfetto, domain, coredomain;
-type perfetto_exec, exec_type, file_type;
+type perfetto_exec, system_file_type, exec_type, file_type;

 tmpfs_domain(perfetto);


--- a/private/stats.te
+++ b/private/stats.te
 type stats, domain;
 typeattribute stats coredomain;
-type stats_exec, exec_type, file_type;
+type stats_exec, system_file_type, exec_type, file_type;

 # switch to stats domain for stats command
 domain_auto_trans(shell, stats_exec, stats)

--- a/private/storaged.te
+++ b/private/storaged.te
 # storaged daemon
 type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, exec_type, file_type;
+type storaged_exec, system_file_type, exec_type, file_type;

 init_daemon_domain(storaged)


--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -2,7 +2,7 @@

 typeattribute surfaceflinger coredomain;

-type surfaceflinger_exec, exec_type, file_type;
+type surfaceflinger_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(surfaceflinger)

 typeattribute surfaceflinger mlstrustedsubject;

--- a/private/traced.te
+++ b/private/traced.te
 # Perfetto user-space tracing daemon (unprivileged)
 type traced, domain, coredomain, mlstrustedsubject;
-type traced_exec, exec_type, file_type;
+type traced_exec, system_file_type, exec_type, file_type;

 # Allow init to exec the daemon.
 init_daemon_domain(traced)

--- a/private/traced_probes.te
+++ b/private/traced_probes.te
 # Perfetto tracing probes, has tracefs access.
-type traced_probes_exec, exec_type, file_type;
+type traced_probes_exec, system_file_type, exec_type, file_type;

 # Allow init to exec the daemon.
 init_daemon_domain(traced_probes)

--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
 # wait_for_keymaster service
 type wait_for_keymaster, domain, coredomain;
-type wait_for_keymaster_exec, exec_type, file_type;
+type wait_for_keymaster_exec, system_file_type, exec_type, file_type;

 init_daemon_domain(wait_for_keymaster)


--- a/public/adbd.te
+++ b/public/adbd.te
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
-type adbd_exec, exec_type, file_type;
+type adbd_exec, exec_type, file_type, system_file_type;

 # Only init is allowed to enter the adbd domain via exec()
 neverallow { domain -init } adbd:process transition;