From 621c24cbab278416d8a17eeb26188cc0a3f38418 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Thu, 28 Sep 2017 14:34:36 -0700
Subject: [PATCH] add vendor_init.te
First pass at adding vendor_init.te
Bug: 62875318
Test: boot sailfish with vendor_init
Change-Id: I35cc9be324075d8baae866d6de4166c37fddac68
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/init.te | 1 +
 private/vendor_init.te | 2 +
 public/domain.te | 13 +-
 public/vendor_init.te | 210 ++++++++++++++++++++++++++++
 5 files changed, 225 insertions(+), 2 deletions(-)
 create mode 100644 private/vendor_init.te
 create mode 100644 public/vendor_init.te
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 23b829977..1d8351d99 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -34,6 +34,7 @@
 thermalserviced_tmpfs
 timezone_service
 tombstoned_java_trace_socket
+ vendor_init
 vold_prepare_subdirs
 vold_prepare_subdirs_exec
 vold_service
diff --git a/private/init.te b/private/init.te
index 5c23f66f1..546486508 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,6 +14,7 @@ recovery_only(`
 domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, watchdogd)
+domain_trans(init, init_exec, vendor_init)
 domain_trans(init, { rootfs toolbox_exec }, modprobe)
 # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
diff --git a/private/vendor_init.te b/private/vendor_init.te
new file mode 100644
index 000000000..c99d96f81
--- /dev/null
+++ b/private/vendor_init.te
@@ -0,0 +1,2 @@
+typeattribute vendor_init coredomain;
+
diff --git a/public/domain.te b/public/domain.te
index 4b771dce7..914ef9776 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -321,7 +321,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
@@ -464,6 +464,7 @@ neverallow {
 -recovery
 -shell
 -system_server
+ -vendor_init
 } serialno_prop:file r_file_perms;
 # Do not allow reading the last boot timestamp from system properties
@@ -658,6 +659,7 @@ full_treble_only(`
 -init
 -ueventd
 -socket_between_core_and_vendor_violators
+ -vendor_init
 } {
 file_type
 dev_type
@@ -680,6 +682,7 @@ full_treble_only(`
 -installd
 -postinstall_dexopt
 -system_server
+ -vendor_init
 } vendor_app_file:dir { open read getattr search };
 neverallow {
@@ -691,6 +694,7 @@ full_treble_only(`
 -installd
 -postinstall_dexopt
 -system_server
+ -vendor_init
 } vendor_app_file:{ file lnk_file } r_file_perms;
 # Limit access to /vendor/overlay
@@ -702,6 +706,7 @@ full_treble_only(`
 -installd
 -system_server
 -zygote
+ -vendor_init
 } vendor_overlay_file:dir { getattr open read search };
 neverallow {
@@ -712,6 +717,7 @@ full_treble_only(`
 -installd
 -system_server
 -zygote
+ -vendor_init
 } vendor_overlay_file:{ file lnk_file } r_file_perms;
 # Non-vendor domains are not allowed to file execute shell
@@ -719,6 +725,7 @@ full_treble_only(`
 neverallow {
 coredomain
 -init
+ -vendor_init
 } vendor_shell_exec:file { execute execute_no_trans };
 # Do not allow vendor components to execute files from system
@@ -729,6 +736,7 @@ full_treble_only(`
 -appdomain
 -rild
 -vendor_executes_system_violators
+ -vendor_init
 } {
 exec_type
 -vendor_file_type
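Review bot: Adding `-vendor_init` to the proc_security neverallow exempts it from `{ append write }` as well as `{ open read }`, yet public/vendor_init.te in this same patch grants vendor_init only `{ open read setattr }` on fs_type files (assuming proc_security carries fs_type) and no write rule names proc_security, so the write-side carve-out has no allow behind it and weakens the guard the comment calls "security-sensitive proc settings". Since vendor_init presumably interprets vendor-supplied init.rc fragments, I would split the line so writes stay locked to init: `neverallow { domain -init } proc_security:file { append write };` and `neverallow { domain -init -vendor_init } proc_security:file { open read };`. If the read access is not actually needed yet, the second exemption can wait for the rule that requires it.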
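Review bot: The `-vendor_init` exemption added to the `vendor_shell_exec:file { execute execute_no_trans }` neverallow at 719 has no matching allow anywhere in the patch: public/vendor_init.te subtracts `-exec_type` from every file rule and grants no `execute` permission at all. An exemption with no allow silently removes the compile-time guard for whatever rule lands later, which is the opposite of how neverallows are meant to be relaxed. I would drop `-vendor_init` from this hunk and reintroduce it in the same change as the rule that needs it, with a comment naming the vendor shell script it is for.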
@@ -855,6 +863,7 @@ neverallow {
 -system_server
 -system_app
 -init
+ -vendor_init
 -installd # for relabelfrom and unlink, check for this in explicit neverallow
 with_asan(`-asan_extract')
 } system_data_file:file no_w_file_perms;
@@ -990,7 +999,7 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
 # TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
diff --git a/public/vendor_init.te b/public/vendor_init.te
new file mode 100644
index 000000000..16d283fad
--- /dev/null
+++ b/public/vendor_init.te
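Review bot: Exempting vendor_init from `system_data_file:file no_w_file_perms` is backed by a real allow — public/vendor_init.te's broad `file_type` write rule does not subtract system_data_file — so after this patch vendor-controlled init scripts may create, write and unlink arbitrary files carrying the default /data label. The neverallow set this hunk edits opens before the hunk (only the `neverallow {` context is visible), and its other members are core system daemons with documented reasons (see the `-installd` comment). I would add the same kind of justification here, e.g. `-vendor_init # TODO: narrow to the types init.<board>.rc actually writes`, or narrow the allow in vendor_init.te to the specific data types those scripts touch rather than exempting the whole domain.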
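Review bot: The `-vendor_init` carve-out from `debugfs:file no_rw_file_perms` at 990 exempts the write half as well as the read half, while public/vendor_init.te only reads debugfs (through its `fs_type:file { open read setattr }` rule) and writes to `debugfs_tracing`, which this neverallow does not name if it is the distinct type its separate allow rule suggests. I would keep writes locked: `neverallow { domain -init -system_server -dumpstate } debugfs:file no_w_file_perms;` followed by a read-side line that also subtracts `-vendor_init`. The `# TODO: fix system_server and dumpstate` comment above the line should either mention vendor_init or be left as is, so the next reader knows which exemptions are temporary.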
@@ -0,0 +1,210 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:capability dac_override;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:capability { chown fowner fsetid };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:dir { create search getattr open read setattr ioctl };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -runtime_event_log_tags_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -app_data_file
+ -bluetooth_data_file
+ -dalvikcache_data_file
+ -exec_type
+ -incident_data_file
+ -keystore_data_file
+ -misc_logd_file
+ -nfc_data_file
+ -property_data_file
+ -radio_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -system_ndebug_socket
+ -unlabeled
+ -vendor_file_type
+ -vold_data_file
+ -zoneinfo_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -system_file
+ -vendor_file_type
+ -exec_type
+ -vold_data_file
+ -keystore_data_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+}:file { open read setattr };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+}:dir { open read setattr search };
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kmem_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net)
+allow vendor_init proc_net:file w_file_perms;
+allow vendor_init self:capability net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:capability sys_admin;
-- GitLab
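Review bot: The five hand-copied `file_type` exclusion lists already disagree — `-runtime_event_log_tags_file` is subtracted only in the `:file` rule — and the `dir_file_class_set relabelto` rule subtracts just five types, so vendor_init may relabel a file it created under a writable type (cache_file or system_data_file, neither of which is excluded) to a type it is forbidden to write, such as property_data_file, app_data_file or shell_data_file; relabeling into a label other domains trust is a well-known escalation path for a broad write domain. I would factor the common list into a single m4 define or an attribute used by all six rules so they cannot drift, and subtract that same set from relabelto, with a comment stating which init.rc `restorecon` targets the remaining relabelto covers. Separately, the closing `allow vendor_init self:capability sys_admin;` grants far more than the trusted/security xattr access its comment describes (mounts, among much else); a comment naming the init.rc command that needs it, e.g. `# needed for <command> on <path>; CAP_SYS_ADMIN is broad, revisit`, would let the next reviewer judge whether a narrower permission suffices.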