From 76aab82cb3a7560d3d78f93c7f2d00ed381192c4 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 15 May 2017 13:19:03 -0700
Subject: [PATCH] Move domain_deprecated into private policy

This attribute is being actively removed from policy. Since
attributes are not being versioned, partners must not be able to
access and use this attribute. Move it from public to private and verify in
the logs that rild and tee are not using these permissions.

Bug: 38316109
Test: build and boot Marlin
Test: Verify that rild and tee are not being granted any of these
      permissions.
Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b
---
 private/attributes                       |  9 +++++++++
 private/clatd.te                         |  1 +
 private/dex2oat.te                       |  1 +
 private/dhcp.te                          |  1 +
 {public => private}/domain_deprecated.te |  8 --------
 private/dumpstate.te                     |  1 +
 private/fingerprintd.te                  |  1 +
 private/fsck.te                          |  1 +
 private/fsck_untrusted.te                |  1 +
 private/installd.te                      |  1 +
 private/keystore.te                      |  1 +
 private/mtp.te                           |  1 +
 private/netd.te                          |  1 +
 private/perfprofd.te                     |  1 +
 private/ppp.te                           |  1 +
 private/radio.te                         |  1 +
 private/recovery.te                      |  1 +
 private/runas.te                         |  1 +
 private/sdcardd.te                       |  1 +
 private/shared_relro.te                  |  1 +
 private/ueventd.te                       |  1 +
 private/uncrypt.te                       |  1 +
 private/update_engine.te                 |  1 +
 private/vold.te                          |  1 +
 public/attributes                        | 10 ----------
 public/clatd.te                          |  2 +-
 public/dex2oat.te                        |  2 +-
 public/dhcp.te                           |  2 +-
 public/dumpstate.te                      |  2 +-
 public/fingerprintd.te                   |  2 +-
 public/fsck.te                           |  2 +-
 public/fsck_untrusted.te                 |  2 +-
 public/installd.te                       |  2 +-
 public/keystore.te                       |  2 +-
 public/mtp.te                            |  2 +-
 public/netd.te                           |  2 +-
 public/perfprofd.te                      |  1 -
 public/ppp.te                            |  2 +-
 public/radio.te                          |  2 +-
 public/recovery.te                       |  2 +-
 public/rild.te                           |  2 +-
 public/runas.te                          |  2 +-
 public/sdcardd.te                        |  2 +-
 public/shared_relro.te                   |  2 +-
 public/ueventd.te                        |  2 +-
 public/uncrypt.te                        |  2 +-
 public/update_engine.te                  |  2 +-
 public/vold.te                           |  2 +-
 vendor/tee.te                            |  2 --
 49 files changed, 53 insertions(+), 43 deletions(-)
 create mode 100644 private/attributes
 rename {public => private}/domain_deprecated.te (98%)

diff --git a/private/attributes b/private/attributes
new file mode 100644
index 000000000..fcbfecfb2
--- /dev/null
+++ b/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
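Review bot: The header comment is carried over verbatim from public/attributes and never says why the attribute now lives in private/, which is the point of this move. Add a line after the existing comment such as `# Kept in private/ so vendor policy cannot reference it: per the policy-versioning rules this attribute is not part of the vendor interface and is being removed.` so a later maintainer does not move it back for vendor convenience. Without that, the "Temporary attribute" wording alone gives no hint that vendor references are forbidden rather than merely discouraged.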
diff --git a/private/clatd.te b/private/clatd.te
index 5ba0fc5cd..c09398ddd 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1 +1,2 @@
 typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index fd45484f4..89c3970af 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1 +1,2 @@
 typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/private/dhcp.te b/private/dhcp.te
index b2f8ac7c7..6a6a139e2 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,5 @@
 typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
 
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/public/domain_deprecated.te b/private/domain_deprecated.te
similarity index 98%
rename from public/domain_deprecated.te
rename to private/domain_deprecated.te
index 7a26becdc..aefb724f7 100644
--- a/public/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -79,7 +79,6 @@ auditallow {
   -fingerprintd
   -installd
   -keystore
-  -rild
   -surfaceflinger
   -system_server
   -update_engine
@@ -193,7 +192,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -sdcardd
   -system_server
   -update_engine
@@ -203,7 +201,6 @@ auditallow {
   domain_deprecated
   -fsck
   -fsck_untrusted
-  -rild
   -system_server
   -vold
 } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
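Review bot: Dropping `-rild` here is consistent with rild no longer carrying domain_deprecated, but the exclusion's presence in this and the other auditallow blocks suggests rild was previously known to exercise, or was separately granted, `proc:lnk_file { open ioctl lock }` and the neighbouring permissions; being excluded from auditallow also means the logs cited in the commit message would never have shown rild's earlier use of them. The evidence that rild does not need these permissions therefore rests on the absence of avc denials on one device (Marlin), and vendor rild implementations on other devices may differ. Consider cross-checking each removed `-rild` exclusion against the explicit rules in public/rild.te before relying on one-device logs. The auditallow block starts before this hunk, so its full source set is not visible here.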
@@ -213,7 +210,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -system_app
   -surfaceflinger
   -system_server
@@ -227,7 +223,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -system_app
   -surfaceflinger
   -system_server
@@ -241,7 +236,6 @@ auditallow {
   -fingerprintd
   -healthd
   -netd
-  -rild
   -system_app
   -surfaceflinger
   -system_server
@@ -259,7 +253,6 @@ auditallow {
   -installd
   -keystore
   -netd
-  -rild
   -surfaceflinger
   -system_server
   -zygote
@@ -274,7 +267,6 @@ auditallow {
   -installd
   -keystore
   -netd
-  -rild
   -surfaceflinger
   -system_server
   -zygote
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f81526c..0fe2adfc6 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,4 +1,5 @@
 typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
 
 init_daemon_domain(dumpstate)
 
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index eb73ef8cc..0c1dfaa37 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,4 @@
 typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
 
 init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index 3a36329f7..e8467972f 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,4 @@
 typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
 
 init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 9a57bf027..2a1a39f46 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1 +1,2 @@
 typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/installd.te b/private/installd.te
index f74843dd1..d726e7df2 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,4 +1,5 @@
 typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
 
 init_daemon_domain(installd)
 
diff --git a/private/keystore.te b/private/keystore.te
index a9647c631..1e563389e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,4 +1,5 @@
 typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
 
 init_daemon_domain(keystore)
 
diff --git a/private/mtp.te b/private/mtp.te
index 732e111ed..3cfda0b1a 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,4 @@
 typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
 
 init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index f501f25e9..3a824af13 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
 
 init_daemon_domain(netd)
 
diff --git a/private/perfprofd.te b/private/perfprofd.te
index 9c249fd9a..a655f1d34 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,4 +1,5 @@
 userdebug_or_eng(`
   typeattribute perfprofd coredomain;
+  typeattribute perfprofd domain_deprecated;
   init_daemon_domain(perfprofd)
 ')
diff --git a/private/ppp.te b/private/ppp.te
index 968b221b6..9b301f475 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,4 @@
 typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
 
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/radio.te b/private/radio.te
index b4f539048..83b5b416b 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,4 +1,5 @@
 typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
 
 app_domain(radio)
 
diff --git a/private/recovery.te b/private/recovery.te
index 2a7fdc7e1..b7b2847ec 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1 +1,2 @@
 typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
diff --git a/private/runas.te b/private/runas.te
index ef31aac34..73a91ffd6 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,5 @@
 typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 126d64349..ac6bb4e2c 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,4 @@
 typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
 
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f720682..8d06294d9 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,4 +1,5 @@
 typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
 
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
diff --git a/private/ueventd.te b/private/ueventd.te
index 1bd67735e..0df587fff 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,4 @@
 typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
 
 tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e4e9224d9..fde686be9 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,4 @@
 typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
 
 init_daemon_domain(uncrypt)
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db681..f460272d1 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,4 @@
 typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
 
 init_daemon_domain(update_engine);
diff --git a/private/vold.te b/private/vold.te
index a6d1001d1..f2416f895 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,4 +1,5 @@
 typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
 
 init_daemon_domain(vold)
 
diff --git a/public/attributes b/public/attributes
index c449a08db..c1c1c0b63 100644
--- a/public/attributes
+++ b/public/attributes
@@ -10,16 +10,6 @@ attribute dev_type;
 # All types used for processes.
 attribute domain;
 
-# Temporary attribute used for migrating permissions out of domain.
-# Motivation: Domain is overly permissive. Start removing permissions
-# from domain and assign them to the domain_deprecated attribute.
-# Domain_deprecated and domain can initially be assigned to all
-# domains. The goal is to not assign domain_deprecated to new domains
-# and to start removing domain_deprecated where it's not required or
-# reassigning the appropriate permissions to the inheriting domain
-# when necessary.
-attribute domain_deprecated;
-
 # All types used for filesystems.
 # On change, update CHECK_FC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/public/clatd.te b/public/clatd.te
index 8632087a1..212b76ede 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -1,5 +1,5 @@
 # 464xlat daemon
-type clatd, domain, domain_deprecated;
+type clatd, domain;
 type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
diff --git a/public/dex2oat.te b/public/dex2oat.te
index cc8111fdc..47f3bcb60 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, domain_deprecated;
+type dex2oat, domain;
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
diff --git a/public/dhcp.te b/public/dhcp.te
index 22351edcc..2b54b7f88 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,4 +1,4 @@
-type dhcp, domain, domain_deprecated;
+type dhcp, domain;
 type dhcp_exec, exec_type, file_type;
 
 net_domain(dhcp)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 503f35962..4f66ffb4a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -1,5 +1,5 @@
 # dumpstate
-type dumpstate, domain, domain_deprecated, mlstrustedsubject;
+type dumpstate, domain, mlstrustedsubject;
 type dumpstate_exec, exec_type, file_type;
 
 net_domain(dumpstate)
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 57cde1db0..5dd18a352 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -1,4 +1,4 @@
-type fingerprintd, domain, domain_deprecated;
+type fingerprintd, domain;
 type fingerprintd_exec, exec_type, file_type;
 
 binder_use(fingerprintd)
diff --git a/public/fsck.te b/public/fsck.te
index 8f3b17a4a..b682a877f 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
 # /dev/__null__ created by init prior to policy load,
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index a9dd8055a..e2aceb87b 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
 
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/public/installd.te b/public/installd.te
index 359356aa3..939a4810a 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -1,5 +1,5 @@
 # installer daemon
-type installd, domain, domain_deprecated;
+type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
diff --git a/public/keystore.te b/public/keystore.te
index 2c3118510..ee5e67574 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain, domain_deprecated;
+type keystore, domain;
 type keystore_exec, exec_type, file_type;
 
 # keystore daemon
diff --git a/public/mtp.te b/public/mtp.te
index 0ca7cea35..a77624064 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -1,5 +1,5 @@
 # vpn tunneling protocol manager
-type mtp, domain, domain_deprecated;
+type mtp, domain;
 type mtp_exec, exec_type, file_type;
 
 net_domain(mtp)
diff --git a/public/netd.te b/public/netd.te
index 1694aecdf..691887fcd 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -1,5 +1,5 @@
 # network manager
-type netd, domain, domain_deprecated, mlstrustedsubject;
+type netd, domain, mlstrustedsubject;
 type netd_exec, exec_type, file_type;
 
 net_domain(netd)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index f0df6a0aa..bfb8693fa 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -4,7 +4,6 @@ type perfprofd_exec, exec_type, file_type;
 
 userdebug_or_eng(`
 
-  typeattribute perfprofd domain_deprecated;
   typeattribute perfprofd coredomain;
   typeattribute perfprofd mlstrustedsubject;
 
diff --git a/public/ppp.te b/public/ppp.te
index 918ef5e7f..04e17f57a 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -1,5 +1,5 @@
 # Point to Point Protocol daemon
-type ppp, domain, domain_deprecated;
+type ppp, domain;
 type ppp_device, dev_type;
 type ppp_exec, exec_type, file_type;
 
diff --git a/public/radio.te b/public/radio.te
index f5604fd43..87329d913 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,5 +1,5 @@
 # phone subsystem
-type radio, domain, domain_deprecated, mlstrustedsubject;
+type radio, domain, mlstrustedsubject;
 
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/public/recovery.te b/public/recovery.te
index f0ac97dc4..f55dc8a5d 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -2,7 +2,7 @@
 
 # Declare the domain unconditionally so we can always reference it
 # in neverallow rules.
-type recovery, domain, domain_deprecated;
+type recovery, domain;
 
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
diff --git a/public/rild.te b/public/rild.te
index e4b018690..14420dffb 100644
--- a/public/rild.te
+++ b/public/rild.te
@@ -1,5 +1,5 @@
 # rild - radio interface layer daemon
-type rild, domain, domain_deprecated;
+type rild, domain;
 hal_server_domain(rild, hal_telephony)
 
 net_domain(rild)
diff --git a/public/runas.te b/public/runas.te
index 046165d4b..cda02efab 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,4 +1,4 @@
-type runas, domain, domain_deprecated, mlstrustedsubject;
+type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:process sigchld;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 3cb69be63..47a2f8061 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
 allow sdcardd cgroup:dir create_dir_perms;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 9794b0b8a..91cf44d02 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,5 +1,5 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain, domain_deprecated;
+type shared_relro, domain;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/ueventd.te b/public/ueventd.te
index 8ec667e04..4c77e11ea 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,6 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type ueventd, domain, domain_deprecated;
+type ueventd, domain;
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index ef1289c32..7ae7d396e 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -1,5 +1,5 @@
 # uncrypt
-type uncrypt, domain, domain_deprecated, mlstrustedsubject;
+type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;
 
 allow uncrypt self:capability dac_override;
diff --git a/public/update_engine.te b/public/update_engine.te
index 69ee7c850..b8f0035bd 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,5 +1,5 @@
 # Domain for update_engine daemon.
-type update_engine, domain, domain_deprecated, update_engine_common;
+type update_engine, domain, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 
 net_domain(update_engine);
diff --git a/public/vold.te b/public/vold.te
index 20181d113..81ee28c47 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -1,5 +1,5 @@
 # volume manager
-type vold, domain, domain_deprecated;
+type vold, domain;
 type vold_exec, exec_type, file_type;
 
 # Read already opened /cache files.
diff --git a/vendor/tee.te b/vendor/tee.te
index f7c2cb59f..348d71587 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -1,8 +1,6 @@
 ##
 # trusted execution environment (tee) daemon
 #
-typeattribute tee domain_deprecated;
-
 type tee_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(tee)
 
-- 
GitLab