From 96b1c9ca6f72f3adfa7f6051568efeb450c3756c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 17 Dec 2015 16:38:21 -0800
Subject: [PATCH] neverallow debugfs access

Don't allow access to the generic debugfs label. Instead, force
relabeling to a more specific type. system_server and dumpstate
are excluded from this until I have time to fix them.

Tighten up the neverallow rules for untrusted_app. It should never
be reading any file on /sys/kernel/debug, regardless of the label.

Change-Id: Ic7feff9ba3aca450f1e0b6f253f0b56c7918d0fa
---
 domain.te        | 6 ++++++
 untrusted_app.te | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index b60e5e048..15594ef6a 100644
--- a/domain.te
+++ b/domain.te
@@ -508,3 +508,9 @@ neverallow domain ~property_type:property_service set;
 # $ grep mydaemon file_contexts
 # /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
 neverallow domain domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
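Review bot: The new rule on the last added line constrains only the `file` class, so `debugfs:dir` (search/read of directory entries) and `debugfs:lnk_file` under the generic label remain allowable, which still lets a domain enumerate what exists in /sys/kernel/debug even though it cannot read the contents; if that is intended, the comment should say so, otherwise a parallel rule for the `dir` class is worth adding. The TODO names system_server and dumpstate but the exclusion list also carves out `init`, which the comment does not explain; presumably init needs it to mount and relabel debugfs at boot, so I would add `# init is excluded because it mounts and relabels debugfs (confirm)` so the next reader does not treat it as an oversight. Whether `no_rw_file_perms` also leaves `getattr` outside the neverallow depends on the macro definition, which is not visible in this hunk.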
diff --git a/untrusted_app.te b/untrusted_app.te
index 9d80bd8ea..12a629de8 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -112,7 +112,7 @@ neverallow untrusted_app domain:netlink_socket *;
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow untrusted_app debugfs:file read;
+neverallow untrusted_app debugfs_type:file read;
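Review bot: The changed line widens the target from `debugfs` to the `debugfs_type` attribute but still forbids only the `read` permission, so a policy author can still grant untrusted_app `getattr`/`ioctl` on debugfs files and `search`/`read` on debugfs directories without tripping this neverallow, which is weaker than the commit message's "never be reading any file on /sys/kernel/debug, regardless of the label". For consistency with the domain-wide rule this commit adds in domain.te, I would tighten it to `neverallow untrusted_app debugfs_type:file no_rw_file_perms;` and consider a companion rule for the `dir` class. This assumes the `debugfs_type` attribute is declared elsewhere in the policy; the declaration is outside this hunk.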
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
-- 