From a289d523ea6bbf4cf41fb82bf4e5d738fa81a4ea Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 14 Nov 2018 14:59:22 -0800
Subject: [PATCH] Move coredomains rules from private/domain.te to
 private/coredomain.te

We lose git history with this, but imo the rules being moved don't have
much reference material. Also, as we write more neverallow rules for
CKI, I'd like to consolidate them in private/coredomain.te

Test: m selinux_policy
Change-Id: I6d0c3d2af0c4dfe7dd3cb1d8836b4b5e00db37a4
---
 private/coredomain.te | 92 +++++++++++++++++++++++++++++++++++++++++++
 private/domain.te     | 92 -------------------------------------------
 2 files changed, 92 insertions(+), 92 deletions(-)

diff --git a/private/coredomain.te b/private/coredomain.te
index 23224c323..cf3930be2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -13,3 +13,95 @@ neverallow {
     -vold
 } sysfs_leds:file *;
 ')
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+  # /proc
+  neverallow {
+    coredomain
+    -vold
+  } proc:file no_rw_file_perms;
+
+  # /sys
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -vold
+  } sysfs:file no_rw_file_perms;
+
+  # /dev
+  neverallow {
+    coredomain
+    -fsck
+    -init
+    -ueventd
+  } device:{ blk_file file } no_rw_file_perms;
+
+  # debugfs
+  neverallow {
+    coredomain
+    -dumpstate
+    -init
+    -system_server
+  } debugfs:file no_rw_file_perms;
+
+  # tracefs
+  neverallow {
+    coredomain
+    -atrace
+    -dumpstate
+    -init
+    userdebug_or_eng(`-perfprofd')
+    -traced_probes
+    -shell
+    -traceur_app
+  } debugfs_tracing:file no_rw_file_perms;
+
+  # inotifyfs
+  neverallow {
+    coredomain
+    -init
+  } inotify:file no_rw_file_perms;
+
+  # pstorefs
+  neverallow {
+    coredomain
+    -bootstat
+    -charger
+    -dumpstate
+    -healthd
+    userdebug_or_eng(`-incidentd')
+    -init
+    -logd
+    -logpersist
+    -recovery_persist
+    -recovery_refresh
+    -shell
+    -system_server
+  } pstorefs:file no_rw_file_perms;
+
+  # configfs
+  neverallow {
+    coredomain
+    -init
+    -system_server
+  } configfs:file no_rw_file_perms;
+
+  # functionfs
+  neverallow {
+    coredomain
+    -adbd
+    -init
+    -mediaprovider
+    -system_server
+  } functionfs:file no_rw_file_perms;
+
+  # usbfs and binfmt_miscfs
+  neverallow {
+    coredomain
+    -init
+  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
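Review bot: The exemption lists in the added `full_treble_only` block (for example `-vold` on `proc:file`, and `-shell` on both `debugfs_tracing:file` and `pstorefs:file`) have no comment saying why each domain is excluded, and the commit message itself notes that git history for these rules is lost by the move. Because blame will less readily lead back to the change that introduced each exemption, I would add a short rationale beside each one, in the form `# <domain>: <reason or bug id>`. It is also worth confirming that `-shell` is meant to be exempt on all build variants, given that `-perfprofd` and `-incidentd` in the same lists are wrapped in `userdebug_or_eng`. Minor style point: `}{ usbfs binfmt_miscfs }` in the last rule lacks the space that follows `}` in every other rule of the block.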
diff --git a/private/domain.te b/private/domain.te
index 8e3c4e6d7..c03da55ee 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -28,98 +28,6 @@ neverallow {
   userdebug_or_eng(`-domain')
 } debugfs_tracing_debug:file no_rw_file_perms;
 
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
-  # /proc
-  neverallow {
-    coredomain
-    -vold
-  } proc:file no_rw_file_perms;
-
-  # /sys
-  neverallow {
-    coredomain
-    -init
-    -ueventd
-    -vold
-  } sysfs:file no_rw_file_perms;
-
-  # /dev
-  neverallow {
-    coredomain
-    -fsck
-    -init
-    -ueventd
-  } device:{ blk_file file } no_rw_file_perms;
-
-  # debugfs
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -system_server
-  } debugfs:file no_rw_file_perms;
-
-  # tracefs
-  neverallow {
-    coredomain
-    -atrace
-    -dumpstate
-    -init
-    userdebug_or_eng(`-perfprofd')
-    -traced_probes
-    -shell
-    -traceur_app
-  } debugfs_tracing:file no_rw_file_perms;
-
-  # inotifyfs
-  neverallow {
-    coredomain
-    -init
-  } inotify:file no_rw_file_perms;
-
-  # pstorefs
-  neverallow {
-    coredomain
-    -bootstat
-    -charger
-    -dumpstate
-    -healthd
-    userdebug_or_eng(`-incidentd')
-    -init
-    -logd
-    -logpersist
-    -recovery_persist
-    -recovery_refresh
-    -shell
-    -system_server
-  } pstorefs:file no_rw_file_perms;
-
-  # configfs
-  neverallow {
-    coredomain
-    -init
-    -system_server
-  } configfs:file no_rw_file_perms;
-
-  # functionfs
-  neverallow {
-    coredomain
-    -adbd
-    -init
-    -mediaprovider
-    -system_server
-  } functionfs:file no_rw_file_perms;
-
-  # usbfs and binfmt_miscfs
-  neverallow {
-    coredomain
-    -init
-  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-')
-
 # System_server owns dropbox data, and init creates/restorecons the directory
 # Disallow direct access by other processes.
 neverallow { domain -init -system_server } dropbox_data_file:dir *;
-- 
GitLab