From b0db712bf048dc634363b658a647b1f1897d8433 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 6 Mar 2014 16:03:48 -0500
Subject: [PATCH] Clean up, unify, and deduplicate app domain rules.

Coalesce a number of allow rules replicated among multiple
app domains.

Get rid of duplicated rules already covered by domain, appdomain,
or platformappdomain rules.

Split the platformappdomain rules to their own platformappdomain.te
file, document them more fully, and note the inheritance in each
of the relevant *_app.te files.

Generalize isolated app unix_stream_socket rules to all app domains
to resolve denials such as:

avc:  denied  { read write } for  pid=11897 comm="Binder_2" path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[203881]" dev="sockfs" ino=203881 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:untrusted_app:s0 tclass=unix_stream_socket

avc:  denied  { read write } for  pid=6890 comm="Binder_10" path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getattr } for  pid=11990 comm=4173796E635461736B202334 path="socket:[205010]" dev="sockfs" ino=205010 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

avc:  denied  { getopt } for  pid=11990 comm=4173796E635461736B202334 scontext=u:r:release_app:s0 tcontext=u:r:media_app:s0 tclass=unix_stream_socket

Change-Id: I770d7d51d498b15447219083739153265d951fe5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te               | 13 +++++++------
 bluetooth.te         |  4 ----
 isolated_app.te      |  9 ---------
 media_app.te         | 11 +++--------
 nfc.te               |  3 ---
 platform_app.te      | 22 ++--------------------
 platformappdomain.te | 21 +++++++++++++++++++++
 release_app.te       |  4 +---
 shared_app.te        |  2 ++
 shelldomain.te       | 14 --------------
 system_app.te        |  6 ------
 untrusted_app.te     |  8 --------
 12 files changed, 36 insertions(+), 81 deletions(-)
 create mode 100644 platformappdomain.te

diff --git a/app.te b/app.te
index 9adb86a80..2589f660b 100644
--- a/app.te
+++ b/app.te
@@ -42,7 +42,7 @@ allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 allow appdomain appdomain:fifo_file rw_file_perms;
 
 # Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -69,7 +69,7 @@ allow appdomain anr_data_file:file { open append };
 
 # Allow apps to send dump information to dumpstate
 allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr };
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
@@ -89,14 +89,11 @@ binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
 
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
 # are examined.
-allow appdomain isolated_app:unix_stream_socket { read write };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
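Review bot: The comment block above the new `allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };` still describes only the isolated_app/Chrome case, while the rule now covers socket fds passed between any two app domains (the release_app ↔ untrusted_app and release_app ↔ media_app denials in the description). Suggest rewording it to `# Already connected, unnamed sockets passed between app domains over some other IPC (e.g. Binder); no sock_file or connectto permission, so a socket is usable only if its owner hands it over. Originally motivated by Chrome's isolated services.` Dropping `r_dir_file(appdomain, isolated_app)` in the same hunk is equivalent only if isolated_app carries the appdomain attribute and a broader appdomain-to-appdomain read rule exists elsewhere; neither is visible in this hunk, so it is worth confirming against domain.te/app.te.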
@@ -112,6 +109,10 @@ allow appdomain download_file:file r_file_perms;
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
 
+# Access SDcard.
+allow appdomain sdcard_type:dir create_dir_perms;
+allow appdomain sdcard_type:file create_file_perms;
+
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
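Review bot: The new `allow appdomain sdcard_type:dir create_dir_perms; allow appdomain sdcard_type:file create_file_perms;` is wider than the per-domain rules it replaces: system_app previously had only `sdcard_type:dir r_dir_perms` (removed in the system_app.te hunk), and isolated_app, which is declared with `app_domain(isolated_app)` in isolated_app.te, had no sdcard access at all before this patch. If isolated processes are meant to reach only resources handed to them over IPC, consider keeping this grant off isolated_app (a neverallow on isolated_app against sdcard_type would document that intent) rather than granting it to the whole attribute. The companion deletions in bluetooth.te, nfc.te and shelldomain.te likewise assume those domains carry the appdomain attribute, which nothing in this patch shows; a one-line comment here naming the domains the rule is meant to cover would help the next reader.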
diff --git a/bluetooth.te b/bluetooth.te
index c63dc02e1..75b0c9759 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -43,10 +43,6 @@ unix_socket_connect(bluetooth, property, init)
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 
-# bluetooth file transfers
-allow bluetooth sdcard_internal:dir create_dir_perms;
-allow bluetooth sdcard_internal:file create_file_perms;
-
 # Allow write access to bluetooth specific properties
 allow bluetooth bluetooth_prop:property_service set;
 
diff --git a/isolated_app.te b/isolated_app.te
index 7e51d309c..4745d7e39 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,12 +12,3 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow isolated_app appdomain:unix_stream_socket { read write };
-
-allow isolated_app dalvikcache_data_file:file execute;
-allow isolated_app apk_data_file:dir getattr;
diff --git a/media_app.te b/media_app.te
index 65f38636b..099e0a6ff 100644
--- a/media_app.te
+++ b/media_app.te
@@ -10,20 +10,15 @@ binder_service(media_app)
 net_domain(media_app)
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
-# Write to /cache.
-allow media_app cache_file:dir rw_dir_perms;
-allow media_app cache_file:file create_file_perms;
-# Stat /cache/lost+found
-allow media_app unlabeled:file getattr;
-allow media_app unlabeled:dir getattr;
 # Stat /cache/backup
 allow media_app cache_backup_file:file getattr;
 allow media_app cache_backup_file:dir getattr;
-# Read files in the rootdir (in particular, file_contexts for restorecon).
-allow media_app rootfs:file r_file_perms;
+# Create download files.
 allow media_app download_file:dir rw_dir_perms;
 allow media_app download_file:file create_file_perms;
 # Allow platform apps to mark platform app data files as download files
 relabelto_domain(media_app)
 allow media_app platform_app_data_file:dir relabelfrom;
 allow media_app download_file:dir relabelto;
+
+# inherits from platformappdomain.te
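Review bot: The removal of `allow media_app unlabeled:file getattr; allow media_app unlabeled:dir getattr;` (stat of /cache/lost+found) and `allow media_app rootfs:file r_file_perms;` is not obviously covered by anything in this patch — the new platformappdomain.te carries neither — so they must already be granted by domain rules not shown here; if they are not, media_app's restorecon path regresses with denials on unlabeled and rootfs. Also, the added `# inherits from platformappdomain.te` comment sits at the very end of the file after the relabel rules; it would be more discoverable next to the `platform_app_domain(media_app)` call that presumably applies the inheritance (earlier in the file, outside this hunk). The same placement applies to the identical comments added in platform_app.te, release_app.te and shared_app.te.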
diff --git a/nfc.te b/nfc.te
index 0522c52a9..0968c3513 100644
--- a/nfc.te
+++ b/nfc.te
@@ -13,6 +13,3 @@ allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
 allow nfc sysfs_nfc_power_writable:file rw_file_perms;
 allow nfc sysfs:file write;
-
-allow nfc sdcard_type:dir create_dir_perms;
-allow nfc sdcard_type:file create_file_perms;
diff --git a/platform_app.te b/platform_app.te
index bbbc0f7e6..ea49c00c2 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -10,10 +10,7 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Write to /cache.
-allow platform_app cache_file:dir rw_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-# Read from /data/local.
+# Read from /data/local/tmp or /data/data/com.android.shell.
 allow platform_app shell_data_file:dir search;
 allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
@@ -26,20 +23,5 @@ allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
 # Access download files.
 allow platform_app download_file:file rw_file_perms;
-# Allow BackupManagerService to backup all app domains
-allow platform_app appdomain:fifo_file write;
 
-#
-# Rules for all platform app domains.
-#
-
-# App sandbox file accesses.
-allow platformappdomain platform_app_data_file:dir create_dir_perms;
-allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
-allow platformappdomain platform_app_data_file:file execute;
-# App sdcard file accesses
-allow platformappdomain sdcard_type:dir create_dir_perms;
-allow platformappdomain sdcard_type:file create_file_perms;
-# Access to /data/media.
-allow platformappdomain media_rw_data_file:dir create_dir_perms;
-allow platformappdomain media_rw_data_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/platformappdomain.te b/platformappdomain.te
new file mode 100644
index 000000000..701a63694
--- /dev/null
+++ b/platformappdomain.te
@@ -0,0 +1,21 @@
+#
+# Rules for all platform app domains.
+# These rules are inherited by any domain that includes platform_app_domain().
+# Presently this consists of the four app domains corresponding to apps
+# signed by one of the four build keys: platform_app, shared_app, media_app,
+# release_app.  These app domains use platform_app_data_file rather
+# than app_data_file for their /data/data directories (as specified via
+# type= in seapp_contexts) and have greater permissions to specific
+# directories owned by groups that are restricted to apps with
+# Android permissions that are signature|system.
+
+# App sandbox file accesses.
+allow platformappdomain platform_app_data_file:dir create_dir_perms;
+allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_perms;
+allow platformappdomain platform_app_data_file:file execute;
+# Access to /data/media.
+allow platformappdomain media_rw_data_file:dir create_dir_perms;
+allow platformappdomain media_rw_data_file:file create_file_perms;
+# Write to /cache.
+allow platformappdomain cache_file:dir create_dir_perms;
+allow platformappdomain cache_file:file create_file_perms;
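Review bot: `allow platformappdomain cache_file:dir create_dir_perms;` is broader than the `cache_file:dir rw_dir_perms` that media_app, platform_app and release_app each had before (the lines deleted in this patch), so the consolidation quietly adds whatever create_dir_perms grants beyond rw_dir_perms (directory create/remove/rename in the usual macro definitions) on /cache for all four platform app domains. If only writing into existing /cache directories is needed, keep `allow platformappdomain cache_file:dir rw_dir_perms;`; otherwise the `# Write to /cache.` comment should state that the widening is deliberate. The header comment is good; one line noting that these domains now get sdcard_type access from the appdomain rule in app.te rather than from this file would save a reader looking for the rules the old platform_app.te block carried.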
diff --git a/release_app.te b/release_app.te
index 69cff196d..4dc78e738 100644
--- a/release_app.te
+++ b/release_app.te
@@ -11,6 +11,4 @@ net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
 
-# Write to /cache.
-allow release_app cache_file:dir rw_dir_perms;
-allow release_app cache_file:file create_file_perms;
+# inherits from platformappdomain.te
diff --git a/shared_app.te b/shared_app.te
index 22238824e..ef7273529 100644
--- a/shared_app.te
+++ b/shared_app.te
@@ -10,3 +10,5 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
+
+# inherits from platformappdomain.te
diff --git a/shelldomain.te b/shelldomain.te
index d4bb019e7..e894d9daf 100644
--- a/shelldomain.te
+++ b/shelldomain.te
@@ -5,10 +5,6 @@ allow shelldomain shell_data_file:dir create_dir_perms;
 allow shelldomain shell_data_file:file create_file_perms;
 allow shelldomain shell_data_file:file rx_file_perms;
 
-# Access sdcard.
-allow shelldomain sdcard_type:dir create_dir_perms;
-allow shelldomain sdcard_type:file create_file_perms;
-
 # adb bugreport
 unix_socket_connect(shelldomain, dumpstate, dumpstate)
 
@@ -29,13 +25,3 @@ allow shelldomain shell_prop:property_service set;
 allow shelldomain ctl_dumpstate_prop:property_service set;
 allow shelldomain debug_prop:property_service set;
 allow shelldomain powerctl_prop:property_service set;
-
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shelldomain, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shelldomain app_data_file:dir search;
-
-# ps and ps -Z output for app processes.
-r_dir_file(shelldomain, appdomain)
-allow shelldomain appdomain:process getattr;
diff --git a/system_app.te b/system_app.te
index dc0211883..60398a2e8 100644
--- a/system_app.te
+++ b/system_app.te
@@ -20,12 +20,6 @@ allow system_app wallpaper_file:file r_file_perms;
 # Write to dalvikcache.
 allow system_app dalvikcache_data_file:file { write setattr };
 
-# Read SELinux enforcing status.
-selinux_getenforce(system_app)
-
-# Settings app reads sdcard for storage stats
-allow system_app sdcard_type:dir r_dir_perms;
-
 # Write to properties
 unix_socket_connect(system_app, property, init)
 allow system_app debug_prop:property_service set;
diff --git a/untrusted_app.te b/untrusted_app.te
index 85cf79e51..e60bfff57 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -32,14 +32,6 @@ allow untrusted_app app_data_file:file rx_file_perms;
 
 allow untrusted_app tun_device:chr_file rw_file_perms;
 
-# Internal SDCard rw access.
-allow untrusted_app sdcard_internal:dir create_dir_perms;
-allow untrusted_app sdcard_internal:file create_file_perms;
-
-# External SDCard rw access.
-allow untrusted_app sdcard_external:dir create_dir_perms;
-allow untrusted_app sdcard_external:file create_file_perms;
-
 # ASEC
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
-- 
GitLab