From c855629ebd42e4aba64dea0a8a95fc5c465b911e Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Tue, 2 Oct 2018 18:03:31 -0700
Subject: [PATCH] Neverallow vendor code access to files on /system.

What changed:
- Tightening neverallow forbidding vendor execution access in /system.
In its current form the neverallow is loose because not all executables
have exec_type attribute, e.g. almost everything in /system/bin/. This
change tightens up the neverallow by instead targeting system_file_type
attribute, which must be applied to all files in /system.
- Adding a general neverallow forbidding all access to files in /system
(bar exceptions)

TODOs:
- Remove loopholes once Treble violations are fixed across all internal
build targets.

Bug: 111243627
Test: m selinux_policy; build-only change
Change-Id: Ic8d71c8d139cad687ad7d7c9db7111240475f175
---
 public/domain.te | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 2bdc53c56..c34ef4f2e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1086,9 +1086,10 @@ full_treble_only(`
         -vendor_executes_system_violators
         -vendor_init
     } {
-        exec_type
+        system_file_type
+        -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+        -system_lib_file
         -system_linker_exec
-        -vendor_file_type
         -crash_dump_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
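Review bot: The new `-system_lib_file` exclusion on the line after the `-system_file` one carries no comment saying whether it is a permanent exemption or a second loophole tracked by the same bug, while the `-system_file` line right above it does; the same applies to `-system_lib_file` in the second hunk of this file. Since the commit message says "Remove loopholes" in the plural, the distinction matters for whoever cleans this up later. If it is a loophole, mirror the existing annotation, `-system_lib_file # TODO(b/111243627): remove once Treble violations are fixed.`; if it is permanent, a short comment explaining why vendor code may execute system libraries would do. The enclosing neverallow begins before this hunk, so the subject-domain list and the `full_treble_only` opening are not visible here.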
@@ -1151,17 +1152,33 @@ full_treble_only(`
   }:file *;
 ')
 
-# TODO(b/111243627): Uncomment once all violations are cleaned up.
-#full_treble_only(`
-#  # Do not allow vendor components access to /system files except for the
-#  # ones whitelisted here.
-#  neverallow {
-#    domain
-#    -appdomain
-#    -coredomain
-#    -vendor_executes_system_violators
-#  } system_file_type:file *;
-#')
+full_treble_only(`
+  # Do not allow vendor components access to /system files except for the
+  # ones whitelisted here.
+  neverallow {
+    domain
+    -appdomain
+    -coredomain
+    -vendor_executes_system_violators
+    # vendor_init needs access to init_exec for domain transition. vendor_init
+    # neverallows are covered in public/vendor_init.te
+    -vendor_init
+  } {
+    system_file_type
+    -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+    -crash_dump_exec
+    -file_contexts_file
+    -netutils_wrapper_exec
+    -property_contexts_file
+    -system_lib_file
+    -system_linker_exec
+    -system_linker_config_file
+    -system_seccomp_policy_file
+    -system_security_cacerts_file
+    -system_zoneinfo_file
+    userdebug_or_eng(`-tcpdump_exec')
+  }:file *;
+')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
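Review bot: The new neverallow at `}:file *;` constrains only the `file` class, so `dir` and `lnk_file` access to `system_file_type` by vendor domains is not forbidden, and nothing in the hunk says whether that is deliberate. Directory search is presumably needed to reach the whitelisted files, so the omission may be intentional, but a reader checking the "Do not allow vendor components access to /system files" comment against the rule will see a gap. A one-line note above the object set, such as `# Only the file class is restricted; dir/lnk_file traversal is needed to reach the whitelisted files.`, would make the scope explicit. Note also that with `-system_file` excluded the rule currently bites only /system files with a more specific label, which the TODO on that line acknowledges.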
-- 
GitLab