Ban core components from accessing vendor data types

Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open FD such as ioctl/stat/read/write/append. This commit asserts that core components marked with attribute coredomain may only access core data types marked with attribute core_data_file_type. A temporary exemption is granted to domains that currently rely on access. Bug: 34980020 Test: build Marlin policy Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc

Ban core components from accessing vendor data types
Vendor and system components are only allowed to share files by passing open FDs over HIDL. Ban all directory access and all file accesses other than what can be applied to an open FD such as ioctl/stat/read/write/append. This commit asserts that core components marked with attribute coredomain may only access core data types marked with attribute core_data_file_type. A temporary exemption is granted to domains that currently rely on access. Bug: 34980020 Test: build Marlin policy Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
cd97e710 · Jeff Vander Stoep · 6953b867 · cd97e710 · cd97e710 · cd97e710
Commit cd97e710 authored 7 years ago by Jeff Vander Stoep
--- a/public/attributes
+++ b/public/attributes
@@ -45,6 +45,10 @@ attribute core_data_file_type;
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;

 # All types use for sysfs files.
 attribute sysfs_type;

--- a/public/dhcp.te
+++ b/public/dhcp.te
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;

 net_domain(dhcp)


--- a/public/domain.te
+++ b/public/domain.te
@@ -509,6 +509,25 @@ full_treble_only(`
    -appdomain
    -coredata_in_vendor_violators
  } system_data_file:dir ~search;
+  # do not allow coredomains to directly access vendor data. Exempt init
+  # because it is responsible for dir/file creation in init.rc scripts.
+  # Also exempt halclientdomain to exclude rules for passthrough mode.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  # do not allow coredomain to access vendor data directories.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+    } { data_file_type -core_data_file_type }:dir *;
 ')

 # On full TREBLE devices, socket communications between core components and vendor components are

--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@ type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;

 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;