From cd97e71084b026b201f8d5a0bc08c283f8d673cd Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 29 Mar 2017 15:50:32 -0700
Subject: [PATCH] Ban core components from accessing vendor data types

Vendor and system components are only allowed to share files by
passing open FDs over HIDL. Ban all directory access and all file
accesses other than what can be applied to an open FD such as
ioctl/stat/read/write/append.

This commit asserts that core components marked with attribute
coredomain may only access core data types marked with attribute
core_data_file_type.

A temporary exemption is granted to domains that currently rely on
such access.

Bug: 34980020
Test: build Marlin policy
Change-Id: I2f0442f2628fbac1f2f7aa5ddf2a13e16b2546cc
---
 public/attributes |  4 ++++
 public/dhcp.te    |  1 -
 public/domain.te  | 19 +++++++++++++++++++
 public/file.te    |  2 ++
 4 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/public/attributes b/public/attributes
index d9d123fd0..823155134 100644
--- a/public/attributes
+++ b/public/attributes
@@ -45,6 +45,10 @@ attribute core_data_file_type;
 # data outside /data/vendor.
 # TODO(b/34980020): Remove this once there are no violations
 attribute coredata_in_vendor_violators;
+# All core domains which violate the requirement of not accessing vendor
+# owned data.
+# TODO(b/34980020): Remove this once there are no violations
+attribute vendordata_in_core_violators;
 
 # All types use for sysfs files.
 attribute sysfs_type;
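Review bot: `vendordata_in_core_violators` is declared here but none of the four files in this patch attaches the attribute to a domain, even though the description says an exemption is granted to domains that currently rely on the access. If the assignments are made elsewhere (a later change or device-specific policy), the comment should say where, so a reader auditing the exemption list knows where to look; for example `# Domains carrying this attribute are listed in device policy, not here.` with the location filled in. The TODO should also state who is expected to drive the list to empty, since without that the "temporary" exemption has no owner.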
diff --git a/public/dhcp.te b/public/dhcp.te
index 6b9fb4ad1..c18b08d68 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -1,6 +1,5 @@
 type dhcp, domain, domain_deprecated;
 type dhcp_exec, exec_type, file_type;
-type dhcp_data_file, file_type, data_file_type;
 
 net_domain(dhcp)
 
diff --git a/public/domain.te b/public/domain.te
index bd5cb895c..5c8280f04 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -509,6 +509,25 @@ full_treble_only(`
     -appdomain
     -coredata_in_vendor_violators
   } system_data_file:dir ~search;
+  # do not allow coredomains to directly access vendor data. Exempt init
+  # because it is responsible for dir/file creation in init.rc scripts.
+  # Also exempt halclientdomain to exclude rules for passthrough mode.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+  } {
+    data_file_type
+    -core_data_file_type
+  }:file_class_set ~{ append getattr ioctl read write };
+  # do not allow coredomain to access vendor data directories.
+  neverallow {
+    coredomain
+    -halclientdomain
+    -init
+    -vendordata_in_core_violators
+    } { data_file_type -core_data_file_type }:dir *;
 ')
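Review bot: The two neverallow rules at L65–73 and L75–80 overlap, and the comments do not say so: if `file_class_set` in this tree's global_macros includes `dir` (it appears to in Android's policy), the first rule already bans everything except `append getattr ioctl read write` on vendor data directories for the same source set, and the second rule only removes those five remaining permissions for `dir`. A one-line comment on the second rule would make that explicit, e.g. `# file_class_set already covers dir; this removes the remaining FD-style permissions for directories.` The permitted set also omits `lock`, which is an operation on an already-open FD like the others the description lists; if that omission is deliberate, the first comment should say so. As a style point, the closing brace at L80 is indented four spaces while the matching rule above uses two; align it as `  } { data_file_type -core_data_file_type }:dir *;`. The enclosing `full_treble_only(` block begins before the hunk.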
 
 # On full TREBLE devices, socket communications between core components and vendor components are
diff --git a/public/file.te b/public/file.te
index d7a82bc6c..32de73514 100644
--- a/public/file.te
+++ b/public/file.te
@@ -135,6 +135,8 @@ type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 type preloads_data_file, file_type, data_file_type, core_data_file_type;
 # /data/preloads/media
 type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
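Review bot: The `dhcp_data_file` declaration moved from dhcp.te gains `core_data_file_type` here, which reclassifies the DHCP state under /data/misc/dhcp as core-owned data; the commit message describes the new neverallow rules but does not mention this reclassification, so it deserves a sentence in the description or a comment above the type stating why DHCP data belongs to the core side. The path comment pins a versioned directory, `/data/misc/dhcp-6.8.2`, which will go stale on the next dhcpcd update; consider `# /data/misc/dhcp and the versioned /data/misc/dhcp-<version> directory` (constructed placeholder) or a pointer to the file_contexts entry that actually labels it.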
-- 
GitLab