From cf2ffdf0d86f485dfff05a2f13819997bfd462e1 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 30 Mar 2017 17:39:00 -0700
Subject: [PATCH] Tighten restrictions on core <-> vendor socket comms

This futher restricts neverallows for sockets which may be exposed as
filesystem nodes. This is achieved by labelling all such sockets
created by core/non-vendor domains using the new coredomain_socket
attribute, and then adding neverallow rules targeting that attribute.

This has no effect on what domains are permitted to do. This only
changes neverallow rules.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
---
 private/drmserver.te      |  2 ++
 private/system_server.te  |  6 +++++
 private/wificond.te       |  3 +++
 public/attributes         |  3 +++
 public/domain.te          | 36 ++++++++++++++++++++++++++++
 public/file.te            | 50 +++++++++++++++++++--------------------
 vendor/hal_nfc_default.te |  4 +++-
 7 files changed, 78 insertions(+), 26 deletions(-)

diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bbe1..afe4f0aae 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@ typeattribute drmserver coredomain;
 init_daemon_domain(drmserver)
 
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/private/system_server.te b/private/system_server.te
index ddeeb1b97..a731f5a48 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -190,6 +190,12 @@ hal_client_domain(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
+
+# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
+# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
+# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
+typeattribute system_server socket_between_core_and_vendor_violators;
+
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 # Talk to tombstoned to get ANR traces.
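Review bot: Adding system_server to socket_between_core_and_vendor_violators exempts it from every neverallow that subtracts that attribute — the core-to-vendor sock_file rule added in public/domain.te and the netd rule it joins — not only from the wpa_socket case the new comment describes, so the exemption is broader than the stated need. The TODO should record that breadth so it is understood when the exemption is revisited; e.g. append `# NOTE: this exempts system_server from all core<->vendor sock_file neverallows, not only the wpa_socket one.` to the comment block. The same applies to wificond in private/wificond.te and hal_nfc_default in vendor/hal_nfc_default.te in this commit. Since neverallows only fail the policy build, the allow rules that actually grant system_server access to wpa_socket remain what bounds its runtime exposure.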
diff --git a/private/wificond.te b/private/wificond.te
index 5476e3385..b9e48b2b5 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,6 @@
 typeattribute wificond coredomain;
 
 init_daemon_domain(wificond)
+
+# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
+typeattribute wificond socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index d9d123fd0..9f42c9ab7 100644
--- a/public/attributes
+++ b/public/attributes
@@ -124,6 +124,9 @@ attribute update_engine_common;
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
 
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
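Review bot: The comment on the new attribute says "socket devices", but the attribute is attached to sock_file types (filesystem socket nodes such as adbd_socket in public/file.te) and is used only in sock_file neverallows in public/domain.te, so "devices" is misleading. Suggest `# All filesystem socket nodes (sock_file types) owned by core domain components`.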
diff --git a/public/domain.te b/public/domain.te
index bd5cb895c..fc4db7e2b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -554,6 +554,42 @@ full_treble_only(`
     -netdomain
     -socket_between_core_and_vendor_violators
   }, netd);
+
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -socket_between_core_and_vendor_violators
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -pdx_socket # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
 ')
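Review bot: The comment introducing the first new neverallow, "not permitted to initiate create/open sockets owned by core domains", is garbled; suggest `# Vendor domains are not permitted to create/open sockets owned by core domains`. Each rule forbids the complement of `{ append getattr ioctl read write }` without saying why; a comment stating that these are the permissions a client presumably needs to connect to and use an existing socket node, so that creation, unlinking and relabelling are what is blocked, would help the next reader. All three rules sit inside the full_treble_only macro whose opening is before the hunk, so they are enforced only on full-Treble builds, which the comments could mention. The third rule also includes dev_type in its target while its comment speaks only of sockets owned by vendor domains; if the intent is to cover sock_file nodes under /dev, a short comment saying so would save guessing.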
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/file.te b/public/file.te
index d7a82bc6c..1634e3361 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,34 +224,34 @@ type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
 type wpa_socket, file_type;
-type zygote_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
 type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
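Review bot: `type misc_logd_file, coredomain_socket, file_type;` orders the attributes differently from every other line in the block (file_type first, then coredomain_socket); suggest `type misc_logd_file, file_type, coredomain_socket;` for consistency. The types deliberately left without coredomain_socket — rild_socket, rild_debug_socket, wpa_socket and sap_uim_socket — now implicitly fall on the vendor side of the new neverallows in public/domain.te, and nothing in the file records that this is intentional; a comment such as `# Created by vendor domains; intentionally not coredomain_socket` above them would make the classification visible. misc_logd_file does not carry the _socket suffix the rest of the block uses, so it is worth confirming it really is a sock_file type before attaching the attribute.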
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index eb2bd818e..a906d977b 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -5,5 +5,7 @@ type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
 
 # TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators attribute.
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
 typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;
-- 
GitLab