Tighten restrictions on core <-> vendor socket comms

This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 Change-Id: I633163cf67d60677c4725b754e01097dd5790aed

Tighten restrictions on core <-> vendor socket comms
This futher restricts neverallows for sockets which may be exposed as filesystem nodes. This is achieved by labelling all such sockets created by core/non-vendor domains using the new coredomain_socket attribute, and then adding neverallow rules targeting that attribute. This has now effect on what domains are permitted to do. This only changes neverallow rules. Test: mmm system/sepolicy Bug: 36577153 Change-Id: I633163cf67d60677c4725b754e01097dd5790aed
cf2ffdf0 · Alex Klyubin · 6953b867 · cf2ffdf0 · cf2ffdf0 · cf2ffdf0
Commit cf2ffdf0 authored 7 years ago by Alex Klyubin
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@ typeattribute drmserver coredomain;
 init_daemon_domain(drmserver)
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
+typeattribute drmserver_socket coredomain_socket;
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -190,6 +190,12 @@ hal_client_domain(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
+# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
+# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
+# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
+typeattribute system_server socket_between_core_and_vendor_violators;
 hal_client_domain(system_server, hal_wifi_supplicant)
 # Talk to tombstoned to get ANR traces.

--- a/private/wificond.te
+++ b/private/wificond.te
 typeattribute wificond coredomain;
 init_daemon_domain(wificond)
+# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
+typeattribute wificond socket_between_core_and_vendor_violators;
--- a/public/attributes
+++ b/public/attributes
@@ -124,6 +124,9 @@ attribute update_engine_common;
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
+# All socket devices owned by core domain components
+attribute coredomain_socket;
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;

--- a/public/domain.te
+++ b/public/domain.te
@@ -554,6 +554,42 @@ full_treble_only(`
    -netdomain
    -socket_between_core_and_vendor_violators
  }, netd);
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -socket_between_core_and_vendor_violators
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -pdx_socket # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
 ')
 # Only authorized processes should be writing to files in /data/dalvik-cache

--- a/public/file.te
+++ b/public/file.te
@@ -224,34 +224,34 @@ type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # Socket types
-type adbd_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type;
+type bluetooth_socket, file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, mlstrustedobject;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type;
+type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, mlstrustedobject;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type;
+type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, mlstrustedobject;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type;
+type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, mlstrustedobject;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, file_type;
+type misc_logd_file, coredomain_socket, file_type;
-type mtpd_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
-type netd_socket, file_type;
+type netd_socket, file_type, coredomain_socket;
-type pdx_socket, file_type, mlstrustedobject;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type;
+type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
-type system_ndebug_socket, file_type, mlstrustedobject;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
-type uncrypt_socket, file_type;
+type uncrypt_socket, file_type, coredomain_socket;
-type vold_socket, file_type;
+type vold_socket, file_type, coredomain_socket;
-type webview_zygote_socket, file_type;
+type webview_zygote_socket, file_type, coredomain_socket;
 type wpa_socket, file_type;
-type zygote_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
 type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;

--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -5,5 +5,7 @@ type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
 # TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators attribute.
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
 typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;