From d4785c37073b8d87a9caa1a3a053d4c05735751d Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 10 Nov 2017 10:49:23 -0800
Subject: [PATCH] Move platform/vendor data violations to device policy

Sharing data folders by path will be disallowed because it violates the approved API between platform and vendor components tested by VTS. Move all violating permissions from core selinux policy to device specific policy so that we can exempt existing devices from the ban and enforce it on new devices.
Bug: 34980020
Test: Move permissions. Build and test wifi, wifi AP, nfc, fingerprint and Play movies on Marlin and Taimen.
Test: build on Angler, Bullhead, Dragon, Fugu, Marlin, Walleye
Change-Id: Ib6fc9cf1403e74058aaae5a7b0784922f3172b4e
---
public/domain.te | 73 +++++++++++++++++++++++++++++++++++
public/hal_drm.te | 5 ---
public/hal_fingerprint.te | 6 ---
public/hal_nfc.te | 4 --
public/hal_wifi_supplicant.te | 6 ---
vendor/hostapd.te | 10 -----
6 files changed, 73 insertions(+), 31 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 6852d9d11..ab1684980 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -671,6 +671,79 @@ full_treble_only(`
 }:sock_file ~{ append getattr ioctl read write };
 ')
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+ # only coredomains may only access core_data_file_type, particularly not
+ # /data/vendor
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vendor_init
+ } {
+ data_file_type
+ -core_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vendor_init
+ } {
+ data_file_type
+ -core_data_file_type
+ }:dir *;
+
+ ')
+full_treble_only(`
+ # vendor domains may only access files in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ core_data_file_type
+ # libc includes functions like mktime and localtime which attempt to access
+ # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+ # vndk-stable and thus must be allowed for all processes.
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -zoneinfo_data_file
+ }:dir *;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ system_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 666b1ba82..fbd90eb2d 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -33,11 +33,6 @@ allow hal_drm hal_graphics_allocator:fd use;
 # Allow access to fds allocated by mediaserver
 allow hal_drm mediaserver:fd use;
-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
 allow hal_drm sysfs:file r_file_perms;
 allow hal_drm tee_device:chr_file rw_file_perms;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index bef9f556e..36de76191 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
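Review bot: The last full_treble_only block in this hunk carries the comment `# vendor domains may only access dirs in /data/vendor, never core_data_file_types`, copied verbatim from the block above it, even though this block is the "Covered below" carve-out that permits only `getattr search` on `system_data_file` directories, so a reader looking for why vendor domains may traverse /data at all will not find it explained. Suggest replacing that comment with `# system_data_file is the default label on /data; vendor domains may only stat and traverse (search) such dirs, presumably so that paths below /data stay reachable by vendor code - every other dir access is banned above`. Separately, the header comment describes the `~{ append getattr ioctl read write }` carve-out as "what can be applied to an open FD", but `lock` is an FD operation that both `file_class_set` rules still forbid (and `map` as well, if this policy revision defines it), so either add `lock` to the exempted set or narrow the comment to the permissions actually listed; the same set is used by the `sock_file` rule in the hunk's leading context, so the choice should be applied consistently there too. The full_treble_only block that the leading context lines close, and the one opened by the trailing context line, both continue outside the hunk.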
@@ -5,12 +5,6 @@ binder_call(hal_fingerprint_server, hal_fingerprint_client)
 add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
 allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index a027c48be..3bcdf5ee1 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,7 +10,3 @@ set_prop(hal_nfc, nfc_prop)
 # NFC device access.
 allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 82c9e7d7a..10db826dd 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -19,12 +19,6 @@ allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:packet_socket create_socket_perms;
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
 ###
 ### neverallow rules
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index 2c62cf035..62e4550a8 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -21,13 +21,3 @@ allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow hostapd self:packet_socket create_socket_perms_no_ioctl;
 allow hostapd self:netlink_route_socket nlmsg_write;
-
-# hostapd can read and write WiFi related data and configuration.
-# For example, the entropy file is periodically updated.
-allow hostapd wifi_data_file:file rw_file_perms;
-r_dir_file(hostapd, wifi_data_file)
-
-# hostapd wants to create the directory holding its control socket.
-allow hostapd hostapd_socket:dir create_dir_perms;
-# hostapd needs to create, bind to, read, and write its control socket.
-allow hostapd hostapd_socket:sock_file create_file_perms;
-- GitLab