Reland "Neverallow vendor code access to files on /system."

What changed: - Tightening neverallow forbidding vendor execution access in /system. In it's current form the neverallow is loose because not all executables have exec_type attribute, e.g. almost everything in /system/bin/. This change tightens up the neverallow by instead targeting system_file_type attribute, which must be applied to all files in /system. - Adding a general neverallow forbidding all access to files in /system (bar exceptions) TODOs: - Remove loopholes once Treble violations are fixed across all internal build targets. Bug: 111243627 Test: m selinux_policy; build-only change Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229

Reland "Neverallow vendor code access to files on /system."
What changed: - Tightening neverallow forbidding vendor execution access in /system. In it's current form the neverallow is loose because not all executables have exec_type attribute, e.g. almost everything in /system/bin/. This change tightens up the neverallow by instead targeting system_file_type attribute, which must be applied to all files in /system. - Adding a general neverallow forbidding all access to files in /system (bar exceptions) TODOs: - Remove loopholes once Treble violations are fixed across all internal build targets. Bug: 111243627 Test: m selinux_policy; build-only change Change-Id: I150195756c0c3258904c3da0812bbd942ea2f229
e6b1a4ca · Tri Vo · 368c7c08 · e6b1a4ca
Commit e6b1a4ca authored 6 years ago by Tri Vo
--- a/public/domain.te
+++ b/public/domain.te
@@ -1091,9 +1091,10 @@ full_treble_only(`
        -vendor_executes_system_violators
        -vendor_init
    } {
-        exec_type
+        system_file_type
+        -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+        -system_lib_file
        -system_linker_exec
-        -vendor_file_type
        -crash_dump_exec
        -netutils_wrapper_exec
        userdebug_or_eng(`-tcpdump_exec')
@@ -1156,17 +1157,33 @@ full_treble_only(`
  }:file *;
 ')

-# TODO(b/111243627): Uncomment once all violations are cleaned up.
-#full_treble_only(`
-#  # Do not allow vendor components access to /system files except for the
-#  # ones whitelisted here.
-#  neverallow {
-#    domain
-#    -appdomain
-#    -coredomain
-#    -vendor_executes_system_violators
-#  } system_file_type:file *;
-#')
+full_treble_only(`
+  # Do not allow vendor components access to /system files except for the
+  # ones whitelisted here.
+  neverallow {
+    domain
+    -appdomain
+    -coredomain
+    -vendor_executes_system_violators
+    # vendor_init needs access to init_exec for domain transition. vendor_init
+    # neverallows are covered in public/vendor_init.te
+    -vendor_init
+  } {
+    system_file_type
+    -system_file # TODO(b/111243627): remove once Treble violations are fixed.
+    -crash_dump_exec
+    -file_contexts_file
+    -netutils_wrapper_exec
+    -property_contexts_file
+    -system_lib_file
+    -system_linker_exec
+    -system_linker_config_file
+    -system_seccomp_policy_file
+    -system_security_cacerts_file
+    -system_zoneinfo_file
+    userdebug_or_eng(`-tcpdump_exec')
+  }:file *;
+')

 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {