Merge changes from topic 'add_vendor_shell_toybox' into oc-dev

* changes: suppress audit logs from rild's access to core domain through system() sepolicy: auditallow vendor components to execute files from /system vendor_shell: add sepolicy for vendor shell toolbox: add sepolicy for vendor toybox Do not allow priv_apps to scan all exec files

Merge changes from topic 'add_vendor_shell_toybox' into oc-dev
* changes: suppress audit logs from rild's access to core domain through system() sepolicy: auditallow vendor components to execute files from /system vendor_shell: add sepolicy for vendor shell toolbox: add sepolicy for vendor toybox Do not allow priv_apps to scan all exec files
e9e11a79 · TreeHugger Robot · Android (Google) Code Review · a8c0b2d9 · 7bbf7a6e · e9e11a79
Commit e9e11a79 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -265,6 +265,8 @@
 # Vendor files
 #
 /(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0

 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -73,9 +73,6 @@ userdebug_or_eng(`
  allow priv_app perfprofd_data_file:dir r_dir_perms;
 ')

-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
-
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };

--- a/public/domain.te
+++ b/public/domain.te
@@ -657,7 +657,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -idmap
-	-init
+        -init
        -system_server
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
@@ -666,10 +666,33 @@ full_treble_only(`
        coredomain
        -appdomain
        -idmap
-	-init
+        -init
        -system_server
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+
+    # Non-vendor domains are not allowed to file execute shell
+    # from vendor
+    neverallow {
+        coredomain
+        -init
+    } vendor_shell_exec:file { execute execute_no_trans };
+
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    # TODO:(b/36463595) Make this a neverallow
+    userdebug_or_eng(`
+        auditallow {
+            domain
+            -coredomain
+            -appdomain
+            -rild
+        } {
+            exec_type
+            -vendor_file_type
+            -crash_dump_exec
+        }:file { entrypoint execute execute_no_trans };
+    ')
 ')

 # Only authorized processes should be writing to files in /data/dalvik-cache

--- a/public/init.te
+++ b/public/init.te
@@ -395,6 +395,8 @@ allow init proc_meminfo:file r_file_perms;
 allow init system_data_file:file { getattr read };
 allow init system_data_file:lnk_file r_file_perms;

+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;

 ###
 ### neverallow rules

--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor toolbox
+    neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')