Merge changes from topic 'add_vendor_shell_toybox' into oc-dev

am: e9e11a79 Change-Id: I4afe3e0fbd9fd17d19f2e498162c9f68234a8fb5

Merge changes from topic 'add_vendor_shell_toybox' into oc-dev
am: e9e11a79 Change-Id: I4afe3e0fbd9fd17d19f2e498162c9f68234a8fb5
ff2febc0 · Sandeep Patil · android-build-merger · b4aa5da9 · e9e11a79 · ff2febc0
Commit ff2febc0 authored 7 years ago by Sandeep Patil Committed by android-build-merger 7 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -265,6 +265,8 @@
 # Vendor files
 #
 /(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh                 u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor      u:object_r:vendor_toolbox_exec:s0
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -73,9 +73,6 @@ userdebug_or_eng(`
  allow priv_app perfprofd_data_file:dir r_dir_perms;
 ')
-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };

--- a/public/domain.te
+++ b/public/domain.te
@@ -657,7 +657,7 @@ full_treble_only(`
        coredomain
        -appdomain
        -idmap
-	-init
+        -init
        -system_server
        -zygote
    } vendor_overlay_file:dir { getattr open read search };
@@ -666,10 +666,33 @@ full_treble_only(`
        coredomain
        -appdomain
        -idmap
-	-init
+        -init
        -system_server
        -zygote
    } vendor_overlay_file:{ file lnk_file } r_file_perms;
+    # Non-vendor domains are not allowed to file execute shell
+    # from vendor
+    neverallow {
+        coredomain
+        -init
+    } vendor_shell_exec:file { execute execute_no_trans };
+    # Do not allow vendor components to execute files from system
+    # except for the ones whitelist here.
+    # TODO:(b/36463595) Make this a neverallow
+    userdebug_or_eng(`
+        auditallow {
+            domain
+            -coredomain
+            -appdomain
+            -rild
+        } {
+            exec_type
+            -vendor_file_type
+            -crash_dump_exec
+        }:file { entrypoint execute execute_no_trans };
+    ')
 ')
 # Only authorized processes should be writing to files in /data/dalvik-cache

--- a/public/init.te
+++ b/public/init.te
@@ -400,6 +400,8 @@ allow init proc_meminfo:file r_file_perms;
 allow init system_data_file:file { getattr read };
 allow init system_data_file:lnk_file r_file_perms;
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
 ###
 ### neverallow rules

--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+    # Do not allow non-vendor domains to transition
+    # to vendor toolbox
+    neverallow coredomain vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')