authorShanshan Guo <Shanshan.Guo@mediatek.com>2020-01-20 10:27:21 +0800
committerShanshan Guo <Shanshan.Guo@mediatek.com>2020-01-20 10:46:29 +0800
commita0a39fc62b9e8cf093413b60cc3ad860bcf9e875 (patch)
treefcd36d00cf8d37aee24096b05f91518bcfe0363c
parentc35db1e5a50c311dfcca91618d7221bde6961e1b (diff)
[ALPS04978995] SEPolicy: Add neverallow rule for vendor_data_file
[Detail] Do not allow access to the generic vendor_data_file label. This is too broad. Instead, if access to part of vendor_data_file is desired, it should have a more specific label. [Solution] 1. Add neverallow rules for vendor_data_file. 2. Remove the conflicting SEPolicy allow rules. Change-Id: Ib50df894093aa26b6e8517b4a6ebb24eb4ade6f4 CR-Id: ALPS04978995 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
-rw-r--r--non_plat/factory.te7
-rw-r--r--non_plat/stp_dump3.te1
-rw-r--r--non_plat/wlan_assistant.te4
-rw-r--r--plat_public/domain.te43
-rw-r--r--r_non_plat/factory.te7
-rw-r--r--r_non_plat/stp_dump3.te2
-rw-r--r--r_non_plat/wlan_assistant.te4
7 files changed, 42 insertions, 26 deletions
diff --git a/non_plat/factory.te b/non_plat/factory.te
index 8fdb03a..6ec8325 100644
--- a/non_plat/factory.te
+++ b/non_plat/factory.te
@@ -198,7 +198,6 @@ allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
allow factory mtk_hal_power_hwservice:hwservice_manager find;
-allow factory vendor_data_file:file getattr;
allow factory mtk_hal_power:binder call;
get_prop(factory,mediatek_prop);
#Purpose: For FM test and headset test
@@ -360,12 +359,6 @@ allow factory factory:capability { sys_module net_admin net_raw };
r_dir_file(factory, sysfs_batteryinfo)
r_dir_file(factory, sysfs_switch)
-# Date : WK18.27
-# Operation: P migration
-# Purpose : Allow factory to save test report to /data/vendor
-allow factory vendor_data_file:dir { add_name read write};
-allow factory vendor_data_file:file { create read write open };
-
# Date : WK18.31
# Operation: P migration
# Purpose : Refine policy
diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te
index a1f2937..6d0a65b 100644
--- a/non_plat/stp_dump3.te
+++ b/non_plat/stp_dump3.te
@@ -20,7 +20,6 @@ type stp_dump3, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
-file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)
allow stp_dump3 self:capability { net_admin fowner chown fsetid };
allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
diff --git a/non_plat/wlan_assistant.te b/non_plat/wlan_assistant.te
index 9a440c7..830da67 100644
--- a/non_plat/wlan_assistant.te
+++ b/non_plat/wlan_assistant.te
@@ -36,10 +36,6 @@ allow wlan_assistant nvdata_file:dir { search read getattr open };
allow wlan_assistant nvdata_file:file { read getattr open };
allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
-# allow wlan_assistant to read file under /data/vendor
-allow wlan_assistant vendor_data_file:dir { search read getattr open };
-allow wlan_assistant vendor_data_file:file { read getattr open };
-
allow wlan_assistant mnt_vendor_file :dir search;
allow wlan_assistant init:unix_stream_socket connectto;
allow wlan_assistant property_socket:sock_file write;
diff --git a/plat_public/domain.te b/plat_public/domain.te
index c977593..fe16376 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -279,7 +279,48 @@ full_treble_only(`
# too broad.
# Instead, if access to part of vendor_data_file is desired, it should
# have a more specific label.
-#neverallow * vendor_data_file:dir_file_class_set *;
+full_treble_only(`
+ neverallow ~{
+ init
+ vendor_init
+ } vendor_data_file:file_class_set *;
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ chr_file blk_file } ~{ relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ } vendor_data_file:dir ~{ getattr search };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
+
+ neverallow vold vendor_data_file:dir ~create_dir_perms;
+
+ neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
+')
# Do not allow access to the generic app_data_file label. This is too broad.
# Instead, if access to part of app_data_file is desired, it should have a
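Review bot: The nine neverallow rules that replace the commented-out catch-all at the top of this hunk carry no documentation beyond the pre-existing "too broad" comment, so a reader cannot tell which domains are the deliberate exceptions or why each gets the permission set it does. A short comment before the `full_treble_only(` line would fix that, e.g. `# Only init/vendor_init (boot-time setup and relabel) may touch non-dir objects still carrying the generic label; vold and vold_prepare_subdirs may additionally manage directories; every other domain is limited to dir getattr/search so it can traverse /data/vendor to a more specifically labelled subdirectory.` Note also that the block is wrapped in full_treble_only, so unlike the original unconditional `neverallow * vendor_data_file:dir_file_class_set *;` it imposes nothing on a build without PRODUCT_FULL_TREBLE; if that is intended, the comment should say so. Finally, the diffstat shows no file_contexts or new-type changes, so the access removed from factory (test-report writes), stp_dump3 (the dropped type transition) and wlan_assistant has not yet been replaced by a more specific label as the description says it should be; presumably that follows in another change, but it is worth confirming those paths are no longer used at runtime.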
diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te
index 30293c9..5695bf1 100644
--- a/r_non_plat/factory.te
+++ b/r_non_plat/factory.te
@@ -198,7 +198,6 @@ allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
allow factory mtk_hal_power_hwservice:hwservice_manager find;
-allow factory vendor_data_file:file getattr;
allow factory mtk_hal_power:binder call;
get_prop(factory,mediatek_prop);
#Purpose: For FM test and headset test
@@ -360,12 +359,6 @@ allow factory factory:capability { sys_module net_admin net_raw };
r_dir_file(factory, sysfs_batteryinfo)
r_dir_file(factory, sysfs_switch)
-# Date : WK18.27
-# Operation: P migration
-# Purpose : Allow factory to save test report to /data/vendor
-allow factory vendor_data_file:dir { add_name read write};
-allow factory vendor_data_file:file { create read write open };
-
# Date : WK18.31
# Operation: P migration
# Purpose : Refine policy
diff --git a/r_non_plat/stp_dump3.te b/r_non_plat/stp_dump3.te
index a26dd61..6d0a65b 100644
--- a/r_non_plat/stp_dump3.te
+++ b/r_non_plat/stp_dump3.te
@@ -20,7 +20,6 @@ type stp_dump3, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
-file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)
allow stp_dump3 self:capability { net_admin fowner chown fsetid };
allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
@@ -39,6 +38,5 @@ allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
allow stp_dump3 stp_dump_data_file:file create_file_perms;
allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
-allow stp_dump3 vendor_data_file:dir create_dir_perms;
get_prop(stp_dump3, coredump_prop)
init_daemon_domain(stp_dump3)
diff --git a/r_non_plat/wlan_assistant.te b/r_non_plat/wlan_assistant.te
index 9a440c7..830da67 100644
--- a/r_non_plat/wlan_assistant.te
+++ b/r_non_plat/wlan_assistant.te
@@ -36,10 +36,6 @@ allow wlan_assistant nvdata_file:dir { search read getattr open };
allow wlan_assistant nvdata_file:file { read getattr open };
allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
-# allow wlan_assistant to read file under /data/vendor
-allow wlan_assistant vendor_data_file:dir { search read getattr open };
-allow wlan_assistant vendor_data_file:file { read getattr open };
-
allow wlan_assistant mnt_vendor_file :dir search;
allow wlan_assistant init:unix_stream_socket connectto;
allow wlan_assistant property_socket:sock_file write;