From a0a39fc62b9e8cf093413b60cc3ad860bcf9e875 Mon Sep 17 00:00:00 2001
From: Shanshan Guo
Date: Mon, 20 Jan 2020 10:27:21 +0800
Subject: [ALPS04978995] SEPolicy: Add neverallow rule for vendor_data_file
[Detail]
Do not allow access to the generic vendor_data_file label. This is too broad. Instead, if access to part of vendor_data_file is desired, it should have a more specific label.
[Solution]
1.Add neverallow rule for vendor_data_file.
2.Remove the conflicting SEPolicies.
Change-Id: Ib50df894093aa26b6e8517b4a6ebb24eb4ade6f4
CR-Id: ALPS04978995
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
---
 non_plat/factory.te | 7 -------
 non_plat/stp_dump3.te | 1 -
 non_plat/wlan_assistant.te | 4 ----
 plat_public/domain.te | 43 ++++++++++++++++++++++++++++++++++++++++++-
 r_non_plat/factory.te | 7 -------
 r_non_plat/stp_dump3.te | 2 --
 r_non_plat/wlan_assistant.te | 4 ----
 7 files changed, 42 insertions(+), 26 deletions(-)
diff --git a/non_plat/factory.te b/non_plat/factory.te
index 8fdb03a..6ec8325 100644
--- a/non_plat/factory.te
+++ b/non_plat/factory.te
@@ -198,7 +198,6 @@ allow factory camera_wpe_device:chr_file rw_file_perms;
 allow factory camera_owe_device:chr_file rw_file_perms;
 allow factory camera_mfb_device:chr_file rw_file_perms;
 allow factory mtk_hal_power_hwservice:hwservice_manager find;
-allow factory vendor_data_file:file getattr;
 allow factory mtk_hal_power:binder call;
 get_prop(factory,mediatek_prop);
 #Purpose: For FM test and headset test
@@ -360,12 +359,6 @@ allow factory factory:capability { sys_module net_admin net_raw };
 r_dir_file(factory, sysfs_batteryinfo)
 r_dir_file(factory, sysfs_switch)
-# Date : WK18.27
-# Operation: P migration
-# Purpose : Allow factory to save test report to /data/vendor
-allow factory vendor_data_file:dir { add_name read write};
-allow factory vendor_data_file:file { create read write open };
-
 # Date : WK18.31
 # Operation: P migration
 # Purpose : Refine policy
diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te
index a1f2937..6d0a65b 100644
--- a/non_plat/stp_dump3.te
+++ b/non_plat/stp_dump3.te
@@ -20,7 +20,6 @@ type stp_dump3, domain;
 # ==============================================
 # MTK Policy Rule
 # ==============================================
-file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)
 allow stp_dump3 self:capability { net_admin fowner chown fsetid };
 allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
 allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
diff --git a/non_plat/wlan_assistant.te b/non_plat/wlan_assistant.te
index 9a440c7..830da67 100644
--- a/non_plat/wlan_assistant.te
+++ b/non_plat/wlan_assistant.te
@@ -36,10 +36,6 @@ allow wlan_assistant nvdata_file:dir { search read getattr open };
 allow wlan_assistant nvdata_file:file { read getattr open };
 allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
-# allow wlan_assistant to read file under /data/vendor
-allow wlan_assistant vendor_data_file:dir { search read getattr open };
-allow wlan_assistant vendor_data_file:file { read getattr open };
-
 allow wlan_assistant mnt_vendor_file :dir search;
 allow wlan_assistant init:unix_stream_socket connectto;
 allow wlan_assistant property_socket:sock_file write;
diff --git a/plat_public/domain.te b/plat_public/domain.te
index c977593..fe16376 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -279,7 +279,48 @@ full_treble_only(`
 # too broad.
 # Instead, if access to part of vendor_data_file is desired, it should
 # have a more specific label.
-#neverallow * vendor_data_file:dir_file_class_set *;
+full_treble_only(`
+ neverallow ~{
+ init
+ vendor_init
+ } vendor_data_file:file_class_set *;
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ chr_file blk_file } ~{ relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ } vendor_data_file:dir ~{ getattr search };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
+
+ neverallow vold vendor_data_file:dir ~create_dir_perms;
+
+ neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
+')
 # Do not allow access to the generic app_data_file label. This is too broad.
 # Instead, if access to part of app_data_file is desired, it should have a
diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te
index 30293c9..5695bf1 100644
--- a/r_non_plat/factory.te
+++ b/r_non_plat/factory.te
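Review bot: The new neverallow block makes the allow rules dropped in the six other hunks illegal, but the commit adds no replacement type for the paths those domains used, so factory's test-report directory (the removed comment reads `Allow factory to save test report to /data/vendor`), the stp_dump3 directory that the dropped `file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)` used to create, and wlan_assistant's reads under /data/vendor will presumably now fail with avc denials if those code paths are still exercised. The comment directly above the block says such access should get a more specific label; either the same change should add that type with its file_contexts entry (and, for stp_dump3, something that pre-creates the directory with the stp_dump_data_file label it still has create_dir_perms on, since it can no longer create it under vendor_data_file), or the commit message should state that the access is obsolete. A short comment on the dir rules would also help future readers, e.g. `# Every domain keeps getattr/search on vendor_data_file:dir so the path to a more specifically labelled subdirectory stays traversable; only vold and vold_prepare_subdirs may create or manage dirs there, and only init/vendor_init may touch non-dir objects.`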
@@ -198,7 +198,6 @@ allow factory camera_wpe_device:chr_file rw_file_perms;
 allow factory camera_owe_device:chr_file rw_file_perms;
 allow factory camera_mfb_device:chr_file rw_file_perms;
 allow factory mtk_hal_power_hwservice:hwservice_manager find;
-allow factory vendor_data_file:file getattr;
 allow factory mtk_hal_power:binder call;
 get_prop(factory,mediatek_prop);
 #Purpose: For FM test and headset test
@@ -360,12 +359,6 @@ allow factory factory:capability { sys_module net_admin net_raw };
 r_dir_file(factory, sysfs_batteryinfo)
 r_dir_file(factory, sysfs_switch)
-# Date : WK18.27
-# Operation: P migration
-# Purpose : Allow factory to save test report to /data/vendor
-allow factory vendor_data_file:dir { add_name read write};
-allow factory vendor_data_file:file { create read write open };
-
 # Date : WK18.31
 # Operation: P migration
 # Purpose : Refine policy
diff --git a/r_non_plat/stp_dump3.te b/r_non_plat/stp_dump3.te
index a26dd61..6d0a65b 100644
--- a/r_non_plat/stp_dump3.te
+++ b/r_non_plat/stp_dump3.te
@@ -20,7 +20,6 @@ type stp_dump3, domain;
 # ==============================================
 # MTK Policy Rule
 # ==============================================
-file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)
 allow stp_dump3 self:capability { net_admin fowner chown fsetid };
 allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
 allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
@@ -39,6 +38,5 @@ allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
 allow stp_dump3 stp_dump_data_file:file create_file_perms;
 allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
 allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
-allow stp_dump3 vendor_data_file:dir create_dir_perms;
 get_prop(stp_dump3, coredump_prop)
 init_daemon_domain(stp_dump3)
diff --git a/r_non_plat/wlan_assistant.te b/r_non_plat/wlan_assistant.te
index 9a440c7..830da67 100644
--- a/r_non_plat/wlan_assistant.te
+++ b/r_non_plat/wlan_assistant.te
@@ -36,10 +36,6 @@ allow wlan_assistant nvdata_file:dir { search read getattr open };
 allow wlan_assistant nvdata_file:file { read getattr open };
 allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
-# allow wlan_assistant to read file under /data/vendor
-allow wlan_assistant vendor_data_file:dir { search read getattr open };
-allow wlan_assistant vendor_data_file:file { read getattr open };
-
 allow wlan_assistant mnt_vendor_file :dir search;
 allow wlan_assistant init:unix_stream_socket connectto;
 allow wlan_assistant property_socket:sock_file write;
-- 
cgit v1.2.3