author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-02-05 10:10:34 +0800 |
---|---|---|
committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-02-05 10:10:34 +0800 |
commit | 5e7187e3b9c3cf57d62ffdf28c4dbb34b268ec19 (patch) | |
tree | 07db0bb84f444a181cf79293dc802e31905a5c72 | |
parent | cf50b9ff23c93d266d2623ec638f1856baebbd8e (diff) | |
download | wembley-sepolicy-5e7187e3b9c3cf57d62ffdf28c4dbb34b268ec19.tar.gz |
[ALPS04974468] SEPolicy: Add neverallow rule for system_data_file
[Detail]
Do not allow access to the generic system_data_file label. This is too broad.
Instead, if access to part of system_data_file is desired, it should have a
more specific label.
[Solution]
1. Add neverallow rules for system_data_file (plat_public, plat_private and non_plat domain.te).
2. Remove the allow rules that conflict with them.
MTK-Commit-Id: c35db1e5a50c311dfcca91618d7221bde6961e1b
Change-Id: Ifc5a87d55b7ca18a53dd6ffe1fbccaf63e03e263
CR-Id: ALPS04974468
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
42 files changed, 316 insertions, 157 deletions
diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te index c845ce2..fb69ca2 100644 --- a/non_plat/aee_aed.te +++ b/non_plat/aee_aed.te @@ -66,5 +66,4 @@ hal_client_domain(aee_aed, mtk_hal_log) # Purpose: create /data/aee_exp at runtime allow aee_aed file_contexts_file:file r_file_perms; -allow aee_aed system_data_file:dir { relabelfrom setattr }; allow aee_aed aee_exp_data_file:dir relabelto; diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te index 3e4cd58..af1e683 100644 --- a/non_plat/atci_service.te +++ b/non_plat/atci_service.te @@ -31,14 +31,11 @@ allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open allow atci_service ccu_device:chr_file { read write ioctl open }; allow atci_service vpu_device:chr_file { read write ioctl open }; allow atci_service MTK_SMI_device:chr_file { open read write ioctl }; -#allow atci_service system_server:binder call; -#allow atci_service system_data_file:dir { write remove_name add_name }; allow atci_service DW9714AF_device:chr_file { read write ioctl open }; allow atci_service devmap_device:chr_file { open read write ioctl }; allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr }; allow atci_service sdcard_type:file { setattr read create write getattr unlink open append }; allow atci_service mediaserver:binder call; -#allow atci_service system_server:unix_stream_socket { read write }; allow atci_service self:capability sys_boot; # Date : 2015/09/17 @@ -115,7 +112,6 @@ allow atci_service mtk_hal_power:binder call; allow atci_service mtk_hal_power_hwservice:hwservice_manager find; allow atci_service sysfs_batteryinfo:dir search; allow atci_service sysfs_batteryinfo:file { read getattr open }; -#allow atci_service system_data_file:lnk_file read; allow atci_service system_file:dir { read open }; allow atci_service camera_pipemgr_device:chr_file { read ioctl open }; #allow atci_service media_rw_data_file:dir { read getattr open }; 
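Review bot: With `allow aee_aed system_data_file:dir { relabelfrom setattr }` removed, the surviving `allow aee_aed aee_exp_data_file:dir relabelto;` in non_plat/aee_aed.te can no longer be exercised on a directory that starts life as system_data_file, because a relabel needs relabelfrom on the old type as well as relabelto on the new one. That leaves the rule and the `# Purpose: create /data/aee_exp at runtime` comment above it stale. If the directory is now created and labelled by init (rc `mkdir` plus a file_contexts entry for aee_exp_data_file), drop the relabelto rule and reword the comment to `# Purpose: /data/aee_exp is created and labelled by init; aee_aed only reads file_contexts`; if aee_aed is still expected to relabel it, this hunk removes a permission it needs.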
diff --git a/non_plat/biosensord_nvram.te b/non_plat/biosensord_nvram.te index dc1b19f..5fe181c 100644 --- a/non_plat/biosensord_nvram.te +++ b/non_plat/biosensord_nvram.te @@ -30,4 +30,3 @@ allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms}; allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms; allow biosensord_nvram biometric_device:chr_file { open ioctl read write }; allow biosensord_nvram self:capability { chown fsetid }; -allow biosensord_nvram system_data_file:lnk_file read; diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index a0c9a3a..318cf2e 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te @@ -57,13 +57,6 @@ allow cameraserver mtkcam_prop:file { open read getattr }; # Purpose : VP/VR # allow cameraserver devmap_device:chr_file { ioctl }; -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -# #allow cameraserver self:netlink_kobject_uevent_socket read; -# allow cameraserver system_data_file:file open; - # Date : WK14.36 # Operation : Migration # Purpose : media server and bt process communication for A2DP data.and other control flow @@ -236,14 +229,6 @@ allow cameraserver graphics_device:chr_file rw_file_perms; # Purpose : 3A algorithm need to access sensor service # allow cameraserver sensorservice_service:service_manager find; -# Date : WK15.34 -# Operation : Migration -# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump -# allow cameraserver system_data_file:dir write; -# allow cameraserver storage_file:lnk_file {read write}; -# allow cameraserver mnt_user_file:dir {write read search}; -# allow cameraserver mnt_user_file:lnk_file {read write}; - # Date : WK15.35 # Operation : Migration # Purpose: Allow cameraserver to read binder from surfaceflinger 
@@ -271,13 +256,6 @@ allow cameraserver system_file:dir { read open };
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir search;
-# Date : WK16.30
-# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
-# allow cameraserver property_socket:sock_file write;
-# allow cameraserver shell_exec:file { execute read getattr open};
-# allow cameraserver init:unix_stream_socket connectto;
-
# Date : WK16.32
# Operation : Migration
# Purpose : RSC Driver
@@ -315,9 +293,6 @@ allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls };
# allow cameraserver aee_aed:unix_stream_socket connectto;
# ')
-# Purpose: Allow to access debugfs_ion dir.
-allow cameraserver system_data_file:lnk_file read;
-
# Date : WK17.19
# Operation : Migration
# Purpose : OWE Driver
diff --git a/non_plat/ccci_fsd.te b/non_plat/ccci_fsd.te
index a3cf5eb..889d1e8 100644
--- a/non_plat/ccci_fsd.te
+++ b/non_plat/ccci_fsd.te
@@ -22,7 +22,6 @@ allow ccci_fsd nvdata_file:lnk_file read;
allow ccci_fsd nvdata_file:dir create_dir_perms;
allow ccci_fsd nvdata_file:file create_file_perms;
allow ccci_fsd nvram_device:chr_file rw_file_perms;
-allow ccci_fsd system_data_file:lnk_file read;
allow ccci_fsd vendor_configs_file:file r_file_perms;
allow ccci_fsd vendor_configs_file:dir r_dir_perms;
diff --git a/non_plat/ccci_mdinit.te b/non_plat/ccci_mdinit.te
index dcbfa79..6fbe3ba 100644
--- a/non_plat/ccci_mdinit.te
+++ b/non_plat/ccci_mdinit.te
@@ -61,7 +61,6 @@ allow ccci_mdinit nvdata_file:lnk_file read;
allow ccci_mdinit nvdata_file:dir rw_dir_perms;
allow ccci_mdinit nvdata_file:file create_file_perms;
allow ccci_mdinit nvram_device:chr_file rw_file_perms;
-allow ccci_mdinit system_data_file:lnk_file read;
#=============allow ccci_mdinit to access ccci config==============
allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
diff --git a/non_plat/connsyslogger.te b/non_plat/connsyslogger.te index 614e7c4..25cd310 100644 --- a/non_plat/connsyslogger.te +++ b/non_plat/connsyslogger.te @@ -18,7 +18,6 @@ allow connsyslogger fuse:file { create_file_perms }; allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto }; allow connsyslogger consyslog_data_file:fifo_file { create_file_perms }; allow connsyslogger consyslog_data_file:file { create_file_perms }; -allow connsyslogger system_data_file:dir { create_dir_perms relabelfrom}; #consys logger socket access #allow connsyslogger property_socket:sock_file write; diff --git a/non_plat/domain.te b/non_plat/domain.te index d98ce68..f9401fc 100644 --- a/non_plat/domain.te +++ b/non_plat/domain.te 
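Review bot: In non_plat/connsyslogger.te the dropped `allow connsyslogger system_data_file:dir { create_dir_perms relabelfrom};` was the half of the relabel pair that the kept `allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };` depends on, so the `relabelto` in the surviving line is now unreachable for a directory created under the generic /data label. The same leftover `relabelto` is kept in the emdlogger and mdlogger hunks (`mdlog_data_file:dir { create_dir_perms relabelto }`) after their system_data_file rules are removed. Either trim those lines to `create_dir_perms` or add a one-line comment above each, e.g. `# /data/<dir> is created and labelled by init (file_contexts); no relabel from system_data_file`, so the next reader does not try to restore the relabelfrom.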
@@ -160,3 +160,71 @@ full_treble_only(` } proc:lnk_file ~r_file_perms; ') + +# Do not allow access to the generic system_data_file label. This is +# too broad. +# Instead, if access to part of system_data_file is desired, it should +# have a more specific label. +# TODO: Remove merged_hal_service and so on once there are no violations. +# +# allow hal_drm system_data_file:file { getattr read }; +# hal_server_domain(merged_hal_service, hal_drm) +# +full_treble_only(` + neverallow { + domain + -coredomain + -appdomain + -hal_cas_default + -hal_drm_clearkey + -hal_drm_default + -hal_drm_widevine + -merged_hal_service + -tee + } system_data_file:file *; + + neverallow ~{ + appdomain + app_zygote + hal_drm_clearkey + hal_drm_default + hal_drm_widevine + init + installd + iorap_prefetcherd + mediadrmserver + mediaextractor + mediaserver + merged_hal_service + system_server + tee + toolbox + vold + vold_prepare_subdirs + } system_data_file:file ~r_file_perms; + + neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; + + neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; + + neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; + + neverallow iorap_prefetcherd system_data_file:file ~{ open read }; + + neverallow { + hal_drm_clearkey + hal_drm_default + hal_drm_widevine + mediadrmserver + mediaextractor + mediaserver + merged_hal_service + tee + } system_data_file:file ~{ getattr read }; + + neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; + + neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; + + neverallow vold system_data_file:file ~read; +') diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te index 9200592..a026832 100644 --- a/non_plat/emdlogger.te +++ b/non_plat/emdlogger.te 
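Review bot: `hal_cas_default` is carved out of the blanket `system_data_file:file *` neverallow in non_plat/domain.te but, unlike the hal_drm_* domains and merged_hal_service, it is neither in the exemption set of the following `~r_file_perms` rule nor pinned down by the later `~{ getattr read }` rule, so the policy still tolerates open/ioctl/lock/map on system_data_file for it with no rule or comment saying why. Either add it to the narrowing group (`hal_cas_default` alongside `hal_drm_clearkey` in the `~{ getattr read }` list) or remove the carve-out if no allow rule needs it. The TODO above the block names only merged_hal_service; it should also list the CAS/DRM carve-outs that are meant to go away. Minor: `neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };` lists `getattr` twice.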
@@ -26,7 +26,6 @@ allow emdlogger sdcard_type:file { create_file_perms }; allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto }; allow emdlogger mdlog_data_file:fifo_file { create_file_perms }; allow emdlogger mdlog_data_file:file { create_file_perms }; -#allow emdlogger system_data_file:dir { create_dir_perms relabelfrom}; # modem logger control port access /dev/ttyC1 allow emdlogger mdlog_device:chr_file { rw_file_perms}; diff --git a/non_plat/factory.te b/non_plat/factory.te index e788f8b..8fdb03a 100644 --- a/non_plat/factory.te +++ b/non_plat/factory.te @@ -8,7 +8,6 @@ # ============================================== # MTK Policy Rule # ============================================== -#file_type_auto_trans(factory, system_data_file, factory_data_file) type factory, domain; type factory_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(factory) diff --git a/non_plat/kernel.te b/non_plat/kernel.te index 0b33f40..15b2430 100644 --- a/non_plat/kernel.te +++ b/non_plat/kernel.te @@ -13,11 +13,6 @@ allow kernel block_device:blk_file rw_file_perms; allow kernel loop_device:blk_file r_file_perms; allow kernel vold_device:blk_file rw_file_perms; -# Date : WK14.43 -# Operation : Migration -# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature) -allow kernel system_data_file:lnk_file r_file_perms; - # Date : WK15.35 # Operation : Migration # Purpose : grant fon_image_data_file read permission for loop device diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te index 3913874..4d3cf3e 100644 --- a/non_plat/mdlogger.te +++ b/non_plat/mdlogger.te 
@@ -11,7 +11,6 @@ allow mdlogger ttyGS_device:chr_file { rw_file_perms}; allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto}; allow mdlogger mdlog_data_file:fifo_file { create_file_perms}; allow mdlogger mdlog_data_file:file { create_file_perms }; -allow mdlogger system_data_file:dir { create_dir_perms relabelfrom}; # modem logger control port access /dev/ttyC1 allow mdlogger mdlog_device:chr_file { rw_file_perms}; diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te index 56af7ad..ff75df1 100644 --- a/non_plat/mediaserver.te +++ b/non_plat/mediaserver.te @@ -38,11 +38,6 @@ allow mediaserver self:capability { net_admin }; # Purpose : VP/VR allow mediaserver devmap_device:chr_file { ioctl }; -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -allow mediaserver system_data_file:file open; - # Date : WK14.36 # Operation : Migration # Purpose : media server and bt process communication for A2DP data.and other control flow @@ -234,7 +229,6 @@ allow mediaserver sensorservice_service:service_manager find; # Date : WK15.34 # Operation : Migration # Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump -allow mediaserver system_data_file:dir write; allow mediaserver storage_file:lnk_file {read write}; allow mediaserver mnt_user_file:dir {write read search}; allow mediaserver mnt_user_file:lnk_file {read write}; diff --git a/non_plat/mtk_hal_bluetooth.te b/non_plat/mtk_hal_bluetooth.te index 340a908..d51b29b 100644 --- a/non_plat/mtk_hal_bluetooth.te +++ b/non_plat/mtk_hal_bluetooth.te @@ -43,8 +43,6 @@ get_prop(mtk_hal_bluetooth, hwservicemanager_prop) #add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice) allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find; -allow mtk_hal_bluetooth system_data_file:lnk_file read; - hal_server_domain(mtk_hal_bluetooth,hal_bluetooth); # Purpose: Allow BT Driver to insmod 
diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index 25e0bb4..489540a 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -252,12 +252,6 @@ allow mtk_hal_camera gpu_device:chr_file rw_file_perms; allow mtk_hal_camera proc_ged:file rw_file_perms; allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls }; -################################################################################ -# Date : WK17 -# Operation : O Migration -## Purpose: Allow to call hal_graphics_allocator binder. -allow mtk_hal_camera system_data_file:lnk_file read; - allow mtk_hal_camera debugfs_tracing:file { write open }; ## Purpose : camera3 IT/CTS @@ -332,9 +326,6 @@ allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms }; allow mtk_hal_camera proc_isp_p2:dir search; allow mtk_hal_camera proc_isp_p2:file {create_file_perms}; -# Purpose : AINR/Thermal Boost -allow mtk_hal_camera system_data_file:dir { getattr }; - # Date: 2019/06/14 # Operation : Migration allow mtk_hal_camera sysfs_dt_firmware_android:dir search; diff --git a/non_plat/thermal_manager.te b/non_plat/thermal_manager.te index a33e4b4..3bdf75c 100644 --- a/non_plat/thermal_manager.te +++ b/non_plat/thermal_manager.te 
@@ -19,22 +19,16 @@ allow thermal_manager proc_mtkcooler:file rw_file_perms; allow thermal_manager proc_mtktz:file rw_file_perms; allow thermal_manager proc_thermal:file rw_file_perms; - -# Date : WK15.30 -# Operation : Migration -# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) - allow thermal_manager thermal_manager_data_file:file create_file_perms; allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr }; - allow thermal_manager mediaserver:fd use; allow thermal_manager mediaserver:fifo_file { read write }; allow thermal_manager mediaserver:tcp_socket { read write }; # Date : WK16.30 # Operation : Migration -# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) +# Purpose : allow thermal_manager camera_isp_device:chr_file { read write }; allow thermal_manager cameraserver:fd use; allow thermal_manager kd_camera_hw_device:chr_file { read write }; diff --git a/non_plat/uncrypt.te b/non_plat/uncrypt.te index 24c08e9..c9b3acb 100644 --- a/non_plat/uncrypt.te +++ b/non_plat/uncrypt.te @@ -4,7 +4,6 @@ allow uncrypt mtd_device:chr_file { read write open ioctl }; allow uncrypt mtd_device:dir search; allow uncrypt misc_device:chr_file ~rename; -allow uncrypt system_data_file:file { open read }; allow uncrypt userdata_block_device:blk_file w_file_perms; allow uncrypt para_block_device:blk_file { write open }; allow uncrypt system_app_data_file:dir { getattr search }; diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te index 6665088..bc3c436 100644 --- a/plat_private/aee_aed.te +++ b/plat_private/aee_aed.te 
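Review bot: The WK16.30 header in non_plat/thermal_manager.te now reads `# Purpose :` with nothing after it, so the block above `allow thermal_manager camera_isp_device:chr_file { read write };` carries a dated header with no rationale. Either fill it in with the real reason (something like `# Purpose : thermal throttling needs the camera ISP device and cameraserver fds` — confirm with the owner) or delete the three header lines; the WK15.30 header earlier in the same hunk was removed outright, so leaving this one blank makes the file inconsistent.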
@@ -45,12 +45,6 @@ allow aee_aed kernel:process getsched; # Purpose: For pagemap & pageflags information in NE DB userdebug_or_eng(`allow aee_aed self:capability sys_admin;') -# Date: W16.17 -# Operation: N0 Migeration -# Purpose: creat dir "aee_exp" under /data -allow aee_aed system_data_file:dir { write create add_name }; -allow aee_aed system_data_file:file r_file_perms; - # Purpose: allow aee_aed to access toolbox allow aee_aed toolbox_exec:file rx_file_perms; diff --git a/plat_private/audioserver.te b/plat_private/audioserver.te index 8bc8f17..3109661 100644 --- a/plat_private/audioserver.te +++ b/plat_private/audioserver.te @@ -10,11 +10,6 @@ allow audioserver sdcard_type:file create; allow audioserver sdcard_type:dir remove_name; allow audioserver sdcard_type:file unlink; -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -allow audioserver system_data_file:file open; - # Data : WK14.38 # Operation : Migration # Purpose : for boot animation. diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te index 069a9f0..7b537bb 100644 --- a/plat_private/boot_logo_updater.te +++ b/plat_private/boot_logo_updater.te @@ -38,7 +38,4 @@ allow boot_logo_updater sysfs:dir read; # for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14" allow boot_logo_updater mtd_device:blk_file read; allow boot_logo_updater sysfs:dir open; -allow boot_logo_updater system_data_file:dir write; allow boot_logo_updater mtd_device:blk_file open; - - diff --git a/plat_private/cmddumper.te b/plat_private/cmddumper.te index 3dc20b8..01b5dc5 100644 --- a/plat_private/cmddumper.te +++ b/plat_private/cmddumper.te 
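Review bot: Removing `allow aee_aed system_data_file:dir { write create add_name };` from plat_private/aee_aed.te means aee_aed can no longer create /data/aee_exp itself, and nothing in this hunk replaces that path, so unless an init rc `mkdir /data/aee_exp` with a matching aee_exp_data_file file_contexts entry already exists the daemon will be denied at first boot. Worth confirming before merge, and worth recording in place of the deleted header with `# /data/aee_exp is created and labelled by init; aee_aed must not touch system_data_file`. The companion `allow aee_aed system_data_file:file r_file_perms;` removal is consistent with the new coredomain `~r_file_perms` rule only if aee_aed never reads a generically-labelled file under /data; the hunk does not show what it reads.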
@@ -8,12 +8,6 @@ typeattribute cmddumper coredomain; init_daemon_domain(cmddumper) -# cmddumper access on /data/mdlog -allow cmddumper system_data_file:dir { create_dir_perms relabelfrom relabelto}; - -# "mdl_serv_fifo" scontext=u:r:cmddumper:s0 tcontext=u:object_r:system_data_file -allow cmddumper system_data_file:fifo_file create_file_perms; - # for modem logging sdcard access allow cmddumper sdcard_type:dir create_dir_perms; @@ -36,4 +30,3 @@ allow cmddumper file_contexts_file:file { read getattr open }; ## Save C2K modem log into data allow cmddumper debuglog_data_file:dir {relabelto create_dir_perms}; allow cmddumper debuglog_data_file:file create_file_perms; -allow cmddumper system_data_file:dir create_dir_perms; diff --git a/plat_private/domain.te b/plat_private/domain.te new file mode 100644 index 0000000..3091c3c --- /dev/null +++ b/plat_private/domain.te 
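Review bot: `allow cmddumper system_data_file:fifo_file create_file_perms;` is removed together with the comment documenting the `mdl_serv_fifo` denial it fixed, but neither hunk in plat_private/cmddumper.te adds a replacement, and the surviving debuglog_data_file rules cover only `dir` and `file`. If the FIFO is still created under /data/mdlog or /data/debuglogger it needs a rule on the specific label, e.g. `allow cmddumper debuglog_data_file:fifo_file create_file_perms;`, and the directory itself must now be created by init since both `create_dir_perms` grants on system_data_file are gone. If the FIFO moved elsewhere, a one-line comment naming its new path and label would keep the next AVC denial from being "fixed" by restoring the generic rule.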
@@ -0,0 +1,112 @@ +# ============================================== +# MTK Policy Rule +# ============================================== + +# Rules for all domains. + +# Do not allow access to the generic system_data_file label. This is +# too broad. +# Instead, if access to part of system_data_file is desired, it should +# have a more specific label. +# TODO: Remove merged_hal_service and so on once there are no violations. +# +# allow hal_drm system_data_file:file { getattr read }; +# hal_server_domain(merged_hal_service, hal_drm) +# +full_treble_only(` + neverallow { + coredomain + -appdomain + -app_zygote + -dumpstate + -init + -installd + -iorap_prefetcherd + -logd + -mediadrmserver + -mediaextractor + -mediaserver + -runas + -sdcardd + -simpleperf_app_runner + -storaged + -system_server + -toolbox + -vold + -vold_prepare_subdirs + -zygote + } system_data_file:file *; + + neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; + + neverallow { + dumpstate + logd + runas + sdcardd + simpleperf_app_runner + storaged + zygote + } system_data_file:file ~r_file_perms; + + neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; + + neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; + + neverallow iorap_prefetcherd system_data_file:file ~{ open read }; + + neverallow { + mediadrmserver + mediaextractor + mediaserver + } system_data_file:file ~{ read getattr }; + + neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; + + neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; + + neverallow vold system_data_file:file ~read; + + neverallow ~{ + appdomain + app_zygote + dexoptanalyzer + init + installd + iorap_prefetcherd + logd + rs + runas + simpleperf_app_runner + system_server + tee + vold + webview_zygote + zygote + } system_data_file:lnk_file *; + + neverallow { + appdomain + 
app_zygote + logd + webview_zygote + } system_data_file:lnk_file ~r_file_perms; + + neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr; + + neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink }; + + neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom }; + + neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; + + neverallow rs system_data_file:lnk_file ~{ read }; + + neverallow { + runas + simpleperf_app_runner + tee + } system_data_file:lnk_file ~{ read getattr }; + + neverallow system_server system_data_file:lnk_file ~create_file_perms; +') diff --git a/plat_private/emdlogger.te b/plat_private/emdlogger.te index 19f9119..47a3d9c 100644 --- a/plat_private/emdlogger.te +++ b/plat_private/emdlogger.te @@ -82,6 +82,5 @@ allow emdlogger mddb_filter_data_file:file { r_file_perms }; # save log into /data/debuglogger allow emdlogger debuglog_data_file:dir {relabelto create_dir_perms}; allow emdlogger debuglog_data_file:file create_file_perms; -#allow emdlogger system_data_file:dir create_dir_perms; # get persist.sys. proeprty get_prop(emdlogger, system_prop) diff --git a/plat_private/lbs_dbg.te b/plat_private/lbs_dbg.te index db46413..01bcdc8 100644 --- a/plat_private/lbs_dbg.te +++ b/plat_private/lbs_dbg.te @@ -8,7 +8,6 @@ type lbs_dbg, domain; # ============================================== # MTK Policy Rule # ============================================== -file_type_auto_trans(lbs_dbg, system_data_file, lbs_dbg_data_file); type lbs_dbg_exec, system_file_type, exec_type, file_type; typeattribute lbs_dbg coredomain; 
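Review bot: Deleting `file_type_auto_trans(lbs_dbg, system_data_file, lbs_dbg_data_file);` in plat_private/lbs_dbg.te removes both the type transition and the `write add_name` on system_data_file it granted, so lbs_dbg can no longer create its directory under a generically-labelled /data path at all, let alone get it relabelled. That is only correct if the lbs_dbg directory is created by init and labelled lbs_dbg_data_file through file_contexts; the next hunk (it starts on the following line) keeps `allow lbs_dbg lbs_dbg_data_file:file create_file_perms;`, which suggests that is the intent, but nothing here shows the path or the rc entry. Replace the deleted macro with a comment stating the real path, e.g. `# /data/<lbs_dbg dir> is created by init and labelled lbs_dbg_data_file via file_contexts`, so the dependency is visible.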
@@ -19,8 +18,6 @@ allow lbs_dbg storage_file:dir { write create add_name search mounton }; allow lbs_dbg storage_file:lnk_file read; allow lbs_dbg lbs_dbg_data_file:file create_file_perms; -allow lbs_dbg system_data_file:lnk_file read; - #allow lbs_dbg mnld_device:chr_file rw_file_perms; allow lbs_dbg media_rw_data_file:dir search; diff --git a/plat_private/mdlogger.te b/plat_private/mdlogger.te index 07de37d..afa04ea 100644 --- a/plat_private/mdlogger.te +++ b/plat_private/mdlogger.te @@ -54,4 +54,3 @@ allow mdlogger mddb_filter_data_file:file { r_file_perms }; ## Save modem log into data allow mdlogger debuglog_data_file:dir {relabelto create_dir_perms}; allow mdlogger debuglog_data_file:file create_file_perms; -allow mdlogger system_data_file:dir create_dir_perms; diff --git a/plat_private/system_app.te b/plat_private/system_app.te index 0dd6fc5..6d45fbe 100644 --- a/plat_private/system_app.te +++ b/plat_private/system_app.te @@ -12,9 +12,5 @@ allow system_app vfat:dir create; allow system_app media_rw_data_file:dir {r_dir_perms w_dir_perms}; allow system_app media_rw_data_file:file {r_file_perms w_file_perms}; -#Dat: 2017/07/13 -#Purpose: allow system app to read/open system data file -allow system_app system_data_file:dir { read open }; - # Purpose: receive dropbox message allow system_app aee_aed:unix_stream_socket connectto; diff --git a/plat_public/domain.te b/plat_public/domain.te index 1d964f7..c977593 100644 --- a/plat_public/domain.te +++ b/plat_public/domain.te @@ -115,7 +115,7 @@ full_treble_only(` dumpstate init vendor_init -} debugfs:file *; + } debugfs:file *; neverallow dumpstate debugfs:file ~r_file_perms; 
@@ -130,22 +130,150 @@ full_treble_only(` neverallow ~{ init vendor_init -} debugfs:dir ~{ search getattr }; + } debugfs:dir ~{ search getattr }; neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto }; neverallow vendor_init debugfs:dir ~{ search getattr read setattr open }; - ') - - # Do not allow access to the generic system_data_file label. This is # too broad. # Instead, if access to part of system_data_file is desired, it should # have a more specific label. -#neverallow * system_data_file:dir_file_class_set *; +# TODO: Remove merged_hal_service and so on once there are no violations. +# +# allow hal_drm system_data_file:file { getattr read }; +# hal_server_domain(merged_hal_service, hal_drm) +# +full_treble_only(` + neverallow ~{ + init + installd + system_server + } system_data_file:{ chr_file blk_file sock_file fifo_file } *; + + neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };; + + neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto }; + + neverallow installd system_data_file:{ chr_file blk_file } *; + + neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink }; + + neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms; + + neverallow { + coredomain + -appdomain + -app_zygote + -init + -installd + -iorap_prefetcherd + -system_server + -toolbox + -vold + -vold_prepare_subdirs + } system_data_file:file ~r_file_perms; + + neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map }; + + neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto }; + + neverallow installd system_data_file:file ~{ getattr relabelfrom unlink }; + + neverallow iorap_prefetcherd system_data_file:file ~{ open read }; + + neverallow { + mediadrmserver + mediaextractor + mediaserver + } system_data_file:file 
~{ read getattr }; + + neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link }; + + neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink }; + + neverallow vold system_data_file:file ~read; + + neverallow ~{ + appdomain + app_zygote + init + installd + iorap_prefetcherd + logd + rs + runas + simpleperf_app_runner + system_server + tee + vold + webview_zygote + zygote + } system_data_file:lnk_file ~getattr; + + neverallow { + appdomain + app_zygote + logd + webview_zygote + } system_data_file:lnk_file ~r_file_perms; + + neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink }; + + neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom }; + + neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open }; + + neverallow rs system_data_file:lnk_file ~{ read }; + + neverallow { + runas + simpleperf_app_runner + tee + } system_data_file:lnk_file ~{ read getattr }; + + neverallow system_server system_data_file:lnk_file ~create_file_perms; + + neverallow ~{ + init + installd + iorap_prefetcherd + system_server + toolbox + traced_probes + vold + vold_prepare_subdirs + zygote + } system_data_file:dir ~{ search getattr }; + + neverallow init system_data_file:dir ~{ + create search getattr open read setattr ioctl + mounton + relabelto + write add_name remove_name rmdir relabelfrom + }; + + neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms }; + + neverallow { + iorap_prefetcherd + traced_probes + } system_data_file:dir ~{ open read search getattr }; + + neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms }; + + neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms }; + + neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir }; + + neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom 
search getattr }; + + neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto }; +') + # Do not allow access to the generic vendor_data_file label. This is # too broad. diff --git a/r_non_plat/aee_aed.te b/r_non_plat/aee_aed.te index c845ce2..fb69ca2 100644 --- a/r_non_plat/aee_aed.te +++ b/r_non_plat/aee_aed.te @@ -66,5 +66,4 @@ hal_client_domain(aee_aed, mtk_hal_log) # Purpose: create /data/aee_exp at runtime allow aee_aed file_contexts_file:file r_file_perms; -allow aee_aed system_data_file:dir { relabelfrom setattr }; allow aee_aed aee_exp_data_file:dir relabelto; diff --git a/r_non_plat/atci_service.te b/r_non_plat/atci_service.te index 3e4cd58..a10bc1d 100644 --- a/r_non_plat/atci_service.te +++ b/r_non_plat/atci_service.te @@ -31,8 +31,6 @@ allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open allow atci_service ccu_device:chr_file { read write ioctl open }; allow atci_service vpu_device:chr_file { read write ioctl open }; allow atci_service MTK_SMI_device:chr_file { open read write ioctl }; -#allow atci_service system_server:binder call; -#allow atci_service system_data_file:dir { write remove_name add_name }; allow atci_service DW9714AF_device:chr_file { read write ioctl open }; allow atci_service devmap_device:chr_file { open read write ioctl }; allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr }; 
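Review bot: `neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;` in plat_public/domain.te has a doubled semicolon; if checkpolicy rejects the empty statement the platform policy build fails, and if it tolerates it the stray token is still noise — change it to `~{ relabelto };`. The same hunk states `neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;` and then later `neverallow system_server system_data_file:lnk_file ~create_file_perms;`, so the lnk_file case is written twice. The lnk_file catch-all here is `~getattr` while the new plat_private/domain.te uses `*` on an exemption set that additionally includes dexoptanalyzer; both files are compiled into the platform policy, so the stricter plat_private rule is what actually applies and this weaker copy only adds maintenance surface. Consider keeping one authoritative copy and a comment pointing to it.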
@@ -115,13 +113,9 @@ allow atci_service mtk_hal_power:binder call; allow atci_service mtk_hal_power_hwservice:hwservice_manager find; allow atci_service sysfs_batteryinfo:dir search; allow atci_service sysfs_batteryinfo:file { read getattr open }; -#allow atci_service system_data_file:lnk_file read; allow atci_service system_file:dir { read open }; allow atci_service camera_pipemgr_device:chr_file { read ioctl open }; -#allow atci_service media_rw_data_file:dir { read getattr open }; -#allow atci_service media_rw_data_file:file { getattr setattr }; allow atci_service mtkcam_prop:file { read getattr open }; -#allow atci_service hal_camera_hwservice:hwservice_manager find; allow atci_service mtk_hal_camera:binder call; allow atci_service debugfs_ion:dir search; allow atci_service sysfs_tpd_setting:file { read write open getattr }; diff --git a/r_non_plat/biosensord_nvram.te b/r_non_plat/biosensord_nvram.te index dc1b19f..5fe181c 100644 --- a/r_non_plat/biosensord_nvram.te +++ b/r_non_plat/biosensord_nvram.te @@ -30,4 +30,3 @@ allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms}; allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms; allow biosensord_nvram biometric_device:chr_file { open ioctl read write }; allow biosensord_nvram self:capability { chown fsetid }; -allow biosensord_nvram system_data_file:lnk_file read; diff --git a/r_non_plat/cameraserver.te b/r_non_plat/cameraserver.te index ed076a5..727eef6 100644 --- a/r_non_plat/cameraserver.te +++ b/r_non_plat/cameraserver.te 
@@ -41,13 +41,6 @@ allow cameraserver mtkcam_prop:file { open read getattr }; # Purpose : VP/VR # allow cameraserver devmap_device:chr_file { ioctl }; -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -# #allow cameraserver self:netlink_kobject_uevent_socket read; -# allow cameraserver system_data_file:file open; - # Date : WK14.36 # Operation : Migration # Purpose : media server and bt process communication for A2DP data.and other control flow @@ -223,7 +216,6 @@ allow cameraserver graphics_device:chr_file rw_file_perms; # Date : WK15.34 # Operation : Migration # Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump -# allow cameraserver system_data_file:dir write; # allow cameraserver storage_file:lnk_file {read write}; # allow cameraserver mnt_user_file:dir {write read search}; # allow cameraserver mnt_user_file:lnk_file {read write}; @@ -292,9 +284,6 @@ allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls }; # allow cameraserver aee_aed:unix_stream_socket connectto; # ') -# Purpose: Allow to access debugfs_ion dir. -allow cameraserver system_data_file:lnk_file read; - # Date : WK17.19 # Operation : Migration # Purpose : OWE Driver diff --git a/r_non_plat/ccci_fsd.te b/r_non_plat/ccci_fsd.te index 1adab51..1b7dd94 100644 --- a/r_non_plat/ccci_fsd.te +++ b/r_non_plat/ccci_fsd.te @@ -22,7 +22,6 @@ allow ccci_fsd nvdata_file:lnk_file read; allow ccci_fsd nvdata_file:dir create_dir_perms; allow ccci_fsd nvdata_file:file create_file_perms; allow ccci_fsd nvram_device:chr_file rw_file_perms; -allow ccci_fsd system_data_file:lnk_file read; allow ccci_fsd vendor_configs_file:file r_file_perms; allow ccci_fsd vendor_configs_file:dir r_dir_perms; diff --git a/r_non_plat/ccci_mdinit.te b/r_non_plat/ccci_mdinit.te index dad124b..0c81c3a 100644 --- a/r_non_plat/ccci_mdinit.te +++ b/r_non_plat/ccci_mdinit.te 
@@ -61,7 +61,6 @@ allow ccci_mdinit nvdata_file:lnk_file read;
 allow ccci_mdinit nvdata_file:dir rw_dir_perms;
 allow ccci_mdinit nvdata_file:file create_file_perms;
 allow ccci_mdinit nvram_device:chr_file rw_file_perms;
-allow ccci_mdinit system_data_file:lnk_file read;
 #=============allow ccci_mdinit to access ccci config==============
 allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
diff --git a/r_non_plat/connsyslogger.te b/r_non_plat/connsyslogger.te
index 36b700d..59f8f07 100644
--- a/r_non_plat/connsyslogger.te
+++ b/r_non_plat/connsyslogger.te
@@ -18,7 +18,6 @@ allow connsyslogger fuse:file { create_file_perms };
 allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
 allow connsyslogger consyslog_data_file:fifo_file { create_file_perms };
 allow connsyslogger consyslog_data_file:file { create_file_perms };
-allow connsyslogger system_data_file:dir { create_dir_perms relabelfrom};
 #consys logger socket access
 allow connsyslogger property_socket:sock_file write;
diff --git a/r_non_plat/emdlogger.te b/r_non_plat/emdlogger.te
index 6b1dbaf..28525e9 100644
--- a/r_non_plat/emdlogger.te
+++ b/r_non_plat/emdlogger.te
@@ -26,7 +26,6 @@ allow emdlogger sdcard_type:file { create_file_perms };
 allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
 allow emdlogger mdlog_data_file:fifo_file { create_file_perms };
 allow emdlogger mdlog_data_file:file { create_file_perms };
-allow emdlogger system_data_file:dir { create_dir_perms relabelfrom};
 # modem logger control port access /dev/ttyC1
 allow emdlogger mdlog_device:chr_file { rw_file_perms};
diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te
index 2292369..30293c9 100644
--- a/r_non_plat/factory.te
+++ b/r_non_plat/factory.te
@@ -8,7 +8,6 @@
 # ==============================================
 # MTK Policy Rule
 # ==============================================
-#file_type_auto_trans(factory, system_data_file, factory_data_file)
 type factory, domain;
 type factory_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(factory)
diff --git a/r_non_plat/kernel.te b/r_non_plat/kernel.te
index 0b33f40..15b2430 100644
--- a/r_non_plat/kernel.te
+++ b/r_non_plat/kernel.te
@@ -13,11 +13,6 @@ allow kernel block_device:blk_file rw_file_perms;
 allow kernel loop_device:blk_file r_file_perms;
 allow kernel vold_device:blk_file rw_file_perms;
-# Date : WK14.43
-# Operation : Migration
-# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
-allow kernel system_data_file:lnk_file r_file_perms;
-
 # Date : WK15.35
 # Operation : Migration
 # Purpose : grant fon_image_data_file read permission for loop device
diff --git a/r_non_plat/mdlogger.te b/r_non_plat/mdlogger.te
index cfda1d6..5c34491 100644
--- a/r_non_plat/mdlogger.te
+++ b/r_non_plat/mdlogger.te
@@ -12,7 +12,6 @@ allow mdlogger ttyGS_device:chr_file { rw_file_perms};
 allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
 allow mdlogger mdlog_data_file:fifo_file { create_file_perms};
 allow mdlogger mdlog_data_file:file { create_file_perms };
-allow mdlogger system_data_file:dir { create_dir_perms relabelfrom};
 # modem logger control port access /dev/ttyC1
 allow mdlogger mdlog_device:chr_file { rw_file_perms};
diff --git a/r_non_plat/mediaserver.te b/r_non_plat/mediaserver.te
index 56af7ad..ff75df1 100644
--- a/r_non_plat/mediaserver.te
+++ b/r_non_plat/mediaserver.te
@@ -38,11 +38,6 @@ allow mediaserver self:capability { net_admin };
 # Purpose : VP/VR
 allow mediaserver devmap_device:chr_file { ioctl };
-# Date : WK14.34
-# Operation : Migration
-# Purpose : Smartcard Service
-allow mediaserver system_data_file:file open;
-
 # Date : WK14.36
 # Operation : Migration
 # Purpose : media server and bt process communication for A2DP data.and other control flow
@@ -234,7 +229,6 @@ allow mediaserver sensorservice_service:service_manager find;
 # Date : WK15.34
 # Operation : Migration
 # Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
-allow mediaserver system_data_file:dir write;
 allow mediaserver storage_file:lnk_file {read write};
 allow mediaserver mnt_user_file:dir {write read search};
 allow mediaserver mnt_user_file:lnk_file {read write};
diff --git a/r_non_plat/mtk_hal_bluetooth.te b/r_non_plat/mtk_hal_bluetooth.te
index 340a908..d51b29b 100644
--- a/r_non_plat/mtk_hal_bluetooth.te
+++ b/r_non_plat/mtk_hal_bluetooth.te
@@ -43,8 +43,6 @@ get_prop(mtk_hal_bluetooth, hwservicemanager_prop)
 #add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
 allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
-allow mtk_hal_bluetooth system_data_file:lnk_file read;
-
 hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);
 # Purpose: Allow BT Driver to insmod
diff --git a/r_non_plat/mtk_hal_camera.te b/r_non_plat/mtk_hal_camera.te
index d74aa64..f428efb 100644
--- a/r_non_plat/mtk_hal_camera.te
+++ b/r_non_plat/mtk_hal_camera.te
@@ -252,12 +252,6 @@ allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
 allow mtk_hal_camera proc_ged:file rw_file_perms;
 allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
-################################################################################
-# Date : WK17
-# Operation : O Migration
-## Purpose: Allow to call hal_graphics_allocator binder.
-allow mtk_hal_camera system_data_file:lnk_file read;
-
 allow mtk_hal_camera debugfs_tracing:file { write open };
 ## Purpose : camera3 IT/CTS
@@ -332,9 +326,6 @@ allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms };
 allow mtk_hal_camera proc_isp_p2:dir search;
 allow mtk_hal_camera proc_isp_p2:file {create_file_perms};
-# Purpose : AINR/Thermal Boost
-allow mtk_hal_camera system_data_file:dir { getattr };
-
 # Date: 2019/06/14
 # Operation : Migration
 allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
diff --git a/r_non_plat/thermal_manager.te b/r_non_plat/thermal_manager.te
index a33e4b4..3bdf75c 100644
--- a/r_non_plat/thermal_manager.te
+++ b/r_non_plat/thermal_manager.te
@@ -19,22 +19,16 @@ allow thermal_manager proc_mtkcooler:file rw_file_perms;
 allow thermal_manager proc_mtktz:file rw_file_perms;
 allow thermal_manager proc_thermal:file rw_file_perms;
-
-# Date : WK15.30
-# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
-
 allow thermal_manager thermal_manager_data_file:file create_file_perms;
 allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
-
 allow thermal_manager mediaserver:fd use;
 allow thermal_manager mediaserver:fifo_file { read write };
 allow thermal_manager mediaserver:tcp_socket { read write };
 # Date : WK16.30
 # Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
+# Purpose :
 allow thermal_manager camera_isp_device:chr_file { read write };
 allow thermal_manager cameraserver:fd use;
 allow thermal_manager kd_camera_hw_device:chr_file { read write };
|
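Review bot: The added `+# Purpose :` line in thermal_manager.te is empty, so the `# Date : WK16.30` header now introduces the camera_isp_device, cameraserver:fd and kd_camera_hw_device rules with no stated justification, which is exactly the kind of audit trail a policy reviewer relies on when deciding whether an allow rule can be tightened later. Either fill it in, e.g. `# Purpose : <why thermal_manager needs the camera ISP/HW device nodes and cameraserver fds>`, or drop the three-line header altogether as was done for the WK15.30 block earlier in this hunk; blanking one and deleting the other is inconsistent. The hunk's declared counts (22/16) are larger than the lines visible here, so some blank context lines were presumably lost in rendering, and the hunk may extend past the kd_camera_hw_device line.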