author | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-02-05 10:10:20 +0800 |
committer | Shanshan Guo <Shanshan.Guo@mediatek.com> | 2020-02-05 10:10:20 +0800 |
commit | cf50b9ff23c93d266d2623ec638f1856baebbd8e (patch) | |
tree | b026dfa340a188b121f39afde2a9ca810e395fd8 | |
parent | 8bc4f38e708e31c4472906d24b0638504e03477e (diff) | |
[ALPS04970566] SEPolicy: Add neverallow rule for debugfs
[Detail]
Do not allow access to the generic debugfs label. This is too broad.
Instead, if access to part of debugfs is desired, it should have a
more specific label.
[Solution]
1. Add a neverallow rule for debugfs.
2. Remove the conflicting SEPolicies.
MTK-Commit-Id: 7f582164a310fdb9517192d2512d2168313650fa
Change-Id: Ib4dc4f57448ad52459f5d62a4ddedab94412cc96
CR-Id: ALPS04970566
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
-rw-r--r-- | non_plat/aee_aedv.te | 1 | ||||
-rw-r--r-- | non_plat/dumpstate.te | 2 | ||||
-rw-r--r-- | non_plat/init.te | 5 | ||||
-rw-r--r-- | non_plat/system_server.te | 3 | ||||
-rw-r--r-- | plat_public/domain.te | 36 | ||||
-rw-r--r-- | r_non_plat/aee_aedv.te | 1 | ||||
-rw-r--r-- | r_non_plat/dumpstate.te | 2 | ||||
-rw-r--r-- | r_non_plat/init.te | 5 | ||||
-rw-r--r-- | r_non_plat/system_server.te | 5 |
9 files changed, 33 insertions, 27 deletions
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index c23e20d..1231a55 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -118,7 +118,6 @@ allow aee_aedv crash_dump:file r_file_perms;
 allow aee_aedv vendor_file:file execute_no_trans;
 
 # Purpose: debugfs files
-# allow aee_aedv debugfs:lnk_file read;
 allow aee_aedv debugfs_binder:dir { read open };
 allow aee_aedv debugfs_binder:file { read open };
 allow aee_aedv debugfs_blockio:file { read open };
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te
index 3c3d81f..01343a5 100644
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@@ -17,7 +17,6 @@ allow dumpstate aee_exp_data_file:dir { w_dir_perms };
 allow dumpstate aee_exp_data_file:file { create_file_perms };
 
 # Purpose: debugfs files
-allow dumpstate debugfs:lnk_file read;
 allow dumpstate debugfs_binder:dir { read open };
 allow dumpstate debugfs_binder:file { read open };
 allow dumpstate debugfs_blockio:file { read open };
@@ -155,7 +154,6 @@ allow dumpstate proc_isp_p2:file r_file_perms;
 # Date : W19.26
 # Operation : Migration
 # Purpose : fix google dumpstate avc error in xTS
-allow dumpstate debugfs:dir r_dir_perms;
 allow dumpstate debugfs_mmc:dir search;
 
 allow dumpstate mnt_media_rw_file:dir getattr;
diff --git a/non_plat/init.te b/non_plat/init.te
index 9844687..6ccdd74 100644
--- a/non_plat/init.te
+++ b/non_plat/init.te
@@ -66,10 +66,6 @@ allow init tmpfs:lnk_file create;
 # Purpose : bt hal interface permission
 allow init mtk_hal_bluetooth_exec:file getattr;
 
-# Date : WK17.12
-# Purpose: Fix bootup fail
-allow init debugfs:file w_file_perms;
-
 # Date : WK17.02
 # Purpose: Fix audio hal service fail
 allow init mtk_hal_audio_exec:file getattr;
@@ -88,7 +84,6 @@ allow init debugfs_tracing_instances:file relabelfrom;
 # Date: W17.22
 # Operation : New Feature
 # Purpose : Add for A/B system
-allow init debugfs:file write;
 allow init kernel:system module_request;
 allow init nvdata_file:dir mounton;
 allow init oemfs:dir mounton;
diff --git a/non_plat/system_server.te b/non_plat/system_server.te
index 16be4fe..beeb30a 100644
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@@ -15,9 +15,6 @@ allow system_server proc_bootprof:file rw_file_perms;
 # /data/core access.
 allow system_server aee_core_data_file:dir r_dir_perms;
 
-# /sys/kernel/debug/ion/clients access
-allow system_server debugfs:dir r_dir_perms;
-
 # Perform Binder IPC.
 allow system_server zygote:binder impersonate;
 
diff --git a/plat_public/domain.te b/plat_public/domain.te
index 32af4d4..1d964f7 100644
--- a/plat_public/domain.te
+++ b/plat_public/domain.te
@@ -105,13 +105,41 @@ full_treble_only(`
 ')
-
-
-
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-#neverallow * debugfs:dir_file_class_set *;
+full_treble_only(`
+ neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow ~{
+ dumpstate
+ init
+ vendor_init
+} debugfs:file *;
+
+ neverallow dumpstate debugfs:file ~r_file_perms;
+
+ neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:file ~{ read setattr open map };
+
+ neverallow ~init debugfs:lnk_file *;
+
+ neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+} debugfs:dir ~{ search getattr };
+
+ neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
+
+')
+
+
+
 
 
 
 # Do not allow access to the generic system_data_file label. This is
 # too broad.
diff --git a/r_non_plat/aee_aedv.te b/r_non_plat/aee_aedv.te
index 289162e..7a13c5a 100644
--- a/r_non_plat/aee_aedv.te
+++ b/r_non_plat/aee_aedv.te
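Review bot: The new neverallow block still leaves `debugfs:dir { search getattr }` permitted for every domain, so the `allow dumpstate debugfs:dir r_dir_perms;` dropped in the non_plat/dumpstate.te and r_non_plat/dumpstate.te hunks could have been narrowed to `allow dumpstate debugfs:dir { search getattr };` rather than removed outright; unless platform policy already grants dumpstate `search` on debugfs (not visible here), the surviving `allow dumpstate debugfs_mmc:dir search;` is unreachable because traversing /sys/kernel/debug itself is denied, and that surfaces only as an avc denial at runtime, never as a build-time neverallow failure. Checking a bugreport on a build carrying this change would confirm whether the mmc and other labelled debugfs subtrees are still reachable. On style, the closing braces of the two multi-line `~{ … }` source sets (`} debugfs:file *;` and `} debugfs:dir ~{ search getattr };`) sit at column 0 while every other rule line inside `full_treble_only` is indented, and the three empty `+` lines after `')` stack on blank context lines that already follow it; indenting the braces to match and keeping a single blank line would make the block easier to scan.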
@@ -117,7 +117,6 @@ allow aee_aedv crash_dump:file r_file_perms;
 allow aee_aedv vendor_file:file execute_no_trans;
 
 # Purpose: debugfs files
-# allow aee_aedv debugfs:lnk_file read;
 allow aee_aedv debugfs_binder:dir { read open };
 allow aee_aedv debugfs_binder:file { read open };
 allow aee_aedv debugfs_blockio:file { read open };
diff --git a/r_non_plat/dumpstate.te b/r_non_plat/dumpstate.te
index 3c3d81f..01343a5 100644
--- a/r_non_plat/dumpstate.te
+++ b/r_non_plat/dumpstate.te
@@ -17,7 +17,6 @@ allow dumpstate aee_exp_data_file:dir { w_dir_perms };
 allow dumpstate aee_exp_data_file:file { create_file_perms };
 
 # Purpose: debugfs files
-allow dumpstate debugfs:lnk_file read;
 allow dumpstate debugfs_binder:dir { read open };
 allow dumpstate debugfs_binder:file { read open };
 allow dumpstate debugfs_blockio:file { read open };
@@ -155,7 +154,6 @@ allow dumpstate proc_isp_p2:file r_file_perms;
 # Date : W19.26
 # Operation : Migration
 # Purpose : fix google dumpstate avc error in xTS
-allow dumpstate debugfs:dir r_dir_perms;
 allow dumpstate debugfs_mmc:dir search;
 
 allow dumpstate mnt_media_rw_file:dir getattr;
diff --git a/r_non_plat/init.te b/r_non_plat/init.te
index 9844687..6ccdd74 100644
--- a/r_non_plat/init.te
+++ b/r_non_plat/init.te
@@ -66,10 +66,6 @@ allow init tmpfs:lnk_file create;
 # Purpose : bt hal interface permission
 allow init mtk_hal_bluetooth_exec:file getattr;
 
-# Date : WK17.12
-# Purpose: Fix bootup fail
-allow init debugfs:file w_file_perms;
-
 # Date : WK17.02
 # Purpose: Fix audio hal service fail
 allow init mtk_hal_audio_exec:file getattr;
@@ -88,7 +84,6 @@ allow init debugfs_tracing_instances:file relabelfrom;
 # Date: W17.22
 # Operation : New Feature
 # Purpose : Add for A/B system
-allow init debugfs:file write;
 allow init kernel:system module_request;
 allow init nvdata_file:dir mounton;
 allow init oemfs:dir mounton;
diff --git a/r_non_plat/system_server.te b/r_non_plat/system_server.te
index 427103a..d79c56f 100644
--- a/r_non_plat/system_server.te
+++ b/r_non_plat/system_server.te
@@ -15,9 +15,6 @@ allow system_server proc_bootprof:file rw_file_perms;
 # /data/core access.
 allow system_server aee_core_data_file:dir r_dir_perms;
 
-# /sys/kernel/debug/ion/clients access
-allow system_server debugfs:dir r_dir_perms;
-
 # Perform Binder IPC.
 allow system_server zygote:binder impersonate;
 
@@ -211,4 +208,4 @@ get_prop(system_server, vendor_default_prop)
 # Date: 2019/06/14
 # Operation : when WFD turnning on, turn off hdmi
 allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
-allow system_server mtk_hal_hdmi:binder call;
\ No newline at end of file
+allow system_server mtk_hal_hdmi:binder call;