More granular vendor access to /system files.

This change limits global access to /system files down to:
/system/bin/linker*
/system/lib[64]/*
/system/etc/ld.config*
/system/etc/seccomp_policy/*
/system/etc/security/cacerts/*
/system/usr/share/zoneinfo/*

Bug: 111243627
Test: boot device, browse internet without denials to system_* types.
Test: VtsHalDrmV1_{1, 0}TargetTest without denials
Change-Id: I69894b29733979c2bc944ac80229e84de5d519f4
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 4f3546b..c9f09b9 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -652,7 +652,13 @@
   ( system_data_file
     dropbox_data_file
     vendor_data_file))
-(typeattributeset system_file_26_0 (system_file))
+(typeattributeset system_file_26_0
+  ( system_file
+    system_lib_file
+    system_linker_config_file
+    system_linker_exec
+    system_seccomp_policy_file
+    system_security_cacerts_file))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
 (typeattributeset system_prop_26_0 (system_prop))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index d99b499..c596d3f 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1369,7 +1369,13 @@
   ( system_data_file
     dropbox_data_file
     vendor_data_file))
-(typeattributeset system_file_27_0 (system_file))
+(typeattributeset system_file_27_0
+  ( system_file
+    system_lib_file
+    system_linker_config_file
+    system_linker_exec
+    system_seccomp_policy_file
+    system_security_cacerts_file))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index c69a111..2348b19 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1567,7 +1567,13 @@
 (typeattributeset system_data_file_28_0
   ( dropbox_data_file
     system_data_file))
-(typeattributeset system_file_28_0 (system_file))
+(typeattributeset system_file_28_0
+  ( system_file
+    system_lib_file
+    system_linker_config_file
+    system_linker_exec
+    system_seccomp_policy_file
+    system_security_cacerts_file))
 (typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))
diff --git a/private/file_contexts b/private/file_contexts
index 61eab1d..d26f17a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -186,6 +186,7 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
+/system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
@@ -249,6 +250,7 @@
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/healthd     u:object_r:healthd_exec:s0
 /system/bin/clatd	u:object_r:clatd_exec:s0
+/system/bin/linker(_asan)?(64)? u:object_r:system_linker_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
@@ -281,6 +283,9 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:hal_system_suspend_default_exec:s0
+/system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
+/system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
+/system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
@@ -439,6 +444,7 @@
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
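Review bot: The new `/system/usr/share/zoneinfo(/.*)?` entry is placed in the middle of the /data/misc block; matching is by longest stem so correctness is unaffected, but for readability it belongs next to the other /system entries added in this change (the ld.config / seccomp_policy / cacerts lines). Reusing zoneinfo_data_file, a type that also labels the updatable copy under /data/misc/zoneinfo, means every domain that holds write permission on that type for the /data copy now also holds it in policy for the /system copy; the read-only mount is the only thing separating them. If the /system copy is meant to be immutable from policy's point of view, consider a dedicated type for it (e.g. a `system_zoneinfo_file` declared in file.te and granted `r_file_perms`/`r_dir_perms` to domain alongside zoneinfo_data_file), which also keeps the neverallow exemption for zoneinfo_data_file narrower.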
diff --git a/public/domain.te b/public/domain.te
index 1f38b73..2396d4a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -152,14 +152,30 @@
 # logd access
 write_logd(domain)
 
-# System file accesses.
-allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr map };
+# Directory/link file access for path resolution.
+allow domain {
+    system_file
+    system_lib_file
+    system_seccomp_policy_file
+    system_security_cacerts_file
+}:dir r_dir_perms;
 allow domain system_file:lnk_file { getattr read };
 
+# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
+# linker and its config.
+allow domain system_seccomp_policy_file:file r_file_perms;
+# cacerts are accessible from public Java API.
+allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_linker_exec:file { execute read open getattr map };
+allow domain system_linker_config_file:file r_file_perms;
+allow domain system_lib_file:file { execute read open getattr map };
+
+allow { appdomain coredomain } system_file:file { execute read open getattr map };
+
 # Make sure system/vendor split doesn not affect non-treble
 # devices
 not_full_treble(`
+    allow domain system_file:file { execute read open getattr map };
     allow domain vendor_file_type:dir { search getattr };
     allow domain vendor_file_type:file { execute read open getattr map };
     allow domain vendor_file_type:lnk_file { getattr read };
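Review bot: The directory rule that replaces `allow domain system_file:dir { search getattr };` widens global access rather than limiting it: `r_dir_perms` (per global_macros) also grants read/open/ioctl, so every domain can now enumerate the contents of all system_file directories, which the commit message does not mention. If listing is not required, keep `allow domain system_file:dir { search getattr };` for the broad type and grant `r_dir_perms` only on the new narrower types. Separately, the lnk_file rule still covers only system_file, so a symlink that is now labelled system_lib_file (or lives under seccomp_policy/cacerts) can no longer be resolved by an arbitrary domain; if such symlinks exist, extend it to `allow domain { system_file system_lib_file }:lnk_file { getattr read };`.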
@@ -202,7 +218,8 @@
 # read and stat any sysfs symlinks
 allow domain sysfs:lnk_file { getattr read };
 
-# libc references /data/misc/zoneinfo for timezone related information
+# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
+# timezone related information.
 # This directory is considered to be a VNDK-stable
 allow domain zoneinfo_data_file:file r_file_perms;
 allow domain zoneinfo_data_file:dir r_dir_perms;
@@ -438,6 +455,8 @@
 } {
     file_type
     -system_file
+    -system_lib_file
+    -system_linker_exec
     -vendor_file_type
     -exec_type
     -postinstall_file
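Review bot: The `-system_linker_exec` exclusion added below `-system_lib_file` is redundant: file.te declares system_linker_exec with the exec_type attribute, and `-exec_type` already appears in the same list. Either drop the line or keep it with a comment such as `# already covered by -exec_type; listed for clarity`. The enclosing neverallow starts outside the hunk, so whether the other new types (system_linker_config_file, system_seccomp_policy_file, system_security_cacerts_file) also need to be excluded here cannot be judged from this hunk; as file_type members they inherit whatever this neverallow forbids.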
@@ -859,8 +878,9 @@
   } {
     core_data_file_type
     # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
-    # vndk-stable and thus must be allowed for all processes.
+    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
+    # These functions are considered vndk-stable and thus must be allowed for
+    # all processes.
     -zoneinfo_data_file
   }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
@@ -1019,6 +1039,7 @@
         -vendor_init
     } {
         exec_type
+        -system_linker_exec
         -vendor_file_type
         -crash_dump_exec
         -netutils_wrapper_exec
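Review bot: The `-system_linker_exec` exclusion has no comment explaining why the linker must be exempt from this neverallow; add `# linker is the ELF interpreter, so every dynamically linked process needs execute on it`. The head of the neverallow, including its permission set, is outside the hunk, so confirm that the exemption relaxes only `execute`, the single permission the global allow on system_linker_exec earlier in this file grants; if the set also includes `execute_no_trans` or `entrypoint`, the exemption is broader than the allow rule needs and should be narrowed to match.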
@@ -1079,6 +1100,18 @@
   }:file *;
 ')
 
+# TODO(b/111243627): Uncomment once all violations are cleaned up.
+#full_treble_only(`
+#  # Do not allow vendor components access to /system files except for the
+#  # ones whitelisted here.
+#  neverallow {
+#    domain
+#    -appdomain
+#    -coredomain
+#    -vendor_executes_system_violators
+#  } system_file:file *;
+#')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain
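Review bot: The commented-out neverallow references `vendor_executes_system_violators`, which is not declared anywhere in this diff; before the block can be enabled that attribute must exist (and the offending vendor domains assigned to it), otherwise the policy build fails at that point. The TODO comment should say so, e.g. `# Requires attribute vendor_executes_system_violators to be declared first.`. Note also that the rule covers only `system_file:file`; directory search/listing and symlink reads on system_file remain globally allowed by the rules earlier in this file, which is worth stating in the comment if that is the intended end state.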
diff --git a/public/file.te b/public/file.te
index b70c4e2..0f12f51 100644
--- a/public/file.te
+++ b/public/file.te
@@ -132,6 +132,16 @@
 
 # Default type for anything under /system.
 type system_file, file_type;
+# Default type for anything under /system/lib[64].
+type system_lib_file, file_type;
+# Default type for linker executable /system/bin/linker[64].
+type system_linker_exec, exec_type, file_type;
+# Default type for linker config /system/etc/ld.config.*.
+type system_linker_config_file, file_type;
+# Default type for linker config /system/etc/seccomp_policy/*.
+type system_seccomp_policy_file, file_type;
+# Default type for cacerts in /system/etc/security/cacerts/*.
+type system_security_cacerts_file, file_type;
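Review bot: The comment above `type system_seccomp_policy_file` is a copy-paste error: it describes the type as "linker config" although it labels seccomp policy files. Replace it with `# Default type for seccomp policy files in /system/etc/seccomp_policy/*.`. The comment on system_linker_exec could also mention the ASan variants, since file_contexts labels `linker(_asan)?(64)?` with this type.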
 
 # Default type for directories search for
 # HAL implementations
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 339af52..bfee2d3 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -12,11 +12,6 @@
 # Permit reading device's serial number from system properties
 get_prop(hal_drm, serialno_prop)
 
-# System file accesses
-allow hal_drm system_file:dir r_dir_perms;
-allow hal_drm system_file:file r_file_perms;
-allow hal_drm system_file:lnk_file r_file_perms;
-
 # Read files already opened under /data
 allow hal_drm system_data_file:file { getattr read };
 
diff --git a/public/hal_health.te b/public/hal_health.te
index 32afcad..76efdef 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -4,11 +4,6 @@
 
 hal_attribute_hwservice(hal_health, hal_health_hwservice)
 
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_health, system_file)
-
 # Common rules for a health service.
 
 # Allow to listen to uevents for updates
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index a7c687d..7e6212c 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -39,7 +39,6 @@
 
 r_dir_file(hal_telephony_server, proc_net_type)
 r_dir_file(hal_telephony_server, sysfs_type)
-r_dir_file(hal_telephony_server, system_file)
 
 # granting the ioctl permission for hal_telephony_server should be device specific
 allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index c6aecdf..a3dd58b 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -12,10 +12,6 @@
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
 
-# Read access to system files for passthrough HALs in
-# /{system,vendor,odm}/lib[64]/hw/
-r_dir_file(healthd, system_file)
-
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
 
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 4c40617..92af53b 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -3,8 +3,3 @@
 
 type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_default)
-
-# Read access to system files for HALs in
-# /{system,vendor,odm}/lib[64]/hw/ in order
-# to be able to open the hal implementation .so files
-r_dir_file(hal_gnss, system_file)