remove overly permissive rules from domain

Move to domain_deprecated Bug: 25433265 Change-Id: Ib21876e450d8146ef9363d6430f6c7f00ab0c7f3
CyanogenMod · Nov 9, 2015 · 6e3506e · 6e3506e
1 parent d22987b
commit 6e3506e
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 80 deletions.
diff --git a/domain.te b/domain.te
@@ -3,14 +3,6 @@
 # Allow reaping by init.
 allow domain init:process sigchld;
 
-# Read access to properties mapping.
-allow domain kernel:fd use;
-allow domain tmpfs:file { read getattr };
-allow domain tmpfs:lnk_file { read getattr };
-
-# Search /storage/emulated tmpfs mount.
-allow domain tmpfs:dir r_dir_perms;
-
 # Intra-domain accesses.
 allow domain self:process {
     fork
@@ -38,13 +30,6 @@ allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
 
 # Inherit or receive open files from others.
 allow domain init:fd use;
-allow domain system_server:fd use;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow domain adbd:unix_stream_socket connectto;
-allow domain adbd:fd use;
-allow domain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
 userdebug_or_eng(`
   # Same as adbd rules above, except allow su to do the same thing
@@ -73,15 +58,13 @@ allow domain debuggerd:process sigchld;
 allow domain debuggerd:unix_stream_socket connectto;
 
 # Root fs.
-allow domain rootfs:dir r_dir_perms;
-allow domain rootfs:file r_file_perms;
-allow domain rootfs:lnk_file r_file_perms;
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file read;
 
 # Device accesses.
 allow domain device:dir search;
 allow domain dev_type:lnk_file r_file_perms;
 allow domain devpts:dir search;
-allow domain device:file read;
 allow domain socket_device:dir r_dir_perms;
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
@@ -99,70 +82,20 @@ allow domain vold:key search;
 # logd access
 write_logd(domain)
 
-# Filesystem accesses.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
 # System file accesses.
-allow domain system_file:dir r_dir_perms;
-allow domain system_file:file r_file_perms;
-allow domain system_file:file execute;
-allow domain system_file:lnk_file r_file_perms;
+allow domain system_file:dir search;
+allow domain system_file:file { execute read open getattr };
+allow domain system_file:lnk_file read;
 
-# Read files already opened under /data.
+# files under /data.
 allow domain system_data_file:dir { search getattr };
-allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file r_file_perms;
-
-# Read apk files under /data/app.
-allow domain apk_data_file:dir { getattr search };
-allow domain apk_data_file:file r_file_perms;
-allow domain apk_data_file:lnk_file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow domain dalvikcache_data_file:dir { search getattr };
-allow domain dalvikcache_data_file:file r_file_perms;
-
-# Read already opened /cache files.
-allow domain cache_file:dir r_dir_perms;
-allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file r_file_perms;
-
-# Read timezone related information
-r_dir_file(domain, zoneinfo_data_file)
-
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
-
-#Allow access to ion memory allocation device
-allow domain ion_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(domain, proc)
-r_dir_file(domain, sysfs)
-r_dir_file(domain, sysfs_devices_system_cpu)
-r_dir_file(domain, inotify)
-r_dir_file(domain, cgroup)
-r_dir_file(domain, proc_net)
-allow domain proc_cpuinfo:file r_file_perms;
-
-# debugfs access
-allow domain debugfs:dir r_dir_perms;
-allow domain debugfs:file w_file_perms;
-
-# Get SELinux enforcing status.
-allow domain selinuxfs:dir r_dir_perms;
-allow domain selinuxfs:file r_file_perms;
-
-# /data/security files
-allow domain security_file:dir { search getattr };
-allow domain security_file:file getattr;
-allow domain security_file:lnk_file r_file_perms;
-
-# World readable asec image contents
-allow domain asec_public_file:file r_file_perms;
-allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
+
+# required by the dynamic linker
+allow domain proc:lnk_file read;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
 
 ###
 ### neverallow rules

diff --git a/domain_deprecated.te b/domain_deprecated.te
@@ -1 +1,90 @@
 # rules removed from the domain attribute
+
+# Read access to properties mapping.
+allow domain_deprecated kernel:fd use;
+allow domain_deprecated tmpfs:file { read getattr };
+allow domain_deprecated tmpfs:lnk_file { read getattr };
+
+# Search /storage/emulated tmpfs mount.
+allow domain_deprecated tmpfs:dir r_dir_perms;
+
+# Inherit or receive open files from others.
+allow domain_deprecated system_server:fd use;
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow domain_deprecated adbd:unix_stream_socket connectto;
+allow domain_deprecated adbd:fd use;
+allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Root fs.
+allow domain_deprecated rootfs:dir r_dir_perms;
+allow domain_deprecated rootfs:file r_file_perms;
+allow domain_deprecated rootfs:lnk_file r_file_perms;
+
+# Device accesses.
+allow domain_deprecated device:file read;
+
+# Filesystem accesses.
+allow domain_deprecated fs_type:filesystem getattr;
+allow domain_deprecated fs_type:dir getattr;
+
+# System file accesses.
+allow domain_deprecated system_file:dir r_dir_perms;
+allow domain_deprecated system_file:file r_file_perms;
+allow domain_deprecated system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data.
+allow domain_deprecated system_data_file:dir { search getattr };
+allow domain_deprecated system_data_file:file { getattr read };
+allow domain_deprecated system_data_file:lnk_file r_file_perms;
+
+# Read apk files under /data/app.
+allow domain_deprecated apk_data_file:dir { getattr search };
+allow domain_deprecated apk_data_file:file r_file_perms;
+allow domain_deprecated apk_data_file:lnk_file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow domain_deprecated dalvikcache_data_file:dir { search getattr };
+allow domain_deprecated dalvikcache_data_file:file r_file_perms;
+
+# Read already opened /cache files.
+allow domain_deprecated cache_file:dir r_dir_perms;
+allow domain_deprecated cache_file:file { getattr read };
+allow domain_deprecated cache_file:lnk_file r_file_perms;
+
+# Read timezone related information
+r_dir_file(domain_deprecated, zoneinfo_data_file)
+
+# For /acct/uid/*/tasks.
+allow domain_deprecated cgroup:dir { search write };
+allow domain_deprecated cgroup:file w_file_perms;
+
+#Allow access to ion memory allocation device
+allow domain_deprecated ion_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(domain_deprecated, proc)
+r_dir_file(domain_deprecated, sysfs)
+r_dir_file(domain_deprecated, sysfs_devices_system_cpu)
+r_dir_file(domain_deprecated, inotify)
+r_dir_file(domain_deprecated, cgroup)
+r_dir_file(domain_deprecated, proc_net)
+allow domain_deprecated proc_cpuinfo:file r_file_perms;
+
+# debugfs access
+allow domain_deprecated debugfs:dir r_dir_perms;
+allow domain_deprecated debugfs:file w_file_perms;
+
+# Get SELinux enforcing status.
+allow domain_deprecated selinuxfs:dir r_dir_perms;
+allow domain_deprecated selinuxfs:file r_file_perms;
+
+# /data/security files
+allow domain_deprecated security_file:dir { search getattr };
+allow domain_deprecated security_file:file getattr;
+allow domain_deprecated security_file:lnk_file r_file_perms;
+
+# World readable asec image contents
+allow domain_deprecated asec_public_file:file r_file_perms;
+allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;