deny_new_usb sysctl and system property policy

GrapheneOS · Sep 10, 2020 · 73c1e10 · 73c1e10
1 parent 35f8935
commit 73c1e10
Show file tree

Hide file tree

Showing 16 changed files with 24 additions and 3 deletions.
diff --git a/prebuilts/api/28.0/plat_pub_versioned.cil b/prebuilts/api/28.0/plat_pub_versioned.cil
@@ -4,7 +4,7 @@
 (typeattribute domain)
 (typeattributeset domain (adbd_28_0 audioserver_28_0 blkid_28_0 blkid_untrusted_28_0 bluetooth_28_0 bootanim_28_0 bootstat_28_0 bufferhubd_28_0 cameraserver_28_0 charger_28_0 clatd_28_0 cppreopts_28_0 crash_dump_28_0 dex2oat_28_0 dhcp_28_0 dnsmasq_28_0 drmserver_28_0 dumpstate_28_0 e2fs_28_0 ephemeral_app_28_0 fingerprintd_28_0 fsck_28_0 fsck_untrusted_28_0 gatekeeperd_28_0 healthd_28_0 hwservicemanager_28_0 idmap_28_0 incident_28_0 incident_helper_28_0 incidentd_28_0 init_28_0 inputflinger_28_0 install_recovery_28_0 installd_28_0 isolated_app_28_0 kernel_28_0 keystore_28_0 lmkd_28_0 logd_28_0 logpersist_28_0 mdnsd_28_0 mediacodec_28_0 mediadrmserver_28_0 mediaextractor_28_0 mediametrics_28_0 mediaprovider_28_0 mediaserver_28_0 modprobe_28_0 mtp_28_0 netd_28_0 netutils_wrapper_28_0 nfc_28_0 otapreopt_chroot_28_0 otapreopt_slot_28_0 performanced_28_0 perfprofd_28_0 platform_app_28_0 postinstall_28_0 postinstall_dexopt_28_0 ppp_28_0 preopt2cachename_28_0 priv_app_28_0 profman_28_0 racoon_28_0 radio_28_0 recovery_28_0 recovery_persist_28_0 recovery_refresh_28_0 runas_28_0 sdcardd_28_0 secure_element_28_0 servicemanager_28_0 sgdisk_28_0 shared_relro_28_0 shell_28_0 slideshow_28_0 su_28_0 surfaceflinger_28_0 system_app_28_0 system_server_28_0 tee_28_0 thermalserviced_28_0 tombstoned_28_0 toolbox_28_0 traced_probes_28_0 traceur_app_28_0 tzdatacheck_28_0 ueventd_28_0 uncrypt_28_0 untrusted_app_28_0 untrusted_app_27_28_0 untrusted_app_25_28_0 untrusted_v2_app_28_0 update_engine_28_0 update_verifier_28_0 usbd_28_0 vdc_28_0 vendor_init_28_0 vendor_shell_28_0 virtual_touchpad_28_0 vndservicemanager_28_0 vold_28_0 vold_prepare_subdirs_28_0 vr_hwc_28_0 watchdogd_28_0 webview_zygote_28_0 wificond_28_0 wpantund_28_0 zygote_28_0))
 (typeattribute fs_type)
-(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0))
+(typeattributeset fs_type (device_28_0 labeledfs_28_0 pipefs_28_0 sockfs_28_0 rootfs_28_0 proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 sysfs_usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0 selinuxfs_28_0 cgroup_28_0 cgroup_bpf_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 fs_bpf_28_0 configfs_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0 inotify_28_0 devpts_28_0 tmpfs_28_0 shm_28_0 mqueue_28_0 fuse_28_0 sdcardfs_28_0 vfat_28_0 exfat_28_0 debugfs_28_0 debugfs_mmc_28_0 debugfs_trace_marker_28_0 debugfs_tracing_28_0 debugfs_tracing_debug_28_0 debugfs_tracing_instances_28_0 debugfs_wakeup_sources_28_0 debugfs_wifi_tracing_28_0 pstorefs_28_0 functionfs_28_0 oemfs_28_0 usbfs_28_0 binfmt_miscfs_28_0 app_fusefs_28_0))
 (typeattribute contextmount_type)
 (typeattributeset contextmount_type (oemfs_28_0 app_fusefs_28_0))
 (typeattribute file_type)
@@ -21,7 +21,7 @@
 (typeattributeset vendor_file_type (vendor_hal_file_28_0 vendor_file_28_0 vendor_app_file_28_0 vendor_configs_file_28_0 same_process_hal_file_28_0 vndk_sp_file_28_0 vendor_framework_file_28_0 vendor_overlay_file_28_0 mediacodec_exec_28_0 vendor_shell_exec_28_0 vendor_toolbox_exec_28_0))
 (typeattribute proc_type)
 (expandtypeattribute (proc_type) false)
-(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0))
+(typeattributeset proc_type (proc_28_0 proc_security_28_0 proc_drop_caches_28_0 proc_overcommit_memory_28_0 proc_min_free_order_shift_28_0 usermodehelper_28_0 qtaguid_proc_28_0 proc_qtaguid_stat_28_0 proc_bluetooth_writable_28_0 proc_abi_28_0 proc_asound_28_0 proc_buddyinfo_28_0 proc_cmdline_28_0 proc_cpuinfo_28_0 proc_deny_new_usb_28_0 proc_dirty_28_0 proc_diskstats_28_0 proc_extra_free_kbytes_28_0 proc_filesystems_28_0 proc_hostname_28_0 proc_hung_task_28_0 proc_interrupts_28_0 proc_iomem_28_0 proc_kmsg_28_0 proc_loadavg_28_0 proc_max_map_count_28_0 proc_meminfo_28_0 proc_misc_28_0 proc_modules_28_0 proc_mounts_28_0 proc_net_28_0 proc_page_cluster_28_0 proc_pagetypeinfo_28_0 proc_panic_28_0 proc_perf_28_0 proc_pid_max_28_0 proc_pipe_conf_28_0 proc_random_28_0 proc_sched_28_0 proc_stat_28_0 proc_swaps_28_0 proc_sysrq_28_0 proc_timer_28_0 proc_tty_drivers_28_0 proc_uid_cputime_showstat_28_0 proc_uid_cputime_removeuid_28_0 proc_uid_io_stats_28_0 proc_uid_procstat_set_28_0 proc_uid_time_in_state_28_0 proc_uid_concurrent_active_time_28_0 proc_uid_concurrent_policy_time_28_0 proc_uid_cpupower_28_0 proc_uptime_28_0 proc_version_28_0 proc_vmallocinfo_28_0 proc_vmstat_28_0 proc_zoneinfo_28_0))
 (typeattribute sysfs_type)
 (typeattributeset sysfs_type (sysfs_usermodehelper_28_0 sysfs_28_0 sysfs_android_usb_28_0 sysfs_uio_28_0 sysfs_batteryinfo_28_0 sysfs_bluetooth_writable_28_0 sysfs_dm_28_0 sysfs_dt_firmware_android_28_0 sysfs_ipv4_28_0 sysfs_kernel_notes_28_0 sysfs_leds_28_0 sysfs_hwrandom_28_0 sysfs_nfc_power_writable_28_0 sysfs_wake_lock_28_0 sysfs_mac_address_28_0 sysfs_net_28_0 sysfs_power_28_0 sysfs_rtc_28_0 sysfs_switch_28_0 sysfs_usb_28_0 sysfs_wakeup_reasons_28_0 sysfs_fs_ext4_features_28_0 sysfs_devices_system_cpu_28_0 sysfs_lowmemorykiller_28_0 sysfs_wlan_fwpath_28_0 sysfs_vibrator_28_0 sysfs_thermal_28_0 sysfs_zram_28_0 sysfs_zram_uevent_28_0))
 (typeattribute debugfs_type)
@@ -856,6 +856,9 @@
 (type proc_cpuinfo)
 (typeattribute proc_cpuinfo_28_0)
 (roletype object_r proc_cpuinfo_28_0)
+(type proc_deny_new_usb)
+(typeattribute proc_deny_new_usb_28_0)
+(roletype object_r proc_deny_new_usb_28_0)
 (type proc_dirty)
 (typeattribute proc_dirty_28_0)
 (roletype object_r proc_dirty_28_0)

diff --git a/prebuilts/api/28.0/vendor_sepolicy.cil b/prebuilts/api/28.0/vendor_sepolicy.cil
diff --git a/prebuilts/api/29.0/private/compat/26.0/26.0.cil b/prebuilts/api/29.0/private/compat/26.0/26.0.cil
@@ -466,6 +466,7 @@
     proc_asound
     proc_buddyinfo
     proc_cmdline
+    proc_deny_new_usb
     proc_dirty
     proc_diskstats
     proc_extra_free_kbytes

diff --git a/prebuilts/api/29.0/private/compat/27.0/27.0.cil b/prebuilts/api/29.0/private/compat/27.0/27.0.cil
@@ -1181,6 +1181,7 @@
     proc_asound
     proc_buddyinfo
     proc_cmdline
+    proc_deny_new_usb
     proc_dirty
     proc_diskstats
     proc_extra_free_kbytes

diff --git a/prebuilts/api/29.0/private/compat/28.0/28.0.cil b/prebuilts/api/29.0/private/compat/28.0/28.0.cil
@@ -541,6 +541,7 @@
 (expandtypeattribute (proc_buddyinfo_28_0) true)
 (expandtypeattribute (proc_cmdline_28_0) true)
 (expandtypeattribute (proc_cpuinfo_28_0) true)
+(expandtypeattribute (proc_deny_new_usb_28_0) true)
 (expandtypeattribute (proc_dirty_28_0) true)
 (expandtypeattribute (proc_diskstats_28_0) true)
 (expandtypeattribute (proc_drop_caches_28_0) true)
@@ -1391,6 +1392,7 @@
 (typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo))
 (typeattributeset proc_cmdline_28_0 (proc_cmdline))
 (typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo))
+(typeattributeset proc_deny_new_usb_28_0 (proc_deny_new_usb))
 (typeattributeset proc_dirty_28_0 (proc_dirty))
 (typeattributeset proc_diskstats_28_0 (proc_diskstats))
 (typeattributeset proc_drop_caches_28_0 (proc_drop_caches))

diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
@@ -40,6 +40,7 @@ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0

diff --git a/prebuilts/api/29.0/private/property_contexts b/prebuilts/api/29.0/private/property_contexts
@@ -86,6 +86,8 @@ test.sys.boot.reason    u:object_r:test_boot_reason_prop:s0
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0
 
+security.deny_new_usb   u:object_r:system_prop:s0
+
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
 ro.device_owner         u:object_r:device_logging_prop:s0

diff --git a/prebuilts/api/29.0/public/file.te b/prebuilts/api/29.0/public/file.te
@@ -20,6 +20,7 @@ type proc_asound, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
 type proc_cmdline, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;
+type proc_deny_new_usb, fs_type, proc_type;
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;

diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
@@ -327,6 +327,7 @@ allow init {
 
 allow init {
   proc_abi
+  proc_deny_new_usb
   proc_dirty
   proc_hostname
   proc_hung_task

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
@@ -466,6 +466,7 @@
     proc_asound
     proc_buddyinfo
     proc_cmdline
+    proc_deny_new_usb
     proc_dirty
     proc_diskstats
     proc_extra_free_kbytes

diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
@@ -1181,6 +1181,7 @@
     proc_asound
     proc_buddyinfo
     proc_cmdline
+    proc_deny_new_usb
     proc_dirty
     proc_diskstats
     proc_extra_free_kbytes

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
@@ -541,6 +541,7 @@
 (expandtypeattribute (proc_buddyinfo_28_0) true)
 (expandtypeattribute (proc_cmdline_28_0) true)
 (expandtypeattribute (proc_cpuinfo_28_0) true)
+(expandtypeattribute (proc_deny_new_usb_28_0) true)
 (expandtypeattribute (proc_dirty_28_0) true)
 (expandtypeattribute (proc_diskstats_28_0) true)
 (expandtypeattribute (proc_drop_caches_28_0) true)
@@ -1391,6 +1392,7 @@
 (typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo))
 (typeattributeset proc_cmdline_28_0 (proc_cmdline))
 (typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo))
+(typeattributeset proc_deny_new_usb_28_0 (proc_deny_new_usb))
 (typeattributeset proc_dirty_28_0 (proc_dirty))
 (typeattributeset proc_diskstats_28_0 (proc_diskstats))
 (typeattributeset proc_drop_caches_28_0 (proc_drop_caches))

diff --git a/private/genfs_contexts b/private/genfs_contexts
@@ -40,6 +40,7 @@ genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
 genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
 genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/deny_new_usb u:object_r:proc_deny_new_usb:s0
 genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
 genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
 genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0

diff --git a/private/property_contexts b/private/property_contexts
@@ -86,6 +86,8 @@ test.sys.boot.reason    u:object_r:test_boot_reason_prop:s0
 sys.lmk.                u:object_r:system_lmk_prop:s0
 sys.trace.              u:object_r:system_trace_prop:s0
 
+security.deny_new_usb   u:object_r:system_prop:s0
+
 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
 ro.device_owner         u:object_r:device_logging_prop:s0

diff --git a/public/file.te b/public/file.te
@@ -20,6 +20,7 @@ type proc_asound, fs_type, proc_type;
 type proc_buddyinfo, fs_type, proc_type;
 type proc_cmdline, fs_type, proc_type;
 type proc_cpuinfo, fs_type, proc_type;
+type proc_deny_new_usb, fs_type, proc_type;
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;

diff --git a/public/init.te b/public/init.te
@@ -327,6 +327,7 @@ allow init {
 
 allow init {
   proc_abi
+  proc_deny_new_usb
   proc_dirty
   proc_hostname
   proc_hung_task