From 782636c9e2be240ec48543ca5171bf2ea2bc0f38 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Tue, 7 Aug 2018 13:44:20 -0700 Subject: [PATCH 19/26] Relax some neverallow rules Kernels above 4.14 have a new mmap permission. However, neverallow rules exclude the use of mmap, even when file FDs are passable across the vendor/non-vendor boundary. Since we allow reading / writing of passed file descriptors, also allow the use of mmap for passed file descriptors. Bug: 112171217 Test: policy compiles Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9 --- prebuilts/api/28.0/public/domain.te | 8 ++++---- public/domain.te | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te index a0a19166..26ce1a00 100644 --- a/prebuilts/api/28.0/public/domain.te +++ b/prebuilts/api/28.0/public/domain.te @@ -818,7 +818,7 @@ full_treble_only(` } { data_file_type -core_data_file_type - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; ') full_treble_only(` neverallow { @@ -850,7 +850,7 @@ full_treble_only(` # files in /data/misc/zoneinfo/tzdata file. These functions are considered # vndk-stable and thus must be allowed for all processes. -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; neverallow { vendor_init -data_between_core_and_vendor_violators @@ -858,7 +858,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. neverallow vendor_init unencrypted_data_file:file ~r_file_perms; @@ -924,7 +924,7 @@ full_treble_only(` -init } { vendor_data_file # default label for files on /data/vendor{,_ce,_de}. - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; ') # On TREBLE devices, a limited set of files in /vendor are accessible to diff --git a/public/domain.te b/public/domain.te index a0a19166..26ce1a00 100644 --- a/public/domain.te +++ b/public/domain.te @@ -818,7 +818,7 @@ full_treble_only(` } { data_file_type -core_data_file_type - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; ') full_treble_only(` neverallow { @@ -850,7 +850,7 @@ full_treble_only(` # files in /data/misc/zoneinfo/tzdata file. These functions are considered # vndk-stable and thus must be allowed for all processes. -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; neverallow { vendor_init -data_between_core_and_vendor_violators @@ -858,7 +858,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -zoneinfo_data_file - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. # The vendor init binary lives on the system partition so there is not a concern with stability. neverallow vendor_init unencrypted_data_file:file ~r_file_perms; @@ -924,7 +924,7 @@ full_treble_only(` -init } { vendor_data_file # default label for files on /data/vendor{,_ce,_de}. - }:file_class_set ~{ append getattr ioctl read write }; + }:file_class_set ~{ append getattr ioctl read write map }; ') # On TREBLE devices, a limited set of files in /vendor are accessible to -- 2.17.1