sepolicy: Fix up neverallows for non-shipping builds.
Change-Id: Id377a5821df76f5bc92360d3891989490da9e42e
diff --git a/domain.te b/domain.te
index 05f61c8..b6eeb2e 100644
--- a/domain.te
+++ b/domain.te
@@ -316,7 +316,10 @@
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+ifelse(shipping_build, `true',
+ `neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };'
+,
+)
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
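Review bot: The else branch of the new `ifelse` at L11–L14 is empty, so the rootfs write neverallow disappears entirely on non-shipping builds, and because `shipping_build` is compared unquoted, a build where that m4 symbol is not defined would also take the empty branch and silently lose the rule — as far as I can tell nothing in this hunk guards against that. Making the protected rule the default would fail safe: `ifelse(shipping_build, `false', , `neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };')`. If only a specific domain needs to write rootfs files on non-shipping builds, carving that domain out (as the dalvikcache rules below do with `-recovery`) would be narrower than dropping the rule; either way a one-line comment stating which domain needs the exemption and why would help the next reader.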
@@ -356,21 +359,17 @@
# Only authorized processes should be writing to files in /data/dalvik-cache
# (excluding /data/dalvik-cache/profiles, which is labeled differently)
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -dex2oat
-} dalvikcache_data_file:file no_w_file_perms;
+ifelse(shipping_build, `true',
+ `neverallow { domain -init -zygote -installd -dex2oat } dalvikcache_data_file:file no_w_file_perms;'
+,
+ `neverallow { domain -init -zygote -installd -dex2oat -system_server -recovery} dalvikcache_data_file:file no_w_file_perms;'
+)
-neverallow {
- domain
- -init
- -installd
- -dex2oat
- -zygote
-} dalvikcache_data_file:dir no_w_dir_perms;
+ifelse(shipping_build, `true',
+ `neverallow { domain -init -installd -dex2oat -zygote } dalvikcache_data_file:dir no_w_dir_perms;'
+,
+ `neverallow { domain -init -installd -dex2oat -zygote -recovery } dalvikcache_data_file:dir no_w_dir_perms;'
+)
# Only system_server should be able to send commands via the zygote socket
neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
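Review bot: The non-shipping file rule at L30 exempts `system_server`, but the matching dir rule at L42 does not, so system_server could modify existing dalvik-cache files yet not create or unlink them; if that asymmetry is intended it deserves a comment, otherwise it looks like an oversight. Exempting system_server here is presumably the reason the rule existed (zygote and apps load code from this cache), so a justification comment would be worth adding even for non-shipping builds. The original `# TODO: limit init to relabelfrom for files` note is also dropped by the rewrite; it still applies and can sit above the `ifelse`, e.g. `# TODO: limit init to relabelfrom for files`.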
@@ -401,7 +400,7 @@
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -init -untrusted_app -sudaemon') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
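Review bot: The comment at L48–L49 still says only dumpstate, shell and su itself may execute su, but the new exemption list at L51 also includes `init`, `untrusted_app` and `sudaemon`; the comment should be updated, e.g. `# On userdebug/eng builds, only dumpstate, shell, su, init, sudaemon and untrusted_app may execute su.`. Allowing `untrusted_app` to exec `su_exec` on userdebug/eng builds is a notable widening (any third-party app, not just the shell user), so a sentence explaining why that is needed would help reviewers judge it. I cannot see a declaration of the `sudaemon` type in this diff; it needs to exist for the policy to compile.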
@@ -439,13 +438,12 @@
# Example type transition:
# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
-} system_data_file:file no_w_file_perms;
+ifelse(shipping_build, `true',
+ `neverallow { domain -system_server -system_app -init -installd } system_data_file:file no_w_file_perms;'
+,
+ `neverallow { domain -system_server -system_app -init -installd -recovery } system_data_file:file no_w_file_perms;'
+)
+
# do not grant anything greater than r_file_perms and relabelfrom unlink
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
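Review bot: The rewrite at L65–L69 drops the `# for relabelfrom and unlink, check for this in explicit neverallow` note on `-installd`; the explicit neverallow it refers to is still at L73, so the note remains accurate and should be kept as a comment line above the `ifelse`, e.g. `# installd is exempted for relabelfrom and unlink only; see the explicit neverallow below.`. A short comment on why `recovery` needs write access to `system_data_file` on non-shipping builds would also be useful, since the reason is not stated anywhere in this hunk.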
diff --git a/keystore.te b/keystore.te
index 54439ec..b5d119f 100644
--- a/keystore.te
+++ b/keystore.te
@@ -26,7 +26,12 @@
neverallow { domain -keystore -recovery } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -keystore -recovery } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+ifelse(shipping_build, `true',
+ `neverallow { domain -keystore -init } keystore_data_file:dir *;
+ neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;'
+,
+ `neverallow { domain -keystore -init -recovery } keystore_data_file:dir *;
+ neverallow { domain -keystore -init -recovery } keystore_data_file:notdevfile_class_set *;'
+)
neverallow domain keystore:process ptrace;
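Review bot: On non-shipping builds the new lines at L87–L88 exempt `recovery` from the `*` neverallows, which means an allow rule granting recovery any permission on keystore key blobs — including write and unlink — would now pass, whereas the existing carve-outs at L79–L80 only ever let recovery have a limited set (dir create/read/search, file relabelto/getattr). If the non-shipping need is just the operations already tolerated by L79–L80, the blanket exemption is broader than necessary; if a wider set is genuinely needed, a comment naming it, e.g. `# Non-shipping builds: recovery may touch keystore files for <reason>.`, would document the deliberate weakening.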
diff --git a/recovery.te b/recovery.te
index 8d6fd62..646e42f 100644
--- a/recovery.te
+++ b/recovery.te
@@ -114,5 +114,11 @@
# domains, including recovery.
#
# TODO: tighten this up further.
-neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
-neverallow recovery data_file_type:dir no_w_dir_perms;
+ifelse(shipping_build, `true',
+ `neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };'
+,
+)
+ifelse(shipping_build, `true',
+ `neverallow recovery data_file_type:dir no_w_dir_perms;'
+,
+)
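Review bot: The two `ifelse` blocks at L101–L108 drop both neverallows entirely on non-shipping builds, which removes `no_x_file_perms` as well as the write restrictions — so recovery could be granted execute on `data_file_type` files there, something the write relaxation does not require. Keeping the execute prohibition unconditional and gating only the write rules (merged into one `ifelse`) preserves the "TODO: tighten this up further" intent at L98 on every build. Suggested shape below.
```selinux
# Recovery must never execute from data files on any build.
neverallow recovery data_file_type:file no_x_file_perms;
# Write restrictions are only enforced on shipping builds.
ifelse(shipping_build, `true',
 `neverallow recovery data_file_type:file no_w_file_perms;
 neverallow recovery data_file_type:dir no_w_dir_perms;'
,
)
```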
diff --git a/system_server.te b/system_server.te
index 036e90e..6c088f3 100644
--- a/system_server.te
+++ b/system_server.te
@@ -457,7 +457,10 @@
# a bug (for example, bug 16317188), or represents an attempt by
# system server to dynamically load a dex file, something we do not
# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
+ifelse(shipping_build, `true',
+ `neverallow system_server dex2oat_exec:file no_x_file_perms;'
+,
+)
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
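Review bot: The comment at L114–L116 still states that system_server executing dex2oat is "something we do not want to allow", but the new `ifelse` at L118–L121 allows exactly that on non-shipping builds, so the comment is now misleading. Adding a line such as `# This check is only enforced on shipping builds; non-shipping builds may need it for debugging.` (with the actual reason) keeps the rationale accurate. As with the other empty else branches in this change, an undefined `shipping_build` would silently take the permissive branch, which is worth a guard or at least a comment.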
diff --git a/vold.te b/vold.te
index 3ff2e74..7ddf2b7 100644
--- a/vold.te
+++ b/vold.te
@@ -171,8 +171,16 @@
allow vold self:capability sys_chroot;
allow vold storage_file:dir mounton;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
-neverallow { domain -vold -init } restorecon_prop:property_service set;
+ifelse(shipping_build, `true',
+ `neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+ neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+ neverallow { domain -vold -init } vold_data_file:dir *;
+ neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
+ neverallow { domain -vold -init } restorecon_prop:property_service set;'
+,
+ `neverallow { domain -vold -recovery } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+ neverallow { domain -vold -recovery } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+ neverallow { domain -vold -init -recovery } vold_data_file:dir *;
+ neverallow { domain -vold -init -recovery } vold_data_file:notdevfile_class_set *;
+ neverallow { domain -vold -init -recovery } restorecon_prop:property_service set;'
+)
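Review bot: The non-shipping branch at L143–L147 exempts `recovery` from every vold_data_file neverallow and from setting `restorecon_prop`, but nothing in the hunk says what recovery does with vold's data files or why it must set that property; a comment above the `ifelse` would help, e.g. `# Non-shipping builds: recovery needs vold_data_file access and restorecon_prop for <reason>.`. If only a subset of those five rules actually needs the exemption, the remaining ones could stay identical in both branches so the shipping and non-shipping policies diverge as little as possible. The indented continuation lines inside the m4 quotes are harmless but will carry leading whitespace into the generated policy.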