commit abb1ba6532c923106b459dbb3ba47d9c7038bc97
author Joel Scherpelz <jscherpelz@google.com> Thu Jun 08 13:59:41 2017 +0900
committer Joel Scherpelz <jscherpelz@google.com> Mon Jun 12 11:00:59 2017 +0900
tree 926595d8652008c86e0cc981f6ee22dad39a4a98
parent 06486796a4e818d782ea1f2f20cfc8ddf6bf724c

SELinux policy for secure persistent netd storage

This is used to persist RFC 7217 stable secrets across device reboots.

First submit caused a merge conflict. This revision replaces netd_prop
with a more unique name netd_stable_secret_prop.

Test: as follows
    - Manually tested that stable_secret is generated on first use and
      persists until reset of user data partition (factory reset).
    - Tested that "adb shell getprop" was denied access to
      persist.netd.stable_secret after running "adb unroot".
Bug: 17613910

Change-Id: I0a609c724799a15b1926e62534c16810d34f2275

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 2315034..8eb2f28 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -50,6 +50,7 @@
 logd.logpersistd        u:object_r:logpersistd_logging_prop:s0
 persist.log.tag         u:object_r:log_tag_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
+persist.netd.stable_secret      u:object_r:netd_stable_secret_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
 ro.sys.safemode         u:object_r:safemode_prop:s0

public/netd.te

diff --git a/public/netd.te b/public/netd.te
index 35d9b7c..d01d2f8 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -58,6 +58,7 @@
 allow netd clatd:process signal;
 
 set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
@@ -104,3 +105,11 @@
 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;

public/property.te

diff --git a/public/property.te b/public/property.te
index daac0fb..95efcaa 100644
--- a/public/property.te
+++ b/public/property.te
@@ -30,6 +30,7 @@
 type mmc_prop, property_type;
 type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
 type nfc_prop, property_type, core_property_type;
 type overlay_prop, property_type;
 type pan_result_prop, property_type, core_property_type;