Protect keystore's files.

Only keystore itself should be reading / writing it's files.
Remove keystore file access from other SELinux domains, including
unconfined. Add neverallow rules to protect against regressions.
Allow init limited access to recurse into keystore's directory.

Change-Id: I0bb5de7804f4314997c16fac18507933014bcadf

init.te

@@ -23,3 +23,8 @@ allow init recovery:process transition;
 allow init shell:process transition;
 allow init ueventd:process transition;
 allow init watchdogd:process transition;
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };

installd.te

@@ -11,9 +11,9 @@ allow installd system_data_file:lnk_file create;
 allow installd dalvikcache_data_file:file create_file_perms;
 allow installd dalvikcache_profiles_data_file:dir create_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
-allow installd data_file_type:dir create_dir_perms;
-allow installd data_file_type:dir { relabelfrom relabelto };
-allow installd data_file_type:{ file_class_set } { getattr unlink };
+allow installd { data_file_type -keystore_data_file }:dir create_dir_perms;
+allow installd { data_file_type -keystore_data_file }:dir { relabelfrom relabelto };
+allow installd { data_file_type -keystore_data_file }:{ file_class_set } { getattr unlink };
 allow installd apk_data_file:file r_file_perms;
 allow installd apk_tmp_file:file r_file_perms;
 allow installd oemfs:dir r_dir_perms;

keystore.te

@@ -11,3 +11,15 @@ allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
+
+###
+### Neverallow rules
+###
+### Protect our files from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
+neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;

system_server.te

@@ -168,8 +168,8 @@ allow system_server adbd_socket:sock_file rw_file_perms;
 allow system_server tun_device:chr_file rw_file_perms;
 
 # Manage data files.
-allow system_server data_file_type:dir create_dir_perms;
-allow system_server data_file_type:notdevfile_class_set create_file_perms;
+allow system_server { data_file_type -keystore_data_file }:dir create_dir_perms;
+allow system_server { data_file_type -keystore_data_file }:notdevfile_class_set create_file_perms;
 
 # Read /file_contexts and /data/security/file_contexts
 security_access_policy(system_server)

unconfined.te

@@ -28,10 +28,10 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type -keystore_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;