tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/vold_prepare_subdirs.te

102 lines
3.4 KiB
Text
Raw Normal View History

vold_prepare_subdirs sets policy in vold-created dirs. Bug: 25861755 Test: Boot device, observe logs Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900 Merged-In: I6c13430d42e9794003eb48e6ca219b874112b900 (cherry picked from commit 47f3ed09d222ee126cf2fe23b5fe15cd0b64520e)
2017-10-13 23:54:32 +02:00
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
allow vold_prepare_subdirs to create storaged directories Test: Boot device, observe logs Bug: 63740245 Change-Id: I1068304b12ea90736b7927b7368ba1a213d2fbae
2017-10-19 23:41:37 +02:00
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
typeattribute vold_prepare_subdirs coredomain;
Allow vold to set MLS level on per-user directories. We want to extend vold_prepare_subdirs to set the MLS level to the correct per-user value for selected user-specific directories. Grant vold_prepare_subdirs the access it needs to do this, and allow vold to access the temporary property controlling this. Bug: 141677108 Test: Manual, with and without property set. Change-Id: I572462cfd9b8869381f2af5faa29165bb8373d4b
2020-02-11 15:43:05 +01:00
typeattribute vold_prepare_subdirs mlstrustedsubject;
Move most of public/vold_prepare_subdirs.te to private AIUI permissions should be in private unless they need to be public. Bug: 25861755 Test: Boot device, create and remove a user, observe logs Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
2017-10-25 22:03:24 +02:00
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
allow vold_prepare_subdirs seapp_contexts_file:file r_file_perms;
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-07 00:19:40 +02:00
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
Move most of public/vold_prepare_subdirs.te to private AIUI permissions should be in private unless they need to be public. Bug: 25861755 Test: Boot device, create and remove a user, observe logs Change-Id: I6c3521d50dab2d508fce4b614d51e163e7c8f3da
2017-10-25 22:03:24 +02:00
allow vold_prepare_subdirs self:process setfscreate;
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
allow vold_prepare_subdirs {
Create a separate label for sandbox root directory Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Ignore-AOSP-First: Test is missing in AOSP. Will cherry-pick to AOSP once merged here. Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
2022-05-11 22:43:54 +02:00
sdk_sandbox_system_data_file
label /data/vendor{_ce,_de} Restrictions introduced in vendor init mean that new devices may not no longer exempt vendor init from writing to system_data_file. This means we must introduce a new label for /data/vendor which vendor_init may write to. Bug: 73087047 Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint No new denials. Change-Id: I65f904bb28952d4776aab947515947e14befbe34
2018-02-08 01:29:06 +01:00
system_data_file
vendor_data_file
Let vold_prepare_subdirs completely clean deleted user data. After adding a new user, deleting it, and rebooting, some of the user's data still remained. This adds the SELinux permissions necessary to remove all of the data. It fixes the followign denials: avc: denied { rmdir } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir avc: denied { unlink } for scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 74866238 Test: Create user, delete user, reboot user, see no denials or leftover data. Change-Id: Ibc43bd2552b388a9708bf781b5ad206f21df62dc
2018-04-16 23:50:38 +02:00
}:dir { open read write add_name remove_name rmdir relabelfrom };
Allow vold_prepare_subdirs to delete more files. Bug: 78591623 Test: Create a new user with a fingerprint. Reboot. Delete that user. Check for denials, files left over in /data/*_{c,d}e/10 Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 22:41:13 +02:00
allow vold_prepare_subdirs {
Refactor apex data file types. We ended up with 4 labels for specific APEX files that were all identical; I've replaced them with a single one (apex_system_server_data_file). Additionally I created an attribute to be applied to a "standard" APEX module data file type that establishes the basics (it can be managed by vold_prepare_subdirs and apexd), to make it easier to add new such types - which I'm about to do. Fix: 189415223 Test: Presubmits Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
2021-07-12 15:21:48 +02:00
apex_data_file_type
Add type for APEX data directories. This adds a new apex_module_data_file type for the APEX data directories under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata. Permission is given for vold to identify which APEXes are present and create the corresponding directories under apexdata in the ce/de user directories. See go/apex-data-directories. Bug: 141148175 Test: Built & flashed, checked directories were created. Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-11-19 19:10:16 +01:00
apex_module_data_file
Add type for directories containing snapshots of apex data. This adds a new apex_rollback_data_file type for the snapshots (backups) of APEX data directories that can be restored in the event of a rollback. Permission is given for apexd to create files and dirs in those directories and for vold_prepare_subdirs to create the directories. See go/apex-data-directories for details. Bug: 141148175 Test: Built and flashed, checked directory was created with the correct type. Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-02 19:29:48 +01:00
apex_rollback_data_file
Add rules for multi-user backup/restore The backup system service will move its storage location to per-user CE directories to support multiple users. Add additional iterations on the existing rules to support the new location. /data/backup -> /data/system_ce/[user id]/backup Previously covered by rule backup_data_file /cache/backup -> /data/system_ce/[user id]/backup_stage Previously covered by rule cache_backup_file Also add support for vold to create and perform restorecon on the new locations. Example denials and detailed proposal in the doc on the linked bug. Bug: 121197420 Test: 1) Boot device; check dirs created with correct label; run backup successfully on system user 2) Create secondary user; check dirs created with correct label; run backup successfully Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
2019-01-15 22:20:13 +01:00
backup_data_file
Add context for checkin directory Checkin apps use /data/misc_ce/<id>/checkin to backup the checkin metadata. So users won't lose the checkin tokens when they clear the app's storage. One example is when GMScore is used for checkin, users may clear GMScore data via "settings". If the device accidentally loses the token without backup, it won't be able to checkin again until factory reset. The contents in checkin dir will be cleaned up when a user is removed from the device. We also plan to add Gmscore test to ensure the dir is cleaned up at checkin time, thus prevent other Gmscore modules from using this storage by mistake. Bug: 197636740 Test: boot device, check selinux label, check gmscore writes to the new dir Change-Id: If3ff5e0fb75b4d49ce80d91b0086b58db002e4fb
2021-10-06 07:13:20 +02:00
checkin_data_file
Add placeholder iris and face policy for vold data directory This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause the same issue. Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
2018-11-16 00:28:07 +01:00
face_vendor_data_file
Revert "Add placeholder iris and face policy for vold data directory" This reverts commit 92bde4b941b7078a5fdf8aec6660ca44d0ffbb49. Reason for revert: Rebooting after OTA fails due to the filesystem still seeing the old label on the device. Bug: 116528212 Bug: 119747564 Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c Test: rollback change
2018-11-19 19:42:11 +01:00
fingerprint_vendor_data_file
Add placeholder iris and face policy for vold data directory This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause the same issue. Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
2018-11-16 00:28:07 +01:00
iris_vendor_data_file
Add initial sepolicy for app data snapshots. Define a rollback_data_file label and apply it to the snapshots directory. This change contains just enough detail to allow vold_prepare_subdirs to prepare these directories correctly. A follow up change will flesh out the access policy on these directories in more detail. Test: make, manual Bug: 112431924 Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
2019-01-14 16:02:12 +01:00
rollback_data_file
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
Allow vold_prepare_subdirs to delete more files. Bug: 78591623 Test: Create a new user with a fingerprint. Reboot. Delete that user. Check for denials, files left over in /data/*_{c,d}e/10 Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 22:41:13 +02:00
storaged_data_file
Rename SupplementalProcess to SdkSandbox Ignore-AOSP-First: sepolicy is not in aosp, yet Bug: 220320098 Test: presubmit Change-Id: I9fb98e0caee75bdaaa35d11d174004505f236799
2022-02-21 18:55:59 +01:00
sdk_sandbox_data_file
Create a separate label for sandbox root directory Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Ignore-AOSP-First: Test is missing in AOSP. Will cherry-pick to AOSP once merged here. Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
2022-05-11 22:43:54 +02:00
sdk_sandbox_system_data_file
Allow vold to set MLS level on per-user directories. We want to extend vold_prepare_subdirs to set the MLS level to the correct per-user value for selected user-specific directories. Grant vold_prepare_subdirs the access it needs to do this, and allow vold to access the temporary property controlling this. Bug: 141677108 Test: Manual, with and without property set. Change-Id: I572462cfd9b8869381f2af5faa29165bb8373d4b
2020-02-11 15:43:05 +01:00
system_data_file
Allow vold_prepare_subdirs to delete more files. Bug: 78591623 Test: Create a new user with a fingerprint. Reboot. Delete that user. Check for denials, files left over in /data/*_{c,d}e/10 Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 22:41:13 +02:00
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
Refactor apex data file types. We ended up with 4 labels for specific APEX files that were all identical; I've replaced them with a single one (apex_system_server_data_file). Additionally I created an attribute to be applied to a "standard" APEX module data file type that establishes the basics (it can be managed by vold_prepare_subdirs and apexd), to make it easier to add new such types - which I'm about to do. Fix: 189415223 Test: Presubmits Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
2021-07-12 15:21:48 +02:00
apex_data_file_type
Permissions for odrefresh and /data/misc/apexdata/com.android.art odrefresh is the process responsible for checking and creating ART compilation artifacts that live in the ART APEX data directory (/data/misc/apexdata/com.android.art). There are two types of change here: 1) enabling odrefresh to run dex2oat and write updated boot class path and system server AOT artifacts into the ART APEX data directory. 2) enabling the zygote and assorted diagnostic tools to use the updated AOT artifacts. odrefresh uses two file contexts: apex_art_data_file and apex_art_staging_data_file. When odrefresh invokes dex2oat, the generated files have the apex_art_staging_data_file label (which allows writing). odrefresh then moves these files from the staging area to their installation area and gives them the apex_art_data_file label. Bug: 160683548 Test: adb root && adb shell /apex/com.android.art/bin/odrefresh Change-Id: I9fa290e0c9c1b7b82be4dacb9f2f8cb8c11e4895
2020-10-16 16:29:55 +02:00
apex_art_staging_data_file
Add type for APEX data directories. This adds a new apex_module_data_file type for the APEX data directories under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata. Permission is given for vold to identify which APEXes are present and create the corresponding directories under apexdata in the ce/de user directories. See go/apex-data-directories. Bug: 141148175 Test: Built & flashed, checked directories were created. Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-11-19 19:10:16 +01:00
apex_module_data_file
Add type for directories containing snapshots of apex data. This adds a new apex_rollback_data_file type for the snapshots (backups) of APEX data directories that can be restored in the event of a rollback. Permission is given for apexd to create files and dirs in those directories and for vold_prepare_subdirs to create the directories. See go/apex-data-directories for details. Bug: 141148175 Test: Built and flashed, checked directory was created with the correct type. Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-02 19:29:48 +01:00
apex_rollback_data_file
Add rules for multi-user backup/restore The backup system service will move its storage location to per-user CE directories to support multiple users. Add additional iterations on the existing rules to support the new location. /data/backup -> /data/system_ce/[user id]/backup Previously covered by rule backup_data_file /cache/backup -> /data/system_ce/[user id]/backup_stage Previously covered by rule cache_backup_file Also add support for vold to create and perform restorecon on the new locations. Example denials and detailed proposal in the doc on the linked bug. Bug: 121197420 Test: 1) Boot device; check dirs created with correct label; run backup successfully on system user 2) Create secondary user; check dirs created with correct label; run backup successfully Change-Id: I47faa69cd2a6ac55fb762edbf366a86d3b06ca77
2019-01-15 22:20:13 +01:00
backup_data_file
Add context for checkin directory Checkin apps use /data/misc_ce/<id>/checkin to backup the checkin metadata. So users won't lose the checkin tokens when they clear the app's storage. One example is when GMScore is used for checkin, users may clear GMScore data via "settings". If the device accidentally loses the token without backup, it won't be able to checkin again until factory reset. The contents in checkin dir will be cleaned up when a user is removed from the device. We also plan to add Gmscore test to ensure the dir is cleaned up at checkin time, thus prevent other Gmscore modules from using this storage by mistake. Bug: 197636740 Test: boot device, check selinux label, check gmscore writes to the new dir Change-Id: If3ff5e0fb75b4d49ce80d91b0086b58db002e4fb
2021-10-06 07:13:20 +02:00
checkin_data_file
Add placeholder iris and face policy for vold data directory This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause the same issue. Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
2018-11-16 00:28:07 +01:00
face_vendor_data_file
Revert "Add placeholder iris and face policy for vold data directory" This reverts commit 92bde4b941b7078a5fdf8aec6660ca44d0ffbb49. Reason for revert: Rebooting after OTA fails due to the filesystem still seeing the old label on the device. Bug: 116528212 Bug: 119747564 Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c Test: rollback change
2018-11-19 19:42:11 +01:00
fingerprint_vendor_data_file
Add placeholder iris and face policy for vold data directory This is PS1 of aosp/828283 which was reverted. Using PS1 shouldn't cause the same issue. Test: vold is able to create directories, ag/5534962 Bug: 116528212 Change-Id: I84aca49a8dae0a087498120780dea0962aca04b3
2018-11-16 00:28:07 +01:00
iris_vendor_data_file
Add initial sepolicy for app data snapshots. Define a rollback_data_file label and apply it to the snapshots directory. This change contains just enough detail to allow vold_prepare_subdirs to prepare these directories correctly. A follow up change will flesh out the access policy on these directories in more detail. Test: make, manual Bug: 112431924 Change-Id: I4fa7187d9558697016af4918df6e34aac1957176
2019-01-14 16:02:12 +01:00
rollback_data_file
Allow vold_prepare_subdirs to delete more files. Bug: 78591623 Test: Create a new user with a fingerprint. Reboot. Delete that user. Check for denials, files left over in /data/*_{c,d}e/10 Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 22:41:13 +02:00
storaged_data_file
Rename SupplementalProcess to SdkSandbox Ignore-AOSP-First: sepolicy is not in aosp, yet Bug: 220320098 Test: presubmit Change-Id: I9fb98e0caee75bdaaa35d11d174004505f236799
2022-02-21 18:55:59 +01:00
sdk_sandbox_data_file
Allow vold_prepare_subdirs to delete more files. Bug: 78591623 Test: Create a new user with a fingerprint. Reboot. Delete that user. Check for denials, files left over in /data/*_{c,d}e/10 Merged-In: Ib818e112a98c5b954ee829e93ebd69c3b12940cf Change-Id: Ib818e112a98c5b954ee829e93ebd69c3b12940cf
2018-04-26 22:41:13 +02:00
system_data_file
vold_data_file
}:file { getattr unlink };
Add type for APEX data directories. This adds a new apex_module_data_file type for the APEX data directories under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata. Permission is given for vold to identify which APEXes are present and create the corresponding directories under apexdata in the ce/de user directories. See go/apex-data-directories. Bug: 141148175 Test: Built & flashed, checked directories were created. Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-11-19 19:10:16 +01:00
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
Allow vold to set MLS level on per-user directories. We want to extend vold_prepare_subdirs to set the MLS level to the correct per-user value for selected user-specific directories. Grant vold_prepare_subdirs the access it needs to do this, and allow vold to access the temporary property controlling this. Bug: 141677108 Test: Manual, with and without property set. Change-Id: I572462cfd9b8869381f2af5faa29165bb8373d4b
2020-02-11 15:43:05 +01:00
allow vold_prepare_subdirs mnt_expand_file:dir search;
Split user_profile_data_file label. user_profile_data_file is mlstrustedobject. And it needs to be, because we want untrusted apps to be able to write to their profile files, but they do not have levels. But now we want to apply levels in the parent directories that have the same label, and we want them to work so they need to not be MLS-exempt. To resolve that we introduce a new label, user_profile_root_file, which is applied to those directories (but no files). We grant mostly the same access to the new label as directories with the existing label. Apart from appdomain, almost every domain which accesses user_profile_data_file, and now user_profile_root_file, is already mlstrustedsubject and so can't be affected by this change. The exception is postinstall_dexopt which we now make mlstrustedobject. Bug: 141677108 Bug: 175311045 Test: Manual: flash with wipe Test: Manual: flash on top of older version Test: Manual: install & uninstall apps Test: Manual: create & remove user Test: Presubmits. Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-04 15:07:52 +01:00
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
Support legacy apexdata labels This partly reverts fa10a14fac28f9c407b4ff800972f9cef75fcf35. There we removed individual labels for various apexdata labels, replacing them with apex_system_server_data_file. Unfortunately that doesn't handle upgrade scenarios well, e.g. when updating system but keeping the old vendor sepolicy. The directories keep their old labels, and vold_prepare_subdirs is unable to relabel them as there is no policy to allow it to. So we bring back the legacy labels, in private not public, and add the rules needed to ensure system_server and vold_prepare_subdirs have the access they need. All the other access needed is obtained via the apex_data_file_type attribute. Bug: 217581286 Test: Reset labels using chcon, reboot, directories are relabeled, no denials Change-Id: If696882450f2634e382f217dab8f9f3882bff03f
2022-02-08 16:44:06 +01:00
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
# Allow vold_prepare_subdirs to create storage area directories on behalf of apps.
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
allow vold_prepare_subdirs {
storage_area_dir
storage_area_app_dir
}:dir {
rw_dir_perms
create
setattr # for chown() and chmod()
rmdir
unlink
relabelfrom # setfilecon
relabelto # setfilecon
};
# The storage area directories should have type storage_area_dir
type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
selinux_check_context(vold_prepare_subdirs)
Modify permissions to move encryption policy assignment to vold_prepare_subdirs We have moved the encryption policy assignment from vold to vold_prepare_subdirs. This CL removes some permissions from vold over storage areas that are no longer needed due to this change, and adds some permissions to vold_prepare_subdirs. Bug: 325129836 Test: atest StorageAreaTest Change-Id: Ief2a8021ed3524018d001e20eae60f712f485d81
2024-05-20 19:59:16 +02:00
allowxperm vold_prepare_subdirs storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
')
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallowxperm vold_prepare_subdirs {
data_file_type
-storage_area_dir
}:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
')
Support legacy apexdata labels This partly reverts fa10a14fac28f9c407b4ff800972f9cef75fcf35. There we removed individual labels for various apexdata labels, replacing them with apex_system_server_data_file. Unfortunately that doesn't handle upgrade scenarios well, e.g. when updating system but keeping the old vendor sepolicy. The directories keep their old labels, and vold_prepare_subdirs is unable to relabel them as there is no policy to allow it to. So we bring back the legacy labels, in private not public, and add the rules needed to ensure system_server and vold_prepare_subdirs have the access they need. All the other access needed is obtained via the apex_data_file_type attribute. Bug: 217581286 Test: Reset labels using chcon, reboot, directories are relabeled, no denials Change-Id: If696882450f2634e382f217dab8f9f3882bff03f
2022-02-08 16:44:06 +01:00
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
allow vold_prepare_subdirs {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
[MS82.3] Add sepolicy to access connectivity apex directory Test: m Bug: 230289468 Change-Id: I7e43c09f929a418c6c7b6bcfc3696a242c19f2d8 Merged-In: I7e43c09f929a418c6c7b6bcfc3696a242c19f2d8 (cherry picked from commit 441c149894e6ddd89dd6318e557c5728c8eebb00)
2022-05-03 15:44:35 +02:00
apex_tethering_data_file
Support legacy apexdata labels This partly reverts fa10a14fac28f9c407b4ff800972f9cef75fcf35. There we removed individual labels for various apexdata labels, replacing them with apex_system_server_data_file. Unfortunately that doesn't handle upgrade scenarios well, e.g. when updating system but keeping the old vendor sepolicy. The directories keep their old labels, and vold_prepare_subdirs is unable to relabel them as there is no policy to allow it to. So we bring back the legacy labels, in private not public, and add the rules needed to ensure system_server and vold_prepare_subdirs have the access they need. All the other access needed is obtained via the apex_data_file_type attribute. Bug: 217581286 Test: Reset labels using chcon, reboot, directories are relabeled, no denials Change-Id: If696882450f2634e382f217dab8f9f3882bff03f
2022-02-08 16:44:06 +01:00
apex_wifi_data_file
}:dir relabelfrom;
Allow vold to set MLS level on per-user directories. We want to extend vold_prepare_subdirs to set the MLS level to the correct per-user value for selected user-specific directories. Grant vold_prepare_subdirs the access it needs to do this, and allow vold to access the temporary property controlling this. Bug: 141677108 Test: Manual, with and without property set. Change-Id: I572462cfd9b8869381f2af5faa29165bb8373d4b
2020-02-11 15:43:05 +01:00
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
Dontaudit unneeded denials. These denials are intermittent and unnecessary. Hide them while we investigate how to properly fix the issue. Bug: 131096543 Bug: 132093726 Test: Build Change-Id: I1950c10a93d183c19c510f869419fcfccd5006d2 (cherry picked from commit 654ceeb93f7d504a2496d2357e7a954a96b8d9df)
2019-05-09 19:43:59 +02:00
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
Reference in a new issue Copy permalink