platform_system_sepolicy/uncrypt.te

33 lines
948 B
Text
Raw Normal View History

# uncrypt
uncrypt: fix OTAs uncrypt needs to be able to read OTA files in GMS core's home directory, which is protected with MLS. Mark uncrypt as an mlstrustedsubject so that it can read the files. Addresses the following denial (and probably others): uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Remove the auditallow line for uncrypt. Per dd053a9b891195439b1c0848cb0e8a6e17b4b9bc, the auditallow line was added to confirm that uncrypt was actually accessing the userdata block device. The access to the userdata block device is definitely occurring, and auditing it doesn't add any value. Remove the auditing. Eliminates the following unnecessary audit lines: avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file Tighten up userdata block access to write-only. uncrypt never reads directly from the block device. Testing: 1) Create the file /cache/recovery/command with a line like: --update_package=/data/data/com.google.android.gms/foo.zip 2) Create the file /data/data/com.google.android.gms/foo.zip (contents not important) 3) Run "setprop ctl.start pre-recovery" Expected: No SELinux denials. Actual: SELinux denials Bug: 18875451 Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d
2015-01-06 00:03:43 +01:00
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
init_daemon_domain(uncrypt)
allow uncrypt self:capability dac_override;
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
r_dir_file(uncrypt, shell_data_file)
')
# Create tmp file /cache/recovery/command.tmp
# Read /cache/recovery/command
# Rename /cache/recovery/command.tmp to /cache/recovery/command
allow uncrypt cache_file:dir rw_dir_perms;
allow uncrypt cache_file:file create_file_perms;
# Set a property to reboot the device.
set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
allow uncrypt block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
uncrypt: fix OTAs uncrypt needs to be able to read OTA files in GMS core's home directory, which is protected with MLS. Mark uncrypt as an mlstrustedsubject so that it can read the files. Addresses the following denial (and probably others): uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Remove the auditallow line for uncrypt. Per dd053a9b891195439b1c0848cb0e8a6e17b4b9bc, the auditallow line was added to confirm that uncrypt was actually accessing the userdata block device. The access to the userdata block device is definitely occurring, and auditing it doesn't add any value. Remove the auditing. Eliminates the following unnecessary audit lines: avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file Tighten up userdata block access to write-only. uncrypt never reads directly from the block device. Testing: 1) Create the file /cache/recovery/command with a line like: --update_package=/data/data/com.google.android.gms/foo.zip 2) Create the file /data/data/com.google.android.gms/foo.zip (contents not important) 3) Run "setprop ctl.start pre-recovery" Expected: No SELinux denials. Actual: SELinux denials Bug: 18875451 Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d
2015-01-06 00:03:43 +01:00
allow uncrypt userdata_block_device:blk_file w_file_perms;