platform_system_sepolicy/private/postinstall.te

typeattribute postinstall coredomain;
type postinstall_exec, system_file_type, exec_type, file_type;
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)

allow postinstall rootfs:dir r_dir_perms;

# Allow invoking `pm` shell commands.
allow postinstall package_service:service_manager find;

# Allow postinstall to write to its stdout/stderr when redirected via pipes to
# update_engine.
allow postinstall update_engine_common:fd use;
allow postinstall update_engine_common:fifo_file rw_file_perms;

# Allow postinstall to read and execute directories and files in the same
# mounted location.
allow postinstall postinstall_file:file rx_file_perms;
allow postinstall postinstall_file:lnk_file r_file_perms;
allow postinstall postinstall_file:dir r_dir_perms;

# Allow postinstall to execute the shell or other system executables.
allow postinstall shell_exec:file rx_file_perms;
allow postinstall system_file:file rx_file_perms;
allow postinstall toolbox_exec:file rx_file_perms;

# Allow postinstall to execute shell in recovery.
recovery_only(`
  allow postinstall rootfs:file rx_file_perms;
')

#
# For OTA dexopt.
#

# Allow postinstall scripts to talk to the system server.
binder_use(postinstall)
binder_call(postinstall, system_server)

# Need to talk to the otadexopt service.
allow postinstall otadexopt_service:service_manager find;

# Allow postinstall scripts to trigger f2fs garbage collection
allow postinstall sysfs_fs_f2fs:file rw_file_perms;
allow postinstall sysfs_fs_f2fs:dir r_dir_perms;

###
### Neverallow rules
###

# No domain other than update_engine and recovery (via update_engine_sideload)
# should transition to postinstall, as it is only meant to run during the
# update.
neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute postinstall coredomain;`
Use postinstall file_contexts Previously we would mount OTA images with a 'context=...' mount option. This meant that all selinux contexts were ignored in the ota image, limiting the usefulness of selinux in this situation. To fix this the mount has been changed to not overwrite the declared contexts and the policies have been updated to accurately describe the actions being performed by an OTA. Bug: 181182967 Test: Manual OTA of blueline Merged-In: I5eb53625202479ea7e75c27273531257d041e69d Change-Id: I5eb53625202479ea7e75c27273531257d041e69d 2021-03-11 20:26:08 +01:00			`type postinstall_exec, system_file_type, exec_type, file_type;`
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)`
Use postinstall file_contexts Previously we would mount OTA images with a 'context=...' mount option. This meant that all selinux contexts were ignored in the ota image, limiting the usefulness of selinux in this situation. To fix this the mount has been changed to not overwrite the declared contexts and the policies have been updated to accurately describe the actions being performed by an OTA. Bug: 181182967 Test: Manual OTA of blueline Merged-In: I5eb53625202479ea7e75c27273531257d041e69d Change-Id: I5eb53625202479ea7e75c27273531257d041e69d 2021-03-11 20:26:08 +01:00
			`allow postinstall rootfs:dir r_dir_perms;`
Allow postinstall script to invoke `pm` shell commands. Bug: 311377497 Change-Id: I46653dcbbe1d1b87b3d370bee80aae2d60998fbe Test: manual - Install an OTA package and see the hook called. 2024-03-01 00:12:32 +01:00
			# Allow invoking `pm` shell commands.
			`allow postinstall package_service:service_manager find;`
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged \| grep "^-" \| cut -b2- \| sort) \ <(git diff --staged \| grep "^+" \| cut -b2- \| sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12 2024-03-27 09:18:41 +01:00
			`# Allow postinstall to write to its stdout/stderr when redirected via pipes to`
			`# update_engine.`
			`allow postinstall update_engine_common:fd use;`
			`allow postinstall update_engine_common:fifo_file rw_file_perms;`

			`# Allow postinstall to read and execute directories and files in the same`
			`# mounted location.`
			`allow postinstall postinstall_file:file rx_file_perms;`
			`allow postinstall postinstall_file:lnk_file r_file_perms;`
			`allow postinstall postinstall_file:dir r_dir_perms;`

			`# Allow postinstall to execute the shell or other system executables.`
			`allow postinstall shell_exec:file rx_file_perms;`
			`allow postinstall system_file:file rx_file_perms;`
			`allow postinstall toolbox_exec:file rx_file_perms;`

			`# Allow postinstall to execute shell in recovery.`
			recovery_only(`
			`allow postinstall rootfs:file rx_file_perms;`
			`')`

			`#`
			`# For OTA dexopt.`
			`#`

			`# Allow postinstall scripts to talk to the system server.`
			`binder_use(postinstall)`
			`binder_call(postinstall, system_server)`

			`# Need to talk to the otadexopt service.`
			`allow postinstall otadexopt_service:service_manager find;`

			`# Allow postinstall scripts to trigger f2fs garbage collection`
			`allow postinstall sysfs_fs_f2fs:file rw_file_perms;`
			`allow postinstall sysfs_fs_f2fs:dir r_dir_perms;`

			`###`
			`### Neverallow rules`
			`###`

			`# No domain other than update_engine and recovery (via update_engine_sideload)`
			`# should transition to postinstall, as it is only meant to run during the`
			`# update.`
			`neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };`