platform_system_sepolicy/public/uncrypt.te

47 lines
1.3 KiB
Text
Raw Normal View History

# uncrypt
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, system_file_type, exec_type, file_type;
allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
userdebug_or_eng(`
# For debugging, allow /data/local/tmp access
r_dir_file(uncrypt, shell_data_file)
')
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
# Raw writes to block device
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
# Access userdata block device.
uncrypt: fix OTAs uncrypt needs to be able to read OTA files in GMS core's home directory, which is protected with MLS. Mark uncrypt as an mlstrustedsubject so that it can read the files. Addresses the following denial (and probably others): uncrypt : type=1400 audit(0.0:27): avc: denied { getattr } for path="/data/data/com.google.android.gms" dev="mmcblk0p30" ino=81970 scontext=u:r:uncrypt:s0 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir Remove the auditallow line for uncrypt. Per dd053a9b891195439b1c0848cb0e8a6e17b4b9bc, the auditallow line was added to confirm that uncrypt was actually accessing the userdata block device. The access to the userdata block device is definitely occurring, and auditing it doesn't add any value. Remove the auditing. Eliminates the following unnecessary audit lines: avc: granted { write } for pid=2449 comm="uncrypt" name="mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file avc: granted { write open } for pid=2449 comm="uncrypt" path="/dev/block/mmcblk0p31" dev="tmpfs" ino=10404 scontext=u:r:uncrypt:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file Tighten up userdata block access to write-only. uncrypt never reads directly from the block device. Testing: 1) Create the file /cache/recovery/command with a line like: --update_package=/data/data/com.google.android.gms/foo.zip 2) Create the file /data/data/com.google.android.gms/foo.zip (contents not important) 3) Run "setprop ctl.start pre-recovery" Expected: No SELinux denials. Actual: SELinux denials Bug: 18875451 Change-Id: I62c7f06313afb2535b0de8be3c16d9d33879dd5d
2015-01-06 00:03:43 +01:00
allow uncrypt userdata_block_device:blk_file w_file_perms;
r_dir_file(uncrypt, rootfs)
domain_deprecated: remove proc access Remove "granted" logspam. Grante the observed permissions to the individual processes that need them and remove the permission from domain_deprecated. avc: granted { read open } for comm="ndroid.settings" path="/proc/version" dev="proc" ino=4026532081 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm=4173796E635461736B202332 path="/proc/pagetypeinfo" dev="proc" ino=4026532129 scontext=u:r:system_app:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="uncrypt" path="/proc/cmdline" dev="proc" ino=4026532072 scontext=u:r:uncrypt:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="update_engine" path="/proc/sys/kernel/random/boot_id" dev="proc" ino=15852829 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read open } for comm="tiveportallogin" path="/proc/vmstat" dev="proc" ino=4026532130 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file This change is specifically not granting the following since it should not be allowed: avc: granted { read open } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { read } for comm="crash_dump64" name="filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file avc: granted { getattr } for comm="crash_dump64" path="/proc/filesystems" dev="proc" ino=4026532416 scontext=u:r:dex2oat:s0 tcontext=u:object_r:proc:s0 tclass=file Bug: 64032843 Bug: 28760354 Test: build Change-Id: Ib309e97b6229bdf013468dca34f606c0e8da96d0
2017-07-26 01:43:49 +02:00
# Access to bootconfig is needed when calling ReadDefaultFstab.
allow uncrypt {
proc_bootconfig
proc_cmdline
}:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Allow ReadDefaultFstab().
read_fstab(uncrypt)