tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/apexd.te

228 lines
9 KiB
Text
Raw Normal View History

Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
typeattribute apexd coredomain;
init_daemon_domain(apexd)
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
binder_use(apexd)
add_service(apexd, apex_service)
Allow apexd to also create dirs/files in its storage. Bug: 118865310 Test: no denials when running ApexServiceTest#SubmitSessionTestSuccess Change-Id: I9a309fca99c23ca7db4af58db782a2bd6a83d829
2019-01-14 09:10:24 +01:00
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
Allow apexd to relabel files in /data/apex/decompressed We have created a new directory called /data/apex/decompressed. All files under this directory will have staging_data_file label, but the directory itself needs to have apex_data_file label. This is because apexd needs to write inside this directory and we don't want to give apexd write access to staging_data_file label. When a file is written under this directory, it gets its parent's label. So we need to restore the proper labeling. Hence, we are allowing apexd labeling permissions. Bug: 172911820 Test: atest ApexCompressionTests#testCompressedApexIsActivated Change-Id: I0a910fa5591b2aace70804701545eb4ac510ec24
2021-01-22 22:04:10 +01:00
# Allow relabeling file created in /data/apex/decompressed
allow apexd apex_data_file:file relabelfrom;
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
Add policy for /metadata/apex. This is an area that apexd can use to store session metadata, which won't be rolled back with filesystem checkpointing. Bug: 126740531 Test: builds Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
2019-03-12 16:37:13 +01:00
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
Relocate permission to reserve file from update_engine to apexd Now that we have proper API using which update_engine can ask apexd to reserve space, we no longer need to allow update_engine access to directories at /data/apex. Instead, apexd should get those permission. Bug: 172911822 Test: atest ApexHandlerAndroidTest Change-Id: I3a575eead0ac2fef69e275077e5862e721dc0fbf
2021-03-04 13:21:43 +01:00
# Allow reserving space on /data/apex/ota_reserved for apex decompression
allow apexd apex_ota_reserved_file:dir create_dir_perms;
allow apexd apex_ota_reserved_file:file create_file_perms;
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
# Allow apexd to create files and directories for snapshots of apex data
Refactor apex data file types. We ended up with 4 labels for specific APEX files that were all identical; I've replaced them with a single one (apex_system_server_data_file). Additionally I created an attribute to be applied to a "standard" APEX module data file type that establishes the basics (it can be managed by vold_prepare_subdirs and apexd), to make it easier to add new such types - which I'm about to do. Fix: 189415223 Test: Presubmits Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
2021-07-12 15:21:48 +02:00
allow apexd apex_data_file_type:dir { create_dir_perms relabelto };
allow apexd apex_data_file_type:file { create_file_perms relabelto };
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
Add type for directories containing snapshots of apex data. This adds a new apex_rollback_data_file type for the snapshots (backups) of APEX data directories that can be restored in the event of a rollback. Permission is given for apexd to create files and dirs in those directories and for vold_prepare_subdirs to create the directories. See go/apex-data-directories for details. Bug: 141148175 Test: Built and flashed, checked directory was created with the correct type. Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-02 19:29:48 +01:00
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
Restrict creating per-user encrypted directories Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
# Allow apexd to read /data/misc_de and the directories under it, in order to
# snapshot and restore apex data for all users.
allow apexd {
system_userdir_file
system_data_file
}:dir r_dir_perms;
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
# allow apexd to create loop devices with /dev/loop-control
allow apexd loop_control_device:chr_file rw_file_perms;
# allow apexd to access loop devices
allow apexd loop_device:blk_file rw_file_perms;
Allow apexd more ioctl cmds for loop devices apexd is using following additional ioctl cmds to mount the mini filesystem inside APEXs: LOOP_SET_STATUS64 LOOP_SET_FD LOOP_SET_BLOCK_SIZE LOOP_SET_DIRECT_IO LOOP_CLR_FD Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot /apex/com.android.example.apex exists Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
2018-10-26 14:32:44 +02:00
allowxperm apexd loop_device:blk_file ioctl {
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
Allow apexd to flush block devices. To work around a kernel bug where pages that are read before changing the loop device offset are not invalidated correctly. Bug: 120853401 Test: apexd mounts APEX files on gphone_sdk_x86_64 Change-Id: I89f23f8f9d472e599f053553b73cc0618dcb3747
2018-12-14 10:33:01 +01:00
BLKFLSBUF
Add policy for LOOP_CONFIGURE ioctl. This is a new ioctl for configuring loop devices, and is used by apexd. Bug: 148607611 Bug: 161575393 Test: boot on device with/without LOOP_CONFIGURE Change-Id: I9ef940c7c9f91eb32a01e68b858169c140d15d0f Merged-In: I9ef940c7c9f91eb32a01e68b858169c140d15d0f
2020-08-04 12:09:38 +02:00
LOOP_CONFIGURE
Allow apexd more ioctl cmds for loop devices apexd is using following additional ioctl cmds to mount the mini filesystem inside APEXs: LOOP_SET_STATUS64 LOOP_SET_FD LOOP_SET_BLOCK_SIZE LOOP_SET_DIRECT_IO LOOP_CLR_FD Test: m; m apex.test; adb push <the_built_apex> /data/apex; adb reboot /apex/com.android.example.apex exists Change-Id: I68388cc4f323e4fcff370c8cdc0958cbd827e9cc
2018-10-26 14:32:44 +02:00
};
Allow the init and apexd processes to read all block device properties Addressing b/194450129 requires configuring the I/O scheduler and the queue depth of loop devices. Doing this in a generic way requires iterating over the block devices under /sys/class/block and also to examine the properties of the boot device (/dev/sda). Hence this patch that allows 'init' and 'apexd' to read the properties of all block devices. The patch that configures the queue depth is available at https://android-review.googlesource.com/c/platform/system/core/+/1783847. Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints. Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-06 19:50:25 +02:00
# Allow apexd to access /dev/block
Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these attributes since these will be removed soon. Bug: 202520796 Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd Change-Id: I61dffb482f4e952299156f34be642ae52fcbfeb3 Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-08 18:30:03 +02:00
allow apexd dev_type:dir r_dir_perms;
allow apexd dev_type:blk_file getattr;
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
Allow apexd to access a new dev_type: virtual disk In microdroid, apexd activates apexes which are passed as a virtual disk to share apexes with host Android. Bug: 184605708 Test: apexd running in microdroid can read /dev/block/vdb2 when a disk image is passed to crosvm via --disk= option. Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
2021-04-12 14:44:43 +02:00
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
allow apexd dm_device:blk_file rw_file_perms;
# sys_admin is required to access the device-mapper and mount
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
# dac_override, chown, and fowner are needed for snapshot and restore
Add dac_read_search to apexd to prevent spurious denials. As apexd now has dac_override, it should also have dac_read_search to avoid spurious denials. Bug: 141148175 Test: Build, run apex installation, check denials. Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
2020-01-30 19:43:38 +01:00
allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for apexd to operate.
dontaudit apexd self:global_capability_class_set fsetid;
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
# allow apexd to create a mount point in /apex
allow apexd apex_mnt_dir:dir create_dir_perms;
# allow apexd to mount in /apex
allow apexd apex_mnt_dir:filesystem { mount unmount };
allow apexd apex_mnt_dir:dir mounton;
Allow apexd to create symlink in /apex. Bug: 115710947 Test: on device Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-16 09:02:49 +02:00
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
Introduce apex_info_file type /apex/apex-info-file.xml is labeled as apex_info_file. It is created/written by apexd once by apexd, and can be read by zygote and system_server. The content of the file is essentially the same as the return value of getAllPackages() call to apexd. Bug: 154823184 Test: m Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2 (cherry picked from commit f1de4c02cc3da98d052ca81e48e7d4682eea6088) Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
2020-05-11 13:49:07 +02:00
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
allow apexd to mount apex-info-list.xml file apexd runs in two separate mount namespaces: bootstrap & default. To support separate apex-info-list.xml for each mount namespaces, apexd needs to emit separate .xml file according to the mount namespace and then bind-mount it to apex-info-list.xml file. Bug: 158964569 Test: m & boot nsenter -m/proc/1/ns/mnt -- ls -lZ /apex/apex-info-list.xml nsenter -m/proc/2/ns/mnt -- ls -lZ /apex/apex-info-list.xml => shows the label apex_info_file correctly Change-Id: I25c7445da570755ec489edee38b0c6af5685724b
2020-07-02 15:22:05 +02:00
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
Introduce apex_info_file type /apex/apex-info-file.xml is labeled as apex_info_file. It is created/written by apexd once by apexd, and can be read by zygote and system_server. The content of the file is essentially the same as the return value of getAllPackages() call to apexd. Bug: 154823184 Test: m Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2 (cherry picked from commit f1de4c02cc3da98d052ca81e48e7d4682eea6088) Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
2020-05-11 13:49:07 +02:00
allow apexd apex_info_file:file relabelto;
Allow apexd to write to /apex/apex-info-list.xml After non-staged install apexd needs to be update apex-info-list.xml. Test: m Bug: 187864524 Bug: 188713178 Change-Id: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6 Merged-In: I78e182c70b5c34b8a763ed41ddd8130fa3e787a6 (cherry picked from commit 894657bea355f85619ce58434b78e17ed288408b)
2021-06-04 19:39:32 +02:00
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file rw_file_perms;
apexd: allow apexd to unlink staging_data_file files In order to support rollback for apex files, apexd will need to unlink previously active apex files in /data/apex/active folder. Those files are hardlinked from /data/staging/session_XXXX which means that they have staging_data_file:file SELinux fields. I double checked that this change won't allow apexd to unlink files in /data/staging/session_XXXX folders, because it will lack write access, logcat contains following entries: avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0 Bug: 122339211 Test: verified that apexd can't unlink files in /data/staging/session_XXXX Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 23:47:57 +01:00
# allow apexd to unlink apex files in /data/apex/active
Rename data/pkg_staging to data/app-staging Test: n/a Bug: 126330086 Change-Id: I34d5085d8e6546d77cc854e27ca849462d482396 Merged-In: I34d5085d8e6546d77cc854e27ca849462d482396
2019-02-27 12:21:20 +01:00
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
apexd: allow apexd to unlink staging_data_file files In order to support rollback for apex files, apexd will need to unlink previously active apex files in /data/apex/active folder. Those files are hardlinked from /data/staging/session_XXXX which means that they have staging_data_file:file SELinux fields. I double checked that this change won't allow apexd to unlink files in /data/staging/session_XXXX folders, because it will lack write access, logcat contains following entries: avc: denied { write } for name="session_305119585" dev="sda13" ino=5496838 scontext=u:r:apexd:s0 tcontext=u:object_r:staging_data_file:s0 tclass=dir permissive=0 Bug: 122339211 Test: verified that apexd can't unlink files in /data/staging/session_XXXX Change-Id: Iddef724c3d73269c97d9fa12a05a276fad189ea9
2019-02-05 23:47:57 +01:00
# because it doesn't have write permission for staging_data_file object.
allow apexd staging_data_file:file unlink;
Allow apexd to create symlink in /apex. Bug: 115710947 Test: on device Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-16 09:02:49 +02:00
Rename data/pkg_staging to data/app-staging Test: n/a Bug: 126330086 Change-Id: I34d5085d8e6546d77cc854e27ca849462d482396 Merged-In: I34d5085d8e6546d77cc854e27ca849462d482396
2019-02-27 12:21:20 +01:00
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
Allow apexd to relabel files in /data/apex/decompressed We have created a new directory called /data/apex/decompressed. All files under this directory will have staging_data_file label, but the directory itself needs to have apex_data_file label. This is because apexd needs to write inside this directory and we don't want to give apexd write access to staging_data_file label. When a file is written under this directory, it gets its parent's label. So we need to restore the proper labeling. Hence, we are allowing apexd labeling permissions. Bug: 172911820 Test: atest ApexCompressionTests#testCompressedApexIsActivated Change-Id: I0a910fa5591b2aace70804701545eb4ac510ec24
2021-01-22 22:04:10 +01:00
# # Allow relabeling file created in /data/apex/decompressed
allow apexd staging_data_file:file relabelto;
SEPolicy for Staged Installs. Test: basic workflow between apexd and PackageManager tested with changes being developed. Bug: 118865310 Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
2019-01-02 15:20:52 +01:00
Adding vendor_apex_file for /vendor/apex apexd needs to read /vendor/apex dir and files in it. Bug: 131190070 Bug: 123378252 Test: 1. Add apex to /vendor/apex -> see if boot succeeds with new policy 2. Add flattened apex to /vendor/apex -> see if only root files are labelled as vendor_apex_file Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
2019-04-24 03:45:40 +02:00
# allow apexd to read files from /vendor/apex
Introduce vendor_apex_metadata_file A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
2023-05-31 10:51:14 +02:00
r_dir_file(apexd, vendor_apex_file)
r_dir_file(apexd, vendor_apex_metadata_file)
Adding vendor_apex_file for /vendor/apex apexd needs to read /vendor/apex dir and files in it. Bug: 131190070 Bug: 123378252 Test: 1. Add apex to /vendor/apex -> see if boot succeeds with new policy 2. Add flattened apex to /vendor/apex -> see if only root files are labelled as vendor_apex_file Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
2019-04-24 03:45:40 +02:00
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
apexd: permission to traverse /sys directory tree. Different devices can have /sys/* labeled differently. This allows apexd, to traverse /sys directory tree agnostic of device-specific labeling. Bug: 122876102 Test: m selinux_policy Change-Id: I08f2eb2242913e3a7d532d36a452cf111fd4e4c4
2019-02-01 03:17:15 +01:00
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these attributes since these will be removed soon. Bug: 202520796 Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd Change-Id: I61dffb482f4e952299156f34be642ae52fcbfeb3 Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-08 18:30:03 +02:00
# Access to /sys/class/block
allow apexd sysfs_type:dir r_dir_perms;
allow apexd sysfs_type:file r_file_perms;
Allow apexd to write to sysfs loop device parameters. To configure read-ahead on loop devices, eg. /sys/devices/virtual/block/loop0/queue/read_ahead_kb Bug: 120776455 Test: configuring read-ahead on loop devices works from apexd Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
2018-12-18 15:38:59 +01:00
# Configure read-ahead of dm-verity and loop devices
# for dm-X
Allow apexd to configure /sys/block/dm- To configure readahead for APEX dm-verity devices. Bug: 117823094 Test: apexd can change readahead Change-Id: Ie0396d59ef758ad55f499f65957697d26a48aae9
2018-11-08 12:57:12 +01:00
allow apexd sysfs_dm:dir r_dir_perms;
allow apexd sysfs_dm:file rw_file_perms;
Allow apexd to write to sysfs loop device parameters. To configure read-ahead on loop devices, eg. /sys/devices/virtual/block/loop0/queue/read_ahead_kb Bug: 120776455 Test: configuring read-ahead on loop devices works from apexd Change-Id: Ib25372358e8ca62fa634daf286e4b64e635fac58
2018-12-18 15:38:59 +01:00
# for loopX
allow apexd sysfs_loop:dir r_dir_perms;
allow apexd sysfs_loop:file rw_file_perms;
Allow apexd to configure /sys/block/dm- To configure readahead for APEX dm-verity devices. Bug: 117823094 Test: apexd can change readahead Change-Id: Ie0396d59ef758ad55f499f65957697d26a48aae9
2018-11-08 12:57:12 +01:00
Sepolicy: Allow apexd to log to kmsg Allow apexd to log to the kernel log. This aids in low-level diagnostics, when adb is not available. Test: m Change-Id: Ib8f286bd917b34f5e8992b37ab230313a4820bf9
2019-01-23 21:44:24 +01:00
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
Sepolicy: Add base runtime APEX preinstall policies Add art_apex_preinstall domain that is allowed to create AoT artifacts in /data/ota. Bug: 125474642 Test: m Change-Id: Ia091d8df34c4be4f84c2052d3c333a0e36bcb036
2019-02-08 01:26:00 +01:00
# Allow apexd to reboot device. Required for rollbacks of apexes that are
# not covered by rollback manager.
set_prop(apexd, powerctl_prop)
Allow apexd to stop itself apexd stops itself when it finds that it is running on a device with flattened APEXes (i.e. ro.apex.updatable = false). Bug: 133907211 Test: launch sdk_phone_x86_64 adb logcat -d | grep apexd | wc -l returns 3 Change-Id: I7fa161b069aa34adb028194b55f367fe740a0cfc
2019-06-13 02:45:05 +02:00
# Allow apexd to stop itself
set_prop(apexd, ctl_apexd_prop)
Added properties for rebootless apex install When apexd installs an apex without reboot, init also need to do some work around the installation (e.g. terminating services from the apex and remove data read from the apex and updating linker configuration etc) Apexd sets control properties to unload and load apex and init notifies the completion with state properties. These new properties are supposed to be used by apexd/init interaction. Bug: 232114573 Bug: 232173613 Test: CtsStagedInstallHostTestCases Test: CtsInitTestCases Change-Id: I5af6b36310f3c81f1cd55537473e54756541d347
2022-07-07 08:42:39 +02:00
# Allow apexd to send control messages to load/unload apex from init
set_prop(apexd, ctl_apex_load_prop)
Allow apexd to talk to vold. To query filesystem checkpointing state. Bug: 126740531 Test: no denials Change-Id: I28a68b9899d7cb42d7e557fb904a2bf8fa4ecf66
2019-03-12 13:31:15 +01:00
# Find the vold service, and call into vold to manage FS checkpoints
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
Allow bootstrap bionic only to init, ueventd, and apexd The bootstrap bionic (/system/lib/bootstrap/*) are only to the early processes that are executed before the bionic libraries become available via the runtime APEX. Allowing them to other processes is not needed and sometimes causes a problem like b/123183824. Bug: 123183824 Test: device boots to the UI Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
2019-03-14 18:45:33 +01:00
# apexd is using bootstrap bionic
Add use_bionic_libs macro ... to dedupe rules for allowing access to bootstrap bionic libraries. Bug: N/A Test: m Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4
2022-01-23 15:55:41 +01:00
use_bootstrap_libs(apexd)
Allow bootstrap bionic only to init, ueventd, and apexd The bootstrap bionic (/system/lib/bootstrap/*) are only to the early processes that are executed before the bionic libraries become available via the runtime APEX. Allowing them to other processes is not needed and sometimes causes a problem like b/123183824. Bug: 123183824 Test: device boots to the UI Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
2019-03-14 18:45:33 +01:00
Allow apexd to be fork_execvp'ed from init during userspace reboot Test: builds Test: adb reboot userspace Bug: 135984674 Change-Id: I089078232c40d533b712736b83a5ed757dde689e
2019-11-14 15:28:43 +01:00
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
Add sepolicy rules to allow apexd to perform snapshot and restore. This adds rules required for apexd to perform snapshot and restore of the new apex data directories. See go/apex-data-directories for more information on the feature. See the chain of CLs up to ag/10169468 for the implementation of snapshot and restore. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeUser Test: atest StagedRollbackTest#testRollbackApexDataDirectories_Ce Change-Id: I1756bbc1d80cad7cf9c2cebcee9bee6bc261728c
2020-01-24 18:20:19 +01:00
# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
# other processes
create_pty(apexd)
# Allow apexd to read file contexts when performing restorecon of snapshots.
allow apexd file_contexts_file:file r_file_perms;
Allow apexd to execute toybox for snapshot & restore. This allows apexd to execute "cp" to perform snapshot and restore operations. Other rules for this were added in aosp/1217340, but this one was missed. Bug: 141148175 Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
2020-01-30 17:46:40 +01:00
# Allow apexd to execute toybox for snapshot & restore
allow apexd toolbox_exec:file rx_file_perms;
Allow apexd to call f2fs-compression related ioctls on staging_data_file apexd needs to call the following two ioctls: * FS_COMPR_FL - to check if fs supports compression. * F2FS_IOC_RELEASE_COMPRESS_BLOCKS - to release compressed blocks. Bug: 188859167 Test: m Change-Id: Ia105d3dbcd64286cc33d1e996b2d2b85c09eae7a Merged-In: Ia105d3dbcd64286cc33d1e996b2d2b85c09eae7a (cherry picked from commit a12ba8a439a722735be0ff7d887188185d7640ea)
2021-06-08 16:11:57 +02:00
# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
allowxperm apexd staging_data_file:file ioctl {
FS_IOC_GETFLAGS
F2FS_IOC_RELEASE_COMPRESS_BLOCKS
};
Allow apexd to read ro.cold_boot_done prop Test: presubmit Bug: 169092045 Change-Id: Iae8d7ae80cba3bdda1ff113b623862a03d05f515
2020-10-02 19:06:37 +02:00
# Allow apexd to read ro.cold_boot_done prop.
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
get_prop(apexd, cold_boot_done_prop)
Add apexd_config_prop type This type is used for properties that provides per-device configuration for apexd behaviour (so far - timeouts for creating/deleting dm device). Test: builds Bug: 182296338 Change-Id: Ib815f081d3ab94aa8c941ac68b57ebe661acedb9
2021-03-13 02:35:51 +01:00
# Allow apexd to read per-device configuration properties.
get_prop(apexd, apexd_config_prop)
Revert "Revert "Adds a new prop context for choosing between mul..." Revert "Revert "Adds multi_install_skip_symbol_files field (defa..." Revert submission 1893459-revert-1869814-vapex-multi-config-VKODFOVCWY Reason for revert: Fix-forward in https://r.android.com/1894088 Reverted Changes: I087bfe0dc:Revert "Adds a new prop context for choosing betwe... I27a498506:Revert "Load persist props before starting apexd."... Ib5344edc0:Revert "Allow users to choose between multi-instal... If09bf590e:Revert "Adds multi_install_skip_symbol_files field... I905dac14c:Revert "Demonstrate multi-installed APEXes." Change-Id: I03fb124d4e7044f236539a132816fd96cb814775
2021-11-16 21:28:29 +01:00
# Allow apexd to read apex selection properties.
# These are used to choose between multi-installed APEXes at activation time.
get_prop(apexd, apexd_select_prop)
Add apexd_payload_metadata_prop This should be read-only and corresponds to apexd.payload_metadata.path Bug: 191097666 Test: android-sh -c 'setprop apexd.payload_metadata.path' See permission denied atest MicrodroidHostTestCases Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-11-08 21:09:54 +01:00
#
# Allow apexd to read apexd_payload_metadata_prop
get_prop(apexd, apexd_payload_metadata_prop)
Revert "Revert "Adds a new prop context for choosing between mul..." Revert "Revert "Adds multi_install_skip_symbol_files field (defa..." Revert submission 1893459-revert-1869814-vapex-multi-config-VKODFOVCWY Reason for revert: Fix-forward in https://r.android.com/1894088 Reverted Changes: I087bfe0dc:Revert "Adds a new prop context for choosing betwe... I27a498506:Revert "Load persist props before starting apexd."... Ib5344edc0:Revert "Allow users to choose between multi-instal... If09bf590e:Revert "Adds multi_install_skip_symbol_files field... I905dac14c:Revert "Demonstrate multi-installed APEXes." Change-Id: I03fb124d4e7044f236539a132816fd96cb814775
2021-11-16 21:28:29 +01:00
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
set_prop(apexd, apexd_prop)
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
allow apexd postinstall_apex_mnt_dir:lnk_file create;
allow apexd proc_filesystems:file r_file_perms;
# Allow for use in Pre-reboot Dexopt.
allow apexd dexopt_chroot_setup:fd use;
# Allow calling derive_classpath to gather BCP information for staged sessions
domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
# Allow set apex ready property
set_prop(apexd, apex_ready_prop)
# Allow apexd to write to statsd.
unix_socket_send(apexd, statsdw, statsd)
###
### Neverallow rules
###
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 09:35:42 +02:00
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
Add policy for /metadata/apex. This is an area that apexd can use to store session metadata, which won't be rolled back with filesystem checkpointing. Bug: 126740531 Test: builds Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
2019-03-12 16:37:13 +01:00
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
Allow system_server to read apex_data_file. For consistency with APKs, signature verification is performed in the system_server. This includes checking that the signature of an updated install matches the signature of the active package that it updates. For this, it requires search access to /data/apex and read access to the files under that directory. Test: m Change-Id: Ia073adb8892886e4767fa5529e95c110b9cbff1b
2019-01-04 17:22:19 +01:00
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
Add policy for /metadata/apex. This is an area that apexd can use to store session metadata, which won't be rolled back with filesystem checkpointing. Bug: 126740531 Test: builds Change-Id: I5abbc500dc1b92aa46830829be76e7a4381eef91
2019-03-12 16:37:13 +01:00
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
Allow apexd to create symlink in /apex. Bug: 115710947 Test: on device Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
2018-10-16 09:02:49 +02:00
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
Add type for APEX data directories. This adds a new apex_module_data_file type for the APEX data directories under /data/misc/apexdata and /data/misc_[de|ce]/<u>/apexdata. Permission is given for vold to identify which APEXes are present and create the corresponding directories under apexdata in the ce/de user directories. See go/apex-data-directories. Bug: 141148175 Test: Built & flashed, checked directories were created. Change-Id: I95591e5fe85fc34f7ed21e2f4a75900ec2cfacfa
2019-11-19 19:10:16 +01:00
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
Add type for directories containing snapshots of apex data. This adds a new apex_rollback_data_file type for the snapshots (backups) of APEX data directories that can be restored in the event of a rollback. Permission is given for apexd to create files and dirs in those directories and for vold_prepare_subdirs to create the directories. See go/apex-data-directories for details. Bug: 141148175 Test: Built and flashed, checked directory was created with the correct type. Change-Id: I94b448dfc096e5702d3e33ace6f9df69f58340fd
2019-12-02 19:29:48 +01:00
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
# only apexd can set apexd sysprop
neverallow { domain -apexd -init } apexd_prop:property_service set;
Introduce apex_info_file type /apex/apex-info-file.xml is labeled as apex_info_file. It is created/written by apexd once by apexd, and can be read by zygote and system_server. The content of the file is essentially the same as the return value of getAllPackages() call to apexd. Bug: 154823184 Test: m Merged-In: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2 (cherry picked from commit f1de4c02cc3da98d052ca81e48e7d4682eea6088) Change-Id: Ic6af79ddebf465b389d9dcb5fd569d3a786423b2
2020-05-11 13:49:07 +02:00
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
Use postinstall file_contexts Previously we would mount OTA images with a 'context=...' mount option. This meant that all selinux contexts were ignored in the ota image, limiting the usefulness of selinux in this situation. To fix this the mount has been changed to not overwrite the declared contexts and the policies have been updated to accurately describe the actions being performed by an OTA. Bug: 181182967 Test: Manual OTA of blueline Merged-In: I5eb53625202479ea7e75c27273531257d041e69d Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
2021-03-11 20:26:08 +01:00
Add neverallow rules around who can mount/unmount /apex Test: m Bug: 188002184 Change-Id: I8f46896edbee7b68df6f1e3008ff4141df164e4c
2021-05-13 14:05:58 +02:00
# Only apexd and init should be allowed to manage /apex mounts
# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
Update SELinux policy for Pre-reboot Dexopt. - Add pm.dexopt.* properties. - Add rules for running artd in chroot. Bug: 311377497 Test: manual - Run Pre-reboot Dexopt and see no denial. Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
2024-03-20 12:24:54 +01:00
# dexopt_chroot_setup calls apexd to prepare /apex for Pre-reboot Dexopt, but it
# needs to mount a tmpfs on /apex for apexd to work on.
Add neverallow rules around who can mount/unmount /apex Test: m Bug: 188002184 Change-Id: I8f46896edbee7b68df6f1e3008ff4141df164e4c
2021-05-13 14:05:58 +02:00
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
Update SELinux policy for Pre-reboot Dexopt. - Add pm.dexopt.* properties. - Add rules for running artd in chroot. Bug: 311377497 Test: manual - Run Pre-reboot Dexopt and see no denial. Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
2024-03-20 12:24:54 +01:00
neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
Add neverallow rules around who can mount/unmount /apex Test: m Bug: 188002184 Change-Id: I8f46896edbee7b68df6f1e3008ff4141df164e4c
2021-05-13 14:05:58 +02:00
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
Modifed sepolicy for new apex ready prop Bug: 232172382 Test: atest ApexTestCases Change-Id: I2947b2c9b1d983bdbc410e67509508f73efff1f4
2022-09-02 00:20:10 +02:00
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
Reference in a new issue Copy permalink