2018-08-17 09:35:42 +02:00
|
|
|
typeattribute apexd coredomain;
|
|
|
|
|
|
|
|
init_daemon_domain(apexd)
|
|
|
|
|
2019-01-14 09:10:24 +01:00
|
|
|
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
|
|
|
|
allow apexd apex_data_file:dir create_dir_perms;
|
|
|
|
allow apexd apex_data_file:file create_file_perms;
|
2021-01-22 22:04:10 +01:00
|
|
|
# Allow relabeling file created in /data/apex/decompressed
|
|
|
|
allow apexd apex_data_file:file relabelfrom;
|
2018-08-17 09:35:42 +02:00
|
|
|
|
2019-03-12 16:37:13 +01:00
|
|
|
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
|
|
|
|
allow apexd metadata_file:dir search;
|
|
|
|
allow apexd apex_metadata_file:dir create_dir_perms;
|
|
|
|
allow apexd apex_metadata_file:file create_file_perms;
|
|
|
|
|
2022-01-28 18:11:41 +01:00
|
|
|
# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
|
|
|
|
allow apexd sepolicy_metadata_file:dir create_dir_perms;
|
|
|
|
allow apexd sepolicy_metadata_file:file create_file_perms;
|
2022-02-10 16:26:54 +01:00
|
|
|
# Allow apexd to setup fs-verity for SEPolicy files in metadata
|
|
|
|
allowxperm apexd sepolicy_metadata_file:file ioctl {
|
|
|
|
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
|
|
|
};
|
2022-01-28 18:11:41 +01:00
|
|
|
|
2021-03-04 13:21:43 +01:00
|
|
|
# Allow reserving space on /data/apex/ota_reserved for apex decompression
|
|
|
|
allow apexd apex_ota_reserved_file:dir create_dir_perms;
|
|
|
|
allow apexd apex_ota_reserved_file:file create_file_perms;
|
|
|
|
|
2020-01-24 18:20:19 +01:00
|
|
|
# Allow apexd to create files and directories for snapshots of apex data
|
2021-07-12 15:21:48 +02:00
|
|
|
allow apexd apex_data_file_type:dir { create_dir_perms relabelto };
|
|
|
|
allow apexd apex_data_file_type:file { create_file_perms relabelto };
|
2020-01-24 18:20:19 +01:00
|
|
|
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
|
|
|
|
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
|
2019-12-02 19:29:48 +01:00
|
|
|
allow apexd apex_rollback_data_file:dir create_dir_perms;
|
|
|
|
allow apexd apex_rollback_data_file:file create_file_perms;
|
|
|
|
|
Restrict creating per-user encrypted directories
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug. Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()". Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories. Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.
This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible. This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories. This
is similar to what https://r.android.com/1117297 did for /data itself.
Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.
A significant limitation is that /data/user/0 is currently being created
by init during early boot. Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories. As the
next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this
CL is needed regardless of whether we're able to do that.
Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then
created and deleted a user. Used 'ls -lZ' to check the relevant
SELinux labels on both internal and adoptable storage. Also did
similar tests on raven, with the addition of going through the
setup wizard and using an app that creates media files. No
relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 00:18:02 +02:00
|
|
|
# Allow apexd to read /data/misc_de and the directories under it, in order to
|
|
|
|
# snapshot and restore apex data for all users.
|
|
|
|
allow apexd {
|
|
|
|
system_userdir_file
|
|
|
|
system_data_file
|
|
|
|
}:dir r_dir_perms;
|
2020-01-24 18:20:19 +01:00
|
|
|
|
2018-08-17 09:35:42 +02:00
|
|
|
# allow apexd to create loop devices with /dev/loop-control
|
|
|
|
allow apexd loop_control_device:chr_file rw_file_perms;
|
|
|
|
# allow apexd to access loop devices
|
|
|
|
allow apexd loop_device:blk_file rw_file_perms;
|
2018-10-26 14:32:44 +02:00
|
|
|
allowxperm apexd loop_device:blk_file ioctl {
|
|
|
|
LOOP_GET_STATUS64
|
|
|
|
LOOP_SET_STATUS64
|
|
|
|
LOOP_SET_FD
|
|
|
|
LOOP_SET_BLOCK_SIZE
|
|
|
|
LOOP_SET_DIRECT_IO
|
|
|
|
LOOP_CLR_FD
|
2018-12-14 10:33:01 +01:00
|
|
|
BLKFLSBUF
|
2020-08-04 12:09:38 +02:00
|
|
|
LOOP_CONFIGURE
|
2018-10-26 14:32:44 +02:00
|
|
|
};
|
2021-08-06 19:50:25 +02:00
|
|
|
# Allow apexd to access /dev/block
|
2021-10-08 18:30:03 +02:00
|
|
|
allow apexd dev_type:dir r_dir_perms;
|
|
|
|
allow apexd dev_type:blk_file getattr;
|
2018-08-17 09:35:42 +02:00
|
|
|
|
2021-04-12 14:44:43 +02:00
|
|
|
#allow apexd to access virtual disks
|
|
|
|
allow apexd vd_device:blk_file r_file_perms;
|
|
|
|
|
2018-08-17 09:35:42 +02:00
|
|
|
# allow apexd to access /dev/block/dm-* (device-mapper entries)
|
|
|
|
allow apexd dm_device:chr_file rw_file_perms;
|
|
|
|
allow apexd dm_device:blk_file rw_file_perms;
|
|
|
|
|
|
|
|
# sys_admin is required to access the device-mapper and mount
|
2020-01-24 18:20:19 +01:00
|
|
|
# dac_override, chown, and fowner are needed for snapshot and restore
|
2020-01-30 19:43:38 +01:00
|
|
|
allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
|
2020-01-24 18:20:19 +01:00
|
|
|
|
|
|
|
# Note: fsetid is deliberately not included above. fsetid checks are
|
|
|
|
# triggered by chmod on a directory or file owned by a group other
|
|
|
|
# than one of the groups assigned to the current process to see if
|
|
|
|
# the setgid bit should be cleared, regardless of whether the setgid
|
|
|
|
# bit was even set. We do not appear to truly need this capability
|
|
|
|
# for apexd to operate.
|
|
|
|
dontaudit apexd self:global_capability_class_set fsetid;
|
2018-08-17 09:35:42 +02:00
|
|
|
|
|
|
|
# allow apexd to create a mount point in /apex
|
|
|
|
allow apexd apex_mnt_dir:dir create_dir_perms;
|
|
|
|
# allow apexd to mount in /apex
|
|
|
|
allow apexd apex_mnt_dir:filesystem { mount unmount };
|
|
|
|
allow apexd apex_mnt_dir:dir mounton;
|
2018-10-16 09:02:49 +02:00
|
|
|
# allow apexd to create symlinks in /apex
|
|
|
|
allow apexd apex_mnt_dir:lnk_file create_file_perms;
|
2020-05-11 13:49:07 +02:00
|
|
|
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
|
2020-07-02 15:22:05 +02:00
|
|
|
allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
|
2020-05-11 13:49:07 +02:00
|
|
|
allow apexd apex_info_file:file relabelto;
|
2021-06-04 19:39:32 +02:00
|
|
|
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
|
|
|
|
allow apexd apex_info_file:file rw_file_perms;
|
|
|
|
|
2019-02-05 23:47:57 +01:00
|
|
|
# allow apexd to unlink apex files in /data/apex/active
|
2019-02-27 12:21:20 +01:00
|
|
|
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
|
2019-02-05 23:47:57 +01:00
|
|
|
# because it doesn't have write permission for staging_data_file object.
|
|
|
|
allow apexd staging_data_file:file unlink;
|
2018-10-16 09:02:49 +02:00
|
|
|
|
2019-02-27 12:21:20 +01:00
|
|
|
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
|
2019-01-02 15:20:52 +01:00
|
|
|
allow apexd staging_data_file:dir r_dir_perms;
|
|
|
|
allow apexd staging_data_file:file { r_file_perms link };
|
2021-01-22 22:04:10 +01:00
|
|
|
# # Allow relabeling file created in /data/apex/decompressed
|
|
|
|
allow apexd staging_data_file:file relabelto;
|
2019-01-02 15:20:52 +01:00
|
|
|
|
2019-04-24 03:45:40 +02:00
|
|
|
# allow apexd to read files from /vendor/apex
|
|
|
|
allow apexd vendor_apex_file:dir r_dir_perms;
|
|
|
|
allow apexd vendor_apex_file:file r_file_perms;
|
|
|
|
|
2018-08-17 09:35:42 +02:00
|
|
|
# Unmount and mount filesystems
|
|
|
|
allow apexd labeledfs:filesystem { mount unmount };
|
|
|
|
|
2019-02-01 03:17:15 +01:00
|
|
|
# /sys directory tree traversal
|
|
|
|
allow apexd sysfs_type:dir search;
|
2021-10-08 18:30:03 +02:00
|
|
|
# Access to /sys/class/block
|
|
|
|
allow apexd sysfs_type:dir r_dir_perms;
|
|
|
|
allow apexd sysfs_type:file r_file_perms;
|
2018-12-18 15:38:59 +01:00
|
|
|
# Configure read-ahead of dm-verity and loop devices
|
|
|
|
# for dm-X
|
2018-11-08 12:57:12 +01:00
|
|
|
allow apexd sysfs_dm:dir r_dir_perms;
|
|
|
|
allow apexd sysfs_dm:file rw_file_perms;
|
2018-12-18 15:38:59 +01:00
|
|
|
# for loopX
|
|
|
|
allow apexd sysfs_loop:dir r_dir_perms;
|
|
|
|
allow apexd sysfs_loop:file rw_file_perms;
|
2018-11-08 12:57:12 +01:00
|
|
|
|
2019-01-23 21:44:24 +01:00
|
|
|
# Allow apexd to log to the kernel.
|
|
|
|
allow apexd kmsg_device:chr_file w_file_perms;
|
|
|
|
|
2019-02-08 01:26:00 +01:00
|
|
|
# Allow apexd to reboot device. Required for rollbacks of apexes that are
|
|
|
|
# not covered by rollback manager.
|
|
|
|
set_prop(apexd, powerctl_prop)
|
|
|
|
|
2019-06-13 02:45:05 +02:00
|
|
|
# Allow apexd to stop itself
|
|
|
|
set_prop(apexd, ctl_apexd_prop)
|
|
|
|
|
2022-07-07 08:42:39 +02:00
|
|
|
# Allow apexd to send control messages to load/unload apex from init
|
|
|
|
set_prop(apexd, ctl_apex_load_prop)
|
|
|
|
|
2019-03-12 13:31:15 +01:00
|
|
|
# Find the vold service, and call into vold to manage FS checkpoints
|
|
|
|
allow apexd vold_service:service_manager find;
|
|
|
|
binder_call(apexd, vold)
|
|
|
|
|
2019-03-14 18:45:33 +01:00
|
|
|
# apexd is using bootstrap bionic
|
2022-01-23 15:55:41 +01:00
|
|
|
use_bootstrap_libs(apexd)
|
2019-03-14 18:45:33 +01:00
|
|
|
|
2019-11-14 15:28:43 +01:00
|
|
|
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
|
|
|
|
allow apexd devpts:chr_file { read write };
|
|
|
|
|
2020-01-24 18:20:19 +01:00
|
|
|
# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
|
|
|
|
# other processes
|
|
|
|
create_pty(apexd)
|
|
|
|
|
|
|
|
# Allow apexd to read file contexts when performing restorecon of snapshots.
|
|
|
|
allow apexd file_contexts_file:file r_file_perms;
|
|
|
|
|
2020-01-30 17:46:40 +01:00
|
|
|
# Allow apexd to execute toybox for snapshot & restore
|
|
|
|
allow apexd toolbox_exec:file rx_file_perms;
|
|
|
|
|
2021-06-08 16:11:57 +02:00
|
|
|
# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
|
|
|
|
allowxperm apexd staging_data_file:file ioctl {
|
|
|
|
FS_IOC_GETFLAGS
|
|
|
|
F2FS_IOC_RELEASE_COMPRESS_BLOCKS
|
|
|
|
};
|
|
|
|
|
2020-10-02 19:06:37 +02:00
|
|
|
# Allow apexd to read ro.cold_boot_done prop.
|
|
|
|
# apexd uses it to decide whether it needs to keep retrying polling for loop device.
|
|
|
|
get_prop(apexd, cold_boot_done_prop)
|
|
|
|
|
2021-03-13 02:35:51 +01:00
|
|
|
# Allow apexd to read per-device configuration properties.
|
|
|
|
get_prop(apexd, apexd_config_prop)
|
|
|
|
|
2021-11-16 21:28:29 +01:00
|
|
|
# Allow apexd to read apex selection properties.
|
|
|
|
# These are used to choose between multi-installed APEXes at activation time.
|
|
|
|
get_prop(apexd, apexd_select_prop)
|
2021-11-08 21:09:54 +01:00
|
|
|
#
|
|
|
|
# Allow apexd to read apexd_payload_metadata_prop
|
|
|
|
get_prop(apexd, apexd_payload_metadata_prop)
|
2021-11-16 21:28:29 +01:00
|
|
|
|
2018-08-17 09:35:42 +02:00
|
|
|
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
|
2019-03-12 16:37:13 +01:00
|
|
|
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
|
2019-01-04 17:22:19 +01:00
|
|
|
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
|
2019-03-12 16:37:13 +01:00
|
|
|
neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
|
2018-10-16 09:02:49 +02:00
|
|
|
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
|
2019-11-19 19:10:16 +01:00
|
|
|
|
|
|
|
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
|
|
|
|
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
|
2019-12-02 19:29:48 +01:00
|
|
|
|
|
|
|
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
|
|
|
|
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
|
2020-03-04 09:20:35 +01:00
|
|
|
|
|
|
|
# only apexd can set apexd sysprop
|
|
|
|
set_prop(apexd, apexd_prop)
|
|
|
|
neverallow { domain -apexd -init } apexd_prop:property_service set;
|
2020-05-11 13:49:07 +02:00
|
|
|
|
|
|
|
# only apexd can write apex-info-list.xml
|
|
|
|
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
|
2021-03-11 20:26:08 +01:00
|
|
|
|
2021-05-13 14:05:58 +02:00
|
|
|
# Only apexd and init should be allowed to manage /apex mounts
|
|
|
|
# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
|
|
|
|
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
|
|
|
|
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
|
|
|
|
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
|
|
|
|
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
|
|
|
|
|
2021-03-11 20:26:08 +01:00
|
|
|
# Allow for use in postinstall
|
|
|
|
allow apexd otapreopt_chroot:fd use;
|
|
|
|
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
|
|
|
|
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
|
2021-06-24 16:05:24 +02:00
|
|
|
allow apexd postinstall_apex_mnt_dir:lnk_file create;
|
2021-03-11 20:26:08 +01:00
|
|
|
allow apexd proc_filesystems:file r_file_perms;
|
2021-10-08 13:35:22 +02:00
|
|
|
|
|
|
|
# Allow calling derive_classpath to gather BCP information for staged sessions
|
|
|
|
domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
|
2022-09-02 00:20:10 +02:00
|
|
|
|
|
|
|
# Allow set apex ready property
|
|
|
|
set_prop(apexd, apex_ready_prop)
|