tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/installd.te

247 lines
10 KiB
Text
Raw Normal View History

Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
typeattribute installd coredomain;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
init_daemon_domain(installd)
Move change from ag/7565384 aside Commit I35d35016680379e3a9363408704ee890a78a9748 is not yet in AOSP and is causing a merge conflict with my change aosp/1105757. Move the lines causing the conflict elsewhere. Bug: 1105489 Test: treehugger Cherrypicked-From: 1da93c9f327d89d64aa8554814e324dc89dc4657 Merged-In: I35dca026e40c9e2f89b831395db3958e399bfbb7 Change-Id: I35dca026e40c9e2f89b831395db3958e399bfbb7
2019-08-23 19:34:32 +02:00
# Run migrate_legacy_obb_data.sh in its own sandbox.
domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
allow installd shell_exec:file rx_file_perms;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
SElinux policies for compiling secondary dex files This CLs adds SElinux policies necessary to compile secondary dex files. When an app loads secondary dex files via the base class loader the files will get reported to PM. During maintance mode PM will compile the secondary dex files which were used via the standard installd model (fork, exec, change uid and lower capabilities). What is needed: dexoptanalyzer - needs to read the dex file and the boot image in order to decide if we need to actually comppile. dex2oat - needs to be able to create *.oat files next to the secondary dex files. Test: devices boots compilation of secondary dex files works without selinux denials cmd package compile --secondary-dex -f -m speed com.google.android.gms Bug: 32871170 Change-Id: I038955b5bc9a72d49f6c24c1cb76276e0f53dc45
2017-01-18 05:31:31 +01:00
# Run dexoptanalyzer in its own sandbox.
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-07-22 22:13:11 +02:00
# Run profman in its own sandbox.
domain_auto_trans(installd, profman_exec, profman)
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
Ensure taking a bugreport generates no denials. This commit adds new SELinux permissions and neverallow rules so that taking a bugreport does not produce any denials. Bug: 73256908 Test: Captured bugreports on Sailfish and Walleye and verified that there were no denials. Merged-In: If3f2093a2b51934938e3d7e5c42036b2e2bf6de9 Change-Id: I10882e7adda0bb51bf373e0e62fda0acc8ad34eb
2018-02-14 23:32:38 +01:00
# For collecting bugreports.
allow installd dumpstate:fd use;
allow installd dumpstate:fifo_file r_file_perms;
bless app created renderscript files When an app uses renderscript to compile a Script instance, renderscript compiles and links the script using /system/bin/bcc and /system/bin/ld.mc, then places the resulting shared library into the application's code_cache directory. The application then dlopen()s the resulting shared library. Currently, this executable code is writable to the application. This violates the W^X property (https://en.wikipedia.org/wiki/W%5EX), which requires any executable code be immutable. This change introduces a new label "rs_data_file". Files created by /system/bin/bcc and /system/bin/ld.mc in the application's home directory assume this label. This allows us to differentiate in security policy between app created files, and files created by renderscript on behalf of the application. Apps are allowed to delete these files, but cannot create or write these files. This is enforced through a neverallow compile time assertion. Several exceptions are added to Treble neverallow assertions to support this functionality. However, because renderscript was previously invoked from an application context, this is not a Treble separation regression. This change is needed to support blocking dlopen() for non-renderscript /data/data files, which will be submitted in a followup change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: Ie38bbd94d26db8a418c2a049c24500a5463698a3
2018-12-12 18:06:05 +01:00
# Delete /system/bin/bcc generated artifacts
rename rs_data_file to app_exec_data_file There are multiple trusted system components which may be responsible for creating executable code within an application's home directory. Renderscript is just one of those trusted components. Generalize rs_data_file to app_exec_data_file. This label is intended to be used for any executable code created by trusted components placed into an application's home directory. Introduce a typealias statement to ensure files with the previous label continue to be understood by policy. This change is effectively a no-op, as it just renames a type, but neither adds or removes any rules. Bug: 121375718 Bug: 112357170 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I17dca5e3e8a1237eb236761862174744fb2196c0
2019-01-11 18:37:46 +01:00
allow installd app_exec_data_file:file unlink;
Allow installd sufficient permissions to rollback_data_file. Used to capture and restore app data snapshots as implemented in change I3e4d36c11e52fb885b585b1946e215cf986206fd. Test: make, manual Bug: 112431924 Change-Id: I1cd1ec3f9c93c4af65b662a5ada582299b595a8f
2019-01-17 14:38:05 +01:00
# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
# subsequently restore them.
allow installd rollback_data_file:dir create_dir_perms;
allow installd rollback_data_file:file create_file_perms;
Add runtime_native property permission to installd Installd will read one of these properties as a feature flag. (cherry-picked from commit e59e731dd1648ac1f65cc41ff2bdff0d79dd8b0d) Bug: 116059983 Bug: 123524494 Test: adb shell /data/nativetest64/installd_dexopt_test/installd_dexopt_test Change-Id: I6c5c058ba316b98f58d8d08f7cb13828cf311833 Merged-In: I6c5c058ba316b98f58d8d08f7cb13828cf311833
2019-01-31 22:21:39 +01:00
# Allow installd to access the runtime feature flag properties.
get_prop(installd, device_config_runtime_native_prop)
Allow installd to access device_config_runtime_native_boot_prop. Test: m && boot Bug: 119800099 Change-Id: I3d9c48b9474ed68c98cf65110ed9375a2c4c8aa1
2019-02-25 21:45:14 +01:00
get_prop(installd, device_config_runtime_native_boot_prop)
Allow installd to delete directories in staging dir In order to support deleting session files after a staged session reaches a final state, installd will need to delete the session directories from /data/staging. Bug: 123624108 Test: triggered 2 flows in which a staged session reaches a final state and made sure installd can delete the session files Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
2019-02-19 13:21:59 +01:00
sepolicy: allow rules for apk verify system property ro.apk_verity.mode was introduced in P on crosshatch. This change changes the label from default_prop to a new property, apk_verity_prop. ro.apk_verity.mode is set by vendor_init per build.prop, in order to honor Treble split. It is also read by system_server and installd currently. Test: verify functioning without denials in dmesg Bug: 142494008 Bug: 144164497 Change-Id: I1f24513d79237091cf30025bb7ca63282e23c739
2019-11-27 19:06:03 +01:00
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
Allow zygotes and installd to read odsign properties Bug: 192049377 Test: manual Change-Id: I88cfd0b7fa63f195a1ec8f498c106cbf95f649ec
2021-07-01 14:29:37 +02:00
# Allow installd to access odsign verification status
get_prop(installd, odsign_prop)
Allow installd to delete directories in staging dir In order to support deleting session files after a staged session reaches a final state, installd will need to delete the session directories from /data/staging. Bug: 123624108 Test: triggered 2 flows in which a staged session reaches a final state and made sure installd can delete the session files Change-Id: I76a7d4252d1e033791f67f268cf941672c5e6a3a
2019-02-19 13:21:59 +01:00
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
Allow installd delete staging folders. Apparently readdir uses getattr and skips a folder if denied. Bug: 244638667 Test: adb root; adb shell mkdir -p /data/app-staging/session_917335144/lib; adb reboot; adb logcat | grep session_917335144, check if the folder was removed Change-Id: I39de49c77d3bf3428d75f0cf4d4c603ea7e03ed5
2022-09-02 21:47:39 +02:00
allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
allow installd to kill dex2oat and dexoptanalyzer Bug: 179094324 Bug: 156537504 Test: confirm that installd killing those processes are not brininging selinux violation Change-Id: Icac3f5acc3d4d398bbe1431bb02140f3fe9cdc45
2021-07-15 05:05:41 +02:00
Allow installd to kill profman. installd needs to kill profman if profman times out. Bug: 242352919 Test: - 1. Add an infinate loop to profman. 2. Run `adb shell pm compile -m speed-profile com.android.chrome` 3. See profman being killed after 1 minute. Change-Id: I71761eaab027698de0339d855b9a436b56580ed8
2023-01-30 10:31:43 +01:00
allow installd { dex2oat dexoptanalyzer }:process signal;
# installd kills subprocesses if they time out.
allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
Create a separate label for sandbox root directory Currently, app process can freely execute path at `/data/misc_ce/0/sdksandbox/<package-name>` since it's labeled as system file. They can't read or write, but use 403/404 error to figure out if an app is installed or not. By changing the selinux label of the parent directory: `/data/misc_ce/0/sdksandbox`, we can restrict app process from executing inside the directory and avoid the privacy leak. Sandbox process should only have "search" permission on the new label so that it can pass through it to its data directory located in `/data/misc_ce/0/sdksandbox/<package-name>/<per-sdk-dir>`. Bug: 214241165 Test: atest SdkSandboxStorageHostTest Test: `adb shell cd /data/misc_ce/0/sdksandbox` gives error Test: manual test to verify webview still works Change-Id: Id8771b322d4eb5532eaf719f203ca94035e2a8ed Merged-In: Id8771b322d4eb5532eaf719f203ca94035e2a8ed
2022-05-11 22:43:54 +02:00
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
Allow installd to enable fs-verity on app's file See aosp/2681476 for more details. Bug: 285185747 Test: Call installd from a local client, no denial Change-Id: Ie3fa45aceb8a6e61123d477bd994d964a3ae6529
2023-07-29 00:28:44 +02:00
# Allow installd to enable fs-verity for app file passed as FD;
allow installd { untrusted_app_all priv_app gmscore_app }:fd use;
allowxperm installd app_data_file_type:file ioctl FS_IOC_ENABLE_VERITY;
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
typeattribute installd mlstrustedsubject;
allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
allow installd dalvikcache_data_file:file { relabelto link };
# Allow movement of APK files between volumes
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
allow installd apk_data_file:file { create_file_perms relabelfrom link };
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
allow installd asec_apk_file:file r_file_perms;
allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
r_dir_file(installd, rootfs)
# Scan through APKs in /system/app and /system/priv-app
r_dir_file(installd, system_file)
# Scan through APKs in /vendor/app
r_dir_file(installd, vendor_app_file)
# Scan through JARs in /vendor/framework
r_dir_file(installd, vendor_framework_file)
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
r_dir_file(installd, vendor_overlay_file)
# Vendor overlay can be found in vendor apex
allow installd vendor_apex_metadata_file:dir { getattr search };
# Get file context
allow installd file_contexts_file:file r_file_perms;
# Get seapp_context
allow installd seapp_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
allow installd asec_image_file:file getattr;
# Required to initially create subdirectories of /data/user/$userId
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
# Also, allow read for lnk_file so that we can process symlinks within
# /data/user/$userId when optimizing application code.
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Manage lower filesystem via pass_through mounts
allow installd mnt_pass_through_file:dir r_dir_perms;
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
allow installd media_rw_data_file:file { getattr unlink };
# restorecon new /data/media directory.
allow installd system_data_file:dir relabelfrom;
allow installd media_rw_data_file:dir relabelto;
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd media_userdir_file:dir r_dir_perms;
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
allow installd { sdcard_type fuse }:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { create_dir_perms mounton };
# Upgrade /data/misc/keychain for multi-user if necessary.
allow installd system_userdir_file:dir r_dir_perms;
allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms;
allow installd keychain_data_file:dir create_dir_perms;
allow installd keychain_data_file:file {r_file_perms unlink};
# Create /data/misc/installd/layout_version.* file
allow installd install_data_file:file create_file_perms;
allow installd install_data_file:dir rw_dir_perms;
# Create files under /data/dalvik-cache.
allow installd dalvikcache_data_file:dir create_dir_perms;
allow installd dalvikcache_data_file:file create_file_perms;
allow installd dalvikcache_data_file:lnk_file getattr;
# Create files under /data/resource-cache.
allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms;
# Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
# Read pkg.apk file for input during dexopt.
allow installd unlabeled:file r_file_perms;
# Upgrade from before system_app_data_file was used for system UID apps.
# Just need enough to relabel it and to unlink removed package files.
# Directory access covered by earlier rule above.
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
# Manage /data/data subdirectories, including initially labeling them
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Allow setting extended attributes (for project quota IDs) on dirs and files
# and to enable project ID inheritance through FS_IOC_SETFLAGS
# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
};
# Similar for the files under /data/misc/profiles/
allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
allow installd user_profile_data_file:dir { create_dir_perms relabelto };
allow installd user_profile_data_file:file create_file_perms;
allow installd user_profile_data_file:file unlink;
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
# execute toybox for app relocation
allow installd toolbox_exec:file rx_file_perms;
# Allow installd to publish a binder service and make binder calls.
binder_use(installd)
add_service(installd, installd_service)
allow installd dumpstate:fifo_file { getattr write };
# Allow installd to call into the system server so it can check permissions.
binder_call(installd, system_server)
allow installd permission_service:service_manager find;
# Allow installd to read and write quotas
allow installd block_device:dir { search };
allow installd labeledfs:filesystem { quotaget quotamod };
# Allow installd to delete from /data/preloads when trimming data caches
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
allow installd preloads_data_file:file { r_file_perms unlink };
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
allow installd preloads_media_file:file { r_file_perms unlink };
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
#add for move app to sd card
get_prop(installd, storage_config_prop)
# Allow installd to access apps installed on the Incremental File System
# Accessing files on the Incremental File System uses fds opened in the context of vold.
allow installd vold:fd use;
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
# on app uninstall, installd deletes the storage area keys for the app
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
Add read permission to storage_area_keys to installd Installd needs the read permission on storage area key directories. This only comes up in testing when the tests are rerun on the same device. Bug: 325129836 Test: atest StorageAreaTest Change-Id: I74c776c52d66492552aaf8b61c7591fb19194f7a
2024-05-01 03:00:02 +02:00
allow installd storage_area_key_file:dir { open search write remove_name lock read };
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
allow installd storage_area_key_file:file unlink;
')
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
###
### Neverallow rules
###
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
neverallow installd {
domain
-system_server
-servicemanager
userdebug_or_eng(`-su')
}:binder call;
Reference in a new issue Copy permalink