diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8e0a7abba..70ceaca36 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -93,6 +93,7 @@
 network_stack_service
 network_stack_tmpfs
 overlayfs_file
+ password_slot_metadata_file
 permissionmgr_service
 postinstall_apex_mnt_dir
 recovery_socket
diff --git a/private/file_contexts b/private/file_contexts
index 39244c1f1..33b4e18ae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -619,6 +619,7 @@
 /metadata(/.*)? u:object_r:metadata_file:s0
 /metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
 
 #############################
 # asec containers
diff --git a/private/system_server.te b/private/system_server.te
index db51da3e8..a2cbc6fbc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1018,6 +1018,12 @@ wakelock_use(system_server)
 allow system_server apex_data_file:dir search;
 allow system_server apex_data_file:file r_file_perms;
 
+# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
+# communicate which slots are available for use.
+allow system_server metadata_file:dir search;
+allow system_server password_slot_metadata_file:dir rw_dir_perms;
+allow system_server password_slot_metadata_file:file create_file_perms;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
@@ -1028,3 +1034,12 @@ neverallow system_server { domain -system_server }:process ptrace;
 # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
 # file read access. However, that is now unnecessary (b/34951864)
 neverallow system_server system_server:global_capability_class_set sys_resource;
+
+# Only system_server/init should access /metadata/password_slots.
+neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
diff --git a/public/file.te b/public/file.te
index 514f23d45..65b10d656 100644
--- a/public/file.te
+++ b/public/file.te
@@ -199,6 +199,8 @@ type metadata_file, file_type;
 type vold_metadata_file, file_type;
 # GSI files within /metadata
 type gsi_metadata_file, file_type;
+# system_server shares Weaver slot information in /metadata
+type password_slot_metadata_file, file_type;
 
 # Type for /dev/cpu_variant:.*.
 type dev_cpu_variant, file_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 76ee7a4ef..528d8ba02 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -50,6 +50,7 @@ allow vendor_init {
 -exec_type
 -system_file_type
 -mnt_product_file
+ -password_slot_metadata_file
 -unlabeled
 -vendor_file_type
 -vold_metadata_file
@@ -62,6 +63,7 @@ allow vendor_init {
 file_type
 -core_data_file_type
 -exec_type
+ -password_slot_metadata_file
 -runtime_event_log_tags_file
 -system_file_type
 -unlabeled
@@ -74,6 +76,7 @@ allow vendor_init {
 file_type
 -core_data_file_type
 -exec_type
+ -password_slot_metadata_file
 -system_file_type
 -unlabeled
 -vendor_file_type
@@ -86,6 +89,7 @@ allow vendor_init {
 -apex_mnt_dir
 -core_data_file_type
 -exec_type
+ -password_slot_metadata_file
 -system_file_type
 -unlabeled
 -vendor_file_type
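Review bot: The last two neverallow rules added to system_server.te overlap: `neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;` forbids every permission on those classes, so the multi-line rule just above it with `~{ relabelto getattr }` is fully subsumed and the carve-out it expresses for relabelto and getattr never takes effect. Only one of the two should remain; if domains other than init and system_server are expected to stat or relabel these files, keep the `~{ relabelto getattr }` form and drop the `*` line, otherwise drop the expanded rule so the policy does not carry a dead exception. The preceding `dir *` rule already denies even getattr and search on the directory to every other domain, which the comment could make explicit, e.g. `# Only system_server/init may touch /metadata/password_slots; no other domain may even stat the directory.`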
@@ -98,6 +102,7 @@ allow vendor_init {
 -core_data_file_type
 -exec_type
 -mnt_product_file
+ -password_slot_metadata_file
 -system_file_type
 -vendor_file_type
 -vold_metadata_file