From 9c3707f76a9bc49b602fbe65b4dfe3bfc7d22f24 Mon Sep 17 00:00:00 2001
From: Seigo Nonaka
Date: Thu, 21 Jan 2021 13:08:31 -0800
Subject: [PATCH] Add /data/fonts/files directory

The updated font files will be stored to /data/fonts/files and all application will read it for drawing text. Thus, /data/fonts/files needs to be readable by apps and only writable by system_server (and init).

Bug: 173517579
Test: atest CtsGraphicsTestCases
Test: Manually done
Change-Id: Ia76b109704f6214eb3f1798e8d21260343eda231
---
 private/app.te | 4 ++++
 private/compat/30.0/30.0.ignore.cil | 1 +
 private/file.te | 3 +++
 private/file_contexts | 1 +
 private/system_server.te | 11 +++++++++++
 5 files changed, 20 insertions(+)

diff --git a/private/app.te b/private/app.te
index 30ef99138..c635aed6b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -63,6 +63,10 @@ get_prop(appdomain, camera_calibration_prop)
 # Allow to read db.log.detailed, db.log.slow_query_threshold*
 get_prop(appdomain, sqlite_log_prop)
 
+# Allow font file read by apps.
+allow appdomain font_data_file:file r_file_perms;
+allow appdomain font_data_file:dir r_dir_perms;
+
 # Read /data/misc/apexdata/com.android.art
 allow appdomain { apex_art_data_file apex_module_data_file }:dir search;
 allow appdomain apex_art_data_file:file r_file_perms;
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 686855442..559d4ad94 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -26,6 +26,7 @@
   dumpstate_tmpfs
   framework_watchdog_config_prop
   game_service
+  font_data_file
   gki_apex_prepostinstall
   gki_apex_prepostinstall_exec
   hal_authsecret_service
diff --git a/private/file.te b/private/file.te
index 284a9eead..87443eff9 100644
--- a/private/file.te
+++ b/private/file.te
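Review bot: The two new `allow appdomain font_data_file` rules expose files that every app's text stack will parse, yet the one-line comment does not record what makes that acceptable; suggest `# Allow apps to read the updatable font files in /data/fonts/files. Only system_server (and init) may write them (see the neverallow in system_server.te) and system_server enables fs-verity on each file.` so the trust relationship is visible where the read access is granted. appdomain is broad and, if I recall correctly, includes isolated_app and ephemeral_app as well; worth confirming that every such domain is meant to see updated fonts rather than only the system fonts. The new file_contexts entry in this patch matches /data/fonts/files but not /data/fonts itself, so apps also need search on whatever label the parent keeps; confirm that is already granted elsewhere, otherwise the read rules here are unreachable.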
@@ -41,3 +41,6 @@
 type apex_art_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/apexdata/com.android.art/staging
 type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/font/files
+type font_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 0b21e39f2..89c67fcba 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -551,6 +551,7 @@
 # to avoid restorecon conflicts
 /data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
 /data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
+/data/fonts/files(/.*)? u:object_r:font_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 98c1a1b41..b7dbed099 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1039,6 +1039,13 @@ userdebug_or_eng(`
 # Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
 get_prop(system_server, framework_watchdog_config_prop)
 
+
+# Font files are written by system server
+allow system_server font_data_file:file create_file_perms;
+allow system_server font_data_file:dir create_dir_perms;
+# Allow system process to setup fs-verity for font files
+allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
+
 ###
 ### Neverallow rules
 ###
@@ -1270,3 +1277,7 @@ neverallow {
 # BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
 # interface
 neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
+
+# Only system server can write the font files.
+neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
+neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
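Review bot: The comment on the new type says `/data/font/files` while the file_contexts entry, the commit title and the description all use `/data/fonts/files`; the comment should read `# /data/fonts/files` so that a search for the real path lands on the type definition. Since this type is unusual in being readable by every app while writable only by system_server and init, it would help to say so next to the definition, e.g. `# /data/fonts/files - updatable font files, written by system_server, read by all apps`.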
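Review bot: The new file_contexts entry covers /data/fonts/files and everything below it but not /data/fonts, so the parent keeps the generic /data label and the directory that apps search into is only correctly labeled if it is created with this context in place; whichever process creates /data/fonts/files (presumably init, given the init exemption in the neverallow) should be confirmed to do so after file_contexts is loaded, rather than relying on a later restorecon. A short comment above the line, in the style of the surrounding entries, would record the intent: `# Updatable font files: written by system_server, readable by all apps`.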
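Review bot: With `create_file_perms` here and `r_file_perms` for appdomain in the same patch, an app can open a font file in the window between its creation and the `FS_IOC_ENABLE_VERITY` ioctl, so the policy alone does not guarantee that readers only ever see sealed, fully written files; the writer has to stage and publish atomically, and the comment should state that expectation, e.g. `# system_server writes new font files and enables fs-verity on each one before it is published; readers must only consume files that have been sealed.` The hunk header names `userdebug_or_eng(\`` as the nearest enclosing construct; the block appears to be closed before line 1039 since the Neverallow section follows, but it is worth confirming these rules are unconditional, otherwise font updates would only work on debug builds. fs-verity only fixes the bytes from the moment of enablement; whether the content was trustworthy before that point depends on the caller's own verification, which this policy cannot express.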
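Review bot: The neverallow pair uses `no_w_file_perms` and `no_w_dir_perms`, which cover relabelfrom but not relabelto, so a domain allowed to relabel its own files into font_data_file could still place content where every app will read it; unless an existing neverallow already restricts relabelto on data_file_type (likely, but not visible in this hunk), add `neverallow { domain -init -system_server } font_data_file:{ file dir } relabelto;` next to these lines. The comment could also record why init is exempted, presumably because it creates the directory: `# Only system_server (and init, which sets up the directory) may write font files.`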