Introduce vendor_apex_metadata_file
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Bug: 308058980 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf Merged-In: Icc234bf604e3cafe6da81d21db744abfaa524dcf
This commit is contained in:
parent
c2af2e2ec4
commit
157848354e
20 changed files with 34 additions and 6 deletions
|
@ -102,8 +102,8 @@ allow apexd staging_data_file:file { r_file_perms link };
|
||||||
allow apexd staging_data_file:file relabelto;
|
allow apexd staging_data_file:file relabelto;
|
||||||
|
|
||||||
# allow apexd to read files from /vendor/apex
|
# allow apexd to read files from /vendor/apex
|
||||||
allow apexd vendor_apex_file:dir r_dir_perms;
|
r_dir_file(apexd, vendor_apex_file)
|
||||||
allow apexd vendor_apex_file:file r_file_perms;
|
r_dir_file(apexd, vendor_apex_metadata_file)
|
||||||
|
|
||||||
# Unmount and mount filesystems
|
# Unmount and mount filesystems
|
||||||
allow apexd labeledfs:filesystem { mount unmount };
|
allow apexd labeledfs:filesystem { mount unmount };
|
||||||
|
|
|
@ -2544,7 +2544,10 @@
|
||||||
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
|
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
|
||||||
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
|
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
|
||||||
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
|
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
|
||||||
(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
|
(typeattributeset vendor_configs_file_33_0
|
||||||
|
( vendor_configs_file
|
||||||
|
vendor_apex_metadata_file
|
||||||
|
))
|
||||||
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
|
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
|
||||||
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
|
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
|
||||||
(typeattributeset vendor_file_33_0 (vendor_file))
|
(typeattributeset vendor_file_33_0 (vendor_file))
|
||||||
|
|
|
@ -6,6 +6,7 @@ init_daemon_domain(derive_classpath)
|
||||||
|
|
||||||
# Read /apex
|
# Read /apex
|
||||||
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
|
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
|
||||||
|
allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Create /data/system/environ/classpath file
|
# Create /data/system/environ/classpath file
|
||||||
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
|
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
|
||||||
|
|
|
@ -6,6 +6,7 @@ init_daemon_domain(derive_sdk)
|
||||||
|
|
||||||
# Read /apex
|
# Read /apex
|
||||||
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
||||||
|
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
||||||
set_prop(derive_sdk, module_sdkextensions_prop)
|
set_prop(derive_sdk, module_sdkextensions_prop)
|
||||||
|
|
|
@ -609,6 +609,7 @@ full_treble_only(`
|
||||||
-same_process_hal_file
|
-same_process_hal_file
|
||||||
-vendor_app_file
|
-vendor_app_file
|
||||||
-vendor_apex_file
|
-vendor_apex_file
|
||||||
|
-vendor_apex_metadata_file
|
||||||
-vendor_configs_file
|
-vendor_configs_file
|
||||||
-vendor_service_contexts_file
|
-vendor_service_contexts_file
|
||||||
-vendor_framework_file
|
-vendor_framework_file
|
||||||
|
|
|
@ -19,6 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
|
||||||
# Allow linkerconfig to read apex-info-list.xml
|
# Allow linkerconfig to read apex-info-list.xml
|
||||||
allow linkerconfig apex_info_file:file r_file_perms;
|
allow linkerconfig apex_info_file:file r_file_perms;
|
||||||
|
|
||||||
|
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
|
||||||
|
r_dir_file(linkerconfig, vendor_apex_metadata_file)
|
||||||
|
|
||||||
# Allow linkerconfig to be called in the otapreopt_chroot
|
# Allow linkerconfig to be called in the otapreopt_chroot
|
||||||
allow linkerconfig otapreopt_chroot:fd use;
|
allow linkerconfig otapreopt_chroot:fd use;
|
||||||
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
||||||
|
|
|
@ -136,6 +136,7 @@ neverallow shell self:perf_event ~{ open read write kernel };
|
||||||
allow shell apex_info_file:file r_file_perms;
|
allow shell apex_info_file:file r_file_perms;
|
||||||
allow shell vendor_apex_file:file r_file_perms;
|
allow shell vendor_apex_file:file r_file_perms;
|
||||||
allow shell vendor_apex_file:dir r_dir_perms;
|
allow shell vendor_apex_file:dir r_dir_perms;
|
||||||
|
allow shell vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Allow shell to read updated APEXes under /data/apex
|
# Allow shell to read updated APEXes under /data/apex
|
||||||
allow shell apex_data_file:dir search;
|
allow shell apex_data_file:dir search;
|
||||||
|
|
|
@ -258,6 +258,7 @@ allow zygote apex_info_file:file r_file_perms;
|
||||||
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
|
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
|
||||||
allow zygote vendor_apex_file:dir { getattr search };
|
allow zygote vendor_apex_file:dir { getattr search };
|
||||||
allow zygote vendor_apex_file:file { getattr };
|
allow zygote vendor_apex_file:file { getattr };
|
||||||
|
allow zygote vendor_apex_metadata_file:dir { search };
|
||||||
|
|
||||||
# Allow zygote to query for compression/features.
|
# Allow zygote to query for compression/features.
|
||||||
r_dir_file(zygote, sysfs_fs_f2fs)
|
r_dir_file(zygote, sysfs_fs_f2fs)
|
||||||
|
|
|
@ -381,6 +381,8 @@ type server_configurable_flags_data_file, file_type, data_file_type, core_data_f
|
||||||
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
# /vendor/apex
|
# /vendor/apex
|
||||||
type vendor_apex_file, vendor_file_type, file_type;
|
type vendor_apex_file, vendor_file_type, file_type;
|
||||||
|
# apex_manifest.pb in vendor apex
|
||||||
|
type vendor_apex_metadata_file, vendor_file_type, file_type;
|
||||||
# /data/system/shutdown-checkpoints
|
# /data/system/shutdown-checkpoints
|
||||||
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
|
|
|
@ -1047,6 +1047,7 @@ define(`use_bootstrap_libs', `
|
||||||
define(`use_apex_info', `
|
define(`use_apex_info', `
|
||||||
allow $1 apex_mnt_dir:dir r_dir_perms;
|
allow $1 apex_mnt_dir:dir r_dir_perms;
|
||||||
allow $1 apex_info_file:file r_file_perms;
|
allow $1 apex_info_file:file r_file_perms;
|
||||||
|
r_dir_file($1, vendor_apex_metadata_file)
|
||||||
')
|
')
|
||||||
|
|
||||||
####################################
|
####################################
|
||||||
|
|
|
@ -102,8 +102,8 @@ allow apexd staging_data_file:file { r_file_perms link };
|
||||||
allow apexd staging_data_file:file relabelto;
|
allow apexd staging_data_file:file relabelto;
|
||||||
|
|
||||||
# allow apexd to read files from /vendor/apex
|
# allow apexd to read files from /vendor/apex
|
||||||
allow apexd vendor_apex_file:dir r_dir_perms;
|
r_dir_file(apexd, vendor_apex_file)
|
||||||
allow apexd vendor_apex_file:file r_file_perms;
|
r_dir_file(apexd, vendor_apex_metadata_file)
|
||||||
|
|
||||||
# Unmount and mount filesystems
|
# Unmount and mount filesystems
|
||||||
allow apexd labeledfs:filesystem { mount unmount };
|
allow apexd labeledfs:filesystem { mount unmount };
|
||||||
|
|
|
@ -2544,7 +2544,10 @@
|
||||||
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
|
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
|
||||||
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
|
(typeattributeset vendor_app_file_33_0 (vendor_app_file))
|
||||||
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
|
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
|
||||||
(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
|
(typeattributeset vendor_configs_file_33_0
|
||||||
|
( vendor_configs_file
|
||||||
|
vendor_apex_metadata_file
|
||||||
|
))
|
||||||
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
|
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
|
||||||
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
|
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
|
||||||
(typeattributeset vendor_file_33_0 (vendor_file))
|
(typeattributeset vendor_file_33_0 (vendor_file))
|
||||||
|
|
|
@ -6,6 +6,7 @@ init_daemon_domain(derive_classpath)
|
||||||
|
|
||||||
# Read /apex
|
# Read /apex
|
||||||
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
|
allow derive_classpath apex_mnt_dir:dir r_dir_perms;
|
||||||
|
allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Create /data/system/environ/classpath file
|
# Create /data/system/environ/classpath file
|
||||||
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
|
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
|
||||||
|
|
|
@ -6,6 +6,7 @@ init_daemon_domain(derive_sdk)
|
||||||
|
|
||||||
# Read /apex
|
# Read /apex
|
||||||
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
allow derive_sdk apex_mnt_dir:dir r_dir_perms;
|
||||||
|
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
|
||||||
set_prop(derive_sdk, module_sdkextensions_prop)
|
set_prop(derive_sdk, module_sdkextensions_prop)
|
||||||
|
|
|
@ -609,6 +609,7 @@ full_treble_only(`
|
||||||
-same_process_hal_file
|
-same_process_hal_file
|
||||||
-vendor_app_file
|
-vendor_app_file
|
||||||
-vendor_apex_file
|
-vendor_apex_file
|
||||||
|
-vendor_apex_metadata_file
|
||||||
-vendor_configs_file
|
-vendor_configs_file
|
||||||
-vendor_service_contexts_file
|
-vendor_service_contexts_file
|
||||||
-vendor_framework_file
|
-vendor_framework_file
|
||||||
|
|
|
@ -19,6 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
|
||||||
# Allow linkerconfig to read apex-info-list.xml
|
# Allow linkerconfig to read apex-info-list.xml
|
||||||
allow linkerconfig apex_info_file:file r_file_perms;
|
allow linkerconfig apex_info_file:file r_file_perms;
|
||||||
|
|
||||||
|
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
|
||||||
|
r_dir_file(linkerconfig, vendor_apex_metadata_file)
|
||||||
|
|
||||||
# Allow linkerconfig to be called in the otapreopt_chroot
|
# Allow linkerconfig to be called in the otapreopt_chroot
|
||||||
allow linkerconfig otapreopt_chroot:fd use;
|
allow linkerconfig otapreopt_chroot:fd use;
|
||||||
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
||||||
|
|
|
@ -136,6 +136,7 @@ neverallow shell self:perf_event ~{ open read write kernel };
|
||||||
allow shell apex_info_file:file r_file_perms;
|
allow shell apex_info_file:file r_file_perms;
|
||||||
allow shell vendor_apex_file:file r_file_perms;
|
allow shell vendor_apex_file:file r_file_perms;
|
||||||
allow shell vendor_apex_file:dir r_dir_perms;
|
allow shell vendor_apex_file:dir r_dir_perms;
|
||||||
|
allow shell vendor_apex_metadata_file:dir r_dir_perms;
|
||||||
|
|
||||||
# Allow shell to read updated APEXes under /data/apex
|
# Allow shell to read updated APEXes under /data/apex
|
||||||
allow shell apex_data_file:dir search;
|
allow shell apex_data_file:dir search;
|
||||||
|
|
|
@ -258,6 +258,7 @@ allow zygote apex_info_file:file r_file_perms;
|
||||||
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
|
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
|
||||||
allow zygote vendor_apex_file:dir { getattr search };
|
allow zygote vendor_apex_file:dir { getattr search };
|
||||||
allow zygote vendor_apex_file:file { getattr };
|
allow zygote vendor_apex_file:file { getattr };
|
||||||
|
allow zygote vendor_apex_metadata_file:dir { search };
|
||||||
|
|
||||||
# Allow zygote to query for compression/features.
|
# Allow zygote to query for compression/features.
|
||||||
r_dir_file(zygote, sysfs_fs_f2fs)
|
r_dir_file(zygote, sysfs_fs_f2fs)
|
||||||
|
|
|
@ -381,6 +381,8 @@ type server_configurable_flags_data_file, file_type, data_file_type, core_data_f
|
||||||
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
type staging_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
# /vendor/apex
|
# /vendor/apex
|
||||||
type vendor_apex_file, vendor_file_type, file_type;
|
type vendor_apex_file, vendor_file_type, file_type;
|
||||||
|
# apex_manifest.pb in vendor apex
|
||||||
|
type vendor_apex_metadata_file, vendor_file_type, file_type;
|
||||||
# /data/system/shutdown-checkpoints
|
# /data/system/shutdown-checkpoints
|
||||||
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
|
||||||
|
|
||||||
|
|
|
@ -1047,6 +1047,7 @@ define(`use_bootstrap_libs', `
|
||||||
define(`use_apex_info', `
|
define(`use_apex_info', `
|
||||||
allow $1 apex_mnt_dir:dir r_dir_perms;
|
allow $1 apex_mnt_dir:dir r_dir_perms;
|
||||||
allow $1 apex_info_file:file r_file_perms;
|
allow $1 apex_info_file:file r_file_perms;
|
||||||
|
r_dir_file($1, vendor_apex_metadata_file)
|
||||||
')
|
')
|
||||||
|
|
||||||
####################################
|
####################################
|
||||||
|
|
Loading…
Reference in a new issue