Introduce vendor_apex_metadata_file

A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.

Previously, these entries were labelled as system_file even for vendor
apexes.

Bug: 285075529
Bug: 308058980
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
Merged-In: Icc234bf604e3cafe6da81d21db744abfaa524dcf
Jooyung Han 2023-05-31 17:51:14 +09:00 committed by Thiébaud Weksteen
parent c2af2e2ec4
commit 157848354e
20 changed files with 34 additions and 6 deletions


@ -102,8 +102,8 @@ allow apexd staging_data_file:file { r_file_perms link };
allow apexd staging_data_file:file relabelto; allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex # allow apexd to read files from /vendor/apex
allow apexd vendor_apex_file:dir r_dir_perms; r_dir_file(apexd, vendor_apex_file)
allow apexd vendor_apex_file:file r_file_perms; r_dir_file(apexd, vendor_apex_metadata_file)
# Unmount and mount filesystems # Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount }; allow apexd labeledfs:filesystem { mount unmount };
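Review bot: Replacing the two explicit `vendor_apex_file` rules with `r_dir_file(apexd, vendor_apex_file)` is not a pure refactor if `r_dir_file` expands the way it does in upstream te_macros (dir `r_dir_perms` plus `{ file lnk_file }` with `r_file_perms`). In that case apexd also gains `lnk_file` read on `vendor_apex_file`, which the commit message does not mention. If symlink access is not needed, keep `allow apexd vendor_apex_file:dir r_dir_perms;` and `allow apexd vendor_apex_file:file r_file_perms;` and add only the `r_dir_file(apexd, vendor_apex_metadata_file)` line. The definition of `r_dir_file` is not on this page, so the expansion should be confirmed against te_macros.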


@ -2544,7 +2544,10 @@
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file)) (typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
(typeattributeset vendor_app_file_33_0 (vendor_app_file)) (typeattributeset vendor_app_file_33_0 (vendor_app_file))
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file)) (typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
(typeattributeset vendor_configs_file_33_0 (vendor_configs_file)) (typeattributeset vendor_configs_file_33_0
( vendor_configs_file
vendor_apex_metadata_file
))
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file)) (typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop)) (typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
(typeattributeset vendor_file_33_0 (vendor_file)) (typeattributeset vendor_file_33_0 (vendor_file))
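Review bot: `vendor_apex_metadata_file` is folded into `vendor_configs_file_33_0`, but the commit message says these entries were previously labelled `system_file`, so the chosen attribute does not obviously match the type the files carried under the 33.0 policy. Any vendor rule written against `vendor_configs_file_33_0` now also covers the apex manifest and apex root directory, while vendor rules that reached them through the old label may no longer do so. A CIL comment above the entry, such as `; vendor_apex_metadata_file: split from system_file; grouped with vendor_configs_file because <reason>`, would record why this attribute was chosen.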


@ -6,6 +6,7 @@ init_daemon_domain(derive_classpath)
# Read /apex # Read /apex
allow derive_classpath apex_mnt_dir:dir r_dir_perms; allow derive_classpath apex_mnt_dir:dir r_dir_perms;
allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
# Create /data/system/environ/classpath file # Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms; allow derive_classpath environ_system_data_file:dir rw_dir_perms;
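Review bot: The new `allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;` sits under the generic `# Read /apex` comment with nothing explaining why a vendor label is needed, and it grants full directory read where the zygote hunk manages with `{ search }` on the same type. If the domain only traverses the apex root (the `./` entry named in the commit message), `search` would be the narrower grant; whether listing is actually required is not visible here. If it is, a comment like `# Root dir of mounted vendor apexes is labelled vendor_apex_metadata_file` would justify the wider set. The same applies to the `derive_sdk` and `shell` hunks, which add the identical dir-only rule.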


@ -6,6 +6,7 @@ init_daemon_domain(derive_sdk)
# Read /apex # Read /apex
allow derive_sdk apex_mnt_dir:dir r_dir_perms; allow derive_sdk apex_mnt_dir:dir r_dir_perms;
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps) # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop) set_prop(derive_sdk, module_sdkextensions_prop)


@ -609,6 +609,7 @@ full_treble_only(`
-same_process_hal_file -same_process_hal_file
-vendor_app_file -vendor_app_file
-vendor_apex_file -vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file -vendor_configs_file
-vendor_service_contexts_file -vendor_service_contexts_file
-vendor_framework_file -vendor_framework_file


@ -19,6 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
# Allow linkerconfig to read apex-info-list.xml # Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms; allow linkerconfig apex_info_file:file r_file_perms;
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
r_dir_file(linkerconfig, vendor_apex_metadata_file)
# Allow linkerconfig to be called in the otapreopt_chroot # Allow linkerconfig to be called in the otapreopt_chroot
allow linkerconfig otapreopt_chroot:fd use; allow linkerconfig otapreopt_chroot:fd use;
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms; allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;


@ -136,6 +136,7 @@ neverallow shell self:perf_event ~{ open read write kernel };
allow shell apex_info_file:file r_file_perms; allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms; allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms; allow shell vendor_apex_file:dir r_dir_perms;
allow shell vendor_apex_metadata_file:dir r_dir_perms;
# Allow shell to read updated APEXes under /data/apex # Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search; allow shell apex_data_file:dir search;


@ -258,6 +258,7 @@ allow zygote apex_info_file:file r_file_perms;
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package. # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
allow zygote vendor_apex_file:dir { getattr search }; allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr }; allow zygote vendor_apex_file:file { getattr };
allow zygote vendor_apex_metadata_file:dir { search };
# Allow zygote to query for compression/features. # Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs) r_dir_file(zygote, sysfs_fs_f2fs)


@ -381,6 +381,8 @@ type server_configurable_flags_data_file, file_type, data_file_type, core_data_f
type staging_data_file, file_type, data_file_type, core_data_file_type; type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex # /vendor/apex
type vendor_apex_file, vendor_file_type, file_type; type vendor_apex_file, vendor_file_type, file_type;
# apex_manifest.pb in vendor apex
type vendor_apex_metadata_file, vendor_file_type, file_type;
# /data/system/shutdown-checkpoints # /data/system/shutdown-checkpoints
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type; type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
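Review bot: The comment `# apex_manifest.pb in vendor apex` understates what the new type covers. Per the commit message the label is also applied to the `./` root entry of each vendor apex, which is why several hunks in this commit add `:dir` rules for it. Suggest `# apex_manifest.pb and the root directory of vendor apexes` so that whoever later audits directory rules on this type can see why they exist.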


@ -1047,6 +1047,7 @@ define(`use_bootstrap_libs', `
define(`use_apex_info', ` define(`use_apex_info', `
allow $1 apex_mnt_dir:dir r_dir_perms; allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms; allow $1 apex_info_file:file r_file_perms;
r_dir_file($1, vendor_apex_metadata_file)
') ')
#################################### ####################################
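Review bot: Adding `r_dir_file($1, vendor_apex_metadata_file)` inside `use_apex_info` hands the new access to every domain that invokes the macro, and those callers are not visible in this hunk. The resulting set of readers therefore cannot be checked against the "few system components" the commit message describes. The new line also carries no comment; something like `# apex_manifest.pb and root dir of vendor apexes` would document it. It is worth confirming that each existing caller of `use_apex_info` is meant to read vendor apex metadata.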


@ -102,8 +102,8 @@ allow apexd staging_data_file:file { r_file_perms link };
allow apexd staging_data_file:file relabelto; allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex # allow apexd to read files from /vendor/apex
allow apexd vendor_apex_file:dir r_dir_perms; r_dir_file(apexd, vendor_apex_file)
allow apexd vendor_apex_file:file r_file_perms; r_dir_file(apexd, vendor_apex_metadata_file)
# Unmount and mount filesystems # Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount }; allow apexd labeledfs:filesystem { mount unmount };


@ -2544,7 +2544,10 @@
(typeattributeset vendor_apex_file_33_0 (vendor_apex_file)) (typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
(typeattributeset vendor_app_file_33_0 (vendor_app_file)) (typeattributeset vendor_app_file_33_0 (vendor_app_file))
(typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file)) (typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
(typeattributeset vendor_configs_file_33_0 (vendor_configs_file)) (typeattributeset vendor_configs_file_33_0
( vendor_configs_file
vendor_apex_metadata_file
))
(typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file)) (typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
(typeattributeset vendor_default_prop_33_0 (vendor_default_prop)) (typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
(typeattributeset vendor_file_33_0 (vendor_file)) (typeattributeset vendor_file_33_0 (vendor_file))


@ -6,6 +6,7 @@ init_daemon_domain(derive_classpath)
# Read /apex # Read /apex
allow derive_classpath apex_mnt_dir:dir r_dir_perms; allow derive_classpath apex_mnt_dir:dir r_dir_perms;
allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
# Create /data/system/environ/classpath file # Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms; allow derive_classpath environ_system_data_file:dir rw_dir_perms;


@ -6,6 +6,7 @@ init_daemon_domain(derive_sdk)
# Read /apex # Read /apex
allow derive_sdk apex_mnt_dir:dir r_dir_perms; allow derive_sdk apex_mnt_dir:dir r_dir_perms;
allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
# Prop rules: writable by derive_sdk, readable by bootclasspath (apps) # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
set_prop(derive_sdk, module_sdkextensions_prop) set_prop(derive_sdk, module_sdkextensions_prop)


@ -609,6 +609,7 @@ full_treble_only(`
-same_process_hal_file -same_process_hal_file
-vendor_app_file -vendor_app_file
-vendor_apex_file -vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file -vendor_configs_file
-vendor_service_contexts_file -vendor_service_contexts_file
-vendor_framework_file -vendor_framework_file


@ -19,6 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
# Allow linkerconfig to read apex-info-list.xml # Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms; allow linkerconfig apex_info_file:file r_file_perms;
# Allow linkerconfig to read apex_manifest.pb file from vendor apex
r_dir_file(linkerconfig, vendor_apex_metadata_file)
# Allow linkerconfig to be called in the otapreopt_chroot # Allow linkerconfig to be called in the otapreopt_chroot
allow linkerconfig otapreopt_chroot:fd use; allow linkerconfig otapreopt_chroot:fd use;
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms; allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;


@ -136,6 +136,7 @@ neverallow shell self:perf_event ~{ open read write kernel };
allow shell apex_info_file:file r_file_perms; allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms; allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms; allow shell vendor_apex_file:dir r_dir_perms;
allow shell vendor_apex_metadata_file:dir r_dir_perms;
# Allow shell to read updated APEXes under /data/apex # Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search; allow shell apex_data_file:dir search;


@ -258,6 +258,7 @@ allow zygote apex_info_file:file r_file_perms;
# preinstalled path of APEXes that contain runtime resource overlays for the 'android' package. # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
allow zygote vendor_apex_file:dir { getattr search }; allow zygote vendor_apex_file:dir { getattr search };
allow zygote vendor_apex_file:file { getattr }; allow zygote vendor_apex_file:file { getattr };
allow zygote vendor_apex_metadata_file:dir { search };
# Allow zygote to query for compression/features. # Allow zygote to query for compression/features.
r_dir_file(zygote, sysfs_fs_f2fs) r_dir_file(zygote, sysfs_fs_f2fs)


@ -381,6 +381,8 @@ type server_configurable_flags_data_file, file_type, data_file_type, core_data_f
type staging_data_file, file_type, data_file_type, core_data_file_type; type staging_data_file, file_type, data_file_type, core_data_file_type;
# /vendor/apex # /vendor/apex
type vendor_apex_file, vendor_file_type, file_type; type vendor_apex_file, vendor_file_type, file_type;
# apex_manifest.pb in vendor apex
type vendor_apex_metadata_file, vendor_file_type, file_type;
# /data/system/shutdown-checkpoints # /data/system/shutdown-checkpoints
type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type; type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;


@ -1047,6 +1047,7 @@ define(`use_bootstrap_libs', `
define(`use_apex_info', ` define(`use_apex_info', `
allow $1 apex_mnt_dir:dir r_dir_perms; allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms; allow $1 apex_info_file:file r_file_perms;
r_dir_file($1, vendor_apex_metadata_file)
') ')
#################################### ####################################