Add use_bionic_libs macro

... to dedupe rules for allowing access to bootstrap bionic libraries.

Bug: N/A
Test: m
Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4

microdroid/system/private/apexd.te

@@ -81,8 +81,7 @@ allow apexd apexd_exec:file execute_no_trans;
 allow apexd rootfs:dir mounton;
 
 # apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
 
 # Allow apexd to read file contexts when performing restorecon
 allow apexd file_contexts_file:file r_file_perms;

microdroid/system/private/apkdmverity.te

@@ -4,8 +4,7 @@ type apkdmverity, domain, coredomain;
 type apkdmverity_exec, exec_type, file_type, system_file_type;
 
 # apkdmverity is using bootstrap bionic
-allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
-allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apkdmverity)
 
 # apkdmverity accesses "payload metadata disk" which points to
 # a /dev/vd* block device file.

microdroid/system/private/diced.te

@@ -17,5 +17,4 @@ add_service(diced, dice_maintenance_service)
 selinux_check_access(diced)
 
 # diced is using bootstrap bionic
-allow diced system_bootstrap_lib_file:dir r_dir_perms;
-allow diced system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(diced)

microdroid/system/private/init.te

@@ -437,8 +437,7 @@ allow init system_data_file:lnk_file r_file_perms;
 allow init proc_pressure_mem:file { rw_file_perms setattr };
 
 # init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
 
 # stat the root dir of fuse filesystems (for the mount handler)
 allow init fuse:dir { search getattr };

microdroid/system/private/microdroid_manager.te

@@ -38,8 +38,7 @@ userdebug_or_eng(`
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 
 # microdroid_manager is using bootstrap bionic
-allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
-allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(microdroid_manager)
 
 # microdroid_manager can talk to diced over binder
 binder_use(microdroid_manager)

microdroid/system/private/servicemanager.te

@@ -27,5 +27,4 @@ add_service(servicemanager, service_manager_service)
 set_prop(servicemanager, ctl_interface_start_prop)
 
 # servicemanager is using bootstrap bionic
-allow servicemanager system_bootstrap_lib_file:dir r_dir_perms;
-allow servicemanager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(servicemanager)

microdroid/system/private/ueventd.te

@@ -47,8 +47,7 @@ allow ueventd vendor_file:system module_load;
 allow ueventd kernel:key search;
 
 # ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
 
 # TODO(b/193118220): find out why this happens.
 dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };

microdroid/system/private/zipfuse.te

@@ -7,8 +7,7 @@ type zipfuse, domain, coredomain;
 type zipfuse_exec, exec_type, file_type, system_file_type;
 
 # zipfuse is using bootstrap bionic
-allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
-allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(zipfuse)
 
 # allow basic rules to implement FUSE
 allow zipfuse fuse_device:chr_file rw_file_perms;

microdroid/system/public/te_macros

@@ -987,3 +987,11 @@ define(`read_fstab', `
   allow $1 gsi_public_metadata_file:file r_file_perms;
   allow $1 proc_bootconfig:file r_file_perms;
 ')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+  allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+  allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')

microdroid/system/public/vendor_init.te

@@ -133,8 +133,7 @@ r_dir_file(vendor_init, vendor_file_type)
 allow vendor_init self:global_capability_class_set sys_admin;
 
 # vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
 
 # Get file context
 allow vendor_init file_contexts_file:file r_file_perms;

microdroid/vendor/hal_dice_default.te

@@ -5,5 +5,4 @@ type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_dice_default)
 
 # hal_dice_default is using bootstrap bionic
-allow hal_dice_default system_bootstrap_lib_file:dir r_dir_perms;
-allow hal_dice_default system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(hal_dice_default)

private/apexd.te

@@ -126,8 +126,7 @@ allow apexd vold_service:service_manager find;
 binder_call(apexd, vold)
 
 # apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
 
 # Allow apexd to be invoked with logwrapper from init during userspace reboot.
 allow apexd devpts:chr_file { read write };

private/profcollectd.te

@@ -23,7 +23,7 @@ userdebug_or_eng(`
   allow profcollectd vendor_file:dir r_dir_perms;
   allow profcollectd vendor_kernel_modules:file r_file_perms;
 
-  # Allow profcollectd to read system bootstrap libs.
+  # Allow profcollectd to read (but not execute) system bootstrap libs.
   allow profcollectd system_bootstrap_lib_file:dir search;
   allow profcollectd system_bootstrap_lib_file:file r_file_perms;
 

public/init.te

@@ -609,8 +609,7 @@ allow init userspace_reboot_metadata_file:file w_file_perms;
 allow init proc_pressure_mem:file { rw_file_perms setattr };
 
 # init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
 
 # stat the root dir of fuse filesystems (for the mount handler)
 allow init fuse:dir { search getattr };

public/te_macros

@@ -1021,3 +1021,11 @@ define(`read_fstab', `
   allow $1 gsi_public_metadata_file:file r_file_perms;
   allow $1 proc_bootconfig:file r_file_perms;
 ')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+  allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+  allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')

public/ueventd.te

@@ -60,8 +60,7 @@ allow ueventd vendor_file:system module_load;
 allow ueventd kernel:key search;
 
 # ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
 
 # Allow ueventd to run shell scripts from vendor
 allow ueventd vendor_shell_exec:file execute;

public/vendor_init.te

@@ -191,8 +191,7 @@ allow vendor_init self:global_capability_class_set sys_admin;
 allow vendor_init misc_block_device:blk_file w_file_perms;
 
 # vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
 
 # allow filesystem tuning
 allow vendor_init userdata_sysdev:file create_file_perms;