From aa987aaa2d4527628afc30433238e9bd513b4bc3 Mon Sep 17 00:00:00 2001
From: Victor Hsieh
Date: Tue, 10 Aug 2021 16:33:32 -0700
Subject: [PATCH] Define sepolicy for compos and dex2oat

Bug: 194474784
Test: ComposTestCase # with debug disabled
Change-Id: I2a53df337356fc8e299837358da2a5a88c9c20d3
---
 microdroid/system/private/compos.te | 14 +++++++++++---
 microdroid/system/private/dex2oat.te | 19 +++++++++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 9e6b2bbba..05936a6c7 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -4,11 +4,11 @@ type compos_exec, exec_type, file_type, system_file_type;
 
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-# Talk to binder services (for keystore)
+# Allow using keystore and authfs_service binder services
 binder_use(compos);
-
-# Allow payloads to use keystore
 use_keystore(compos);
+allow compos authfs_binder_service:service_manager find;
+binder_call(compos, authfs_service);
 
 # Allow payloads to use and manage their keys
 allow compos vm_payload_key:keystore2_key {
@@ -18,3 +18,11 @@ allow compos vm_payload_key:keystore2_key {
   rebind
   use
 };
+
+# Although the compos should not really read/write the FD on authfs_fuse, this
+# is apparently required for the binder driver to pass the FDs to compos from
+# authfs_service.
+allow compos authfs_fuse:file { read write };
+
+# Allow domain transition into dex2oat.
+domain_auto_trans(compos, dex2oat_exec, dex2oat)
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
index 6bfd05e65..cde824bdd 100644
--- a/microdroid/system/private/dex2oat.te
+++ b/microdroid/system/private/dex2oat.te
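Review bot: The comment above `allow compos authfs_fuse:file { read write };` in the second compos.te hunk calls the grant "apparently required", but the reason is deterministic and worth recording so nobody later removes the rule or widens it without understanding it: when an FD is passed over binder, the SELinux binder_transfer_file hook checks the receiving domain (here compos) for the permission matching the FD's open mode on the file's label, in addition to `fd use`. I would replace the three-line comment with something like `# compos never reads/writes these files itself, but the SELinux binder FD-transfer check requires the receiver to hold the FD's open-mode permission (read/write) on the file's label. Keep this to { read write }; do not add open.` That also makes the deliberate omission of `open` explicit, which is what keeps compos from opening authfs_fuse files on its own.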
@@ -3,3 +3,22 @@ type dex2oat, domain, coredomain;
 type dex2oat_exec, system_file_type, exec_type, file_type;
 
 allow dex2oat tmpfs:file { read getattr map };
+
+# Allow dex2oat to use FDs from authfs_service via compos.
+allow dex2oat authfs_service:fd use;
+allow dex2oat compos:fd use;
+
+# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
+allow dex2oat authfs_fuse:file rw_file_perms;
+
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow dex2oat compos:fifo_file read;
+
+# Allow acquiring advisory lock on /system/framework//*
+allow dex2oat system_file:file lock;
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;
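Review bot: `allow dex2oat authfs_fuse:file rw_file_perms;` grants more than the comment states: rw_file_perms expands to the r_file_perms and w_file_perms macros, which include open, ioctl, lock and map as well as read and write, whereas the comment says the intent is only to read/write FDs inherited via compos. If dex2oat only ever operates on passed-in FDs, the explicit set `allow dex2oat authfs_fuse:file { read write getattr map };` (map is probably needed since dex2oat mmaps its inputs — confirm) documents the boundary and leaves open unreachable even if a dir-search rule on authfs_fuse is added later; if ioctl or open really are exercised, the comment should say so rather than describe a narrower grant. Separately, the comment `# Allow acquiring advisory lock on /system/framework//*` has a doubled slash and presumably means `/system/framework/*`.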