From 261ea86192679a250231f5ad8290efe01caaf142 Mon Sep 17 00:00:00 2001
From: Andreas Gampe
Date: Tue, 4 Dec 2018 16:29:21 -0800
Subject: [PATCH] Sepolicy: Initial Apexd pre-/postinstall rules

Give apexd permission to execute sh. Add userdebug_or_eng domains and rules for the test APEX for pre- and post-install.

Bug: 119260955
Bug: 119261380
Test: atest apexservice_test
Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267
---
 apex/apex.test-file_contexts | 6 ++++--
 private/apex_test_prepostinstall.te | 20 ++++++++++++++++++++
 private/apexd.te | 14 ++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 private/apex_test_prepostinstall.te

diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index 784ad5473..a14e14b00 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,4 @@
-(/.*)? u:object_r:system_file:s0
-/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/private/apex_test_prepostinstall.te b/private/apex_test_prepostinstall.te
new file mode 100644
index 000000000..f1bc2145e
--- /dev/null
+++ b/private/apex_test_prepostinstall.te
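Review bot: In apex/apex.test-file_contexts the two new hook entries have no comment saying that `apex_test_prepostinstall_exec` is the entrypoint label for a transition out of apexd that this patch defines only inside `userdebug_or_eng`. A line such as `# Test hooks: entrypoints for the userdebug/eng-only apex_test_prepostinstall domain.` above them would stop the label being copied into another APEX's contexts file without that context. The new entries also sit above the `(/.*)?` catch-all while the existing `/bin/surfaceflinger` entry stays below it, so the file now mixes two orderings; keep one, because a reader cannot tell from the file which match is meant to win. The catch-all and surfaceflinger lines are removed and re-added with no visible text change, presumably whitespace only.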
@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ # /dev/zero
+ allow apex_test_prepostinstall apexd:fd use;
+ # Logwrapper.
+ create_pty(apex_test_prepostinstall)
+ # Logwrapper executing sh.
+ allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+ # Logwrapper exec.
+ allow apex_test_prepostinstall system_file:file execute_no_trans;
+ # Ls.
+ allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')
diff --git a/private/apexd.te b/private/apexd.te
index 5beaa4b6e..4a496e554 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -70,6 +70,20 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
 # Allow apexd to log to the kernel.
 allow apexd kmsg_device:chr_file w_file_perms;
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Allow to execute shell for pre- and postinstall scripts. A transition
+# rule is required, thus restricted to execute and not execute_no_trans.
+allow apexd shell_exec:file { r_file_perms execute };
+
+# Allow transition to test APEX preinstall domain.
+userdebug_or_eng(`
+ domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
+')
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
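Review bot: Nothing in private/apex_test_prepostinstall.te pins down who may enter the new domain: `apex_test_prepostinstall` is declared as `domain, coredomain` outside the `userdebug_or_eng` block, and the file ends without any neverallow. Adding `neverallow { domain -apexd } apex_test_prepostinstall:process transition;` would make a later rule that lets another domain transition into it fail at build time; a matching entrypoint restriction to `apex_test_prepostinstall_exec` would be worth adding if it builds against the rest of the policy. Separately, `allow apex_test_prepostinstall system_file:file execute_no_trans;` is commented only as "Logwrapper exec." but covers every file labelled `system_file`, so the comment should say why a narrower label is not used. The `# /dev/zero` comment on the `apexd:fd use` rule would also read better as a sentence, for example `# Use fds inherited from apexd (e.g. /dev/zero).` if that is the intent.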
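Review bot: In private/apexd.te, `allow apexd shell_exec:file { r_file_perms execute };` sits outside `userdebug_or_eng`, so it is granted on user builds as well, while the only transition this patch defines is the debug-only one keyed on `apex_test_prepostinstall_exec`. The comment says `execute_no_trans` is withheld on purpose, but only the comment says so; `neverallow apexd shell_exec:file execute_no_trans;` next to the allow would make the policy enforce it, assuming no rule outside this hunk already grants that permission. If no production hook domain lands in the same series, consider moving the shell_exec grant inside the `userdebug_or_eng` block until one exists. The comment `# Allow transition to test APEX preinstall domain.` should mention post-install too, since both hooks share the exec type.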