Sepolicy: Initial Apexd pre-/postinstall rules

Give apexd permission to execute sh.

Add userdebug_or_eng domains and rules for the test
APEX for pre- and post-install.

Bug: 119260955
Bug: 119261380
Test: atest apexservice_test
Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267
Andreas Gampe 2018-12-04 16:29:21 -08:00
parent 055286fc94
commit 261ea86192
3 changed files with 38 additions and 2 deletions


@ -1,2 +1,4 @@
/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
(/.*)? u:object_r:system_file:s0
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0


@ -0,0 +1,20 @@
# APEX pre- & post-install test.
#
# Allow to run pre- and post-install hooks for APEX test modules
# in debuggable builds.
type apex_test_prepostinstall, domain, coredomain;
type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
# /dev/zero
allow apex_test_prepostinstall apexd:fd use;
# Logwrapper.
create_pty(apex_test_prepostinstall)
# Logwrapper executing sh.
allow apex_test_prepostinstall shell_exec:file rx_file_perms;
# Logwrapper exec.
allow apex_test_prepostinstall system_file:file execute_no_trans;
# Ls.
allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
')
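Review bot: The `# /dev/zero` comment on `allow apex_test_prepostinstall apexd:fd use;` understates the rule, which lets the domain use any file descriptor inherited from apexd and not only one opened on /dev/zero; I would reword it to `# Use file descriptors inherited from apexd (e.g. /dev/zero).` Likewise `allow apex_test_prepostinstall system_file:file execute_no_trans;` lets the domain run every `system_file`-labelled binary in-domain, which is wider than the logwrapper named in its comment, so the comment should say that. Both types are declared outside `userdebug_or_eng`, so the domain also exists on user builds, just without rules. If apexd is meant to be the only way in, `neverallow { domain -apexd } apex_test_prepostinstall:process transition;` would enforce that at build time.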


@ -70,6 +70,20 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
# Allow apexd to log to the kernel.
allow apexd kmsg_device:chr_file w_file_perms;
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
allow apexd apexd_exec:file execute_no_trans;
# Allow to execute shell for pre- and postinstall scripts. A transition
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
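Review bot: `allow apexd shell_exec:file { r_file_perms execute };` sits outside the `userdebug_or_eng` block, so apexd gains execute on the shell on user builds too. The only transition visible in this hunk is the debug-only `domain_auto_trans`, and it is keyed on `apex_test_prepostinstall_exec`, not `shell_exec`. With neither `execute_no_trans` nor a `shell_exec` transition shown here, an exec of sh from apexd would presumably be denied on user builds, so the grant looks unused there unless a transition is defined elsewhere. I would either move the rule inside `userdebug_or_eng` until a production hook domain exists, or extend the comment to name the domain the shell is expected to enter. Adding `neverallow apexd shell_exec:file execute_no_trans;` would turn the comment's stated restriction into a compile-time check.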