Add SELinux policy for storage areas

We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels is as follows (note
 that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SElinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SElinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
This commit is contained in:
Ellen Arteca 2024-04-30 20:26:55 +00:00
parent 6543cf9843
commit 27b515e70a
13 changed files with 279 additions and 13 deletions

View file

@ -911,6 +911,8 @@
/data/system_de system_userdir_file /data/system_de system_userdir_file
/data/user system_userdir_file /data/user system_userdir_file
/data/user_de system_userdir_file /data/user_de system_userdir_file
/data/storage_area system_userdir_file
/data/misc_ce/0/storage_area_keys storage_area_key_file
/data/misc/adb adb_keys_file /data/misc/adb adb_keys_file
/data/misc/adb/test adb_keys_file /data/misc/adb/test adb_keys_file

View file

@ -21,6 +21,7 @@ se_flags {
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT", "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES", "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE", "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
"RELEASE_UNLOCKED_STORAGE_API",
], ],
export_to: ["all_selinux_flags"], export_to: ["all_selinux_flags"],
} }

View file

@ -242,12 +242,37 @@ allow appdomain appdomain:fifo_file rw_file_perms;
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses. # App sandbox file accesses.
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:dir create_dir_perms; allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } {
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file create_file_perms; app_data_file
allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_data_file privapp_data_file }:file ioctl FS_IOC_MEASURE_VERITY; privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir create_dir_perms;
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } {
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:file create_file_perms;
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# an app can read but cannot write to its own directory of storage areas
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } storage_area_app_dir:dir r_dir_perms;
# an app can write to its storage areas
allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } storage_area_dir:dir rw_dir_perms;
')
allowxperm { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } {
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:file ioctl FS_IOC_MEASURE_VERITY;
# Access via already open fds is ok even for mlstrustedsubject. # Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write }; allow { appdomain -isolated_app_all -sdk_sandbox_all } {
app_data_file
privapp_data_file
system_app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:file { getattr map read write };
# Access open fds from SDK sandbox # Access open fds from SDK sandbox
allow appdomain sdk_sandbox_data_file:file { getattr read }; allow appdomain sdk_sandbox_data_file:file { getattr read };
@ -777,3 +802,13 @@ dontaudit appdomain system_font_fallback_file:file no_rw_file_perms;
neverallow appdomain system_font_fallback_file:file no_rw_file_perms; neverallow appdomain system_font_fallback_file:file no_rw_file_perms;
neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read }; neverallow { appdomain -shell } tombstone_data_file:file ~{ getattr read };
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# Files and directories that apps write to their storage areas
# should have type storage_area_content_file
type_transition {
appdomain
-isolated_app_all
-ephemeral_app
-sdk_sandbox_all
} storage_area_dir:{ notdevfile_class_set dir } storage_area_content_file;
')

View file

@ -68,6 +68,21 @@ neverallow {
-runas_app -runas_app
} { app_data_file privapp_data_file }:file execute_no_trans; } { app_data_file privapp_data_file }:file execute_no_trans;
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# block apps from executing files in their storage areas
# this is a stronger and more desirable guarantee than blocking execute_no_trans, but
# execute cannot be blocked on all of app_data_file without causing
# backwards compatibility issues (see b/237289679)
neverallow appdomain storage_area_content_file:file execute;
')
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# dont allow apps to modify their own directories of storage areas
neverallow appdomain storage_area_app_dir:dir_file_class_set {
create write setattr relabelfrom relabelto append unlink link rename
};
')
# Do not allow untrusted apps to invoke dex2oat. This was historically required # Do not allow untrusted apps to invoke dex2oat. This was historically required
# by ART for compiling secondary dex files but has been removed in Q. # by ART for compiling secondary dex files but has been removed in Q.
# Exempt legacy apps (targetApi<=28) for compatibility. # Exempt legacy apps (targetApi<=28) for compatibility.
@ -156,6 +171,7 @@ neverallow { all_untrusted_apps -mediaprovider } {
file_type file_type
-app_data_file # The apps sandbox itself -app_data_file # The apps sandbox itself
-privapp_data_file -privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `-storage_area_content_file')
-app_exec_data_file # stored within the app sandbox directory -app_exec_data_file # stored within the app sandbox directory
-media_rw_data_file # Internal storage. Known that apps can -media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall. # leave artfacts here after uninstall.

View file

@ -139,6 +139,7 @@ neverallow crosvm {
apk_data_file apk_data_file
app_data_file app_data_file
privapp_data_file privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
userdebug_or_eng(`-shell_data_file') userdebug_or_eng(`-shell_data_file')
}:file open; }:file open;

View file

@ -1594,7 +1594,20 @@ neverallow {
-appdomain -appdomain
-artd # compile secondary dex files -artd # compile secondary dex files
-installd # creation of sandbox -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; } {
privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { create unlink };
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
-artd # compile secondary dex files
-installd # creation of sandbox
-vold_prepare_subdirs # creation of storage area directories
} {storage_area_app_dir storage_area_dir }:dir { create unlink };
')
# Only the following processes should be directly accessing private app # Only the following processes should be directly accessing private app
# directories. # directories.
@ -1611,7 +1624,38 @@ neverallow {
-runas -runas
-system_server -system_server
-zygote -zygote
} { privapp_data_file app_data_file }:dir *; } {
privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir *;
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
-appdomain
-app_zygote
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
-system_server
-vold # encryption of storage area directories
-vold_prepare_subdirs # creation of storage area directories
-zygote
} { storage_area_dir storage_area_app_dir }:dir *;
')
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# only vold and installd can access the storage area key files
# (and init, in case of a recursive restorecon)
neverallow {
domain
-init
-vold
-vold_prepare_subdirs
-installd
} { storage_area_key_file }:dir_file_class_set *;
')
# Only apps should be modifying app data. installd is exempted for # Only apps should be modifying app data. installd is exempted for
# restorecon and package install/uninstall. # restorecon and package install/uninstall.
@ -1621,7 +1665,22 @@ neverallow {
-artd # compile secondary dex files -artd # compile secondary dex files
-installd -installd
-rs # spawned by appdomain, so carryover the exception above -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:dir ~r_dir_perms; } {
privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir ~r_dir_perms;
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
-appdomain
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
-vold_prepare_subdirs # creation of storage area directories
} { storage_area_dir storage_area_app_dir }:dir ~r_dir_perms;
')
neverallow { neverallow {
domain domain
@ -1630,20 +1689,41 @@ neverallow {
-artd # compile secondary dex files -artd # compile secondary dex files
-installd -installd
-rs # spawned by appdomain, so carryover the exception above -rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open; } {
privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:file_class_set open;
neverallow { neverallow {
domain domain
-appdomain -appdomain
-artd # compile secondary dex files -artd # compile secondary dex files
-installd # creation of sandbox -installd # creation of sandbox
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink }; } {
privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { create unlink };
neverallow { neverallow {
domain domain
-artd # compile secondary dex files -artd # compile secondary dex files
-installd -installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto }; } {
privapp_data_file
app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir_file_class_set { relabelfrom relabelto };
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
domain
-artd # compile secondary dex files
-installd
-vold_prepare_subdirs
} { storage_area_dir storage_area_app_dir }:dir { relabelfrom relabelto };
')
# The staging directory contains APEX and APK files. It is important to ensure # The staging directory contains APEX and APK files. It is important to ensure
# that these files cannot be accessed by other domains to ensure that the files # that these files cannot be accessed by other domains to ensure that the files

View file

@ -194,3 +194,12 @@ allow proc_net proc:filesystem associate;
# Should be: # Should be:
# type apk_data_file, file_type, data_file_type; # type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate; neverallow fs_type file_type:filesystem associate;
# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# app storage areas: /data/storage_area/userId/pkgName/storageAreaName
type storage_area_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# contents of app storage areas: /data/storage_area/userId/pkgName/storageAreaName/*
type storage_area_content_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
# /data/misc_ce/userId/storage_area_keys
type storage_area_key_file, file_type, data_file_type, core_data_file_type;

View file

@ -624,6 +624,7 @@
/data/system_de u:object_r:system_userdir_file:s0 /data/system_de u:object_r:system_userdir_file:s0
/data/user u:object_r:system_userdir_file:s0 /data/user u:object_r:system_userdir_file:s0
/data/user_de u:object_r:system_userdir_file:s0 /data/user_de u:object_r:system_userdir_file:s0
/data/storage_area u:object_r:system_userdir_file:s0
# Misc data # Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0 /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
@ -819,6 +820,9 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 /data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 /data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
# storage area keys
/data/misc_ce/[0-9]+/storage_area_keys(/.*)? u:object_r:storage_area_key_file:s0
# Backup service persistent per-user bookkeeping # Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0 /data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps # Backup service temporary per-user data for inter-change with apps

View file

@ -300,6 +300,11 @@ allow init self:global_capability_class_set { chown fowner fsetid };
allow init { allow init {
file_type file_type
-app_data_file -app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-storage_area_dir
-storage_area_app_dir
-storage_area_content_file
')
-bpffs_type -bpffs_type
-exec_type -exec_type
-misc_logd_file -misc_logd_file
@ -314,6 +319,11 @@ allow init {
allow init { allow init {
file_type file_type
-app_data_file -app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-storage_area_dir
-storage_area_app_dir
-storage_area_content_file
')
-bpffs_type -bpffs_type
-credstore_data_file -credstore_data_file
-exec_type -exec_type
@ -336,6 +346,11 @@ allow init {
file_type file_type
-apex_info_file -apex_info_file
-app_data_file -app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-storage_area_dir
-storage_area_app_dir
-storage_area_content_file
')
-bpffs_type -bpffs_type
-exec_type -exec_type
-gsi_data_file -gsi_data_file
@ -363,6 +378,11 @@ allow init apex_info_file:file r_file_perms;
allow init { allow init {
file_type file_type
-app_data_file -app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-storage_area_dir
-storage_area_app_dir
-storage_area_content_file
')
-bpffs_type -bpffs_type
-exec_type -exec_type
-gsi_data_file -gsi_data_file
@ -383,6 +403,11 @@ allow init {
file_type file_type
-apex_mnt_dir -apex_mnt_dir
-app_data_file -app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-storage_area_dir
-storage_area_app_dir
-storage_area_content_file
')
-bpffs_type -bpffs_type
-exec_type -exec_type
-gsi_data_file -gsi_data_file
@ -409,6 +434,11 @@ allow init {
-vendor_file_type -vendor_file_type
-exec_type -exec_type
-app_data_file -app_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
-storage_area_dir
-storage_area_app_dir
-storage_area_content_file
')
-privapp_data_file -privapp_data_file
}:dir_file_class_set relabelto; }:dir_file_class_set relabelto;

View file

@ -225,6 +225,12 @@ get_prop(installd, storage_config_prop)
# Accessing files on the Incremental File System uses fds opened in the context of vold. # Accessing files on the Incremental File System uses fds opened in the context of vold.
allow installd vold:fd use; allow installd vold:fd use;
# on app uninstall, installd deletes the storage area keys for the app
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
allow installd storage_area_key_file:dir { open search write remove_name lock };
allow installd storage_area_key_file:file unlink;
')
### ###
### Neverallow rules ### Neverallow rules
### ###

View file

@ -8,13 +8,31 @@ neverallow {
mlstrustedsubject mlstrustedsubject
-artd # compile secondary dex files -artd # compile secondary dex files
-installd -installd
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append }; } {
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:file ~{ read write map getattr ioctl lock append };
neverallow { neverallow {
mlstrustedsubject mlstrustedsubject
-artd # compile secondary dex files -artd # compile secondary dex files
-installd -installd
} { app_data_file privapp_data_file }:dir ~{ read getattr search }; } {
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir ~{ read getattr search };
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
-vold # encryption of storage areas
-vold_prepare_subdirs # creation of storage area directories
} { storage_area_dir storage_area_app_dir }:dir ~{ read getattr search };
')
neverallow { neverallow {
mlstrustedsubject mlstrustedsubject
@ -24,4 +42,22 @@ neverallow {
-adbd -adbd
-runas -runas
-zygote -zygote
} { app_data_file privapp_data_file }:dir { read getattr search }; } {
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
}:dir { read getattr search };
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
neverallow {
mlstrustedsubject
-artd # compile secondary dex files
-installd
-system_server
-adbd
-runas
-vold # encryption of storage area directories
-vold_prepare_subdirs # creation of storage area directories
-zygote
} { storage_area_dir storage_area_app_dir }:dir { read getattr search };
')

View file

@ -62,6 +62,27 @@ allow vold keystore_maintenance_service:service_manager find;
allow vold keystore:keystore2 early_boot_ended; allow vold keystore:keystore2 early_boot_ended;
allow vold keystore:keystore2 delete_all_keys; allow vold keystore:keystore2 delete_all_keys;
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
# Allow vold to encrypt storage area directories on behalf of apps.
allow vold {
storage_area_dir
storage_area_app_dir
}:dir {
getattr
ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
open
read # for open(O_RDONLY) for ioctl
search
};
')
# when a storage area is created (with `openStorageArea`), vold creates the key
# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
allow vold storage_area_key_file:file create_file_perms;
allow vold storage_area_key_file:dir create_dir_perms;
')
# Allow vold to create and delete per-user directories like /data/user/$userId. # Allow vold to create and delete per-user directories like /data/user/$userId.
allow vold { allow vold {
media_userdir_file media_userdir_file
@ -119,6 +140,7 @@ allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
# and add/remove file-based encryption keys. # and add/remove file-based encryption keys.
allowxperm vold data_file_type:dir ioctl { allowxperm vold data_file_type:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_GET_ENCRYPTION_POLICY_EX
FS_IOC_SET_ENCRYPTION_POLICY FS_IOC_SET_ENCRYPTION_POLICY
FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_ADD_ENCRYPTION_KEY
FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY
@ -131,6 +153,7 @@ allowxperm vold data_file_type:dir ioctl {
allowxperm vold { allowxperm vold {
vold_data_file vold_data_file
vold_metadata_file vold_metadata_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
}:file ioctl { }:file ioctl {
F2FS_IOC_SEC_TRIM_FILE F2FS_IOC_SEC_TRIM_FILE
FS_IOC_FIEMAP FS_IOC_FIEMAP

View file

@ -10,6 +10,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use; allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write }; allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms; allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs seapp_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner }; allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate; allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs { allow vold_prepare_subdirs {
@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
fingerprint_vendor_data_file fingerprint_vendor_data_file
iris_vendor_data_file iris_vendor_data_file
rollback_data_file rollback_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
storaged_data_file storaged_data_file
sdk_sandbox_data_file sdk_sandbox_data_file
sdk_sandbox_system_data_file sdk_sandbox_system_data_file
@ -54,6 +56,27 @@ allow vold_prepare_subdirs mnt_expand_file:dir search;
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom }; allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto }; allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# Allow vold_prepare_subdirs to create storage area directories on behalf of apps.
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
allow vold_prepare_subdirs {
storage_area_dir
storage_area_app_dir
}:dir {
rw_dir_perms
create
setattr # for chown() and chmod()
rmdir
unlink
relabelfrom # setfilecon
relabelto # setfilecon
};
# The storage area directories should have type storage_area_dir
type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
selinux_check_context(vold_prepare_subdirs)
')
# Migrate legacy labels to apex_system_server_data_file (b/217581286) # Migrate legacy labels to apex_system_server_data_file (b/217581286)
allow vold_prepare_subdirs { allow vold_prepare_subdirs {
apex_appsearch_data_file apex_appsearch_data_file