From 41a2abfc0d8038802d75205168ab1769d812bdc9 Mon Sep 17 00:00:00 2001 
From: Jeff Vander Stoep Date: Wed, 23 Jan 2019 15:07:40 -0800 Subject: [PATCH] Properly Treble-ize tmpfs access This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358 Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358 (cherry picked from commit e16fb9109c678f47aa7698605477d9a6baf398fb) --- private/audioserver.te | 1 + private/compat/28.0/28.0.ignore.cil | 4 ++++ private/dexoptanalyzer.te | 1 + private/logd.te | 2 -- private/mediaextractor.te | 1 + private/mediaserver.te | 1 + private/perfetto.te | 1 + private/recovery_persist.te | 3 +-- private/recovery_refresh.te | 3 +-- private/system_server_startup.te | 1 + private/traced.te | 2 ++ private/viewcompiler.te | 1 + public/app_zygote.te | 1 + public/audioserver.te | 1 + public/bluetooth.te | 1 + public/domain.te | 1 + public/ephemeral_app.te | 1 + public/init.te | 3 +-- public/isolated_app.te | 1 + public/mediaextractor.te | 1 + public/mediaprovider.te | 1 + public/mediaserver.te | 1 + public/network_stack.te | 1 + public/nfc.te | 1 + public/platform_app.te | 1 + public/priv_app.te | 1 + public/radio.te | 1 + public/runas_app.te | 1 + public/secure_element.te | 1 + public/shared_relro.te | 1 + public/shell.te | 1 + public/su.te | 1 + public/system_app.te | 1 + public/system_server.te | 1 + public/te_macros | 6 +----- public/traceur_app.te 
| 1 + public/ueventd.te | 1 + public/untrusted_app.te | 3 +++ public/webview_zygote.te | 1 + public/zygote.te | 1 + vendor/hal_graphics_allocator_default.te | 2 ++ 41 files changed, 47 insertions(+), 13 deletions(-)
diff --git a/private/audioserver.te b/private/audioserver.te
index 53b62998b..29933ba73 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -4,6 +4,7 @@ typeattribute audioserver coredomain;
 type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
 r_dir_file(audioserver, sdcard_type)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index a8a833a32..e8ac33604 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
 apexd_prop
 apexd_tmpfs
 app_zygote
+ app_zygote_tmpfs
 biometric_service
 bpf_progs_loaded_prop
 bugreport_service
@@ -76,6 +77,7 @@
 mnt_product_file
 network_stack
 network_stack_service
+ network_stack_tmpfs
 overlayfs_file
 permissionmgr_service
 recovery_socket
@@ -85,11 +87,13 @@
 rss_hwm_reset
 rss_hwm_reset_exec
 runas_app
+ runas_app_tmpfs
 runtime_service
 sensor_privacy_service
 server_configurable_flags_data_file
 simpleperf_app_runner
 simpleperf_app_runner_exec
+ su_tmpfs
 super_block_device
 system_event_log_tags_file
 system_lmk_prop
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 212608bca..ab2412022 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,6 +1,7 @@
 # dexoptanalyzer
 type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
diff --git a/private/logd.te b/private/logd.te
index 4338e4005..321727baf 100644
--- a/private/logd.te
+++ b/private/logd.te
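Review bot: Only four *_tmpfs types (app_zygote_tmpfs, network_stack_tmpfs, runas_app_tmpfs, su_tmpfs) are added to the 28.0 ignore list, while the commit declares roughly thirty *_tmpfs types in public policy. The rest presumably already exist in the 28.0 compat mapping because the old tmpfs_domain() macro declared them privately, but nothing in these hunks or the commit message records that rule, and su_tmpfs is the odd one out since su itself is not a new domain. Worth confirming each omitted type against the 28.0 mapping with the compat tests, since a type that is missing from both the mapping and the ignore list breaks the vendor-compat build rather than device boot, which is all the Test: line covers.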
@@ -4,10 +4,8 @@ init_daemon_domain(logd)
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
 neverallow logd {
 file_type
- -logd_tmpfs
 -runtime_event_log_tags_file
 userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index c1a85219c..eb90cdc81 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,4 @@
 typeattribute mediaextractor coredomain;
 init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4c30bc027..b1cf64ad2 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,6 +1,7 @@
 typeattribute mediaserver coredomain;
 init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/perfetto.te b/private/perfetto.te
index 2e43d9015..128205b0d 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -4,6 +4,7 @@
 # daemon.
 type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
 tmpfs_domain(perfetto);
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 1fdd7583d..2d244fd59 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -3,5 +3,4 @@ typeattribute recovery_persist coredomain;
 init_daemon_domain(recovery_persist)
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
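Review bot: Dropping `-logd_tmpfs` from the neverallow is only sound because init_daemon_domain() no longer expands tmpfs_domain(), so logd_tmpfs ceases to exist; if tmpfs_domain(logd) is ever added back the exclusion must return or the neverallow fails at compile time, and the deleted TODO was the only hint of that coupling. The same applies to the recovery_persist neverallow later in this hunk group and to recovery_refresh in the next one. A side effect worth stating is that any file these daemons create on tmpfs is now labeled plain tmpfs and is therefore denied by the neverallow itself, which is presumably intended since none of them should be using shared memory. Rather than deleting the TODO outright, a replacement such as `# logd has no logd_tmpfs type: init_daemon_domain() no longer implies tmpfs_domain()` keeps the reason visible.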
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index 327098dad..b6cd56f9b 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -3,5 +3,4 @@ typeattribute recovery_refresh coredomain;
 init_daemon_domain(recovery_refresh)
 # recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 4bd10c82c..bd7b2c089 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -1,4 +1,5 @@
 type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
 tmpfs_domain(system_server_startup)
diff --git a/private/traced.te b/private/traced.te
index f58aa0fe4..fb8465c89 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,9 +3,11 @@
 # type traced is defined under /public (because iorapd rules
 # under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
 # Allow init to exec the daemon.
 init_daemon_domain(traced)
+tmpfs_domain(traced)
 # Allow apps in other MLS contexts (for multi-user) to access
 # share memory buffers created by traced.
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
index 14009c606..3c9c1ee03 100644
--- a/private/viewcompiler.te
+++ b/private/viewcompiler.te
@@ -1,6 +1,7 @@
 # viewcompiler
 type viewcompiler, domain, coredomain, mlstrustedsubject;
 type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
diff --git a/public/app_zygote.te b/public/app_zygote.te
index 0d5fec142..4c1ec9652 100644
--- a/public/app_zygote.te
+++ b/public/app_zygote.te
@@ -3,3 +3,4 @@
 # spawned from the regular zygote process as a "child zygote".
 type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
diff --git a/public/audioserver.te b/public/audioserver.te
index 9a7285821..2ad86e3d0 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -1,2 +1,3 @@
 # audioserver - audio services daemon
 type audioserver, domain;
+type audioserver_tmpfs, file_type;
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 9b3442aa5..28a169fa8 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,2 +1,3 @@
 # bluetooth subsystem
 type bluetooth, domain;
+type bluetooth_tmpfs, file_type;
diff --git a/public/domain.te b/public/domain.te
index a073f03e9..1816c81a1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -52,6 +52,7 @@ userdebug_or_eng(`
 ')
 # Root fs.
+allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
 allow domain rootfs:lnk_file { read getattr };
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index dc39a22b5..5993c0be3 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,3 +12,4 @@
 ### PackageManager flags an app as ephemeral at install time.
 type ephemeral_app, domain;
+type ephemeral_app_tmpfs, file_type;
diff --git a/public/init.te b/public/init.te
index baf5333e4..63edb206e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -1,8 +1,7 @@
 # init is its own domain.
 type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
 type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
diff --git a/public/isolated_app.te b/public/isolated_app.te
index a907dacc2..584d74375 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
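Review bot: `allow domain tmpfs:dir { getattr search };` in the domain.te hunk turns a grant that tmpfs_domain() previously emitted only for its callers into a blanket rule for every domain, including untrusted apps and vendor domains, with no comment saying why, and it is filed under the `# Root fs.` heading where it does not belong. The broadening looks benign because it is directory lookup only and creating or opening a file on tmpfs still requires the per-domain *_tmpfs type, but that reasoning should be written down. Suggest giving the rule its own heading, e.g. `# All domains may look up tmpfs directories (moved out of tmpfs_domain()); file access is still governed by each domain's *_tmpfs type.`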
@@ -7,3 +7,4 @@
 ###
 type isolated_app, domain;
+type isolated_app_tmpfs, file_type;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 4edab558f..ee5534c23 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -1,6 +1,7 @@
 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
 type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
 typeattribute mediaextractor mlstrustedsubject;
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
index 24170a5cf..90eb05362 100644
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@@ -4,3 +4,4 @@
 ###
 type mediaprovider, domain;
+type mediaprovider_tmpfs, file_type;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 540c039ef..ee2d2ecb5 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -1,6 +1,7 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
 type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
 typeattribute mediaserver mlstrustedsubject;
diff --git a/public/network_stack.te b/public/network_stack.te
index feff66460..61a40b018 100644
--- a/public/network_stack.te
+++ b/public/network_stack.te
@@ -1,2 +1,3 @@
 # Network stack service app
 type network_stack, domain;
+type network_stack_tmpfs, file_type;
diff --git a/public/nfc.te b/public/nfc.te
index e3a03e796..5c1aa24a5 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,2 +1,3 @@
 # nfc subsystem
 type nfc, domain;
+type nfc_tmpfs, file_type;
diff --git a/public/platform_app.te b/public/platform_app.te
index 9b1faf0f6..b7d783dd8 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,3 +3,4 @@
 ###
 type platform_app, domain;
+type platform_app_tmpfs, file_type;
diff --git a/public/priv_app.te b/public/priv_app.te
index 0761fc30f..7c7dd12d2 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -3,3 +3,4 @@
 ###
 type priv_app, domain;
+type priv_app_tmpfs, file_type;
diff --git a/public/radio.te b/public/radio.te
index 8a8bef386..bbaa7527f 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,5 +1,6 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
+type radio_tmpfs, file_type;
 net_domain(radio)
 bluetooth_domain(radio)
diff --git a/public/runas_app.te b/public/runas_app.te
index cdaa799c9..ff03940db 100644
--- a/public/runas_app.te
+++ b/public/runas_app.te
@@ -1 +1,2 @@
 type runas_app, domain;
+type runas_app_tmpfs, file_type;
diff --git a/public/secure_element.te b/public/secure_element.te
index 4ce6714f6..985c66df4 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,2 +1,3 @@
 # secure_element subsystem
 type secure_element, domain;
+type secure_element_tmpfs, file_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8e58e421a..422a375bf 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,5 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
+type shared_relro_tmpfs, file_type;
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/shell.te b/public/shell.te
index 7201df0ec..1c30d7aa7 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,6 +1,7 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
+type shell_tmpfs, file_type;
 # Create and use network sockets.
 net_domain(shell)
diff --git a/public/su.te b/public/su.te
index e09248b25..41ae4ef77 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,6 +1,7 @@
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
+type su_tmpfs, file_type;
 # File types must be defined for file_contexts.
 type su_exec, system_file_type, exec_type, file_type;
diff --git a/public/system_app.te b/public/system_app.te
index 023058ee0..da781bc29 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -5,3 +5,4 @@
 ###
 type system_app, domain;
+type system_app_tmpfs, file_type;
diff --git a/public/system_server.te b/public/system_server.te
index 805d6175d..aa9c6c16d 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -3,3 +3,4 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
+type system_server_tmpfs, file_type;
diff --git a/public/te_macros b/public/te_macros
index ca6070b61..4195b884d 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -72,13 +72,10 @@ allow $1 $2:{ file lnk_file } r_file_perms;
 #####################################
 # tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
 define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 allow $1 $1_tmpfs:file { read write getattr map };
-allow $1 tmpfs:dir { getattr search };
 ')
 # pdx macros for IPC. pdx is a high-level name which contains transport-specific
@@ -164,7 +161,6 @@ pdx_use($1, $2)
 # upon executing its binary.
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
 ')
 #####################################
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 0bce88536..339657058 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
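Review bot: The rewritten tmpfs_domain() comment in the te_macros hunk describes what the macro allows but not that the `type $1_tmpfs, file_type;` declaration has moved out of it, so a caller now has an undocumented obligation: any device or vendor policy outside this tree that invokes tmpfs_domain(foo) without its own type line will fail policy compilation on an undeclared type, and the only callers fixed up here are the in-tree ones. The second hunk compounds this by removing tmpfs_domain($1) from init_daemon_domain(), so every init-launched daemon that is not explicitly re-added elsewhere in the commit loses its private tmpfs label and falls back to the shared tmpfs type, which is a behaviour change the init_daemon_domain() comment (partly outside this hunk) still does not mention. Suggest extending the macro comment with `# The caller must declare $1_tmpfs itself (type $1_tmpfs, file_type;), in public policy if the type must be visible across the Treble boundary; init_daemon_domain() no longer includes this macro.`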
@@ -1,4 +1,5 @@
 type traceur_app, domain;
+type traceur_app_tmpfs, file_type;
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;
diff --git a/public/ueventd.te b/public/ueventd.te
index cc4e30bf5..db02d3fed 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,7 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
+type ueventd_tmpfs, file_type;
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 5289bf96b..3843f551c 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -19,3 +19,6 @@
 type untrusted_app, domain;
 type untrusted_app_27, domain;
 type untrusted_app_25, domain;
+type untrusted_app_tmpfs, file_type;
+type untrusted_app_27_tmpfs, file_type;
+type untrusted_app_25_tmpfs, file_type;
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 5d19b3226..ace3a013e 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -3,3 +3,4 @@
 type webview_zygote, domain;
 type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;
diff --git a/public/zygote.te b/public/zygote.te
index 85c358004..071354e82 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -1,3 +1,4 @@
 # zygote
 type zygote, domain;
+type zygote_tmpfs, file_type;
 type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 3d97ed04c..a129ad431 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,8 +1,10 @@
 type hal_graphics_allocator_default, domain;
+type hal_graphics_allocator_default_tmpfs, file_type;
 hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
+tmpfs_domain(hal_graphics_allocator_default)
 # b/70180742
 dontaudit hal_graphics_allocator_default unlabeled:dir search;