Properly Treble-ize tmpfs access

This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
Merged-In: I20a47d2bb22e61b16187015c7bc7ca10accf6358
(cherry picked from commit e16fb9109c)

private/audioserver.te

@@ -4,6 +4,7 @@ typeattribute audioserver coredomain;
 
 type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
 

private/compat/28.0/28.0.ignore.cil

@@ -18,6 +18,7 @@
     apexd_prop
     apexd_tmpfs
     app_zygote
+    app_zygote_tmpfs
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
@@ -76,6 +77,7 @@
     mnt_product_file
     network_stack
     network_stack_service
+    network_stack_tmpfs
     overlayfs_file
     permissionmgr_service
     recovery_socket
@@ -85,11 +87,13 @@
     rss_hwm_reset
     rss_hwm_reset_exec
     runas_app
+    runas_app_tmpfs
     runtime_service
     sensor_privacy_service
     server_configurable_flags_data_file
     simpleperf_app_runner
     simpleperf_app_runner_exec
+    su_tmpfs
     super_block_device
     system_event_log_tags_file
     system_lmk_prop

private/dexoptanalyzer.te

@@ -1,6 +1,7 @@
 # dexoptanalyzer
 type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their

private/logd.te

@@ -4,10 +4,8 @@ init_daemon_domain(logd)
 
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
 neverallow logd {
   file_type
-  -logd_tmpfs
   -runtime_event_log_tags_file
   userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };

private/mediaextractor.te

@@ -1,3 +1,4 @@
 typeattribute mediaextractor coredomain;
 
 init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)

private/mediaserver.te

@@ -1,6 +1,7 @@
 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)

private/perfetto.te

@@ -4,6 +4,7 @@
 # daemon.
 
 type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
 
 tmpfs_domain(perfetto);
 

private/recovery_persist.te

@@ -3,5 +3,4 @@ typeattribute recovery_persist coredomain;
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;

private/recovery_refresh.te

@@ -3,5 +3,4 @@ typeattribute recovery_refresh coredomain;
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;

private/system_server_startup.te

@@ -1,4 +1,5 @@
 type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
 
 tmpfs_domain(system_server_startup)
 

private/traced.te

@@ -3,9 +3,11 @@
 # type traced is defined under /public (because iorapd rules
 # under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
 
 # Allow init to exec the daemon.
 init_daemon_domain(traced)
+tmpfs_domain(traced)
 
 # Allow apps in other MLS contexts (for multi-user) to access
 # share memory buffers created by traced.

private/viewcompiler.te

@@ -1,6 +1,7 @@
 # viewcompiler
 type viewcompiler, domain, coredomain, mlstrustedsubject;
 type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by viewcompiler their

public/app_zygote.te

@@ -3,3 +3,4 @@
 # spawned from the regular zygote process as a "child zygote".
 
 type app_zygote, domain;
+type app_zygote_tmpfs, file_type;

public/audioserver.te

@@ -1,2 +1,3 @@
 # audioserver - audio services daemon
 type audioserver, domain;
+type audioserver_tmpfs, file_type;

public/bluetooth.te

@@ -1,2 +1,3 @@
 # bluetooth subsystem
 type bluetooth, domain;
+type bluetooth_tmpfs, file_type;

public/domain.te

@@ -52,6 +52,7 @@ userdebug_or_eng(`
 ')
 
 # Root fs.
+allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
 allow domain rootfs:lnk_file { read getattr };
 

public/ephemeral_app.te

@@ -12,3 +12,4 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 type ephemeral_app, domain;
+type ephemeral_app_tmpfs, file_type;

public/init.te

@@ -1,8 +1,7 @@
 # init is its own domain.
 type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
 type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
 
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

public/isolated_app.te

@@ -7,3 +7,4 @@
 ###
 
 type isolated_app, domain;
+type isolated_app_tmpfs, file_type;

public/mediaextractor.te

@@ -1,6 +1,7 @@
 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
 type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
 
 typeattribute mediaextractor mlstrustedsubject;
 

public/mediaprovider.te

@@ -4,3 +4,4 @@
 ###
 
 type mediaprovider, domain;
+type mediaprovider_tmpfs, file_type;

public/mediaserver.te

@@ -1,6 +1,7 @@
 # mediaserver - multimedia daemon
 type mediaserver, domain;
 type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
 
 typeattribute mediaserver mlstrustedsubject;
 

public/network_stack.te

@@ -1,2 +1,3 @@
 # Network stack service app
 type network_stack, domain;
+type network_stack_tmpfs, file_type;

public/nfc.te

@@ -1,2 +1,3 @@
 # nfc subsystem
 type nfc, domain;
+type nfc_tmpfs, file_type;

public/platform_app.te

@@ -3,3 +3,4 @@
 ###
 
 type platform_app, domain;
+type platform_app_tmpfs, file_type;

public/priv_app.te

@@ -3,3 +3,4 @@
 ###
 
 type priv_app, domain;
+type priv_app_tmpfs, file_type;

public/radio.te

@@ -1,5 +1,6 @@
 # phone subsystem
 type radio, domain, mlstrustedsubject;
+type radio_tmpfs, file_type;
 
 net_domain(radio)
 bluetooth_domain(radio)

public/runas_app.te

@@ -1 +1,2 @@
 type runas_app, domain;
+type runas_app_tmpfs, file_type;

public/secure_element.te

@@ -1,2 +1,3 @@
 # secure_element subsystem
 type secure_element, domain;
+type secure_element_tmpfs, file_type;

public/shared_relro.te

@@ -1,5 +1,6 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
+type shared_relro_tmpfs, file_type;
 
 # Grant write access to the shared relro files/directory.
 allow shared_relro shared_relro_file:dir rw_dir_perms;

public/shell.te

@@ -1,6 +1,7 @@
 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;
+type shell_tmpfs, file_type;
 
 # Create and use network sockets.
 net_domain(shell)

public/su.te

@@ -1,6 +1,7 @@
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
+type su_tmpfs, file_type;
 
 # File types must be defined for file_contexts.
 type su_exec, system_file_type, exec_type, file_type;

public/system_app.te

@@ -5,3 +5,4 @@
 ###
 
 type system_app, domain;
+type system_app_tmpfs, file_type;

public/system_server.te

@@ -3,3 +3,4 @@
 # Most of the framework services run in this process.
 #
 type system_server, domain;
+type system_server_tmpfs, file_type;

public/te_macros

@@ -72,13 +72,10 @@ allow $1 $2:{ file lnk_file } r_file_perms;
 
 #####################################
 # tmpfs_domain(domain)
-# Define and allow access to a unique type for
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
-# this domain when creating tmpfs / shmem / ashmem files.
 define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 allow $1 $1_tmpfs:file { read write getattr map };
-allow $1 tmpfs:dir { getattr search };
 ')
 
 # pdx macros for IPC. pdx is a high-level name which contains transport-specific
@@ -164,7 +161,6 @@ pdx_use($1, $2)
 # upon executing its binary.
 define(`init_daemon_domain', `
 domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
 ')
 
 #####################################

public/traceur_app.te

@@ -1,4 +1,5 @@
 type traceur_app, domain;
+type traceur_app_tmpfs, file_type;
 
 allow traceur_app servicemanager:service_manager list;
 allow traceur_app hwservicemanager:hwservice_manager list;

public/ueventd.te

@@ -1,6 +1,7 @@
 # ueventd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
+type ueventd_tmpfs, file_type;
 
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;

public/untrusted_app.te

@@ -19,3 +19,6 @@
 type untrusted_app, domain;
 type untrusted_app_27, domain;
 type untrusted_app_25, domain;
+type untrusted_app_tmpfs, file_type;
+type untrusted_app_27_tmpfs, file_type;
+type untrusted_app_25_tmpfs, file_type;

public/webview_zygote.te

@@ -3,3 +3,4 @@
 
 type webview_zygote, domain;
 type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;

public/zygote.te

@@ -1,3 +1,4 @@
 # zygote
 type zygote, domain;
+type zygote_tmpfs, file_type;
 type zygote_exec, system_file_type, exec_type, file_type;

vendor/hal_graphics_allocator_default.te

@@ -1,8 +1,10 @@
 type hal_graphics_allocator_default, domain;
+type hal_graphics_allocator_default_tmpfs, file_type;
 hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 
 type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
+tmpfs_domain(hal_graphics_allocator_default)
 
 # b/70180742
 dontaudit hal_graphics_allocator_default unlabeled:dir search;