Update SELinux policy for Pre-reboot Dexopt.

- Add pm.dexopt.* properties. - Add rules for running artd in chroot. Bug: 311377497 Test: manual - Run Pre-reboot Dexopt and see no denial. Change-Id: If5ff9b23e99be033f19ab257c90e0f52bf250ccf
2024-03-20 11:24:54 +00:00 · 2024-03-20 11:24:54 +00:00 · 4acd07323e
commit 4acd07323e
parent 88e37d37f1
14 changed files with 256 additions and 28 deletions
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@ -1296,3 +1296,5 @@
 /data/misc/uprobestats-configs/test                               uprobestats_configs_data_file

 /tmp                                                              shell_data_file
+
+/mnt/pre_reboot_dexopt                                            pre_reboot_dexopt_file
--- a/private/apexd.te
+++ b/private/apexd.te
@ -189,8 +189,10 @@ neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
 # A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
 # but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
 # around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+# dexopt_chroot_setup calls apexd to prepare /apex for Pre-reboot Dexopt, but it
+# needs to mount a tmpfs on /apex for apexd to work on.
 neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;

 # Allow for use in postinstall
 allow apexd otapreopt_chroot:fd use;
@ -199,6 +201,9 @@ allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
 allow apexd postinstall_apex_mnt_dir:lnk_file create;
 allow apexd proc_filesystems:file r_file_perms;

+# Allow for use in Pre-reboot Dexopt.
+allow apexd dexopt_chroot_setup:fd use;
+
 # Allow calling derive_classpath to gather BCP information for staged sessions
 domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);

--- a/private/art_exec.te
+++ b/private/art_exec.te
@ -0,0 +1,22 @@
+# A wrapper program that configures the process and executes a command.
+type art_exec, domain, coredomain;
+type art_exec_exec, system_file_type, exec_type, file_type;
+
+# Usually, this program is executed in the caller's domain. For example, it is
+# executed in the `artd` domain when artd calls it. Domain transition will take
+# place as soon as it executes other programs.
+# The only exception is when called by init. In this case, it's executed in its
+# own domain because init should never execute a program without changing to
+# another domain.
+init_daemon_domain(art_exec)
+
+# init calls this program to execute artd in a chroot environment for Pre-reboot
+# Dexopt.
+domain_auto_trans(art_exec, artd_exec, artd)
+
+# "sys_chroot" is for chroot'ing into the chroot environment, created by
+# dexopt_chroot_setup.
+allow art_exec self:global_capability_class_set sys_chroot;
+
+# Allow finding artd in the chroot dir for Pre-reboot Dexopt.
+allow art_exec pre_reboot_dexopt_file:dir search;
--- a/private/artd.te
+++ b/private/artd.te
@ -121,10 +121,9 @@ allow artd system_userdir_file:dir r_dir_perms;
 # /mnt/expand/<volume-uuid>, for cleaning up obsolete managed files.
 allow artd system_data_file:dir r_dir_perms;

-# Never allow running other binaries without a domain transition.
-# The only exception is art_exec. It is allowed to use the artd domain because
-# it is a thin wrapper that executes other binaries on behalf of artd.
-neverallow artd ~{art_exec_exec}:file execute_no_trans;
+# Allow art_exec_exec to use the artd domain because it is a thin wrapper that
+# executes other binaries on behalf of artd. Domain transition will take place
+# as soon as art_exec_exec executes other binaries.
 allow artd art_exec_exec:file rx_file_perms;

 # Allow running other binaries in their own domains.
@ -143,3 +142,43 @@ r_dir_file(artd, dex2oat);
 # artd needs to reopen a memfd with readonly in order to pass it to subprocesses
 # that don't have write permissions on memfds.
 allow artd artd_tmpfs:file open;
+
+# For Pre-reboot Dexopt.
+
+# Allow init to execute artd through art_exec.
+allow artd art_exec:fd use;
+
+# During Pre-reboot Dexopt, artd needs one more capability:
+# - "sys_admin" is for bind-mounting temp dirs at
+#   /data/misc/apexdata/com.android.art and /data/misc/odrefresh, to run
+#   odrefresh innocuously (in a way that doesn't affect the real boot images,
+#   metrics, etc.).
+allow artd self:global_capability_class_set sys_admin;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
+domain_auto_trans(artd, odrefresh_exec, odrefresh)
+
+# Allow accessing Pre-reboot Dexopt files.
+allow artd pre_reboot_dexopt_file:dir { getattr search };
+
+# Allow reading /init.environ.rc in chroot, to extract env vars from it.
+allow artd rootfs:file { read open getattr };
+
+# Allow managing Pre-reboot Dexopt temp files.
+# The root of the temp dir that artd uses during Pre-reboot Dexopt is labeled
+# pre_reboot_dexopt_artd_file. Inside the temp dir, we create files and dirs and
+# relabel them after creation, so we need relabelfrom.
+allow artd pre_reboot_dexopt_artd_file:dir { create_dir_perms relabelfrom };
+allow artd pre_reboot_dexopt_artd_file:file { create_file_perms relabelfrom };
+
+# Allow bind-mounting at /data/misc/apexdata/com.android.art and
+# /data/misc/odrefresh and restorecon, to run odrefresh innocuously.
+allow artd { apex_art_data_file odrefresh_data_file }:dir relabelto;
+allow artd { apex_art_data_file odrefresh_data_file pre_reboot_dexopt_artd_file }:dir mounton;
+
+# Neverallow rules.
+
+# Never allow running other binaries without a domain transition.
+# The exception for art_exec_exec is explained above.
+neverallow artd ~{art_exec_exec}:file execute_no_trans;
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@ -24,3 +24,9 @@ allow derive_classpath postinstall_dexopt:fd use;
 allow derive_classpath postinstall_dexopt:file read;
 allow derive_classpath postinstall_dexopt:lnk_file read;
 allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
+
+# Allow to be called by artd in Pre-reboot Dexopt.
+allow derive_classpath artd:fd use;
+
+# Allow writing to Pre-reboot Dexopt temp files.
+allow derive_classpath pre_reboot_dexopt_artd_file:file { open read write };
--- a/private/dexopt_chroot_setup.te
+++ b/private/dexopt_chroot_setup.te
@ -1,3 +1,4 @@
+# A service that sets up the chroot environment for Pre-reboot Dexopt.
 type dexopt_chroot_setup, domain, coredomain;
 type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
 type dexopt_chroot_setup_tmpfs, file_type;
@ -10,10 +11,10 @@ allow dexopt_chroot_setup dumpstate:fd use;

 init_daemon_domain(dexopt_chroot_setup)

-# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexopt_chroot_setup vs other
-# processes.
+# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup
+# their own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexopt_chroot_setup vs
+# other processes.
 tmpfs_domain(dexopt_chroot_setup)

 # libart (mark_compact.cc) has some intialization code that touches the cache
@ -21,3 +22,118 @@ tmpfs_domain(dexopt_chroot_setup)
 allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
 r_dir_file(dexopt_chroot_setup, apex_art_data_file)
 userfaultfd_use(dexopt_chroot_setup)
+
+# Allow getting root capabilities to bypass permission checks.
+# - "sys_admin" is for performing mount and umount.
+# - "sys_chroot" is for performing chroot.
+allow dexopt_chroot_setup self:global_capability_class_set { sys_admin sys_chroot };
+
+# Allow managing its own files.
+# The root of the temp dir that dexopt_chroot_setup uses is labeled
+# pre_reboot_dexopt_file.
+allow dexopt_chroot_setup pre_reboot_dexopt_file:dir create_dir_perms;
+allow dexopt_chroot_setup pre_reboot_dexopt_file:file create_file_perms;
+
+# Allow accessing /proc/filesystems.
+allow dexopt_chroot_setup proc_filesystems:file r_file_perms;
+
+# Allow accessing block devices (/dev/block/...).
+allow dexopt_chroot_setup block_device:dir { getattr search };
+
+# Allow mounting file systems, to create a chroot environment.
+allow dexopt_chroot_setup {
+  apex_mnt_dir
+  binderfs
+  cgroup
+  cgroup_v2
+  debugfs_tracing_debug
+  device
+  devpts
+  fs_bpf
+  fusectlfs
+  linkerconfig_file
+  metadata_file
+  mnt_expand_file
+  pre_reboot_dexopt_file
+  proc
+  pstorefs
+  rootfs
+  selinuxfs
+  sysfs
+  system_data_file
+  system_data_root_file
+  system_file
+  tmpfs
+  vendor_file
+}:dir mounton;
+
+allow dexopt_chroot_setup { tmpfs labeledfs }:filesystem mount;
+
+allow dexopt_chroot_setup {
+  binderfs
+  cgroup
+  cgroup_v2
+  debugfs_tracing_debug
+  devpts
+  fs_bpf
+  fusectlfs
+  labeledfs
+  proc
+  pstorefs
+  selinuxfs
+  sysfs
+  tmpfs
+}:filesystem unmount;
+
+# Allow reading /apex in chroot.
+r_dir_file(dexopt_chroot_setup, apex_mnt_dir)
+allow dexopt_chroot_setup apex_info_file:file r_file_perms;
+
+# Allow writing an empty linker config in chroot to suppress linker warnings.
+# The empty linker config is used until linkerconfig has run.
+# In chroot, we're reusing the type outside the chroot, to reuse all the rules
+# for it for other domains, even though we're not changing the real linker
+# config outside the chroot.
+allow dexopt_chroot_setup linkerconfig_file:dir { write add_name };
+allow dexopt_chroot_setup linkerconfig_file:file { create write };
+
+# Allow using the `rootcontext=` option when mounting tmpfs, so we can give the
+# right labels to /apex, /linkerconfig, /mnt/artd_tmp in chroot.
+# Combined with `allow file_type tmpfs:filesystem associate;`, this allows
+# giving any labels to any tmpfs filesystems as soon as they are mounted.
+# Note that those tmpfs filesystems are known to be empty at the time where the
+# labels are given, and this rule doesn't allow relabeling any existing tmpfs.
+allow dexopt_chroot_setup tmpfs:filesystem relabelfrom;
+
+# Allow executing art_exec_exec without a domain transition because it is a thin
+# wrapper that executes other binaries on behalf of dexopt_chroot_setup. Domain
+# transition will take place as soon as art_exec_exec executes other binaries.
+allow dexopt_chroot_setup art_exec_exec:file rx_file_perms;
+
+# Allow running other binaries in their own domains.
+domain_auto_trans(dexopt_chroot_setup, apexd_exec, apexd)
+domain_auto_trans(dexopt_chroot_setup, linkerconfig_exec, linkerconfig)
+
+# Allow running snapshotctl through init, to map and unmap block devices.
+set_prop(dexopt_chroot_setup, snapshotctl_prop)
+
+# Neverallow rules.
+
+# Never allow running other binaries without a domain transition.
+# The exception for art_exec_exec is explained above.
+neverallow dexopt_chroot_setup ~{art_exec_exec}:file execute_no_trans;
+
+# Given how powerful this domain is, it shouldn't be used for other purposes.
+neverallow { domain -init } dexopt_chroot_setup:process transition;
+neverallow * dexopt_chroot_setup:process dyntransition;
+
+# Never allow other processes to access the temp dirs for Pre-reboot Dexopt.
+neverallow {
+  domain
+  -art_exec
+  -artd
+  -dexopt_chroot_setup
+  -init
+  -system_server
+  -vendor_init
+} pre_reboot_dexopt_file:dir *;
--- a/private/domain.te
+++ b/private/domain.te
@ -190,6 +190,7 @@ allow {
  -webview_zygote
  -system_server
  -artd
+  -dexopt_chroot_setup
  -audioserver
  -cameraserver
  -mediadrmserver
@ -526,6 +527,7 @@ neverallow ~{
 neverallow {
    domain
    -apexd
+    -dexopt_chroot_setup
    recovery_only(`-fastbootd')
    -init
    -kernel
@ -676,7 +678,7 @@ neverallow domain mlsvendorcompat:process fork;

 # Only init and otapreopt_chroot should be mounting filesystems on locations
 # labeled system or vendor (/product and /vendor respectively).
-neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+neverallow { domain -dexopt_chroot_setup -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

 # Only allow init and vendor_init to read/write mm_events properties
 # NOTE: dumpstate is allowed to read any system property
@ -829,3 +831,5 @@ neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file
 neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
 neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;

+neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
+neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
--- a/private/file.te
+++ b/private/file.te
@ -132,11 +132,6 @@ type compos_exec, exec_type, file_type, system_file_type;
 # /apex/com.android.compos/bin/compos_key_helper
 type compos_key_helper_exec, exec_type, file_type, system_file_type;

-# /apex/com.android.art/bin/art_exec
-# This executable does not have its own domain because it is executed in the caller's domain. For
-# example, it is executed in the `artd` domain when artd calls it.
-type art_exec_exec, system_file_type, exec_type, file_type;
-
 # Filesystem entry for for PRNG seeder socket.  Processes require
 # write permission on this to connect, and needs to be mlstrustedobject
 # in to satisfy MLS constraints for trusted domains.
@ -163,3 +158,10 @@ type vendor_aconfig_storage_file, vendor_file_type, file_type;

 # /data/misc/connectivityblobdb
 type connectivityblob_data_file, file_type, data_file_type, core_data_file_type;
+
+# Type for /mnt/pre_reboot_dexopt
+type pre_reboot_dexopt_file, file_type;
+
+# Type for /mnt/artd_tmp in the Pre-reboot Dexopt chroot
+# This type is set on the directory through the `rootcontext=` mount option.
+type pre_reboot_dexopt_artd_file, file_type;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -902,3 +902,12 @@
 /(system|product)/bin/check_dynamic_partitions  u:object_r:postinstall_exec:s0
 /(system|product)/bin/otapreopt_script          u:object_r:postinstall_exec:s0
 /(system|product)/bin/otapreopt                 u:object_r:postinstall_dexopt_exec:s0
+
+#############################
+# For Pre-reboot Dexopt (see art/dexopt_chroot_setup/README.md)
+
+# Managed by dexopt_chroot_setup.
+# Note that pre_reboot_dexopt_file also applies to any tmpfs mounted by
+# dexopt_chroot_setup inside chroot, in addition to the files and directories
+# matching the pattern below.
+/mnt/pre_reboot_dexopt(/.*)?  u:object_r:pre_reboot_dexopt_file:s0
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@ -27,4 +27,13 @@ allow linkerconfig otapreopt_chroot:fd use;
 allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
 allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;

-neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
+# Allow for use in Pre-reboot Dexopt.
+allow linkerconfig dexopt_chroot_setup:fd use;
+
+neverallow {
+  domain
+  -dexopt_chroot_setup
+  -init
+  -linkerconfig
+  -otapreopt_chroot
+} linkerconfig_exec:file no_x_file_perms;
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@ -51,17 +51,28 @@ dontaudit odrefresh { adbd shell }:fd use;
 dontaudit odrefresh devpts:chr_file rw_file_perms;
 dontaudit odrefresh adbd:unix_stream_socket { getattr read write };

-# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open;
-
-# No processes other than init, odrefresh and system_server access
-# odrefresh_data_files.
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
 # Read access to SELinux context files, for restorecon.
 allow odrefresh file_contexts_file:file r_file_perms;
 allow odrefresh seapp_contexts_file:file r_file_perms;

 # Check validity of SELinux context, for restorecon.
 selinux_check_context(odrefresh)
+
+# odrefresh iterates over all properties to find the ones that it's interested
+# in. It's okay to ignore denials on other properties.
+dontaudit odrefresh property_type:file r_file_perms;
+
+# Allow to be called by artd in Pre-reboot Dexopt.
+allow odrefresh artd:fd use;
+
+# Neverallow rules.
+
+# No other processes should be creating files in the staging area.
+neverallow { domain -init -odrefresh -compos_fd_server } apex_art_staging_data_file:file open;
+
+# No processes other than init, odrefresh, system_server, and artd access
+# odrefresh_data_files.
+# Among those, artd only needs to bind-mount /data/misc/odrefresh, but doesn't
+# need to access the files.
+neverallow { domain -init -odrefresh -system_server -artd } odrefresh_data_file:dir *;
+neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
--- a/private/property_contexts
+++ b/private/property_contexts
@ -675,9 +675,11 @@ pm.dexopt.boot-after-ota                                u:object_r:exported_pm_p
 pm.dexopt.boot-after-ota.concurrency                    u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.boot-after-mainline-update                    u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.boot-after-mainline-update.concurrency        u:object_r:exported_pm_prop:s0 exact int
-
 pm.dexopt.post-boot                                     u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.post-boot.concurrency                         u:object_r:exported_pm_prop:s0 exact int
 pm.dexopt.ab-ota                                        u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.ab-ota.concurrency                            u:object_r:exported_pm_prop:s0 exact int
+
 pm.dexopt.cmdline                                       u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.inactive                                      u:object_r:exported_pm_prop:s0 exact string
 pm.dexopt.install                                       u:object_r:exported_pm_prop:s0 exact string
--- a/private/system_server.te
+++ b/private/system_server.te
@ -1618,3 +1618,7 @@ get_prop(system_server, pm_archiving_enabled_prop)
 # Do not allow any domain other than init or system server to get or set the property
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
+
+# Allow accessing /mnt/pre_reboot_dexopt/chroot, to load the new service-art.jar
+# in Pre-reboot Dexopt.
+allow system_server pre_reboot_dexopt_file:dir { getattr search };
--- a/public/domain.te
+++ b/public/domain.te
@ -1069,9 +1069,6 @@ neverallow * self:process { execstack execheap };
 # and modification of executable pages are unsafe.
 neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;

-neverallow { domain -init } proc:{ file dir } mounton;
-neverallow { domain -init -zygote } proc_type:{ file dir } mounton;
-
 # Ensure that all types assigned to processes are included
 # in the domain attribute, so that all allow and neverallow rules
 # written on domain are applied to all processes.