tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add rules for calling ReadDefaultFstab()

Browse source 
Grant ReadDefaultFstab() callers
  allow scontext { metadata_file gsi_metadata_file_type }:dir search;
  allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.

Also tighten the neverallow rules in gsid.te.

Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
This commit is contained in:
Yi-Yo Chiang 2021-03-22 13:46:12 +08:00
parent 4d8f634987
commit 5854941f63
7 changed files with 13 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
private/gsid.te
View file

@ -166,8 +166,6 @@ neverallow {
-init -init
-gsid -gsid
-fastbootd -fastbootd
-recovery
-vold
} gsi_metadata_file_type:dir no_w_dir_perms; } gsi_metadata_file_type:dir no_w_dir_perms;
neverallow { neverallow {
@ -175,7 +173,6 @@ neverallow {
-init -init
-gsid -gsid
-fastbootd -fastbootd
-vold
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *; } { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow { neverallow {
@ -183,7 +180,6 @@ neverallow {
-init -init
-gsid -gsid
-fastbootd -fastbootd
-vold
} gsi_public_metadata_file:file_class_set ~{ r_file_perms }; } gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type. # Prevent apps from accessing gsi_metadata_file_type.
@ -193,15 +189,7 @@ neverallow {
domain domain
-init -init
-gsid -gsid
} gsi_data_file:dir *; } gsi_data_file:dir_file_class_set *;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_data_file:file_class_set *;
neverallow { neverallow {
domain domain

7
private/lpdumpd.te
View file

@ -16,12 +16,7 @@ allow lpdumpd super_block_device_type:blk_file r_file_perms;
# Allow lpdumpd to read fstab. # Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms; allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms; allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
read_fstab(lpdumpd)
# Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms;
dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
### Neverallow rules ### Neverallow rules

5
public/uncrypt.te
View file

@ -38,6 +38,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys # Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android) r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call. # Allow ReadDefaultFstab().
dontaudit uncrypt gsi_metadata_file_type:dir search; read_fstab(uncrypt)
dontaudit uncrypt metadata_file:dir search;

7
public/update_engine.te
View file

@ -64,12 +64,11 @@ allow update_engine proc_misc:file r_file_perms;
# read directories on /system and /vendor # read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms; allow update_engine system_file:dir r_dir_perms;
# Allow ReadDefaultFstab().
# update_engine tries to determine the parent path for all devices (e.g. # update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc # /dev/block/by-name) by reading the default fstab and looking for the misc
# device. ReadDefaultFstab() checks whether a GSI is running by checking # device.
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny read_fstab(update_engine)
# the access.
dontaudit update_engine gsi_metadata_file_type:dir search;
# Allow to write to snapshotctl_log logs. # Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed. # TODO(b/148818798) revert when parent bug is fixed.

5
public/vendor_misc_writer.te
View file

@ -8,8 +8,9 @@ allow vendor_misc_writer block_device:dir r_dir_perms;
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to # Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab. # load DT fstab.
dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms; dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search; dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms; dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
# Allow ReadDefaultFstab().
read_fstab(vendor_misc_writer)

5
public/vold.te
View file

@ -293,9 +293,8 @@ allow vold mnt_vendor_file:dir search;
dontaudit vold self:global_capability_class_set sys_resource; dontaudit vold self:global_capability_class_set sys_resource;
# vold needs to know whether we're running a GSI. # Allow ReadDefaultFstab().
allow vold gsi_metadata_file_type:dir r_dir_perms; read_fstab(vold)
allow vold gsi_metadata_file_type:file r_file_perms;
# vold might need to search loopback apex files # vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms; allow vold vendor_apex_file:file r_file_perms;

5
vendor/hal_bootctl_default.te vendored
View file

@ -9,10 +9,7 @@ init_daemon_domain(hal_bootctl_default)
allow hal_bootctl_default proc_cmdline:file r_file_perms; allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search; allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms; allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
read_fstab(hal_bootctl_default)
# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
# a GSI-corrected fstab.
dontaudit hal_bootctl_default metadata_file:dir search;
# Needed for reading/writing misc partition. # Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search; allow hal_bootctl_default block_device:dir search;