Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd can now perform the following operations on the app data directory: mount on it; create directories in it; mount a directory for each app's data, and get/set attributes. Bug: 143937733 Test: No denials at boot Test: No denials seen when creating mounts Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
This commit is contained in:
parent
e8419e5832
commit
5b1b423039
8 changed files with 55 additions and 0 deletions
|
@ -35,6 +35,7 @@
|
||||||
mediatranscoding
|
mediatranscoding
|
||||||
mediatranscoding_exec
|
mediatranscoding_exec
|
||||||
mediatranscoding_tmpfs
|
mediatranscoding_tmpfs
|
||||||
|
mirror_data_file
|
||||||
linker_prop
|
linker_prop
|
||||||
linkerconfig_file
|
linkerconfig_file
|
||||||
mock_ota_prop
|
mock_ota_prop
|
||||||
|
|
|
@ -147,6 +147,7 @@ neverallow {
|
||||||
-runas
|
-runas
|
||||||
-system_server
|
-system_server
|
||||||
-viewcompiler
|
-viewcompiler
|
||||||
|
-zygote
|
||||||
} { privapp_data_file app_data_file }:dir *;
|
} { privapp_data_file app_data_file }:dir *;
|
||||||
|
|
||||||
# Only apps should be modifying app data. installd is exempted for
|
# Only apps should be modifying app data. installd is exempted for
|
||||||
|
@ -328,3 +329,11 @@ neverallow {
|
||||||
-hal_bootctl_server
|
-hal_bootctl_server
|
||||||
-fastbootd
|
-fastbootd
|
||||||
} self:global_capability_class_set sys_rawio;
|
} self:global_capability_class_set sys_rawio;
|
||||||
|
|
||||||
|
# Limit directory operations that doesn't need to do app data isolation.
|
||||||
|
neverallow {
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-installd
|
||||||
|
-zygote
|
||||||
|
} mirror_data_file:dir *;
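Review bot: Adding `-zygote` to the exemption list in the first hunk lifts the domain-wide `{ privapp_data_file app_data_file }:dir *` restriction for zygote without a comment, and the actual narrowing to getattr lives in a separate neverallow in zygote.te, so a reader of this file cannot tell what zygote is permitted to do with app data; a one-line comment next to the exemption, e.g. `# zygote only needs getattr on app data dirs for app data isolation mounts; see the neverallow in zygote.te`, keeps the intent visible where the exemption is made. The new neverallow in the last hunk covers only the `dir` class of mirror_data_file; nothing in this commit grants file or lnk_file access on that type, so that appears adequate, but the comment above it should state that /data_mirror is expected to hold directories only, otherwise the rule should be widened. The comment `# Limit directory operations that doesn't need to do app data isolation.` also reads oddly; `# Limit directory operations on /data_mirror to the domains that implement app data isolation.` states the rule's purpose directly.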
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
/lost\+found u:object_r:rootfs:s0
|
/lost\+found u:object_r:rootfs:s0
|
||||||
/acct u:object_r:cgroup:s0
|
/acct u:object_r:cgroup:s0
|
||||||
/config u:object_r:rootfs:s0
|
/config u:object_r:rootfs:s0
|
||||||
|
/data_mirror u:object_r:mirror_data_file:s0
|
||||||
/debug_ramdisk u:object_r:tmpfs:s0
|
/debug_ramdisk u:object_r:tmpfs:s0
|
||||||
/mnt u:object_r:tmpfs:s0
|
/mnt u:object_r:tmpfs:s0
|
||||||
/postinstall u:object_r:postinstall_mnt_dir:s0
|
/postinstall u:object_r:postinstall_mnt_dir:s0
|
||||||
|
|
|
@ -64,12 +64,16 @@ dontaudit gmscore_app sysfs_loop:file r_file_perms;
|
||||||
dontaudit gmscore_app wifi_prop:file r_file_perms;
|
dontaudit gmscore_app wifi_prop:file r_file_perms;
|
||||||
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
|
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
|
||||||
|
|
||||||
|
|
||||||
# Attempts to write to system_data_file is generally a sign
|
# Attempts to write to system_data_file is generally a sign
|
||||||
# that apps are attempting to access encrypted storage before
|
# that apps are attempting to access encrypted storage before
|
||||||
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
|
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
|
||||||
# denial to prevent apps from spamming the logs.
|
# denial to prevent apps from spamming the logs.
|
||||||
dontaudit gmscore_app system_data_file:dir write;
|
dontaudit gmscore_app system_data_file:dir write;
|
||||||
|
|
||||||
|
# suppress denials for scanning /data_mirror
|
||||||
|
dontaudit gmscore_app mirror_data_file:dir search;
|
||||||
|
|
||||||
# Access the network
|
# Access the network
|
||||||
net_domain(gmscore_app)
|
net_domain(gmscore_app)
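Review bot: The new `dontaudit gmscore_app mirror_data_file:dir search;` silences exactly the denial that the new mirror_data_file neverallow in domain.te is meant to produce, and the comment `# suppress denials for scanning /data_mirror` does not say why gmscore_app touches that path or reference the bug, so a later reader may be tempted to turn the dontaudit into an allow, which the neverallow would reject at build time. Suggest expanding the comment to record that the access is intentionally denied and only the log noise is suppressed, e.g. `# gmscore_app presumably hits /data_mirror while scanning top-level dirs; access is neverallowed, only the denial log is suppressed (b/<bug-id>)`. A dontaudit also hides the denial from audit-based monitoring, so the scope should stay at `search` only, as written.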
|
||||||
|
|
||||||
|
|
|
@ -50,6 +50,29 @@ allow zygote resourcecache_data_file:file create_file_perms;
|
||||||
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
|
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
|
||||||
allow zygote dalvikcache_data_file:file execute;
|
allow zygote dalvikcache_data_file:file execute;
|
||||||
|
|
||||||
|
# Bind mount on /data/data and mounted volumes
|
||||||
|
allow zygote { system_data_file mnt_expand_file }:dir mounton;
|
||||||
|
|
||||||
|
# Create and bind dirs on /data/data
|
||||||
|
allow zygote tmpfs:dir { create_dir_perms mounton };
|
||||||
|
|
||||||
|
# Create symlink for /data/user/0
|
||||||
|
allow zygote tmpfs:lnk_file create;
|
||||||
|
|
||||||
|
allow zygote mirror_data_file:dir r_dir_perms;
|
||||||
|
|
||||||
|
# Get and set data directories
|
||||||
|
allow zygote {
|
||||||
|
system_data_file
|
||||||
|
radio_data_file
|
||||||
|
app_data_file
|
||||||
|
shell_data_file
|
||||||
|
bluetooth_data_file
|
||||||
|
privapp_data_file
|
||||||
|
nfc_data_file
|
||||||
|
mnt_expand_file
|
||||||
|
}:dir getattr;
|
||||||
|
|
||||||
# Allow zygote to create JIT memory.
|
# Allow zygote to create JIT memory.
|
||||||
allow zygote self:process execmem;
|
allow zygote self:process execmem;
|
||||||
allow zygote zygote_tmpfs:file execute;
|
allow zygote zygote_tmpfs:file execute;
|
||||||
|
@ -177,3 +200,9 @@ neverallow zygote {
|
||||||
bluetooth_prop
|
bluetooth_prop
|
||||||
exported_bluetooth_prop
|
exported_bluetooth_prop
|
||||||
}:file create_file_perms;
|
}:file create_file_perms;
|
||||||
|
|
||||||
|
# Do not allow zygote to access app data except getting attributes and relabeling to.
|
||||||
|
neverallow zygote {
|
||||||
|
privapp_data_file
|
||||||
|
app_data_file
|
||||||
|
}:dir ~getattr;
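Review bot: The comment `# Do not allow zygote to access app data except getting attributes and relabeling to.` does not match the rule beneath it: `}:dir ~getattr;` forbids every dir permission except getattr, including relabelto, and the allow earlier in this section (`allow zygote { ... app_data_file ... }:dir getattr;`) grants only getattr as well. Either drop "and relabeling to" from the comment or, if relabelto is actually required for the per-app mounts, change the rule to `}:dir ~{ getattr relabelto };` together with a matching allow; as written the comment over-describes the access. Separately, `allow zygote tmpfs:dir { create_dir_perms mounton };` and `allow zygote tmpfs:lnk_file create;` are granted on the generic tmpfs type while their comments talk about /data/data and /data/user/0, so a comment explaining why the generic type is sufficient here (or a dedicated type for that mount) would make the scope of the grant clear to the next reader.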
|
||||||
|
|
|
@ -330,6 +330,9 @@ type postinstall_file, file_type;
|
||||||
# /postinstall/apex: Mount point used for APEX images within /postinstall.
|
# /postinstall/apex: Mount point used for APEX images within /postinstall.
|
||||||
type postinstall_apex_mnt_dir, file_type;
|
type postinstall_apex_mnt_dir, file_type;
|
||||||
|
|
||||||
|
# /data_mirror: Contains mirror directory for storing all apps data.
|
||||||
|
type mirror_data_file, file_type, core_data_file_type;
|
||||||
|
|
||||||
# /data/misc subdirectories
|
# /data/misc subdirectories
|
||||||
type adb_keys_file, file_type, data_file_type, core_data_file_type;
|
type adb_keys_file, file_type, data_file_type, core_data_file_type;
|
||||||
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
|
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
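Review bot: `type mirror_data_file, file_type, core_data_file_type;` omits the `data_file_type` attribute that the neighbouring /data types in the same hunk carry (`adb_keys_file`, `apex_module_data_file`), so any policy written against data_file_type will not cover /data_mirror. That may be intentional since /data_mirror lives outside /data and, per the installd hunk, is only a bind-mount target, but the reason should be recorded next to the declaration, e.g. `# Not data_file_type: /data_mirror is outside /data and only hosts bind mounts of app data dirs.` if that is the intent. The comment `# /data_mirror: Contains mirror directory for storing all apps data.` would also read better as `# /data_mirror: mirror directories for all apps' data.`.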
|
||||||
|
|
|
@ -94,6 +94,7 @@ allow init {
|
||||||
system_file
|
system_file
|
||||||
vendor_file
|
vendor_file
|
||||||
postinstall_mnt_dir
|
postinstall_mnt_dir
|
||||||
|
mirror_data_file
|
||||||
}:dir mounton;
|
}:dir mounton;
|
||||||
allow init cgroup_bpf:dir { create mounton };
|
allow init cgroup_bpf:dir { create mounton };
|
||||||
|
|
||||||
|
|
|
@ -70,6 +70,9 @@ allow installd storage_file:dir search;
|
||||||
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
|
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
|
||||||
allow installd sdcard_type:file { getattr unlink };
|
allow installd sdcard_type:file { getattr unlink };
|
||||||
|
|
||||||
|
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
|
||||||
|
allow installd mirror_data_file:dir { create_dir_perms mounton };
|
||||||
|
|
||||||
# Upgrade /data/misc/keychain for multi-user if necessary.
|
# Upgrade /data/misc/keychain for multi-user if necessary.
|
||||||
allow installd misc_user_data_file:dir create_dir_perms;
|
allow installd misc_user_data_file:dir create_dir_perms;
|
||||||
allow installd misc_user_data_file:file create_file_perms;
|
allow installd misc_user_data_file:file create_file_perms;
|
||||||
|
@ -105,6 +108,7 @@ allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlin
|
||||||
# upon creation via setfilecon or running restorecon_recursive,
|
# upon creation via setfilecon or running restorecon_recursive,
|
||||||
# setting owner/mode, creating symlinks within them, and deleting them
|
# setting owner/mode, creating symlinks within them, and deleting them
|
||||||
# upon package uninstall.
|
# upon package uninstall.
|
||||||
|
|
||||||
# Types extracted from seapp_contexts type= fields.
|
# Types extracted from seapp_contexts type= fields.
|
||||||
allow installd {
|
allow installd {
|
||||||
system_app_data_file
|
system_app_data_file
|
||||||
|
@ -126,6 +130,9 @@ allow installd {
|
||||||
privapp_data_file
|
privapp_data_file
|
||||||
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
|
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
|
||||||
|
|
||||||
|
# Allow zygote to unmount mirror directories
|
||||||
|
allow installd labeledfs:filesystem unmount;
|
||||||
|
|
||||||
# Similar for the files under /data/misc/profiles/
|
# Similar for the files under /data/misc/profiles/
|
||||||
allow installd user_profile_data_file:dir create_dir_perms;
|
allow installd user_profile_data_file:dir create_dir_perms;
|
||||||
allow installd user_profile_data_file:file create_file_perms;
|
allow installd user_profile_data_file:file create_file_perms;
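Review bot: The comment `# Allow zygote to unmount mirror directories` in the last hunk sits above `allow installd labeledfs:filesystem unmount;`, which grants the permission to installd, not zygote, so the subject in the comment is wrong. The rule is also broader than the comment suggests: `labeledfs:filesystem unmount` is checked against the filesystem, not a directory, so installd may unmount any labeledfs mount rather than only the bind mounts under /data_mirror. Suggest `# Allow installd to unmount the per-app bind mounts under /data_mirror. SELinux checks unmount on the filesystem type, so this necessarily covers any labeledfs mount.` so the breadth of the grant is recorded where it is made.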
|
||||||
|
|