Allow Zygote and Installd to remount directories in /data/data

Zygote/Installd can now perform the following operations in the app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
Ricky Wai 2019-12-13 12:30:26 +00:00
parent e8419e5832
commit 5b1b423039
8 changed files with 55 additions and 0 deletions


@ -35,6 +35,7 @@
mediatranscoding mediatranscoding
mediatranscoding_exec mediatranscoding_exec
mediatranscoding_tmpfs mediatranscoding_tmpfs
mirror_data_file
linker_prop linker_prop
linkerconfig_file linkerconfig_file
mock_ota_prop mock_ota_prop


@ -147,6 +147,7 @@ neverallow {
-runas -runas
-system_server -system_server
-viewcompiler -viewcompiler
-zygote
} { privapp_data_file app_data_file }:dir *; } { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for # Only apps should be modifying app data. installd is exempted for
@ -328,3 +329,11 @@ neverallow {
-hal_bootctl_server -hal_bootctl_server
-fastbootd -fastbootd
} self:global_capability_class_set sys_rawio; } self:global_capability_class_set sys_rawio;
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
-init
-installd
-zygote
} mirror_data_file:dir *;
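Review bot: The comment above the new mirror_data_file neverallow at L42 is ungrammatical and does not state what the rule enforces; something like `# Only init, installd and zygote may operate on /data_mirror directories; every other domain is kept out to preserve app data isolation.` would. Exempting zygote from the privapp_data_file/app_data_file neverallow at L35 widens the rule that keeps non-app domains away from app data, and the compensating restriction to getattr appears to live in zygote.te rather than here, so a pointer such as `# zygote is exempted here but limited to getattr by a neverallow in zygote.te` would help readers of this file. Both neverallow blocks in this section start before their hunks.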


@ -24,6 +24,7 @@
/lost\+found u:object_r:rootfs:s0 /lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0 /acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0 /config u:object_r:rootfs:s0
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0 /debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0 /mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0 /postinstall u:object_r:postinstall_mnt_dir:s0


@ -64,12 +64,16 @@ dontaudit gmscore_app sysfs_loop:file r_file_perms;
dontaudit gmscore_app wifi_prop:file r_file_perms; dontaudit gmscore_app wifi_prop:file r_file_perms;
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms; dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
# Attempts to write to system_data_file is generally a sign # Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before # that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
# denial to prevent apps from spamming the logs. # denial to prevent apps from spamming the logs.
dontaudit gmscore_app system_data_file:dir write; dontaudit gmscore_app system_data_file:dir write;
# suppress denials for scanning /data_mirror
dontaudit gmscore_app mirror_data_file:dir search;
# Access the network # Access the network
net_domain(gmscore_app) net_domain(gmscore_app)


@ -50,6 +50,29 @@ allow zygote resourcecache_data_file:file create_file_perms;
# is ensured by fsverity protection (checked in art_apex_boot_integrity). # is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute; allow zygote dalvikcache_data_file:file execute;
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;
allow zygote mirror_data_file:dir r_dir_perms;
# Get and set data directories
allow zygote {
system_data_file
radio_data_file
app_data_file
shell_data_file
bluetooth_data_file
privapp_data_file
nfc_data_file
mnt_expand_file
}:dir getattr;
# Allow zygote to create JIT memory. # Allow zygote to create JIT memory.
allow zygote self:process execmem; allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute; allow zygote zygote_tmpfs:file execute;
@ -177,3 +200,9 @@ neverallow zygote {
bluetooth_prop bluetooth_prop
exported_bluetooth_prop exported_bluetooth_prop
}:file create_file_perms; }:file create_file_perms;
# Do not allow zygote to access app data except getting attributes and relabeling to.
neverallow zygote {
privapp_data_file
app_data_file
}:dir ~getattr;
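Review bot: The comment on the new neverallow at L106 says zygote may get attributes "and relabel to", but the rule `}:dir ~getattr;` forbids every permission except getattr, relabelto included; either the comment should read `# Do not allow zygote to access app data except getting attributes.` or, if relabelto is really needed, the rule should be `}:dir ~{ getattr relabelto };`. Given the stated test result of no denials at boot, the comment looks like the part that is wrong. Separately, `allow zygote tmpfs:dir { create_dir_perms mounton };` at L84 is granted on the generic tmpfs type, which is broader than the /data/data path the comment names; a comment saying which tmpfs mount this is for (presumably one zygote sets up in its own mount namespace — confirm) would record the intended scope. The neverallow block that the second hunk extends starts before the hunk.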


@ -330,6 +330,9 @@ type postinstall_file, file_type;
# /postinstall/apex: Mount point used for APEX images within /postinstall. # /postinstall/apex: Mount point used for APEX images within /postinstall.
type postinstall_apex_mnt_dir, file_type; type postinstall_apex_mnt_dir, file_type;
# /data_mirror: Contains mirror directory for storing all apps data.
type mirror_data_file, file_type, core_data_file_type;
# /data/misc subdirectories # /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type; type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type; type apex_module_data_file, file_type, data_file_type, core_data_file_type;
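Review bot: The new type declared at L118 carries core_data_file_type but, unlike every neighbouring type in this hunk, not data_file_type, and the comment does not say why. Presumably this is because /data_mirror is outside /data — confirm — in which case a comment such as `# /data_mirror: Mirror of all app data directories. Not data_file_type because it lives outside /data.` would record the reason and also read more clearly than the current wording.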


@ -94,6 +94,7 @@ allow init {
system_file system_file
vendor_file vendor_file
postinstall_mnt_dir postinstall_mnt_dir
mirror_data_file
}:dir mounton; }:dir mounton;
allow init cgroup_bpf:dir { create mounton }; allow init cgroup_bpf:dir { create mounton };


@ -70,6 +70,9 @@ allow installd storage_file:dir search;
allow installd sdcard_type:dir { search open read write remove_name getattr rmdir }; allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
allow installd sdcard_type:file { getattr unlink }; allow installd sdcard_type:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { create_dir_perms mounton };
# Upgrade /data/misc/keychain for multi-user if necessary. # Upgrade /data/misc/keychain for multi-user if necessary.
allow installd misc_user_data_file:dir create_dir_perms; allow installd misc_user_data_file:dir create_dir_perms;
allow installd misc_user_data_file:file create_file_perms; allow installd misc_user_data_file:file create_file_perms;
@ -105,6 +108,7 @@ allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlin
# upon creation via setfilecon or running restorecon_recursive, # upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them # setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall. # upon package uninstall.
# Types extracted from seapp_contexts type= fields. # Types extracted from seapp_contexts type= fields.
allow installd { allow installd {
system_app_data_file system_app_data_file
@ -126,6 +130,9 @@ allow installd {
privapp_data_file privapp_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto }; }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
# Similar for the files under /data/misc/profiles/ # Similar for the files under /data/misc/profiles/
allow installd user_profile_data_file:dir create_dir_perms; allow installd user_profile_data_file:dir create_dir_perms;
allow installd user_profile_data_file:file create_file_perms; allow installd user_profile_data_file:file create_file_perms;
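Review bot: The comment at L153 says "Allow zygote to unmount mirror directories", but the rule beneath it grants installd, not zygote: `allow installd labeledfs:filesystem unmount;`, so the comment should read `# Allow installd to unmount mirror directories`. The rule is also keyed on the labeledfs filesystem type, which permits installd to unmount any labeled filesystem rather than only the bind mounts under /data_mirror; if that breadth is intended, the comment should say so. The allow blocks around the other two hunks in this section continue outside the hunks.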