Allow Zygote and Installd to remount directories in /data/data

Zygote/Installd now can do the following operations in app data directory: - Mount on it - Create directories in it - Mount directory for each app data, and get/set attributes Bug: 143937733 Test: No denials at boot Test: No denials seen when creating mounts Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
2019-12-13 12:30:26 +00:00 · 2019-12-13 12:30:26 +00:00 · 5b1b423039
commit 5b1b423039
parent e8419e5832
8 changed files with 55 additions and 0 deletions
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -35,6 +35,7 @@
    mediatranscoding
    mediatranscoding_exec
    mediatranscoding_tmpfs
+    mirror_data_file
    linker_prop
    linkerconfig_file
    mock_ota_prop
--- a/private/domain.te
+++ b/private/domain.te
@ -147,6 +147,7 @@ neverallow {
  -runas
  -system_server
  -viewcompiler
+  -zygote
 } { privapp_data_file app_data_file }:dir *;

 # Only apps should be modifying app data. installd is exempted for
@ -328,3 +329,11 @@ neverallow {
  -hal_bootctl_server
  -fastbootd
 } self:global_capability_class_set sys_rawio;
+
+# Limit directory operations that doesn't need to do app data isolation.
+neverallow {
+  domain
+  -init
+  -installd
+  -zygote
+} mirror_data_file:dir *;
--- a/private/file_contexts
+++ b/private/file_contexts
@ -24,6 +24,7 @@
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0
 /config             u:object_r:rootfs:s0
+/data_mirror        u:object_r:mirror_data_file:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@ -64,12 +64,16 @@ dontaudit gmscore_app sysfs_loop:file r_file_perms;
 dontaudit gmscore_app wifi_prop:file r_file_perms;
 dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;

+
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
 # denial to prevent apps from spamming the logs.
 dontaudit gmscore_app system_data_file:dir write;

+# suppress denials for scanning /data_mirror
+dontaudit gmscore_app mirror_data_file:dir search;
+
 # Access the network
 net_domain(gmscore_app)

--- a/private/zygote.te
+++ b/private/zygote.te
@ -50,6 +50,29 @@ allow zygote resourcecache_data_file:file create_file_perms;
 # is ensured by fsverity protection (checked in art_apex_boot_integrity).
 allow zygote dalvikcache_data_file:file execute;

+# Bind mount on /data/data and mounted volumes
+allow zygote { system_data_file mnt_expand_file }:dir mounton;
+
+# Create and bind dirs on /data/data
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Create symlink for /data/user/0
+allow zygote tmpfs:lnk_file create;
+
+allow zygote mirror_data_file:dir r_dir_perms;
+
+# Get and set data directories
+allow zygote {
+  system_data_file
+  radio_data_file
+  app_data_file
+  shell_data_file
+  bluetooth_data_file
+  privapp_data_file
+  nfc_data_file
+  mnt_expand_file
+}:dir getattr;
+
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
 allow zygote zygote_tmpfs:file execute;
@ -177,3 +200,9 @@ neverallow zygote {
  bluetooth_prop
  exported_bluetooth_prop
 }:file create_file_perms;
+
+# Do not allow zygote to access app data except getting attributes and relabeling to.
+neverallow zygote {
+  privapp_data_file
+  app_data_file
+}:dir ~getattr;
--- a/public/file.te
+++ b/public/file.te
@ -330,6 +330,9 @@ type postinstall_file, file_type;
 # /postinstall/apex: Mount point used for APEX images within /postinstall.
 type postinstall_apex_mnt_dir, file_type;

+# /data_mirror: Contains mirror directory for storing all apps data.
+type mirror_data_file, file_type, core_data_file_type;
+
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
--- a/public/init.te
+++ b/public/init.te
@ -94,6 +94,7 @@ allow init {
    system_file
    vendor_file
    postinstall_mnt_dir
+    mirror_data_file
 }:dir mounton;
 allow init cgroup_bpf:dir { create mounton };

--- a/public/installd.te
+++ b/public/installd.te
@ -70,6 +70,9 @@ allow installd storage_file:dir search;
 allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
 allow installd sdcard_type:file { getattr unlink };

+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
 allow installd misc_user_data_file:file create_file_perms;
@ -105,6 +108,7 @@ allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlin
 # upon creation via setfilecon or running restorecon_recursive,
 # setting owner/mode, creating symlinks within them, and deleting them
 # upon package uninstall.
+
 # Types extracted from seapp_contexts type= fields.
 allow installd {
    system_app_data_file
@ -126,6 +130,9 @@ allow installd {
    privapp_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };

+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
 # Similar for the files under /data/misc/profiles/
 allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;