Merge "Root of /data belongs to init" am: b935b6c664 am: e9465fceb6 am: 190b3b156f

am: d71a3cd452 Change-Id: I29816e67f3d806d722d4cee50c8d655924a8f807
2019-08-29 23:37:59 -07:00 · 2019-08-29 23:37:59 -07:00 · 5f2f10d281
commit 5f2f10d281
parent d6547c8802 d71a3cd452
10 changed files with 36 additions and 6 deletions
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@ -1780,7 +1780,7 @@
 (typeattributeset system_block_device_29_0 (system_block_device))
 (typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
 (typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
-(typeattributeset system_data_file_29_0 (system_data_file))
+(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
 (typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
 (typeattributeset system_file_29_0 (system_file))
 (typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))
--- a/private/file_contexts
+++ b/private/file_contexts
@ -434,7 +434,8 @@
 # NOTE: When modifying existing label rules, changes may also need to
 # propagate to the "Expanded data files" section.
 #
-/data(/.*)?		u:object_r:system_data_file:s0
+/data		u:object_r:system_data_root_file:s0
 /data/(.*)?		u:object_r:system_data_file:s0
 /data/system/packages\.list u:object_r:packages_list_file:s0
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
--- a/private/perfetto.te
+++ b/private/perfetto.te
@ -69,6 +69,7 @@ neverallow perfetto domain:process ptrace;
 neverallow perfetto {
  data_file_type
  -system_data_file
  -system_data_root_file
  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
  # neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
--- a/private/traced.te
+++ b/private/traced.te
@ -62,6 +62,7 @@ neverallow traced domain:process ptrace;
 neverallow traced {
  data_file_type
  -system_data_file
  -system_data_root_file
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@ -101,6 +101,7 @@ neverallow traced_probes {
  -apk_data_file
  -dalvikcache_data_file
  -system_data_file
  -system_data_root_file
  -system_app_data_file
  -backup_data_file
  -bootstat_data_file
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@ -2,3 +2,6 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit vendor_init sysfs:dir write;
 # TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
 allow vendor_init system_data_root_file:dir rw_dir_perms;
--- a/public/domain.te
+++ b/public/domain.te
@ -222,8 +222,9 @@ not_full_treble(`
  allow domain system_data_file:dir getattr;
 ')
 allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_file. Vendor components need the search
+# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_file for path traversal to /data/vendor.
+# permission on system_data_root_file for path traversal to /data/vendor.
 allow domain system_data_root_file:dir { search getattr } ;
 allow domain system_data_file:dir search;
 # TODO restrict this to non-coredomain
 allow domain vendor_data_file:dir { getattr search };
@ -858,6 +859,7 @@ full_treble_only(`
  } {
    core_data_file_type
    -system_data_file # default label for files on /data. Covered below...
    -system_data_root_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
@ -869,6 +871,7 @@ full_treble_only(`
    core_data_file_type
    -unencrypted_data_file
    -system_data_file
    -system_data_root_file
    -vendor_data_file
    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
--- a/public/file.te
+++ b/public/file.te
@ -228,6 +228,8 @@ type logcat_exec, system_file_type, exec_type, file_type;
 type cgroup_rc_file, file_type;
 # /cores for coredumps on userdebug / eng builds
 type coredump_file, file_type;
 # Type of /data itself
 type system_data_root_file, file_type, data_file_type, core_data_file_type;
 # Default type for anything under /data.
 type system_data_file, file_type, data_file_type, core_data_file_type;
 # Type for /data/system/packages.list.
--- a/public/init.te
+++ b/public/init.te
@ -80,7 +80,18 @@ allow init self:global_capability_class_set sys_chroot;
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file mnt_user_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init {
    rootfs
    cache_file
    cgroup
    storage_file
    mnt_user_file
    system_data_file
    system_data_root_file
    system_file
    vendor_file
    postinstall_mnt_dir
 }:dir mounton;
 allow init cgroup_bpf:dir { create mounton };
 # Mount bpf fs on sys/fs/bpf
@ -591,3 +602,7 @@ neverallow init sysfs:file { open read write };
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
 # init owns the root of /data
 # TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
 neverallow { domain -init -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
--- a/public/vold.te
+++ b/public/vold.te
@ -135,7 +135,10 @@ allow vold labeledfs:filesystem { mount unmount remount };
 allow vold efs_file:file rw_file_perms;
 # Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold {
    system_data_file
    system_data_root_file
 }:dir { create rw_dir_perms mounton setattr rmdir };
 allow vold system_data_file:lnk_file getattr;
 # Vold create users in /data/vendor_{ce,de}/[0-9]+