Split user_profile_data_file label.

user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3

private/compat/30.0/30.0.cil

@@ -2155,7 +2155,10 @@
 (typeattributeset usbd_exec_30_0 (usbd_exec))
 (typeattributeset usbfs_30_0 (usbfs))
 (typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0 (user_profile_data_file))
+(typeattributeset user_profile_data_file_30_0
+  ( user_profile_data_file
+    user_profile_root_file
+))
 (typeattributeset user_service_30_0 (user_service))
 (typeattributeset userdata_block_device_30_0 (userdata_block_device))
 (typeattributeset usermodehelper_30_0 (usermodehelper))

private/file_contexts

@@ -609,7 +609,8 @@
 /data/misc/wmtrace(/.*)?        u:object_r:wm_trace_data_file:s0
 # TODO(calin) label profile reference differently so that only
 # profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/[0-9]+)?   u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.*   u:object_r:user_profile_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
 /data/vendor(/.*)?              u:object_r:vendor_data_file:s0

private/mls

@@ -75,7 +75,7 @@ mlsconstrain { lnk_file } { open setattr unlink link rename read }
 # or the object is trusted.
 mlsconstrain dir { read getattr search }
 	     (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
-	     or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
+	     or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
 	     (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

private/postinstall_dexopt.te

@@ -3,7 +3,7 @@
 # Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
 # this is derived and adapted from installd.te.
 
-type postinstall_dexopt, domain, coredomain;
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
 
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
@@ -38,7 +38,7 @@ r_dir_file(postinstall_dexopt, vendor_overlay_file)
 r_dir_file(postinstall_dexopt, dalvikcache_data_file)
 
 # Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
 allow postinstall_dexopt user_profile_data_file:file r_file_perms;
 # Suppress deletion denial (we do not want to update the profile).
 dontaudit postinstall_dexopt user_profile_data_file:file { write };

private/system_server.te

@@ -977,7 +977,7 @@ allow system_server bpfloader:bpf { map_read map_write prog_run };
 # Allow system_server to open profile snapshots for read.
 # System server never reads the actual content. It passes the descriptor to
 # to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { getattr search };
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
 allow system_server user_profile_data_file:file { getattr open read };
 
 # System server may dump profile data for debuggable apps in the /data/misc/profman.

private/traced_probes.te

@@ -58,7 +58,7 @@ allow traced_probes backup_data_file:dir { getattr open read search };
 allow traced_probes bootstat_data_file:dir { getattr open read search };
 allow traced_probes update_engine_data_file:dir { getattr open read search };
 allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes user_profile_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
 
 # Allow traced_probes to run atrace. atrace pokes at system services to enable
 # their userspace TRACE macros.
@@ -113,6 +113,7 @@ neverallow traced_probes {
   -bootstat_data_file
   -update_engine_data_file
   -update_engine_log_data_file
+  -user_profile_root_file
   -user_profile_data_file
   # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
   # subsequent neverallow. Currently only getattr and search are allowed.

private/vold_prepare_subdirs.te

@@ -45,7 +45,8 @@ allow vold_prepare_subdirs {
 }:file { getattr unlink };
 allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
 allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
 # /data/misc is unlabeled during early boot.
 allow vold_prepare_subdirs unlabeled:dir search;
 

private/zygote.te

@@ -61,7 +61,7 @@ allow zygote system_data_file:{ dir lnk_file } relabelto;
 allow zygote mnt_expand_file:dir { open read search relabelto };
 
 # Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote { user_profile_data_file }:dir { mounton search };
+allow zygote user_profile_root_file:dir { mounton search };
 
 # Create and bind dirs on /data/data
 allow zygote tmpfs:dir { create_dir_perms mounton };

public/app.te

@@ -170,6 +170,7 @@ allow appdomain incidentd:fifo_file { write getattr };
 unix_socket_send(appdomain, statsdw, statsd)
 
 # Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
 

public/dumpstate.te

@@ -229,7 +229,7 @@ allow dumpstate update_engine_log_data_file:file r_file_perms;
 
 # Access /data/misc/profiles/{cur,ref}/
 userdebug_or_eng(`
-  allow dumpstate user_profile_data_file:dir r_dir_perms;
+  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
   allow dumpstate user_profile_data_file:file r_file_perms;
 ')
 

public/file.te

@@ -295,6 +295,7 @@ type ota_data_file, file_type, data_file_type, core_data_file_type;
 # /data/ota_package
 type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
 type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/misc/profman
 type profman_dump_data_file, file_type, data_file_type, core_data_file_type;

public/installd.te

@@ -114,15 +114,15 @@ allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlin
 allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
 allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
 # Allow zygote to unmount mirror directories
 allow installd labeledfs:filesystem unmount;
 
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
 # Files created/updated by profman dumps.
 allow installd profman_dump_data_file:dir { search add_name write };
 allow installd profman_dump_data_file:file { create setattr open write };

public/iorap_inode2filename.te

@@ -52,6 +52,7 @@ allow iorap_inode2filename system_data_root_file:dir { getattr open read search
 allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
 allow iorap_inode2filename textclassifier_data_file:file { getattr };
 allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
 allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
 allow iorap_inode2filename user_profile_data_file:file { getattr };
 allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };

public/iorap_prefetcherd.te

@@ -39,6 +39,7 @@ allow iorap_prefetcherd same_process_hal_file:file { open read };
 allow iorap_prefetcherd system_data_file:dir { open read search };
 allow iorap_prefetcherd system_data_file:file { open read };
 allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
 allow iorap_prefetcherd user_profile_data_file:dir { open read search };
 allow iorap_prefetcherd user_profile_data_file:file { open read };
 allow iorap_prefetcherd vendor_overlay_file:dir { open read search };

public/vold.te

@@ -280,7 +280,7 @@ allow vold app_fuse_file:file { read write open getattr append };
 allow vold toolbox_exec:file rx_file_perms;
 
 # Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
 
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;