Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus gsi_public_metadata_file, and add gsi_metadata_file_type attribute. Files that are okay to be publicly readable are labeled with gsi_public_metadata_file. Right now only files needed to infer the device fstab belong to this label. The difference between gsi_metadata_file and gsi_public_metadata_file is that gsi_public_metadata_file has relaxed neverallow rules, so processes that wish to read the fstab can add the respective allow rules to their policy files. Allow gsid to restorecon on gsi_metadata_file to fix the file context of gsi_public_metadata_file. Bug: 181110285 Test: Build pass Test: Issue a DSU installation then verify no DSU related denials and files under /metadata/gsi/ are labeled correctly. Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
parent
9f3fe38950
commit
806898db48
15 changed files with 62 additions and 22 deletions
|
@ -61,6 +61,7 @@
|
|||
gpuservice
|
||||
gsi_data_file
|
||||
gsi_metadata_file
|
||||
gsi_public_metadata_file
|
||||
gsi_service
|
||||
gsid
|
||||
gsid_exec
|
||||
|
|
|
@ -1482,7 +1482,9 @@
|
|||
(typeattributeset graphics_device_30_0 (graphics_device))
|
||||
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
|
||||
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
|
||||
(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
|
||||
(typeattributeset gsi_metadata_file_30_0
|
||||
( gsi_metadata_file
|
||||
gsi_public_metadata_file))
|
||||
(typeattributeset gsid_prop_30_0 (gsid_prop))
|
||||
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
|
||||
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
|
||||
|
|
|
@ -762,6 +762,10 @@
|
|||
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
|
||||
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
|
||||
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
|
||||
/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
|
||||
/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
|
||||
/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
|
||||
/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
|
||||
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
|
||||
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
||||
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
|
||||
|
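Review bot: The four gsi_public_metadata_file entries only take effect because they follow the `/metadata/gsi(/.*)?` catch-all (file_contexts resolves to the last, most specific match), and nothing on these lines records that ordering constraint or that the list must stay in step with the relabel rules gsid gains in gsid.te. A comment above the first public entry such as `# DSU files readable via read_fstab(); must stay after the /metadata/gsi catch-all and match the relabel rules in gsid.te` would capture both. It would also help to state whether `/metadata/gsi/dsu/[^/]+/metadata_encryption_dir` is a regular file: gsid's new relabelfrom/relabelto rules cover only the file class, so if that path were a directory restorecon could not move it to gsi_public_metadata_file.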
|
|
@ -123,7 +123,7 @@ allow gsid userdata_block_device:blk_file r_file_perms;
|
|||
#
|
||||
allow gsid metadata_file:dir { search getattr };
|
||||
allow gsid {
|
||||
gsi_metadata_file
|
||||
gsi_metadata_file_type
|
||||
}:dir create_dir_perms;
|
||||
|
||||
allow gsid {
|
||||
|
@ -131,10 +131,15 @@ allow gsid {
|
|||
}:dir rw_dir_perms;
|
||||
|
||||
allow gsid {
|
||||
gsi_metadata_file
|
||||
gsi_metadata_file_type
|
||||
ota_metadata_file
|
||||
}:file create_file_perms;
|
||||
|
||||
# Allow restorecon to fix context of gsi_public_metadata_file.
|
||||
allow gsid file_contexts_file:file r_file_perms;
|
||||
allow gsid gsi_metadata_file:file relabelfrom;
|
||||
allow gsid gsi_public_metadata_file:file relabelto;
|
||||
|
||||
allow gsid {
|
||||
gsi_data_file
|
||||
ota_image_data_file
|
||||
|
@ -153,6 +158,9 @@ allowxperm gsid {
|
|||
|
||||
allow gsid system_server:binder call;
|
||||
|
||||
# Prevent most processes from writing to gsi_metadata_file_type, but allow
|
||||
# adding rules for path resolution of gsi_public_metadata_file and reading
|
||||
# gsi_public_metadata_file.
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
|
@ -160,7 +168,7 @@ neverallow {
|
|||
-fastbootd
|
||||
-recovery
|
||||
-vold
|
||||
} gsi_metadata_file:dir *;
|
||||
} gsi_metadata_file_type:dir no_w_dir_perms;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
|
@ -168,7 +176,18 @@ neverallow {
|
|||
-gsid
|
||||
-fastbootd
|
||||
-vold
|
||||
} gsi_metadata_file:file_class_set *;
|
||||
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-gsid
|
||||
-fastbootd
|
||||
-vold
|
||||
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
|
||||
|
||||
# Prevent apps from accessing gsi_metadata_file_type.
|
||||
neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
|
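Review bot: The relaxed directory neverallow, `} gsi_metadata_file_type:dir no_w_dir_perms;`, opens more than the comment above it describes: path resolution of gsi_public_metadata_file needs only `search`, but no_w_dir_perms also leaves `read`, `getattr` and `open` unconstrained, so any domain may now be granted a listing of the private /metadata/gsi tree (the file-level rule keeping `*` for the private types still protects file contents). The new read_fstab macro grants only `search`, and the only visible domain with r_dir_perms on these directories is vold, which is excluded, so `} gsi_metadata_file_type:dir ~search;` (or `~{ search getattr }` if a stat of the directory itself is needed) would match the stated intent; a domain outside this change needing r_dir_perms would be the reason to keep the looser form. The neverallow block begins in the previous hunk, so its full exclusion list is not visible here.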
|
|
@ -20,8 +20,8 @@ allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
|
|||
# Triggered when lpdumpd tries to read default fstab.
|
||||
dontaudit lpdumpd metadata_file:dir r_dir_perms;
|
||||
dontaudit lpdumpd metadata_file:file r_file_perms;
|
||||
dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
|
||||
dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
|
||||
dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
|
||||
dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
|
||||
|
||||
### Neverallow rules
|
||||
|
||||
|
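Review bot: The two dontaudit lines now also cover gsi_public_metadata_file, so if lpdumpd's default-fstab read is meant to succeed the denial is silenced rather than granted, while the commit adds `read_fstab()` in te_macros for exactly that case. If lpdumpd does not need the DSU fstab to work, a comment saying so would keep the next reader from reaching for the macro, e.g. `# lpdumpd works without the DSU fstab; suppress rather than grant.`; otherwise `read_fstab(lpdumpd)` in place of the two gsi_metadata_file_type lines is the precise rule. Which of the two applies is not decidable from the hunk.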
|
|
@ -386,3 +386,6 @@ attribute super_block_device_type;
|
|||
# All types used for DMA-BUF heaps
|
||||
attribute dmabuf_heap_device_type;
|
||||
expandattribute dmabuf_heap_device_type false;
|
||||
|
||||
# All types used for DSU metadata files.
|
||||
attribute gsi_metadata_file_type;
|
||||
|
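Review bot: The comment on the new attribute does not say what membership implies: the neverallow rules in gsid.te key on gsi_metadata_file_type, so every type placed in it is shielded from writes by most domains and from appdomain entirely, and only gsi_public_metadata_file is exempted for reads. Suggest extending the comment to `# All types used for DSU metadata files (gsi_metadata_file, gsi_public_metadata_file). The neverallow rules in gsid.te apply to the whole attribute; add a type here only if those rules should cover it.`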
|
|
@ -49,8 +49,8 @@ recovery_only(`
|
|||
allow fastbootd metadata_block_device:blk_file r_file_perms;
|
||||
allow fastbootd {rootfs tmpfs}:dir mounton;
|
||||
allow fastbootd metadata_file:dir { search getattr };
|
||||
allow fastbootd gsi_metadata_file:dir rw_dir_perms;
|
||||
allow fastbootd gsi_metadata_file:file create_file_perms;
|
||||
allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
|
||||
allow fastbootd gsi_metadata_file_type:file create_file_perms;
|
||||
|
||||
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
||||
|
||||
|
@ -103,7 +103,7 @@ recovery_only(`
|
|||
')
|
||||
|
||||
# Allow using libfiemap/gsid directly (no binder in recovery).
|
||||
allow fastbootd gsi_metadata_file:dir search;
|
||||
allow fastbootd gsi_metadata_file_type:dir search;
|
||||
allow fastbootd ota_metadata_file:dir rw_dir_perms;
|
||||
allow fastbootd ota_metadata_file:file create_file_perms;
|
||||
')
|
||||
|
|
|
@ -242,7 +242,9 @@ type metadata_file, file_type;
|
|||
# Vold files within /metadata
|
||||
type vold_metadata_file, file_type;
|
||||
# GSI files within /metadata
|
||||
type gsi_metadata_file, file_type;
|
||||
type gsi_metadata_file, gsi_metadata_file_type, file_type;
|
||||
# DSU (GSI) files within /metadata that are globally readable.
|
||||
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
|
||||
# system_server shares Weaver slot information in /metadata
|
||||
type password_slot_metadata_file, file_type;
|
||||
# APEX files within /metadata
|
||||
|
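Review bot: The comment `# DSU (GSI) files within /metadata that are globally readable.` overstates the access: gsid.te still carries `neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;`, and a non-app domain reads nothing until it adds its own rules (for example via the read_fstab macro added in te_macros). Suggest `# DSU (GSI) files within /metadata that non-app domains may be granted read access to (see read_fstab); never readable by appdomain.`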
|
|
@ -127,7 +127,7 @@ recovery_only(`
|
|||
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
||||
|
||||
# Allow using libfiemap/gsid directly (no binder in recovery).
|
||||
allow recovery gsi_metadata_file:dir search;
|
||||
allow recovery gsi_metadata_file_type:dir search;
|
||||
allow recovery ota_metadata_file:dir rw_dir_perms;
|
||||
allow recovery ota_metadata_file:file create_file_perms;
|
||||
|
||||
|
|
|
@ -965,3 +965,12 @@ define(`vendor_restricted_prop', `
|
|||
# Define a /vendor-owned property with no restrictions
|
||||
#
|
||||
define(`vendor_public_prop', `define_prop($1, vendor, public)')
|
||||
|
||||
#####################################
|
||||
# read_fstab(domain)
|
||||
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
|
||||
#
|
||||
define(`read_fstab', `
|
||||
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
|
||||
allow $1 gsi_public_metadata_file:file r_file_perms;
|
||||
')
|
||||
|
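Review bot: The macro header does not mention that `allow $1 { metadata_file gsi_metadata_file_type }:dir search;` grants search on the whole /metadata/gsi tree, including directories labeled with the private gsi_metadata_file type, nor that the appdomain neverallow in gsid.te makes the macro unusable for app domains. Both are things a caller decides on, so add to the header: `# Grants search on /metadata and all gsi_metadata_file_type directories (private and public labels) plus read of gsi_public_metadata_file. Not usable for appdomain.`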
|
|
@ -39,5 +39,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
|
|||
r_dir_file(uncrypt, sysfs_dt_firmware_android)
|
||||
|
||||
# Suppress the denials coming from ReadDefaultFstab call.
|
||||
dontaudit uncrypt gsi_metadata_file:dir search;
|
||||
dontaudit uncrypt gsi_metadata_file_type:dir search;
|
||||
dontaudit uncrypt metadata_file:dir search;
|
||||
|
|
|
@ -69,7 +69,7 @@ allow update_engine system_file:dir r_dir_perms;
|
|||
# device. ReadDefaultFstab() checks whether a GSI is running by checking
|
||||
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
|
||||
# the access.
|
||||
dontaudit update_engine gsi_metadata_file:dir search;
|
||||
dontaudit update_engine gsi_metadata_file_type:dir search;
|
||||
|
||||
# Allow to write to snapshotctl_log logs.
|
||||
# TODO(b/148818798) revert when parent bug is fixed.
|
||||
|
|
|
@ -57,7 +57,7 @@ allow vendor_init {
|
|||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
-gsi_metadata_file
|
||||
-gsi_metadata_file_type
|
||||
-apex_metadata_file
|
||||
-userspace_reboot_metadata_file
|
||||
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
|
||||
|
@ -75,7 +75,7 @@ allow vendor_init {
|
|||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
-gsi_metadata_file
|
||||
-gsi_metadata_file_type
|
||||
-apex_metadata_file
|
||||
-apex_info_file
|
||||
-userspace_reboot_metadata_file
|
||||
|
@ -91,7 +91,7 @@ allow vendor_init {
|
|||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
-gsi_metadata_file
|
||||
-gsi_metadata_file_type
|
||||
-apex_metadata_file
|
||||
-userspace_reboot_metadata_file
|
||||
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
||||
|
@ -107,7 +107,7 @@ allow vendor_init {
|
|||
-unlabeled
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
-gsi_metadata_file
|
||||
-gsi_metadata_file_type
|
||||
-apex_metadata_file
|
||||
-userspace_reboot_metadata_file
|
||||
}:lnk_file { create getattr setattr relabelfrom unlink };
|
||||
|
@ -122,7 +122,7 @@ allow vendor_init {
|
|||
-system_file_type
|
||||
-vendor_file_type
|
||||
-vold_metadata_file
|
||||
-gsi_metadata_file
|
||||
-gsi_metadata_file_type
|
||||
-apex_metadata_file
|
||||
-userspace_reboot_metadata_file
|
||||
}:dir_file_class_set relabelto;
|
||||
|
|
|
@ -8,7 +8,7 @@ allow vendor_misc_writer block_device:dir r_dir_perms;
|
|||
|
||||
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
|
||||
# load DT fstab.
|
||||
dontaudit vendor_misc_writer gsi_metadata_file:dir search;
|
||||
dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
|
||||
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
|
||||
dontaudit vendor_misc_writer metadata_file:dir search;
|
||||
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
|
||||
|
|
|
@ -294,8 +294,8 @@ allow vold mnt_vendor_file:dir search;
|
|||
dontaudit vold self:global_capability_class_set sys_resource;
|
||||
|
||||
# vold needs to know whether we're running a GSI.
|
||||
allow vold gsi_metadata_file:dir r_dir_perms;
|
||||
allow vold gsi_metadata_file:file r_file_perms;
|
||||
allow vold gsi_metadata_file_type:dir r_dir_perms;
|
||||
allow vold gsi_metadata_file_type:file r_file_perms;
|
||||
|
||||
# vold might need to search loopback apex files
|
||||
allow vold vendor_apex_file:file r_file_perms;
|
||||
|
|