Split gsi_metadata_file and add gsi_metadata_file_type attribute

Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
that need to read the fstab can add the corresponding allow rules to their
own policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
Yi-Yo Chiang 2021-03-22 13:46:12 +08:00 committed by Yo Chiang
parent 9f3fe38950
commit 806898db48
15 changed files with 62 additions and 22 deletions


@ -61,6 +61,7 @@
gpuservice
gsi_data_file
gsi_metadata_file
gsi_public_metadata_file
gsi_service
gsid
gsid_exec


@ -1482,7 +1482,9 @@
(typeattributeset graphics_device_30_0 (graphics_device))
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
(typeattributeset gsi_metadata_file_30_0
( gsi_metadata_file
gsi_public_metadata_file))
(typeattributeset gsid_prop_30_0 (gsid_prop))
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))


@ -762,6 +762,10 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
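Review bot: The four new `gsi_public_metadata_file` entries carry no comment saying why exactly these paths leave the private `/metadata/gsi(/.*)?` label while everything else stays `gsi_metadata_file`; a line such as `# DSU state needed by ReadDefaultFstab(); readable via read_fstab(). Everything else under /metadata/gsi stays private.` above `/metadata/gsi/dsu/active` would record the decision where it is made. Note that these entries only take effect at restorecon time: absent a type_transition, a file created under `/metadata/gsi/dsu` inherits the directory's `gsi_metadata_file` type, so readers are denied (fail-closed) until gsid's restorecon runs. The `metadata_encryption_dir` entry under the `[^/]+` slot pattern is presumably a regular file, since the rest of the change only grants `:file` relabel and read permissions on `gsi_public_metadata_file` — worth confirming, as a directory there could never be relabeled.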


@ -123,7 +123,7 @@ allow gsid userdata_block_device:blk_file r_file_perms;
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
gsi_metadata_file
gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
@ -131,10 +131,15 @@ allow gsid {
}:dir rw_dir_perms;
allow gsid {
gsi_metadata_file
gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
# Allow restorecon to fix context of gsi_public_metadata_file.
allow gsid file_contexts_file:file r_file_perms;
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;
allow gsid {
gsi_data_file
ota_image_data_file
@ -153,6 +158,9 @@ allowxperm gsid {
allow gsid system_server:binder call;
# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
neverallow {
domain
-init
@ -160,7 +168,7 @@ neverallow {
-fastbootd
-recovery
-vold
} gsi_metadata_file:dir *;
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
@ -168,7 +176,18 @@ neverallow {
-gsid
-fastbootd
-vold
} gsi_metadata_file:file_class_set *;
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
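Review bot: Relaxing the first neverallow to `} gsi_metadata_file_type:dir no_w_dir_perms;` (it was `gsi_metadata_file:dir *`) makes listing of the private `/metadata/gsi` tree grantable to any non-app domain, not just the `search` needed to resolve a path to the public files; a listing exposes the DSU slot directory names even though their contents stay private. If path resolution is all that is intended, `} gsi_metadata_file_type:dir ~{ search getattr };` keeps read/open locked down while still letting read_fstab()-style rules work, assuming no domain outside this hunk already relies on listing the directory (the exemption list itself is cut by the hunk, so I cannot see it in full). Separately, the relabel grant is one-way: `allow gsid gsi_metadata_file:file relabelfrom;` with `allow gsid gsi_public_metadata_file:file relabelto;` lets restorecon promote a file to the public label but never demote one if a file_contexts entry is later withdrawn, so a comment like `# One-way on purpose: files are never moved back from public to private.` would document that choice. The neverallow starting at the end of this hunk continues outside it.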


@ -20,8 +20,8 @@ allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
# Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms;
dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
### Neverallow rules


@ -386,3 +386,6 @@ attribute super_block_device_type;
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;


@ -49,8 +49,8 @@ recovery_only(`
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir { search getattr };
allow fastbootd gsi_metadata_file:dir rw_dir_perms;
allow fastbootd gsi_metadata_file:file create_file_perms;
allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@ -103,7 +103,7 @@ recovery_only(`
')
# Allow using libfiemap/gsid directly (no binder in recovery).
allow fastbootd gsi_metadata_file:dir search;
allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
')
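Review bot: Widening to `allow fastbootd gsi_metadata_file_type:file create_file_perms;` gives fastbootd write/unlink on the new public-labelled files, which matches its exemption from the neverallows, but fastbootd receives no `relabelto` on `gsi_public_metadata_file`: absent a type_transition, anything it creates under `/metadata/gsi/dsu` inherits the private `gsi_metadata_file` label and stays unreadable by read_fstab() callers until gsid restorecons it, and it is not visible here whether gsid does that for files it did not create. If fastbootd writes `active`/`booted`/`lp_names` itself it needs the same `file_contexts_file` read and `relabelfrom`/`relabelto` pair that gsid got; otherwise a comment such as `# Files fastbootd creates here keep the private label; gsid restorecons them at next boot.` would record the assumption. The `recovery_only(` block holding these rules starts before the hunk.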


@ -242,7 +242,9 @@ type metadata_file, file_type;
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, file_type;
type gsi_metadata_file, gsi_metadata_file_type, file_type;
# DSU (GSI) files within /metadata that are globally readable.
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
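Review bot: The comment `# DSU (GSI) files within /metadata that are globally readable.` overstates what the type grants: nothing in the change makes the label readable by default, the relaxed neverallow only permits non-app domains to be given `r_file_perms`, and appdomain remains fully denied on the whole attribute. Suggest `# DSU (GSI) files within /metadata that non-app domains may be granted read access to (see read_fstab() in te_macros); still neverallowed for appdomain.` so a future reader does not take "globally readable" literally.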


@ -127,7 +127,7 @@ recovery_only(`
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
allow recovery gsi_metadata_file:dir search;
allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;


@ -965,3 +965,12 @@ define(`vendor_restricted_prop', `
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
#####################################
# read_fstab(domain)
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
#
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
')
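Review bot: The header of `read_fstab` promises the ability to call ReadDefaultFstab() and ReadFstabFromFile(), yet elsewhere in this same change the domains that call ReadDefaultFstab() also need `proc_cmdline` and `sysfs_dt_firmware_android` (the uncrypt allow rules and the vendor_misc_writer dontaudits), which the macro does not cover, so a caller using only `read_fstab(domain)` may still see denials. Either extend the macro or state the gap in its header, e.g. `# Note: does not cover the DT fstab / kernel cmdline lookups ReadDefaultFstab() also performs (proc_cmdline, sysfs_dt_firmware_android).`. Since the macro is purely additive, extending it later remains backward compatible.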


@ -39,5 +39,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
dontaudit uncrypt gsi_metadata_file:dir search;
dontaudit uncrypt gsi_metadata_file_type:dir search;
dontaudit uncrypt metadata_file:dir search;


@ -69,7 +69,7 @@ allow update_engine system_file:dir r_dir_perms;
# device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
dontaudit update_engine gsi_metadata_file:dir search;
dontaudit update_engine gsi_metadata_file_type:dir search;
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.


@ -57,7 +57,7 @@ allow vendor_init {
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@ -75,7 +75,7 @@ allow vendor_init {
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
@ -91,7 +91,7 @@ allow vendor_init {
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@ -107,7 +107,7 @@ allow vendor_init {
-unlabeled
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
@ -122,7 +122,7 @@ allow vendor_init {
-system_file_type
-vendor_file_type
-vold_metadata_file
-gsi_metadata_file
-gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir_file_class_set relabelto;


@ -8,7 +8,7 @@ allow vendor_misc_writer block_device:dir r_dir_perms;
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
dontaudit vendor_misc_writer gsi_metadata_file:dir search;
dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;


@ -294,8 +294,8 @@ allow vold mnt_vendor_file:dir search;
dontaudit vold self:global_capability_class_set sys_resource;
# vold needs to know whether we're running a GSI.
allow vold gsi_metadata_file:dir r_dir_perms;
allow vold gsi_metadata_file:file r_file_perms;
allow vold gsi_metadata_file_type:dir r_dir_perms;
allow vold gsi_metadata_file_type:file r_file_perms;
# vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms;