IncFS: update SE policies for the new API

IncFS in S adds a bunch of new ioctls, and requires the users to read its features in sysfs directory. This change adds all the features, maps them into the processes that need to call into them, and allows any incfs user to query the features Bug: 170231230 Test: incremental unit tests Change-Id: Ieea6dca38ae9829230bc17d0c73f50c93c407d35
2021-01-14 21:01:25 -08:00 · 2021-01-14 21:01:25 -08:00 · 80dfa06984
commit 80dfa06984
parent 706d5feee2
9 changed files with 40 additions and 8 deletions
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@ -625,6 +625,7 @@
 /data/incremental(/.*)?                                 u:object_r:apk_data_file:s0
 /data/incremental/MT_[^/]+/mount/.pending_reads         u:object_r:incremental_control_file:s0
 /data/incremental/MT_[^/]+/mount/.log                   u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written        u:object_r:incremental_control_file:s0

 #############################
 # Expanded data files
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@ -2000,7 +2000,7 @@
 (typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
 (typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
 (typeattributeset swap_block_device_30_0 (swap_block_device))
-(typeattributeset sysfs_30_0 (sysfs))
+(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
 (typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
--- a/private/file_contexts
+++ b/private/file_contexts
@ -668,6 +668,7 @@
 /data/incremental(/.*)?                                 u:object_r:apk_data_file:s0
 /data/incremental/MT_[^/]+/mount/.pending_reads         u:object_r:incremental_control_file:s0
 /data/incremental/MT_[^/]+/mount/.log                   u:object_r:incremental_control_file:s0
+/data/incremental/MT_[^/]+/mount/.blocks_written        u:object_r:incremental_control_file:s0

 #############################
 # Expanded data files
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@ -140,6 +140,7 @@ genfscon sysfs /devices/virtual/wakeup          u:object_r:sysfs_wakeup:s0
 genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
+genfscon sysfs /fs/incremental-fs/features        u:object_r:sysfs_fs_incfs_features:s0
 genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
 genfscon sysfs /power/state u:object_r:sysfs_power:s0
 genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
--- a/private/priv_app.te
+++ b/private/priv_app.te
@ -152,9 +152,16 @@ dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
 allow priv_app system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

+# Access the IncFS list of features
+r_dir_file(priv_app, sysfs_fs_incfs_features)
+
 # allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, and fill missing blocks in the apk
-allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
+# the Incremental File System, fill missing blocks and get the app status
+allowxperm priv_app apk_data_file:file ioctl {
+  INCFS_IOCTL_READ_SIGNATURE
+  INCFS_IOCTL_FILL_BLOCKS
+  INCFS_IOCTL_GET_BLOCK_COUNT
+};

 # allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
 allow priv_app incremental_control_file:file { read getattr ioctl };
--- a/private/system_server.te
+++ b/private/system_server.te
@ -24,12 +24,27 @@ allow system_server appdomain_tmpfs:file { getattr map read write };
 # For Incremental Service to check if incfs is available
 allow system_server proc_filesystems:file r_file_perms;

-# To create files and get permission to fill blocks on Incremental File System
-allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
+# Access the IncFS list of features
+r_dir_file(system_server, sysfs_fs_incfs_features);

-# To get signature of an APK installed on Incremental File System and fill in data blocks
-allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS INCFS_IOCTL_GET_FILLED_BLOCKS };
+# To create files, get permission to fill blocks, and configure Incremental File System
+allow system_server incremental_control_file:file { ioctl r_file_perms };
+allowxperm system_server incremental_control_file:file ioctl {
+  INCFS_IOCTL_CREATE_FILE
+  INCFS_IOCTL_CREATE_MAPPED_FILE
+  INCFS_IOCTL_PERMIT_FILL
+  INCFS_IOCTL_GET_READ_TIMEOUTS
+  INCFS_IOCTL_SET_READ_TIMEOUTS
+};
+
+# To get signature of an APK installed on Incremental File System, and fill in data
+# blocks and get the filesystem state
+allowxperm system_server apk_data_file:file ioctl {
+  INCFS_IOCTL_READ_SIGNATURE
+  INCFS_IOCTL_FILL_BLOCKS
+  INCFS_IOCTL_GET_FILLED_BLOCKS
+  INCFS_IOCTL_GET_BLOCK_COUNT
+};

 # For art.
 allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
--- a/public/file.te
+++ b/public/file.te
@ -109,6 +109,7 @@ type sysfs_wakeup, fs_type, sysfs_type;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type sysfs_fs_f2fs, sysfs_type, fs_type;
+type sysfs_fs_incfs_features, sysfs_type, fs_type;
 type fs_bpf, fs_type;
 type configfs, fs_type;
 # /sys/devices/cs_etm
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@ -1066,6 +1066,10 @@ define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
 define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
 define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
 define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
+define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
+define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
+define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
+define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
--- a/public/vold.te
+++ b/public/vold.te
@ -126,6 +126,8 @@ allow vold mnt_expand_file:dir { create_dir_perms mounton };
 allow vold apk_data_file:dir { create getattr setattr };
 allow vold shell_data_file:dir { create getattr setattr };

+# Access the IncFS list of features
+r_dir_file(vold, sysfs_fs_incfs_features);
 # Allow to mount incremental file system on /data/incremental and create files
 allow vold apk_data_file:dir { mounton rw_dir_perms };
 # Allow to create and write files in /data/incremental