Use postinstall file_contexts
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.
Bug: 181182967
Test: Manual OTA of blueline
Test: lunch wembley-userdebug; m droid
Ignore-AOSP-First: Requires changes to device/mediatek/wembley-sepolicy
to be applied simultaneously to avoid breaking
builds. Once merged this will be cherry-picked back
to AOSP to maintain state.
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
This commit is contained in:
Alex Light
parent
3fb2e9c2f6
commit
a1cdf2e311
12 changed files with 63 additions and 10 deletions
|
|
@ -183,3 +183,9 @@ neverallow { domain -apexd -init } apexd_prop:property_service set;
|
|||
|
||||
# only apexd can write apex-info-list.xml
|
||||
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
|
||||
|
||||
# Allow for use in postinstall
|
||||
allow apexd otapreopt_chroot:fd use;
|
||||
allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
|
||||
allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
|
||||
allow apexd proc_filesystems:file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -81,6 +81,10 @@
|
|||
pac_proxy_service
|
||||
people_service
|
||||
persist_vendor_debug_wifi_prop
|
||||
postinstall_dexopt_exec
|
||||
postinstall_device_mnt_dir
|
||||
postinstall_product_mnt_dir
|
||||
postinstall_vendor_mnt_dir
|
||||
power_debug_prop
|
||||
powerstats_service
|
||||
proc_kallsyms
|
||||
|
|
|
|||
|
|
@ -485,3 +485,7 @@ full_treble_only(`
|
|||
# (Every domain is allowed self:fork, so this will trigger if the
|
||||
# intsersection of domain & mlsvendorcompat is not empty.)
|
||||
neverallow domain mlsvendorcompat:process fork;
|
||||
|
||||
# Only init and otapreopt_chroot should be mounting filesystems on locations
|
||||
# labeled system or vendor (/product and /vendor respectively).
|
||||
neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
|
||||
|
|
|
|||
|
|
@ -27,13 +27,15 @@
|
|||
/data_mirror u:object_r:mirror_data_file:s0
|
||||
/debug_ramdisk u:object_r:tmpfs:s0
|
||||
/mnt u:object_r:tmpfs:s0
|
||||
/postinstall u:object_r:postinstall_mnt_dir:s0
|
||||
/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
|
||||
/proc u:object_r:rootfs:s0
|
||||
/second_stage_resources u:object_r:tmpfs:s0
|
||||
/sys u:object_r:sysfs:s0
|
||||
/apex u:object_r:apex_mnt_dir:s0
|
||||
|
||||
# Postinstall directories
|
||||
/postinstall u:object_r:postinstall_mnt_dir:s0
|
||||
/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
|
||||
|
||||
/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
|
||||
|
||||
# Symlinks
|
||||
|
|
@ -792,3 +794,9 @@
|
|||
#############################
|
||||
# mount point for read-write product partitions
|
||||
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
|
||||
|
||||
#############################
|
||||
# /postinstall file contexts
|
||||
/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
|
||||
/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
|
||||
/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
|
||||
|
|
|
|||
|
|
@ -19,4 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
|
|||
# Allow linkerconfig to read apex-info-list.xml
|
||||
allow linkerconfig apex_info_file:file r_file_perms;
|
||||
|
||||
# Allow linkerconfig to be called in the otapreopt_chroot
|
||||
allow linkerconfig otapreopt_chroot:fd use;
|
||||
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
||||
allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
|
||||
|
||||
neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
|
||||
|
|
|
|||
|
|
@ -1,10 +1,18 @@
|
|||
# otapreopt_chroot executable
|
||||
type otapreopt_chroot, domain, coredomain;
|
||||
type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
|
||||
typeattribute otapreopt_chroot coredomain;
|
||||
type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# Chroot preparation and execution.
|
||||
# We need to create an unshared mount namespace, and then mount /data.
|
||||
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
||||
allow otapreopt_chroot apex_mnt_dir:dir mounton;
|
||||
allow otapreopt_chroot device:dir mounton;
|
||||
allow otapreopt_chroot linkerconfig_file:dir mounton;
|
||||
allow otapreopt_chroot rootfs:dir mounton;
|
||||
allow otapreopt_chroot sysfs:dir mounton;
|
||||
allow otapreopt_chroot system_data_root_file:dir mounton;
|
||||
allow otapreopt_chroot system_file:dir mounton;
|
||||
allow otapreopt_chroot vendor_file:dir mounton;
|
||||
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
|
||||
|
||||
# This is required to mount /vendor and mount/unmount ext4 images from
|
||||
|
|
@ -35,7 +43,9 @@ allow otapreopt_chroot update_engine:fd use;
|
|||
allow otapreopt_chroot update_engine:fifo_file write;
|
||||
|
||||
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
|
||||
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
||||
domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
|
||||
domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
|
||||
domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
|
||||
|
||||
# Allow otapreopt_chroot to control linkerconfig
|
||||
allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
typeattribute postinstall coredomain;
|
||||
|
||||
type postinstall_exec, system_file_type, exec_type, file_type;
|
||||
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
|
||||
|
||||
allow postinstall rootfs:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@
|
|||
# this is derived and adapted from installd.te.
|
||||
|
||||
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
|
||||
type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Run dex2oat/patchoat in its own sandbox.
|
||||
# We have to manually transition, as we don't have an entrypoint.
|
||||
|
|
@ -20,6 +21,8 @@ allow postinstall_dexopt postinstall_file:filesystem getattr;
|
|||
allow postinstall_dexopt postinstall_file:dir { getattr read search };
|
||||
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
|
||||
allow postinstall_dexopt proc_filesystems:file { getattr open read };
|
||||
allow postinstall_dexopt rootfs:file r_file_perms;
|
||||
|
||||
allow postinstall_dexopt tmpfs:file read;
|
||||
|
||||
# Allow access to /postinstall/apex.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,13 @@
|
|||
# type_transition must be private policy the domain_trans rules could stay
|
||||
# public, but conceptually should go with this
|
||||
# The postinstall program is run by update_engine_common and will always be tagged as a
|
||||
# postinstall_file regardless of its attributes in the new system.
|
||||
# The postinstall program is run by update_engine_common and must be tagged
|
||||
# with postinstall_exec in the new filesystem.
|
||||
# TODO Have build system attempt to verify this
|
||||
domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
|
||||
|
||||
# Vendor directories can have the transition as well during OTA. This is caused
|
||||
# by update_engine execing scripts in vendor to perform any update tasks needed
|
||||
# there.
|
||||
domain_auto_trans(update_engine_common, postinstall_file, postinstall)
|
||||
|
||||
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
|
||||
|
|
|
|||
|
|
@ -506,7 +506,6 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
|
|||
|
||||
# Don't allow mounting on top of /system files or directories
|
||||
neverallow * exec_type:dir_file_class_set mounton;
|
||||
neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
|
||||
|
||||
# Nothing should be writing to files in the rootfs.
|
||||
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
|
|
|
|||
4
public/otapreopt_chroot.te
Normal file
4
public/otapreopt_chroot.te
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
# otapreopt_chroot seclabel
|
||||
|
||||
# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
|
||||
type otapreopt_chroot, domain;
|
||||
|
|
@ -33,7 +33,7 @@ allow update_engine_common rootfs:file r_file_perms;
|
|||
# labels on the mounted filesystem to postinstall_file.
|
||||
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
|
||||
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
|
||||
allow update_engine_common labeledfs:filesystem relabelfrom;
|
||||
allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
|
||||
|
||||
# Allow update_engine_common to read and execute postinstall_file.
|
||||
allow update_engine_common postinstall_file:file rx_file_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue