From a9671c6b9eff0b72ad797e2339865bd24222391b Mon Sep 17 00:00:00 2001
From: Alex Deymo
Date: Tue, 5 Apr 2016 16:07:25 -0700
Subject: [PATCH] Allow postinstall_file to be an entrypoint.

postinstall_file was an exec_type so it could be an entrypoint for the domain_auto_trans from update_engine domain to postinstall domain. This patch removes the exec_type from postinstall_file and exempts it from the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

Change-Id: Icbf5b262c6f971ce054f1b4896c611b32a6d66b5
---
 domain.te      | 4 ++--
 file.te        | 2 +-
 postinstall.te | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index de00ac1df..f0201059e 100644
--- a/domain.te
+++ b/domain.te
@@ -201,8 +201,8 @@ neverallow { domain -init } kernel:security setsecparam;
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
 
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
diff --git a/file.te b/file.te
index b789e36e5..833e41a4f 100644
--- a/file.te
+++ b/file.te
@@ -117,7 +117,7 @@ type storage_stub_file, file_type;
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type, exec_type;
+type postinstall_file, file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
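Review bot: The exemption added to the entrypoint neverallow in domain.te applies to every source domain (the rule's subject is `*`), so after this change any domain that is granted a matching allow rule could use a file under /postinstall as its entrypoint, not only postinstall; the commit message motivates only the update_engine-to-postinstall transition. Scoping the exemption to that one domain keeps the original exec_type-only invariant for everyone else, e.g. `neverallow { domain -postinstall } { file_type -exec_type }:file entrypoint;` followed by `neverallow postinstall { file_type -exec_type -postinstall_file }:file entrypoint;`. Dropping exec_type in file.te also removes postinstall_file from any rule elsewhere in the policy that is written against the exec_type attribute; whether anything relied on that is not visible in this patch. The new comment could also record the reason the carve-out exists, `# postinstall_file is the entrypoint for the postinstall domain but is deliberately not exec_type (see file.te).`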
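Review bot: The comment above the changed type line in file.te still describes only the labeling, not why exec_type was dropped, and a reader will not find the matching carve-out in domain.te from here. I would extend it with `# Not exec_type: domain.te exempts postinstall_file from the exec_type-only entrypoint neverallow so it can be the postinstall domain's entrypoint.`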
diff --git a/postinstall.te b/postinstall.te
index 8afc56128..938fcd23f 100644
--- a/postinstall.te
+++ b/postinstall.te
@@ -18,3 +18,7 @@ allow postinstall postinstall_file:dir r_dir_perms;
 allow postinstall shell_exec:file rx_file_perms;
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;
+
+# No domain other than update_engine should transition to postinstall, as it is
+# only meant to run during the update.
+neverallow { domain -update_engine } postinstall:process { transition dyntransition };
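Review bot: The new neverallow pins which domain may enter postinstall but says nothing about what may serve as its entrypoint, so the pairing with the domain.te carve-out is only half enforced in this file; a companion rule, `neverallow postinstall { file_type -postinstall_file }:file entrypoint;`, would state that constraint next to this one. The allow rules before line 18 and whatever domain_auto_trans sets up the transition are outside the hunk, so confirm nothing there already grants a different entrypoint before adding it.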