From b6211b88cfdab8cffb1a5372caf0a50cf8b10eaf Mon Sep 17 00:00:00 2001
From: Jooyung Han
Date: Wed, 31 May 2023 17:51:14 +0900
Subject: [PATCH] Introduce vendor_apex_metadata_file

A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes.

Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
---
private/apexd.te | 4 ++--
private/compat/33.0/33.0.cil | 5 ++++-
private/derive_classpath.te | 1 +
private/derive_sdk.te | 1 +
private/domain.te | 1 +
private/linkerconfig.te | 3 +++
private/shell.te | 1 +
private/zygote.te | 1 +
public/file.te | 2 ++
public/te_macros | 1 +
10 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/private/apexd.te b/private/apexd.te
index b74d4ee63..f158ef6a4 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -102,8 +102,8 @@ allow apexd staging_data_file:file { r_file_perms link };
 allow apexd staging_data_file:file relabelto;
 
 # allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+r_dir_file(apexd, vendor_apex_file)
+r_dir_file(apexd, vendor_apex_metadata_file)
 
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 8fa3985a2..204048e70 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
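Review bot: Replacing the two explicit allow rules with `r_dir_file(apexd, vendor_apex_file)` is not a pure refactor: if I read te_macros correctly, r_dir_file also grants `lnk_file r_file_perms`, so apexd gains symlink read on /vendor/apex that the removed rules did not give. The same macro is used for the new vendor_apex_metadata_file grant, which is wider than the dir-only grants the commit gives derive_classpath, derive_sdk and shell. If the symlink access is intended, a one-line comment such as `# r_dir_file also covers lnk_file; apexd follows symlinks under /vendor/apex` would document it; otherwise keeping the original two allow rules and adding `allow apexd vendor_apex_metadata_file:{ dir file } ...` explicitly preserves the previous footprint.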
@@ -2544,7 +2544,10 @@
 (typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
 (typeattributeset vendor_app_file_33_0 (vendor_app_file))
 (typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_configs_file_33_0
+ ( vendor_configs_file
+ vendor_apex_metadata_file
+))
 (typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
 (typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
 (typeattributeset vendor_file_33_0 (vendor_file))
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 2299ba092..4f15d5aa7 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -6,6 +6,7 @@ init_daemon_domain(derive_classpath)
 
 # Read /apex
 allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
 
 # Create /data/system/environ/classpath file
 allow derive_classpath environ_system_data_file:dir rw_dir_perms;
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index f46c614fa..c47f0a5bd 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -6,6 +6,7 @@ init_daemon_domain(derive_sdk)
 
 # Read /apex
 allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
 
 # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
 set_prop(derive_sdk, module_sdkextensions_prop)
diff --git a/private/domain.te b/private/domain.te
index f98a285cb..692c96294 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -609,6 +609,7 @@ full_treble_only(`
 -same_process_hal_file
 -vendor_app_file
 -vendor_apex_file
+ -vendor_apex_metadata_file
 -vendor_configs_file
 -vendor_service_contexts_file
 -vendor_framework_file
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 7e78c194d..bd46ca46e 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
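Review bot: Mapping the new type into vendor_configs_file_33_0 rather than next to vendor_apex_file_33_0 is not explained anywhere in the change. This mapping decides which rules of a frozen 33.0 vendor policy apply to ./ and apex_manifest.pb of vendor apexes; vendor_configs_file is, as far as I recall, readable by most vendor domains, which is a different set of rules from the system_file label those entries carried before. A short `;` comment beside the entry, or a sentence in the commit description, giving the reason for choosing vendor_configs_file_33_0 would help whoever maintains the compat mapping next.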
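Review bot: The exemption `-vendor_apex_metadata_file` makes the per-domain allow rules added elsewhere in this commit the only barrier between any coredomain and vendor apex metadata, since every coredomain is now carved out of the enclosing full_treble_only neverallow for this type. The neverallow starts and ends outside the hunk, so I can't see exactly which access it forbids; if it is the coredomain-to-vendor-file rule, the entry is consistent with the neighbouring vendor_* exclusions. An inline comment such as `-vendor_apex_metadata_file # apex_manifest.pb and ./ of vendor apexes; read by apexd, linkerconfig, derive_*` would record why this vendor type is exempt.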
@@ -19,6 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
+# Allow linkerconfig to read apex_manifest.pb file from vendor apex
+r_dir_file(linkerconfig, vendor_apex_metadata_file)
+
 # Allow linkerconfig to be called in the otapreopt_chroot
 allow linkerconfig otapreopt_chroot:fd use;
 allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
diff --git a/private/shell.te b/private/shell.te
index 85d09f9e7..181963cfc 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -136,6 +136,7 @@ neverallow shell self:perf_event ~{ open read write kernel };
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
 allow shell vendor_apex_file:dir r_dir_perms;
+allow shell vendor_apex_metadata_file:dir r_dir_perms;
 
 # Allow shell to read updated APEXes under /data/apex
 allow shell apex_data_file:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index d61a4317d..be94a5263 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -258,6 +258,7 @@ allow zygote apex_info_file:file r_file_perms;
 # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
 allow zygote vendor_apex_file:dir { getattr search };
 allow zygote vendor_apex_file:file { getattr };
+allow zygote vendor_apex_metadata_file:dir { search };
 
 # Allow zygote to query for compression/features.
 r_dir_file(zygote, sysfs_fs_f2fs)
diff --git a/public/file.te b/public/file.te
index 7aad936a0..f7fafcb1e 100644
--- a/public/file.te
+++ b/public/file.te
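Review bot: The shell grant on the new type is dir-only, while the adjacent rules give shell both `vendor_apex_file:file r_file_perms` and `vendor_apex_file:dir r_dir_perms`. Per the description these entries were previously labelled system_file, so if shell could read apex_manifest.pb of a vendor apex before, the relabel narrows that to listing the directory and reading the manifest from an adb shell will now be denied. That may be intended least privilege for a debugging domain and is worth confirming; if it is not, `allow shell vendor_apex_metadata_file:file r_file_perms;` next to the added line restores the previous behaviour.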
@@ -381,6 +381,8 @@ type server_configurable_flags_data_file, file_type, data_file_type, core_data_f
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
+# apex_manifest.pb in vendor apex
+type vendor_apex_metadata_file, vendor_file_type, file_type;
 # /data/system/shutdown-checkpoints
 type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
 
diff --git a/public/te_macros b/public/te_macros
index 63805de69..c4ebc63a7 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1047,6 +1047,7 @@ define(`use_bootstrap_libs', `
 define(`use_apex_info', `
 allow $1 apex_mnt_dir:dir r_dir_perms;
 allow $1 apex_info_file:file r_file_perms;
+ r_dir_file($1, vendor_apex_metadata_file)
 ')
 
 ####################################
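Review bot: The comment `# apex_manifest.pb in vendor apex` undersells the new type: the description says the label also covers the `./` root entry of each vendor apex, and every consumer in this commit relies on the dir part of that. Suggest `# ./ and apex_manifest.pb of vendor apexes; readable by system components that need apex metadata (see use_apex_info)` so the next reader knows why dir-only rules on this type make sense.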
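Review bot: `r_dir_file($1, vendor_apex_metadata_file)` inside use_apex_info hands every caller of the macro dir, file and, via r_dir_file, lnk_file read on vendor apex metadata, whereas the two existing lines are scoped to apex_mnt_dir and apex_info_file. Whether every current user of use_apex_info needs the manifest contents is not visible here, and linkerconfig gets the same grant directly in private/linkerconfig.te, so if it also invokes this macro one of the two is redundant. The macro's header comment, if there is one above `define(`use_apex_info', ``, sits outside the hunk and should be updated to mention the new grant, e.g. `# ... and apex_manifest.pb of vendor apexes`.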