Merge "Root of /data belongs to init"

This commit is contained in:
Paul Crowley 2019-08-30 05:23:12 +00:00 committed by Gerrit Code Review
commit b935b6c664
10 changed files with 36 additions and 6 deletions

View file

@ -1780,7 +1780,7 @@
(typeattributeset system_block_device_29_0 (system_block_device))
(typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
(typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
(typeattributeset system_data_file_29_0 (system_data_file))
(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
(typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
(typeattributeset system_file_29_0 (system_file))
(typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))

View file

@ -434,7 +434,8 @@
# NOTE: When modifying existing label rules, changes may also need to
# propagate to the "Expanded data files" section.
#
/data(/.*)? u:object_r:system_data_file:s0
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0

View file

@ -69,6 +69,7 @@ neverallow perfetto domain:process ptrace;
neverallow perfetto {
data_file_type
-system_data_file
-system_data_root_file
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file

View file

@ -62,6 +62,7 @@ neverallow traced domain:process ptrace;
neverallow traced {
data_file_type
-system_data_file
-system_data_root_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file

View file

@ -101,6 +101,7 @@ neverallow traced_probes {
-apk_data_file
-dalvikcache_data_file
-system_data_file
-system_data_root_file
-system_app_data_file
-backup_data_file
-bootstat_data_file

View file

@ -2,3 +2,6 @@
# Sometimes we have to write to non-existent files to avoid conditional
# init behavior. See b/35303861 for an example.
dontaudit vendor_init sysfs:dir write;
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;

View file

@ -222,8 +222,9 @@ not_full_treble(`
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
# /data has the label system_data_root_file. Vendor components need the search
# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };
@ -858,6 +859,7 @@ full_treble_only(`
} {
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
-system_data_root_file
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
@ -869,6 +871,7 @@ full_treble_only(`
core_data_file_type
-unencrypted_data_file
-system_data_file
-system_data_root_file
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')

View file

@ -228,6 +228,8 @@ type logcat_exec, system_file_type, exec_type, file_type;
type cgroup_rc_file, file_type;
# /cores for coredumps on userdebug / eng builds
type coredump_file, file_type;
# Type of /data itself
type system_data_root_file, file_type, data_file_type, core_data_file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
# Type for /data/system/packages.list.

View file

@ -80,7 +80,18 @@ allow init self:global_capability_class_set sys_chroot;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file mnt_user_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
allow init {
rootfs
cache_file
cgroup
storage_file
mnt_user_file
system_data_file
system_data_root_file
system_file
vendor_file
postinstall_mnt_dir
}:dir mounton;
allow init cgroup_bpf:dir { create mounton };
# Mount bpf fs on sys/fs/bpf
@ -590,3 +601,7 @@ neverallow init sysfs:file { open read write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
# init owns the root of /data
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
neverallow { domain -init -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };

View file

@ -135,7 +135,10 @@ allow vold labeledfs:filesystem { mount unmount remount };
allow vold efs_file:file rw_file_perms;
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold {
system_data_file
system_data_root_file
}:dir { create rw_dir_perms mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;
# Vold create users in /data/vendor_{ce,de}/[0-9]+