From 206b6535f1b6793480062cb3d90f7e0af1004435 Mon Sep 17 00:00:00 2001 From: Paul Crowley Date: Thu, 1 Aug 2019 15:57:47 -0700 Subject: [PATCH] Root of /data belongs to init Give /data itself a different label to its contents, to ensure that only init creates files and directories there. Bug: 139190159 Test: aosp boots, logs look good Change-Id: I3ee654a928bdab3f5d435ab6ac24040d9bdd9abe --- private/compat/29.0/29.0.cil | 2 +- private/file_contexts | 3 ++- private/perfetto.te | 1 + private/traced.te | 1 + private/traced_probes.te | 1 + private/vendor_init.te | 3 +++ public/domain.te | 7 +++++-- public/file.te | 2 ++ public/init.te | 17 ++++++++++++++++- public/vold.te | 5 ++++- 10 files changed, 36 insertions(+), 6 deletions(-) diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil index 86f8a8d8e..2079248e4 100644 --- a/private/compat/29.0/29.0.cil +++ b/private/compat/29.0/29.0.cil @@ -1780,7 +1780,7 @@ (typeattributeset system_block_device_29_0 (system_block_device)) (typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop)) (typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file)) -(typeattributeset system_data_file_29_0 (system_data_file)) +(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file)) (typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file)) (typeattributeset system_file_29_0 (system_file)) (typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file)) diff --git a/private/file_contexts b/private/file_contexts index 8b25cfdf1..8849885af 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -434,7 +434,8 @@ # NOTE: When modifying existing label rules, changes may also need to # propagate to the "Expanded data files" section. # -/data(/.*)? u:object_r:system_data_file:s0 +/data u:object_r:system_data_root_file:s0 +/data/(.*)? u:object_r:system_data_file:s0 /data/system/packages\.list u:object_r:packages_list_file:s0 /data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0 /data/backup(/.*)? u:object_r:backup_data_file:s0 diff --git a/private/perfetto.te b/private/perfetto.te index 419c4b98f..e95defa14 100644 --- a/private/perfetto.te +++ b/private/perfetto.te @@ -69,6 +69,7 @@ neverallow perfetto domain:process ptrace; neverallow perfetto { data_file_type -system_data_file + -system_data_root_file # TODO(b/72998741) Remove exemption. Further restricted in a subsequent # neverallow. Currently only getattr and search are allowed. -vendor_data_file diff --git a/private/traced.te b/private/traced.te index 2d7d07fd9..42c67042d 100644 --- a/private/traced.te +++ b/private/traced.te @@ -62,6 +62,7 @@ neverallow traced domain:process ptrace; neverallow traced { data_file_type -system_data_file + -system_data_root_file # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a # subsequent neverallow. Currently only getattr and search are allowed. -vendor_data_file diff --git a/private/traced_probes.te b/private/traced_probes.te index 8746c3401..97a7e6e40 100644 --- a/private/traced_probes.te +++ b/private/traced_probes.te @@ -101,6 +101,7 @@ neverallow traced_probes { -apk_data_file -dalvikcache_data_file -system_data_file + -system_data_root_file -system_app_data_file -backup_data_file -bootstat_data_file diff --git a/private/vendor_init.te b/private/vendor_init.te index 50efc22d6..6a68f1fed 100644 --- a/private/vendor_init.te +++ b/private/vendor_init.te @@ -2,3 +2,6 @@ # Sometimes we have to write to non-existent files to avoid conditional # init behavior. See b/35303861 for an example. dontaudit vendor_init sysfs:dir write; + +# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now +allow vendor_init system_data_root_file:dir rw_dir_perms; diff --git a/public/domain.te b/public/domain.te index 61a2ee4db..d11d3ba2a 100644 --- a/public/domain.te +++ b/public/domain.te @@ -222,8 +222,9 @@ not_full_treble(` allow domain system_data_file:dir getattr; ') allow { coredomain appdomain } system_data_file:dir getattr; -# /data has the label system_data_file. Vendor components need the search -# permission on system_data_file for path traversal to /data/vendor. +# /data has the label system_data_root_file. Vendor components need the search +# permission on system_data_root_file for path traversal to /data/vendor. +allow domain system_data_root_file:dir { search getattr } ; allow domain system_data_file:dir search; # TODO restrict this to non-coredomain allow domain vendor_data_file:dir { getattr search }; @@ -858,6 +859,7 @@ full_treble_only(` } { core_data_file_type -system_data_file # default label for files on /data. Covered below... + -system_data_root_file -vendor_data_file -zoneinfo_data_file with_native_coverage(`-method_trace_data_file') @@ -869,6 +871,7 @@ full_treble_only(` core_data_file_type -unencrypted_data_file -system_data_file + -system_data_root_file -vendor_data_file -zoneinfo_data_file with_native_coverage(`-method_trace_data_file') diff --git a/public/file.te b/public/file.te index e37da023c..97cd097de 100644 --- a/public/file.te +++ b/public/file.te @@ -228,6 +228,8 @@ type logcat_exec, system_file_type, exec_type, file_type; type cgroup_rc_file, file_type; # /cores for coredumps on userdebug / eng builds type coredump_file, file_type; +# Type of /data itself +type system_data_root_file, file_type, data_file_type, core_data_file_type; # Default type for anything under /data. type system_data_file, file_type, data_file_type, core_data_file_type; # Type for /data/system/packages.list. diff --git a/public/init.te b/public/init.te index 4d7da5572..f811bbe69 100644 --- a/public/init.te +++ b/public/init.te @@ -80,7 +80,18 @@ allow init self:global_capability_class_set sys_chroot; # Create and mount on directories in /. allow init rootfs:dir create_dir_perms; -allow init { rootfs cache_file cgroup storage_file mnt_user_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton; +allow init { + rootfs + cache_file + cgroup + storage_file + mnt_user_file + system_data_file + system_data_root_file + system_file + vendor_file + postinstall_mnt_dir +}:dir mounton; allow init cgroup_bpf:dir { create mounton }; # Mount bpf fs on sys/fs/bpf @@ -590,3 +601,7 @@ neverallow init sysfs:file { open read write }; # No domain should be allowed to ptrace init. neverallow * init:process ptrace; + +# init owns the root of /data +# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now +neverallow { domain -init -vendor_init -vold } system_data_root_file:dir { write add_name remove_name }; diff --git a/public/vold.te b/public/vold.te index 3a38ba539..f4a62597a 100644 --- a/public/vold.te +++ b/public/vold.te @@ -135,7 +135,10 @@ allow vold labeledfs:filesystem { mount unmount remount }; allow vold efs_file:file rw_file_perms; # Create and mount on /data/tmp_mnt and management of expansion mounts -allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir }; +allow vold { + system_data_file + system_data_root_file +}:dir { create rw_dir_perms mounton setattr rmdir }; allow vold system_data_file:lnk_file getattr; # Vold create users in /data/vendor_{ce,de}/[0-9]+