Merge "Use postinstall file_contexts" am: da7889276f

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1646766

Change-Id: Ia4a358af244df9ab36dcf15aa617eecaf57d2379

private/apexd.te

@@ -183,3 +183,9 @@ neverallow { domain -apexd -init } apexd_prop:property_service set;
 
 # only apexd can write apex-info-list.xml
 neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd proc_filesystems:file r_file_perms;

private/compat/30.0/30.0.ignore.cil

@@ -82,6 +82,10 @@
     pac_proxy_service
     people_service
     persist_vendor_debug_wifi_prop
+    postinstall_dexopt_exec
+    postinstall_device_mnt_dir
+    postinstall_product_mnt_dir
+    postinstall_vendor_mnt_dir
     power_debug_prop
     power_stats_service
     proc_kallsyms

private/domain.te

@@ -485,3 +485,7 @@ full_treble_only(`
 # (Every domain is allowed self:fork, so this will trigger if the
 # intsersection of domain & mlsvendorcompat is not empty.)
 neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;

private/file_contexts

@@ -27,13 +27,15 @@
 /data_mirror        u:object_r:mirror_data_file:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
-/postinstall        u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex   u:object_r:postinstall_apex_mnt_dir:s0
 /proc               u:object_r:rootfs:s0
 /second_stage_resources u:object_r:tmpfs:s0
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
 
+# Postinstall directories
+/postinstall         u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex    u:object_r:postinstall_apex_mnt_dir:s0
+
 /apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
 
 # Symlinks
@@ -797,3 +799,9 @@
 #############################
 # mount point for read-write product partitions
 /mnt/product(/.*)?          u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions  u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script          u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt                 u:object_r:postinstall_dexopt_exec:s0

private/linkerconfig.te

@@ -19,4 +19,9 @@ allow linkerconfig apex_mnt_dir:dir r_dir_perms;
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
 neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;

private/otapreopt_chroot.te

@@ -1,10 +1,18 @@
 # otapreopt_chroot executable
-type otapreopt_chroot, domain, coredomain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
 
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.
 allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
 allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
 
 # This is required to mount /vendor and mount/unmount ext4 images from
@@ -35,7 +43,9 @@ allow otapreopt_chroot update_engine:fd use;
 allow otapreopt_chroot update_engine:fifo_file write;
 
 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
 
 # Allow otapreopt_chroot to control linkerconfig
 allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };

private/postinstall.te

@@ -1,3 +1,5 @@
 typeattribute postinstall coredomain;
-
+type postinstall_exec, system_file_type, exec_type, file_type;
 domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;

private/postinstall_dexopt.te

@@ -4,6 +4,7 @@
 # this is derived and adapted from installd.te.
 
 type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
 
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
@@ -20,6 +21,8 @@ allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr read search };
 allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
 allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
 allow postinstall_dexopt tmpfs:file read;
 
 # Allow access to /postinstall/apex.

private/update_engine_common.te

@@ -1,5 +1,13 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
 domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };

public/domain.te

@@ -514,7 +514,6 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow * rootfs:file { create write setattr relabelto append unlink link rename };

public/otapreopt_chroot.te

@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;

public/update_engine_common.te

@@ -33,7 +33,7 @@ allow update_engine_common rootfs:file r_file_perms;
 # labels on the mounted filesystem to postinstall_file.
 allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
 allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
 
 # Allow update_engine_common to read and execute postinstall_file.
 allow update_engine_common postinstall_file:file rx_file_perms;