From 4a556890f9afb3b4af5d87bc0d91d73a69f97e96 Mon Sep 17 00:00:00 2001 From: Ramji Jiyani Date: Thu, 10 Feb 2022 00:35:54 +0000 Subject: [PATCH] system_dlkm: sepolicy: add system_dlkm_file_type Add new attribute system_dlkm_file_type for /system_dlkm partition files. Bug: 218392646 Bug: 200082547 Test: TH Signed-off-by: Ramji Jiyani Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3 --- private/compat/32.0/32.0.ignore.cil | 1 + private/file_contexts | 2 +- public/attributes | 3 +++ public/domain.te | 5 +++-- public/file.te | 3 +++ public/init.te | 8 ++++++++ public/vendor_init.te | 5 +++++ 7 files changed, 24 insertions(+), 3 deletions(-) diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil index f1307ad44..8964074fb 100644 --- a/private/compat/32.0/32.0.ignore.cil +++ b/private/compat/32.0/32.0.ignore.cil @@ -55,6 +55,7 @@ snapuserd_proxy_socket supplemental_process_service sysfs_fs_fuse_bpf + system_dlkm_file tare_service tv_iapp_service untrusted_app_30 diff --git a/private/file_contexts b/private/file_contexts index ba5037695..da9215ff2 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -19,7 +19,7 @@ # For kernel modules /lib(/.*)? u:object_r:rootfs:s0 -/system_dlkm(/.*)? u:object_r:rootfs:s0 +/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0 # Empty directories /lost\+found u:object_r:rootfs:s0 diff --git a/public/attributes b/public/attributes index b97bffc19..1e6bd6b42 100644 --- a/public/attributes +++ b/public/attributes @@ -51,6 +51,9 @@ expandattribute app_data_file_type false; # All types in /system attribute system_file_type; +# All types in /system_dlkm +attribute system_dlkm_file_type; + # All types in /vendor attribute vendor_file_type; diff --git a/public/domain.te b/public/domain.te index 50503cdc3..72b601b6d 100644 --- a/public/domain.te +++ b/public/domain.te @@ -1261,8 +1261,9 @@ neverallow { # Enforce restrictions on kernel module origin. # Do not allow kernel module loading except from system, -# vendor, and boot partitions. -neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load; +# vendor, boot, and system_dlkm partitions. +# TODO(b/218951883): Remove usage of system and rootfs as origin +neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load; # Only allow filesystem caps to be set at build time. Runtime changes # to filesystem capabilities are not permitted. diff --git a/public/file.te b/public/file.te index 3545e2483..c0b7679d7 100644 --- a/public/file.te +++ b/public/file.te @@ -583,6 +583,9 @@ type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type; # kernel modules type vendor_kernel_modules, vendor_file_type, file_type; +# system_dlkm +type system_dlkm_file, system_dlkm_file_type, file_type; + # Allow files to be created in their appropriate filesystems. allow fs_type self:filesystem associate; allow cgroup tmpfs:filesystem associate; diff --git a/public/init.te b/public/init.te index 54e30823c..362c41eb9 100644 --- a/public/init.te +++ b/public/init.te @@ -98,6 +98,7 @@ allow init { mnt_user_file system_data_file system_data_root_file + system_dlkm_file system_file vendor_file postinstall_mnt_dir @@ -201,6 +202,7 @@ allow init { -nativetest_data_file -privapp_data_file -system_app_data_file + -system_dlkm_file_type -system_file_type -vendor_file_type }:dir { create search getattr open read setattr ioctl }; @@ -217,6 +219,7 @@ allow init { -privapp_data_file -shell_data_file -system_app_data_file + -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file @@ -237,6 +240,7 @@ allow init { -runtime_event_log_tags_file -shell_data_file -system_app_data_file + -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file @@ -258,6 +262,7 @@ allow init { -privapp_data_file -shell_data_file -system_app_data_file + -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file @@ -277,6 +282,7 @@ allow init { -privapp_data_file -shell_data_file -system_app_data_file + -system_dlkm_file_type -system_file_type -vendor_file_type -vold_data_file @@ -286,6 +292,7 @@ allow init cache_file:lnk_file r_file_perms; allow init { file_type + -system_dlkm_file_type -system_file_type -vendor_file_type -exec_type @@ -590,6 +597,7 @@ allowxperm init { data_file_type unlabeled }:dir ioctl { allow init misc_block_device:blk_file w_file_perms; r_dir_file(init, system_file) +r_dir_file(init, system_dlkm_file_type) r_dir_file(init, vendor_file_type) allow init system_data_file:file { getattr read }; diff --git a/public/vendor_init.te b/public/vendor_init.te index 24d144a7f..bc6d3b926 100644 --- a/public/vendor_init.te +++ b/public/vendor_init.te @@ -50,6 +50,7 @@ allow vendor_init { file_type -core_data_file_type -exec_type + -system_dlkm_file_type -system_file_type -mnt_product_file -password_slot_metadata_file @@ -71,6 +72,7 @@ allow vendor_init { -password_slot_metadata_file -ota_metadata_file -runtime_event_log_tags_file + -system_dlkm_file_type -system_file_type -unlabeled -vendor_file_type @@ -88,6 +90,7 @@ allow vendor_init { -exec_type -password_slot_metadata_file -ota_metadata_file + -system_dlkm_file_type -system_file_type -unlabeled -vendor_file_type @@ -104,6 +107,7 @@ allow vendor_init { -exec_type -password_slot_metadata_file -ota_metadata_file + -system_dlkm_file_type -system_file_type -unlabeled -vendor_file_type @@ -120,6 +124,7 @@ allow vendor_init { -mnt_product_file -password_slot_metadata_file -ota_metadata_file + -system_dlkm_file_type -system_file_type -vendor_file_type -vold_metadata_file