From 0a6c2d013a1666147255412d67d30aa2d7f96aec Mon Sep 17 00:00:00 2001
From: Roland Levillain
Date: Tue, 15 Jan 2019 17:36:47 +0000
Subject: [PATCH 1/3] Allow `otapreopt_chroot` to mount APEX packages using `apexd` logic.

Allow `otapreopt_chroot` to:
- read SELinux policy files;
- open and read the contents of `/postinstall/system/apex`;
- read the `persist.apexd.verity_on_system` system property;
- create loop devices with `/dev/loop-control`;
- access loop devices;
- configure read-ahead of loop devices;
- mount a tmpfs filesystem in `/postinstall/apex`;
- manipulate the tmpfs filesystem mounted in `/postinstall/apex`;
- mount APEX packages in `/postinstall/apex`.

Allow the kernel to:
- read `otapreopt_chroot`'s file descriptors;
- read files under `/postinstall`.

Allow `otapreopt` (running as "postinstall_dexopt") to:
- read data from `/postinstall/apex`.

Allow `dex2oat` to:
- access `/postinstall/apex`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I204df92611dc710fdc97b22cd67d088ffd991210
---
 private/otapreopt_chroot.te | 25 +++++++++++++++++++++++++
 public/dex2oat.te | 3 +++
 public/kernel.te | 6 ++++++
 public/otapreopt_chroot.te | 8 ++++++++
 public/postinstall_dexopt.te | 3 +++
 5 files changed, 45 insertions(+)

diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 1f69931c8..9a9fb5f28 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -2,3 +2,28 @@ typeattribute otapreopt_chroot coredomain;

 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+
+# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
+allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
+# Allow otapreopt_chroot to access loop devices.
+allow otapreopt_chroot loop_device:blk_file rw_file_perms;
+allowxperm otapreopt_chroot loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_SET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_BLOCK_SIZE
+ LOOP_SET_DIRECT_IO
+ LOOP_CLR_FD
+ BLKFLSBUF
+};
+
+# Allow otapreopt_chroot to configure read-ahead of loop devices.
+allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
+allow otapreopt_chroot sysfs_loop:file rw_file_perms;
+
+# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
+allow otapreopt_chroot tmpfs:filesystem mount;
+# Allow otapreopt_chroot to manipulate the tmpfs filesystem mounted in /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir create_dir_perms;
+# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
+allow otapreopt_chroot tmpfs:dir mounton;
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 0a046c65f..897483800 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -46,6 +46,9 @@ allow dex2oat postinstall_file:dir { getattr search };
 allow dex2oat postinstall_file:filesystem getattr;
 allow dex2oat postinstall_file:lnk_file { getattr read };

+# Allow dex2oat access to /postinstall/apex.
+allow dex2oat tmpfs:dir search;
+
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
 allow dex2oat ota_data_file:file r_file_perms;
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2b1..3ffb5cee2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
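Review bot: The three tmpfs rules at the end of the first hunk (`tmpfs:filesystem mount`, `tmpfs:dir create_dir_perms`, `tmpfs:dir mounton`) are granted on the generic `tmpfs` type, so they are not scoped to /postinstall/apex as their comments state: any tmpfs-labelled filesystem or directory otapreopt_chroot can reach satisfies them. The same widening applies to `allow dex2oat tmpfs:dir search;` in the public/dex2oat.te hunk below and to `allow postinstall_dexopt tmpfs:dir { read search };` in the public/postinstall_dexopt.te hunk. If the tmpfs is mounted with a dedicated type for the mount point (a constructed name such as `<POSTINSTALL_APEX_TMPFS_TYPE>`, declared as a file type), these rules and the dex2oat/postinstall_dexopt ones can be granted on that type instead, and the comments become accurate. Separately, `BLKFLSBUF` is the only non-LOOP_* ioctl in the allow-list and deserves a one-line comment saying why otapreopt_chroot issues it, e.g. `# BLKFLSBUF: needed by the apexd loop-device logic (confirm which step).`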
@@ -88,6 +88,12 @@ allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
 allow kernel staging_data_file:file read;

+# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
+# files under /postinstall, as it uses apexd logic to mount APEX packages in
+# /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
+
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index 902708b1b..d815d1d53 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -13,6 +13,14 @@ allow otapreopt_chroot labeledfs:filesystem mount;
 # Mounting /vendor can have this side-effect. Ignore denial.
 dontaudit otapreopt_chroot kernel:process setsched;

+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
 # Allow otapreopt to use file descriptors from update-engine. It will
 # close them immediately.
 allow otapreopt_chroot postinstall:fd use;
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 0ccd16809..46a02dd11 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
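Review bot: `allow kernel postinstall_file:file read;` is wider than the apexd analogue the comment says it mirrors: `apex_data_file` and `staging_data_file` cover APEX images only, whereas postinstall_file appears to label the whole /postinstall tree (the public/dex2oat.te hunk in this patch uses the same type for APKs and the linker), so the kernel domain gets read on every file there rather than on the loop-backed APEX images alone. That may be acceptable, but the comment should name the access this serves rather than "files under /postinstall", e.g. `# files under /postinstall (presumably the backing files of the loop devices otapreopt_chroot sets up),`. A dedicated label for /postinstall/system/apex would be the tighter fix; the labeling is outside this hunk, so that is a follow-up at most.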
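Review bot: The comment `# Allow otapreopt_chroot to read SELinux policy files.` overstates the rule beneath it, which grants r_file_perms on `file_contexts_file` only; suggest `# Allow otapreopt_chroot to read file_contexts (used by the apexd mount logic).`. Likewise `get_prop(otapreopt_chroot, apexd_prop)` grants read on every property carrying the apexd_prop label, not just persist.apexd.verity_on_system, so the comment should say which label is being opened up, e.g. `# Allow otapreopt_chroot to read apexd_prop properties (e.g. persist.apexd.verity_on_system).`. Both are documentation-only; the rules themselves look right for what the commit describes.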
@@ -13,6 +13,9 @@ allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
 allow postinstall_dexopt proc_filesystems:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;

+# Read data from /postinstall/apex.
+allow postinstall_dexopt tmpfs:dir { read search };
+
 # Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
 # here and having to relabel the directory.


From ab9c05307816075d4551f7453424bd710890c2d2 Mon Sep 17 00:00:00 2001
From: Roland Levillain
Date: Sat, 19 Jan 2019 12:42:11 +0000
Subject: [PATCH 2/3] Allow `oatpreopt` to run `dex2oat` from the Runtime APEX.

- Allow `postinstall_dexopt` to transition to domain `dex2oat` when executing `dex2oat` from the Runtime APEX (`/postinstall/apex/com.android.com/bin/dex2oat`).
- Allow `dex2oat` (from the Runtime APEX) to read files under `/postinstall` (e.g. APKs under `/system`, `/system/bin/linker`);
- Also allow `dex2oat` (from the Runtime APEX) to use libraries under `/postinstall/system` (e.g. `/system/lib/libc.so`). This is temporary change until Bionic libraries are part of the Runtime APEX.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I0a8a6ac485f725753ee909b1561becd3bd908ce4
---
 private/postinstall_dexopt.te | 2 +-
 public/dex2oat.te | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index ff5fe8735..f23781733 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -2,4 +2,4 @@ typeattribute postinstall_dexopt coredomain;

 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
+domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 897483800..7ae1b3453 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
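Review bot: In the private/postinstall_dexopt.te hunk the context comment `# We have to manually transition, as we don't have an entrypoint.` appears to describe the old `postinstall_file` source type and reads stale once the transition keys on `dex2oat_exec`; suggest `# Transition to dex2oat when executing a dex2oat_exec binary (dex2oat from the Runtime APEX).` and confirming with the author whether the "no entrypoint" rationale still holds. Replacing the source type also drops the automatic transition for a dex2oat still labelled postinstall_file (the pre-APEX path); if that path is intentionally no longer supported the commit message should say so, since nothing in the diff keeps it working. For `dex2oat_exec` to match inside the mounted APEX image, the image's own file_contexts must be applied at mount time; that is presumably what the file_contexts_file read in patch 1 is for, but it is worth stating in the comment.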
@@ -46,6 +46,12 @@ allow dex2oat postinstall_file:dir { getattr search };
 allow dex2oat postinstall_file:filesystem getattr;
 allow dex2oat postinstall_file:lnk_file { getattr read };

+# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
+allow dex2oat postinstall_file:file read;
+# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
+# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
+allow dex2oat postinstall_file:file { execute getattr open };
+
 # Allow dex2oat access to /postinstall/apex.
 allow dex2oat tmpfs:dir search;


From 7094d4f50507a6935a73dad7e250235dd8f818a2 Mon Sep 17 00:00:00 2001
From: Roland Levillain
Date: Mon, 21 Jan 2019 15:01:26 +0000
Subject: [PATCH 3/3] Allow `oatpreopt_chroot` to deactivate APEX packages in `/postinstall/apex`.

Allow `otapreopt_chroot` to:
- unmount APEX packages (ext4 images) mounted in `/postinstall/apex`;
- access `/dev/block`.

Deactivating APEX packages (unmounting them from `/postinstall/apex` and detaching the corresponding loop devices) is part of the tear-down phase run at the end of `oatpreopt_chroot`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: Ida07d2ceda31c7296228d973b26ff642f6533274
---
 private/otapreopt_chroot.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 9a9fb5f28..8f3d797c9 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
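Review bot: The permanent rule `allow dex2oat postinstall_file:file read;` grants read but not open or getattr; those currently come only from the temporary rule two lines below, so removing that rule as its TODO(b/120266448) intends would leave dex2oat unable to open the APKs and linker the first comment describes. Make the permanent rule `allow dex2oat postinstall_file:file r_file_perms;` (matching the ota_data_file rule already in this file) and reduce the temporary one to `allow dex2oat postinstall_file:file execute;`. Note also that `execute` on the whole postinstall_file type lets dex2oat map any file under /postinstall as code, not only libraries under /postinstall/system, so the TODO is worth keeping visible until a narrower label exists. The rest of dex2oat's rules are outside the hunk.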
@@ -27,3 +27,8 @@ allow otapreopt_chroot tmpfs:filesystem mount;
 allow otapreopt_chroot tmpfs:dir create_dir_perms;
 # Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
 allow otapreopt_chroot tmpfs:dir mounton;
+
+# Allow otapreopt_chroot to unmount APEX packages (ext4 images) mounted in /postinstall/apex.
+allow otapreopt_chroot labeledfs:filesystem unmount;
+# Allow otapreopt_chroot to access /dev/block.
+allow otapreopt_chroot block_device:dir r_dir_perms;
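Review bot: `allow otapreopt_chroot labeledfs:filesystem unmount;` is added to private/otapreopt_chroot.te while its counterpart `labeledfs:filesystem mount` lives in public/otapreopt_chroot.te (visible as hunk context in patch 1), so the mount/unmount pair is now split across files; placing the unmount next to the mount keeps the tear-down permissions reviewable together. The commit message describes a tear-down that unmounts and detaches, yet nothing here grants `tmpfs:filesystem unmount` for the tmpfs mounted at /postinstall/apex in patch 1: if the tear-down also unmounts that tmpfs the operation will be denied, and if it is deliberately left mounted a comment saying so would prevent a later "missing permission" hunt. The `block_device:dir r_dir_perms` comment should say why /dev/block is listed, e.g. `# Allow otapreopt_chroot to list /dev/block (apexd loop-device logic; confirm which lookup).`.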