Merge "zygote.te: clean up and tighten app data isolation rules" am: a77c2963e9

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2078007

Change-Id: Ia6806138f6c09c885a61f98799828e4fd3477690
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Eric Biggers 2022-05-02 18:57:58 +00:00 committed by Automerger Merge Worker
commit cf064c32a1

View file

@ -36,6 +36,9 @@ allow zygote app_zygote:process { getpgid setpgid };
allow zygote system_data_file:dir r_dir_perms;
allow zygote system_data_file:file r_file_perms;
# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
allow zygote mnt_expand_file:dir getattr;
# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
@ -59,43 +62,49 @@ allow zygote apex_module_data_file:dir search;
allow zygote apex_art_data_file:dir { getattr search };
allow zygote apex_art_data_file:file { r_file_perms execute };
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
# Mount tmpfs over various directories containing per-app directories, to hide
# them for app data isolation. Also traverse these directories (via
# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
allow zygote {
# /data/data, /data/user{,_de}, /mnt/expand/$volume/user{,_de}
system_data_file
# /data/misc/profiles/cur
user_profile_root_file
# /data/misc/profiles/ref
user_profile_data_file
# /storage/emulated/$uid/Android/{data,obb}
media_rw_data_file
}:dir { mounton search };
# Relabel /data/user /data/user_de and /data/data
# Traverse /data_mirror to get to the above directories while their normal paths
# are hidden, in order to bind-mount allowlisted per-app directories.
allow zygote mirror_data_file:dir search;
# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
# need to be hidden by app data isolation, and traverse /mnt/expand to get to
# any allowlisted per-app directories within these directories.
allow zygote mnt_expand_file:dir { open read search };
# Get the inode number of app CE data directories to find them by inode number
# when CE storage is locked. Needed for app data isolation.
allow zygote app_data_file_type:dir getattr;
# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
allow zygote tmpfs:dir { create_dir_perms mounton };
# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
# when setting up app data isolation.
allow zygote tmpfs:lnk_file create;
# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
# standard labels. Note: it seems that not all dirs are actually relabeled yet,
# but it works anyway since all domains can search tmpfs:dir.
allow zygote tmpfs:{ dir lnk_file } relabelfrom;
allow zygote system_data_file:{ dir lnk_file } relabelto;
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };
# Bind mount on top of existing mounted obb and data directory
allow zygote media_rw_data_file:dir { mounton };
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
# Create symlink for /data/user/0
allow zygote tmpfs:lnk_file create;
allow zygote mirror_data_file:dir r_dir_perms;
# Get inode of directories for app data isolation
allow zygote {
app_data_file_type
system_data_file
mnt_expand_file
}:dir getattr;
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;