From 9f07ea544267a35214fd3a88b67515da35c4da7f Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Wed, 27 Apr 2022 04:39:17 +0000
Subject: [PATCH] zygote.te: clean up and tighten app data isolation rules

Group together the rules for setting up app data isolation and get all the comments up-to-date. Also remove some parts that aren't needed:
- 'allow zygote mnt_expand_file:dir mounton;' -- not needed. It might have been thought that this was needed for mounting tmpfs on /mnt/expand/$volume/user{,_de}, but those have type system_data_file.
- 'allow zygote mnt_expand_file:dir relabelto;' -- not needed, as nothing is ever relabeled to this type.
- 'allow zygote media_rw_data_file:dir getattr;' -- not needed to create bind mounts. The similar rules for user_profile_* don't include this.
- 'allow zygote mirror_data_file:dir r_dir_perms;' -- tighten to just the required search permission.
- 'allow zygote system_data_file:dir getattr;' -- redundant with 'allow zygote system_data_file:dir r_dir_perms;', and not needed for the stated reason of "Get inode of directories for app data isolation".

Test: booted Cuttlefish, no denials seen.
Change-Id: Id77b8c81625fd785a5d0d88c37d7c85b8fff7244
---
 private/zygote.te | 69 ++++++++++++++++++++++++++---------------------
 1 file changed, 39 insertions(+), 30 deletions(-)

diff --git a/private/zygote.te b/private/zygote.te
index ea983fd55..db390053a 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -36,6 +36,9 @@ allow zygote app_zygote:process { getpgid setpgid };
 allow zygote system_data_file:dir r_dir_perms;
 allow zygote system_data_file:file r_file_perms;
 
+# Get attributes of /mnt/expand, needed by cacheNonBootClasspathClassLoaders.
+allow zygote mnt_expand_file:dir getattr;
+
 # Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
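Review bot: The comment on the added `mnt_expand_file:dir getattr` rule names the caller but not what cacheNonBootClasspathClassLoaders actually does with /mnt/expand, which is what a maintainer needs when later deciding whether this rule can be dropped; if the reason is known, state it in the comment rather than only the function name. The rule is also placed apart from the other permissions this same patch grants on mnt_expand_file in the app data isolation block further down (`{ open read search }`), so an auditor reading zygote's access to /mnt/expand has to find both. A one-line cross-reference such as `# The app data isolation rules below grant additional access to mnt_expand_file.` would keep the full permission set discoverable from either place.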
@@ -59,43 +62,49 @@ allow zygote apex_module_data_file:dir search;
 allow zygote apex_art_data_file:dir { getattr search };
 allow zygote apex_art_data_file:file { r_file_perms execute };
 
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Mount tmpfs over various directories containing per-app directories, to hide
+# them for app data isolation. Also traverse these directories (via
+# /data_mirror) to find the allowlisted per-app directories to bind-mount in.
+allow zygote {
+  # /data/data, /data/user{,_de}, /mnt/expand/$volume/user{,_de}
+  system_data_file
+  # /data/misc/profiles/cur
+  user_profile_root_file
+  # /data/misc/profiles/ref
+  user_profile_data_file
+  # /storage/emulated/$uid/Android/{data,obb}
+  media_rw_data_file
+}:dir { mounton search };
 
-# Relabel /data/user /data/user_de and /data/data
+# Traverse /data_mirror to get to the above directories while their normal paths
+# are hidden, in order to bind-mount allowlisted per-app directories.
+allow zygote mirror_data_file:dir search;
+
+# List /mnt/expand to find all /mnt/expand/$volume/user{,_de} directories that
+# need to be hidden by app data isolation, and traverse /mnt/expand to get to
+# any allowlisted per-app directories within these directories.
+allow zygote mnt_expand_file:dir { open read search };
+
+# Get the inode number of app CE data directories to find them by inode number
+# when CE storage is locked. Needed for app data isolation.
+allow zygote app_data_file_type:dir getattr;
+
+# Create dirs in the app data isolation tmpfs mounts and bind mount on them.
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Create the '/data/user/0 => /data/data' symlink in the /data/user tmpfs mount
+# when setting up app data isolation.
+allow zygote tmpfs:lnk_file create;
+
+# Relabel dirs and symlinks in the app data isolation tmpfs mounts to their
+# standard labels. Note: it seems that not all dirs are actually relabeled yet,
+# but it works anyway since all domains can search tmpfs:dir.
 allow zygote tmpfs:{ dir lnk_file } relabelfrom;
 allow zygote system_data_file:{ dir lnk_file } relabelto;
 
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
-
-# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
-allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
-
-# Create and bind dirs on /data/data
-allow zygote tmpfs:dir { create_dir_perms mounton };
-
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
-
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
-
 # Read if sdcardfs is supported
 allow zygote proc_filesystems:file r_file_perms;
 
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
-  app_data_file_type
-  system_data_file
-  mnt_expand_file
-}:dir getattr;
-
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
 allow zygote zygote_tmpfs:file execute;
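Review bot: The removal of `mnt_expand_file:dir mounton` and of `relabelto` on that type is justified in the commit message by reasoning about which labels the /mnt/expand/$volume/user{,_de} directories carry, but the Test: line reports only a Cuttlefish boot, and unless that instance was configured with an adopted storage volume, /mnt/expand was empty and neither the new `mnt_expand_file:dir { open read search }` rule nor the tmpfs mounts under /mnt/expand were exercised. Booting and launching an app on a device with an adopted volume (or reviewing audit logs from one) would confirm that the tightened rules produce no denials on that path, and the Test: line should record it. Separately, the new relabel comment admits that "it seems" some tmpfs dirs are never relabeled and that this works only because every domain may search tmpfs:dir; a directory left with the tmpfs label is governed by different rules than the system_data_file label it is meant to carry, so that observation deserves a TODO pointing at the relabel code, e.g. `# TODO: confirm which dirs keep the tmpfs label and whether that is intended.`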