Modify authfs related permissions
Allow microdroid_manager to start authfs when needed. Migrate the authfs-related permissions from compos to microdroid_payload, so it can be used by any payload. Move a neverallow to the correct file. Bug: 245262525 Test: atest MicrodroidTests MicrodroidHostTestCases Test: atest ComposHostTestCases Change-Id: I0f5eb9c11bdb427b1f78c9fc721c40de76add484
This commit is contained in:
parent
f4382c5391
commit
d014aa2ca1
5 changed files with 26 additions and 23 deletions
|
@ -2,18 +2,6 @@
|
|||
type compos, domain, coredomain, microdroid_payload;
|
||||
type compos_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# Allow using various binder services
|
||||
binder_use(compos);
|
||||
allow compos authfs_binder_service:service_manager find;
|
||||
binder_call(compos, authfs_service);
|
||||
|
||||
# Read artifacts created by odrefresh and create signature files.
|
||||
allow compos authfs_fuse:dir rw_dir_perms;
|
||||
allow compos authfs_fuse:file create_file_perms;
|
||||
|
||||
# Allow locating the authfs mount directory.
|
||||
allow compos authfs_data_file:dir search;
|
||||
|
||||
# Run derive_classpath in our domain
|
||||
allow compos derive_classpath_exec:file rx_file_perms;
|
||||
allow compos apex_mnt_dir:dir r_dir_perms;
|
||||
|
|
|
@ -56,9 +56,10 @@ allow microdroid_manager diced:diced { derive demote_self };
|
|||
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
|
||||
allow microdroid_manager apex_mnt_dir:file create_file_perms;
|
||||
|
||||
# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
|
||||
# Allow microdroid_manager to start various services
|
||||
set_prop(microdroid_manager, ctl_apexd_vm_prop)
|
||||
set_prop(microdroid_manager, ctl_apkdmverity_prop)
|
||||
set_prop(microdroid_manager, ctl_authfs_prop)
|
||||
set_prop(microdroid_manager, ctl_seriallogging_prop)
|
||||
set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
|
||||
set_prop(microdroid_manager, ctl_zipfuse_prop)
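Review bot: The rewritten comment at the top of this hunk replaces the explicit service list with "various services", so a reader now has to reconstruct the set from the set_prop lines and cannot tell what each ctl_*_prop actually permits. As far as the property_contexts hunk later in this commit shows, these types are bound to `ctl.start$…` keys (it adds `ctl.start$authfs_service` for ctl_authfs_prop), which is the useful least-privilege fact to record here. Suggested wording: `# Allow microdroid_manager to start (via init's ctl.start$ properties) apexd-vm, apkdmverity, authfs_service, seriallogging, tombstone_transmit and zipfuse`. The enclosing rule set continues outside the hunk.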
|
||||
|
@ -93,4 +94,14 @@ allow microdroid_manager extra_apk_file:dir create_dir_perms;
|
|||
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
|
||||
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
|
||||
|
||||
# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager,
|
||||
# in their own domains.
|
||||
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
|
||||
neverallow microdroid_manager {
|
||||
domain
|
||||
-crash_dump
|
||||
-microdroid_payload
|
||||
-apkdmverity
|
||||
-zipfuse
|
||||
-kexec
|
||||
}:process transition;
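Review bot: The moved neverallow's exclusion list is the only thing that bounds which domains microdroid_manager may transition into, and the comment above it says nothing about why these five domains are exempt or when a new entry is justified, which is how such lists tend to grow. This commit is a good illustration: authfs_service is started through init with `set_prop(microdroid_manager, ctl_authfs_prop)` in the previous hunk, so microdroid_manager never performs the exec itself and, as I read it, correctly needs no entry here. A one-line rule would make that explicit, e.g. `# Services launched through ctl.start$ properties are spawned by init and must not be added to this list.`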
|
||||
|
|
|
@ -27,16 +27,6 @@ allow microdroid_payload microdroid_manager:vsock_socket { read write };
|
|||
# Write to /dev/kmsg.
|
||||
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
|
||||
|
||||
# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
|
||||
neverallow microdroid_manager {
|
||||
domain
|
||||
-crash_dump
|
||||
-microdroid_payload
|
||||
-apkdmverity
|
||||
-zipfuse
|
||||
-kexec
|
||||
}:process transition;
|
||||
|
||||
# Allow microdroid_payload to open binder servers via vsock.
|
||||
allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
|
||||
|
||||
|
@ -45,3 +35,15 @@ r_dir_file(microdroid_payload, extra_apk_file)
|
|||
|
||||
# Payload can read /proc/meminfo.
|
||||
allow microdroid_payload proc_meminfo:file r_file_perms;
|
||||
|
||||
# Allow use of authfs.
|
||||
binder_use(microdroid_payload);
|
||||
allow microdroid_payload authfs_binder_service:service_manager find;
|
||||
binder_call(microdroid_payload, authfs_service);
|
||||
|
||||
# Allow locating the authfs mount directory.
|
||||
allow microdroid_payload authfs_data_file:dir search;
|
||||
|
||||
# Read and write files authfs-proxied files.
|
||||
allow microdroid_payload authfs_fuse:dir rw_dir_perms;
|
||||
allow microdroid_payload authfs_fuse:file create_file_perms;
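Review bot: The comment `# Allow use of authfs.` is narrower than the first rule beneath it: `binder_use(microdroid_payload)` grants every payload domain general binder client access (binder device plus servicemanager interaction, if the macro matches the usual platform definition), not just access to authfs, so domains that never touch authfs now receive it too. If that widening is intended, the comment should say so, e.g. `# Allow binder use; needed for authfs and any other binder service the payload talks to.`, otherwise binder_use belongs with the domains that need it while the authfs_binder_service find and binder_call rules stay here. Separately, `# Read and write files authfs-proxied files.` repeats "files"; `# Read and write authfs-proxied files.` reads correctly.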
|
||||
|
|
|
@ -27,6 +27,7 @@ ctl.stop$tombstoned u:object_r:ctl_tombstoned_prop:s0
|
|||
|
||||
ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
|
||||
ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
|
||||
ctl.start$authfs_service u:object_r:ctl_authfs_prop:s0
|
||||
ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
|
||||
ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
|
||||
ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
|
||||
|
|
|
@ -11,6 +11,7 @@ type ctl_adbd_prop, property_type;
|
|||
type ctl_apexd_prop, property_type;
|
||||
type ctl_apexd_vm_prop, property_type;
|
||||
type ctl_apkdmverity_prop, property_type;
|
||||
type ctl_authfs_prop, property_type;
|
||||
type ctl_console_prop, property_type;
|
||||
type ctl_default_prop, property_type;
|
||||
type ctl_fuse_prop, property_type;
|
||||
|
|