Merge "Create a separate label for sandbox root directory" into tm-dev am: 7accd9ad70

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/18344445

Change-Id: I07313fb72cd13e9ae2ab24e1b72e0b211f353468
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Samiul Islam 2022-05-19 13:24:36 +00:00 committed by Automerger Merge Worker
commit d8ffd4cdd8
12 changed files with 70 additions and 2 deletions

View file

@ -19,6 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

View file

@ -691,6 +691,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
# Sandbox sdk data (managed by installd)
/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0

View file

@ -48,3 +48,6 @@ allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };

View file

@ -39,7 +39,10 @@ can_profile_perf(sdk_sandbox)
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow access to sdksandbox data directory
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@ -88,3 +91,20 @@ neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-sdk_sandbox
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;

View file

@ -72,6 +72,9 @@ allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
# For SdkSandboxManagerService
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

View file

@ -12,6 +12,7 @@ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };

View file

@ -19,6 +19,8 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox root data directory for sdk sandbox processes
type sdk_sandbox_system_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc_{ce/de}/<user>/sdksandbox/<app-name>/* subdirectory for sdk sandbox processes
type sdk_sandbox_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;

View file

@ -696,6 +696,10 @@
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
# Sandbox sdk data (managed by installd)
/data/misc_de/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
/data/misc_ce/[0-9]+/sdksandbox u:object_r:sdk_sandbox_system_data_file:s0
# App data snapshots (managed by installd).
/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0

View file

@ -48,3 +48,6 @@ allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };

View file

@ -105,7 +105,10 @@ can_profile_perf(sdk_sandbox)
allow sdk_sandbox system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
# allow access to sdksandbox data directory
# allow sandbox to search in sdk system server directory
# additionally, for webview to work, getattr has been permitted
allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search };
# allow sandbox to create files and dirs in sdk data directory
allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms;
@ -154,3 +157,20 @@ neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms;
neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms;
neverallow sdk_sandbox hal_drm_service:service_manager find;
# Only certain system components should have access to sdk_sandbox_system_data_file
# sdk_sandbox only needs search. Restricted in follow up neverallow rule.
neverallow {
domain
-init
-installd
-sdk_sandbox
-system_server
-vold_prepare_subdirs
} sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom relabelto };
# sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file
neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search };
# Only dirs should be created at sdk_sandbox_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;

View file

@ -72,6 +72,9 @@ allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
allow system_server sysfs_fs_f2fs:dir r_dir_perms;
allow system_server sysfs_fs_f2fs:file r_file_perms;
# For SdkSandboxManagerService
allow system_server sdk_sandbox_system_data_file:dir create_dir_perms;
# For art.
allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;

View file

@ -12,6 +12,7 @@ allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
@ -27,6 +28,7 @@ allow vold_prepare_subdirs {
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };