tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Properly Treble-ize tmpfs access

Browse source 
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy whereas, they're
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.

Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...

Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
This commit is contained in:
Jeff Vander Stoep 2019-01-23 15:07:40 -08:00
parent 0c7428049c
commit e16fb9109c
41 changed files with 47 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/audioserver.te
View file

@ -4,6 +4,7 @@ typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type, system_file_type;
init_daemon_domain(audioserver)
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)

4
private/compat/28.0/28.0.ignore.cil
View file

@ -18,6 +18,7 @@
apexd_prop
apexd_tmpfs
app_zygote
app_zygote_tmpfs
biometric_service
bpf_progs_loaded_prop
bugreport_service
@ -75,6 +76,7 @@
mnt_product_file
network_stack
network_stack_service
network_stack_tmpfs
overlayfs_file
permissionmgr_service
recovery_socket
@ -85,11 +87,13 @@
rss_hwm_reset
rss_hwm_reset_exec
runas_app
runas_app_tmpfs
runtime_service
sensor_privacy_service
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
su_tmpfs
super_block_device
system_event_log_tags_file
system_lmk_prop

1
private/dexoptanalyzer.te
View file

@ -1,6 +1,7 @@
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their

2
private/logd.te
View file

@ -4,10 +4,8 @@ init_daemon_domain(logd)
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd {
file_type
-logd_tmpfs
-runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };

1
private/mediaextractor.te
View file

@ -1,3 +1,4 @@
typeattribute mediaextractor coredomain;
init_daemon_domain(mediaextractor)
tmpfs_domain(mediaextractor)

1
private/mediaserver.te
View file

@ -1,6 +1,7 @@
typeattribute mediaserver coredomain;
init_daemon_domain(mediaserver)
tmpfs_domain(mediaserver)
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)

1
private/perfetto.te
View file

@ -4,6 +4,7 @@
# daemon.
type perfetto_exec, system_file_type, exec_type, file_type;
type perfetto_tmpfs, file_type;
tmpfs_domain(perfetto);

3
private/recovery_persist.te
View file

@ -3,5 +3,4 @@ typeattribute recovery_persist coredomain;
init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;

3
private/recovery_refresh.te
View file

@ -3,5 +3,4 @@ typeattribute recovery_refresh coredomain;
init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;

1
private/system_server_startup.te
View file

@ -1,4 +1,5 @@
type system_server_startup, domain, coredomain;
type system_server_startup_tmpfs, file_type;
tmpfs_domain(system_server_startup)

2
private/traced.te
View file

@ -1,9 +1,11 @@
# Perfetto user-space tracing daemon (unprivileged)
type traced, domain, coredomain, mlstrustedsubject;
type traced_exec, system_file_type, exec_type, file_type;
type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
tmpfs_domain(traced)
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.

1
private/viewcompiler.te
View file

@ -1,6 +1,7 @@
# viewcompiler
type viewcompiler, domain, coredomain, mlstrustedsubject;
type viewcompiler_exec, system_file_type, exec_type, file_type;
type viewcompiler_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their

1
public/app_zygote.te
View file

@ -3,3 +3,4 @@
# spawned from the regular zygote process as a "child zygote".
type app_zygote, domain;
type app_zygote_tmpfs, file_type;

1
public/audioserver.te
View file

@ -1,2 +1,3 @@
# audioserver - audio services daemon
type audioserver, domain;
type audioserver_tmpfs, file_type;

1
public/bluetooth.te
View file

@ -1,2 +1,3 @@
# bluetooth subsystem
type bluetooth, domain;
type bluetooth_tmpfs, file_type;

1
public/domain.te
View file

@ -52,6 +52,7 @@ userdebug_or_eng(`
')
# Root fs.
allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };

1
public/ephemeral_app.te
View file

@ -12,3 +12,4 @@
### PackageManager flags an app as ephemeral at install time.
type ephemeral_app, domain;
type ephemeral_app_tmpfs, file_type;

3
public/init.te
View file

@ -1,8 +1,7 @@
# init is its own domain.
type init, domain, mlstrustedsubject;
# The init domain is entered by execing init.
type init_exec, system_file_type, exec_type, file_type;
type init_tmpfs, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

1
public/isolated_app.te
View file

@ -7,3 +7,4 @@
###
type isolated_app, domain;
type isolated_app_tmpfs, file_type;

1
public/mediaextractor.te
View file

@ -1,6 +1,7 @@
# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
type mediaextractor_tmpfs, file_type;
typeattribute mediaextractor mlstrustedsubject;

1
public/mediaprovider.te
View file

@ -4,3 +4,4 @@
###
type mediaprovider, domain;
type mediaprovider_tmpfs, file_type;

1
public/mediaserver.te
View file

@ -1,6 +1,7 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
type mediaserver_tmpfs, file_type;
typeattribute mediaserver mlstrustedsubject;

1
public/network_stack.te
View file

@ -1,2 +1,3 @@
# Network stack service app
type network_stack, domain;
type network_stack_tmpfs, file_type;

1
public/nfc.te
View file

@ -1,2 +1,3 @@
# nfc subsystem
type nfc, domain;
type nfc_tmpfs, file_type;

1
public/platform_app.te
View file

@ -3,3 +3,4 @@
###
type platform_app, domain;
type platform_app_tmpfs, file_type;

1
public/priv_app.te
View file

@ -3,3 +3,4 @@
###
type priv_app, domain;
type priv_app_tmpfs, file_type;

1
public/radio.te
View file

@ -1,5 +1,6 @@
# phone subsystem
type radio, domain, mlstrustedsubject;
type radio_tmpfs, file_type;
net_domain(radio)
bluetooth_domain(radio)

1
public/runas_app.te
View file

@ -1 +1,2 @@
type runas_app, domain;
type runas_app_tmpfs, file_type;

1
public/secure_element.te
View file

@ -1,2 +1,3 @@
# secure_element subsystem
type secure_element, domain;
type secure_element_tmpfs, file_type;

1
public/shared_relro.te
View file

@ -1,5 +1,6 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
type shared_relro_tmpfs, file_type;
# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;

1
public/shell.te
View file

@ -1,6 +1,7 @@
# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, system_file_type, exec_type, file_type;
type shell_tmpfs, file_type;
# Create and use network sockets.
net_domain(shell)

1
public/su.te
View file

@ -1,6 +1,7 @@
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
type su_tmpfs, file_type;
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;

1
public/system_app.te
View file

@ -5,3 +5,4 @@
###
type system_app, domain;
type system_app_tmpfs, file_type;

1
public/system_server.te
View file

@ -3,3 +3,4 @@
# Most of the framework services run in this process.
#
type system_server, domain;
type system_server_tmpfs, file_type;

6
public/te_macros
View file

@ -72,13 +72,10 @@ allow $1 $2:{ file lnk_file } r_file_perms;
#####################################
# tmpfs_domain(domain)
# Define and allow access to a unique type for
# this domain when creating tmpfs / shmem / ashmem files.
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write getattr map };
allow $1 tmpfs:dir { getattr search };
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
@ -164,7 +161,6 @@ pdx_use($1, $2)
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
tmpfs_domain($1)
')
#####################################

1
public/traceur_app.te
View file

@ -1,4 +1,5 @@
type traceur_app, domain;
type traceur_app_tmpfs, file_type;
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;

1
public/ueventd.te
View file

@ -1,6 +1,7 @@
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;

3
public/untrusted_app.te
View file

@ -19,3 +19,6 @@
type untrusted_app, domain;
type untrusted_app_27, domain;
type untrusted_app_25, domain;
type untrusted_app_tmpfs, file_type;
type untrusted_app_27_tmpfs, file_type;
type untrusted_app_25_tmpfs, file_type;

1
public/webview_zygote.te
View file

@ -3,3 +3,4 @@
type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
type webview_zygote_tmpfs, file_type;

1
public/zygote.te
View file

@ -1,3 +1,4 @@
# zygote
type zygote, domain;
type zygote_tmpfs, file_type;
type zygote_exec, system_file_type, exec_type, file_type;

2
vendor/hal_graphics_allocator_default.te vendored
View file

@ -1,8 +1,10 @@
type hal_graphics_allocator_default, domain;
type hal_graphics_allocator_default_tmpfs, file_type;
hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
tmpfs_domain(hal_graphics_allocator_default)
# b/70180742
dontaudit hal_graphics_allocator_default unlabeled:dir search;