tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

sepolicy: policies for iorap.inode2filename

Browse source 
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
This commit is contained in:
Igor Murashkin 2020-02-12 16:28:19 -08:00
parent b8c108e15f
commit e39f8d23ed
8 changed files with 103 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
private/compat/29.0/29.0.ignore.cil
View file

@ -54,6 +54,10 @@
incremental_service
init_perf_lsm_hooks_prop
init_svc_debug_prop
iorap_inode2filename
iorap_inode2filename_data_file
iorap_inode2filename_exec
iorap_inode2filename_tmpfs
iorap_prefetcherd
iorap_prefetcherd_data_file
iorap_prefetcherd_exec

2
private/coredomain.te
View file

@ -58,6 +58,7 @@ full_treble_only(`
-idmap
-init
-installd
-iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
@ -77,6 +78,7 @@ full_treble_only(`
-idmap
-init
-installd
-iorap_inode2filename
-iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above

6
private/domain.te
View file

@ -162,6 +162,7 @@ neverallow {
-app_zygote
-dexoptanalyzer
-installd
-iorap_inode2filename
-iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
@ -204,8 +205,8 @@ neverallow {
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@ -315,6 +316,7 @@ neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
iorap_inode2filename
iorap_prefetcherd
traced_perf
traced_probes

1
private/file_contexts
View file

@ -299,6 +299,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0

9
private/iorap_inode2filename.te Normal file
View file

@ -0,0 +1,9 @@
typeattribute iorap_inode2filename coredomain;
# Grant access to open most of the files under /
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
allow iorap_inode2filename storaged_data_file:file { getattr };

1
private/iorapd.te
View file

@ -4,6 +4,7 @@ init_daemon_domain(iorapd)
tmpfs_domain(iorapd)
domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
# Allow iorapd to access the runtime native boot feature flag properties.
get_prop(iorapd, device_config_runtime_native_boot_prop)

5
public/domain.te
View file

@ -945,6 +945,7 @@ full_treble_only(`
-system_linker_exec
-crash_dump_exec
-iorap_prefetcherd_exec
-iorap_inode2filename_exec
-netutils_wrapper_exec
userdebug_or_eng(`-tcpdump_exec')
}:file { entrypoint execute execute_no_trans };
@ -987,6 +988,7 @@ full_treble_only(`
# TODO(b/37168747): clean up fwk access to /vendor
-crash_dump
-init # starts vendor executables
-iorap_inode2filename
-iorap_prefetcherd
-kernel # loads /vendor/firmware
userdebug_or_eng(`-heapprofd')
@ -1027,6 +1029,7 @@ full_treble_only(`
system_file_type
-crash_dump_exec
-file_contexts_file
-iorap_inode2filename_exec
-netutils_wrapper_exec
-property_contexts_file
-system_event_log_tags_file
@ -1157,6 +1160,7 @@ neverallow {
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
-iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
@ -1319,6 +1323,7 @@ full_treble_only(`
-crash_dump
-heapprofd
-init
-iorap_inode2filename
-iorap_prefetcherd
-kernel
-traced_perf

77
public/iorap_inode2filename.te Normal file
View file

@ -0,0 +1,77 @@
# iorap.inode2filename -> look up file paths from an inode
type iorap_inode2filename, domain;
type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
type iorap_inode2filename_tmpfs, file_type;
r_dir_file(iorap_inode2filename, rootfs)
# Allow usage of pipes (child stdout -> parent pipe).
allow iorap_inode2filename iorapd:fd use;
allow iorap_inode2filename iorapd:fifo_file { read write getattr };
# Allow reading most files under / ignoring usual access controls.
allow iorap_inode2filename self:capability dac_read_search;
typeattribute iorap_inode2filename mlstrustedsubject;
# Grant access to open most of the files under /
allow iorap_inode2filename apex_data_file:dir { getattr open read search };
allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
allow iorap_inode2filename apex_mnt_dir:file { getattr };
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
allow iorap_inode2filename apk_data_file:file { getattr };
allow iorap_inode2filename app_data_file:dir { getattr open read search };
allow iorap_inode2filename app_data_file:file { getattr };
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
allow iorap_inode2filename backup_data_file:file { getattr };
allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
allow iorap_inode2filename bluetooth_data_file:file { getattr };
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
allow iorap_inode2filename bootchart_data_file:file { getattr };
allow iorap_inode2filename metadata_file:dir { getattr open read search search };
allow iorap_inode2filename metadata_file:file { getattr };
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
allow iorap_inode2filename packages_list_file:file { getattr };
allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
allow iorap_inode2filename privapp_data_file:file { getattr };
allow iorap_inode2filename property_data_file:dir { getattr open read search };
allow iorap_inode2filename property_data_file:file { getattr };
allow iorap_inode2filename radio_data_file:dir { getattr open read search };
allow iorap_inode2filename radio_data_file:file { getattr };
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
allow iorap_inode2filename resourcecache_data_file:file { getattr };
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
allow iorap_inode2filename ringtone_file:dir { getattr open read search };
allow iorap_inode2filename ringtone_file:file { getattr };
allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
allow iorap_inode2filename same_process_hal_file:file { getattr };
allow iorap_inode2filename sepolicy_file:file { getattr };
allow iorap_inode2filename staging_data_file:dir { getattr open read search };
allow iorap_inode2filename staging_data_file:file { getattr };
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
allow iorap_inode2filename system_app_data_file:file { getattr };
allow iorap_inode2filename system_data_file:dir { getattr open read search };
allow iorap_inode2filename system_data_file:file { getattr };
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
allow iorap_inode2filename unlabeled:file { getattr };
allow iorap_inode2filename vendor_file:dir { getattr open read search };
allow iorap_inode2filename vendor_file:file { getattr };
allow iorap_inode2filename vendor_overlay_file:file { getattr };
allow iorap_inode2filename zygote_exec:file { getattr };
###
### neverallow rules
###
neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;