Split gsi_metadata_file and add gsi_metadata_file_type attribute am: 806898db48

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1620650

Change-Id: Ib37a1edae1e21b7d5dfd43ed001d4cbf42b3ef63
This commit is contained in:
Yi-Yo Chiang 2021-03-29 03:42:34 +00:00 committed by Automerger Merge Worker
commit e922f404e5
15 changed files with 62 additions and 22 deletions

View file

@ -61,6 +61,7 @@
gpuservice gpuservice
gsi_data_file gsi_data_file
gsi_metadata_file gsi_metadata_file
gsi_public_metadata_file
gsi_service gsi_service
gsid gsid
gsid_exec gsid_exec

View file

@ -1482,7 +1482,9 @@
(typeattributeset graphics_device_30_0 (graphics_device)) (typeattributeset graphics_device_30_0 (graphics_device))
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service)) (typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
(typeattributeset gsi_data_file_30_0 (gsi_data_file)) (typeattributeset gsi_data_file_30_0 (gsi_data_file))
(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file)) (typeattributeset gsi_metadata_file_30_0
( gsi_metadata_file
gsi_public_metadata_file))
(typeattributeset gsid_prop_30_0 (gsid_prop)) (typeattributeset gsid_prop_30_0 (gsid_prop))
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice)) (typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice)) (typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))

View file

@ -762,6 +762,10 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0 /metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0 /metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0 /metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0 /metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0 /metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0 /metadata/ota(/.*)? u:object_r:ota_metadata_file:s0

View file

@ -123,7 +123,7 @@ allow gsid userdata_block_device:blk_file r_file_perms;
# #
allow gsid metadata_file:dir { search getattr }; allow gsid metadata_file:dir { search getattr };
allow gsid { allow gsid {
gsi_metadata_file gsi_metadata_file_type
}:dir create_dir_perms; }:dir create_dir_perms;
allow gsid { allow gsid {
@ -131,10 +131,15 @@ allow gsid {
}:dir rw_dir_perms; }:dir rw_dir_perms;
allow gsid { allow gsid {
gsi_metadata_file gsi_metadata_file_type
ota_metadata_file ota_metadata_file
}:file create_file_perms; }:file create_file_perms;
# Allow restorecon to fix context of gsi_public_metadata_file.
allow gsid file_contexts_file:file r_file_perms;
allow gsid gsi_metadata_file:file relabelfrom;
allow gsid gsi_public_metadata_file:file relabelto;
allow gsid { allow gsid {
gsi_data_file gsi_data_file
ota_image_data_file ota_image_data_file
@ -153,6 +158,9 @@ allowxperm gsid {
allow gsid system_server:binder call; allow gsid system_server:binder call;
# Prevent most processes from writing to gsi_metadata_file_type, but allow
# adding rules for path resolution of gsi_public_metadata_file and reading
# gsi_public_metadata_file.
neverallow { neverallow {
domain domain
-init -init
@ -160,7 +168,7 @@ neverallow {
-fastbootd -fastbootd
-recovery -recovery
-vold -vold
} gsi_metadata_file:dir *; } gsi_metadata_file_type:dir no_w_dir_perms;
neverallow { neverallow {
domain domain
@ -168,7 +176,18 @@ neverallow {
-gsid -gsid
-fastbootd -fastbootd
-vold -vold
} gsi_metadata_file:file_class_set *; } { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
domain
-init
-gsid
-fastbootd
-vold
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
neverallow { neverallow {
domain domain

View file

@ -20,8 +20,8 @@ allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
# Triggered when lpdumpd tries to read default fstab. # Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms; dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms; dontaudit lpdumpd metadata_file:file r_file_perms;
dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms; dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
dontaudit lpdumpd gsi_metadata_file:file r_file_perms; dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
### Neverallow rules ### Neverallow rules

View file

@ -386,3 +386,6 @@ attribute super_block_device_type;
# All types used for DMA-BUF heaps # All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type; attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false; expandattribute dmabuf_heap_device_type false;
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;

View file

@ -49,8 +49,8 @@ recovery_only(`
allow fastbootd metadata_block_device:blk_file r_file_perms; allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton; allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir { search getattr }; allow fastbootd metadata_file:dir { search getattr };
allow fastbootd gsi_metadata_file:dir rw_dir_perms; allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
allow fastbootd gsi_metadata_file:file create_file_perms; allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF }; allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@ -103,7 +103,7 @@ recovery_only(`
') ')
# Allow using libfiemap/gsid directly (no binder in recovery). # Allow using libfiemap/gsid directly (no binder in recovery).
allow fastbootd gsi_metadata_file:dir search; allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms; allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms; allow fastbootd ota_metadata_file:file create_file_perms;
') ')

View file

@ -242,7 +242,9 @@ type metadata_file, file_type;
# Vold files within /metadata # Vold files within /metadata
type vold_metadata_file, file_type; type vold_metadata_file, file_type;
# GSI files within /metadata # GSI files within /metadata
type gsi_metadata_file, file_type; type gsi_metadata_file, gsi_metadata_file_type, file_type;
# DSU (GSI) files within /metadata that are globally readable.
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata # system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type; type password_slot_metadata_file, file_type;
# APEX files within /metadata # APEX files within /metadata

View file

@ -127,7 +127,7 @@ recovery_only(`
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF }; allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery). # Allow using libfiemap/gsid directly (no binder in recovery).
allow recovery gsi_metadata_file:dir search; allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms; allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms; allow recovery ota_metadata_file:file create_file_perms;

View file

@ -965,3 +965,12 @@ define(`vendor_restricted_prop', `
# Define a /vendor-owned property with no restrictions # Define a /vendor-owned property with no restrictions
# #
define(`vendor_public_prop', `define_prop($1, vendor, public)') define(`vendor_public_prop', `define_prop($1, vendor, public)')
#####################################
# read_fstab(domain)
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
#
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
')

View file

@ -39,5 +39,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
r_dir_file(uncrypt, sysfs_dt_firmware_android) r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call. # Suppress the denials coming from ReadDefaultFstab call.
dontaudit uncrypt gsi_metadata_file:dir search; dontaudit uncrypt gsi_metadata_file_type:dir search;
dontaudit uncrypt metadata_file:dir search; dontaudit uncrypt metadata_file:dir search;

View file

@ -69,7 +69,7 @@ allow update_engine system_file:dir r_dir_perms;
# device. ReadDefaultFstab() checks whether a GSI is running by checking # device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny # gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access. # the access.
dontaudit update_engine gsi_metadata_file:dir search; dontaudit update_engine gsi_metadata_file_type:dir search;
# Allow to write to snapshotctl_log logs. # Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed. # TODO(b/148818798) revert when parent bug is fixed.

View file

@ -57,7 +57,7 @@ allow vendor_init {
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
-gsi_metadata_file -gsi_metadata_file_type
-apex_metadata_file -apex_metadata_file
-userspace_reboot_metadata_file -userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom }; }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@ -75,7 +75,7 @@ allow vendor_init {
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
-gsi_metadata_file -gsi_metadata_file_type
-apex_metadata_file -apex_metadata_file
-apex_info_file -apex_info_file
-userspace_reboot_metadata_file -userspace_reboot_metadata_file
@ -91,7 +91,7 @@ allow vendor_init {
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
-gsi_metadata_file -gsi_metadata_file_type
-apex_metadata_file -apex_metadata_file
-userspace_reboot_metadata_file -userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink }; }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@ -107,7 +107,7 @@ allow vendor_init {
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
-gsi_metadata_file -gsi_metadata_file_type
-apex_metadata_file -apex_metadata_file
-userspace_reboot_metadata_file -userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink }; }:lnk_file { create getattr setattr relabelfrom unlink };
@ -122,7 +122,7 @@ allow vendor_init {
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
-gsi_metadata_file -gsi_metadata_file_type
-apex_metadata_file -apex_metadata_file
-userspace_reboot_metadata_file -userspace_reboot_metadata_file
}:dir_file_class_set relabelto; }:dir_file_class_set relabelto;

View file

@ -8,7 +8,7 @@ allow vendor_misc_writer block_device:dir r_dir_perms;
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to # Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab. # load DT fstab.
dontaudit vendor_misc_writer gsi_metadata_file:dir search; dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms; dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search; dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search; dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;

View file

@ -294,8 +294,8 @@ allow vold mnt_vendor_file:dir search;
dontaudit vold self:global_capability_class_set sys_resource; dontaudit vold self:global_capability_class_set sys_resource;
# vold needs to know whether we're running a GSI. # vold needs to know whether we're running a GSI.
allow vold gsi_metadata_file:dir r_dir_perms; allow vold gsi_metadata_file_type:dir r_dir_perms;
allow vold gsi_metadata_file:file r_file_perms; allow vold gsi_metadata_file_type:file r_file_perms;
# vold might need to search loopback apex files # vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms; allow vold vendor_apex_file:file r_file_perms;