Split gsi_metadata_file and add gsi_metadata_file_type attribute am: 806898db48
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1620650 Change-Id: Ib37a1edae1e21b7d5dfd43ed001d4cbf42b3ef63
This commit is contained in:
commit
e922f404e5
15 changed files with 62 additions and 22 deletions
|
@ -61,6 +61,7 @@
|
||||||
gpuservice
|
gpuservice
|
||||||
gsi_data_file
|
gsi_data_file
|
||||||
gsi_metadata_file
|
gsi_metadata_file
|
||||||
|
gsi_public_metadata_file
|
||||||
gsi_service
|
gsi_service
|
||||||
gsid
|
gsid
|
||||||
gsid_exec
|
gsid_exec
|
||||||
|
|
|
@ -1482,7 +1482,9 @@
|
||||||
(typeattributeset graphics_device_30_0 (graphics_device))
|
(typeattributeset graphics_device_30_0 (graphics_device))
|
||||||
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
|
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
|
||||||
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
|
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
|
||||||
(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
|
(typeattributeset gsi_metadata_file_30_0
|
||||||
|
( gsi_metadata_file
|
||||||
|
gsi_public_metadata_file))
|
||||||
(typeattributeset gsid_prop_30_0 (gsid_prop))
|
(typeattributeset gsid_prop_30_0 (gsid_prop))
|
||||||
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
|
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
|
||||||
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
|
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
|
||||||
|
|
|
@ -762,6 +762,10 @@
|
||||||
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
|
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
|
||||||
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
|
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
|
||||||
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
|
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
|
||||||
|
/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
|
||||||
|
/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
|
||||||
|
/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
|
||||||
|
/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
|
||||||
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
|
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
|
||||||
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
||||||
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
|
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
|
||||||
|
|
|
@ -123,7 +123,7 @@ allow gsid userdata_block_device:blk_file r_file_perms;
|
||||||
#
|
#
|
||||||
allow gsid metadata_file:dir { search getattr };
|
allow gsid metadata_file:dir { search getattr };
|
||||||
allow gsid {
|
allow gsid {
|
||||||
gsi_metadata_file
|
gsi_metadata_file_type
|
||||||
}:dir create_dir_perms;
|
}:dir create_dir_perms;
|
||||||
|
|
||||||
allow gsid {
|
allow gsid {
|
||||||
|
@ -131,10 +131,15 @@ allow gsid {
|
||||||
}:dir rw_dir_perms;
|
}:dir rw_dir_perms;
|
||||||
|
|
||||||
allow gsid {
|
allow gsid {
|
||||||
gsi_metadata_file
|
gsi_metadata_file_type
|
||||||
ota_metadata_file
|
ota_metadata_file
|
||||||
}:file create_file_perms;
|
}:file create_file_perms;
|
||||||
|
|
||||||
|
# Allow restorecon to fix context of gsi_public_metadata_file.
|
||||||
|
allow gsid file_contexts_file:file r_file_perms;
|
||||||
|
allow gsid gsi_metadata_file:file relabelfrom;
|
||||||
|
allow gsid gsi_public_metadata_file:file relabelto;
|
||||||
|
|
||||||
allow gsid {
|
allow gsid {
|
||||||
gsi_data_file
|
gsi_data_file
|
||||||
ota_image_data_file
|
ota_image_data_file
|
||||||
|
@ -153,6 +158,9 @@ allowxperm gsid {
|
||||||
|
|
||||||
allow gsid system_server:binder call;
|
allow gsid system_server:binder call;
|
||||||
|
|
||||||
|
# Prevent most processes from writing to gsi_metadata_file_type, but allow
|
||||||
|
# adding rules for path resolution of gsi_public_metadata_file and reading
|
||||||
|
# gsi_public_metadata_file.
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
|
||||||
-init
|
-init
|
||||||
|
@ -160,7 +168,7 @@ neverallow {
|
||||||
-fastbootd
|
-fastbootd
|
||||||
-recovery
|
-recovery
|
||||||
-vold
|
-vold
|
||||||
} gsi_metadata_file:dir *;
|
} gsi_metadata_file_type:dir no_w_dir_perms;
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
|
||||||
|
@ -168,7 +176,18 @@ neverallow {
|
||||||
-gsid
|
-gsid
|
||||||
-fastbootd
|
-fastbootd
|
||||||
-vold
|
-vold
|
||||||
} gsi_metadata_file:file_class_set *;
|
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
|
||||||
|
|
||||||
|
neverallow {
|
||||||
|
domain
|
||||||
|
-init
|
||||||
|
-gsid
|
||||||
|
-fastbootd
|
||||||
|
-vold
|
||||||
|
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
|
||||||
|
|
||||||
|
# Prevent apps from accessing gsi_metadata_file_type.
|
||||||
|
neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
|
||||||
|
|
|
@ -20,8 +20,8 @@ allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
|
||||||
# Triggered when lpdumpd tries to read default fstab.
|
# Triggered when lpdumpd tries to read default fstab.
|
||||||
dontaudit lpdumpd metadata_file:dir r_dir_perms;
|
dontaudit lpdumpd metadata_file:dir r_dir_perms;
|
||||||
dontaudit lpdumpd metadata_file:file r_file_perms;
|
dontaudit lpdumpd metadata_file:file r_file_perms;
|
||||||
dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
|
dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
|
||||||
dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
|
dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
|
||||||
|
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
|
|
||||||
|
|
|
@ -386,3 +386,6 @@ attribute super_block_device_type;
|
||||||
# All types used for DMA-BUF heaps
|
# All types used for DMA-BUF heaps
|
||||||
attribute dmabuf_heap_device_type;
|
attribute dmabuf_heap_device_type;
|
||||||
expandattribute dmabuf_heap_device_type false;
|
expandattribute dmabuf_heap_device_type false;
|
||||||
|
|
||||||
|
# All types used for DSU metadata files.
|
||||||
|
attribute gsi_metadata_file_type;
|
||||||
|
|
|
@ -49,8 +49,8 @@ recovery_only(`
|
||||||
allow fastbootd metadata_block_device:blk_file r_file_perms;
|
allow fastbootd metadata_block_device:blk_file r_file_perms;
|
||||||
allow fastbootd {rootfs tmpfs}:dir mounton;
|
allow fastbootd {rootfs tmpfs}:dir mounton;
|
||||||
allow fastbootd metadata_file:dir { search getattr };
|
allow fastbootd metadata_file:dir { search getattr };
|
||||||
allow fastbootd gsi_metadata_file:dir rw_dir_perms;
|
allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
|
||||||
allow fastbootd gsi_metadata_file:file create_file_perms;
|
allow fastbootd gsi_metadata_file_type:file create_file_perms;
|
||||||
|
|
||||||
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
||||||
|
|
||||||
|
@ -103,7 +103,7 @@ recovery_only(`
|
||||||
')
|
')
|
||||||
|
|
||||||
# Allow using libfiemap/gsid directly (no binder in recovery).
|
# Allow using libfiemap/gsid directly (no binder in recovery).
|
||||||
allow fastbootd gsi_metadata_file:dir search;
|
allow fastbootd gsi_metadata_file_type:dir search;
|
||||||
allow fastbootd ota_metadata_file:dir rw_dir_perms;
|
allow fastbootd ota_metadata_file:dir rw_dir_perms;
|
||||||
allow fastbootd ota_metadata_file:file create_file_perms;
|
allow fastbootd ota_metadata_file:file create_file_perms;
|
||||||
')
|
')
|
||||||
|
|
|
@ -242,7 +242,9 @@ type metadata_file, file_type;
|
||||||
# Vold files within /metadata
|
# Vold files within /metadata
|
||||||
type vold_metadata_file, file_type;
|
type vold_metadata_file, file_type;
|
||||||
# GSI files within /metadata
|
# GSI files within /metadata
|
||||||
type gsi_metadata_file, file_type;
|
type gsi_metadata_file, gsi_metadata_file_type, file_type;
|
||||||
|
# DSU (GSI) files within /metadata that are globally readable.
|
||||||
|
type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
|
||||||
# system_server shares Weaver slot information in /metadata
|
# system_server shares Weaver slot information in /metadata
|
||||||
type password_slot_metadata_file, file_type;
|
type password_slot_metadata_file, file_type;
|
||||||
# APEX files within /metadata
|
# APEX files within /metadata
|
||||||
|
|
|
@ -127,7 +127,7 @@ recovery_only(`
|
||||||
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
|
||||||
|
|
||||||
# Allow using libfiemap/gsid directly (no binder in recovery).
|
# Allow using libfiemap/gsid directly (no binder in recovery).
|
||||||
allow recovery gsi_metadata_file:dir search;
|
allow recovery gsi_metadata_file_type:dir search;
|
||||||
allow recovery ota_metadata_file:dir rw_dir_perms;
|
allow recovery ota_metadata_file:dir rw_dir_perms;
|
||||||
allow recovery ota_metadata_file:file create_file_perms;
|
allow recovery ota_metadata_file:file create_file_perms;
|
||||||
|
|
||||||
|
|
|
@ -965,3 +965,12 @@ define(`vendor_restricted_prop', `
|
||||||
# Define a /vendor-owned property with no restrictions
|
# Define a /vendor-owned property with no restrictions
|
||||||
#
|
#
|
||||||
define(`vendor_public_prop', `define_prop($1, vendor, public)')
|
define(`vendor_public_prop', `define_prop($1, vendor, public)')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
# read_fstab(domain)
|
||||||
|
# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
|
||||||
|
#
|
||||||
|
define(`read_fstab', `
|
||||||
|
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
|
||||||
|
allow $1 gsi_public_metadata_file:file r_file_perms;
|
||||||
|
')
|
||||||
|
|
|
@ -39,5 +39,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
|
||||||
r_dir_file(uncrypt, sysfs_dt_firmware_android)
|
r_dir_file(uncrypt, sysfs_dt_firmware_android)
|
||||||
|
|
||||||
# Suppress the denials coming from ReadDefaultFstab call.
|
# Suppress the denials coming from ReadDefaultFstab call.
|
||||||
dontaudit uncrypt gsi_metadata_file:dir search;
|
dontaudit uncrypt gsi_metadata_file_type:dir search;
|
||||||
dontaudit uncrypt metadata_file:dir search;
|
dontaudit uncrypt metadata_file:dir search;
|
||||||
|
|
|
@ -69,7 +69,7 @@ allow update_engine system_file:dir r_dir_perms;
|
||||||
# device. ReadDefaultFstab() checks whether a GSI is running by checking
|
# device. ReadDefaultFstab() checks whether a GSI is running by checking
|
||||||
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
|
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
|
||||||
# the access.
|
# the access.
|
||||||
dontaudit update_engine gsi_metadata_file:dir search;
|
dontaudit update_engine gsi_metadata_file_type:dir search;
|
||||||
|
|
||||||
# Allow to write to snapshotctl_log logs.
|
# Allow to write to snapshotctl_log logs.
|
||||||
# TODO(b/148818798) revert when parent bug is fixed.
|
# TODO(b/148818798) revert when parent bug is fixed.
|
||||||
|
|
|
@ -57,7 +57,7 @@ allow vendor_init {
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
-gsi_metadata_file
|
-gsi_metadata_file_type
|
||||||
-apex_metadata_file
|
-apex_metadata_file
|
||||||
-userspace_reboot_metadata_file
|
-userspace_reboot_metadata_file
|
||||||
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
|
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
|
||||||
|
@ -75,7 +75,7 @@ allow vendor_init {
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
-gsi_metadata_file
|
-gsi_metadata_file_type
|
||||||
-apex_metadata_file
|
-apex_metadata_file
|
||||||
-apex_info_file
|
-apex_info_file
|
||||||
-userspace_reboot_metadata_file
|
-userspace_reboot_metadata_file
|
||||||
|
@ -91,7 +91,7 @@ allow vendor_init {
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
-gsi_metadata_file
|
-gsi_metadata_file_type
|
||||||
-apex_metadata_file
|
-apex_metadata_file
|
||||||
-userspace_reboot_metadata_file
|
-userspace_reboot_metadata_file
|
||||||
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
|
||||||
|
@ -107,7 +107,7 @@ allow vendor_init {
|
||||||
-unlabeled
|
-unlabeled
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
-gsi_metadata_file
|
-gsi_metadata_file_type
|
||||||
-apex_metadata_file
|
-apex_metadata_file
|
||||||
-userspace_reboot_metadata_file
|
-userspace_reboot_metadata_file
|
||||||
}:lnk_file { create getattr setattr relabelfrom unlink };
|
}:lnk_file { create getattr setattr relabelfrom unlink };
|
||||||
|
@ -122,7 +122,7 @@ allow vendor_init {
|
||||||
-system_file_type
|
-system_file_type
|
||||||
-vendor_file_type
|
-vendor_file_type
|
||||||
-vold_metadata_file
|
-vold_metadata_file
|
||||||
-gsi_metadata_file
|
-gsi_metadata_file_type
|
||||||
-apex_metadata_file
|
-apex_metadata_file
|
||||||
-userspace_reboot_metadata_file
|
-userspace_reboot_metadata_file
|
||||||
}:dir_file_class_set relabelto;
|
}:dir_file_class_set relabelto;
|
||||||
|
|
|
@ -8,7 +8,7 @@ allow vendor_misc_writer block_device:dir r_dir_perms;
|
||||||
|
|
||||||
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
|
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
|
||||||
# load DT fstab.
|
# load DT fstab.
|
||||||
dontaudit vendor_misc_writer gsi_metadata_file:dir search;
|
dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
|
||||||
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
|
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
|
||||||
dontaudit vendor_misc_writer metadata_file:dir search;
|
dontaudit vendor_misc_writer metadata_file:dir search;
|
||||||
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
|
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
|
||||||
|
|
|
@ -294,8 +294,8 @@ allow vold mnt_vendor_file:dir search;
|
||||||
dontaudit vold self:global_capability_class_set sys_resource;
|
dontaudit vold self:global_capability_class_set sys_resource;
|
||||||
|
|
||||||
# vold needs to know whether we're running a GSI.
|
# vold needs to know whether we're running a GSI.
|
||||||
allow vold gsi_metadata_file:dir r_dir_perms;
|
allow vold gsi_metadata_file_type:dir r_dir_perms;
|
||||||
allow vold gsi_metadata_file:file r_file_perms;
|
allow vold gsi_metadata_file_type:file r_file_perms;
|
||||||
|
|
||||||
# vold might need to search loopback apex files
|
# vold might need to search loopback apex files
|
||||||
allow vold vendor_apex_file:file r_file_perms;
|
allow vold vendor_apex_file:file r_file_perms;
|
||||||
|
|
Loading…
Reference in a new issue