Split gsi_metadata_file and add gsi_metadata_file_type attribute am: 806898db48

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1620650 Change-Id: Ib37a1edae1e21b7d5dfd43ed001d4cbf42b3ef63
2021-03-29 03:42:34 +00:00 · 2021-03-29 03:42:34 +00:00 · e922f404e5
commit e922f404e5
parent ca28ae0e73 806898db48
15 changed files with 62 additions and 22 deletions
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -61,6 +61,7 @@
    gpuservice
    gsi_data_file
    gsi_metadata_file
+    gsi_public_metadata_file
    gsi_service
    gsid
    gsid_exec
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@ -1482,7 +1482,9 @@
 (typeattributeset graphics_device_30_0 (graphics_device))
 (typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
 (typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
+(typeattributeset gsi_metadata_file_30_0
+  ( gsi_metadata_file
+    gsi_public_metadata_file))
 (typeattributeset gsid_prop_30_0 (gsid_prop))
 (typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
 (typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
--- a/private/file_contexts
+++ b/private/file_contexts
@ -762,6 +762,10 @@
 /metadata/apex(/.*)?      u:object_r:apex_metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active  u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted  u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names  u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
 /metadata/gsi/ota(/.*)?   u:object_r:ota_metadata_file:s0
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
--- a/private/gsid.te
+++ b/private/gsid.te
@ -123,7 +123,7 @@ allow gsid userdata_block_device:blk_file r_file_perms;
 #
 allow gsid metadata_file:dir { search getattr };
 allow gsid {
-    gsi_metadata_file
+    gsi_metadata_file_type
 }:dir create_dir_perms;

 allow gsid {
@ -131,10 +131,15 @@ allow gsid {
 }:dir rw_dir_perms;

 allow gsid {
-    gsi_metadata_file
+    gsi_metadata_file_type
    ota_metadata_file
 }:file create_file_perms;

+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
 allow gsid {
      gsi_data_file
      ota_image_data_file
@ -153,6 +158,9 @@ allowxperm gsid {

 allow gsid system_server:binder call;

+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
 neverallow {
    domain
    -init
@ -160,7 +168,7 @@ neverallow {
    -fastbootd
    -recovery
    -vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;

 neverallow {
    domain
@ -168,7 +176,18 @@ neverallow {
    -gsid
    -fastbootd
    -vold
-} gsi_metadata_file:file_class_set *;
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+
+neverallow {
+    domain
+    -init
+    -gsid
+    -fastbootd
+    -vold
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;

 neverallow {
    domain
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@ -20,8 +20,8 @@ allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
 # Triggered when lpdumpd tries to read default fstab.
 dontaudit lpdumpd metadata_file:dir r_dir_perms;
 dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;

 ### Neverallow rules

--- a/public/attributes
+++ b/public/attributes
@ -386,3 +386,6 @@ attribute super_block_device_type;
 # All types used for DMA-BUF heaps
 attribute dmabuf_heap_device_type;
 expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@ -49,8 +49,8 @@ recovery_only(`
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  allow fastbootd {rootfs tmpfs}:dir mounton;
  allow fastbootd metadata_file:dir { search getattr };
-  allow fastbootd gsi_metadata_file:dir rw_dir_perms;
-  allow fastbootd gsi_metadata_file:file create_file_perms;
+  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+  allow fastbootd gsi_metadata_file_type:file create_file_perms;

  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

@ -103,7 +103,7 @@ recovery_only(`
  ')

  # Allow using libfiemap/gsid directly (no binder in recovery).
-  allow fastbootd gsi_metadata_file:dir search;
+  allow fastbootd gsi_metadata_file_type:dir search;
  allow fastbootd ota_metadata_file:dir rw_dir_perms;
  allow fastbootd ota_metadata_file:file create_file_perms;
 ')
--- a/public/file.te
+++ b/public/file.te
@ -242,7 +242,9 @@ type metadata_file, file_type;
 # Vold files within /metadata
 type vold_metadata_file, file_type;
 # GSI files within /metadata
-type gsi_metadata_file, file_type;
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
 # system_server shares Weaver slot information in /metadata
 type password_slot_metadata_file, file_type;
 # APEX files within /metadata
--- a/public/recovery.te
+++ b/public/recovery.te
@ -127,7 +127,7 @@ recovery_only(`
  allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };

  # Allow using libfiemap/gsid directly (no binder in recovery).
-  allow recovery gsi_metadata_file:dir search;
+  allow recovery gsi_metadata_file_type:dir search;
  allow recovery ota_metadata_file:dir rw_dir_perms;
  allow recovery ota_metadata_file:file create_file_perms;

--- a/public/te_macros
+++ b/public/te_macros
@ -965,3 +965,12 @@ define(`vendor_restricted_prop', `
 # Define a /vendor-owned property with no restrictions
 #
 define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+  allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+  allow $1 gsi_public_metadata_file:file r_file_perms;
+')
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@ -39,5 +39,5 @@ allow uncrypt proc_cmdline:file r_file_perms;
 r_dir_file(uncrypt, sysfs_dt_firmware_android)

 # Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt gsi_metadata_file_type:dir search;
 dontaudit uncrypt metadata_file:dir search;
--- a/public/update_engine.te
+++ b/public/update_engine.te
@ -69,7 +69,7 @@ allow update_engine system_file:dir r_dir_perms;
 # device. ReadDefaultFstab() checks whether a GSI is running by checking
 # gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
 # the access.
-dontaudit update_engine gsi_metadata_file:dir search;
+dontaudit update_engine gsi_metadata_file_type:dir search;

 # Allow to write to snapshotctl_log logs.
 # TODO(b/148818798) revert when parent bug is fixed.
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -57,7 +57,7 @@ allow vendor_init {
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
-  -gsi_metadata_file
+  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@ -75,7 +75,7 @@ allow vendor_init {
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
-  -gsi_metadata_file
+  -gsi_metadata_file_type
  -apex_metadata_file
  -apex_info_file
  -userspace_reboot_metadata_file
@ -91,7 +91,7 @@ allow vendor_init {
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
-  -gsi_metadata_file
+  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@ -107,7 +107,7 @@ allow vendor_init {
  -unlabeled
  -vendor_file_type
  -vold_metadata_file
-  -gsi_metadata_file
+  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
@ -122,7 +122,7 @@ allow vendor_init {
  -system_file_type
  -vendor_file_type
  -vold_metadata_file
-  -gsi_metadata_file
+  -gsi_metadata_file_type
  -apex_metadata_file
  -userspace_reboot_metadata_file
 }:dir_file_class_set relabelto;
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@ -8,7 +8,7 @@ allow vendor_misc_writer block_device:dir r_dir_perms;

 # Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
 # load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
+dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
 dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
 dontaudit vendor_misc_writer metadata_file:dir search;
 dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
--- a/public/vold.te
+++ b/public/vold.te
@ -294,8 +294,8 @@ allow vold mnt_vendor_file:dir search;
 dontaudit vold self:global_capability_class_set sys_resource;

 # vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file:dir r_dir_perms;
-allow vold gsi_metadata_file:file r_file_perms;
+allow vold gsi_metadata_file_type:dir r_dir_perms;
+allow vold gsi_metadata_file_type:file r_file_perms;

 # vold might need to search loopback apex files
 allow vold vendor_apex_file:file r_file_perms;