Commit graph

5 commits

Author SHA1 Message Date
Alan Stokes
7aa40413ae Split user_profile_data_file label.
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Igor Murashkin
e39f8d23ed sepolicy: policies for iorap.inode2filename
binary transitions are as follows:

iorapd (fork/exec) -> iorap.cmd.compiler (fork/exec) -> iorap.inode2filename

Bug: 117840092
Test: adb shell cmd jobscheduler run -f android 28367305
Change-Id: I4249fcd37d2c8cbdd0ae1a0505983cce9c7fa7c6
2020-02-20 16:38:17 -08:00