Commit graph

13 commits

Author SHA1 Message Date
Roland Levillain
0a6c2d013a Allow otapreopt_chroot to mount APEX packages using apexd logic.
Allow `otapreopt_chroot` to:
- read SELinux policy files;
- open and read the contents of `/postinstall/system/apex`;
- read the `persist.apexd.verity_on_system` system property;
- create loop devices with `/dev/loop-control`;
- access loop devices;
- configure read-ahead of loop devices;
- mount a tmpfs filesystem in `/postinstall/apex`;
- manipulate the tmpfs filesystem mounted in `/postinstall/apex`;
- mount APEX packages in `/postinstall/apex`.

Allow the kernel to:
- read `otapreopt_chroot`'s file descriptors;
- read files under `/postinstall`.

Allow `otapreopt` (running as "postinstall_dexopt") to:
- read data from `/postinstall/apex`.

Allow `dex2oat` to:
- access `/postinstall/apex`.

Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I204df92611dc710fdc97b22cd67d088ffd991210
2019-01-17 21:42:46 +00:00
Tri Vo
d918c8df78 Remove redundant cgroup type/labelings.
cgroup is labeled from genfs_contexts. Also, cgroup filesystems can't be
context mounted, i.e. it's not possible to mount them with a label other
than "cgroup".

Bug: 110962171
Test: m selinux_policy
Test: boot aosp_walleye
Change-Id: I8319b10136c42a42d1edaee47b77ad1698e87f2c
2018-11-17 01:24:49 +00:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Andreas Gampe
006e160b1a Sepolicy: Modify postinstall_dexopt
Grant fsetid as it was done for installd. Suppress write to
profile files.

Bug: 77958490
Test: m
Test: manual
Change-Id: I33f47db7c16f0eda41ffdb526cf43f8fa9484c62
2018-04-30 09:52:54 -07:00
Jiyong Park
a6d9d6b68a Reland "Allow dexopt to follow /odm/lib(64) symlinks.""
This reverts commit 942500b910.

Bug: 75287236
Test: boot a device
Change-Id: If81a2d2a46979ffbd536bb95528c3b4ebe3483df
2018-04-02 10:43:22 +09:00
Bowgo Tsai
942500b910 Revert "Allow dexopt to follow /odm/lib(64) symlinks."
This reverts commit 88cd813fe2.

Bug: 75287236
Test: boot a device
Change-Id: Id1bc324e7bd0722065d8a410af31fd6b7aaa9d1c
2018-03-20 09:03:57 +08:00
Bowgo Tsai
88cd813fe2 Allow dexopt to follow /odm/lib(64) symlinks.
Several /odm/* symlinks are added in the following change, to fallback
to /vendor/odm/* when there is no /odm partition on the device.

  https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/638159/

This change allows dexopt operations to 'getattr' those symlinks during
OTA.

Bug: 75287236
Test: boot a device
Change-Id: I2710ce5e2c47eb1a3432123ab49f1b6f3dcb4ffe
2018-03-19 13:29:06 +08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Tri Vo
04fb82f232 /proc, /sys access from uncrypt, update_engine, postinstall_dexopt
New types:
1. proc_random
2. sysfs_dt_firmware_android

Labeled:
1. /proc/sys/kernel/random as proc_random.
2. /sys/firmware/devicetree/base/firmware/android/{compatible, fstab,
vbmeta} as sysfs_dt_firmware_android.

Changed access:
1. uncrypt, update_engine, postinstall_dexopt have access to generic proc
and sysfs labels removed.
2. appropriate permissions were added to uncrypt, update_engine,
update_engine_common, postinstall_dexopt.

Bug: 67416435
Bug: 67416336
Test: fake ota go/manual-ab-ota runs without denials
Test: adb sideload runs without denials to new types
Change-Id: Id31310ceb151a18652fcbb58037a0b90c1f6505a
2017-10-24 16:40:45 +00:00
Andreas Gampe
bddd189394 Sepolicy: Fix new access from the linker for postinstall
The linker now requires getattr rights for the filesystem. Otherwise
linking otapreopt and patchoat/dex2oat will fail.

Bug: 37776530
Test: m
Test: manual OTA
Change-Id: I1351fbfa101beca4ba80f84b0dd9dbcabe2c9d39
2017-04-28 17:34:41 -07:00
Andreas Gampe
e843044cc1 sepolicy: Allow postinstall_dexopt /vendor/app access
Follow-up to commit 1b5f81a2d2.

Bug: 36681210
Bug: 37158297
Test: lunch sailfish-userdebug && m
Test: Manually run OTA
Change-Id: Ifb4808c9255842a51a660c07ffd924cef52024c5
2017-04-11 20:39:47 -07:00
Andreas Gampe
3cc71b09d6 Sepolicy: Allow postinstall to read links
Certain libraries may actually be links. Allow OTA dexopt to read
those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed
2017-03-17 10:08:52 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from postinstall_dexopt.te (Browse further)