tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/vold_prepare_subdirs.te
Ellen Arteca 27b515e70a Add SELinux policy for storage areas 
We are adding the ability for apps to create "storage areas", which are
transparently encrypted directories that can only be opened when the
device is unlocked.
This CL makes the required SELinux policy changes.

First, assign the type "system_userdir_file" to the new top-level
directory /data/storage_area (non-recursively).  This is the same type
used by the other top-level directories containing app data, such as
/data/user, and it restricts access to the directory in the desired way.

Second, add new types to represent an app's directory of storage areas,
the storage areas themselves, and their contents:
`storage_area_app_dir`, `storage_area_dir`, and
`storage_area_content_file` respectively.
All are `app_data_file_type`s.
The directory structure and their associated labels is as follows (note
 that they also all get the categories of the user+package):
/data/storage_area/userId/pkgName
		storage_area_app_dir
/data/storage_area/userId/pkgName/storageAreaName
		storage_area_dir
/data/storage_area/userId/pkgName/storageAreaName/myFile.txt
		storage_area_content_file
/data/storage_area/userId/pkgName/storageAreaName/mySubDir
		storage_area_content_file

These new types allow us to restrict how and which processes interact
with storage areas.
The new type for the contents of storage areas allows us to add new,
desirable restrictions that we cannot add to the more general
`app_data_file` type in order to maintain backwards-compatibility,
e.g., we block apps from executing any files in their storage areas.

Third, allow:
-- vold_prepare_subdirs to create and delete
storage areas on behalf of apps, and assign them the SElinux type
`storage_area_dir`
i.e. create directories
/data/storage_area/$userId/$pkgName/$storageAreaName
-- vold to assign encryption policies to storage area directories
-- installd to create an app's directory of storage areas on app
install, and delete them on app uninstall, and assign them the SElinux
type `storage_area_app_dir`,
i.e. directories /data/storage_area/$userId/$pkgName

We also add a new SELinux type to represent the storage area encryption
keys: `storage_area_key_file`.
The keys are created by vold on storage area creation, and deleted
either by vold if an app calls
the `deleteStorageArea` API function explicitly, or by installd on
app uninstall.
These keys are stored in `/data/misc_ce/$userId/storage_area_keys`,
and only installd and vold have access to them.

Bug: 325121608
Test: atest StorageAreaTest
Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 20:26:55 +00:00

92 lines
3.1 KiB
Text
Raw Blame History

domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
typeattribute vold_prepare_subdirs coredomain;
typeattribute vold_prepare_subdirs mlstrustedsubject;
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs seapp_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
allow vold_prepare_subdirs self:process setfscreate;
allow vold_prepare_subdirs {
sdk_sandbox_system_data_file
system_data_file
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_data_file_type
apex_module_data_file
apex_rollback_data_file
backup_data_file
checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
storaged_data_file
sdk_sandbox_data_file
sdk_sandbox_system_data_file
system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_data_file_type
apex_art_staging_data_file
apex_module_data_file
apex_rollback_data_file
backup_data_file
checkin_data_file
face_vendor_data_file
fingerprint_vendor_data_file
iris_vendor_data_file
rollback_data_file
storaged_data_file
sdk_sandbox_data_file
system_data_file
vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# Allow vold_prepare_subdirs to create storage area directories on behalf of apps.
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
allow vold_prepare_subdirs {
storage_area_dir
storage_area_app_dir
}:dir {
rw_dir_perms
create
setattr # for chown() and chmod()
rmdir
unlink
relabelfrom # setfilecon
relabelto # setfilecon
};
# The storage area directories should have type storage_area_dir
type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
selinux_check_context(vold_prepare_subdirs)
')
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
allow vold_prepare_subdirs {
apex_appsearch_data_file
apex_permission_data_file
apex_scheduling_data_file
apex_tethering_data_file
apex_wifi_data_file
}:dir relabelfrom;
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
Reference in a new issue View git blame Copy permalink