27b515e70a
We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. 
directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
typeattribute installd coredomain;
|
|
|
|
init_daemon_domain(installd)
|
|
|
|
# Run migrate_legacy_obb_data.sh in its own sandbox.
|
|
domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
|
|
allow installd shell_exec:file rx_file_perms;
|
|
|
|
# Run dex2oat in its own sandbox.
|
|
domain_auto_trans(installd, dex2oat_exec, dex2oat)
|
|
|
|
# Run dexoptanalyzer in its own sandbox.
|
|
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
|
|
|
|
# Run profman in its own sandbox.
|
|
domain_auto_trans(installd, profman_exec, profman)
|
|
|
|
# Run idmap in its own sandbox.
|
|
domain_auto_trans(installd, idmap_exec, idmap)
|
|
|
|
# For collecting bugreports.
|
|
allow installd dumpstate:fd use;
|
|
allow installd dumpstate:fifo_file r_file_perms;
|
|
|
|
# Delete /system/bin/bcc generated artifacts
|
|
allow installd app_exec_data_file:file unlink;
|
|
|
|
# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
|
|
# subsequently restore them.
|
|
allow installd rollback_data_file:dir create_dir_perms;
|
|
allow installd rollback_data_file:file create_file_perms;
|
|
|
|
# Allow installd to access the runtime feature flag properties.
|
|
get_prop(installd, device_config_runtime_native_prop)
|
|
get_prop(installd, device_config_runtime_native_boot_prop)
|
|
|
|
# Allow installd to access apk verity feature flag (for legacy case).
|
|
get_prop(installd, apk_verity_prop)
|
|
|
|
# Allow installd to access odsign verification status
|
|
get_prop(installd, odsign_prop)
|
|
|
|
# Allow installd to delete files in /data/staging
|
|
allow installd staging_data_file:file unlink;
|
|
allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
|
|
|
|
allow installd { dex2oat dexoptanalyzer }:process signal;
|
|
|
|
# installd kills subprocesses if they time out.
|
|
allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
|
|
|
|
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
|
|
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
|
|
|
|
# Allow installd to enable fs-verity for app file passed as FD;
|
|
allow installd { untrusted_app_all priv_app gmscore_app }:fd use;
|
|
allowxperm installd app_data_file_type:file ioctl FS_IOC_ENABLE_VERITY;
|
|
|
|
typeattribute installd mlstrustedsubject;
|
|
allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin kill };
|
|
|
|
# Allow labeling of files under /data/app/com.example/oat/
|
|
allow installd dalvikcache_data_file:dir relabelto;
|
|
allow installd dalvikcache_data_file:file { relabelto link };
|
|
|
|
# Allow movement of APK files between volumes
|
|
allow installd apk_data_file:dir { create_dir_perms relabelfrom };
|
|
allow installd apk_data_file:file { create_file_perms relabelfrom link };
|
|
allow installd apk_data_file:lnk_file { create r_file_perms unlink };
|
|
|
|
allow installd asec_apk_file:file r_file_perms;
|
|
allow installd apk_tmp_file:file { r_file_perms unlink };
|
|
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
|
|
allow installd oemfs:dir r_dir_perms;
|
|
allow installd oemfs:file r_file_perms;
|
|
allow installd cgroup:dir create_dir_perms;
|
|
allow installd cgroup_v2:dir create_dir_perms;
|
|
allow installd mnt_expand_file:dir { search getattr };
|
|
# Check validity of SELinux context before use.
|
|
selinux_check_context(installd)
|
|
|
|
r_dir_file(installd, rootfs)
|
|
# Scan through APKs in /system/app and /system/priv-app
|
|
r_dir_file(installd, system_file)
|
|
# Scan through APKs in /vendor/app
|
|
r_dir_file(installd, vendor_app_file)
|
|
# Scan through JARs in /vendor/framework
|
|
r_dir_file(installd, vendor_framework_file)
|
|
# Scan through Runtime Resource Overlay APKs in /vendor/overlay
|
|
r_dir_file(installd, vendor_overlay_file)
|
|
# Vendor overlay can be found in vendor apex
|
|
allow installd vendor_apex_metadata_file:dir { getattr search };
|
|
# Get file context
|
|
allow installd file_contexts_file:file r_file_perms;
|
|
# Get seapp_context
|
|
allow installd seapp_contexts_file:file r_file_perms;
|
|
|
|
# Search /data/app-asec and stat files in it.
|
|
allow installd asec_image_file:dir search;
|
|
allow installd asec_image_file:file getattr;
|
|
|
|
# Required to initially create subdirectories of /data/user/$userId
|
|
# and lib symlinks before the setfilecon call. May want to
|
|
# move symlink creation after setfilecon in installd.
|
|
allow installd system_data_file:dir create_dir_perms;
|
|
# Also, allow read for lnk_file so that we can process symlinks within
|
|
# /data/user/$userId when optimizing application code.
|
|
allow installd system_data_file:lnk_file { create getattr read setattr unlink };
|
|
|
|
# Manage lower filesystem via pass_through mounts
|
|
allow installd mnt_pass_through_file:dir r_dir_perms;
|
|
|
|
# Upgrade /data/media for multi-user if necessary.
|
|
allow installd media_rw_data_file:dir create_dir_perms;
|
|
allow installd media_rw_data_file:file { getattr unlink };
|
|
# restorecon new /data/media directory.
|
|
allow installd system_data_file:dir relabelfrom;
|
|
allow installd media_rw_data_file:dir relabelto;
|
|
|
|
# Delete /data/media files through sdcardfs, instead of going behind its back
|
|
allow installd media_userdir_file:dir r_dir_perms;
|
|
allow installd tmpfs:dir r_dir_perms;
|
|
allow installd storage_file:dir search;
|
|
allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
|
|
allow installd { sdcard_type fuse }:file { getattr unlink };
|
|
|
|
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
|
|
allow installd mirror_data_file:dir { create_dir_perms mounton };
|
|
|
|
# Upgrade /data/misc/keychain for multi-user if necessary.
|
|
allow installd system_userdir_file:dir r_dir_perms;
|
|
allow installd misc_user_data_file:dir create_dir_perms;
|
|
allow installd misc_user_data_file:file create_file_perms;
|
|
allow installd keychain_data_file:dir create_dir_perms;
|
|
allow installd keychain_data_file:file {r_file_perms unlink};
|
|
|
|
# Create /data/misc/installd/layout_version.* file
|
|
allow installd install_data_file:file create_file_perms;
|
|
allow installd install_data_file:dir rw_dir_perms;
|
|
|
|
# Create files under /data/dalvik-cache.
|
|
allow installd dalvikcache_data_file:dir create_dir_perms;
|
|
allow installd dalvikcache_data_file:file create_file_perms;
|
|
allow installd dalvikcache_data_file:lnk_file getattr;
|
|
|
|
# Create files under /data/resource-cache.
|
|
allow installd resourcecache_data_file:dir rw_dir_perms;
|
|
allow installd resourcecache_data_file:file create_file_perms;
|
|
|
|
# Upgrade from unlabeled userdata.
|
|
# Just need enough to remove and/or relabel it.
|
|
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
|
|
allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
|
|
# Read pkg.apk file for input during dexopt.
|
|
allow installd unlabeled:file r_file_perms;
|
|
|
|
# Upgrade from before system_app_data_file was used for system UID apps.
|
|
# Just need enough to relabel it and to unlink removed package files.
|
|
# Directory access covered by earlier rule above.
|
|
allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
|
|
|
|
# Manage /data/data subdirectories, including initially labeling them
|
|
# upon creation via setfilecon or running restorecon_recursive,
|
|
# setting owner/mode, creating symlinks within them, and deleting them
|
|
# upon package uninstall.
|
|
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
|
|
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
|
|
|
|
# Allow setting extended attributes (for project quota IDs) on dirs and files
|
|
# and to enable project ID inheritance through FS_IOC_SETFLAGS
|
|
# Added install_data_file to be able to create file under /data/misc/installd/ioctl_check
|
|
allowxperm installd { app_data_file_type system_data_file install_data_file}:{ dir file } ioctl {
|
|
FS_IOC_FSGETXATTR
|
|
FS_IOC_FSSETXATTR
|
|
FS_IOC_GETFLAGS
|
|
FS_IOC_SETFLAGS
|
|
};
|
|
|
|
# Similar for the files under /data/misc/profiles/
|
|
allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
|
|
allow installd user_profile_data_file:dir { create_dir_perms relabelto };
|
|
allow installd user_profile_data_file:file create_file_perms;
|
|
allow installd user_profile_data_file:file unlink;
|
|
|
|
# Allow zygote to unmount mirror directories
|
|
allow installd labeledfs:filesystem unmount;
|
|
|
|
# Files created/updated by profman dumps.
|
|
allow installd profman_dump_data_file:dir { search add_name write };
|
|
allow installd profman_dump_data_file:file { create setattr open write };
|
|
|
|
# Create and use pty created by android_fork_execvp().
|
|
allow installd devpts:chr_file rw_file_perms;
|
|
|
|
# execute toybox for app relocation
|
|
allow installd toolbox_exec:file rx_file_perms;
|
|
|
|
# Allow installd to publish a binder service and make binder calls.
|
|
binder_use(installd)
|
|
add_service(installd, installd_service)
|
|
allow installd dumpstate:fifo_file { getattr write };
|
|
|
|
# Allow installd to call into the system server so it can check permissions.
|
|
binder_call(installd, system_server)
|
|
allow installd permission_service:service_manager find;
|
|
|
|
# Allow installd to read and write quotas
|
|
allow installd block_device:dir { search };
|
|
allow installd labeledfs:filesystem { quotaget quotamod };
|
|
|
|
# Allow installd to delete from /data/preloads when trimming data caches
|
|
# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
|
|
allow installd preloads_data_file:file { r_file_perms unlink };
|
|
allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
|
|
allow installd preloads_media_file:file { r_file_perms unlink };
|
|
allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
|
|
|
# Allow installd to read /proc/filesystems
|
|
allow installd proc_filesystems:file r_file_perms;
|
|
|
|
#add for move app to sd card
|
|
get_prop(installd, storage_config_prop)
|
|
|
|
# Allow installd to access apps installed on the Incremental File System
|
|
# Accessing files on the Incremental File System uses fds opened in the context of vold.
|
|
allow installd vold:fd use;
|
|
|
|
# on app uninstall, installd deletes the storage area keys for the app
|
|
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
|
|
allow installd storage_area_key_file:dir { open search write remove_name lock };
|
|
allow installd storage_area_key_file:file unlink;
|
|
')
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
|
|
neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
|
|
neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
|
|
neverallow installd {
|
|
domain
|
|
-system_server
|
|
-servicemanager
|
|
userdebug_or_eng(`-su')
|
|
}:binder call;
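Review bot: The new `storage_area_key_file` rules inside `is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ...)` give installd `unlink` on the key files but no `read`/`open`, and neither the rule nor its comment says that omission is intentional, so the next denial-driven fix is likely to widen it to `r_file_perms`; I would make the intent explicit on the comment line: `# installd only needs to unlink the key files; it must never be able to read key material.` The commit description states that only installd and vold may access these keys, but the neverallow section of this file covers binder only, so unless that guarantee is already pinned where `storage_area_key_file` is declared, a neverallow along the lines of `neverallow { domain -installd -vold } storage_area_key_file:file *;` (minus whatever other domains genuinely need, e.g. for directory preparation) would turn the description's claim into something the policy build enforces. The `dir` permission set also lacks `read`, so installd cannot enumerate the key directory and must know the exact key file names for a package from elsewhere, presumably from the package's `storage_area_app_dir` that it already has full access to via `app_data_file_type`; if that is the contract, a one-line comment naming it would help whoever next touches uninstall cleanup.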
|