tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/postinstall_dexopt.te
Alan Stokes 7aa40413ae Split user_profile_data_file label. 
user_profile_data_file is mlstrustedobject. And it needs to be,
because we want untrusted apps to be able to write to their profile
files, but they do not have levels.

But now we want to apply levels in the parent directories that have
the same label, and we want them to work so they need to not be
MLS-exempt. To resolve that we introduce a new label,
user_profile_root_file, which is applied to those directories (but no
files). We grant mostly the same access to the new label as
directories with the existing label.

Apart from appdomain, almost every domain which accesses
user_profile_data_file, and now user_profile_root_file, is already
mlstrustedsubject and so can't be affected by this change. The
exception is postinstall_dexopt which we now make mlstrustedobject.

Bug: 141677108
Bug: 175311045
Test: Manual: flash with wipe
Test: Manual: flash on top of older version
Test: Manual: install & uninstall apps
Test: Manual: create & remove user
Test: Presubmits.
Change-Id: I4e0def3d513b129d6c292f7edb076db341b4a2b3
2020-12-11 17:35:06 +00:00

75 lines
3.4 KiB
Text
Raw Blame History

# Domain for the otapreopt executable, running under postinstall_dexopt
#
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
# - Case where dex2oat is in a non-flattened APEX, which has retained
# the correct type (`dex2oat_exec`).
domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
# - Case where dex2oat is in a flattened APEX, which has been tagged
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
# here and having to relabel the directory.
# Read app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, apk_data_file)
# Read vendor app data (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_app_file)
# Read vendor overlay files (APKs) as input to dex2oat.
r_dir_file(postinstall_dexopt, vendor_overlay_file)
# Access to app oat directory.
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
allow postinstall_dexopt ota_data_file:file create_file_perms;
allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
# TODO: See whether we can apply ota_data_file?
allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
# Allow labeling of files under /data/app/com.example/oat/
# TODO: Restrict to .b suffix?
allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
# Check validity of SELinux context before use.
selinux_check_context(postinstall_dexopt)
selinux_check_access(postinstall_dexopt)
# Postinstall wants to know about our child.
allow postinstall_dexopt postinstall:process sigchld;
# Allow otapreopt to use file descriptors from otapreopt_chroot.
# TODO: Probably we can actually close file descriptors...
allow postinstall_dexopt otapreopt_chroot:fd use;
# Allow postinstall_dexopt to access the runtime feature flag properties.
get_prop(postinstall_dexopt, device_config_runtime_native_prop)
get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
Reference in a new issue View git blame Copy permalink