diff options
| author | Tom Cherry | 2018-04-18 17:08:57 -0500 |
|---|---|---|
| committer | Gerrit Code Review | 2018-04-18 17:08:57 -0500 |
| commit | 09ade7fce41115ce1bfbfa503229b8640b4dfdcc (patch) | |
| tree | c2151daa2d2052c7529ba5677401b6203f1fa566 | |
| parent | 4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b (diff) | |
| parent | 620dc7f814451ebba7efe0208677d1c0164b192a (diff) | |
| download | system-sepolicy-09ade7fce41115ce1bfbfa503229b8640b4dfdcc.tar.gz system-sepolicy-09ade7fce41115ce1bfbfa503229b8640b4dfdcc.tar.xz system-sepolicy-09ade7fce41115ce1bfbfa503229b8640b4dfdcc.zip | |
Merge "Allow vendor_init to access unencrypted_data_file"
| -rw-r--r-- | public/domain.te | 40 | ||||
| -rw-r--r-- | public/vendor_init.te | 4 |
2 files changed, 37 insertions, 7 deletions
diff --git a/public/domain.te b/public/domain.te index 9458d796..3a914d7b 100644 --- a/public/domain.te +++ b/public/domain.te | |||
| @@ -841,13 +841,25 @@ full_treble_only(` | |||
| 841 | -appdomain # TODO(b/34980020) remove exemption for appdomain | 841 | -appdomain # TODO(b/34980020) remove exemption for appdomain |
| 842 | -coredomain | 842 | -coredomain |
| 843 | -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up | 843 | -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up |
| 844 | -vendor_init | ||
| 844 | } { | 845 | } { |
| 845 | core_data_file_type | 846 | core_data_file_type |
| 846 | # libc includes functions like mktime and localtime which attempt to access | 847 | # libc includes functions like mktime and localtime which attempt to access |
| 847 | # files in /data/misc/zoneinfo/tzdata file. These functions are considered | 848 | # files in /data/misc/zoneinfo/tzdata file. These functions are considered |
| 848 | # vndk-stable and thus must be allowed for all processes. | 849 | # vndk-stable and thus must be allowed for all processes. |
| 849 | -zoneinfo_data_file | 850 | -zoneinfo_data_file |
| 850 | }:file_class_set ~{ append getattr ioctl read write }; | 851 | }:file_class_set ~{ append getattr ioctl read write }; |
| 852 | neverallow { | ||
| 853 | vendor_init | ||
| 854 | -data_between_core_and_vendor_violators | ||
| 855 | } { | ||
| 856 | core_data_file_type | ||
| 857 | -unencrypted_data_file | ||
| 858 | -zoneinfo_data_file | ||
| 859 | }:file_class_set ~{ append getattr ioctl read write }; | ||
| 860 | # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. | ||
| 861 | # The vendor init binary lives on the system partition so there is not a concern with stability. | ||
| 862 | neverallow vendor_init unencrypted_data_file:file ~r_file_perms; | ||
| 851 | ') | 863 | ') |
| 852 | full_treble_only(` | 864 | full_treble_only(` |
| 853 | # vendor domains may only access dirs in /data/vendor, never core_data_file_types | 865 | # vendor domains may only access dirs in /data/vendor, never core_data_file_types |
| @@ -856,12 +868,26 @@ full_treble_only(` | |||
| 856 | -appdomain # TODO(b/34980020) remove exemption for appdomain | 868 | -appdomain # TODO(b/34980020) remove exemption for appdomain |
| 857 | -coredomain | 869 | -coredomain |
| 858 | -data_between_core_and_vendor_violators | 870 | -data_between_core_and_vendor_violators |
| 859 | } { | 871 | -vendor_init |
| 860 | core_data_file_type | 872 | } { |
| 861 | -system_data_file # default label for files on /data. Covered below... | 873 | core_data_file_type |
| 862 | -vendor_data_file | 874 | -system_data_file # default label for files on /data. Covered below... |
| 863 | -zoneinfo_data_file | 875 | -vendor_data_file |
| 864 | }:dir *; | 876 | -zoneinfo_data_file |
| 877 | }:dir *; | ||
| 878 | neverallow { | ||
| 879 | vendor_init | ||
| 880 | -data_between_core_and_vendor_violators | ||
| 881 | } { | ||
| 882 | core_data_file_type | ||
| 883 | -unencrypted_data_file | ||
| 884 | -system_data_file | ||
| 885 | -vendor_data_file | ||
| 886 | -zoneinfo_data_file | ||
| 887 | }:dir *; | ||
| 888 | # vendor init needs to be able to read unencrypted_data_file to create directories with FBE. | ||
| 889 | # The vendor init binary lives on the system partition so there is not a concern with stability. | ||
| 890 | neverallow vendor_init unencrypted_data_file:dir ~search; | ||
| 865 | ') | 891 | ') |
| 866 | full_treble_only(` | 892 | full_treble_only(` |
| 867 | # vendor domains may only access dirs in /data/vendor, never core_data_file_types | 893 | # vendor domains may only access dirs in /data/vendor, never core_data_file_types |
diff --git a/public/vendor_init.te b/public/vendor_init.te index 362244ee..135dfa85 100644 --- a/public/vendor_init.te +++ b/public/vendor_init.te | |||
| @@ -34,6 +34,10 @@ allow vendor_init self:global_capability_class_set dac_override; | |||
| 34 | # we just allow all file types except /system files here. | 34 | # we just allow all file types except /system files here. |
| 35 | allow vendor_init self:global_capability_class_set { chown fowner fsetid }; | 35 | allow vendor_init self:global_capability_class_set { chown fowner fsetid }; |
| 36 | 36 | ||
| 37 | # mkdir with FBE requires reading /data/unencrypted/{ref,mode}. | ||
| 38 | allow vendor_init unencrypted_data_file:dir search; | ||
| 39 | allow vendor_init unencrypted_data_file:file r_file_perms; | ||
| 40 | |||
| 37 | allow vendor_init { | 41 | allow vendor_init { |
| 38 | file_type | 42 | file_type |
| 39 | -core_data_file_type | 43 | -core_data_file_type |