authorTom Cherry2018-04-18 17:08:57 -0500
committerGerrit Code Review2018-04-18 17:08:57 -0500
commit09ade7fce41115ce1bfbfa503229b8640b4dfdcc (patch)
treec2151daa2d2052c7529ba5677401b6203f1fa566
parent4d3ee1a5b6bb1a38bc2f9efa374ac9951d45107b (diff)
parent620dc7f814451ebba7efe0208677d1c0164b192a (diff)
Merge "Allow vendor_init to access unencrypted_data_file"
-rw-r--r--public/domain.te40
-rw-r--r--public/vendor_init.te4
2 files changed, 37 insertions, 7 deletions
diff --git a/public/domain.te b/public/domain.te
index 9458d796..3a914d7b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -841,13 +841,25 @@ full_treble_only(`
841 -appdomain # TODO(b/34980020) remove exemption for appdomain 841 -appdomain # TODO(b/34980020) remove exemption for appdomain
842 -coredomain 842 -coredomain
843 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 843 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
844 -vendor_init
844 } { 845 } {
845 core_data_file_type 846 core_data_file_type
846 # libc includes functions like mktime and localtime which attempt to access 847 # libc includes functions like mktime and localtime which attempt to access
847 # files in /data/misc/zoneinfo/tzdata file. These functions are considered 848 # files in /data/misc/zoneinfo/tzdata file. These functions are considered
848 # vndk-stable and thus must be allowed for all processes. 849 # vndk-stable and thus must be allowed for all processes.
849 -zoneinfo_data_file 850 -zoneinfo_data_file
850 }:file_class_set ~{ append getattr ioctl read write }; 851 }:file_class_set ~{ append getattr ioctl read write };
852 neverallow {
853 vendor_init
854 -data_between_core_and_vendor_violators
855 } {
856 core_data_file_type
857 -unencrypted_data_file
858 -zoneinfo_data_file
859 }:file_class_set ~{ append getattr ioctl read write };
860 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
861 # The vendor init binary lives on the system partition so there is not a concern with stability.
862 neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
851') 863')
852full_treble_only(` 864full_treble_only(`
853 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 865 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -856,12 +868,26 @@ full_treble_only(`
856 -appdomain # TODO(b/34980020) remove exemption for appdomain 868 -appdomain # TODO(b/34980020) remove exemption for appdomain
857 -coredomain 869 -coredomain
858 -data_between_core_and_vendor_violators 870 -data_between_core_and_vendor_violators
859 } { 871 -vendor_init
860 core_data_file_type 872 } {
861 -system_data_file # default label for files on /data. Covered below... 873 core_data_file_type
862 -vendor_data_file 874 -system_data_file # default label for files on /data. Covered below...
863 -zoneinfo_data_file 875 -vendor_data_file
864 }:dir *; 876 -zoneinfo_data_file
877 }:dir *;
878 neverallow {
879 vendor_init
880 -data_between_core_and_vendor_violators
881 } {
882 core_data_file_type
883 -unencrypted_data_file
884 -system_data_file
885 -vendor_data_file
886 -zoneinfo_data_file
887 }:dir *;
888 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
889 # The vendor init binary lives on the system partition so there is not a concern with stability.
890 neverallow vendor_init unencrypted_data_file:dir ~search;
865') 891')
866full_treble_only(` 892full_treble_only(`
867 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 893 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
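Review bot: The new vendor_init dir neverallow at new lines 882-886 keeps the same `-system_data_file` and `-vendor_data_file` exemptions as the general rule above it, but drops the `# default label for files on /data. Covered below...` comment that justifies them; the covering rule is in a later full_treble_only block outside this hunk, and the neverallow statements both hunks modify begin above the visible context. Because the subject here is a single domain rather than all non-core domains, the rule alone does not tell a reader whether vendor_init is still constrained on system_data_file dirs, so copying that comment onto `-system_data_file` in the new rule would record the dependency. The FBE rationale comment is also repeated verbatim in both hunks; stating it once and shortening the second to `# see the file_class_set rule above` would keep the two from drifting apart.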
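--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@ allow vendor_init self:global_capability_class_set dac_override;
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
 allow vendor_init {
     file_type
     -core_data_file_type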
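Review bot: The new allow on new lines 38-39 grants `r_file_perms` on every file carrying the unencrypted_data_file label, while the comment above it names only `/data/unencrypted/{ref,mode}`; the label, not the path, is what the policy checks, so the comment understates the scope. Suggest widening it to `# mkdir with FBE requires reading /data/unencrypted/{ref,mode}; this grants read on any unencrypted_data_file, which domain.te caps at r_file_perms / dir search via neverallow.` so the pairing with the restricting rules in domain.te is visible from this file. The allow statement that follows the inserted lines continues past the end of the hunk.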