authorTom Cherry2018-04-12 19:30:56 -0500
committerJeffrey Vander Stoep2018-04-18 14:39:04 -0500
commit620dc7f814451ebba7efe0208677d1c0164b192a (patch)
treeed937868b3a0a4bb231fa9f6b4432acdb512bae6
parent5a5894a979d09035777558678e18fac1bfdebba5 (diff)
Allow vendor_init to access unencrypted_data_file
FBE needs to access these files to set up or verify encryption for directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a284405f519ae49898031a4bea70e5e2d2fdac)
-rw-r--r--public/domain.te40
-rw-r--r--public/vendor_init.te4
2 files changed, 37 insertions, 7 deletions
diff --git a/public/domain.te b/public/domain.te
index 9458d796..3a914d7b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -841,13 +841,25 @@ full_treble_only(`
841 -appdomain # TODO(b/34980020) remove exemption for appdomain 841 -appdomain # TODO(b/34980020) remove exemption for appdomain
842 -coredomain 842 -coredomain
843 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up 843 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
844 -vendor_init
844 } { 845 } {
845 core_data_file_type 846 core_data_file_type
846 # libc includes functions like mktime and localtime which attempt to access 847 # libc includes functions like mktime and localtime which attempt to access
847 # files in /data/misc/zoneinfo/tzdata file. These functions are considered 848 # files in /data/misc/zoneinfo/tzdata file. These functions are considered
848 # vndk-stable and thus must be allowed for all processes. 849 # vndk-stable and thus must be allowed for all processes.
849 -zoneinfo_data_file 850 -zoneinfo_data_file
850 }:file_class_set ~{ append getattr ioctl read write }; 851 }:file_class_set ~{ append getattr ioctl read write };
852 neverallow {
853 vendor_init
854 -data_between_core_and_vendor_violators
855 } {
856 core_data_file_type
857 -unencrypted_data_file
858 -zoneinfo_data_file
859 }:file_class_set ~{ append getattr ioctl read write };
860 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
861 # The vendor init binary lives on the system partition so there is not a concern with stability.
862 neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
851') 863')
852full_treble_only(` 864full_treble_only(`
853 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 865 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -856,12 +868,26 @@ full_treble_only(`
856 -appdomain # TODO(b/34980020) remove exemption for appdomain 868 -appdomain # TODO(b/34980020) remove exemption for appdomain
857 -coredomain 869 -coredomain
858 -data_between_core_and_vendor_violators 870 -data_between_core_and_vendor_violators
859 } { 871 -vendor_init
860 core_data_file_type 872 } {
861 -system_data_file # default label for files on /data. Covered below... 873 core_data_file_type
862 -vendor_data_file 874 -system_data_file # default label for files on /data. Covered below...
863 -zoneinfo_data_file 875 -vendor_data_file
864 }:dir *; 876 -zoneinfo_data_file
877 }:dir *;
878 neverallow {
879 vendor_init
880 -data_between_core_and_vendor_violators
881 } {
882 core_data_file_type
883 -unencrypted_data_file
884 -system_data_file
885 -vendor_data_file
886 -zoneinfo_data_file
887 }:dir *;
888 # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
889 # The vendor init binary lives on the system partition so there is not a concern with stability.
890 neverallow vendor_init unencrypted_data_file:dir ~search;
865') 891')
866full_treble_only(` 892full_treble_only(`
867 # vendor domains may only access dirs in /data/vendor, never core_data_file_types 893 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
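Review bot: The source set `{ vendor_init -data_between_core_and_vendor_violators }` of both new neverallow blocks (new lines 852-855 in the file_class_set rule and 878-881 in the dir rule) is either redundant or a silent escape hatch: the source is a single domain, so the exemption adds nothing today, but if vendor_init is ever given that attribute the set becomes empty and both restrictions vanish without any build-time signal. Writing the source as plain `vendor_init` keeps the guarantee independent of an attribute maintained elsewhere; if the exemption is deliberate, the comment should say why. The comment duplicated at new lines 860-861 and 888-889 justifies the carve-out by stability, while the security-relevant fact is what the trailing rules still forbid; suggest `# vendor_init may only read (r_file_perms) files and search dirs labelled unencrypted_data_file; write, append, create and relabel remain neverallowed.` Both full_treble_only blocks are visible in full, but the neighbouring rules above and below the hunks are outside this view.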
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 362244ee..135dfa85 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@ allow vendor_init self:global_capability_class_set dac_override;
34# we just allow all file types except /system files here. 34# we just allow all file types except /system files here.
35allow vendor_init self:global_capability_class_set { chown fowner fsetid }; 35allow vendor_init self:global_capability_class_set { chown fowner fsetid };
36 36
37# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
38allow vendor_init unencrypted_data_file:dir search;
39allow vendor_init unencrypted_data_file:file r_file_perms;
40
37allow vendor_init { 41allow vendor_init {
38 file_type 42 file_type
39 -core_data_file_type 43 -core_data_file_type
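Review bot: `allow vendor_init unencrypted_data_file:file r_file_perms;` grants more than the comment justifies: reading /data/unencrypted/{ref,mode} needs open, read and getattr, while the r_file_perms macro also carries at least ioctl and lock (and map, if this tree's global_macros already includes it). If nothing in the mkdir path needs those, `allow vendor_init unencrypted_data_file:file { getattr open read };` is the tighter grant; if r_file_perms is kept, the comment should note that the matching `neverallow vendor_init unencrypted_data_file:file ~r_file_perms` in public/domain.te is what bounds it, so the two files must be changed together. Since vendor_init executes vendor-supplied init scripts, this is access reachable from vendor-controlled .rc files, which is worth stating in the comment as the reason the grant is read-only. The `allow vendor_init {` statement starting at new line 41 continues past the end of the hunk.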