android_system_sepolicy/public/idmap.te

# idmap, when executed by installd
type idmap, domain;
type idmap_exec, system_file_type, exec_type, file_type;

# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file create_file_perms;
allow idmap resourcecache_data_file:dir rw_dir_perms;

# Ignore reading /proc/<pid>/maps after a fork.
dontaudit idmap installd:file read;

# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;

# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;

# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)

# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)

# Allow the idmap2d binary to register as a service and communicate via AIDL
binder_use(idmap)
binder_service(idmap)
add_service(idmap, idmap_service)
Run idmap in its own domain. Run idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-06-19 10:47:26 -07:00			`# idmap, when executed by installd`
remove more domain_deprecated Test: no denials showing up in log collection Test: device boots Bug: 28760354 Change-Id: I089cfcf486464952fcbb52cce9f6152caf662c23 2016-12-09 19:30:39 -08:00			`type idmap, domain;`
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 10:21:37 -07:00			`type idmap_exec, system_file_type, exec_type, file_type;`
Run idmap in its own domain. Run idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-06-19 10:47:26 -07:00
Allow idmap1 to read vmdl*.tmp APK install files When upgrading a package, PackageParser acts on the temporary APK file copied from the install location. This is passed to idmap, which doesn't have read access because it's missing an SELinux rule. This is needed to fix a bug with manifest overlaying on updating an app, a feature kept alive for Q. Relevant logs when updating a target: [ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 Bug: 130559507 Test: manual adb push /system/product/app/TestApp.apk with /system/product/overlay/TestOverlay.apk enabling disabled launcher Activity in TestApp; adb install -r TestApp.apk keeps enabled state with changes Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff 2019-04-15 16:10:02 -07:00			`# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)`
Run idmap in its own domain. Run idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-06-19 10:47:26 -07:00			`# Use open file to /data/resource-cache file inherited from installd.`
			`allow idmap installd:fd use;`
Add idmap2 and idmap2d Bug: 78815803 Test: builds, boots Test: manual: adb shell idmap2 create ... Test: manual: adb shell ps \| grep -e idmap2d Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d 2018-06-14 23:08:19 -07:00			`allow idmap resourcecache_data_file:file create_file_perms;`
			`allow idmap resourcecache_data_file:dir rw_dir_perms;`
Run idmap in its own domain. Run idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-06-19 10:47:26 -07:00
Suppress denials from idmap reading installd's files. We are occasionally seeing the following SELinux denial: avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file This commit suppresses that exact denial. We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread. Bug: 72444813 Test: Boot Walleye and test wifi and camera. Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9 2018-01-24 13:56:28 -08:00			`# Ignore reading /proc/<pid>/maps after a fork.`
			`dontaudit idmap installd:file read;`

Run idmap in its own domain. Run idmap in its own domain rather than leaving it in installd's domain. This prevents misuse of installd's permissions by idmap. zygote also needs to run idmap. For now, just run it in zygote's domain as it was previously since that is what is done for dex2oat invocation by zygote. zygote appears to run idmap with system uid while installd runs it with app UIDs, so using different domains seems appropriate. Remove system_file execute_no_trans from both installd and zygote; this should no longer be needed with explicit labels for dex2oat and idmap. Change-Id: If47e2c1326b84c20e94a20f5e699300dce12bdfe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2015-06-19 10:47:26 -07:00			`# Open and read from target and overlay apk files passed by argument.`
			`allow idmap apk_data_file:file r_file_perms;`
Add service 'overlay' to service_contexts The 'overlay' service is the Overlay Manager Service, which tracks packages and their Runtime Resource Overlay overlay packages. Change-Id: I897dea6a32c653d31be88a7b3fc56ee4538cf178 Co-authored-by: Martin Wallgren <martin.wallgren@sonymobile.com> Signed-off-by: Zoran Jovanovic <zoran.jovanovic@sonymobile.com> Bug: 31052947 Test: boot the Android framework 2015-06-22 00:31:25 -07:00			`allow idmap apk_data_file:dir search;`
sepolicy: restrict /vendor/app from most coredomains The change makes 'vendor_app_file' accessible only to few platform domains like dex2oat, idmap, installd, system_server and appdomain. Bug: 36681210 Test: Boot sailfish (treble device) from wiped flashall Test: Connect to wifi and launch chrome to load few websites. Test: Launch camera and record + playback video Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-04 09:30:41 -07:00
Allow idmap1 to read vmdl*.tmp APK install files When upgrading a package, PackageParser acts on the temporary APK file copied from the install location. This is passed to idmap, which doesn't have read access because it's missing an SELinux rule. This is needed to fix a bug with manifest overlaying on updating an app, a feature kept alive for Q. Relevant logs when updating a target: [ 550.068083] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.090115] type=1400 audit(1556124408.583:3812): avc: denied { read } for comm="idmap" name="base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.092064] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.096202] type=1400 audit(1556124408.603:3813): avc: denied { open } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.098459] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.101640] type=1400 audit(1556124408.613:3814): avc: denied { map } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 [ 550.104239] type=1400 audit(1556124408.613:3815): avc: denied { getattr } for comm="idmap" path="/data/app/vmdl1238645679.tmp/base.apk" dev="vdc" ino=8770 scontext=u:r:idmap:s0 tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=1 Bug: 130559507 Test: manual adb push /system/product/app/TestApp.apk with /system/product/overlay/TestOverlay.apk enabling disabled launcher Activity in TestApp; adb install -r TestApp.apk keeps enabled state with changes Change-Id: Ieeb7fb4f79ae091d0febf42ca358e7ffdfa6c3ff 2019-04-15 16:10:02 -07:00			`# Allow /data/app/vmdl.tmp, /data/app-private/vmdl.tmp files`
			`allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;`
			`allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;`

sepolicy: restrict /vendor/app from most coredomains The change makes 'vendor_app_file' accessible only to few platform domains like dex2oat, idmap, installd, system_server and appdomain. Bug: 36681210 Test: Boot sailfish (treble device) from wiped flashall Test: Connect to wifi and launch chrome to load few websites. Test: Launch camera and record + playback video Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-04 09:30:41 -07:00			`# Allow apps access to /vendor/app`
			`r_dir_file(idmap, vendor_app_file)`
sepolicy: restrict /vendor/overlay from most coredomains The change makes 'vendor_overlay_file' accessible only to few platform domains like idmap, system_server, zygote and appdomain. The overlay files contains RROs (runtime resource overlays) Bug: 36681210 Test: Boot sailfish (treble device) from wiped flashall Test: Connect to wifi and launch chrome to load few websites. Test: Launch camera and record + playback video Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332 Signed-off-by: Sandeep Patil <sspatil@google.com> 2017-04-05 16:16:13 -07:00
			`# Allow apps access to /vendor/overlay`
			`r_dir_file(idmap, vendor_overlay_file)`
Add idmap2 and idmap2d Bug: 78815803 Test: builds, boots Test: manual: adb shell idmap2 create ... Test: manual: adb shell ps \| grep -e idmap2d Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d 2018-06-14 23:08:19 -07:00
			`# Allow the idmap2d binary to register as a service and communicate via AIDL`
			`binder_use(idmap)`
idmap: add binderservice permissions Allow dumpsys to dump process information for bug reports. Test: build Test: adb bugreport Bug: 140541614 Change-Id: Ia361e8c8de2cc5f798e746dffcf067393fd6bcae 2019-09-18 04:45:15 -07:00			`binder_service(idmap)`
Add idmap2 and idmap2d Bug: 78815803 Test: builds, boots Test: manual: adb shell idmap2 create ... Test: manual: adb shell ps \| grep -e idmap2d Change-Id: I60852e15d99329896ff9de6559d1e7cd1c67e33d 2018-06-14 23:08:19 -07:00			`add_service(idmap, idmap_service)`