From 3922253de9ac5c998ac2275614f3c806db8ecbc6 Mon Sep 17 00:00:00 2001 From: Songchun Fan Date: Thu, 13 Feb 2020 08:38:36 -0800 Subject: [PATCH] permissions for incremental control file MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit === for mounting and create file === 02-12 21:09:41.828 593 593 I Binder:593_2: type=1400 audit(0.0:832): avc: denied { relabelto } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:833): avc: denied { read } for name=".pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:834): avc: denied { open } for path="/data/incremental/MT_data_incremental_tmp_1485189518/mount/.pending_reads" dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:835): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.838 593 593 I Binder:593_2: type=1400 audit(0.0:836): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 21:09:41.841 1429 1429 I PackageInstalle: type=1400 audit(0.0:837): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === for reading signature from file === 02-12 21:09:47.931 8972 8972 I android.vending: type=1400 audit(0.0:848): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:47.994 1429 1429 I AppIntegrityMan: type=1400 audit(0.0:849): avc: denied { ioctl } for path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 02-12 21:09:50.034 8972 8972 I com.android.vending: type=1400 audit(0.0:850): avc: denied { ioctl } for comm=62674578656375746F72202332 path="/data/app/vmdl951541350.tmp/base.apk" dev="incremental-fs" ino=6416 ioctlcmd=0x671f scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending 02-12 21:09:52.914 1429 1429 I PackageManager: type=1400 audit(0.0:851): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313438353138393531382F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x671e scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 === data loader app reading from log file === 02-12 22:09:19.741  1417  1417 I Binder:1417_3: type=1400 audit(0.0:654): avc: denied { read } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 02-12 22:09:19.741 15903 15903 I Binder:15903_4: type=1400 audit(0.0:655): avc: denied { getattr } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3131393237303339342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 scontext=u:r:system_app:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 Test: manual with incremental installation BUG: 133435829 Change-Id: Ie973be6bc63faf8fe98c9e684060e9c81d124e6e --- private/priv_app.te | 4 ++++ private/system_app.te | 3 +++ private/system_server.te | 7 +++++++ public/ioctl_defines | 2 ++ public/vold.te | 2 ++ 5 files changed, 18 insertions(+) diff --git a/private/priv_app.te b/private/priv_app.te index 74930ee27..75e9732a9 100644 --- a/private/priv_app.te +++ b/private/priv_app.te @@ -146,6 +146,10 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read; allow priv_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt }; +# allow apps like Phonesky to check the file signature of an apk installed on +# the Incremental File System +allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE; + ### ### neverallow rules ### diff --git a/private/system_app.te b/private/system_app.te index 1432017e6..9789a5226 100644 --- a/private/system_app.te +++ b/private/system_app.te @@ -72,6 +72,9 @@ allow system_app asec_apk_file:file r_file_perms; # Allow system_app (adb data loader) to write data to /data/incremental allow system_app apk_data_file:file write; +# Allow system app (adb data loader) to read logs +allow system_app incremental_control_file:file r_file_perms; + # Allow system apps (like Settings) to interact with statsd binder_call(system_app, statsd) diff --git a/private/system_server.te b/private/system_server.te index 9eea579db..ef527fd94 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -24,6 +24,13 @@ allow system_server appdomain_tmpfs:file { getattr map read write }; # For Incremental Service to check if incfs is available allow system_server proc_filesystems:file r_file_perms; +# To create files on Incremental File System +allow system_server incremental_control_file:file { ioctl r_file_perms }; +allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE; + +# To get signature of an APK installed on Incremental File System +allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE; + # For art. allow system_server dalvikcache_data_file:dir r_dir_perms; allow system_server dalvikcache_data_file:file r_file_perms; diff --git a/public/ioctl_defines b/public/ioctl_defines index b2a6fbf9a..4eeeb4e37 100644 --- a/public/ioctl_defines +++ b/public/ioctl_defines @@ -1055,6 +1055,8 @@ define(`IMGETDEVINFO', `0x80044944') define(`IMGETVERSION', `0x80044942') define(`IMHOLD_L1', `0x80044948') define(`IMSETDEVNAME', `0x80184947') +define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e') +define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f') define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501') define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502') define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500') diff --git a/public/vold.te b/public/vold.te index 1ddd19e16..fd3ed84a9 100644 --- a/public/vold.te +++ b/public/vold.te @@ -132,6 +132,8 @@ allow vold apk_data_file:dir { mounton rw_dir_perms }; allow vold apk_data_file:file rw_file_perms; # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files allow vold apk_tmp_file:dir { mounton r_dir_perms }; +# Allow to read incremental control file and call selinux restorecon on it +allow vold incremental_control_file:file { r_file_perms relabelto }; allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir create_dir_perms;