From 9f74a428c4ad085ac8ea26509240dfeccb658b85 Mon Sep 17 00:00:00 2001
From: Igor Murashkin
Date: Thu, 19 Sep 2019 11:04:20 -0700
Subject: [PATCH] sepolicy: Add iorap_prefetcherd rules

/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during startup

See also go/android-iorap-security for the design doc

Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
---
 private/compat/29.0/29.0.ignore.cil | 4 +++
 private/coredomain.te | 2 ++
 private/domain.te | 4 +++
 private/file_contexts | 1 +
 private/iorap_prefecherd.te | 4 +++
 private/iorapd.te | 2 ++
 public/domain.te | 3 ++
 public/iorap_prefetcherd.te | 54 +++++++++++++++++++++++++++++
 8 files changed, 74 insertions(+)
 create mode 100644 private/iorap_prefecherd.te
 create mode 100644 public/iorap_prefetcherd.te

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 133c9b2cc..eb99076c1 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -17,6 +17,10 @@
 hal_can_controller_hwservice
 hal_tv_tuner_hwservice
 init_svc_debug_prop
+ iorap_prefetcherd
+ iorap_prefetcherd_data_file
+ iorap_prefetcherd_exec
+ iorap_prefetcherd_tmpfs
 linker_prop
 mock_ota_prop
 ota_metadata_file
diff --git a/private/coredomain.te b/private/coredomain.te
index af9102803..dac061ad1 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -56,6 +56,7 @@ full_treble_only(`
 -idmap
 -init
 -installd
+ -iorap_prefetcherd
 -postinstall_dexopt
 -rs # spawned by appdomain, so carryover the exception above
 -system_server
@@ -73,6 +74,7 @@ full_treble_only(`
 -idmap
 -init
 -installd
+ -iorap_prefetcherd
 -postinstall_dexopt
 -rs # spawned by appdomain, so carryover the exception above
 -system_server
diff --git a/private/domain.te b/private/domain.te
index 98251d0dc..3fc55a2d8 100644
--- a/private/domain.te
+++ b/private/domain.te
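Review bot: `iorap_prefetcherd_data_file` is added to the compat ignore list, but nothing in this patch declares that type — public/iorap_prefetcherd.te only declares `iorap_prefetcherd`, `iorap_prefetcherd_exec` and `iorap_prefetcherd_tmpfs`, and file_contexts labels no data directory with it. Either the prefetcher's writable data location and its rules were left out of the change, or the entry is stale; drop the line `iorap_prefetcherd_data_file` or add the matching `type iorap_prefetcherd_data_file, file_type, data_file_type, core_data_file_type;` plus its file_contexts entry in the same commit, so the ignore list never names a type that does not exist in the policy. The enclosing ignored-types list starts and ends outside the hunk.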
@@ -136,6 +136,7 @@ neverallow {
 -app_zygote
 -dexoptanalyzer
 -installd
+ -iorap_prefetcherd
 -profman
 -rs # spawned by appdomain, so carryover the exception above
 -runas
@@ -157,6 +158,7 @@ neverallow {
 -appdomain
 -app_zygote
 -installd
+ -iorap_prefetcherd
 -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
@@ -201,6 +203,7 @@ neverallow {
 domain
 -appdomain
 with_asan(`-asan_extract')
+ -iorap_prefetcherd
 -shell
 userdebug_or_eng(`-su')
 -system_server_startup # for memfd backed executable regions
@@ -284,6 +287,7 @@ neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
 # this list should be a superset of the one above.
 neverallow ~{
 dac_override_allowed
+ iorap_prefetcherd
 traced_probes
 userdebug_or_eng(`heapprofd')
 } self:global_capability_class_set dac_read_search;
diff --git a/private/file_contexts b/private/file_contexts
index 3e989e7ce..ac22908f5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -289,6 +289,7 @@
 /system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
 /system/bin/profman(d)? u:object_r:profman_exec:s0
 /system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
 /system/bin/blkid u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
new file mode 100644
index 000000000..9ddb512c9
--- /dev/null
+++ b/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
index 91f4ddccf..ba8ece307 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
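Review bot: The path labeled here is `/system/bin/iorap\.prefetcherd`, while the commit message says iorapd execs `/system/bin/iorap_prefetcherd`; both cannot be right. If the binary is really installed as iorap_prefetcherd this regex never matches, the file falls back to the generic system_file label, and the `domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)` added in private/iorapd.te never fires, so the prefetcher would either be denied or run inside the iorapd domain and the whole new domain, including its socket neverallow, would be dead policy. Please confirm the installed file name against the iorap build rules and fix whichever side is wrong; checking `ls -Z /system/bin/iorap*` for `iorap_prefetcherd_exec` on a device build would catch this.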
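Review bot: The new private file is named `private/iorap_prefecherd.te` (missing the `t`), while the type it configures, the public file and every reference in this patch use `iorap_prefetcherd`. It presumably still builds, since the private directory is picked up as a whole, but it breaks the one-file-per-domain naming that reviewers and tooling rely on to find a domain's private rules, and the misnamed file will outlive this change. Rename it to `private/iorap_prefetcherd.te` before merging and fix the diffstat entry accordingly.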
@@ -2,3 +2,5 @@ typeattribute iorapd coredomain;
 init_daemon_domain(iorapd)
 tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
diff --git a/public/domain.te b/public/domain.te
index 9ebe4e057..1773de5d4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -927,6 +927,7 @@ full_treble_only(`
 -system_lib_file
 -system_linker_exec
 -crash_dump_exec
+ -iorap_prefetcherd_exec
 -netutils_wrapper_exec
 userdebug_or_eng(`-tcpdump_exec')
 }:file { entrypoint execute execute_no_trans };
@@ -969,6 +970,7 @@ full_treble_only(`
 # TODO(b/37168747): clean up fwk access to /vendor
 -crash_dump
 -init # starts vendor executables
+ -iorap_prefetcherd
 -kernel # loads /vendor/firmware
 userdebug_or_eng(`-heapprofd')
 -shell
@@ -1296,6 +1298,7 @@ full_treble_only(`
 -bootanim
 -crash_dump
 -init
+ -iorap_prefetcherd
 -kernel
 -heapprofd
 -ueventd
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
new file mode 100644
index 000000000..ad9db142b
--- /dev/null
+++ b/public/iorap_prefetcherd.te
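Review bot: The `-iorap_prefetcherd_exec` exemption in the @@ -927 hunk of public/domain.te needs a justifying comment, because the neighbouring exemptions (`-system_lib_file`, `-crash_dump_exec`, `-netutils_wrapper_exec`) are system objects that non-core domains are known to execute, whereas the only callers of the prefetcher visible in this patch are init and iorapd, both coredomain. If that assertion is the "non-core domains must not execute core executables" rule (its head is above the hunk, so this is inferred from the exemption list), the exemption means a future vendor allow rule could execute a binary that carries dac_read_search and reads app private data without tripping any neverallow; if it is genuinely needed, say why inline, e.g. `-iorap_prefetcherd_exec # executed by <domain>, b/137403231`, otherwise drop the line. The @@ -969 and @@ -1296 exemptions, by contrast, are consistent with the vendor_overlay_file and same_process_hal_file reads granted in public/iorap_prefetcherd.te.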
@@ -0,0 +1,54 @@
+# volume manager
+type iorap_prefetcherd, domain;
+type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
+type iorap_prefetcherd_tmpfs, file_type;
+
+r_dir_file(iorap_prefetcherd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
+
+# iorap_prefetcherd temporarily changes its priority when running benchmarks
+allow iorap_prefetcherd self:global_capability_class_set sys_nice;
+
+# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
+allow iorap_prefetcherd iorapd:fd use;
+allow iorap_prefetcherd iorapd:fifo_file { read write };
+
+# Allow reading most files under / ignoring usual access controls.
+allow iorap_prefetcherd self:capability dac_read_search;
+
+typeattribute iorap_prefetcherd mlstrustedsubject;
+
+# Grant logcat access
+allow iorap_prefetcherd logcat_exec:file { open read };
+
+# Grant access to open most of the files under /
+allow iorap_prefetcherd apk_data_file:dir { open read search };
+allow iorap_prefetcherd apk_data_file:file { open read };
+allow iorap_prefetcherd app_data_file:dir { open read search };
+allow iorap_prefetcherd app_data_file:file { open read };
+allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
+allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
+allow iorap_prefetcherd packages_list_file:dir { open read search };
+allow iorap_prefetcherd packages_list_file:file { open read };
+allow iorap_prefetcherd privapp_data_file:dir { open read search };
+allow iorap_prefetcherd privapp_data_file:file { open read };
+allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
+allow iorap_prefetcherd same_process_hal_file:file { open read };
+allow iorap_prefetcherd system_data_file:dir { open read search };
+allow iorap_prefetcherd system_data_file:file { open read };
+allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_data_file:dir { open read search };
+allow iorap_prefetcherd user_profile_data_file:file { open read };
+allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
+allow iorap_prefetcherd vendor_overlay_file:file { open read };
+# Note: Do not add any /vendor labels because they can be customized
+# by the vendor and we won't know about them beforehand.
+
+###
+### neverallow rules
+###
+
+neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
+neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
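Review bot: The header comment `# volume manager` is a copy-paste leftover (this is not vold) and the comment above the proc_drop_caches rule names a path that does not exist, `/proc/sys/vm/drop/caches`; replace them with `# iorap prefetcher: forked+exec'd by iorapd, see go/android-iorap-security` and `# Allow read/write /proc/sys/vm/drop_caches`. The bare `typeattribute iorap_prefetcherd mlstrustedsubject;` also deserves a one-line why-comment, since it is a silent widening that a later reader will not connect to the per-user app data reads below it. On the security side, this domain combines dac_read_search, mlstrustedsubject and open/read on app_data_file, privapp_data_file and user_profile_data_file, so it can read every app's private data for every user, and the only containment is the tcp/udp/rawip neverallow at the end plus the fact that its output goes back to iorapd's fifo; the read-only intent should be an assertion rather than an accident, e.g. `neverallow iorap_prefetcherd { app_data_file privapp_data_file user_profile_data_file }:file ~r_file_perms;` and `neverallow iorap_prefetcherd { app_data_file privapp_data_file user_profile_data_file }:dir ~r_dir_perms;`, so a future allow cannot quietly turn the prefetcher into something that writes into app sandboxes. Separately, `iorap_prefetcherd_data_file` is listed in 29.0.ignore.cil but is not declared in this file or anywhere else in the patch; either declare it here or remove it from the ignore list.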