From b238fe666212ce86fe3fe1521e9692a361a53047 Mon Sep 17 00:00:00 2001
From: Fyodor Kupolov
Date: Tue, 14 Mar 2017 11:42:03 -0700
Subject: [PATCH] Split preloads into media_file and data_file

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
---
 private/app_neverallows.te | 3 +++
 private/file_contexts | 2 ++
 private/platform_app.te | 2 ++
 private/priv_app.te | 2 ++
 private/system_server.te | 2 ++
 private/untrusted_app_all.te | 7 ++++---
 public/file.te | 2 ++
 public/installd.te | 2 ++
 public/mediaserver.te | 4 ++--
 9 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 2f8066ab0..15ab764c4 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -97,3 +97,6 @@ neverallow all_untrusted_apps anr_data_file:dir ~search;
 # Avoid reads from generically labeled /proc files
 # Create a more specific label if needed
 neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index 03ab637d2..2f009ac6b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -291,6 +291,8 @@
 /data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
 /data/property(/.*)? u:object_r:property_data_file:s0
 /data/preloads(/.*)? u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
 
 # Misc data
 /data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/platform_app.te b/private/platform_app.te
index 2817e5a47..6b18d8fee 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
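Review bot: The new neverallow in app_neverallows.te constrains only the `file` class of preloads_data_file, so nothing in this hunk forbids a later `allow` of directory reads on /data/preloads to untrusted apps; untrusted_app_all.te in this same commit keeps `preloads_data_file:dir search`, which is the intended traversal right, so the companion rule would be `neverallow all_untrusted_apps preloads_data_file:dir ~search;`, matching the anr_data_file rule shown in the hunk header. Judging from the proc rule two lines above, which lists `no_rw_file_perms` and `no_x_file_perms` separately, the added rule also appears to leave execute permissions outside the neverallow; if that reading is right, `neverallow all_untrusted_apps preloads_data_file:file { no_rw_file_perms no_x_file_perms };` closes it.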
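Review bot: The two added file_contexts entries only take effect for files created after the policy update or after a relabel; files already present under /data/preloads/media and /data/preloads/demo on an upgraded device keep their preloads_data_file label, which the neverallow added in app_neverallows.te then hides from untrusted apps, until something relabels them. Whether a boot-time restorecon of /data covers this is not visible in the patch and should be confirmed alongside the retail-mode test named in the commit message. A one-line comment above the entries, `# app-readable subset of /data/preloads (preloads_media_file in file.te)`, would record why these two subdirectories carry a different label from their parent.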
@@ -56,5 +56,7 @@ allow platform_app vr_manager_service:service_manager find;
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
 allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
 
 read_runtime_log_tags(platform_app)
diff --git a/private/priv_app.te b/private/priv_app.te
index 76dbb98b1..83a4b3f76 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -96,6 +96,8 @@ allow priv_app ringtone_file:file { getattr read write };
 # Access to /data/preloads
 allow priv_app preloads_data_file:file r_file_perms;
 allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
 
 # TODO: revert this as part of fixing 33574909
 # android.process.media uses /dev/mtp_usb
diff --git a/private/system_server.te b/private/system_server.te
index d78c57682..f25e8ce7f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -599,6 +599,8 @@ allow system_server update_engine:fifo_file write;
 # Access to /data/preloads
 allow system_server preloads_data_file:file { r_file_perms unlink };
 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
 allow system_server ion_device:chr_file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 653441271..993b3d0e3 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -88,6 +88,7 @@ allow untrusted_app_all self:process ptrace;
 allow untrusted_app_all sysfs_hwrandom:dir search;
 allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
 
-# Allow apps to view preloaded content
-allow untrusted_app_all preloads_data_file:dir r_dir_perms;
-allow untrusted_app_all preloads_data_file:file r_file_perms;
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
diff --git a/public/file.te b/public/file.te
index 2936d6515..5b99344e0 100644
--- a/public/file.te
+++ b/public/file.te
@@ -132,6 +132,8 @@ type nativetest_data_file, file_type, data_file_type;
 type ringtone_file, file_type, data_file_type, mlstrustedobject;
 # /data/preloads
 type preloads_data_file, file_type, data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
diff --git a/public/installd.te b/public/installd.te
index 5e0ccc437..0a5b8a380 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -132,6 +132,8 @@ allow installd labeledfs:filesystem { quotaget quotamod };
 # TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
 allow installd preloads_data_file:file { r_file_perms unlink };
 allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 ###
 ### Neverallow rules
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6b3f0511e..a641bf743 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
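Review bot: The new `allow untrusted_app_all preloads_data_file:dir search;` is the one right untrusted apps keep on /data/preloads itself, and the rewritten comment above it does not say why it is there; with search but no read an app cannot list the directory, yet it can still learn whether a given name exists directly under /data/preloads from the error it gets back, so the comment should record that the grant exists only for traversal, e.g. `# search on /data/preloads itself is only for traversal to the media and demo subdirectories`. Note that the neverallow added to app_neverallows.te in this commit covers only the `file` class, so this `dir search` grant is policy-allowed but nothing prevents it from widening later. This hunk appears to run to the end of the file, since no trailing context follows the replaced lines.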
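Review bot: The comment added above the new type in file.te, `# /data/preloads/media`, names only one of the two paths that file_contexts maps to preloads_media_file in this same commit; /data/preloads/demo receives the same label. Since file.te is where a reader looks up what a type covers, the comment should read `# /data/preloads/media and /data/preloads/demo: preloads readable by untrusted apps`.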
@@ -124,8 +124,8 @@ allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
 allow mediaserver media_rw_data_file:dir create_dir_perms;
 allow mediaserver media_rw_data_file:file create_file_perms;
 
-# Access to /data/preloads
-allow mediaserver preloads_data_file:file { getattr read ioctl };
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
 
 allow mediaserver ion_device:chr_file r_file_perms;
 allow mediaserver hal_graphics_allocator:fd use;
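Review bot: The replacement rule grants mediaserver `{ getattr read ioctl }` on preloads_media_file but no `search` on either preloads directory type, so mediaserver presumably reaches these files only through descriptors handed to it by clients rather than by path, and the comment `# Access to media in /data/preloads` does not say so. If that is the intent, `# Access to media in /data/preloads (via fds passed from clients; no dir search is granted)` would stop a later maintainer from adding a path-based grant without considering it. The retained `ioctl` permission is not narrowed by allowxperm, unlike the socket ioctls in the hunk header, but that is carried over from the old rule rather than introduced here.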