diff --git a/private/domain.te b/private/domain.te
index 537e61b25..8431957b8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -280,3 +280,19 @@ neverallow ~{ dac_override_allowed traced_probes } self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe36..207800e08 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
 typeattribute kernel coredomain;
 domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faaa0..c2ee607e0 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
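Review bot: The comment above the relocated neverallow does not say why it now lives in private/domain.te rather than public/domain.te, and the private/kernel.te hunk on this line re-adds the otapreopt_chroot fd / postinstall_file rules removed from public/kernel.te with the same silence; presumably both moves are forced by otapreopt_chroot becoming a private type, since rules in public/ can only name public types. One line such as `# Lives in private/ because it names the private otapreopt_chroot type.` above the neverallow would keep the next reader from trying to move it back. Because public/otapreopt_chroot.te previously declared the type, the compatibility mapping for frozen policy versions that still exports it may need a corresponding entry if that is not already handled elsewhere in this change; nothing in this diff shows it. The exemption list and target set are otherwise byte-identical to the block removed from public/domain.te.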
@@ -1,4 +1,32 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/public/domain.te b/public/domain.te
index a91cf40c5..8331d2db8 100644
--- a/public/domain.te
+++ b/public/domain.te
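Review bot: The comment `# Allow otapreopt to use file descriptors from update-engine. It will` / `# close them immediately.` does not match the `allow otapreopt_chroot update_engine:fifo_file write;` rule two lines below it, which grants a write on the inherited pipe rather than only a close, so a reader auditing what this domain can send to update_engine gets no explanation. If the fd is used to report status before it is closed, say so, e.g. `# write on the inherited pipe is needed to report back to update_engine before the fd is closed — confirm against the otapreopt_chroot source`. The `labeledfs:filesystem { mount unmount }` rule is what requires this domain's exemption in the mount neverallow now in private/domain.te (labeledfs being an fs_type), and a short cross-reference in its comment would tie the two files together. The rules themselves are carried over unchanged from public/otapreopt_chroot.te apart from the type declaration gaining coredomain here.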
@@ -449,22 +449,6 @@ neverallow * *:{ blk_file chr_file } rename;
 # Rather force a relabel to a more specific type.
 neverallow domain device:chr_file { open read write };
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
diff --git a/public/kernel.te b/public/kernel.te
index 3ffb5cee2..50e72c2b1 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,12 +88,6 @@ allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
 allow kernel staging_data_file:file read;
-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index a8d5fda0b..000000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;