Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain and kernel to private. Bug: 128840749 Test: m Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
This commit is contained in:
parent
ac9cd71fed
commit
d6fdcefaa8
@ -280,3 +280,19 @@ neverallow ~{
|
||||
dac_override_allowed
|
||||
traced_probes
|
||||
} self:global_capability_class_set dac_read_search;
|
||||
|
||||
# Limit what domains can mount filesystems or change their mount flags.
|
||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
||||
# this capability, including device-specific domains.
|
||||
neverallow {
|
||||
domain
|
||||
-apexd
|
||||
recovery_only(`userdebug_or_eng(`-fastbootd')')
|
||||
-init
|
||||
-kernel
|
||||
-otapreopt_chroot
|
||||
-recovery
|
||||
-update_engine
|
||||
-vold
|
||||
-zygote
|
||||
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||
|
@ -1,3 +1,8 @@
|
||||
typeattribute kernel coredomain;
|
||||
|
||||
domain_auto_trans(kernel, init_exec, init)
|
||||
|
||||
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
|
||||
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
|
||||
allow kernel otapreopt_chroot:fd use;
|
||||
allow kernel postinstall_file:file read;
|
||||
|
@ -1,4 +1,32 @@
|
||||
typeattribute otapreopt_chroot coredomain;
|
||||
# otapreopt_chroot executable
|
||||
type otapreopt_chroot, domain, coredomain;
|
||||
type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Chroot preparation and execution.
|
||||
# We need to create an unshared mount namespace, and then mount /data.
|
||||
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
||||
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
|
||||
|
||||
# This is required to mount /vendor and mount/unmount ext4 images from
|
||||
# APEX packages in /postinstall/apex.
|
||||
allow otapreopt_chroot block_device:dir search;
|
||||
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
|
||||
# Mounting /vendor can have this side-effect. Ignore denial.
|
||||
dontaudit otapreopt_chroot kernel:process setsched;
|
||||
|
||||
# Allow otapreopt_chroot to read SELinux policy files.
|
||||
allow otapreopt_chroot file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
|
||||
allow otapreopt_chroot postinstall_file:dir r_dir_perms;
|
||||
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
|
||||
get_prop(otapreopt_chroot, apexd_prop)
|
||||
|
||||
# Allow otapreopt to use file descriptors from update-engine. It will
|
||||
# close them immediately.
|
||||
allow otapreopt_chroot postinstall:fd use;
|
||||
allow otapreopt_chroot update_engine:fd use;
|
||||
allow otapreopt_chroot update_engine:fifo_file write;
|
||||
|
||||
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
|
||||
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
|
||||
|
@ -449,22 +449,6 @@ neverallow * *:{ blk_file chr_file } rename;
|
||||
# Rather force a relabel to a more specific type.
|
||||
neverallow domain device:chr_file { open read write };
|
||||
|
||||
# Limit what domains can mount filesystems or change their mount flags.
|
||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
||||
# this capability, including device-specific domains.
|
||||
neverallow {
|
||||
domain
|
||||
-apexd
|
||||
recovery_only(`userdebug_or_eng(`-fastbootd')')
|
||||
-init
|
||||
-kernel
|
||||
-otapreopt_chroot
|
||||
-recovery
|
||||
-update_engine
|
||||
-vold
|
||||
-zygote
|
||||
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
|
||||
|
||||
# Files from cache should never be executed
|
||||
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
|
||||
|
||||
|
@ -88,12 +88,6 @@ allow kernel apexd:fd use;
|
||||
allow kernel apex_data_file:file read;
|
||||
allow kernel staging_data_file:file read;
|
||||
|
||||
# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
|
||||
# files under /postinstall, as it uses apexd logic to mount APEX packages in
|
||||
# /postinstall/apex.
|
||||
allow kernel otapreopt_chroot:fd use;
|
||||
allow kernel postinstall_file:file read;
|
||||
|
||||
# Allow the first-stage init (which is running in the kernel domain) to execute the
|
||||
# dynamic linker when it re-executes /init to switch into the second stage.
|
||||
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
|
||||
|
@ -1,29 +0,0 @@
|
||||
# otapreopt_chroot executable
|
||||
type otapreopt_chroot, domain;
|
||||
type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# Chroot preparation and execution.
|
||||
# We need to create an unshared mount namespace, and then mount /data.
|
||||
allow otapreopt_chroot postinstall_file:dir { search mounton };
|
||||
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
|
||||
|
||||
# This is required to mount /vendor and mount/unmount ext4 images from
|
||||
# APEX packages in /postinstall/apex.
|
||||
allow otapreopt_chroot block_device:dir search;
|
||||
allow otapreopt_chroot labeledfs:filesystem { mount unmount };
|
||||
# Mounting /vendor can have this side-effect. Ignore denial.
|
||||
dontaudit otapreopt_chroot kernel:process setsched;
|
||||
|
||||
# Allow otapreopt_chroot to read SELinux policy files.
|
||||
allow otapreopt_chroot file_contexts_file:file r_file_perms;
|
||||
|
||||
# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
|
||||
allow otapreopt_chroot postinstall_file:dir r_dir_perms;
|
||||
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
|
||||
get_prop(otapreopt_chroot, apexd_prop)
|
||||
|
||||
# Allow otapreopt to use file descriptors from update-engine. It will
|
||||
# close them immediately.
|
||||
allow otapreopt_chroot postinstall:fd use;
|
||||
allow otapreopt_chroot update_engine:fd use;
|
||||
allow otapreopt_chroot update_engine:fifo_file write;
|
Loading…
Reference in New Issue
Block a user