Sepolicy: Move otapreopt_chroot to private

Move complete domain to private/. Move referencing parts in domain and kernel to private. Bug: 128840749 Test: m Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
2019-03-18 10:54:42 -07:00 · 2019-03-18 10:54:42 -07:00 · d6fdcefaa8
commit d6fdcefaa8
parent ac9cd71fed
6 changed files with 50 additions and 52 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -280,3 +280,19 @@ neverallow ~{
  dac_override_allowed
  traced_probes
 } self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+    domain
+    -apexd
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -init
+    -kernel
+    -otapreopt_chroot
+    -recovery
+    -update_engine
+    -vold
+    -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
--- a/private/kernel.te
+++ b/private/kernel.te
@ -1,3 +1,8 @@
 typeattribute kernel coredomain;

 domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@ -1,4 +1,32 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;

 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
--- a/public/domain.te
+++ b/public/domain.te
@ -449,22 +449,6 @@ neverallow * *:{ blk_file chr_file } rename;
 # Rather force a relabel to a more specific type.
 neverallow domain device:chr_file { open read write };

-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
-    domain
-    -apexd
-    recovery_only(`userdebug_or_eng(`-fastbootd')')
-    -init
-    -kernel
-    -otapreopt_chroot
-    -recovery
-    -update_engine
-    -vold
-    -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;

--- a/public/kernel.te
+++ b/public/kernel.te
@ -88,12 +88,6 @@ allow kernel apexd:fd use;
 allow kernel apex_data_file:file read;
 allow kernel staging_data_file:file read;

-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;