Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / ff43be2ca9dcc80711fc14e0bfb847951f677243 / . / microdroid / sepolicy / system / private / apexd.te
blob: b6fff923f77fcf24abe8e126acc314d051f796b2 [file] [log] [blame]
Inseob Kimff43be22021-06-07 16:56:56 +0900[diff] [blame^]1typeattribute apexd coredomain;
2
3init_daemon_domain(apexd)
4
5# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
6allow apexd apex_data_file:dir create_dir_perms;
7allow apexd apex_data_file:file create_file_perms;
8# Allow relabeling file created in /data/apex/decompressed
9allow apexd apex_data_file:file relabelfrom;
10
11# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
12allow apexd metadata_file:dir search;
13allow apexd apex_metadata_file:dir create_dir_perms;
14allow apexd apex_metadata_file:file create_file_perms;
15
16# Allow reserving space on /data/apex/ota_reserved for apex decompression
17allow apexd apex_ota_reserved_file:dir create_dir_perms;
18allow apexd apex_ota_reserved_file:file create_file_perms;
19
20# Allow apexd to create files and directories for snapshots of apex data
21allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
22allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
23allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
24allow apexd apex_art_data_file:file { create_file_perms relabelto };
25allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
26allow apexd apex_permission_data_file:file { create_file_perms relabelto };
27allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
28allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
29allow apexd apex_rollback_data_file:dir create_dir_perms;
30allow apexd apex_rollback_data_file:file create_file_perms;
31allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
32allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
33allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
34allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
35
36# Allow apexd to read directories under /data/misc_de in order to snapshot and
37# restore apex data for all users.
38allow apexd system_data_file:dir r_dir_perms;
39
40# allow apexd to create loop devices with /dev/loop-control
41allow apexd loop_control_device:chr_file rw_file_perms;
42# allow apexd to access loop devices
43allow apexd loop_device:blk_file rw_file_perms;
44allowxperm apexd loop_device:blk_file ioctl {
45 LOOP_GET_STATUS64
46 LOOP_SET_STATUS64
47 LOOP_SET_FD
48 LOOP_SET_BLOCK_SIZE
49 LOOP_SET_DIRECT_IO
50 LOOP_CLR_FD
51 BLKFLSBUF
52 LOOP_CONFIGURE
53};
54# allow apexd to access /dev/block
55allow apexd block_device:dir r_dir_perms;
56
57#allow apexd to access virtual disks
58allow apexd vd_device:blk_file r_file_perms;
59
60# allow apexd to access /dev/block/dm-* (device-mapper entries)
61allow apexd dm_device:chr_file rw_file_perms;
62allow apexd dm_device:blk_file rw_file_perms;
63
64# sys_admin is required to access the device-mapper and mount
65# dac_override, chown, and fowner are needed for snapshot and restore
66allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
67
68# Note: fsetid is deliberately not included above. fsetid checks are
69# triggered by chmod on a directory or file owned by a group other
70# than one of the groups assigned to the current process to see if
71# the setgid bit should be cleared, regardless of whether the setgid
72# bit was even set. We do not appear to truly need this capability
73# for apexd to operate.
74dontaudit apexd self:global_capability_class_set fsetid;
75
76# allow apexd to create a mount point in /apex
77allow apexd apex_mnt_dir:dir create_dir_perms;
78# allow apexd to mount in /apex
79allow apexd apex_mnt_dir:filesystem { mount unmount };
80allow apexd apex_mnt_dir:dir mounton;
81# allow apexd to create symlinks in /apex
82allow apexd apex_mnt_dir:lnk_file create_file_perms;
83# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
84allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
85allow apexd apex_info_file:file relabelto;
86# allow apexd to unlink apex files in /data/apex/active
87# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
88# because it doesn't have write permission for staging_data_file object.
89allow apexd staging_data_file:file unlink;
90
91# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
92allow apexd staging_data_file:dir r_dir_perms;
93allow apexd staging_data_file:file { r_file_perms link };
94# # Allow relabeling file created in /data/apex/decompressed
95allow apexd staging_data_file:file relabelto;
96
97# allow apexd to read files from /vendor/apex
98allow apexd vendor_apex_file:dir r_dir_perms;
99allow apexd vendor_apex_file:file r_file_perms;
100
101# Unmount and mount filesystems
102allow apexd labeledfs:filesystem { mount unmount };
103
104# /sys directory tree traversal
105allow apexd sysfs_type:dir search;
106# Configure read-ahead of dm-verity and loop devices
107# for dm-X
108allow apexd sysfs_dm:dir r_dir_perms;
109allow apexd sysfs_dm:file rw_file_perms;
110# for loopX
111allow apexd sysfs_loop:dir r_dir_perms;
112allow apexd sysfs_loop:file rw_file_perms;
113
114# Allow apexd to log to the kernel.
115allow apexd kmsg_device:chr_file w_file_perms;
116
117# Allow apexd to reboot device. Required for rollbacks of apexes that are
118# not covered by rollback manager.
119set_prop(apexd, powerctl_prop)
120
121# Allow apexd to stop itself
122set_prop(apexd, ctl_apexd_prop)
123
124# Find the vold service, and call into vold to manage FS checkpoints
125allow apexd vold_service:service_manager find;
126binder_call(apexd, vold)
127
128# Apex pre- & post-install permission.
129
130# Allow self-execute for the fork mount helper.
131allow apexd apexd_exec:file execute_no_trans;
132
133# Unshare and make / private so that hooks cannot influence the
134# running system.
135allow apexd rootfs:dir mounton;
136
137# Allow to execute shell for pre- and postinstall scripts. A transition
138# rule is required, thus restricted to execute and not execute_no_trans.
139allow apexd shell_exec:file { r_file_perms execute };
140
141# apexd is using bootstrap bionic
142allow apexd system_bootstrap_lib_file:dir r_dir_perms;
143allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
144
145# Allow transition to test APEX preinstall domain.
146userdebug_or_eng(`
147 domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
148')
149
150# Allow transition to GKI update pre/post install domain
151domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
152
153# Allow apexd to be invoked with logwrapper from init during userspace reboot.
154allow apexd devpts:chr_file { read write };
155
156# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
157# other processes
158create_pty(apexd)
159
160# Allow apexd to read file contexts when performing restorecon of snapshots.
161allow apexd file_contexts_file:file r_file_perms;
162
163# Allow apexd to execute toybox for snapshot & restore
164allow apexd toolbox_exec:file rx_file_perms;
165
166# Allow apexd to read ro.cold_boot_done prop.
167# apexd uses it to decide whether it needs to keep retrying polling for loop device.
168get_prop(apexd, cold_boot_done_prop)
169
170# Allow apexd to read per-device configuration properties.
171get_prop(apexd, apexd_config_prop)
172
173neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
174neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
175neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
176neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
177neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
178
179neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
180neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
181
182neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
183neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
184
185# only apexd can set apexd sysprop
186set_prop(apexd, apexd_prop)
187neverallow { domain -apexd -init } apexd_prop:property_service set;
188
189# only apexd can write apex-info-list.xml
190neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
191
192# Only apexd and init should be allowed to manage /apex mounts
193# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
194# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
195# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
196neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
197neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
198
199# Allow for use in postinstall
200allow apexd otapreopt_chroot:fd use;
201allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
202allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
203allow apexd proc_filesystems:file r_file_perms;