Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 2679d8e3a3504891fcb9525b9aaf5276061414a1^! / .
commit2679d8e3a3504891fcb9525b9aaf5276061414a1[log] [tgz]
authorSongchun Fan <schfan@google.com>Tue Mar 17 18:30:34 2020 -0700
committerSongchun Fan <schfan@google.com>Thu Mar 19 16:31:52 2020 -0700
tree768e1576b70c72da7a16c7fb3779b67f9f2cf3b8
parent19a5cc2bab59a4eea424ab38a6f1aa67b65860f1 [diff]
[selinux] permissions on new ioctls for filling blocks

(Cherry-picking)

Denial messages:

03-17 20:30:54.274  1445  1445 I PackageInstalle: type=1400 audit(0.0:6): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F313134353234353836342F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:system_server:s0 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1

03-17 20:30:54.274  1445  1445 I PackageInstalle: type=1400 audit(0.0:7): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_1145245864/mount/.index/2b300000000000000000000000000000" dev="incremental-fs" ino=6794 ioctlcmd=0x6720 scontext=u:r:system_server:s0 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1

03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:13): avc: denied { ioctl } for path=2F646174612F696E6372656D656E74616C2F4D545F646174615F696E6372656D656E74616C5F746D705F3537383539353635322F6D6F756E742F2E70656E64696E675F7265616473202864656C6574656429 dev="incremental-fs" ino=2 ioctlcmd=0x6721 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:incremental_control_file:s0 tclass=file permissive=1 app=com.android.vending

03-17 20:49:11.797 16182 16182 I Binder:16182_6: type=1400 audit(0.0:14): avc: denied { ioctl } for path="/data/incremental/MT_data_incremental_tmp_578595652/mount/.index/626173652e61706b0000000000000000" dev="incremental-fs" ino=5810 ioctlcmd=0x6720 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:apk_data_file:s0 tclass=file permissive=1 app=com.android.vending

Test: manual
BUG: 150809360
Merged-In: If43fa9edad0848a59c0712b124adfcdbbd0c99a4
Change-Id: I10e95caba43e1e1c272b59b7191b36b1cff4ff67

diff --git a/private/priv_app.te b/private/priv_app.te
index dd4d5c7..db28bec 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -147,11 +147,15 @@
         connect getattr read recvfrom sendto write getopt setopt };
 
 # allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System
-allowxperm priv_app apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+# the Incremental File System, and fill missing blocks in the apk
+allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
 
 # allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
-allow priv_app incremental_control_file:file { read getattr };
+allow priv_app incremental_control_file:file { read getattr ioctl };
+
+# allow apps like Phonesky to request permission to fill blocks of an apk file
+# on the Incremental File System.
+allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
 
 ###
 ### neverallow rules

diff --git a/private/system_server.te b/private/system_server.te
index 7c24598..70859c0 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -24,12 +24,12 @@
 # For Incremental Service to check if incfs is available
 allow system_server proc_filesystems:file r_file_perms;
 
-# To create files on Incremental File System
+# To create files and get permission to fill blocks on Incremental File System
 allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl INCFS_IOCTL_CREATE_FILE;
+allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
 
-# To get signature of an APK installed on Incremental File System
-allowxperm system_server apk_data_file:file ioctl INCFS_IOCTL_READ_SIGNATURE;
+# To get signature of an APK installed on Incremental File System and fill in data blocks
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;

diff --git a/public/ioctl_defines b/public/ioctl_defines
index 4eeeb4e..4cc3bba 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines

@@ -1057,6 +1057,8 @@
 define(`IMSETDEVNAME', `0x80184947')
 define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
 define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
+define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
+define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
 define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
 define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
 define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')