Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 27e0c740f1894e9a390b7105255eb29401d25c35^! / . / private / system_server.te
commit27e0c740f1894e9a390b7105255eb29401d25c35[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Tue Oct 27 17:35:33 2020 +0000
committerAlan Stokes <alanstokes@google.com>Mon Nov 09 11:04:02 2020 +0000
tree63389920c62ebd3ba9d6ea9e33851809b9e5698d
parenta97a3665fba73274796cf96a7f7e965662447065 [diff] [blame]
Introduce app_data_file_type attribute.

This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9

diff --git a/private/system_server.te b/private/system_server.te
index 0d48554..889a11b 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -519,16 +519,7 @@
 allow system_server staging_data_file:file create_file_perms;
 
 # Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
-  system_app_data_file
-  bluetooth_data_file
-  nfc_data_file
-  radio_data_file
-  shell_data_file
-  app_data_file
-  privapp_data_file
-}:dir { getattr read search };
+allow system_server app_data_file_type:dir { getattr read search };
 
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
@@ -541,16 +532,7 @@
 allow system_server system_app_data_file:file create_file_perms;
 
 # Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
-  system_app_data_file
-  bluetooth_data_file
-  nfc_data_file
-  radio_data_file
-  shell_data_file
-  app_data_file
-  privapp_data_file
-}:file { getattr read write append map };
+allow system_server app_data_file_type:file { getattr read write append map };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
@@ -1041,14 +1023,11 @@
 # system server should never be operating on zygote spawned app data
 # files directly. Rather, they should always be passed via a
 # file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
+# Exclude those types that system_server needs to open directly.
 neverallow system_server {
-  bluetooth_data_file
-  nfc_data_file
-  shell_data_file
-  app_data_file
-  privapp_data_file
+  app_data_file_type
+  -system_app_data_file
+  -radio_data_file
 }:file { open create unlink link };
 
 # Forking and execing is inherently dangerous and racy. See, for