Add sepolicy for /metadata/tradeinmode.

This defines a new type, tradeinmode_metadata_file, which is applied to
/metadata/tradeinmode. This directory contains an indicator, written by
system_server, that a factory reset must be initiated. The indicator is
read by first-stage init.

A neverallow rule is included since we don't want random processes reading or writing to this directory.

Bug: 307713521
Test: adb shell tradeinmode enter
Change-Id: Icc3c815a77bbadc1d4b32b88226e55a5595f5388
diff --git a/private/system_server.te b/private/system_server.te
index 6a13816..f39668e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1504,6 +1504,10 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+# Allow TradeInMode service rw access to /metadata/tradeinmode.
+allow system_server tradeinmode_metadata_file:dir rw_dir_perms;
+allow system_server tradeinmode_metadata_file:file create_file_perms;
+
 allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
 allow system_server userspace_reboot_metadata_file:file create_file_perms;
 
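Review bot: The comment on the added rules says "rw access", but `create_file_perms` and `rw_dir_perms` also let system_server create, rename and unlink entries in the directory. Per the commit message the file there is an indicator that a factory reset must be initiated, so the comment should state the real scope and purpose of the grant. I would write `# Allow the TradeInMode service to create, write and remove the factory-reset indicator in /metadata/tradeinmode.` If the service only ever creates and deletes a single file, it may be worth checking whether a narrower permission set than `create_file_perms` is enough; that cannot be judged from this hunk alone.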
@@ -1679,6 +1683,9 @@
 neverallow { domain -init -system_server } crashrecovery_prop:property_service set;
 neverallow { domain -init -dumpstate -system_server } crashrecovery_prop:file no_rw_file_perms;
 
+# Do not allow anything other than system_server and init to touch /metadata/tradeinmode.
+neverallow { domain -init -system_server } tradeinmode_metadata_file:file no_rw_file_perms;
+
 neverallow {
   domain
   -init
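Review bot: The added neverallow on `tradeinmode_metadata_file:file no_rw_file_perms` restricts only the `file` class, while its comment and the commit message describe protecting the whole /metadata/tradeinmode directory. A later change that grants another domain write access to the directory itself (`add_name`, `remove_name`, `rename` and so on) would not be rejected at build time. Consider a companion rule such as `neverallow { domain -init -system_server } tradeinmode_metadata_file:dir no_w_dir_perms;`, provided no existing domain legitimately needs that access. Otherwise, narrow the comment to say that only files are covered. The `neverallow {` statement after the added lines continues outside the hunk.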