SELinux update to support aconfigd_mainline process
Context: Currently, aconfigd which manages aconfig flags on device is a
/system process. To support better updatability, a new aconfig storage
daemon will be created on the config infra mainline module, called
aconfigd_mainline. This new daemon bears the responsibility of managing
mainline aconfig storage files as well as providing a socket service for
server and local flag value override. The system aconfigd will only be
responsible for managing platform aconfig flags after this
transition.
Therefore we are making the following SELinux changes:
1, A new binary called aconfigd_mainline is created under config infra
mainline module, provide the file context definition in the module
file_contexts file.
2, Create a SELinux policy for aconfigd_mainline under private dir. It is a
copy of system aconfigd policy (aconfigd.te). When the transition is
complete, several allow clauses will be removed from aconfigd.te.
3, Clean up persist and boot storage file access never allow rule.
Previously, never allow rules are defined in both domain.te and
system_server.te. Now they are merged in domain.te. In addition,
system_server no longer needs the access, removing it from exception
list.
Bug: 369812588
Test: m and launch avd, verify from logcat log that we can successfully
launch aconfigd_mainline process
Change-Id: Id9497847de2b3ca0b3dfd98e38252ae4a6c48993
Merged-In: Id9497847de2b3ca0b3dfd98e38252ae4a6c48993
(cherry picked from commit 27783693c0fa14d6052d8ff504e8c06758046511)
DISABLE_TOPIC_PROTECTOR
diff --git a/apex/com.android.configinfrastructure-file_contexts b/apex/com.android.configinfrastructure-file_contexts
new file mode 100644
index 0000000..d18fa07
--- /dev/null
+++ b/apex/com.android.configinfrastructure-file_contexts
@@ -0,0 +1 @@
+/bin/aconfigd-mainline u:object_r:aconfigd_mainline_exec:s0
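Review bot: The binary path is spelled with a hyphen, `/bin/aconfigd-mainline`, while the domain, exec type, socket path and socket type introduced elsewhere in this change all use `aconfigd_mainline`. file_contexts entries match by literal path, so this has to be exactly the name the apex installs; if it is not, the exec file would not get aconfigd_mainline_exec and the init_daemon_domain transition would presumably never fire. If the hyphenated name is the real one, a short comment beside the entry noting the intentional spelling difference would save the next reader the check.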
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..c499dfc 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -189,6 +189,8 @@
/dev/socket/does_not_exist socket_device
/dev/socket/adbd adbd_socket
/dev/socket/aconfigd aconfigd_socket
+/dev/socket/aconfigd_mainline aconfigd_mainline_socket
+/dev/socket/aconfigd_system aconfigd_socket
/dev/socket/dnsproxyd dnsproxyd_socket
/dev/socket/dumpstate dumpstate_socket
/dev/socket/fwmarkd fwmarkd_socket
diff --git a/private/aconfigd.te b/private/aconfigd.te
index 97e7493..01f53cd 100644
--- a/private/aconfigd.te
+++ b/private/aconfigd.te
@@ -25,12 +25,6 @@
allow aconfigd aconfigd_socket:unix_stream_socket { accept listen getattr read write };
allow aconfigd aconfigd_socket:sock_file rw_file_perms;
-# allow aconfigd to access shell_data_file for atest
-userdebug_or_eng(`
- allow aconfigd shell_data_file:dir search;
- allow aconfigd shell_data_file:file { getattr read open map };
-')
-
# allow aconfigd to log to the kernel.
allow aconfigd kmsg_device:chr_file w_file_perms;
@@ -41,3 +35,35 @@
# allow aconfigd to read /apex dir
allow aconfigd apex_mnt_dir:dir r_dir_perms;
allow aconfigd apex_mnt_dir:file r_file_perms;
+
+# Do not allow write access to boot/map storage files except, aconfigd and aconfigd_mainline.
+# These files are meant to serve flag reads for all processes. They are created by aconfigd (for
+# platform storage files) and aconfigd_mainline (mainline storage files) processes.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_metadata_file:file no_w_file_perms;
+
+# Only aconfigd and aconfigd_mainline can access persist storage files
+# These files are meant to serve as persist flag value storage, only aconfigd and
+# aconfigd_mainline process should manage them. Other processes should have zero access.
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -aconfigd
+ -aconfigd_mainline
+} aconfig_storage_flags_metadata_file:file no_rw_file_perms;
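Review bot: These domain-wide neverallow assertions are added to aconfigd.te, but the commit description says they are merged into domain.te, which is where the removed `-system_server` variants lived; either the description or the placement should be brought into line, and domain.te is the conventional home for a `{ domain ... }` assertion that is not specific to one domain. The first comment also omits init, which both rules exempt: `# Do not allow write access to boot/map storage files except init, aconfigd and aconfigd_mainline.` The persist-file rule now leaves `aconfig_storage_flags_metadata_file:dir *` to init and the two daemons only, which is consistent with the system_server allow rules removed further down in this change.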
diff --git a/private/aconfigd_mainline.te b/private/aconfigd_mainline.te
new file mode 100644
index 0000000..cd98d4b
--- /dev/null
+++ b/private/aconfigd_mainline.te
@@ -0,0 +1,38 @@
+# aconfigd_mainline -- manager for mainline aconfig flags
+type aconfigd_mainline, domain, coredomain, mlstrustedsubject;
+type aconfigd_mainline_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(aconfigd_mainline)
+
+# allow aconfigd_mainline to search /metadata dir as it needs to access files under
+# /metadata/aconfig dir
+allow aconfigd_mainline metadata_file:dir search;
+
+# aconfigd_mainline should be able to create storage files under /metadata/aconfig dir
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:dir create_dir_perms;
+
+allow aconfigd_mainline {
+ aconfig_storage_metadata_file
+ aconfig_storage_flags_metadata_file
+}:file create_file_perms;
+
+# allow aconfigd_mainline to log to the kernel.
+allow aconfigd_mainline kmsg_device:chr_file write;
+
+# allow aconfigd_mainline to read /apex dir, aconfigd_mainline need to loop thru all
+# dirs under /apex to find all currently mounted mainline modules and get their
+# storage files
+allow aconfigd_mainline apex_mnt_dir:dir r_dir_perms;
+allow aconfigd_mainline apex_mnt_dir:file r_file_perms;
+dontaudit aconfigd_mainline apex_info_file:file r_file_perms;
+
+###
+### Neverallow assertions
+###
+
+# only init is allowed to enter the aconfigd_mainline domain
+neverallow { domain -init } aconfigd_mainline:process transition;
+neverallow * aconfigd_mainline:process dyntransition;
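Review bot: The new domain has no rule allowing it to serve the socket that /dev/socket/aconfigd_mainline is labelled with: there is no `allow aconfigd_mainline aconfigd_mainline_socket:unix_stream_socket { accept listen getattr read write };` and no `allow aconfigd_mainline aconfigd_mainline_socket:sock_file rw_file_perms;`, whereas aconfigd.te keeps the equivalent pair for aconfigd_socket. gmscore_app.te in this same change is granted connectto on aconfigd_mainline, so unless the server-side rules arrive in a follow-up the connection would presumably be denied in enforcing mode. The description calls this file a copy of aconfigd.te; if the omission is deliberate because the socket service is not yet enabled, a comment at the top saying so would avoid the question.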
diff --git a/private/domain.te b/private/domain.te
index e7ab199..526e1ed 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2159,7 +2159,6 @@
-artd
-dumpstate
-installd
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
@@ -2207,7 +2206,6 @@
-installd
-simpleperf_app_runner
-system_server # why?
- userdebug_or_eng(`-aconfigd')
userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
@@ -2238,10 +2236,6 @@
# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
-# Do not allow write access to aconfig flag value files except init and aconfigd
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:dir no_w_dir_perms;
-neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_file:file no_w_file_perms;
-
neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton;
neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton;
diff --git a/private/file.te b/private/file.te
index d30465b..6e26715 100644
--- a/private/file.te
+++ b/private/file.te
@@ -154,6 +154,9 @@
# Type for aconfig daemon socket
type aconfigd_socket, file_type, coredomain_socket;
+# Type for aconfig mainline daemon socket
+type aconfigd_mainline_socket, file_type, coredomain_socket, mlstrustedobject;
+
# Type for /(system|system_ext|product)/etc/aconfig
type system_aconfig_storage_file, system_file_type, file_type;
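Review bot: aconfigd_mainline_socket carries mlstrustedobject while the sibling aconfigd_socket declared two lines above does not, and the change does not say why. If the attribute is needed (presumably so that app domains running at non-zero MLS categories, such as gmscore_app, can write the sock_file), a one-line comment stating that would justify the wider MLS exposure: `# mlstrustedobject: app domains at non-zero categories must be able to connect`. If it is not needed, dropping it keeps the two socket types consistent.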
diff --git a/private/file_contexts b/private/file_contexts
index 76f412a..91401b5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -156,6 +156,8 @@
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
/dev/socket/aconfigd u:object_r:aconfigd_socket:s0
+/dev/socket/aconfigd_mainline u:object_r:aconfigd_mainline_socket:s0
+/dev/socket/aconfigd_system u:object_r:aconfigd_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index f938ad5..c6a441e 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -137,8 +137,10 @@
allow gmscore_app shell_data_file:dir r_dir_perms;
# allow gms core app write to aconfigd socket
-allow gmscore_app aconfigd_socket:sock_file {read write};
-allow gmscore_app aconfigd:unix_stream_socket connectto;
+unix_socket_connect(gmscore_app, aconfigd, aconfigd);
+
+# allow gms core app write to aconfigd_mainline socket
+unix_socket_connect(gmscore_app, aconfigd_mainline, aconfigd_mainline);
# b/18504118: Allow reads from /data/anr/traces.txt
allow gmscore_app anr_data_file:file r_file_perms;
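Review bot: `unix_socket_connect(gmscore_app, aconfigd, aconfigd)` expands, as far as I recall the global te_macros, to `sock_file write` plus `unix_stream_socket connectto`, so the `read` permission the removed line granted on aconfigd_socket:sock_file is dropped; connect() only needs write, so this is a tightening, but it is a behaviour change the description does not mention and is worth a sentence there. system_server keeps its explicit connectto to aconfigd in system_server.te and gets no rule for aconfigd_mainline in this change; if the mainline daemon's override socket is meant to be reachable from system_server as well, that would presumably need a follow-up.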
diff --git a/private/system_server.te b/private/system_server.te
index 46b0109..a9c5759 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1500,10 +1500,6 @@
allow system_server watchdog_metadata_file:dir rw_dir_perms;
allow system_server watchdog_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_flags_metadata_file:dir rw_dir_perms;
-allow system_server aconfig_storage_flags_metadata_file:file create_file_perms;
-allow system_server aconfig_storage_metadata_file:dir search;
-
allow system_server aconfigd_socket:sock_file {read write};
allow system_server aconfigd:unix_stream_socket connectto;
@@ -1566,10 +1562,6 @@
neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-# Only system server should access /metadata/aconfig
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:dir *;
-neverallow { domain -init -system_server -aconfigd } aconfig_storage_flags_metadata_file:file no_rw_file_perms;
-
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }