SELinux policy for authfs_service and authfs

authfs_service is a binder service on microdroid. Upon a request by the
client, the service will create the mount directory, execute authfs to
mount the FUSE, and finally unmount and delete the mount directory.

authfs currently requires more privileges than it should, but it's ok
because the client owns the VM, and all input will be verified by
signatures. But there is a plan to keep the privileges isolated in the
service (b/195554831).

Bug: 194717985
Bug: 195554831
Test: Start the service from init, use a test executable to call the
      service API. Only observed denial from the test executable.
Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
new file mode 100644
index 0000000..e8c340b
--- /dev/null
+++ b/microdroid/system/private/authfs.te
@@ -0,0 +1,20 @@
+# authfs is a FUSE-based filesystem to support "remote" file access normally
+# over vsock, backed by a file server backend on Android.
+
+type authfs, domain, coredomain;
+type authfs_exec, exec_type, file_type, system_file_type;
+
+allow authfs self:vsock_socket create_socket_perms_no_ioctl;
+
+# Allow basic rules to implement FUSE.
+# TODO(195554831): Move the privilege to authfs_service
+allow authfs fuse_device:chr_file rw_file_perms;
+
+# Allow mounting authfs.
+# TODO(195554831): Move the privilege to authfs_service.
+allow authfs fuse:filesystem relabelfrom;
+allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
+allow authfs authfs_data_file:dir { mounton search };
+
+# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
+allow authfs authfs_service:fd use;
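Review bot: The `fd use` rule on the last line of the hunk is wider than its TODO describes: it lets authfs use any descriptor it inherits from authfs_service, not only fds 0-2, so once the stdio leak tracked there is fixed the rule should either be removed or its comment should name the descriptors that are passed on purpose. The header comment mentions vsock but the `vsock_socket` rule on line 29 has no comment of its own; `# authfs talks to the file server backend on Android over vsock.` would say why the domain needs it. The relabelfrom on the generic fuse type together with mount/relabelfrom/relabelto on authfs_fuse looks like what a context= mount needs (authfs_fuse is declared contextmount_type elsewhere in this commit); a one-line comment stating that the mount is done with a context option would make the relabel pair less surprising — confirm against the actual mount call.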
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
new file mode 100644
index 0000000..8461f3c
--- /dev/null
+++ b/microdroid/system/private/authfs_service.te
@@ -0,0 +1,31 @@
+# authfs_service is a binder service running on microdroid. It serves the
+# client's request and manages the mount/unmount of individual authfs instances
+# (a FUSE based filesystem). The service then can pass file descriptor on authfs
+# to the client for remote file access.
+
+type authfs_service, domain, coredomain;
+type authfs_service_exec, exec_type, file_type, system_file_type;
+
+# Allow domain transition from init.
+init_daemon_domain(authfs_service)
+
+# Allow running as a binder service.
+binder_call(authfs_service, servicemanager)
+
+# Allow domain transition into authfs.
+domain_auto_trans(authfs_service, authfs_exec, authfs)
+
+# Allow creating/deleting mount directories.
+allow authfs_service authfs_data_file:dir create_dir_perms;
+
+# Allow opening a file from the FUSE mount.
+# Note: authfs_service doesn't really need to read and write the file, but the
+# check seems to happen on open anyway. It also doesn't need getattr, but it is
+# currently called internally by binder to estimate ashmem size.
+allow authfs_service authfs_fuse:dir search;
+# TODO(195752513): Remove getattr once the binder bug is fixed.
+allow authfs_service authfs_fuse:file { getattr open read write };
+
+# Allow killing the authfs process and unmount.
+allow authfs_service authfs:process sigkill;
+allow authfs_service authfs_fuse:filesystem unmount;
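Review bot: The `write` permission granted on authfs_fuse:file (the allow just above the kill/unmount rules) contradicts the comment above it, which says the service does not need to read or write the file: SELinux checks the permission matching the requested open mode, so if authfs_service can open the file read-only before handing the descriptor to the client, the rule can shrink to `allow authfs_service authfs_fuse:file { getattr open read };`. If the client is meant to receive a writable fd, the comment should say that instead of saying write is unneeded, since the open mode is what the service decides. Separately, this domain gets binder_call to servicemanager but the commit adds no service type or service_contexts entry; if authfs_service registers a name with servicemanager, that registration needs an `add` rule somewhere, which is worth confirming outside this change.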
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 1989d7e..cbbd379 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -10,3 +10,5 @@
 allow proc_net proc:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow system_data_file tmpfs:filesystem associate;
+
+type authfs_fuse, fs_type, contextmount_type;
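Review bot: The new `authfs_fuse` type is appended after the associate rules without a comment, while every other new type in this commit carries one; a line such as `# FUSE filesystem instances mounted by authfs; contextmount_type because the mount uses a context= option.` would tie the declaration to the relabelfrom/relabelto rules in authfs.te. The context-mount claim is inferred from the attribute and from the relabel rules rather than visible here, so adjust the wording to match how the mount is actually performed.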
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 97e756d..ffd75a1 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -117,6 +117,8 @@
 /system/bin/microdroid_launcher  u:object_r:microdroid_app_exec:s0
 /system/bin/microdroid_manager   u:object_r:microdroid_manager_exec:s0
 /system/bin/apkdmverity          u:object_r:apkdmverity_exec:s0
+/system/bin/authfs               u:object_r:authfs_exec:s0
+/system/bin/authfs_service       u:object_r:authfs_service_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/task_profiles/cgroups_[0-9]+\.json               u:object_r:cgroup_desc_api_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
@@ -158,6 +160,7 @@
 /data/local/tmp/ltp(/.*)?   u:object_r:nativetest_data_file:s0
 /data/local/traces(/.*)?	u:object_r:trace_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
+/data/misc/authfs(/.*)?         u:object_r:authfs_data_file:s0
 /data/tombstones(/.*)?	u:object_r:tombstone_data_file:s0
 /data/vendor(/.*)?              u:object_r:vendor_data_file:s0
 
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c8be9d9..61cd68d 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -32,6 +32,7 @@
 ro.logd.kernel u:object_r:logd_prop:s0 exact bool
 
 ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
+ro.boottime.authfs_service            u:object_r:boottime_prop:s0 exact int
 ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.cold_boot_wait       u:object_r:boottime_prop:s0 exact int
@@ -60,6 +61,7 @@
 
 sys.usb.controller u:object_r:usb_control_prop:s0 exact string
 
+init.svc.authfs_service            u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 67d5068..c750ccc 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -6,6 +6,7 @@
 type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type apex_info_file, file_type;
 type apex_mnt_dir, file_type;
+type authfs_data_file, file_type, data_file_type, core_data_file_type;
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
 type cgroup_rc_file, file_type;
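Review bot: `authfs_data_file` is declared in public/file.te while its sibling `authfs_fuse` is declared in private/file.te in the same commit; unless policy outside the core (vendor or other non-system policy) needs to name authfs_data_file, it could be declared private as well, which keeps the type out of the public interface and matches the treatment of authfs_fuse. If public placement is deliberate, for example because a neverallow or a type outside system policy refers to it, a one-line comment on the declaration saying so would spare the next reader the question.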