system_dlkm: sepolicy: add system_dlkm_file_type
Add new attribute system_dlkm_file_type for
/system_dlkm partition files.
Bug: 218392646
Bug: 200082547
Test: TH
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I193c3f1270f7a1b1259bc241def3fe51d77396f3
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index f1307ad..8964074 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -55,6 +55,7 @@
snapuserd_proxy_socket
supplemental_process_service
sysfs_fs_fuse_bpf
+ system_dlkm_file
tare_service
tv_iapp_service
untrusted_app_30
diff --git a/private/file_contexts b/private/file_contexts
index ba50376..da9215f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -19,7 +19,7 @@
# For kernel modules
/lib(/.*)? u:object_r:rootfs:s0
-/system_dlkm(/.*)? u:object_r:rootfs:s0
+/system_dlkm(/.*)? u:object_r:system_dlkm_file:s0
# Empty directories
/lost\+found u:object_r:rootfs:s0
diff --git a/public/attributes b/public/attributes
index b97bffc..1e6bd6b 100644
--- a/public/attributes
+++ b/public/attributes
@@ -51,6 +51,9 @@
# All types in /system
attribute system_file_type;
+# All types in /system_dlkm
+attribute system_dlkm_file_type;
+
# All types in /vendor
attribute vendor_file_type;
diff --git a/public/domain.te b/public/domain.te
index 50503cd..72b601b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1261,8 +1261,9 @@
# Enforce restrictions on kernel module origin.
# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
+# vendor, boot, and system_dlkm partitions.
+# TODO(b/218951883): Remove usage of system and rootfs as origin
+neverallow * ~{ system_file_type vendor_file_type rootfs system_dlkm_file_type }:system module_load;
# Only allow filesystem caps to be set at build time. Runtime changes
# to filesystem capabilities are not permitted.
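Review bot: The extended neverallow makes system_dlkm_file_type a trusted kernel-module origin, but the policy alone cannot guarantee integrity of that partition; the comment should record the assumption, e.g. `# Module origins are only trustworthy because these partitions are verity-protected (AVB); keep system_dlkm in that set.` Trust in a module origin also depends on nothing else being able to write or relabel files there, so if domain.te carries write/setattr/relabel neverallows for system_file_type and vendor_file_type (not visible in this hunk), system_dlkm_file_type should presumably be added to them in the same change rather than later. The TODO on the preceding line cites a bug for dropping system and rootfs, which is fine, but until then the set is strictly wider than before and that is worth saying explicitly in the comment.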
diff --git a/public/file.te b/public/file.te
index 3545e24..c0b7679 100644
--- a/public/file.te
+++ b/public/file.te
@@ -583,6 +583,9 @@
# kernel modules
type vendor_kernel_modules, vendor_file_type, file_type;
+# system_dlkm
+type system_dlkm_file, system_dlkm_file_type, file_type;
+
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
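Review bot: The `# system_dlkm` comment above the new type says less than the neighbouring `# kernel modules` comment on vendor_kernel_modules, and a reader of file.te has no hint that this label is special to the module_load neverallow in domain.te. Suggest `# Files on the /system_dlkm partition; a permitted kernel-module origin (see the module_load neverallow in domain.te)`. Noting in the same comment that the type deliberately does not carry system_file_type would also pre-empt someone "fixing" it to match system_file.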
diff --git a/public/init.te b/public/init.te
index 54e3082..362c41e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -98,6 +98,7 @@
mnt_user_file
system_data_file
system_data_root_file
+ system_dlkm_file
system_file
vendor_file
postinstall_mnt_dir
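Review bot: This entry uses the concrete type `system_dlkm_file` while every other hunk in init.te and vendor_init.te operates on the attribute `system_dlkm_file_type`; any further type later given that attribute would be excluded from init's broad rules but would not gain whatever this list grants. That mirrors the existing `system_file` / `vendor_file` entries here, so it may be deliberate, but if the permission being granted is meant for the whole partition then `system_dlkm_file_type` would be the more future-proof spelling. The enclosing allow rule starts before this hunk, so the permission set involved is not visible here.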
@@ -201,6 +202,7 @@
-nativetest_data_file
-privapp_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
}:dir { create search getattr open read setattr ioctl };
@@ -217,6 +219,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -237,6 +240,7 @@
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -258,6 +262,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -277,6 +282,7 @@
-privapp_data_file
-shell_data_file
-system_app_data_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_data_file
@@ -286,6 +292,7 @@
allow init {
file_type
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-exec_type
@@ -590,6 +597,7 @@
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
+r_dir_file(init, system_dlkm_file_type)
r_dir_file(init, vendor_file_type)
allow init system_data_file:file { getattr read };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 24d144a..bc6d3b9 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -50,6 +50,7 @@
file_type
-core_data_file_type
-exec_type
+ -system_dlkm_file_type
-system_file_type
-mnt_product_file
-password_slot_metadata_file
@@ -71,6 +72,7 @@
-password_slot_metadata_file
-ota_metadata_file
-runtime_event_log_tags_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -88,6 +90,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -104,6 +107,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-unlabeled
-vendor_file_type
@@ -120,6 +124,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -system_dlkm_file_type
-system_file_type
-vendor_file_type
-vold_metadata_file