Add rules for calling ReadDefaultFstab()

Grant ReadDefaultFstab() callers
  allow scontext { metadata_file gsi_metadata_file_type }:dir search;
  allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.

Also tighten the neverallow rules in gsid.te.

Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
diff --git a/private/gsid.te b/private/gsid.te
index fb40528..e6a395a 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -166,8 +166,6 @@
     -init
     -gsid
     -fastbootd
-    -recovery
-    -vold
 } gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
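Review bot: The exemption list in this hunk drops `-recovery` as well as `-vold`, but the description accounts only for vold ("Also tighten the neverallow rules in gsid.te" names no domain), so a reviewer cannot tell whether recovery losing its exemption from the gsi_metadata_file_type:dir write neverallow is intended or a side effect. A sentence in the description such as "recovery has no remaining write access to gsi_metadata_file_type directories" would settle that. The `-vold` removal recurs in the next two hunks of this file and lines up with vold.te replacing vold's direct allow rules with `read_fstab(vold)`, so those need no separate justification. The enclosing neverallow block begins before this hunk.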
@@ -175,7 +173,6 @@
     -init
     -gsid
     -fastbootd
-    -vold
 } { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
 
 neverallow {
@@ -183,7 +180,6 @@
     -init
     -gsid
     -fastbootd
-    -vold
 } gsi_public_metadata_file:file_class_set ~{ r_file_perms };
 
 # Prevent apps from accessing gsi_metadata_file_type.
@@ -193,15 +189,7 @@
     domain
     -init
     -gsid
-} gsi_data_file:dir *;
-
-neverallow {
-    domain
-    -init
-    -gsid
-    -fastbootd
-    -vold
-} gsi_data_file:file_class_set *;
+} gsi_data_file:dir_file_class_set *;
 
 neverallow {
     domain
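Review bot: Folding the two rules into `} gsi_data_file:dir_file_class_set *;` also removes `-fastbootd` and `-vold` from the file-class exemptions, because the merged list keeps only the dir rule's `-init` and `-gsid`. That makes the rule stricter than before for fastbootd's access to gsi_data_file files, which neither the description nor a comment mentions; if it is intended (the stated build pass suggests no allow rule conflicts), say so in the description or in a one-line comment above the rule, e.g. `# Only init and gsid may touch gsi_data_file; fastbootd and vold no longer need it.` The neverallow header sits above this hunk and the following block runs past it.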
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index a264be7..9f5f87e 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -16,12 +16,7 @@
 # Allow lpdumpd to read fstab.
 allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
 allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-
-# Triggered when lpdumpd tries to read default fstab.
-dontaudit lpdumpd metadata_file:dir r_dir_perms;
-dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
+read_fstab(lpdumpd)
 
 ### Neverallow rules
 
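Review bot: `read_fstab(lpdumpd)` is added without the `# Allow ReadDefaultFstab().` comment that the other call sites in this change (uncrypt.te, update_engine.te, vendor_misc_writer.te, vold.te) place above the macro; `read_fstab(hal_bootctl_default)` in hal_bootctl_default.te has the same omission. Adding the one-line comment keeps the call sites consistent. Separately, the removed dontaudit lines silenced r_dir_perms/r_file_perms on all gsi_metadata_file_type dirs and files, whereas the description says the macro grants only dir search plus read of gsi_public_metadata_file, so any wider access ReadDefaultFstab() attempts in lpdumpd will now be audited instead of suppressed; the DSU boot denial check listed in the description is the right place to confirm none appear.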
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 79f3b4c..0f549c9 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -38,6 +38,5 @@
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
 
-# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file_type:dir search;
-dontaudit uncrypt metadata_file:dir search;
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/public/update_engine.te b/public/update_engine.te
index 962ca99..ab7090b 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -64,12 +64,11 @@
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
 
+# Allow ReadDefaultFstab().
 # update_engine tries to determine the parent path for all devices (e.g.
 # /dev/block/by-name) by reading the default fstab and looking for the misc
-# device. ReadDefaultFstab() checks whether a GSI is running by checking
-# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
-# the access.
-dontaudit update_engine gsi_metadata_file_type:dir search;
+# device.
+read_fstab(update_engine)
 
 # Allow to write to snapshotctl_log logs.
 # TODO(b/148818798) revert when parent bug is fixed.
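Review bot: The removed comment documented a deliberate denial ("We never apply OTAs when GSI is running, so just deny the access"), and the replacement comment does not say why that reasoning no longer holds. Since the description states that the DSU metadata files are required to deduce the correct fstab, I would carry that into the file: after `# device.` add `# ReadDefaultFstab() needs the DSU metadata files to deduce the correct fstab.` so the next reader does not reintroduce the dontaudit.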
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7025652..3bc3a9f 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,8 +8,9 @@
 
 # Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
 # load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
 dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer metadata_file:dir search;
 dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
 dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/public/vold.te b/public/vold.te
index d1731cc..5a14c44 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -293,9 +293,8 @@
 
 dontaudit vold self:global_capability_class_set sys_resource;
 
-# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file_type:dir r_dir_perms;
-allow vold gsi_metadata_file_type:file r_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(vold)
 
 # vold might need to search loopback apex files
 allow vold vendor_apex_file:file r_file_perms;
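Review bot: `read_fstab(vold)` replaces `r_dir_perms` and `r_file_perms` on every gsi_metadata_file_type with, according to the description, dir search plus read of gsi_public_metadata_file only, so this hunk narrows vold's access rather than merely refactoring it. The definition of `read_fstab` is not part of this diff, so that claim cannot be checked from here; please confirm that vold reads nothing in /metadata/gsi beyond the public metadata file, which the tightened neverallow rules in gsid.te now enforce at build time. The removed comment "vold needs to know whether we're running a GSI" carried the why; I would keep it as `# Allow ReadDefaultFstab(); vold needs to know whether a GSI is running.`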
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ac30370..2b94313 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -9,10 +9,7 @@
 allow hal_bootctl_default proc_cmdline:file r_file_perms;
 allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
 allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-
-# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
-# a GSI-corrected fstab.
-dontaudit hal_bootctl_default metadata_file:dir search;
+read_fstab(hal_bootctl_default)
 
 # Needed for reading/writing misc partition.
 allow hal_bootctl_default block_device:dir search;