Allow Zygote and Installd to remount directories in /data/data

Zygote and installd can now perform the following operations on app data directories:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes

Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index d112da5..02ff6b1 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -35,6 +35,7 @@
     mediatranscoding
     mediatranscoding_exec
     mediatranscoding_tmpfs
+    mirror_data_file
     linker_prop
     linkerconfig_file
     mock_ota_prop
diff --git a/private/domain.te b/private/domain.te
index 2b53563..8a0a8e5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -147,6 +147,7 @@
   -runas
   -system_server
   -viewcompiler
+  -zygote
 } { privapp_data_file app_data_file }:dir *;
 
 # Only apps should be modifying app data. installd is exempted for
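Review bot: The added `-zygote` exemption lets zygote out of a neverallow that forbids every dir permission on app data, and nothing in this hunk records why; the comment just below still names installd as the only exempted system domain. The exemption stays narrow only because zygote.te in the same change adds `neverallow zygote { privapp_data_file app_data_file }:dir ~getattr;`, which a reader of domain.te has to know about. Consider adding `# zygote is exempted only so it can getattr app data directories; the stricter neverallow in zygote.te bounds it.` beside the new line, or extending the installd comment below to mention zygote. The enclosing neverallow statement begins before this hunk.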
@@ -328,3 +329,11 @@
   -hal_bootctl_server
   -fastbootd
 } self:global_capability_class_set sys_rawio;
+
+# Limit directory operations that doesn't need to do app data isolation.
+neverallow {
+  domain
+  -init
+  -installd
+  -zygote
+} mirror_data_file:dir *;
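Review bot: The comment on the new neverallow, `# Limit directory operations that doesn't need to do app data isolation.`, is ungrammatical and does not say what is being limited; suggest `# Only the domains that set up app data isolation may operate on /data_mirror directories.`. The rule also exempts init, installd and zygote from all dir permissions, while init.te in this change only adds `mounton` for init; if that is all init needs at /data_mirror the exemption could be narrowed to that permission, though I cannot confirm from this diff what else init does there. Note that this neverallow covers only the dir class, so whatever ends up labeled mirror_data_file as a file or symlink is not covered.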
diff --git a/private/file_contexts b/private/file_contexts
index c8d9327..80f7f75 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,6 +24,7 @@
 /lost\+found        u:object_r:rootfs:s0
 /acct               u:object_r:cgroup:s0
 /config             u:object_r:rootfs:s0
+/data_mirror        u:object_r:mirror_data_file:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /postinstall        u:object_r:postinstall_mnt_dir:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 588156f..5c01eab 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -64,12 +64,16 @@
 dontaudit gmscore_app wifi_prop:file r_file_perms;
 dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
 
+
 # Attempts to write to system_data_file is generally a sign
 # that apps are attempting to access encrypted storage before
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
 # denial to prevent apps from spamming the logs.
 dontaudit gmscore_app system_data_file:dir write;
 
+# suppress denials for scanning /data_mirror
+dontaudit gmscore_app mirror_data_file:dir search;
+
 # Access the network
 net_domain(gmscore_app)
 
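Review bot: The first added line of this hunk is a bare blank line that leaves two consecutive empty lines above the system_data_file comment; it looks accidental and should be dropped. The new `dontaudit gmscore_app mirror_data_file:dir search;` suppresses only search denials; if the scan of /data_mirror also triggers getattr or read on the directory, those will still be logged, which I cannot tell from this diff. The comment could say what is being suppressed and why, e.g. `# gmscore scans /data_mirror; suppress the search denial rather than grant access.`.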
diff --git a/private/zygote.te b/private/zygote.te
index 5d7ecac..e6c1db9 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -50,6 +50,29 @@
 # is ensured by fsverity protection (checked in art_apex_boot_integrity).
 allow zygote dalvikcache_data_file:file execute;
 
+# Bind mount on /data/data and mounted volumes
+allow zygote { system_data_file mnt_expand_file }:dir mounton;
+
+# Create and bind dirs on /data/data
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Create symlink for /data/user/0
+allow zygote tmpfs:lnk_file create;
+
+allow zygote mirror_data_file:dir r_dir_perms;
+
+# Get and set data directories
+allow zygote {
+  system_data_file
+  radio_data_file
+  app_data_file
+  shell_data_file
+  bluetooth_data_file
+  privapp_data_file
+  nfc_data_file
+  mnt_expand_file
+}:dir getattr;
+
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
 allow zygote zygote_tmpfs:file execute;
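Review bot: `allow zygote tmpfs:dir { create_dir_perms mounton };` grants create, write and remove on every directory labeled tmpfs, not only the one zygote sets up for /data/data; file_contexts in this same change labels /mnt and /debug_ramdisk as tmpfs, so the rule is wider than its comment `# Create and bind dirs on /data/data` states. Likewise `system_data_file:dir mounton` applies to any system_data_file directory, not just /data/data. The file already uses a dedicated zygote_tmpfs type for zygote's files (`allow zygote zygote_tmpfs:file execute;`); if the directory zygote creates can be given such a type the rule could be confined, though I cannot tell from this diff whether the mount setup allows a relabel. At minimum the comment should record the real scope, e.g. `# tmpfs is a shared label: this also permits directory creation on other tmpfs mounts.`.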
@@ -177,3 +200,9 @@
   bluetooth_prop
   exported_bluetooth_prop
 }:file create_file_perms;
+
+# Do not allow zygote to access app data except getting attributes and relabeling to.
+neverallow zygote {
+  privapp_data_file
+  app_data_file
+}:dir ~getattr;
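Review bot: The comment `# Do not allow zygote to access app data except getting attributes and relabeling to.` does not match the rule below it: `~getattr` also forbids relabelto, and the allow block added earlier in this file grants zygote only `getattr` on these types. Either drop "and relabeling to" from the comment, or, if a relabel is genuinely performed, change the rule to `}:dir ~{ getattr relabelto };` together with a matching allow. As written the rule is the stricter of the two, so correcting the comment is the safer resolution unless a relabel is actually needed.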
diff --git a/public/file.te b/public/file.te
index 4d14df7..5a5bd8c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -330,6 +330,9 @@
 # /postinstall/apex: Mount point used for APEX images within /postinstall.
 type postinstall_apex_mnt_dir, file_type;
 
+# /data_mirror: Contains mirror directory for storing all apps data.
+type mirror_data_file, file_type, core_data_file_type;
+
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type, core_data_file_type;
 type apex_module_data_file, file_type, data_file_type, core_data_file_type;
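Review bot: `type mirror_data_file, file_type, core_data_file_type;` omits the data_file_type attribute that every neighbouring /data type carries, and the comment does not say whether that is intentional; since /data_mirror is outside /data it may well be, but a reader will assume an oversight. The comment `# /data_mirror: Contains mirror directory for storing all apps data.` also describes the directory as storing data, whereas installd.te in this change creates per-app directories there and bind mounts the real app data directory onto each. Suggest `# /data_mirror: per-app mount points for app data isolation; installd creates them and bind mounts the real app data directory onto each. Deliberately not data_file_type.` with the last sentence kept only if the omission is intended.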
diff --git a/public/init.te b/public/init.te
index 014fb60..56ed703 100644
--- a/public/init.te
+++ b/public/init.te
@@ -94,6 +94,7 @@
     system_file
     vendor_file
     postinstall_mnt_dir
+    mirror_data_file
 }:dir mounton;
 allow init cgroup_bpf:dir { create mounton };
 
diff --git a/public/installd.te b/public/installd.te
index 40b151e..1888765 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -70,6 +70,9 @@
 allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
 allow installd sdcard_type:file { getattr unlink };
 
+# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
+allow installd mirror_data_file:dir { create_dir_perms mounton };
+
 # Upgrade /data/misc/keychain for multi-user if necessary.
 allow installd misc_user_data_file:dir create_dir_perms;
 allow installd misc_user_data_file:file create_file_perms;
@@ -105,6 +108,7 @@
 # upon creation via setfilecon or running restorecon_recursive,
 # setting owner/mode, creating symlinks within them, and deleting them
 # upon package uninstall.
+
 # Types extracted from seapp_contexts type= fields.
 allow installd {
     system_app_data_file
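Review bot: The blank line added between `# upon package uninstall.` and `# Types extracted from seapp_contexts type= fields.` splits one comment paragraph in two, so the last sentence no longer reads as part of the description of the allow rule that follows; like the extra blank line added in gmscore_app.te it looks accidental and should be dropped. The allow statement that follows continues past this hunk.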
@@ -126,6 +130,9 @@
     privapp_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
+# Allow zygote to unmount mirror directories
+allow installd labeledfs:filesystem unmount;
+
 # Similar for the files under /data/misc/profiles/
 allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;
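Review bot: The comment `# Allow zygote to unmount mirror directories` sits on a rule granted to installd, not zygote: `allow installd labeledfs:filesystem unmount;`. Suggest `# Allow installd to unmount the bind mounts it creates under /data_mirror`. Note also that `labeledfs:filesystem unmount` cannot be scoped to a mount point, so this permits installd to unmount any labeled filesystem; that is worth recording next to the rule, e.g. `# unmount is not mount-point specific; installd can unmount any labeledfs mount.`.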