Allow Zygote and Installd to remount directories in /data/data
Zygote/Installd now can do the following operations in app data directory:
- Mount on it
- Create directories in it
- Mount directory for each app data, and get/set attributes
Bug: 143937733
Test: No denials at boot
Test: No denials seen when creating mounts
Change-Id: I6e852a5f5182f1abcb3136a3b23ccea69c3328db
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index d112da5..02ff6b1 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -35,6 +35,7 @@
mediatranscoding
mediatranscoding_exec
mediatranscoding_tmpfs
+ mirror_data_file
linker_prop
linkerconfig_file
mock_ota_prop
diff --git a/private/domain.te b/private/domain.te
index 2b53563..8a0a8e5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -147,6 +147,7 @@
-runas
-system_server
-viewcompiler
+ -zygote
} { privapp_data_file app_data_file }:dir *;
# Only apps should be modifying app data. installd is exempted for
@@ -328,3 +329,11 @@
-hal_bootctl_server
-fastbootd
} self:global_capability_class_set sys_rawio;
+
+# Limit directory operations that doesn't need to do app data isolation.
+neverallow {
+ domain
+ -init
+ -installd
+ -zygote
+} mirror_data_file:dir *;
diff --git a/private/file_contexts b/private/file_contexts
index c8d9327..80f7f75 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -24,6 +24,7 @@
/lost\+found u:object_r:rootfs:s0
/acct u:object_r:cgroup:s0
/config u:object_r:rootfs:s0
+/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 588156f..5c01eab 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -64,12 +64,16 @@
dontaudit gmscore_app wifi_prop:file r_file_perms;
dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
+
# Attempts to write to system_data_file is generally a sign
# that apps are attempting to access encrypted storage before
# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
# denial to prevent apps from spamming the logs.
dontaudit gmscore_app system_data_file:dir write;
+# suppress denials for scanning /data_mirror
+dontaudit gmscore_app mirror_data_file:dir search;
+
# Access the network
net_domain(gmscore_app)
diff --git a/private/zygote.te b/private/zygote.te
index 5d7ecac..e6c1db9 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -50,6 +50,29 @@
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
+# Bind mount on /data/data and mounted volumes
+allow zygote { system_data_file mnt_expand_file }:dir mounton;
+
+# Create and bind dirs on /data/data
+allow zygote tmpfs:dir { create_dir_perms mounton };
+
+# Create symlink for /data/user/0
+allow zygote tmpfs:lnk_file create;
+
+allow zygote mirror_data_file:dir r_dir_perms;
+
+# Get and set data directories
+allow zygote {
+ system_data_file
+ radio_data_file
+ app_data_file
+ shell_data_file
+ bluetooth_data_file
+ privapp_data_file
+ nfc_data_file
+ mnt_expand_file
+}:dir getattr;
+
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
@@ -177,3 +200,9 @@
bluetooth_prop
exported_bluetooth_prop
}:file create_file_perms;
+
+# Do not allow zygote to access app data except getting attributes and relabeling to.
+neverallow zygote {
+ privapp_data_file
+ app_data_file
+}:dir ~getattr;