Merge "Split user_profile_data_file label."
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 49a5a77..6c95364 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -2155,7 +2155,10 @@
(typeattributeset usbd_exec_30_0 (usbd_exec))
(typeattributeset usbfs_30_0 (usbfs))
(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0 (user_profile_data_file))
+(typeattributeset user_profile_data_file_30_0
+ ( user_profile_data_file
+ user_profile_root_file
+))
(typeattributeset user_service_30_0 (user_service))
(typeattributeset userdata_block_device_30_0 (userdata_block_device))
(typeattributeset usermodehelper_30_0 (usermodehelper))
diff --git a/private/file_contexts b/private/file_contexts
index 79b16b1..80e805e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -610,7 +610,8 @@
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
-/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
+/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/private/mls b/private/mls
index 68d0e58..1588a13 100644
--- a/private/mls
+++ b/private/mls
@@ -75,7 +75,7 @@
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_data_file) ) );
+ or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index fd370c2..4c4960c 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -3,7 +3,7 @@
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
-type postinstall_dexopt, domain, coredomain;
+type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -38,7 +38,7 @@
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
-allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
diff --git a/private/system_server.te b/private/system_server.te
index 90061c6..9979fd5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -977,7 +977,7 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server user_profile_data_file:dir { getattr search };
+allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
diff --git a/private/traced_probes.te b/private/traced_probes.te
index c669eba..9da4d94 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -58,7 +58,7 @@
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes user_profile_data_file:dir { getattr open read search };
+allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
@@ -113,6 +113,7 @@
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
+ -user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4197ddd..9bea43c 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -45,7 +45,8 @@
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom relabelto };
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index d3d08bf..577ace8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -61,7 +61,7 @@
allow zygote mnt_expand_file:dir { open read search relabelto };
# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote { user_profile_data_file }:dir { mounton search };
+allow zygote user_profile_root_file:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
diff --git a/public/app.te b/public/app.te
index 40c7e71..6f267c9 100644
--- a/public/app.te
+++ b/public/app.te
@@ -170,6 +170,7 @@
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
+allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index fdd50d1..154b9c9 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -229,7 +229,7 @@
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
- allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 021779c..ff0cba3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -295,6 +295,7 @@
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
+type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/installd.te b/public/installd.te
index 53acaf0..b9c7b3e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -114,15 +114,15 @@
allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
+allow installd user_profile_data_file:dir { create_dir_perms relabelto };
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:file unlink;
+
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_data_file:dir create_dir_perms;
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:dir rmdir;
-allow installd user_profile_data_file:file unlink;
-
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index aaf4520..6f119ee 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -52,6 +52,7 @@
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
+allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
index ad9db14..4b218fb 100644
--- a/public/iorap_prefetcherd.te
+++ b/public/iorap_prefetcherd.te
@@ -39,6 +39,7 @@
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
+allow iorap_prefetcherd user_profile_root_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
diff --git a/public/vold.te b/public/vold.te
index 737d215..6292b3d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -280,7 +280,7 @@
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
-allow vold user_profile_data_file:dir create_dir_perms;
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;