Merge "sepolicy for server configurable flags"
diff --git a/public/domain.te b/public/domain.te
index 89f1635..0a838a3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -474,7 +474,18 @@
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
# this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow {
+ domain
+ -apexd
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
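Review bot: The new exemption on L14 lets fastbootd out of the whole `{ mount remount relabelfrom relabelto }` set on every `fs_type` except sdcard, while the fastbootd.te hunk in this same commit only grants `labeledfs:filesystem { mount unmount }`; unless a relabel grant is planned, keeping the relabel half of this neverallow fastbootd-free would leave the safety net as tight as the actual grant, e.g. a second statement `neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { relabelfrom relabelto };` without the fastbootd carve-out. The comment above (L7-L9) still describes the old list and says nothing about the new build-variant exemption, so a reader of a user-build policy cannot tell it is inert there; I would add `# fastbootd is exempt only in userdebug/eng recovery builds, to manage the /mnt/scratch overlay (see fastbootd.te).` The same undocumented `recovery_only(`userdebug_or_eng(`-fastbootd')')` carve-out is added to the system/vendor write neverallow and the contextmount_type rule in the next two hunks of this file and deserves the same one-line comment there. The exemption is nested as recovery-only plus debug-only, which I take to be intentional.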
@@ -509,6 +520,7 @@
neverallow {
domain
with_asan(`-asan_extract')
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
} {
system_file_type
vendor_file_type
@@ -532,7 +544,8 @@
# the write to /system restriction above is not bypassed via context=
# mount to another type.
neverallow * contextmount_type:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+ { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
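Review bot: The split on L38-L39 leaves the explanatory comment on L34-L35 describing a single rule that no longer exists; the new second statement carries the fastbootd carve-out for `{ write unlink }` with no rationale. I would extend the comment with `# write/unlink are split out so fastbootd (userdebug/eng recovery only) can manage the scratch overlay; everything else stays fully restricted.` The two statements also now use different source sets, `*` on L36 and `domain` on L39, so the `write unlink` half no longer covers non-domain source types the `*` form did; that is probably harmless, but if it is intentional a short note saying so would stop the next reviewer from re-raising it.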
diff --git a/public/fastbootd.te b/public/fastbootd.te
index fe1005e..4b79b64 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -62,6 +62,27 @@
allow fastbootd proc_cmdline:file r_file_perms;
allow fastbootd rootfs:dir r_dir_perms;
allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+
+ userdebug_or_eng(`
+ # Refined manipulation of /mnt/scratch, without these perms resorts
+ # to deleting scratch partition when partition(s) are flashed.
+ allow fastbootd self:process setfscreate;
+ allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+ allow fastbootd {
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:dir { remove_name rmdir search write };
+ allow fastbootd {
+ overlayfs_file
+ system_file_type
+ unlabeled
+ vendor_file_type
+ }:{ file lnk_file } unlink;
+ allow fastbootd tmpfs:dir rw_dir_perms;
+ allow fastbootd labeledfs:filesystem { mount unmount };
+ get_prop(fastbootd, persistent_properties_ready_prop)
+ ')
')
###
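Review bot: The grants on L56-L66 let fastbootd remove directory entries and unlink files under every `system_file_type` and `vendor_file_type` type plus `unlabeled`, and L68 allows mount/unmount of any `labeledfs` filesystem, which is considerably wider than the /mnt/scratch purpose the comment on L52-L53 states. Since `overlayfs_file` already exists as a dedicated type (L55, L62), it is worth recording in a comment why the scratch work cannot be confined to it and to the specific filesystem type mounted there, or narrowing the lists if it can; the `userdebug_or_eng` wrapper limits exposure to debug builds but does not make the rules inert for anyone testing on such a build. `self:process setfscreate` on L54 is undocumented; a comment naming the label fastbootd creates with it would let a reviewer check it against the relabel neverallows in domain.te. The comment itself reads awkwardly and could be `# Finer-grained manipulation of /mnt/scratch; without these perms fastbootd falls back to deleting the scratch partition when partitions are flashed.` The enclosing macro block that L71 closes starts outside this hunk, so whether these rules are recovery-only cannot be confirmed from the diff.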
diff --git a/public/property_contexts b/public/property_contexts
index 07b5892..d58b1d4 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -172,6 +172,7 @@
drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
init.svc.console u:object_r:exported2_default_prop:s0 exact string
init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string