Add update provider to SELinux policy
WARNING: Using this attribute will result in failing CTS!
- Adds the update_provider attribute definition
- Adds the attribute to the allowlist for neverallow rules in apexd and
domain
Bug: 375420598
Test: m
Test: atest android.security.cts.SELinuxHostTest#testNoExemptionsForUpdateInterfaces
Change-Id: I3fb8fa2537cd4c857ce0bd5ae1e8a5f9a2dc8a32
diff --git a/private/apexd.te b/private/apexd.te
index 450b563..58a3658 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -226,7 +226,11 @@
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
neverallow { domain -apexd -dexopt_chroot_setup -init -otapreopt_chroot } apex_mnt_dir:dir mounton;
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+# The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
+# and make binder calls to apexd.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
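Review bot: The WARNING comment is repeated verbatim above each of the two new rules here (and again in domain.te at the four places update_provider is exempted), but none of them says why the exemption is acceptable to land: as far as this change shows, no domain is given the attribute, so the rules are inert until someone assigns it, and the CTS test named in the commit message is what flags that assignment. A single comment block above the pair would carry that, e.g. `# update_provider is exempted so that a platform update implementation can find apex_service and bind to apexd. No domain carries the attribute in AOSP; assigning it makes SELinuxHostTest#testNoExemptionsForUpdateInterfaces fail.` The same consolidation applies to the comment pairs at L66/L70 and the inline comments at L55/L63 in domain.te.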
diff --git a/private/attributes b/private/attributes
index c89d0c7..7e25e94 100644
--- a/private/attributes
+++ b/private/attributes
@@ -22,3 +22,8 @@
attribute sdk_sandbox_current;
# Common to adbd and adbd_tradeinmode.
attribute adbd_common;
+
+# Provides access to platform update services.
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+attribute update_provider;
+expandattribute update_provider false;
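Review bot: The attribute declaration is the natural place to document the blast radius of update_provider, but the comment only says "Provides access to platform update services." A reader auditing this attribute later has to grep apexd.te and domain.te to learn that it exempts a domain from the apex_service find, apexd binder-call and staging_data_file neverallows; listing those here would make that audit one-stop. It would also help to state the reason for `expandattribute update_provider false;` — presumably so the attribute survives into the compiled policy where the CTS test can see which domains carry it, but that should be confirmed and written down rather than left implicit. Suggested wording: `# Exempts the domain from the apex_service/apexd and staging_data_file neverallows in apexd.te and domain.te. Kept unexpanded so domains carrying it remain visible in the compiled policy.`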
diff --git a/private/domain.te b/private/domain.te
index 38dab17..a15c176 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1765,6 +1765,7 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
+# The update_provider can also stage files before apexd processes them.
neverallow {
domain
-init
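Review bot: The added sentence sits under a comment whose stated guarantee is that staged files cannot change between system_server staging them and apexd processing them; exempting update_provider from this neverallow (and from the ones in the two following hunks, L51-L58 and L59-L74) means that guarantee now also rests on whatever domain carries update_provider, and the comment should say so rather than just noting that it "can also stage files". Something like `# The update_provider can also stage files, so it is exempted below; the no-change guarantee then depends on that domain as well.` would keep the invariant honest. The neverallow block that starts at L48 continues past the end of this hunk.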
@@ -1773,6 +1774,7 @@
-installd
-priv_app
-virtualizationmanager
+ -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
} staging_data_file:dir *;
neverallow {
domain
@@ -1787,10 +1789,13 @@
-shell
-virtualizationmanager
-crosvm
+ -update_provider # WARNING: USING THIS ATTRIBUTE WILL CAUSE CTS TO FAIL!
} staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -update_provider } staging_data_file:dir no_w_dir_perms;
# apexd needs the link/unlink/rename permissions
-neverallow { domain -init -system_server -installd -apexd } staging_data_file:file {
+# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
+neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file {
no_w_file_perms no_x_file_perms
};
neverallow apexd staging_data_file:file {
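Review bot: L71 exempts update_provider from both no_w_file_perms and no_x_file_perms on staging_data_file, but the only justification in the hunk (L68) is for apexd's link/unlink/rename needs; nothing says update_provider needs to execute staged files. If it only needs write-side access, splitting the rule keeps the no-execute guarantee for every domain except the original set: `neverallow { domain -init -system_server -installd -apexd -update_provider } staging_data_file:file no_w_file_perms;` followed by `neverallow { domain -init -system_server -installd -apexd } staging_data_file:file no_x_file_perms;`. Either way, a comment naming the permissions update_provider actually requires (as L68 does for apexd) would make the exemption reviewable.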