commit 75806ef3c529c019ab002072cca7951b91f245aa
author Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree cbd0c46779774cd09f127c0e20144c39dff08dca
parent e98c6d2b38114e0819a558ef5e0d2793a30eebff

Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

private/fastbootd.te

diff --git a/private/fastbootd.te b/private/fastbootd.te
index a189d23..66dd2b1 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -49,9 +49,129 @@
   # Let this domain use the hal fastboot service
   binder_use(fastbootd)
   hal_client_domain(fastbootd, hal_fastboot)
+
+  # fastbootd can only use HALs in passthrough mode
+  passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+  # fastbootd can use AIDL HALs in binder mode
+  binder_use(fastbootd)
+  hal_client_domain(fastbootd, hal_health)
+  hal_client_domain(fastbootd, hal_fastboot)
+
+  # Access /dev/usb-ffs/fastbootd/ep0
+  allow fastbootd functionfs:dir search;
+  allow fastbootd functionfs:file rw_file_perms;
+
+  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
+  # Log to serial
+  allow fastbootd kmsg_device:chr_file { open getattr write };
+
+  # battery info
+  allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+  allow fastbootd device:dir r_dir_perms;
+
+  # For dev/block/by-name dir
+  allow fastbootd block_device:dir r_dir_perms;
+
+  # Needed for DM_DEV_CREATE ioctl call
+  allow fastbootd self:capability sys_admin;
+
+  unix_socket_connect(fastbootd, recovery, recovery)
+
+  # Required for flashing
+  allow fastbootd dm_device:chr_file rw_file_perms;
+  allow fastbootd dm_device:blk_file rw_file_perms;
+
+  allow fastbootd cache_block_device:blk_file rw_file_perms;
+  allow fastbootd super_block_device_type:blk_file rw_file_perms;
+  allow fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file { w_file_perms getattr ioctl };
+
+  # For disabling/wiping GSI, and for modifying/deleting files created via
+  # libfiemap.
+  allow fastbootd metadata_block_device:blk_file r_file_perms;
+  allow fastbootd {rootfs tmpfs}:dir mounton;
+  allow fastbootd metadata_file:dir { search getattr mounton };
+  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+  allow fastbootd gsi_metadata_file_type:file create_file_perms;
+
+  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  allowxperm fastbootd {
+    metadata_block_device
+    userdata_block_device
+    dm_device
+    cache_block_device
+  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+  allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+  allow fastbootd proc_cmdline:file r_file_perms;
+  allow fastbootd rootfs:dir r_dir_perms;
+
+  # Needed to read fstab node from device tree.
+  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+
+  # Needed because libdm reads sysfs to validate when a dm path is ready.
+  r_dir_file(fastbootd, sysfs_dm)
+
+  # Needed for realpath() call to resolve symlinks.
+  allow fastbootd block_device:dir getattr;
+  userdebug_or_eng(`
+    # Refined manipulation of /mnt/scratch, without these perms resorts
+    # to deleting scratch partition when partition(s) are flashed.
+    allow fastbootd self:process setfscreate;
+    allow fastbootd cache_file:dir search;
+    allow fastbootd proc_filesystems:file { getattr open read };
+    allow fastbootd self:capability sys_rawio;
+    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
+    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+    allow fastbootd {
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:dir { remove_name rmdir search write };
+    allow fastbootd {
+      overlayfs_file
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:{ file lnk_file } unlink;
+    allow fastbootd tmpfs:dir rw_dir_perms;
+    # Fetch vendor_boot partition
+    allow fastbootd boot_block_device:blk_file r_file_perms;
+
+    # popen(/system/bin/dmesg) and associated permissions. We only allow this
+    # on unlocked devices running userdebug builds.
+    allow fastbootd rootfs:file execute_no_trans;
+    allow fastbootd system_file:file execute_no_trans;
+    allow fastbootd kmsg_device:chr_file read;
+    allow fastbootd kernel:system syslog_read;
+  ')
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  allow fastbootd gsi_metadata_file_type:dir search;
+  allow fastbootd ota_metadata_file:dir rw_dir_perms;
+  allow fastbootd ota_metadata_file:file create_file_perms;
 ')
 
 # This capability allows fastbootd to circumvent memlock rlimits while using
 # io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
 allow fastbootd self:capability ipc_lock;
 io_uring_use(fastbootd)
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+   data_file_type
+}:file { no_x_file_perms };