Add new label for supplemental data
Supplemental data is separate from app data and only supplemental
process should have access to these directories.
This CL creates a new label for such data and updates the seapp_context
to assign correct label from installd.
The new label will be applied as follows:
/data/user/0/supplemental #system_data_file
/data/user/0/supplemental/<app-name> #system_data_file
/data/user/0/supplemental/<app-name>/shared #supplemental_app_data_file
Bug: 217543371
Bug: 217559719
Test: atest SupplementalProcessStorageHostTest
- #testSelinuxLabel_SharedData
- #testSupplementalDataAppDirectory_SharedStorageIsUsable
Ignore-AOSP-First: Feature is being developed in internal branch
Change-Id: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145
diff --git a/private/file.te b/private/file.te
index 9dd0615..01a66cd 100644
--- a/private/file.te
+++ b/private/file.te
@@ -19,6 +19,9 @@
# /data/misc/perfetto-configs for perfetto configs
type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc_{ce/de}/<user>/sdk/<app-name>/* subdirectory for supplemental apps
+type supplemental_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d6664ff..0f1195c 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -26,6 +26,7 @@
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
# user=_app will match any regular app process.
# user=_isolated will match any isolated service process.
+# user=_supplemental will match supplemental process for an app.
# Other values of user are matched against the name associated with the process
# UID.
# seinfo= matches aginst the seinfo tag for the app, determined from
@@ -152,6 +153,7 @@
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
+user=_supplemental domain=supplemental_process type=supplemental_app_data_file levelFrom=all
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
@@ -174,4 +176,4 @@
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
-user=_app seinfo=supplemental_process name=com.android.supplemental.process domain=supplemental_process type=app_data_file levelFrom=user
+
diff --git a/private/supplemental_process.te b/private/supplemental_process.te
index 1670fa4..720f71b 100644
--- a/private/supplemental_process.te
+++ b/private/supplemental_process.te
@@ -38,6 +38,10 @@
allow supplemental_process system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+# allow access to supplemental data directory
+allow supplemental_process supplemental_app_data_file:dir create_dir_perms;
+allow supplemental_process supplemental_app_data_file:file create_file_perms;
+
###
### neverallow rules
###