Split gsi_metadata_file and add gsi_metadata_file_type attribute
Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
that wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.
Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d24d12d..e7ddf48 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -61,6 +61,7 @@
gpuservice
gsi_data_file
gsi_metadata_file
+ gsi_public_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 73374e6..2b2b04a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil
@@ -1482,7 +1482,9 @@
(typeattributeset graphics_device_30_0 (graphics_device))
(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
(typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
+(typeattributeset gsi_metadata_file_30_0
+ ( gsi_metadata_file
+ gsi_public_metadata_file))
(typeattributeset gsid_prop_30_0 (gsid_prop))
(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
diff --git a/private/file_contexts b/private/file_contexts
index 1347797..d5d773c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -762,6 +762,10 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
+/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
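Review bot: The four new entries carry gsi_public_metadata_file, but the relabel permissions this change gives gsid (`gsi_metadata_file:file relabelfrom`, `gsi_public_metadata_file:file relabelto` in gsid.te) cover the `file` class only, so if any of these paths is a directory or symlink rather than a regular file, restorecon from gsid would be denied and the path would keep gsi_metadata_file. The name `metadata_encryption_dir` in the last entry at least invites confirming this. If all four are regular files this is fine, and a short comment above the entries would pin that assumption, e.g. `# Regular files only: gsid may relabel gsi_public_metadata_file:file, not dir/lnk_file`.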
diff --git a/private/gsid.te b/private/gsid.te
index c523731..fb40528 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -123,7 +123,7 @@
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
}:dir create_dir_perms;
allow gsid {
@@ -131,10 +131,15 @@
}:dir rw_dir_perms;
allow gsid {
- gsi_metadata_file
+ gsi_metadata_file_type
ota_metadata_file
}:file create_file_perms;
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
allow gsid {
gsi_data_file
ota_image_data_file
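Review bot: The relabel rules added after the create_file_perms block cover only the `file` class and nothing in this change labels new files at creation, so a file gsid creates under /metadata/gsi/dsu inherits its parent directory's gsi_metadata_file type and is unreadable to read_fstab() domains until gsid's restorecon runs. The comment on that rule should record this ordering dependency, e.g. `# Files gsid creates under /metadata/gsi/dsu inherit gsi_metadata_file from the parent dir; gsid must restorecon them (see file_contexts) before readers rely on read_fstab().` The relabel is also one-way (no relabelfrom on gsi_public_metadata_file / relabelto gsi_metadata_file), which is fine for least privilege but worth stating so nobody expects gsid to apply a later tightening of file_contexts. The allow block starting at `gsi_data_file` continues past the hunk.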
@@ -153,6 +158,9 @@
allow gsid system_server:binder call;
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
neverallow {
domain
-init
@@ -160,7 +168,7 @@
-fastbootd
-recovery
-vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
domain
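Review bot: The directory neverallow at `} gsi_metadata_file_type:dir no_w_dir_perms;` relaxes the previous `*` to every non-write permission, so any domain may now be granted `read`/`getattr`/`open` on gsi_metadata_file directories and list /metadata/gsi, while the read_fstab() macro this change introduces only grants `search`. Unless another policy change needs directory listing, pinning the rule to what the macro needs keeps the relaxation minimal: `} gsi_metadata_file_type:dir ~search;`. The dontaudit rules elsewhere in the change (lpdumpd, uncrypt, update_engine, vendor_misc_writer) are not checked by neverallow, so they would not be affected. The neverallow's exclusion list begins outside the hunk.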
@@ -168,7 +176,18 @@
-gsid
-fastbootd
-vold
-} gsi_metadata_file:file_class_set *;
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+ -fastbootd
+ -vold
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
neverallow {
domain
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 3bcd761..a264be7 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -20,8 +20,8 @@
# Triggered when lpdumpd tries to read default fstab.
dontaudit lpdumpd metadata_file:dir r_dir_perms;
dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
### Neverallow rules
diff --git a/public/attributes b/public/attributes
index 384533b..c5a93c9 100644
--- a/public/attributes
+++ b/public/attributes
@@ -386,3 +386,6 @@
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
+
+# All types used for DSU metadata files.
+attribute gsi_metadata_file_type;
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 9614545..72ba65c 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -49,8 +49,8 @@
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
allow fastbootd metadata_file:dir { search getattr };
- allow fastbootd gsi_metadata_file:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file:file create_file_perms;
+ allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file_type:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@@ -103,7 +103,7 @@
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file:dir search;
+ allow fastbootd gsi_metadata_file_type:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
')
diff --git a/public/file.te b/public/file.te
index 243148f..c4c2a21 100644
--- a/public/file.te
+++ b/public/file.te
@@ -242,7 +242,9 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
-type gsi_metadata_file, file_type;
+type gsi_metadata_file, gsi_metadata_file_type, file_type;
+# DSU (GSI) files within /metadata that are globally readable.
+type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
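Review bot: The comment `# DSU (GSI) files within /metadata that are globally readable.` overstates the access: the neverallow rules in gsid.te still deny appdomain all access to gsi_metadata_file_type and cap other domains at r_file_perms, so read access has to be granted per domain and is never world-wide. Suggest `# DSU (GSI) files within /metadata that non-app domains may be granted read access to (see read_fstab() in te_macros); not readable by default.`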
diff --git a/public/recovery.te b/public/recovery.te
index fd3c82a..63ba3ee 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -127,7 +127,7 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file:dir search;
+ allow recovery gsi_metadata_file_type:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
diff --git a/public/te_macros b/public/te_macros
index 097d068..1ce5541 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -965,3 +965,12 @@
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
+
+#####################################
+# read_fstab(domain)
+# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
+#
+define(`read_fstab', `
+ allow $1 { metadata_file gsi_metadata_file_type }:dir search;
+ allow $1 gsi_public_metadata_file:file r_file_perms;
+')
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 46bcfaa..79f3b4c 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -39,5 +39,5 @@
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt gsi_metadata_file_type:dir search;
dontaudit uncrypt metadata_file:dir search;
diff --git a/public/update_engine.te b/public/update_engine.te
index b7cf827..962ca99 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -69,7 +69,7 @@
# device. ReadDefaultFstab() checks whether a GSI is running by checking
# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
# the access.
-dontaudit update_engine gsi_metadata_file:dir search;
+dontaudit update_engine gsi_metadata_file_type:dir search;
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c8b8b12..db99b9e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,7 +57,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
@@ -75,7 +75,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-apex_info_file
-userspace_reboot_metadata_file
@@ -91,7 +91,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -107,7 +107,7 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
@@ -122,7 +122,7 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file
+ -gsi_metadata_file_type
-apex_metadata_file
-userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 98ec3b4..7025652 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,7 +8,7 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file:dir search;
+dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vold.te b/public/vold.te
index fb16b7e..d1731cc 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -294,8 +294,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file:dir r_dir_perms;
-allow vold gsi_metadata_file:file r_file_perms;
+allow vold gsi_metadata_file_type:dir r_dir_perms;
+allow vold gsi_metadata_file_type:file r_file_perms;
# vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms;