Split gsi_metadata_file and add gsi_metadata_file_type attribute

Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
that wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11
diff --git a/private/gsid.te b/private/gsid.te
index c523731..fb40528 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -123,7 +123,7 @@
 #
 allow gsid metadata_file:dir { search getattr };
 allow gsid {
-    gsi_metadata_file
+    gsi_metadata_file_type
 }:dir create_dir_perms;
 
 allow gsid {
@@ -131,10 +131,15 @@
 }:dir rw_dir_perms;
 
 allow gsid {
-    gsi_metadata_file
+    gsi_metadata_file_type
     ota_metadata_file
 }:file create_file_perms;
 
+# Allow restorecon to fix context of gsi_public_metadata_file.
+allow gsid file_contexts_file:file r_file_perms;
+allow gsid gsi_metadata_file:file relabelfrom;
+allow gsid gsi_public_metadata_file:file relabelto;
+
 allow gsid {
       gsi_data_file
       ota_image_data_file
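Review bot: The relabel grants on L44-L45 are one-directional (gsi_metadata_file to gsi_public_metadata_file only), and since gsi_public_metadata_file is the type with the relaxed neverallow further down, this restorecon is the point at which a file under /metadata/gsi/ becomes readable to any non-app domain that adds an allow rule. Which paths receive the public label is decided by file_contexts entries that are not in this diff, so the comment at L42 should say where that selection lives and that the reverse relabel is deliberately absent, if it is: `# Allow restorecon to relabel gsi_metadata_file -> gsi_public_metadata_file for the paths listed in file_contexts; the reverse relabel is not granted.` If a path is later removed from the public set, gsid will presumably not be able to relabel it back without a matching `gsi_public_metadata_file:file relabelfrom` grant; worth confirming that is acceptable.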
@@ -153,6 +158,9 @@
 
 allow gsid system_server:binder call;
 
+# Prevent most processes from writing to gsi_metadata_file_type, but allow
+# adding rules for path resolution of gsi_public_metadata_file and reading
+# gsi_public_metadata_file.
 neverallow {
     domain
     -init
@@ -160,7 +168,7 @@
     -fastbootd
     -recovery
     -vold
-} gsi_metadata_file:dir *;
+} gsi_metadata_file_type:dir no_w_dir_perms;
 
 neverallow {
     domain
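Review bot: Replacing `*` with `no_w_dir_perms` on L65 lifts the neverallow on every non-write directory permission, including `read` and `open`, for all gsi_metadata_file_type directories rather than only the parents of the public files, so a domain could now be granted the ability to list the non-public contents of /metadata/gsi/. The comment at L54-L56 motivates the relaxation with path resolution, which needs `search` (and `getattr` for stat), not listing; if directory enumeration is not meant to be grantable, `} gsi_metadata_file_type:dir ~{ search getattr };` keeps the rest of the old restriction. The neverallow statement begins at L57 in the previous hunk, and the exemption list (L58-L63) is unchanged by this commit.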
@@ -168,7 +176,18 @@
     -gsid
     -fastbootd
     -vold
-} gsi_metadata_file:file_class_set *;
+} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+
+neverallow {
+    domain
+    -init
+    -gsid
+    -fastbootd
+    -vold
+} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+
+# Prevent apps from accessing gsi_metadata_file_type.
+neverallow appdomain gsi_metadata_file_type:dir_file_class_set *;
 
 neverallow {
     domain
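Review bot: The new neverallow at L76-L82 has no comment, while the dir rule above it does (L54-L56), so a reader of this file cannot tell why gsi_public_metadata_file is readable or what it holds; suggest adding before L76 `# gsi_public_metadata_file holds only the files needed to infer the device fstab. Any non-app domain may be granted r_file_perms on it; all other access is reserved to init, gsid, fastbootd and vold.` Note that `~{ r_file_perms }` leaves `map` and `ioctl` grantable along with plain reads, which is presumably intended for fstab parsing but worth stating. The declarations of the gsi_metadata_file_type attribute and the gsi_public_metadata_file type, and the file_contexts entries that decide which paths get the public label, are outside this hunk, so the "only fstab inputs" claim in the commit message cannot be checked here. The app-wide block at L85 is consistent with the rest and needs no change.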