Revert "Policy for overlay_remounter"
This reverts commit 879909f4d6e803f74cb2c24ba24183ef05574aa7.
Reason for revert: New Build Breakage: git_main/husky-next-user @ 12974710
Change-Id: I1b5ea9552632ee081966e76875799b61058c3cb5
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 6ead315..2e72866 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -1344,5 +1344,3 @@
/tmp shell_data_file
/mnt/pre_reboot_dexopt pre_reboot_dexopt_file
-
-/second_stage_resources/overlay_remounter overlay_remounter_exec
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7d8a706..4fe3843 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -54,7 +54,7 @@
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
-neverallow { domain -bpfloader -init userdebug_or_eng(`-overlay_remounter') } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
diff --git a/private/coredomain.te b/private/coredomain.te
index 7f0ca9d..23ad43a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -63,7 +63,6 @@
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
- userdebug_or_eng(`-overlay_remounter')
} vendor_app_file:dir { open read getattr search };
')
@@ -85,7 +84,6 @@
-system_server
-traced_perf
-mediaserver
- userdebug_or_eng(`-overlay_remounter')
} vendor_app_file:file r_file_perms;
')
@@ -107,7 +105,6 @@
-webview_zygote
-zygote
-heapprofd
- userdebug_or_eng(`-overlay_remounter')
} vendor_overlay_file:dir { getattr open read search };
')
@@ -130,7 +127,6 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
- userdebug_or_eng(`-overlay_remounter')
} vendor_overlay_file:file open;
')
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 4bd1d38..a9a802c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -118,10 +118,7 @@
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
-neverallow {
- domain
- userdebug_or_eng(`-overlay_remounter')
-} crash_dump_exec:file execute_no_trans;
+neverallow domain crash_dump_exec:file execute_no_trans;
# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
diff --git a/private/crosvm.te b/private/crosvm.te
index 6051992..a377e7a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -223,7 +223,6 @@
-crosvm
-virtualizationmanager
-vmlauncher_app
- userdebug_or_eng(`-overlay_remounter')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 7b448c3..618258c 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -595,11 +595,6 @@
# permission on /metadata dir
allow domain metadata_file:dir search;
-# overlayfs performs all file operations as the mounter, being overlay_remounter.
-# It thus opens files as overlay_remounter, and then uses those files in the context of
-# the caller, which is anyone accessing a file on a overlaid read-only partition
-userdebug_or_eng(`allow domain overlay_remounter:fd use');
-
###
### neverallow rules
###
@@ -710,7 +705,7 @@
# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow { domain userdebug_or_eng(`-overlay_remounter') } *:{ blk_file chr_file } rename;
+neverallow * *:{ blk_file chr_file } rename;
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
@@ -745,21 +740,16 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
- userdebug_or_eng(`-kernel')
- userdebug_or_eng(`-overlay_remounter')
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
-neverallow {
- domain
- userdebug_or_eng(`-overlay_remounter')
-} exec_type:dir_file_class_set mounton;
+neverallow * exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
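Review bot: The first neverallow in this hunk also loses `userdebug_or_eng(`-kernel')` (the removed line just before the overlay_remounter one), so on the new side the kernel domain is again denied create/write/setattr/unlink/relabelfrom on system_file_type, vendor_file_type and exec_type. That lines up with the kernel.te hunk, which drops the `allow kernel overlay_remounter_exec:file { relabelto unlink }` and tmpfs rules that needed the exclusion, but it is broader than the overlay_remounter cleanup the title names; worth confirming the exclusion was introduced by 879909f4d6e803f74cb2c24ba24183ef05574aa7 and that no other kernel-domain write to those types remains, since the neverallow is checked at policy compile time. The relabelto rule and `neverallow * exec_type:dir_file_class_set mounton;` return to their unconditional form, which is the tighter baseline. The enclosing neverallow source set opens before the hunk.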
@@ -771,9 +761,9 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow { domain userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set
+neverallow * contextmount_type:dir_file_class_set
{ create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set { write unlink };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
@@ -1160,7 +1150,6 @@
-init
-shell
-ueventd
- userdebug_or_eng(`-overlay_remounter')
} vendor_shell_exec:file { execute execute_no_trans };
')
@@ -1215,7 +1204,6 @@
-shell
-system_executes_vendor_violators
-ueventd
- userdebug_or_eng(`-overlay_remounter')
} {
vendor_file_type
-same_process_hal_file
@@ -1231,7 +1219,6 @@
coredomain
-shell
-system_executes_vendor_violators
- userdebug_or_eng(`-overlay_remounter')
} {
vendor_file_type
-same_process_hal_file
@@ -1315,25 +1302,19 @@
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
-neverallow {
- domain
- userdebug_or_eng(`-overlay_remounter')
-} { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -overlay_remounter') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
-neverallow {
- domain
- userdebug_or_eng(`-overlay_remounter')
-} {
+neverallow * {
file_type
-apk_data_file
-app_data_file
@@ -1347,12 +1328,7 @@
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
-neverallow {
- domain
- -untrusted_app_25
- -untrusted_app_27
- userdebug_or_eng(`-overlay_remounter')
-} file_type:file execmod;
+neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
@@ -1477,7 +1453,6 @@
-installd
-profman
-artd
- userdebug_or_eng(`-overlay_remounter')
} profman_exec:file no_x_file_perms;
# Enforce restrictions on kernel module origin.
@@ -1545,7 +1520,6 @@
neverallow {
coredomain
-appdomain
- userdebug_or_eng(`-overlay_remounter')
} {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
@@ -1860,7 +1834,6 @@
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
- userdebug_or_eng(`-overlay_remounter')
} {
file_type
-system_file_type
@@ -1936,7 +1909,6 @@
neverallow {
domain
-appdomain
- userdebug_or_eng(`-overlay_remounter')
} {
data_file_type
-apex_art_data_file
@@ -1970,7 +1942,6 @@
vold
vold_prepare_subdirs
zygote
- userdebug_or_eng(`overlay_remounter')
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
@@ -1999,7 +1970,6 @@
-update_engine
-vold
-zygote
- userdebug_or_eng(`-overlay_remounter')
} { fs_type
-sdcard_type
-fusefs_type
@@ -2068,7 +2038,6 @@
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
- userdebug_or_eng(`-overlay_remounter')
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
@@ -2112,7 +2081,6 @@
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
- userdebug_or_eng(`-overlay_remounter')
} {
vendor_file_type
-same_process_hal_file
@@ -2146,16 +2114,7 @@
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
-neverallow {
- domain
- -dexopt_chroot_setup
- -init
- -otapreopt_chroot
- userdebug_or_eng(`-overlay_remounter')
-} {
- system_file_type
- vendor_file_type
-}:dir_file_class_set mounton;
+neverallow { domain -dexopt_chroot_setup -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
diff --git a/private/file_contexts b/private/file_contexts
index f79ec5a..7ef3226 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -952,7 +952,3 @@
#############################
# For early boot VM
/mnt/vm u:object_r:vm_data_file:s0
-
-#############################
-# For overlays
-/second_stage_resources/overlay_remounter u:object_r:overlay_remounter_exec:s0
diff --git a/private/incident.te b/private/incident.te
index 19db7d7..db9ae86 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -34,14 +34,4 @@
allow incident incidentd:fifo_file write;
# only allow incident being called by shell or dumpstate
-neverallow {
- domain
- -su
- -shell
- -incident
- -dumpstate
- userdebug_or_eng(`-overlay_remounter')
-} incident_exec:file {
- execute
- execute_no_trans
-};
+neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
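Review bot: The restored one-liner writes the source set as `{ domain -su -shell -incident -dumpstate}` with no space before the closing brace, while the sibling rule restored in incident_helper.te and the other rules in this commit space both braces; `neverallow { domain -su -shell -incident -dumpstate } incident_exec:file { execute execute_no_trans };` reads consistently. This is the pre-revert text, so it presumably compiled before and the spacing is a style point only.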
diff --git a/private/incident_helper.te b/private/incident_helper.te
index cdaf144..b453855 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -11,13 +11,4 @@
allow incident_helper incidentd:unix_stream_socket { read write };
# only allow incidentd and shell to call incident_helper
-neverallow {
- domain
- -incidentd
- -incident_helper
- -shell
- userdebug_or_eng(`-overlay_remounter')
-} incident_helper_exec:file {
- execute
- execute_no_trans
-};
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/private/init.te b/private/init.te
index 6f0ee80..35d7647 100644
--- a/private/init.te
+++ b/private/init.te
@@ -814,7 +814,7 @@
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
-neverallow { domain -kernel userdebug_or_eng(`-overlay_remounter') } init:process transition;
+neverallow { domain -kernel } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
diff --git a/private/kernel.te b/private/kernel.te
index 0d3aa77..1b82c66 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -2,9 +2,6 @@
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)
-userdebug_or_eng(`
- domain_auto_trans(kernel, overlay_remounter_exec, overlay_remounter)
-')
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
@@ -153,15 +150,6 @@
# required by VTS lidbm unit test
allow kernel appdomain_tmpfs:file { read write };
-# Allow first stage init to copy and then launch overlay_remounter
-userdebug_or_eng(`
- allow kernel tmpfs:dir rw_dir_perms;
- allow kernel tmpfs:file { create_file_perms relabelfrom };
- allow kernel overlay_remounter_exec:file { relabelto unlink };
- allow kernel overlay_remounter:process2 nosuid_transition;
- allow kernel overlay_remounter:process share;
-')
-
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 5459c1d..ce26fd2 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -36,5 +36,4 @@
-init
-linkerconfig
-otapreopt_chroot
- userdebug_or_eng(`-overlay_remounter')
} linkerconfig_exec:file no_x_file_perms;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 28766dd..37a2c47 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -50,4 +50,4 @@
# netutils wrapper may only use the following capabilities.
neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
-neverallow { domain userdebug_or_eng(`-overlay_remounter') } netutils_wrapper_exec:file execute_no_trans;
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/private/overlay_remounter.te b/private/overlay_remounter.te
deleted file mode 100644
index cc00c30..0000000
--- a/private/overlay_remounter.te
+++ /dev/null
@@ -1,40 +0,0 @@
-userdebug_or_eng(`
- # Domain used for overlay_remounter process
-
- # All types must be defined regardless of build variant to ensure
- # policy compilation succeeds with userdebug/user combination at boot
- type overlay_remounter, domain, coredomain;
-
- # File types must be defined for file_contexts.
- type overlay_remounter_exec, system_file_type, exec_type, file_type;
-
- domain_auto_trans(overlay_remounter, init_exec, init)
-
- allow overlay_remounter init:process share;
- allow overlay_remounter init:process2 nosuid_transition;
- allow overlay_remounter kernel:fd use;
- allow overlay_remounter tmpfs:chr_file { open read write };
- allow overlay_remounter labeledfs:filesystem { mount unmount };
- allow overlay_remounter overlayfs_file:chr_file { unlink create link rename };
- allow overlay_remounter overlayfs_file:dir create_dir_perms;
- allow overlay_remounter overlayfs_file:file { create open rename unlink write };
- allow overlay_remounter self:capability { chown fowner sys_admin dac_override dac_read_search };
- allow overlay_remounter unlabeled:dir { rmdir search };
- use_bootstrap_libs(overlay_remounter)
-
- # overlay_remounter must be able to perform all possible operations
- # on the overlaid partitions
- allow overlay_remounter {
- system_dlkm_file_type
- vendor_file_type
- system_file_type
- adb_keys_file
- }:{ file } ~{ entrypoint };
-
- allow overlay_remounter {
- system_dlkm_file_type
- vendor_file_type
- system_file_type
- adb_keys_file
- }:{ dir lnk_file } *;
-')
diff --git a/private/vendor_toolbox.te b/private/vendor_toolbox.te
index 5421dd5..178fa8f 100644
--- a/private/vendor_toolbox.te
+++ b/private/vendor_toolbox.te
@@ -7,6 +7,5 @@
coredomain
-init
-modprobe
- userdebug_or_eng(`-overlay_remounter')
} vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
')
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 95bdd1c..259c402 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -115,16 +115,8 @@
r_dir_file(virtualizationmanager, vendor_microdroid_file)
# Do not allow writing vendor_microdroid_file from any process.
-neverallow {
- domain
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- userdebug_or_eng(`-overlay_remounter')
-} vendor_microdroid_file:dir no_w_dir_perms;
-neverallow {
- domain
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- userdebug_or_eng(`-overlay_remounter')
-} vendor_microdroid_file:file no_w_file_perms;
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/tests/policy.py b/tests/policy.py
index cf93ed7..98133b7 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -589,7 +589,7 @@
vendor = any(MatchPathPrefix(path, prefix) for prefix in
["/vendor", "/odm"])
system = any(MatchPathPrefix(path, prefix) for prefix in
- ["/init", "/system_ext", "/product", "/second_stage_resources" ])
+ ["/init", "/system_ext", "/product" ])
# only mark entrypoint as system if it is not in legacy /system/vendor
if MatchPathPrefix(path, "/system/vendor"):
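Review bot: The restored `system` prefix list keeps a stray space before the closing bracket (`"/product" ]`) while the `vendor` list two lines above is written `"/odm"]`; `["/init", "/system_ext", "/product"])` would match. Dropping `/second_stage_resources` here is consistent with the file_contexts and plat_file_contexts_test hunks, which remove the only entry under that path. The enclosing function starts and ends outside the hunk.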