Policy for overlay_remounter
Test: Manual
Bug: 388912628
Change-Id: I9f27647f0e8d3ece229e7a46d50d54aa1f76fd76
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4fe3843..7d8a706 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -54,7 +54,7 @@
neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
neverallow { domain -bpfloader } fs_bpf_loader:file *;
-neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init userdebug_or_eng(`-overlay_remounter') } bpfloader_exec:file { execute execute_no_trans };
neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
diff --git a/private/coredomain.te b/private/coredomain.te
index 23ad43a..7f0ca9d 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -63,6 +63,7 @@
-rs # spawned by appdomain, so carryover the exception above
-system_server
-traced_perf
+ userdebug_or_eng(`-overlay_remounter')
} vendor_app_file:dir { open read getattr search };
')
@@ -84,6 +85,7 @@
-system_server
-traced_perf
-mediaserver
+ userdebug_or_eng(`-overlay_remounter')
} vendor_app_file:file r_file_perms;
')
@@ -105,6 +107,7 @@
-webview_zygote
-zygote
-heapprofd
+ userdebug_or_eng(`-overlay_remounter')
} vendor_overlay_file:dir { getattr open read search };
')
@@ -127,6 +130,7 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
userdebug_or_eng(`-simpleperf_boot')
+ userdebug_or_eng(`-overlay_remounter')
} vendor_overlay_file:file open;
')
diff --git a/private/crash_dump.te b/private/crash_dump.te
index a9a802c..4bd1d38 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -118,7 +118,10 @@
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
+neverallow {
+ domain
+ userdebug_or_eng(`-overlay_remounter')
+} crash_dump_exec:file execute_no_trans;
# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
diff --git a/private/crosvm.te b/private/crosvm.te
index a377e7a..6051992 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -223,6 +223,7 @@
-crosvm
-virtualizationmanager
-vmlauncher_app
+ userdebug_or_eng(`-overlay_remounter')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 618258c..7b448c3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -595,6 +595,11 @@
# permission on /metadata dir
allow domain metadata_file:dir search;
+# overlayfs performs all file operations as the mounter, being overlay_remounter.
+# It thus opens files as overlay_remounter, and then uses those files in the context of
+# the caller, which is anyone accessing a file on a overlaid read-only partition
+userdebug_or_eng(`allow domain overlay_remounter:fd use');
+
###
### neverallow rules
###
@@ -705,7 +710,7 @@
# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
+neverallow { domain userdebug_or_eng(`-overlay_remounter') } *:{ blk_file chr_file } rename;
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
@@ -740,16 +745,21 @@
domain
with_asan(`-asan_extract')
recovery_only(`userdebug_or_eng(`-fastbootd')')
+ userdebug_or_eng(`-kernel')
+ userdebug_or_eng(`-overlay_remounter')
} {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') userdebug_or_eng(`-overlay_remounter') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
+neverallow {
+ domain
+ userdebug_or_eng(`-overlay_remounter')
+} exec_type:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -761,9 +771,9 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow * contextmount_type:dir_file_class_set
+neverallow { domain userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set
{ create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') userdebug_or_eng(`-overlay_remounter') } contextmount_type:dir_file_class_set { write unlink };
# Do not allow service_manager add for default service labels.
# Instead domains should use a more specific type such as
@@ -1150,6 +1160,7 @@
-init
-shell
-ueventd
+ userdebug_or_eng(`-overlay_remounter')
} vendor_shell_exec:file { execute execute_no_trans };
')
@@ -1204,6 +1215,7 @@
-shell
-system_executes_vendor_violators
-ueventd
+ userdebug_or_eng(`-overlay_remounter')
} {
vendor_file_type
-same_process_hal_file
@@ -1219,6 +1231,7 @@
coredomain
-shell
-system_executes_vendor_violators
+ userdebug_or_eng(`-overlay_remounter')
} {
vendor_file_type
-same_process_hal_file
@@ -1302,19 +1315,25 @@
# Do not mount on top of symlinks, fifos, or sockets.
# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+neverallow {
+ domain
+ userdebug_or_eng(`-overlay_remounter')
+} { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -overlay_remounter') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
# The only exceptions are for NDK text relocations associated with
# https://code.google.com/p/android/issues/detail?id=23203
# which, long term, need to go away.
-neverallow * {
+neverallow {
+ domain
+ userdebug_or_eng(`-overlay_remounter')
+} {
file_type
-apk_data_file
-app_data_file
@@ -1328,7 +1347,12 @@
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
+neverallow {
+ domain
+ -untrusted_app_25
+ -untrusted_app_27
+ userdebug_or_eng(`-overlay_remounter')
+} file_type:file execmod;
# Ensure that all types assigned to processes are included
# in the domain attribute, so that all allow and neverallow rules
@@ -1453,6 +1477,7 @@
-installd
-profman
-artd
+ userdebug_or_eng(`-overlay_remounter')
} profman_exec:file no_x_file_perms;
# Enforce restrictions on kernel module origin.
@@ -1520,6 +1545,7 @@
neverallow {
coredomain
-appdomain
+ userdebug_or_eng(`-overlay_remounter')
} {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
')
@@ -1834,6 +1860,7 @@
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
+ userdebug_or_eng(`-overlay_remounter')
} {
file_type
-system_file_type
@@ -1909,6 +1936,7 @@
neverallow {
domain
-appdomain
+ userdebug_or_eng(`-overlay_remounter')
} {
data_file_type
-apex_art_data_file
@@ -1942,6 +1970,7 @@
vold
vold_prepare_subdirs
zygote
+ userdebug_or_eng(`overlay_remounter')
}')
neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
# Since the kernel checks dac_read_search before dac_override, domains that
@@ -1970,6 +1999,7 @@
-update_engine
-vold
-zygote
+ userdebug_or_eng(`-overlay_remounter')
} { fs_type
-sdcard_type
-fusefs_type
@@ -2038,6 +2068,7 @@
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
-ueventd
+ userdebug_or_eng(`-overlay_remounter')
} vendor_file:file { no_w_file_perms no_x_file_perms open };
')
@@ -2081,6 +2112,7 @@
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
-vold # loads incremental fs driver
+ userdebug_or_eng(`-overlay_remounter')
} {
vendor_file_type
-same_process_hal_file
@@ -2114,7 +2146,16 @@
# Only init and otapreopt_chroot should be mounting filesystems on locations
# labeled system or vendor (/product and /vendor respectively).
-neverallow { domain -dexopt_chroot_setup -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
+neverallow {
+ domain
+ -dexopt_chroot_setup
+ -init
+ -otapreopt_chroot
+ userdebug_or_eng(`-overlay_remounter')
+} {
+ system_file_type
+ vendor_file_type
+}:dir_file_class_set mounton;
# Only allow init and vendor_init to read/write mm_events properties
# NOTE: dumpstate is allowed to read any system property
diff --git a/private/file_contexts b/private/file_contexts
index 7ef3226..f79ec5a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -952,3 +952,7 @@
#############################
# For early boot VM
/mnt/vm u:object_r:vm_data_file:s0
+
+#############################
+# For overlays
+/second_stage_resources/overlay_remounter u:object_r:overlay_remounter_exec:s0
diff --git a/private/incident.te b/private/incident.te
index db9ae86..19db7d7 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -34,4 +34,14 @@
allow incident incidentd:fifo_file write;
# only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
+neverallow {
+ domain
+ -su
+ -shell
+ -incident
+ -dumpstate
+ userdebug_or_eng(`-overlay_remounter')
+} incident_exec:file {
+ execute
+ execute_no_trans
+};
diff --git a/private/incident_helper.te b/private/incident_helper.te
index b453855..cdaf144 100644
--- a/private/incident_helper.te
+++ b/private/incident_helper.te
@@ -11,4 +11,13 @@
allow incident_helper incidentd:unix_stream_socket { read write };
# only allow incidentd and shell to call incident_helper
-neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
+neverallow {
+ domain
+ -incidentd
+ -incident_helper
+ -shell
+ userdebug_or_eng(`-overlay_remounter')
+} incident_helper_exec:file {
+ execute
+ execute_no_trans
+};
diff --git a/private/init.te b/private/init.te
index 35d7647..6f0ee80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -814,7 +814,7 @@
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
+neverallow { domain -kernel userdebug_or_eng(`-overlay_remounter') } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
diff --git a/private/kernel.te b/private/kernel.te
index 1b82c66..0d3aa77 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -2,6 +2,9 @@
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)
+userdebug_or_eng(`
+ domain_auto_trans(kernel, overlay_remounter_exec, overlay_remounter)
+')
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
@@ -150,6 +153,15 @@
# required by VTS lidbm unit test
allow kernel appdomain_tmpfs:file { read write };
+# Allow first stage init to copy and then launch overlay_remounter
+userdebug_or_eng(`
+ allow kernel tmpfs:dir rw_dir_perms;
+ allow kernel tmpfs:file { create_file_perms relabelfrom };
+ allow kernel overlay_remounter_exec:file { relabelto unlink };
+ allow kernel overlay_remounter:process2 nosuid_transition;
+ allow kernel overlay_remounter:process share;
+')
+
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index ce26fd2..5459c1d 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -36,4 +36,5 @@
-init
-linkerconfig
-otapreopt_chroot
+ userdebug_or_eng(`-overlay_remounter')
} linkerconfig_exec:file no_x_file_perms;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 37a2c47..28766dd 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -50,4 +50,4 @@
# netutils wrapper may only use the following capabilities.
neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
+neverallow { domain userdebug_or_eng(`-overlay_remounter') } netutils_wrapper_exec:file execute_no_trans;
diff --git a/private/overlay_remounter.te b/private/overlay_remounter.te
new file mode 100644
index 0000000..cc00c30
--- /dev/null
+++ b/private/overlay_remounter.te
@@ -0,0 +1,40 @@
+userdebug_or_eng(`
+ # Domain used for overlay_remounter process
+
+ # All types must be defined regardless of build variant to ensure
+ # policy compilation succeeds with userdebug/user combination at boot
+ type overlay_remounter, domain, coredomain;
+
+ # File types must be defined for file_contexts.
+ type overlay_remounter_exec, system_file_type, exec_type, file_type;
+
+ domain_auto_trans(overlay_remounter, init_exec, init)
+
+ allow overlay_remounter init:process share;
+ allow overlay_remounter init:process2 nosuid_transition;
+ allow overlay_remounter kernel:fd use;
+ allow overlay_remounter tmpfs:chr_file { open read write };
+ allow overlay_remounter labeledfs:filesystem { mount unmount };
+ allow overlay_remounter overlayfs_file:chr_file { unlink create link rename };
+ allow overlay_remounter overlayfs_file:dir create_dir_perms;
+ allow overlay_remounter overlayfs_file:file { create open rename unlink write };
+ allow overlay_remounter self:capability { chown fowner sys_admin dac_override dac_read_search };
+ allow overlay_remounter unlabeled:dir { rmdir search };
+ use_bootstrap_libs(overlay_remounter)
+
+ # overlay_remounter must be able to perform all possible operations
+ # on the overlaid partitions
+ allow overlay_remounter {
+ system_dlkm_file_type
+ vendor_file_type
+ system_file_type
+ adb_keys_file
+ }:{ file } ~{ entrypoint };
+
+ allow overlay_remounter {
+ system_dlkm_file_type
+ vendor_file_type
+ system_file_type
+ adb_keys_file
+ }:{ dir lnk_file } *;
+')
diff --git a/private/vendor_toolbox.te b/private/vendor_toolbox.te
index 178fa8f..5421dd5 100644
--- a/private/vendor_toolbox.te
+++ b/private/vendor_toolbox.te
@@ -7,5 +7,6 @@
coredomain
-init
-modprobe
+ userdebug_or_eng(`-overlay_remounter')
} vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
')
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 259c402..95bdd1c 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -115,8 +115,16 @@
r_dir_file(virtualizationmanager, vendor_microdroid_file)
# Do not allow writing vendor_microdroid_file from any process.
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
+neverallow {
+ domain
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:file no_w_file_perms;
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);