Update permissions for the dedicated profile folders
Bug: 26719109
Bug: 26563023
Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995
diff --git a/app.te b/app.te
index b89d4e1..438e01f 100644
--- a/app.te
+++ b/app.te
@@ -110,6 +110,10 @@
allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
allow appdomain shell_data_file:file { write getattr };
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
# % adb shell dumpsys procstats --start-testing
diff --git a/dex2oat.te b/dex2oat.te
index df3cc42..58fcef8 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, mlstrustedsubject, domain_deprecated;
+type dex2oat, domain, domain_deprecated;
type dex2oat_exec, exec_type, file_type;
allow dex2oat dalvikcache_data_file:file write;
@@ -15,7 +15,7 @@
allow dex2oat unlabeled:file read;
allow dex2oat oemfs:file read;
allow dex2oat apk_tmp_file:file read;
-allow dex2oat app_data_file:file {read write lock};
+allow dex2oat user_profile_data_file:file {read lock};
##################
# A/B OTA Dexopt #
diff --git a/domain.te b/domain.te
index e24036b..9d377e5 100644
--- a/domain.te
+++ b/domain.te
@@ -551,3 +551,11 @@
-ueventd
-vold
} fuse_device:chr_file *;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
diff --git a/file.te b/file.te
index 685cfe0..ff60c04 100644
--- a/file.te
+++ b/file.te
@@ -85,6 +85,8 @@
type dalvikcache_data_file, file_type, data_file_type;
# /data/ota
type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type;
# /data/local - writable by shell
diff --git a/file_contexts b/file_contexts
index 9222324..ed8e30e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -203,6 +203,7 @@
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -289,6 +290,10 @@
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
diff --git a/installd.te b/installd.te
index f685a48..688a7e6 100644
--- a/installd.te
+++ b/installd.te
@@ -66,6 +66,9 @@
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
@@ -109,6 +112,10 @@
autoplay_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+
# Create and use pty created by android_fork_execvp().
allow installd devpts:chr_file rw_file_perms;
diff --git a/profman.te b/profman.te
new file mode 100644
index 0000000..ac34e89
--- /dev/null
+++ b/profman.te
@@ -0,0 +1,9 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { read write lock };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/untrusted_app.te b/untrusted_app.te
index 30364b0..189f3c5 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -171,6 +171,7 @@
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
diff --git a/vold.te b/vold.te
index 9a1ccfe..fb3673c 100644
--- a/vold.te
+++ b/vold.te
@@ -185,6 +185,9 @@
# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;