init can call setns
init now creates two mount namespaces: one for pre-apexd processes and
the other for post-apexd processes. This is to mount different files to
the same mount point at /bionic. For pre-apexd processes, the bootstrap
Bionic is mounted. For post-apexd processes, the default Bionic (from
the runtime APEX) is mounted.
Using unshare and setns, init first starts with the mount namespace for
the pre-apexd processes and then switches to the other mount namespace when APEXes
are ready. It then occasionally switches back to the pre-apexd mount namespace
when it has to re-launch a pre-apexd process (e.g. because the process has
crashed).
In doing so, read access to /proc/self/ns/mnt is granted to init as
well.
Bug: 120266448
Bug: 122717176
Test: m device boots
Change-Id: Idbf15cbf5cc36b9993d718d4d887cd8f23a94666
diff --git a/private/coredomain.te b/private/coredomain.te
index db62cb9..9899d02 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -90,6 +90,7 @@
# /proc
neverallow {
coredomain
+ -init
-vold
} proc:file no_rw_file_perms;
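Review bot: the `-init` exemption carves init out of the entire `proc:file no_rw_file_perms` neverallow, which is broader than the need stated in the commit message (read access to /proc/self/ns/mnt for setns). Add a comment on the `-init` line citing the bug and the reason, and consider whether a dedicated label for the ns files would let the neverallow stay intact for init as it does for the rest of coredomain.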
diff --git a/public/init.te b/public/init.te
index 63edb20..7a8bc58 100644
--- a/public/init.te
+++ b/public/init.te
@@ -70,6 +70,9 @@
# Call mount(2).
allow init self:global_capability_class_set sys_admin;
+# Call setns(2).
+allow init self:global_capability_class_set sys_chroot;
+
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
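Review bot: the comment `# Call setns(2).` does not say why a chroot capability is the one being granted; expand it so the next reader does not assume a copy-paste error, e.g. "setns(2) into a mount namespace requires CAP_SYS_CHROOT in addition to the CAP_SYS_ADMIN granted above for mount(2)." Note also that `sys_chroot` additionally lets init call chroot(2), which this change does not need; that is worth recording in the comment so the capability is not mistaken for a narrower grant.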
@@ -304,6 +307,7 @@
')
allow init {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
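Review bot: the new `proc` entry is justified only by `# b/67049235 processes /proc/<pid>/* files are mislabeled.`, while the commit message says the access is needed to read /proc/self/ns/mnt for setns; the comment should state that purpose and reference this change's bugs (120266448, 122717176) so the rule is not removed when the mislabeling bug is fixed. Since the generic `proc` type covers far more than the ns files, please confirm the permission set closing this allow block (not visible in the hunk) is limited to what reading /proc/self/ns/mnt requires.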