Initial selinux policy support for memfd
Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO clean up other app tmpfs types in a
separate change.
Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.
Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
diff --git a/private/app.te b/private/app.te
index 4e433eb..1ef415a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,15 +1,3 @@
-# TODO: deal with tmpfs_domain pub/priv split properly
-# Read system properties managed by zygote.
-allow appdomain zygote_tmpfs:file read;
-
-# Read from (but not create) system_server buffers transferred through
-# ashmem, e.g. battery stats.
-allow appdomain system_server_tmpfs:file read;
-
-# Get info from priv_app through ashmem, such as contact
-# info etc.
-allow appdomain priv_app_tmpfs:file read;
-
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c762fbb..bc49c99 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -7,8 +7,6 @@
( new_objects
activity_task_service
adb_service
- app_binding_service
- app_prediction_service
apex_data_file
apex_mnt_dir
apex_key_file
@@ -17,6 +15,9 @@
apexd_exec
apexd_prop
apexd_tmpfs
+ appdomain_tmpfs
+ app_binding_service
+ app_prediction_service
app_zygote
app_zygote_tmpfs
biometric_service
@@ -47,6 +48,7 @@
external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
+ hal_graphics_composer_server_tmpfs
hal_health_storage_hwservice
hal_input_classifier_hwservice
hal_power_stats_hwservice
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index eb90cdc..2e654d6 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -2,3 +2,6 @@
init_daemon_domain(mediaextractor)
tmpfs_domain(mediaextractor)
+allow mediaextractor appdomain_tmpfs:file { getattr map read write };
+allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
+allow mediaextractor system_server_tmpfs:file { getattr map read write };
diff --git a/private/mls b/private/mls
index 421b046..9690440 100644
--- a/private/mls
+++ b/private/mls
@@ -57,14 +57,14 @@
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+ ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+ ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
@@ -76,7 +76,7 @@
(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
@@ -84,7 +84,7 @@
(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 36e784f..b1aa775 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -4,6 +4,7 @@
type surfaceflinger_exec, system_file_type, exec_type, file_type;
init_daemon_domain(surfaceflinger)
+tmpfs_domain(surfaceflinger)
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;
@@ -13,6 +14,7 @@
# Perform HwBinder IPC.
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
+typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
diff --git a/private/system_server.te b/private/system_server.te
index 1003994..f91461c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -13,6 +13,7 @@
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server zygote_tmpfs:file read;
+allow system_server appdomain_tmpfs:file { getattr map read write };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;