sepolicy: Add iorap_prefetcherd rules
/system/bin/iorapd fork+execs into /system/bin/iorap_prefetcherd during
startup
See also go/android-iorap-security for the design doc
Bug: 137403231
Change-Id: Ie8949c7927a98e0ab757bc46230c589b5a496360
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 133c9b2..eb99076 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -17,6 +17,10 @@
hal_can_controller_hwservice
hal_tv_tuner_hwservice
init_svc_debug_prop
+ iorap_prefetcherd
+ iorap_prefetcherd_data_file
+ iorap_prefetcherd_exec
+ iorap_prefetcherd_tmpfs
linker_prop
mock_ota_prop
ota_metadata_file
diff --git a/private/coredomain.te b/private/coredomain.te
index af91028..dac061a 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -56,6 +56,7 @@
-idmap
-init
-installd
+ -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -73,6 +74,7 @@
-idmap
-init
-installd
+ -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
diff --git a/private/domain.te b/private/domain.te
index 98251d0..3fc55a2 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -136,6 +136,7 @@
-app_zygote
-dexoptanalyzer
-installd
+ -iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -157,6 +158,7 @@
-appdomain
-app_zygote
-installd
+ -iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -201,6 +203,7 @@
domain
-appdomain
with_asan(`-asan_extract')
+ -iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@@ -284,6 +287,7 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
+ iorap_prefetcherd
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
diff --git a/private/file_contexts b/private/file_contexts
index 3e989e7..ac22908 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -289,6 +289,7 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
+/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
new file mode 100644
index 0000000..9ddb512
--- /dev/null
+++ b/private/iorap_prefecherd.te
@@ -0,0 +1,4 @@
+typeattribute iorap_prefetcherd coredomain;
+
+init_daemon_domain(iorap_prefetcherd)
+tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
index 91f4ddc..ba8ece3 100644
--- a/private/iorapd.te
+++ b/private/iorapd.te
@@ -2,3 +2,5 @@
init_daemon_domain(iorapd)
tmpfs_domain(iorapd)
+
+domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)