Merge "sepolicy: allow system_server to read /proc/locks"
diff --git a/private/kernel.te b/private/kernel.te
index 207800e..70ca912 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,8 +1,32 @@
 typeattribute kernel coredomain;
 
 domain_auto_trans(kernel, init_exec, init)
+domain_auto_trans(kernel, snapuserd_exec, snapuserd)
 
 # Allow the kernel to read otapreopt_chroot's file descriptors and files under
 # /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
 allow kernel otapreopt_chroot:fd use;
 allow kernel postinstall_file:file read;
+
+# The following sections are for the transition period during a Virtual A/B
+# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
+# context, and with properly labelled devices. This must be done before
+# enabling enforcement, eg, in permissive mode while still in the kernel
+# context.
+allow kernel tmpfs:blk_file { getattr relabelfrom };
+allow kernel tmpfs:chr_file { getattr relabelfrom };
+allow kernel tmpfs:lnk_file { getattr relabelfrom };
+allow kernel tmpfs:dir { open read relabelfrom };
+
+allow kernel block_device:blk_file relabelto;
+allow kernel block_device:lnk_file relabelto;
+allow kernel dm_device:chr_file relabelto;
+allow kernel dm_device:blk_file relabelto;
+allow kernel dm_user_device:dir { read open search relabelto };
+allow kernel dm_user_device:chr_file relabelto;
+allow kernel kmsg_device:chr_file relabelto;
+allow kernel null_device:chr_file relabelto;
+allow kernel random_device:chr_file relabelto;
+allow kernel snapuserd_exec:file relabelto;
+
+allow kernel kmsg_device:chr_file write;
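Review bot: The relabel grants on the kernel domain (tmpfs relabelfrom on lines 22–25, relabelto on lines 27–36) are justified by the comment as happening "in permissive mode while still in the kernel context", but in permissive mode an allow rule only suppresses the audit denial — it is not what makes the relabel succeed — so these rules are effectively a permanent grant that stays in force once enforcing, and the comment should say so rather than imply they are transient. Suggested addition to the block comment: `# In permissive mode these rules only keep the relabel from logging denials; they remain in effect after enforcing is enabled.`. Worth calling out in particular that `allow kernel snapuserd_exec:file relabelto;` lets any kernel-domain process label an arbitrary file as a snapuserd entrypoint and then transition into snapuserd via the new domain_auto_trans on line 10 — presumably acceptable since the kernel domain is already fully trusted, but it should be stated. The trailing `allow kernel kmsg_device:chr_file write;` on line 38 is the only new rule with no comment; a one-liner such as `# snapuserd logs to /dev/kmsg before re-exec` (or whatever the actual consumer is) would make it reviewable.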
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 99ee90f..d96b31e 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -16,3 +16,11 @@
 # Reading and writing to dm-user control nodes.
 allow snapuserd dm_user_device:dir r_dir_perms;
 allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;
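Review bot: `allow snapuserd kernel:fd use;` on line 54 grants use of every descriptor inherited from the kernel domain, not just the /dev/null fd the comment describes, so it papers over the leak rather than fixing it; the durable fix is in init (open /dev/null with O_CLOEXEC, or close inherited fds before the execveat), after which this rule can be dropped. Suggest marking that intent so it does not become permanent: `# TODO: remove once init opens /dev/null with O_CLOEXEC.`. Also, the comment's `F_CLOEXEC` is not a real flag — the open(2) flag is `O_CLOEXEC` and the fcntl(2) descriptor flag is `FD_CLOEXEC`; `without F_CLOEXEC` should read `without O_CLOEXEC`. The socket rule on line 49 omits `create`/`bind`, which is consistent with init creating /dev/socket/snapuserd and handing it over, but a short note to that effect would save the next reader from wondering why snapuserd cannot bind its own socket.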
diff --git a/public/init.te b/public/init.te
index 0bbeb29..35d4134 100644
--- a/public/init.te
+++ b/public/init.te
@@ -37,6 +37,7 @@
 allow init tmpfs:blk_file getattr;
 allow init block_device:{ dir blk_file lnk_file } relabelto;
 allow init dm_device:{ chr_file blk_file } relabelto;
+allow init dm_user_device:chr_file relabelto;
 allow init kernel:fd use;
 # restorecon for early mount device symlinks
 allow init tmpfs:lnk_file { getattr read relabelfrom };
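Review bot: The new `allow init dm_user_device:chr_file relabelto;` on line 63 is the only rule in this early-mount relabel group tied to a specific feature, and nothing here says why init must relabel dm-user nodes; since dm_user_device appears to be new with this change, a comment would help future cleanup. Suggested: `# dm-user control nodes used by snapuserd during Virtual A/B OTA boot`. Note that kernel.te in the same change also grants `dm_user_device:dir relabelto` to the kernel domain while init receives only the chr_file grant — if init is expected to restorecon the containing directory too, that permission is missing here; if not, the asymmetry is worth a sentence.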
@@ -543,6 +544,9 @@
 allow init dm_device:chr_file rw_file_perms;
 allow init dm_device:blk_file rw_file_perms;
 
+# Access dm-user for OTA boot
+allow init dm_user_device:chr_file rw_file_perms;
+
 # Access metadata block device for storing dm-verity state
 allow init metadata_block_device:blk_file rw_file_perms;