Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ac52f460c04ed89943969a265c3e0bd903d19a53^! / .
commitac52f460c04ed89943969a265c3e0bd903d19a53[log] [tgz]
authorAlex Deymo <deymo@google.com>Tue Apr 05 16:07:25 2016 -0700
committerAlex Deymo <deymo@google.com>Fri Apr 08 23:07:08 2016 -0700
treefcb9ca704a724eaa04e26b75055eb5ffc25c022d
parent541e9d50d1ee071895b5e33c519018e5ce3635a1 [diff]
Allow postinstall_file to be an entrypoint.

postinstall_file was an exec_type so it could be an entrypoint for the
domain_auto_trans from update_engine domain to postinstall domain. This
patch removes the exec_type from postinstall_file and exempts it from
the neverallow rule to become an entrypoint.

Bug: 28008031
TEST=postinstall_example still runs as the "postinstall" domain on edison-eng.

(cherry picked from commit a9671c6b9eff0b72ad797e2339865bd24222391b)

Change-Id: I2e1f61ed42f8549e959edbe047c56513903e8e9c

diff --git a/domain.te b/domain.te
index 5171fb3..9001773 100644
--- a/domain.te
+++ b/domain.te

@@ -217,8 +217,8 @@
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
 
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
 
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;

diff --git a/file.te b/file.te
index d842559..c6b2a49 100644
--- a/file.te
+++ b/file.te

@@ -124,7 +124,7 @@
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type, exec_type;
+type postinstall_file, file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;

diff --git a/postinstall.te b/postinstall.te
index 8afc561..938fcd2 100644
--- a/postinstall.te
+++ b/postinstall.te

@@ -18,3 +18,7 @@
 allow postinstall shell_exec:file rx_file_perms;
 allow postinstall system_file:file rx_file_perms;
 allow postinstall toolbox_exec:file rx_file_perms;
+
+# No domain other than update_engine should transition to postinstall, as it is
+# only meant to run during the update.
+neverallow { domain -update_engine } postinstall:process { transition dyntransition };