Add new snapuserd socket and property rules. This adds a new property prefix owned by snapuserd, for communicating when the service is ready to accept connections (snapuserd.ready and snapuserd.proxy_ready). This also adds a new socket context. This is a seqpacket socket used to communicate with a special instance of snapuserd that bridges to the first-stage daemon. Bug: 193833730 Test: no denials after OTA applies and boots Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b

commit: bf5b6ce422e3b5ba4868b5ecacb0fed1ecbff864 [log] [tgz]
author: David Anderson <dvander@google.com> Mon Jul 26 15:03:11 2021 -0700
committer: David Anderson <dvander@google.com> Tue Jul 27 10:50:59 2021 -0700
tree: f815867631dd5459d17209277a5447c0d02faf20
parent: 2179e112e16f09162175dab2c8f9373df8fb340b [diff]
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 1fcfa4d..06859d9 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil

@@ -10,6 +10,8 @@
     hal_system_suspend_service
     hal_tv_tuner_service
     power_stats_service
+    snapuserd_prop
+    snapuserd_proxy_socket
     tare_service
     transformer_service
     proc_watermark_boost_factor

diff --git a/private/file_contexts b/private/file_contexts
index c9b7c69..a5dd5a6 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -162,6 +162,7 @@
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
 /dev/socket/snapuserd u:object_r:snapuserd_socket:s0
+/dev/socket/snapuserd_proxy u:object_r:snapuserd_proxy_socket:s0
 /dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
 /dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0

diff --git a/private/property.te b/private/property.te
index 49d18ee..33eed5c 100644
--- a/private/property.te
+++ b/private/property.te

@@ -30,6 +30,7 @@
 system_internal_prop(profcollectd_node_id_prop)
 system_internal_prop(rollback_test_prop)
 system_internal_prop(setupwizard_prop)
+system_internal_prop(snapuserd_prop)
 system_internal_prop(system_adbd_prop)
 system_internal_prop(traced_perf_enabled_prop)
 system_internal_prop(userspace_reboot_log_prop)

diff --git a/private/property_contexts b/private/property_contexts
index fa5389d..198a50f 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -278,10 +278,12 @@
 sys.boot_from_charger_mode  u:object_r:charger_status_prop:s0 exact int
 ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
 
-# Virtual A/B properties
+# Virtual A/B and snapuserd properties
 ro.virtual_ab.enabled   u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.retrofit  u:object_r:virtual_ab_prop:s0 exact bool
 ro.virtual_ab.compression.enabled  u:object_r:virtual_ab_prop:s0 exact bool
+snapuserd.ready         u:object_r:snapuserd_prop:s0 exact bool
+snapuserd.proxy_ready   u:object_r:snapuserd_prop:s0 exact bool
 
 ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
 # Property to set/clear the warm reset flag after an OTA update.

diff --git a/private/snapuserd.te b/private/snapuserd.te
index d96b31e..2956891 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te

@@ -17,10 +17,24 @@
 allow snapuserd dm_user_device:dir r_dir_perms;
 allow snapuserd dm_user_device:chr_file rw_file_perms;
 
-# Reading and writing to /dev/socket/snapuserd.
+# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
 allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+allow snapuserd snapuserd_proxy_socket:sock_file write;
 
 # This arises due to first-stage init opening /dev/null without F_CLOEXEC
 # (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
 # again, the descriptor leaks into the new process.
 allow snapuserd kernel:fd use;
+
+# snapuserd.* properties
+set_prop(snapuserd, snapuserd_prop)
+
+# For inotify watching for /dev/socket/snapuserd_proxy to appear.
+allow snapuserd tmpfs:dir read;
+
+# Forbid anything other than snapuserd and init setting snapuserd properties.
+neverallow {
+  domain
+  -snapuserd
+  -init
+} snapuserd_prop:property_service set;

diff --git a/public/file.te b/public/file.te
index cf65c7d..2d98bb0 100644
--- a/public/file.te
+++ b/public/file.te

@@ -499,6 +499,7 @@
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
 type snapuserd_socket, file_type, coredomain_socket;
+type snapuserd_proxy_socket, file_type, coredomain_socket;
 type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
commit	bf5b6ce422e3b5ba4868b5ecacb0fed1ecbff864	[log] [tgz]
author	David Anderson <dvander@google.com>	Mon Jul 26 15:03:11 2021 -0700
committer	David Anderson <dvander@google.com>	Tue Jul 27 10:50:59 2021 -0700
tree	f815867631dd5459d17209277a5447c0d02faf20
parent	2179e112e16f09162175dab2c8f9373df8fb340b [diff]