Modify authfs related permissions

Allow microdroid_manager to start authfs when needed.

Migrate the authfs-related permissions from compos to
microdroid_payload, so it can be used by any payload.

Move a neverallow to the correct file.

Bug: 245262525
Test: atest MicrodroidTests MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I0f5eb9c11bdb427b1f78c9fc721c40de76add484
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 26dffe5..f4bb79b 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -2,18 +2,6 @@
 type compos, domain, coredomain, microdroid_payload;
 type compos_exec, exec_type, file_type, system_file_type;
 
-# Allow using various binder services
-binder_use(compos);
-allow compos authfs_binder_service:service_manager find;
-binder_call(compos, authfs_service);
-
-# Read artifacts created by odrefresh and create signature files.
-allow compos authfs_fuse:dir rw_dir_perms;
-allow compos authfs_fuse:file create_file_perms;
-
-# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir search;
-
 # Run derive_classpath in our domain
 allow compos derive_classpath_exec:file rx_file_perms;
 allow compos apex_mnt_dir:dir r_dir_perms;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d4ad862..bfaabe2 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -56,9 +56,10 @@
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
 allow microdroid_manager apex_mnt_dir:file create_file_perms;
 
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
+# Allow microdroid_manager to start various services
 set_prop(microdroid_manager, ctl_apexd_vm_prop)
 set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_authfs_prop)
 set_prop(microdroid_manager, ctl_seriallogging_prop)
 set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
 set_prop(microdroid_manager, ctl_zipfuse_prop)
@@ -93,4 +94,14 @@
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
 
+# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager,
+# in their own domains.
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
+neverallow microdroid_manager {
+  domain
+  -crash_dump
+  -microdroid_payload
+  -apkdmverity
+  -zipfuse
+  -kexec
+}:process transition;
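Review bot: The comment on the moved neverallow would be clearer if it explained why the services microdroid_manager starts through ctl.start$* properties (authfs_service, apexd-vm, seriallogging, tombstone_transmit) do not need an exemption in this list: the set_prop rules in the previous hunk only ask init to start them, so, assuming init spawns them as it does on regular Android, no process transition originates from microdroid_manager and this rule is unaffected. apkdmverity and zipfuse appear both among the ctl props and in the exemption list, which suggests microdroid_manager also execs those two directly; a line confirming that would save the next reader the same question. Suggested wording: `# Services started through ctl.start$* are spawned by init, not by microdroid_manager, and need no exemption here.`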
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index fd36b02..4ea187b 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,16 +27,6 @@
 # Write to /dev/kmsg.
 allow microdroid_payload kmsg_device:chr_file rw_file_perms;
 
-# Only microdroid_payload and a few other critical binaries can be run by microdroid_manager
-neverallow microdroid_manager {
-  domain
-  -crash_dump
-  -microdroid_payload
-  -apkdmverity
-  -zipfuse
-  -kexec
-}:process transition;
-
 # Allow microdroid_payload to open binder servers via vsock.
 allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
@@ -45,3 +35,15 @@
 
 # Payload can read /proc/meminfo.
 allow microdroid_payload proc_meminfo:file r_file_perms;
+
+# Allow use of authfs.
+binder_use(microdroid_payload);
+allow microdroid_payload authfs_binder_service:service_manager find;
+binder_call(microdroid_payload, authfs_service);
+
+# Allow locating the authfs mount directory.
+allow microdroid_payload authfs_data_file:dir search;
+
+# Read and write files authfs-proxied files.
+allow microdroid_payload authfs_fuse:dir rw_dir_perms;
+allow microdroid_payload authfs_fuse:file create_file_perms;
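Review bot: The comment on the last rule block has a stray word; it should read `# Read and write authfs-proxied files.`. More substantively, these rules now grant every domain carrying the microdroid_payload attribute (compos among them, per compos.te) find/call access to authfs_service plus rw_dir_perms and create_file_perms on authfs_fuse, where the deleted compos.te rules scoped the same access to one domain and documented it as reading odrefresh artifacts and creating signature files. Nothing in this policy decides what a payload may ask authfs_service to expose, so a one-line comment stating that authfs_service itself is expected to validate mount requests from payloads would help the next reviewer; if no such check exists in the service, that is worth confirming before this lands.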
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 569a0fe..cade2aa 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -27,6 +27,7 @@
 
 ctl.start$apexd-vm      u:object_r:ctl_apexd_vm_prop:s0
 ctl.start$apkdmverity   u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$authfs_service u:object_r:ctl_authfs_prop:s0
 ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
 ctl.start$tombstone_transmit     u:object_r:ctl_tombstone_transmit_prop:s0
 ctl.start$zipfuse       u:object_r:ctl_zipfuse_prop:s0
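Review bot: The new property type name departs from the pattern the surrounding entries follow, where `ctl.start$<service>` maps to `ctl_<service>_prop` (apexd-vm → ctl_apexd_vm_prop, tombstone_transmit → ctl_tombstone_transmit_prop); for `ctl.start$authfs_service` that would be `ctl_authfs_service_prop`, declared and used under that name in property.te and microdroid_manager.te as well. The value column of the added line is also out of alignment with its neighbours. Both are cosmetic, but the naming one matters when grepping from a service name to its control property.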
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 9363d9b..bab49f2 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -11,6 +11,7 @@
 type ctl_apexd_prop, property_type;
 type ctl_apexd_vm_prop, property_type;
 type ctl_apkdmverity_prop, property_type;
+type ctl_authfs_prop, property_type;
 type ctl_console_prop, property_type;
 type ctl_default_prop, property_type;
 type ctl_fuse_prop, property_type;