Merge "Track system_server SELinux denial."
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9dd2ee7..fb4a9e6 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -634,7 +634,9 @@
(typeattributeset system_app_data_file_26_0 (system_app_data_file))
(typeattributeset system_app_service_26_0 (system_app_service))
(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 06f4c91..2272903 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1351,7 +1351,9 @@
(typeattributeset system_app_data_file_27_0 (system_app_data_file))
(typeattributeset system_app_service_27_0 (system_app_service))
(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0 (system_data_file))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_27_0 (system_file))
(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
diff --git a/private/file_contexts b/private/file_contexts
index 25d0d9d..321cfbe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -425,6 +425,9 @@
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
# storaged proto files
/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
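Review bot: These three entries assign a new type to directories that already exist on upgrading devices, where their inodes currently carry system_data_file from the `/data` default; a file_contexts change by itself does not relabel existing files. Unless the boot-time restorecon of /data covers `/data/vendor`, `/data/vendor_ce` and `/data/vendor_de`, the vendor_data_file rules added in this change would only take effect on fresh installs, and upgraded devices would behave differently. I cannot see the init configuration from here, so this is something to confirm rather than a definite defect.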
diff --git a/private/perfetto.te b/private/perfetto.te
index 389fdf4..9ac5d87 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -53,7 +53,15 @@
neverallow perfetto domain:process ptrace;
# Disallows access to other /data files.
-neverallow perfetto { data_file_type -system_data_file -zoneinfo_data_file -perfetto_traces_data_file }:dir *;
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
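Review bot: The comment on the new `-vendor_data_file` exemption says access is "further restricted in a subsequent neverallow", but the next rule in this file, `neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`, still names only system_data_file, so nothing in perfetto.te limits perfetto to getattr/search on vendor_data_file dirs; the restriction would have to come from the full_treble_only coredomain rule in domain.te, which does not apply on non-Treble builds and exempts data_between_core_and_vendor_violators. The same gap exists in traced.te, where `neverallow traced { system_data_file }:dir ~{ getattr search };` was rewritten to brace form without the new type being added, and in traced_probes.te. Add the type to the follow-up rule so the comment holds locally: `neverallow perfetto { system_data_file vendor_data_file -perfetto_traces_data_file }:dir ~{ getattr search };`.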
diff --git a/private/traced.te b/private/traced.te
index bb7a091..531ecc2 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -27,8 +27,15 @@
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
-neverallow traced system_data_file:dir ~{ getattr search };
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced { data_file_type -zoneinfo_data_file }:file ~write;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 15c51d4..26e0051 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -44,7 +44,14 @@
neverallow traced_probes domain:process ptrace;
# Disallows access to /data files.
-neverallow traced { data_file_type -system_data_file -zoneinfo_data_file }:dir *;
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
neverallow traced system_data_file:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
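Review bot: The rewritten neverallow in traced_probes.te still names `traced` as the source domain, as do the unchanged rules that follow it, so it constrains traced rather than traced_probes and the comment "Disallows access to /data files" is not enforced for this domain; this looks like a carry-over from traced.te. If traced_probes is meant to carry the same restriction, the source should read `neverallow traced_probes {` here and in the rules below. As written the block merely duplicates traced.te, which is harmless today but will silently diverge the next time one of the two copies is edited.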
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 58e510e..af1f442 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -9,7 +9,10 @@
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs system_data_file:dir { open read write add_name remove_name };
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name };
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 67eafc2..6f50552 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -208,11 +208,15 @@
r_dir_file(domain, sysfs_usb);
# files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
# required by the dynamic linker
allow domain proc:lnk_file { getattr read };
@@ -791,6 +795,9 @@
} {
data_file_type
-core_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
}:dir *;
')
@@ -819,6 +826,7 @@
} {
core_data_file_type
-system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
-zoneinfo_data_file
}:dir *;
')
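Review bot: The added `-vendor_data_file` inside the `{ core_data_file_type ... }` set is a no-op, because file.te in this same change declares `type vendor_data_file, file_type, data_file_type;` without core_data_file_type, so the type is never a member of the set it is being subtracted from. It is harmless, but a reader will take it as evidence that vendor_data_file is core data; either drop the line or annotate it, e.g. `-vendor_data_file # not core_data_file_type; listed for symmetry with the data_file_type rule above`. The enclosing neverallow starts before this hunk.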
@@ -834,6 +842,30 @@
}:dir ~{ getattr search };
')
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
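Review bot: The comment on the new file_class_set neverallow repeats the dir one, `# coredomains may not access dirs in /data/vendor.`, but the rule covers files and deliberately leaves `append getattr ioctl read write` open to every coredomain, which is the part a reader needs explained; suggest `# coredomains may not create, unlink or rename files in /data/vendor; read/write/append/ioctl stay open` followed by the reason (presumably so vendor-created file descriptors can be handed to coredomains, as the traced.te comment implies — confirm and cite the bug). The inline comment on the dir rule, `vendor_data_file # default label for files on /data. Covered below`, was copied from the system_data_file rule and is wrong on both counts; reuse the wording of the file rule, `# default label for files on /data/vendor{,_ce,_de}.`. The differing exemption lists (vold and vold_prepare_subdirs on the dir rule only) are consistent with vold.te and vold_prepare_subdirs.te, which grant only dir-class permissions on vendor_data_file.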
diff --git a/public/file.te b/public/file.te
index d1feb3a..0aa7ece 100644
--- a/public/file.te
+++ b/public/file.te
@@ -160,6 +160,8 @@
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
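Review bot: The new comment `# Default type for anything under /data/vendor{_ce,_de}.` expands to /data/vendor_ce and /data/vendor_de only, while the file_contexts hunk in this change also labels `/data/vendor(/.*)?` with this type and domain.te writes the set as /data/vendor{,_ce,_de}. Change it to `# Default type for anything under /data/vendor{,_ce,_de}.` so the declaration matches the labels actually assigned.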
diff --git a/public/vold.te b/public/vold.te
index 0107ebd..95847cf 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -113,6 +113,9 @@
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
# for secdiscard
allow vold system_data_file:file read;
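Review bot: The comment `# Vold create users in /data/vendor_{ce,de}/[0-9]+` reads awkwardly and uses a different path spelling from the `{,_ce,_de}` form in domain.te and file.te; suggest `# vold creates the per-user directories /data/vendor_{ce,de}/[0-9]+`. Granting create_dir_perms on the dir class only is consistent with vold being exempted from the coredomain dir neverallow in domain.te but not from the file_class_set one, which is worth stating here so the two files are not changed independently.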