Sepolicy: Move otapreopt_chroot to private
Move complete domain to private/. Move referencing parts in domain
and kernel to private.
Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da
diff --git a/private/domain.te b/private/domain.te
index 537e61b..8431957 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -280,3 +280,19 @@
dac_override_allowed
traced_probes
} self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+ domain
+ -apexd
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ -init
+ -kernel
+ -otapreopt_chroot
+ -recovery
+ -update_engine
+ -vold
+ -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..c2ee607 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,32 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/public/domain.te b/public/domain.te
index a91cf40..8331d2d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -449,22 +449,6 @@
# Rather force a relabel to a more specific type.
neverallow domain device:chr_file { open read write };
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
diff --git a/public/kernel.te b/public/kernel.te
index 3ffb5ce..50e72c2 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -88,12 +88,6 @@
allow kernel apex_data_file:file read;
allow kernel staging_data_file:file read;
-# Likewise, allow the kernel to read otapreopt_chroot's file descriptors and
-# files under /postinstall, as it uses apexd logic to mount APEX packages in
-# /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index a8d5fda..0000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# otapreopt_chroot executable
-type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;