commit d6fdcefaa8344b65e1320b978e5bbe11eec44c24
author Andreas Gampe <agampe@google.com> Mon Mar 18 10:54:42 2019 -0700
committer Andreas Gampe <agampe@google.com> Mon Mar 18 10:54:42 2019 -0700
tree 6b6fccdc97c0e64b1b33e3613bc85c6bfc448ccb
parent ac9cd71feda148fde182e57978e460d6de116847

Sepolicy: Move otapreopt_chroot to private

Move complete domain to private/. Move referencing parts in domain
and kernel to private.

Bug: 128840749
Test: m
Change-Id: I5572c3b04e41141c8f4db62b1361e2b392a5e2da

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 537e61b..8431957 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -280,3 +280,19 @@
   dac_override_allowed
   traced_probes
 } self:global_capability_class_set dac_read_search;
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow {
+    domain
+    -apexd
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -init
+    -kernel
+    -otapreopt_chroot
+    -recovery
+    -update_engine
+    -vold
+    -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };

private/kernel.te

diff --git a/private/kernel.te b/private/kernel.te
index a4e6ebe..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,8 @@
 typeattribute kernel coredomain;
 
 domain_auto_trans(kernel, init_exec, init)
+
+# Allow the kernel to read otapreopt_chroot's file descriptors and files under
+# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
+allow kernel otapreopt_chroot:fd use;
+allow kernel postinstall_file:file read;

private/otapreopt_chroot.te

diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index aea2faa..c2ee607 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,32 @@
-typeattribute otapreopt_chroot coredomain;
+# otapreopt_chroot executable
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor and mount/unmount ext4 images from
+# APEX packages in /postinstall/apex.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem { mount unmount };
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt_chroot to read SELinux policy files.
+allow otapreopt_chroot file_contexts_file:file r_file_perms;
+
+# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
+allow otapreopt_chroot postinstall_file:dir r_dir_perms;
+# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
+get_prop(otapreopt_chroot, apexd_prop)
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
 
 # Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)