Add sepolicy for /metadata/password_slots.
The device OS and an installed GSI will both attempt to write
authentication data to the same weaver slots. To prevent this, we can
use the /metadata partition (required for GSI support) to communicate
which slots are in use between OS images.
To do this we define a new /metadata/password_slots directory and define
sepolicy to allow system_server (see PasswordSlotManager) to access it.
Bug: 123716647
Test: no denials on crosshatch
Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8e0a7ab..70ceaca 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -93,6 +93,7 @@
network_stack_service
network_stack_tmpfs
overlayfs_file
+ password_slot_metadata_file
permissionmgr_service
postinstall_apex_mnt_dir
recovery_socket
diff --git a/private/file_contexts b/private/file_contexts
index 39244c1..33b4e18 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -619,6 +619,7 @@
/metadata(/.*)? u:object_r:metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
#############################
# asec containers
diff --git a/private/system_server.te b/private/system_server.te
index db51da3..a2cbc6f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1018,6 +1018,12 @@
allow system_server apex_data_file:dir search;
allow system_server apex_data_file:file r_file_perms;
+# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
+# communicate which slots are available for use.
+allow system_server metadata_file:dir search;
+allow system_server password_slot_metadata_file:dir rw_dir_perms;
+allow system_server password_slot_metadata_file:file create_file_perms;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
@@ -1028,3 +1034,12 @@
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
+
+# Only system_server/init should access /metadata/password_slots.
+neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
diff --git a/public/file.te b/public/file.te
index 514f23d..65b10d6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -199,6 +199,8 @@
type vold_metadata_file, file_type;
# GSI files within /metadata
type gsi_metadata_file, file_type;
+# system_server shares Weaver slot information in /metadata
+type password_slot_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 76ee7a4..528d8ba 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -50,6 +50,7 @@
-exec_type
-system_file_type
-mnt_product_file
+ -password_slot_metadata_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -62,6 +63,7 @@
file_type
-core_data_file_type
-exec_type
+ -password_slot_metadata_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -74,6 +76,7 @@
file_type
-core_data_file_type
-exec_type
+ -password_slot_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -86,6 +89,7 @@
-apex_mnt_dir
-core_data_file_type
-exec_type
+ -password_slot_metadata_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -98,6 +102,7 @@
-core_data_file_type
-exec_type
-mnt_product_file
+ -password_slot_metadata_file
-system_file_type
-vendor_file_type
-vold_metadata_file