Add sepolicy for /metadata/password_slots. The device OS and an installed GSI will both attempt to write authentication data to the same weaver slots. To prevent this, we can use the /metadata partition (required for GSI support) to communicate which slots are in use between OS images. To do this we define a new /metadata/password_slots directory and define sepolicy to allow system_server (see PasswordSlotManager) to access it. Bug: 123716647 Test: no denials on crosshatch Change-Id: I8e3679d332503b5fb8a8eb6455de068c22eba30b

commit: d99b7fd3f9be1c7ad2b434042e37db4e0cb41c54 [log] [tgz]
author: David Anderson <dvander@google.com> Thu Feb 28 14:11:34 2019 -0800
committer: David Anderson <dvander@google.com> Thu Mar 07 16:19:15 2019 +0000
tree: fd7187fed9c24cc6c4a3c8f84902e49351f0fa31
parent: a116e1afe5b28d4ed431a9b827dc3da8dc4e26cc [diff]
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8e0a7ab..70ceaca 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil

@@ -93,6 +93,7 @@
     network_stack_service
     network_stack_tmpfs
     overlayfs_file
+    password_slot_metadata_file
     permissionmgr_service
     postinstall_apex_mnt_dir
     recovery_socket

diff --git a/private/file_contexts b/private/file_contexts
index 39244c1..33b4e18 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -619,6 +619,7 @@
 /metadata(/.*)?           u:object_r:metadata_file:s0
 /metadata/vold(/.*)?      u:object_r:vold_metadata_file:s0
 /metadata/gsi(/.*)?       u:object_r:gsi_metadata_file:s0
+/metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 
 #############################
 # asec containers

diff --git a/private/system_server.te b/private/system_server.te
index db51da3..a2cbc6f 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1018,6 +1018,12 @@
 allow system_server apex_data_file:dir search;
 allow system_server apex_data_file:file r_file_perms;
 
+# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
+# communicate which slots are available for use.
+allow system_server metadata_file:dir search;
+allow system_server password_slot_metadata_file:dir rw_dir_perms;
+allow system_server password_slot_metadata_file:file create_file_perms;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
@@ -1028,3 +1034,12 @@
 # CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
 # file read access. However, that is now unnecessary (b/34951864)
 neverallow system_server system_server:global_capability_class_set sys_resource;
+
+# Only system_server/init should access /metadata/password_slots.
+neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
+neverallow {
+  domain
+  -init
+  -system_server
+} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
commit	d99b7fd3f9be1c7ad2b434042e37db4e0cb41c54	[log] [tgz]
author	David Anderson <dvander@google.com>	Thu Feb 28 14:11:34 2019 -0800
committer	David Anderson <dvander@google.com>	Thu Mar 07 16:19:15 2019 +0000
tree	fd7187fed9c24cc6c4a3c8f84902e49351f0fa31
parent	a116e1afe5b28d4ed431a9b827dc3da8dc4e26cc [diff]