Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to
memfd. In order for tmpfs objects to be usable across the Treble
boundary, they need to be declared in public policy, whereas they are
currently all declared in private policy as part of the
tmpfs_domain() macro. Remove the type declaration from the
macro, and remove tmpfs_domain() from the init_daemon_domain() macro
to avoid having to declare the *_tmpfs types for all init launched
domains. tmpfs is mostly used by apps and the media frameworks.
Bug: 122854450
Test: Boot Taimen and blueline. Watch videos, make phone calls, browse
internet, send text, install angry birds...play angry birds, keep
playing angry birds...
Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
diff --git a/private/audioserver.te b/private/audioserver.te
index 6482c61..0bc52bf 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -4,6 +4,7 @@
type audioserver_exec, exec_type, file_type, system_file_type;
init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 97830c1..b0a32e4 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
apexd_prop
apexd_tmpfs
app_zygote
+ app_zygote_tmpfs
biometric_service
bpf_progs_loaded_prop
bugreport_service
@@ -75,6 +76,7 @@
mnt_product_file
network_stack
network_stack_service
+ network_stack_tmpfs
overlayfs_file
permissionmgr_service
recovery_socket
@@ -85,11 +87,13 @@
rss_hwm_reset
rss_hwm_reset_exec
runas_app
+ runas_app_tmpfs
runtime_service
sensor_privacy_service
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
+ su_tmpfs
super_block_device
system_event_log_tags_file
system_lmk_prop
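Review bot: Only app_zygote_tmpfs, network_stack_tmpfs, runas_app_tmpfs and su_tmpfs are added to the 28.0 ignore list here, while this commit declares many more *_tmpfs types in public policy. Presumably the others already existed in the 28.0 policy, declared privately by the old tmpfs_domain() macro, and are therefore covered by the 28.0 compatibility mapping, but that should be confirmed, since a newly public type that is in neither the mapping nor the ignore list breaks the compat build. Stating that rationale in the commit message would make the split between "new" and "pre-existing" *_tmpfs types easier to audit.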
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 212608b..ab24120 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,6 +1,7 @@
# dexoptanalyzer
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
diff --git a/private/logd.te b/private/logd.te
index 4338e40..321727b 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -4,10 +4,8 @@
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd {
file_type
- -logd_tmpfs
-runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };
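Review bot: With `-logd_tmpfs` dropped and logd no longer receiving tmpfs_domain() through init_daemon_domain(), any file logd creates on a tmpfs mount now keeps the `tmpfs` label and is caught by this neverallow on create/write/append. That is tighter than before and is presumably intended, but it should be confirmed that logd (and likewise recovery_persist and recovery_refresh, whose neverallows lose the same exclusion later in this diff) never creates tmpfs/ashmem-backed files, because a miss will only show up as a runtime denial rather than at build time. A short comment such as `# logd has no tmpfs_domain(), so tmpfs-backed files it creates fall under this rule` would record the intent where the next reader of the neverallow will look for it.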
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index c1a8521..eb90cdc 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,4 @@
typeattribute mediaextractor coredomain;
init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 4c30bc0..b1cf64a 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,6 +1,7 @@
typeattribute mediaserver coredomain;
init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
# allocate and use graphic buffers
hal_client_domain(mediaserver, hal_graphics_allocator)
diff --git a/private/perfetto.te b/private/perfetto.te
index 2e43d90..128205b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -4,6 +4,7 @@
# daemon.
type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
tmpfs_domain(perfetto);
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 1fdd758..2d244fd 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -3,5 +3,4 @@
init_daemon_domain(recovery_persist)
# recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index 327098d..b6cd56f 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -3,5 +3,4 @@
init_daemon_domain(recovery_refresh)
# recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 4bd10c8..bd7b2c0 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -1,4 +1,5 @@
type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
tmpfs_domain(system_server_startup)
diff --git a/private/traced.te b/private/traced.te
index 33c5ac0..6dae15c 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,9 +1,11 @@
# Perfetto user-space tracing daemon (unprivileged)
type traced, domain, coredomain, mlstrustedsubject;
type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
+tmpfs_domain(traced)
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
index 14009c6..3c9c1ee 100644
--- a/private/viewcompiler.te
+++ b/private/viewcompiler.te
@@ -1,6 +1,7 @@
# viewcompiler
type viewcompiler, domain, coredomain, mlstrustedsubject;
type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
diff --git a/public/app_zygote.te b/public/app_zygote.te
index 0d5fec1..4c1ec96 100644
--- a/public/app_zygote.te
+++ b/public/app_zygote.te
@@ -3,3 +3,4 @@
# spawned from the regular zygote process as a "child zygote".
type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
diff --git a/public/audioserver.te b/public/audioserver.te
index 9a72858..2ad86e3 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -1,2 +1,3 @@
# audioserver - audio services daemon
type audioserver, domain;
+type audioserver_tmpfs, file_type;
diff --git a/public/bluetooth.te b/public/bluetooth.te
index 9b3442a..28a169f 100644
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
@@ -1,2 +1,3 @@
# bluetooth subsystem
type bluetooth, domain;
+type bluetooth_tmpfs, file_type;
diff --git a/public/domain.te b/public/domain.te
index d29adc2..0c855c1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -52,6 +52,7 @@
')
# Root fs.
+allow domain tmpfs:dir { getattr search };
allow domain rootfs:dir search;
allow domain rootfs:lnk_file { read getattr };
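Review bot: `allow domain tmpfs:dir { getattr search };` grants every domain directory search/getattr on tmpfs mounts, where previously only callers of tmpfs_domain() received it, so domains that never had tmpfs_domain() (logd and the recovery daemons in this same change, among others) now gain it. Search only permits traversal and the object permissions on the files still apply, so the practical widening looks small, but the rule carries no comment explaining why it must be global rather than staying inside tmpfs_domain(). Suggest adding `# Every domain may traverse tmpfs directories; this grant was moved out of tmpfs_domain() so it no longer depends on a domain having a unique *_tmpfs type.` — and if the real motivation is the memfd migration named in the commit message, say that instead.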
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index dc39a22..5993c0b 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,3 +12,4 @@
### PackageManager flags an app as ephemeral at install time.
type ephemeral_app, domain;
+type ephemeral_app_tmpfs, file_type;
diff --git a/public/init.te b/public/init.te
index 9f9d66d..3bdfbec 100644
--- a/public/init.te
+++ b/public/init.te
@@ -1,8 +1,7 @@
# init is its own domain.
type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
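Review bot: The hunk also deletes the comment `# The init domain is entered by execing init.` above `type init_exec`, which looks incidental to adding `init_tmpfs` and removes the only documentation of init_exec. Keeping that comment and its preceding blank line and inserting `type init_tmpfs, file_type;` after the init_exec declaration would limit the hunk to the intended change. Declaring init_tmpfs publicly also only makes sense if private policy still invokes tmpfs_domain(init); that call is not visible in this diff, so it is worth confirming.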
diff --git a/public/isolated_app.te b/public/isolated_app.te
index a907dac..584d743 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -7,3 +7,4 @@
###
type isolated_app, domain;
+type isolated_app_tmpfs, file_type;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 4edab55..ee5534c 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -1,6 +1,7 @@
# mediaextractor - multimedia daemon
type mediaextractor, domain;
type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
typeattribute mediaextractor mlstrustedsubject;
diff --git a/public/mediaprovider.te b/public/mediaprovider.te
index 24170a5..90eb053 100644
--- a/public/mediaprovider.te
+++ b/public/mediaprovider.te
@@ -4,3 +4,4 @@
###
type mediaprovider, domain;
+type mediaprovider_tmpfs, file_type;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 540c039..ee2d2ec 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -1,6 +1,7 @@
# mediaserver - multimedia daemon
type mediaserver, domain;
type mediaserver_exec, system_file_type, exec_type, file_type;
+type mediaserver_tmpfs, file_type;
typeattribute mediaserver mlstrustedsubject;
diff --git a/public/network_stack.te b/public/network_stack.te
index feff664..61a40b0 100644
--- a/public/network_stack.te
+++ b/public/network_stack.te
@@ -1,2 +1,3 @@
# Network stack service app
type network_stack, domain;
+type network_stack_tmpfs, file_type;
diff --git a/public/nfc.te b/public/nfc.te
index e3a03e7..5c1aa24 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -1,2 +1,3 @@
# nfc subsystem
type nfc, domain;
+type nfc_tmpfs, file_type;
diff --git a/public/platform_app.te b/public/platform_app.te
index 9b1faf0..b7d783d 100644
--- a/public/platform_app.te
+++ b/public/platform_app.te
@@ -3,3 +3,4 @@
###
type platform_app, domain;
+type platform_app_tmpfs, file_type;
diff --git a/public/priv_app.te b/public/priv_app.te
index 0761fc3..7c7dd12 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -3,3 +3,4 @@
###
type priv_app, domain;
+type priv_app_tmpfs, file_type;
diff --git a/public/radio.te b/public/radio.te
index 8a8bef3..bbaa752 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -1,5 +1,6 @@
# phone subsystem
type radio, domain, mlstrustedsubject;
+type radio_tmpfs, file_type;
net_domain(radio)
bluetooth_domain(radio)
diff --git a/public/runas_app.te b/public/runas_app.te
index cdaa799..ff03940 100644
--- a/public/runas_app.te
+++ b/public/runas_app.te
@@ -1 +1,2 @@
type runas_app, domain;
+type runas_app_tmpfs, file_type;
diff --git a/public/secure_element.te b/public/secure_element.te
index 4ce6714..985c66d 100644
--- a/public/secure_element.te
+++ b/public/secure_element.te
@@ -1,2 +1,3 @@
# secure_element subsystem
type secure_element, domain;
+type secure_element_tmpfs, file_type;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 8e58e42..422a375 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,5 +1,6 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
+type shared_relro_tmpfs, file_type;
# Grant write access to the shared relro files/directory.
allow shared_relro shared_relro_file:dir rw_dir_perms;
diff --git a/public/shell.te b/public/shell.te
index 7201df0..1c30d7a 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -1,6 +1,7 @@
# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, system_file_type, exec_type, file_type;
+type shell_tmpfs, file_type;
# Create and use network sockets.
net_domain(shell)
diff --git a/public/su.te b/public/su.te
index e09248b..41ae4ef 100644
--- a/public/su.te
+++ b/public/su.te
@@ -1,6 +1,7 @@
# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
type su, domain;
+type su_tmpfs, file_type;
# File types must be defined for file_contexts.
type su_exec, system_file_type, exec_type, file_type;
diff --git a/public/system_app.te b/public/system_app.te
index 023058e..da781bc 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -5,3 +5,4 @@
###
type system_app, domain;
+type system_app_tmpfs, file_type;
diff --git a/public/system_server.te b/public/system_server.te
index 805d617..aa9c6c1 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -3,3 +3,4 @@
# Most of the framework services run in this process.
#
type system_server, domain;
+type system_server_tmpfs, file_type;
diff --git a/public/te_macros b/public/te_macros
index ca6070b..4195b88 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -72,13 +72,10 @@
#####################################
# tmpfs_domain(domain)
-# Define and allow access to a unique type for
-# this domain when creating tmpfs / shmem / ashmem files.
+# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
define(`tmpfs_domain', `
-type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
allow $1 $1_tmpfs:file { read write getattr map };
-allow $1 tmpfs:dir { getattr search };
')
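Review bot: The revised comment on tmpfs_domain() still does not say that the macro now requires its caller to declare `$1_tmpfs`, which is the new contract every updated .te file in this change follows. Suggest extending the header with `# The caller must declare "type $1_tmpfs, file_type;" separately — in public policy when the domain's tmpfs objects cross the Treble boundary.` The removed `allow $1 tmpfs:dir { getattr search };` is replaced by a domain-wide rule in public/domain.te in this same commit, which is worth noting here too so readers of the macro do not search for the missing grant.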
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
@@ -164,7 +161,6 @@
# upon executing its binary.
define(`init_daemon_domain', `
domain_auto_trans(init, $1_exec, $1)
-tmpfs_domain($1)
')
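Review bot: Dropping `tmpfs_domain($1)` from init_daemon_domain() silently changes behaviour for every caller, including vendor and partner policy outside this diff, and the macro's header comment (which starts above the hunk) is not updated to say so. A line such as `# Note: this macro no longer implies tmpfs_domain($1); daemons that create tmpfs/ashmem files must call it explicitly and declare $1_tmpfs.` would stop init daemons from losing their tmpfs type transition unnoticed. The hal_graphics_allocator_default.te change at the end of this commit shows the pattern callers now need.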
#####################################
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 0bce885..3396570 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -1,4 +1,5 @@
type traceur_app, domain;
+type traceur_app_tmpfs, file_type;
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;
diff --git a/public/ueventd.te b/public/ueventd.te
index cc4e30b..db02d3f 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -1,6 +1,7 @@
# ueventd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
+type ueventd_tmpfs, file_type;
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 5289bf9..3843f55 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -19,3 +19,6 @@
type untrusted_app, domain;
type untrusted_app_27, domain;
type untrusted_app_25, domain;
+type untrusted_app_tmpfs, file_type;
+type untrusted_app_27_tmpfs, file_type;
+type untrusted_app_25_tmpfs, file_type;
diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 5d19b32..ace3a01 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -3,3 +3,4 @@
type webview_zygote, domain;
type webview_zygote_exec, exec_type, file_type;
+type webview_zygote_tmpfs, file_type;
diff --git a/public/zygote.te b/public/zygote.te
index 85c3580..071354e 100644
--- a/public/zygote.te
+++ b/public/zygote.te
@@ -1,3 +1,4 @@
# zygote
type zygote, domain;
+type zygote_tmpfs, file_type;
type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 3d97ed0..a129ad4 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,8 +1,10 @@
type hal_graphics_allocator_default, domain;
+type hal_graphics_allocator_default_tmpfs, file_type;
hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
+tmpfs_domain(hal_graphics_allocator_default)
# b/70180742
dontaudit hal_graphics_allocator_default unlabeled:dir search;