[Thread] move Thread settings data to APEX data dir

This commit includes two sepolicy changes:
1. change threadnetwork data file to
/data/misc/apexdata/com.android.tethering/threadnetwork
2. use apex_tethering_data_file for files under
   /data/misc/apexdata/com.android.tethering

The background is that the Thread daemon (ot_daemon) is merged into the
Tethering mainline module, which means the Tethering module now has
code running in both system_server and the standalone unprivileged
ot_daemon process. To prevent ot_daemon from accessing other
apex_system_server_data_file dirs, here use the specific
apex_tethering_data_file for both Tethering and Thread files (A
subdirectory threadnetwork/ will be created for Thread at runtime). This
is similar to apex_art_data_file and apex_virt_data_file.

Note that a file_contexts rule like
```
/data/misc/apexdata/com\.android\.tethering/threadnetwork(/.*)?  u:object_r:apex_threadnetwork_data_file:s0
```
won't work because the threadnetwork/ subdir doesn't exist before the
sepolicy rules are evaluated.

Bug: 309932508
Test: manually verified that Thread settings file can be written to
      /data/misc/apexdata/com.android.tethering/threadnetwork
Change-Id: I66539865ef388115c8e9b388b43291d8faf1f384
diff --git a/private/file.te b/private/file.te
index de2581d..d289f43 100644
--- a/private/file.te
+++ b/private/file.te
@@ -77,12 +77,14 @@
 # /data/misc/apexdata/com.android.virt
 type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# /data/misc/apexdata/com.android.tethering
+type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_permission_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
-type apex_tethering_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 type apex_wifi_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
 # /data/font/files
@@ -134,9 +136,6 @@
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
-# /data/misc/threadnetwork
-type threadnetwork_data_file, file_type, data_file_type, core_data_file_type;
-
 # /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
 
diff --git a/private/file_contexts b/private/file_contexts
index a1bc85f..7fbc580 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -625,7 +625,7 @@
 /data/misc/apexdata/com\.android\.virt(/.*)?          u:object_r:apex_virt_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
-/data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_system_server_data_file:s0
+/data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_tethering_data_file:s0
 /data/misc/apexdata/com\.android\.uwb(/.*)?           u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.wifi(/.*)?          u:object_r:apex_system_server_data_file:s0
 /data/misc/apexrollback(/.*)?   u:object_r:apex_rollback_data_file:s0
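Review bot: Changing only the file_contexts entry on line 68 leaves already-provisioned devices with /data/misc/apexdata/com.android.tethering still labelled apex_system_server_data_file until a boot-time relabel is applied, and the Test line covers only a fresh write, not an upgrade. Until that directory is relabelled, system_server keeps access through its apex_system_server_data_file rules, but ot_daemon's new rules are written against apex_tethering_data_file only, so its accesses would be denied on such a device. Worth confirming that the upgrade path relabels this directory before the Thread code starts using it; a sentence in the description recording how that is handled would help the next reader.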
@@ -678,7 +678,6 @@
 /data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/textclassifier(/.*)?       u:object_r:textclassifier_data_file:s0
-/data/misc/threadnetwork(/.*)?        u:object_r:threadnetwork_data_file:s0
 /data/misc/train-info(/.*)?     u:object_r:stats_data_file:s0
 /data/misc/user(/.*)?           u:object_r:misc_user_data_file:s0
 /data/misc/virtualizationservice(/.*)? u:object_r:virtualizationservice_data_file:s0
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 457e1bf..495947f 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -12,10 +12,14 @@
 # Allow the ot_daemon to use the net domain.
 net_domain(ot_daemon)
 
-# Allow the ot_daemon to access the folder "/data/misc/threadnetwork".
-allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
-allow ot_daemon threadnetwork_data_file:file create_file_perms;
-allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
+# Allow ot_daemon to find /data/misc/apexdata/com.android.tethering
+allow ot_daemon apex_module_data_file:dir search;
+
+# Allow the ot_daemon to access files and subdirectories under
+# /data/misc/apexdata/com\.android\.tethering
+allow ot_daemon apex_tethering_data_file:dir {create rw_dir_perms};
+allow ot_daemon apex_tethering_data_file:file create_file_perms;
+allow ot_daemon apex_tethering_data_file:sock_file {create unlink};
 
 # Allow OT daemon to read/write the Thread tunnel interface
 allow ot_daemon tun_device:chr_file {read write};
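Review bot: The rules on lines 97-99 grant ot_daemon, which the description calls an unprivileged process, create and rw_dir_perms on the whole apex_tethering_data_file tree, so the Tethering module's own files directly under /data/misc/apexdata/com.android.tethering become writable and unlinkable by ot_daemon, not only the threadnetwork/ subdirectory. The description explains that a file_contexts entry for the subdirectory cannot label it because it is created at runtime; a name-based type transition on the domain that creates it, `type_transition <CREATOR_DOMAIN> apex_tethering_data_file:dir apex_threadnetwork_data_file "threadnetwork";`, would label the subdirectory at creation time and let these rules be narrowed to that type (which domain creates it is not visible in this diff). If sharing the module label is the intended design, a comment such as `# ot_daemon intentionally shares the Tethering module's data label; threadnetwork/ cannot be labelled separately via file_contexts` above line 97 would record that decision for later reviewers.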
diff --git a/private/system_server.te b/private/system_server.te
index 62430b1..decabe1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1418,19 +1418,19 @@
 # These are modules where the code runs in system_server, so we need full access.
 allow system_server apex_system_server_data_file:dir create_dir_perms;
 allow system_server apex_system_server_data_file:file create_file_perms;
+allow system_server apex_tethering_data_file:dir create_dir_perms;
+allow system_server apex_tethering_data_file:file create_file_perms;
 # Legacy labels that we still need to support (b/217581286)
 allow system_server {
   apex_appsearch_data_file
   apex_permission_data_file
   apex_scheduling_data_file
-  apex_tethering_data_file
   apex_wifi_data_file
 }:dir create_dir_perms;
 allow system_server {
   apex_appsearch_data_file
   apex_permission_data_file
   apex_scheduling_data_file
-  apex_tethering_data_file
   apex_wifi_data_file
 }:file create_file_perms;