commit ed62b3181272bca9af796fb0e964d5646042baab
author Gavin Corkery <gavincorkery@google.com> Tue Jun 02 10:47:16 2020 +0100
committer Gavin Corkery <gavincorkery@google.com> Wed Aug 26 21:00:09 2020 +0100
tree 91b6c867a86b49e8b3a6b7dec3bf9a391481174b
parent 8f280b08474ae356423830fc27d6e08fdf66ea75

Selinux policy for new userspace reboot logging dir

Add userspace_reboot_metadata_file, which is written to by init,
and read by system server. System server will also handle the
deletion policy and organization of files within this directory,
so it needs additional permissions.

Test: Builds
Bug: 151820675
Change-Id: Ifbd70a6564e2705e3edf7da6b05486517413b211

private/compat/30.0/30.0.ignore.cil

diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index ada1bcf..91ee117 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -17,4 +17,5 @@
     profcollectd_exec
     profcollectd_service
     update_engine_stable_service
-    cgroup_v2))
+    cgroup_v2
+    userspace_reboot_metadata_file))

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index a3c0b6e..5cc5b9b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -735,6 +735,7 @@
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
+/metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 
 #############################
 # asec containers

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 26b728f..b7867a1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1161,6 +1161,9 @@
 allow system_server password_slot_metadata_file:dir rw_dir_perms;
 allow system_server password_slot_metadata_file:file create_file_perms;
 
+allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
+allow system_server userspace_reboot_metadata_file:file create_file_perms;
+
 # Allow system server rw access to files in /metadata/staged-install folder
 allow system_server staged_install_file:dir rw_dir_perms;
 allow system_server staged_install_file:file create_file_perms;
@@ -1202,6 +1205,10 @@
 } password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
 
+# Only system_server/init should access /metadata/userspacereboot.
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
+neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
+
 # Allow systemserver to read/write the invalidation property
 set_prop(system_server, binder_cache_system_server_prop)
 neverallow { domain -system_server -init }