Merge "Allow dumpstate to read some directories."
diff --git a/OWNERS b/OWNERS
index 5a25bcc..194acf3 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,4 @@
+adamshih@google.com
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
diff --git a/apex/com.android.runtime.debug-file_contexts b/apex/com.android.runtime.debug-file_contexts
index 35ef891..507d665 100644
--- a/apex/com.android.runtime.debug-file_contexts
+++ b/apex/com.android.runtime.debug-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/apex/com.android.runtime.release-file_contexts b/apex/com.android.runtime.release-file_contexts
index 207704d..286d698 100644
--- a/apex/com.android.runtime.release-file_contexts
+++ b/apex/com.android.runtime.release-file_contexts
@@ -5,5 +5,6 @@
/bin/dex2oat u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/profman u:object_r:profman_exec:s0
+/bin/linker(64)? u:object_r:system_linker_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/etc/tz(/.*)? u:object_r:system_zoneinfo_file:s0
diff --git a/private/apexd.te b/private/apexd.te
index 7b1c041..4850d61 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,6 +46,10 @@
allow apexd apk_tmp_file:file relabelfrom;
allow apexd apex_data_file:file relabelto;
+# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
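Review bot: The `link` permission added in `allow apexd staging_data_file:file { r_file_perms link };` lets apexd hardlink a staged file into /data/apex, but a hardlink shares the source inode and therefore its staging_data_file label, and the staging_data_file neverallow rules in private/domain.te leave only init and system_server able to `relabelfrom` that type, so the new entry under /data/apex appears to keep the staging_data_file label unless one of those domains relabels it. If that is intended, the comment should say so, for example `# allow apexd to read files from /data/staging and hardlink them to /data/apex; the linked inode keeps its staging_data_file label, apexd cannot relabel it.` If apexd is instead expected to relabel the link to apex_data_file, it would need `relabelfrom` on staging_data_file:file here and an exemption in the domain.te neverallow.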
@@ -64,5 +68,5 @@
dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
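Review bot: Replacing `no_rw_file_perms` with `no_w_file_perms` in the neverallow on apex_data_file:file drops the read restriction for every domain, whereas the only new reader this change introduces is system_server (private/system_server.te grants it `apex_data_file:file r_file_perms`). Keeping the stronger invariant and exempting just the new reader, `neverallow { domain -apexd -init -kernel -system_server } apex_data_file:file no_rw_file_perms;`, preserves the compile-time guarantee that no other domain can later be granted read access to installed APEX payloads. If broad readability is deliberate, a one-line comment stating why reads are now allowed to all domains would help the next reviewer.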
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f40ca77..de0cc79 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -142,6 +142,7 @@
secure_element_service
server_configurable_flags_data_file
slice_service
+ staging_data_file
stats
stats_data_file
stats_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 88cf5d6..429725c 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -141,6 +141,7 @@
statsdw_socket
storaged_data_file
super_block_device
+ staging_data_file
system_boot_reason_prop
system_lmk_prop
system_suspend_hwservice
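Review bot: The inserted `staging_data_file` breaks the alphabetical order of this list (it follows `super_block_device` but sorts before `statsdw_socket`), and the 28.0.ignore.cil hunk places it after `system_suspend_hwservice` with the same effect, which stands out because that hunk itself moves `server_configurable_flags_data_file` to restore ordering. Inserting the line before `statsdw_socket` here and before `super_block_device` in 28.0 keeps both files sorted, as the 26.0 hunk already does.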
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 8247614..9133c44 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -75,10 +75,11 @@
rss_hwm_reset_exec
runtime_service
sensor_privacy_service
+ server_configurable_flags_data_file
super_block_device
system_lmk_prop
system_suspend_hwservice
- server_configurable_flags_data_file
+ staging_data_file
time_prop
timedetector_service
timezonedetector_service
diff --git a/private/domain.te b/private/domain.te
index 15179e2..bc1defb 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -138,6 +138,17 @@
-installd
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server } staging_data_file:file
+ { append create unlink relabelfrom rename setattr write no_x_file_perms };
+
neverallow {
domain
-appdomain # for oemfs
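Review bot: The comment `# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.` does not describe the set that follows, which also contains `no_x_file_perms`; unless the macro is redefined locally, `no_w_file_perms` carries no execute permissions, so a reader checking the rule against the comment finds an unexplained extra. A wording that matches the rule is `# apexd needs link, so spell out no_w_file_perms without link, and additionally forbid execution (no_x_file_perms).` The `-installd` line at the top of the hunk belongs to a neverallow block that begins outside the hunk, and the trailing `neverallow {` opens a block that continues past it.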
diff --git a/private/file_contexts b/private/file_contexts
index 13d87ff..da41ef7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -429,6 +429,7 @@
/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/staging(/.*)? u:object_r:staging_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index b8e0511..4581417 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -471,6 +471,10 @@
allow system_server zoneinfo_data_file:dir create_dir_perms;
allow system_server zoneinfo_data_file:file create_file_perms;
+# Manage /data/staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
# Walk /data/data subdirectories.
# Types extracted from seapp_contexts type= fields.
allow system_server {
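Review bot: `# Manage /data/staging.` above `allow system_server staging_data_file:file create_file_perms;` leaves undocumented that system_server keeps write access to staged files after apexd has hardlinked them into /data/apex (private/apexd.te), and a write through either path reaches the same inode, so the domain.te comment about files not changing between staging and apexd processing rests on system_server being trusted rather than on policy. A comment that states the assumption would be `# Manage /data/staging. system_server is the only non-init writer; once apexd hardlinks a staged file into /data/apex, writes here reach that same inode, so a file must not be modified after it is handed to apexd.` The `allow system_server {` at the end of the hunk opens a rule that continues past the hunk.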
@@ -959,6 +963,13 @@
allow system_server apex_service:service_manager find;
allow system_server apexd:binder call;
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:file r_file_perms;
+
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/public/file.te b/public/file.te
index 2a5e6f4..86a85dc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -253,6 +253,8 @@
type dhcp_data_file, file_type, data_file_type, core_data_file_type;
# /data/server_configurable_flags
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;