Introduce app_data_file_type attribute.

This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previously
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf1320d54c8641cfff687f13f32013bf, restoring commit
27e0c740f1894e9a390b7105255eb29401d25c35. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
diff --git a/private/system_server.te b/private/system_server.te
index 139165f..a60c327 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -520,16 +520,7 @@
 allow system_server staging_data_file:file create_file_perms;
 
 # Walk /data/data subdirectories.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
-  system_app_data_file
-  bluetooth_data_file
-  nfc_data_file
-  radio_data_file
-  shell_data_file
-  app_data_file
-  privapp_data_file
-}:dir { getattr read search };
+allow system_server app_data_file_type:dir { getattr read search };
 
 # Also permit for unlabeled /data/data subdirectories and
 # for unlabeled asec containers on upgrades from 4.2.
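Review bot: The rewritten rule on the `+allow system_server app_data_file_type:dir` line (and its `:file` counterpart in the next hunk) now grants access to whatever type carries the attribute instead of an enumerated list, while the commit message says the check_seapp enforcement that ties the attribute to seapp_contexts type= values is deferred to a later CL. Until that enforcement lands, a seapp_contexts type that is missing the attribute silently loses this access and any type given the attribute elsewhere silently gains it, and nothing in the hunk records that expectation. The dropped "Types extracted from seapp_contexts type= fields" comment is worth keeping in an updated form above the new rule, e.g. `# app_data_file_type must be carried by every type used in seapp_contexts type= fields; check_seapp enforcement is pending.`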
@@ -542,16 +533,7 @@
 allow system_server system_app_data_file:file create_file_perms;
 
 # Receive and use open app data files passed over binder IPC.
-# Types extracted from seapp_contexts type= fields.
-allow system_server {
-  system_app_data_file
-  bluetooth_data_file
-  nfc_data_file
-  radio_data_file
-  shell_data_file
-  app_data_file
-  privapp_data_file
-}:file { getattr read write append map };
+allow system_server app_data_file_type:file { getattr read write append map };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
@@ -1042,14 +1024,11 @@
 # system server should never be operating on zygote spawned app data
 # files directly. Rather, they should always be passed via a
 # file descriptor.
-# Types extracted from seapp_contexts type= fields, excluding
-# those types that system_server needs to open directly.
+# Exclude those types that system_server needs to open directly.
 neverallow system_server {
-  bluetooth_data_file
-  nfc_data_file
-  shell_data_file
-  app_data_file
-  privapp_data_file
+  app_data_file_type
+  -system_app_data_file
+  -radio_data_file
 }:file { open create unlink link };
 
 # Forking and execing is inherently dangerous and racy. See, for
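Review bot: The negated types in the rewritten neverallow block (`-system_app_data_file`, `-radio_data_file`) no longer carry the per-type rationale that the old explicit list implied, so a reader cannot tell from the rule alone why each one is exempt. system_app_data_file is justified by the `allow system_server system_app_data_file:file create_file_perms;` rule in the previous hunk; the allow rule that would justify radio_data_file is not visible in this diff, so I would confirm it still exists before merging. A comment next to the exclusions such as `# system_app_data_file: create_file_perms granted above; radio_data_file: opened directly by system_server (see its allow rule)` would keep the exclusion list and the allow rules from drifting apart. The negated-attribute form also means any future type given app_data_file_type is automatically covered by this neverallow, which is a safer default than the old enumerated list and is consistent with the commit message's note that some neverallow rules are extended.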