Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ba99b14c5cf0b7dc817a55fe4f8f9c1dc46e407d / . / private / dexopt_chroot_setup.te
blob: c34a30b299714c6f0423990c1ec102b39cbaccf6 [file] [log] [blame]
Jiakai Zhang4acd0732024-03-20 11:24:54 +0000[diff] [blame]1# A service that sets up the chroot environment for Pre-reboot Dexopt.
Jiakai Zhang817c49f2023-10-18 17:03:20 +0100[diff] [blame]2type dexopt_chroot_setup, domain, coredomain;
3type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
4type dexopt_chroot_setup_tmpfs, file_type;
5
6# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
7binder_use(dexopt_chroot_setup)
8add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
9allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
10allow dexopt_chroot_setup dumpstate:fd use;
11
12init_daemon_domain(dexopt_chroot_setup)
13
Jiakai Zhang4acd0732024-03-20 11:24:54 +0000[diff] [blame]14# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup
15# their own label, which differs from other labels created by other processes.
16# This allows to distinguish in policy files created by dexopt_chroot_setup vs
17# other processes.
Jiakai Zhang817c49f2023-10-18 17:03:20 +0100[diff] [blame]18tmpfs_domain(dexopt_chroot_setup)
19
20# libart (mark_compact.cc) has some intialization code that touches the cache
21# info file and userfaultfd.
22allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
23r_dir_file(dexopt_chroot_setup, apex_art_data_file)
24userfaultfd_use(dexopt_chroot_setup)
Jiakai Zhang4acd0732024-03-20 11:24:54 +0000[diff] [blame]25
26# Allow getting root capabilities to bypass permission checks.
27# - "sys_admin" is for performing mount and umount.
28# - "sys_chroot" is for performing chroot.
29allow dexopt_chroot_setup self:global_capability_class_set { sys_admin sys_chroot };
30
31# Allow managing its own files.
32# The root of the temp dir that dexopt_chroot_setup uses is labeled
33# pre_reboot_dexopt_file.
34allow dexopt_chroot_setup pre_reboot_dexopt_file:dir create_dir_perms;
35allow dexopt_chroot_setup pre_reboot_dexopt_file:file create_file_perms;
36
37# Allow accessing /proc/filesystems.
38allow dexopt_chroot_setup proc_filesystems:file r_file_perms;
39
40# Allow accessing block devices (/dev/block/...).
41allow dexopt_chroot_setup block_device:dir { getattr search };
42
43# Allow mounting file systems, to create a chroot environment.
44allow dexopt_chroot_setup {
45 apex_mnt_dir
46 binderfs
47 cgroup
48 cgroup_v2
49 debugfs_tracing_debug
50 device
51 devpts
52 fs_bpf
53 fusectlfs
54 linkerconfig_file
55 metadata_file
56 mnt_expand_file
57 pre_reboot_dexopt_file
58 proc
59 pstorefs
60 rootfs
61 selinuxfs
62 sysfs
63 system_data_file
64 system_data_root_file
65 system_file
66 tmpfs
67 vendor_file
68}:dir mounton;
69
70allow dexopt_chroot_setup { tmpfs labeledfs }:filesystem mount;
71
72allow dexopt_chroot_setup {
73 binderfs
74 cgroup
75 cgroup_v2
76 debugfs_tracing_debug
77 devpts
78 fs_bpf
79 fusectlfs
80 labeledfs
81 proc
82 pstorefs
83 selinuxfs
84 sysfs
85 tmpfs
86}:filesystem unmount;
87
88# Allow reading /apex in chroot.
89r_dir_file(dexopt_chroot_setup, apex_mnt_dir)
90allow dexopt_chroot_setup apex_info_file:file r_file_perms;
91
92# Allow writing an empty linker config in chroot to suppress linker warnings.
93# The empty linker config is used until linkerconfig has run.
94# In chroot, we're reusing the type outside the chroot, to reuse all the rules
95# for it for other domains, even though we're not changing the real linker
96# config outside the chroot.
97allow dexopt_chroot_setup linkerconfig_file:dir { write add_name };
98allow dexopt_chroot_setup linkerconfig_file:file { create write };
99
100# Allow using the `rootcontext=` option when mounting tmpfs, so we can give the
101# right labels to /apex, /linkerconfig, /mnt/artd_tmp in chroot.
102# Combined with `allow file_type tmpfs:filesystem associate;`, this allows
103# giving any labels to any tmpfs filesystems as soon as they are mounted.
104# Note that those tmpfs filesystems are known to be empty at the time where the
105# labels are given, and this rule doesn't allow relabeling any existing tmpfs.
106allow dexopt_chroot_setup tmpfs:filesystem relabelfrom;
107
108# Allow executing art_exec_exec without a domain transition because it is a thin
109# wrapper that executes other binaries on behalf of dexopt_chroot_setup. Domain
110# transition will take place as soon as art_exec_exec executes other binaries.
111allow dexopt_chroot_setup art_exec_exec:file rx_file_perms;
112
113# Allow running other binaries in their own domains.
114domain_auto_trans(dexopt_chroot_setup, apexd_exec, apexd)
115domain_auto_trans(dexopt_chroot_setup, linkerconfig_exec, linkerconfig)
116
117# Allow running snapshotctl through init, to map and unmap block devices.
118set_prop(dexopt_chroot_setup, snapshotctl_prop)
119
120# Neverallow rules.
121
122# Never allow running other binaries without a domain transition.
123# The exception for art_exec_exec is explained above.
124neverallow dexopt_chroot_setup ~{art_exec_exec}:file execute_no_trans;
125
126# Given how powerful this domain is, it shouldn't be used for other purposes.
127neverallow { domain -init } dexopt_chroot_setup:process transition;
128neverallow * dexopt_chroot_setup:process dyntransition;
129
130# Never allow other processes to access the temp dirs for Pre-reboot Dexopt.
131neverallow {
132 domain
133 -art_exec
134 -artd
135 -dexopt_chroot_setup
136 -init
137 -system_server
138 -vendor_init
139} pre_reboot_dexopt_file:dir *;