diff --git a/app.te b/app.te index fb768318361ff68cbad73c698b16f3a067c683b7..22168f8918e165678c9ed159c1576eed8698ad4c 100644 --- a/app.te +++ b/app.te @@ -24,6 +24,8 @@ platform_app_domain(media_app) # Access the network. net_domain(media_app) unconfined_domain(media_app) +relabelto_domain(media_app) +allow media_app download_file:dir relabelto; # Apps signed with the shared key. type shared_app, domain; diff --git a/attributes b/attributes index 7d491e2d4ea7c4faf8ae71bebd0f1fdee292d10b..6123d6c1be12a4984cca8dbe05258aa9d81e6a79 100644 --- a/attributes +++ b/attributes @@ -64,3 +64,6 @@ attribute binderservicedomain; # Allow domains used for platform (signed by build key) apps. attribute platformappdomain; + +# All domains which are allowed the "relabelto" permission +attribute relabeltodomain; diff --git a/domain.te b/domain.te index a4a06d554d5f4b37adc004440dacf8e221597df6..9ca6dc4e657188026190d779f8b9d6219cd338fe 100644 --- a/domain.te +++ b/domain.te @@ -120,3 +120,18 @@ dontaudit domain debugfs:file rw_file_perms; # security files allow domain security_file:dir { search getattr }; allow domain security_file:file getattr; + +######## Backwards compatibility - Unlabeled files ############ + +# Revert to DAC rules when looking at unlabeled files. Over time, the number +# of unlabeled files should decrease. +# TODO: delete these rules in the future. +# +# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto +# capability, it's essentially useless. This is needed to allow an app with +# relabelto to relabel unlabeled files. +# +allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom }; +allow domain unlabeled:dir { create_dir_perms relabelfrom }; +allow domain unlabeled:lnk_file { create_file_perms }; +neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; diff --git a/init.te b/init.te index 5b7463e93938b613876dd2d33338e1e3f7d2f79c..2cbf14d86a80c5d3fcc516984d8685f726220c59 100644 --- a/init.te +++ b/init.te @@ -4,5 +4,8 @@ permissive init; # init is unconfined. unconfined_domain(init) tmpfs_domain(init) +relabelto_domain(init) # add a rule to handle unlabelled mounts allow init unlabeled:filesystem mount; + +allow init {fs_type dev_type file_type}:dir_file_class_set relabelto; diff --git a/installd.te b/installd.te index 2b983db128b71df13c271671d18090987beb86e3..05e4d65cb0f01dfb6b0ed137e3f6771526a0825c 100644 --- a/installd.te +++ b/installd.te @@ -4,6 +4,7 @@ permissive installd; type installd_exec, exec_type, file_type; init_daemon_domain(installd) +relabelto_domain(installd) typeattribute installd mlstrustedsubject; allow installd self:capability { chown dac_override fowner fsetid setgid setuid }; allow installd system_data_file:file create_file_perms; diff --git a/kernel.te b/kernel.te index 5502ed88da4eea4b33402aadad22f5869b79affd..023e45790c12fed62b961620a3f8f63131641e47 100644 --- a/kernel.te +++ b/kernel.te @@ -3,3 +3,6 @@ type kernel, domain; permissive kernel; # The kernel is unconfined. unconfined_domain(kernel) +relabelto_domain(kernel) + +allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto; diff --git a/system.te b/system.te index e638039a9e11539e3fde6026d6f1313a498da68b..24d4a676b0b6dc16730a2bfd516d2dc915ef3f6f 100644 --- a/system.te +++ b/system.te @@ -6,7 +6,13 @@ unconfined_domain(system_app) type system, domain; permissive system; unconfined_domain(system); +relabelto_domain(system); # Create a socket for receiving info from wpa. type_transition system wifi_data_file:sock_file system_wpa_socket; allow system self:zygote { specifyids specifyrlimits specifyseinfo }; + +allow system backup_data_file:dir relabelto; +allow system cache_backup_file:dir relabelto; +allow system apk_data_file:file relabelto; +allow system apk_tmp_file:file relabelto; diff --git a/te_macros b/te_macros index 1c78c96d0c911a380c04c546decf0f4d695afa05..310612cd9878bb677b16dc28b4bdba1550b097fa 100644 --- a/te_macros +++ b/te_macros @@ -108,6 +108,13 @@ typeattribute $1 appdomain; tmpfs_domain($1) ') +##################################### +# relabelto_domain(domain) +# Allows this domain to use the relabelto permission +define(`relabelto_domain', ` +typeattribute $1 relabeltodomain; +') + ##################################### # platform_app_domain(domain) # Allow permissions specific to platform apps. diff --git a/unconfined.te b/unconfined.te index 9f100a3e26597a25ebca6b6782973c79f44fcecf..a3af7d771320f36a1e9fccfeed084ca5fb171e9c 100644 --- a/unconfined.te +++ b/unconfined.te @@ -11,8 +11,8 @@ allow unconfineddomain domain:socket_class_set *; allow unconfineddomain domain:ipc_class_set *; allow unconfineddomain domain:key *; allow unconfineddomain fs_type:filesystem *; -allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *; -allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint; +allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto; +allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto}; allow unconfineddomain node_type:node *; allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind; allow unconfineddomain netif_type:netif *;