From 0fa3fb0257b7535127a45b58a273336d132111bf Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Wed, 6 Sep 2017 11:17:32 -0600
Subject: [PATCH] Start paving the way for vold calls over Binder.

This change is the bare minimum needed to publish a new vold
Binder service and move the simple "reset" call over to go through
the new interface.

The new rules here are modeled on the existing installd rules, but
with a handful of neverallow rules relaxed due to funky interactions
with hal_client_domain().

Test: builds, boots
Bug: 13758960
Change-Id: Ia9522ea7a68698cb0edce7879abfbf22b9d67c76
---
 private/compat/26.0/26.0.ignore.cil |  3 ++-
 private/service_contexts            |  1 +
 private/system_app.te               | 10 +++++++++-
 private/system_server.te            |  2 ++
 public/dumpstate.te                 | 10 +++++++++-
 public/service.te                   |  1 +
 public/shell.te                     | 11 ++++++++++-
 public/vold.te                      | 21 ++++++++++++++++++++-
 8 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9d5ce5426..e2b582567 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -28,7 +28,8 @@
     thermalserviced_exec
     thermalserviced_tmpfs
     timezone_service
-    tombstoned_java_trace_socket))
+    tombstoned_java_trace_socket
+    vold_service))
 
 ;; private_objects - a collection of types that were labeled differently in
 ;;     older policy, but that should not remain accessible to vendor policy.
diff --git a/private/service_contexts b/private/service_contexts
index d967bd216..215174fc0 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -160,6 +160,7 @@ user                                      u:object_r:user_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vold                                      u:object_r:vold_service:s0
 vr_hwc                                    u:object_r:vr_hwc_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index c6fcf8e12..9d2ee2898 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -58,7 +58,15 @@ binder_call(system_app, incidentd)
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow system_app {
+  service_manager_type
+  -dumpstate_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 
 allow system_app keystore:keystore_key {
     get_state
diff --git a/private/system_server.te b/private/system_server.te
index 1bf28b6b3..109587e28 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -178,6 +178,7 @@ binder_call(system_server, gatekeeperd)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
 binder_call(system_server, netd)
+binder_call(system_server, vold)
 binder_call(system_server, wificond)
 binder_service(system_server)
 
@@ -574,6 +575,7 @@ allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
+allow system_server vold_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 
 allow system_server keystore:keystore_key {
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 3d8049518..3abf75000 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -186,7 +186,15 @@ userdebug_or_eng(`
   allow dumpstate misc_logd_file:file r_file_perms;
 ')
 
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow dumpstate {
+  service_manager_type
+  -dumpstate_service
+  -gatekeeper_service
+  -incident_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 
diff --git a/public/service.te b/public/service.te
index e97b864db..30505e3fb 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@ type system_app_service,        service_manager_type;
 type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
+type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;
 
 # system_server_services broken down
diff --git a/public/shell.te b/public/shell.te
index 36964e50f..84e76f2a3 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -89,7 +89,16 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow shell {
+  service_manager_type
+  -gatekeeper_service
+  -incident_service
+  -installd_service
+  -netd_service
+  -virtual_touchpad_service
+  -vold_service
+  -vr_hwc_service
+}:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to get information from hwservicemanager
diff --git a/public/vold.te b/public/vold.te
index 513438c48..c18b874d9 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -135,8 +135,15 @@ allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
 
-# talk to batteryservice
+# Allow vold to publish a binder service and make binder calls.
 binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
 binder_call(vold, healthd)
 
 # talk to keymaster
@@ -191,4 +198,16 @@ neverallow { domain -vold -init } vold_data_file:dir *;
 neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
+# Only system_server can interact with vold over binder
+neverallow { domain -system_server -vold } vold_service:service_manager find;
+neverallow vold {
+  domain
+  -hal_keymaster
+  -healthd
+  -hwservicemanager
+  -servicemanager
+  -system_server
+  userdebug_or_eng(`-su')
+}:binder call;
+
 neverallow vold fsck_exec:file execute_no_trans;
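Review bot: The comment `# Only system_server can interact with vold over binder` claims more than the two rules beneath it enforce: the first neverallow only stops other domains from finding vold_service, and the second only bounds vold's own outgoing binder calls, so nothing in this hunk forbids a domain other than system_server from calling into vold once it holds a reference to the service. The description says some neverallows were relaxed relative to installd because of hal_client_domain(), so if the inbound counterpart `neverallow { domain -system_server } vold:binder call;` cannot be carried over as-is, the comment should state which direction is actually enforced, e.g. `# Only system_server may find vold_service; vold may only call the domains excluded below`, or the inbound rule should be added with whatever exclusions hal_client_domain() requires. Either way the gap between the comment and the rules is what a future maintainer will trip on.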
-- 
GitLab