From 47f3ed09d222ee126cf2fe23b5fe15cd0b64520e Mon Sep 17 00:00:00 2001 From: Paul Crowley <paulcrowley@google.com> Date: Fri, 13 Oct 2017 14:54:32 -0700 Subject: [PATCH] vold_prepare_subdirs sets policy in vold-created dirs. Bug: 25861755 Test: Boot device, observe logs Change-Id: I6c13430d42e9794003eb48e6ca219b874112b900 --- private/compat/26.0/26.0.ignore.cil | 2 ++ private/file_contexts | 5 +++++ private/vold_prepare_subdirs.te | 1 + public/vold.te | 2 +- public/vold_prepare_subdirs.te | 18 ++++++++++++++++++ 5 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 private/vold_prepare_subdirs.te create mode 100644 public/vold_prepare_subdirs.te diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil index 1f2d82348..2cb4d09ef 100644 --- a/private/compat/26.0/26.0.ignore.cil +++ b/private/compat/26.0/26.0.ignore.cil @@ -33,6 +33,8 @@ thermalserviced_tmpfs timezone_service tombstoned_java_trace_socket + vold_prepare_subdirs + vold_prepare_subdirs_exec vold_service wpantund wpantund_exec diff --git a/private/file_contexts b/private/file_contexts index a98171477..fb6099d69 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -271,6 +271,7 @@ /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0 /system/bin/vr_hwc u:object_r:vr_hwc_exec:s0 /system/bin/adbd u:object_r:adbd_exec:s0 +/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0 ############################# # Vendor files @@ -431,6 +432,10 @@ # User icon files /data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0 +# vold per-user data +/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 +/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0 + ############################# # efs files # diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te new file mode 100644 index 000000000..c2146f91a --- /dev/null +++ b/private/vold_prepare_subdirs.te @@ -0,0 +1 @@ +domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs) diff --git a/public/vold.te b/public/vold.te index a569f9ebd..10d3474c5 100644 --- a/public/vold.te +++ b/public/vold.te @@ -200,7 +200,7 @@ allow vold misc_block_device:blk_file w_file_perms; neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; -neverallow { domain -vold -init } vold_data_file:dir *; +neverallow { domain -vold -init -vold_prepare_subdirs } vold_data_file:dir *; neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *; neverallow { domain -vold -init } restorecon_prop:property_service set; diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te new file mode 100644 index 000000000..ddb588238 --- /dev/null +++ b/public/vold_prepare_subdirs.te @@ -0,0 +1,18 @@ +# SELinux directory creation and labelling for vold-managed directories + +type vold_prepare_subdirs, domain; +type vold_prepare_subdirs_exec, exec_type, file_type; + +typeattribute vold_prepare_subdirs coredomain; + +allow vold_prepare_subdirs system_file:file execute_no_trans; +allow vold_prepare_subdirs shell_exec:file rx_file_perms; +allow vold_prepare_subdirs toolbox_exec:file rx_file_perms; +allow vold_prepare_subdirs devpts:chr_file { ioctl read write }; +allow vold_prepare_subdirs vold:fd use; +allow vold_prepare_subdirs vold:fifo_file { read write }; +allow vold_prepare_subdirs file_contexts_file:file r_file_perms; +allow vold_prepare_subdirs self:capability dac_override; +allow vold_prepare_subdirs self:process setfscreate; +allow vold_prepare_subdirs system_data_file:dir { add_name write }; +allow vold_prepare_subdirs vold_data_file:dir { create getattr setattr }; -- GitLab