Merge "Allow vendor_init to access unencrypted_data_file" into pi-dev

4f0a21cc · Tom Cherry · Android (Google) Code Review · bc9f22a6 · 18a28440 · 4f0a21cc
Commit 4f0a21cc authored 6 years ago by Tom Cherry Committed by Android (Google) Code Review 6 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -835,13 +835,25 @@ full_treble_only(`
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+    -vendor_init
  } {
    core_data_file_type
    # libc includes functions like mktime and localtime which attempt to access
    # files in /data/misc/zoneinfo/tzdata file. These functions are considered
    # vndk-stable and thus must be allowed for all processes.
    -zoneinfo_data_file
-    }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write };
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -zoneinfo_data_file
+  }:file_class_set ~{ append getattr ioctl read write };
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
 ')
 full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types
@@ -850,12 +862,26 @@ full_treble_only(`
    -appdomain # TODO(b/34980020) remove exemption for appdomain
    -coredomain
    -data_between_core_and_vendor_violators
-    } {
-      core_data_file_type
-      -system_data_file # default label for files on /data. Covered below...
-      -vendor_data_file
-      -zoneinfo_data_file
-    }:dir *;
+    -vendor_init
+  } {
+    core_data_file_type
+    -system_data_file # default label for files on /data. Covered below...
+    -vendor_data_file
+    -zoneinfo_data_file
+  }:dir *;
+  neverallow {
+    vendor_init
+    -data_between_core_and_vendor_violators
+  } {
+    core_data_file_type
+    -unencrypted_data_file
+    -system_data_file
+    -vendor_data_file
+    -zoneinfo_data_file
+  }:dir *;
+  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+  # The vendor init binary lives on the system partition so there is not a concern with stability.
+  neverallow vendor_init unencrypted_data_file:dir ~search;
 ')
 full_treble_only(`
  # vendor domains may only access dirs in /data/vendor, never core_data_file_types

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@ allow vendor_init self:global_capability_class_set dac_override;
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };

+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
 allow vendor_init {
  file_type
  -core_data_file_type