From 549ccf77e3fd23bb6c690da7023441c1007c4fd8 Mon Sep 17 00:00:00 2001
From: Felipe Leme <felipeal@google.com>
Date: Tue, 22 Dec 2015 12:37:17 -0800
Subject: [PATCH] Creates a new permission for /cache/recovery

This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
---
 app.te | 1 +
 domain.te | 2 +-
 domain_deprecated.te | 11 ++++++++---
 dumpstate.te | 4 ++++
 file.te | 2 ++
 file_contexts | 1 +
 install_recovery.te | 7 +++++--
 platform_app.te | 8 ++++++--
 priv_app.te | 7 +++++--
 recovery.te | 6 +++---
 system_server.te | 6 +++---
 uncrypt.te | 6 +++---
 untrusted_app.te | 4 ++--
 13 files changed, 44 insertions(+), 21 deletions(-)

diff --git a/app.te b/app.te
index 94dcfc5bd..48aebbf0a 100644
--- a/app.te
+++ b/app.te
@@ -390,6 +390,7 @@ neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
 neverallow appdomain {
 apk_data_file
 cache_file
+ cache_recovery_file
 dev_type
 rootfs
 system_file
diff --git a/domain.te b/domain.te
index 7b44fb5b1..98edece31 100644
--- a/domain.te
+++ b/domain.te
@@ -258,7 +258,7 @@ neverallow {
 -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e8c..d9b8d6b8e 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,9 +49,14 @@ allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
+allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
+
+# Likely not needed. auditallow to be sure
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
 
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
diff --git a/dumpstate.te b/dumpstate.te
index c3f919286..633eabcb1 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,10 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
diff --git a/file.te b/file.te
index 701d99107..374ff6bd2 100644
--- a/file.te
+++ b/file.te
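Review bot: The exclusion set on the two new `cache_recovery_file` auditallow rules names every domain that receives an explicit cache_recovery_file grant elsewhere in this patch except recovery, so if recovery is still a domain_deprecated member its legitimate /cache/recovery accesses (granted in recovery.te in this same patch) will show up as audit noise and blur the signal these rules are meant to produce. Either add `-recovery` to both sets or say in the comment why it is left out. The `{ getattr read }` scope (no `open`) matches the existing "already opened /cache files" treatment, but note that the allow rule three lines above still grants that access to all of domain_deprecated; the auditallow only observes, it does not narrow anything.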
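Review bot: The new `# Access /cache/recovery` comment in dumpstate.te does not record why dumpstate needs the directory; the commit message does (recovery files are to be included in bugreports when an OTA fails), and that rationale belongs beside the rule so a later cleanup does not drop it. Suggest `# Read /cache/recovery so bugreports can include recovery files after a failed OTA`. Read-only scope (`r_dir_perms`/`r_file_perms`) is appropriate for a reporting tool. Reaching /cache/recovery also requires search on /cache itself (cache_file:dir), which this hunk does not grant, so that presumably comes from another rule or from domain_deprecated; worth confirming before domain_deprecated is trimmed.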
@@ -145,6 +145,8 @@ type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default
 # type for anything under /cache/backup
 type cache_backup_file, file_type, mlstrustedobject;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
diff --git a/file_contexts b/file_contexts
index 0201a6d57..a1fa8042e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -317,6 +317,7 @@
 /cache/.*\.restore u:object_r:cache_backup_file:s0
 # LocalTransport (backup) uses this directory
 /cache/backup(/.*)? u:object_r:cache_backup_file:s0
+/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
 #############################
 # sysfs files
 #
diff --git a/install_recovery.te b/install_recovery.te
index b11ff7497..1c47236ea 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -21,8 +21,11 @@ allow install_recovery boot_block_device:blk_file r_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
+allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
+allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
+auditallow install_recovery cache_recovery_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/platform_app.te b/platform_app.te
index 117b16f35..038128805 100644
--- a/platform_app.te
+++ b/platform_app.te
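Review bot: The new `/cache/recovery(/.*)?` entry in file_contexts only governs labels applied from now on; a /cache/recovery directory created under the previous policy keeps `cache_file` until something relabels it, and the uncrypt.te hunk in this patch replaces uncrypt's cache_file grants with cache_recovery_file ones outright. If the boot sequence does not restorecon /cache recursively, uncrypt on an upgraded device would be denied on the pre-existing directory, so the upgrade path should be checked (or a temporary dual grant kept) before the cache_file rules are dropped. A short comment above the entry, e.g. `# /cache/recovery is relabeled from cache_file on upgrade; see uncrypt.te`, would record that dependency.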
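Review bot: In install_recovery.te the comment `# Create and delete /cache/saved.file` now heads a grant that also covers cache_recovery_file although /cache/saved.file lives in /cache itself, so the comment no longer explains the rule, and unlike platform_app.te the auditallow pair here carries no note about its purpose. Suggest above the auditallow lines: `# cache_recovery_file kept to preserve prior access; drop it if no avc messages appear`. Since `rw_dir_perms` and `create_file_perms` let install_recovery create and remove entries in the directory uncrypt.te describes as holding /cache/recovery/command and uncrypt_status, confirming and then removing this grant is worth following up on.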
@@ -25,8 +25,12 @@ allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
 # Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
+allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
+
+# Likely not needed
+auditallow platform_app cache_recovery_file:dir create_dir_perms;
+auditallow platform_app cache_recovery_file:file create_file_perms;
 
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
diff --git a/priv_app.te b/priv_app.te
index 59b4ea0ca..709904475 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -33,8 +33,11 @@ allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app mnt_media_rw_file:dir search;
 
 # Write to /cache.
-allow priv_app cache_file:dir create_dir_perms;
-allow priv_app cache_file:file create_file_perms;
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow priv_app cache_recovery_file:dir create_dir_perms;
+auditallow priv_app cache_recovery_file:file create_file_perms;
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
diff --git a/recovery.te b/recovery.te
index b4eb28512..d2cc90ea2 100644
--- a/recovery.te
+++ b/recovery.te
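Review bot: The priv_app.te hunk adds the same auditallow pair as platform_app.te but without the `# Likely not needed` comment, and neither comment says what should happen once the audit has run, so the follow-up is easy to lose. Suggest the same comment in both files: `# Likely not needed: audit cache_recovery_file access and drop it from the allow above if no avc messages appear`. These rules keep `create_dir_perms`/`create_file_perms` on /cache/recovery for every platform and privileged app, the widest write access this patch grants to the new type, which makes this the grant most worth confirming and retiring.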
@@ -73,9 +73,9 @@ recovery_only(`
 allow recovery tmpfs:file { create_file_perms x_file_perms };
 allow recovery tmpfs:dir create_dir_perms;
 
- # Manage files on /cache
- allow recovery cache_file:dir create_dir_perms;
- allow recovery cache_file:file create_file_perms;
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
 # Read files on /oem.
 r_dir_file(recovery, oemfs);
diff --git a/system_server.te b/system_server.te
index bc861e77a..97eb41584 100644
--- a/system_server.te
+++ b/system_server.te
@@ -308,9 +308,9 @@ type_transition system_server system_data_file:sock_file system_ndebug_socket "n
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
-allow system_server cache_file:dir { relabelfrom create_dir_perms };
-allow system_server cache_file:file { relabelfrom create_file_perms };
-allow system_server cache_file:fifo_file create_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index 7608538c3..354bda004 100644
--- a/uncrypt.te
+++ b/uncrypt.te
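Review bot: system_server keeps `relabelfrom` plus `create_dir_perms`/`create_file_perms` on cache_recovery_file (dir, file and fifo_file) but, unlike platform_app, priv_app and install_recovery, gets no auditallow to show whether it uses them, even though it is excluded from the domain_deprecated audit set. If the goal is to learn whether the access is needed, mirror the others: `auditallow system_server cache_recovery_file:dir { relabelfrom create_dir_perms };`, `auditallow system_server cache_recovery_file:file { relabelfrom create_file_perms };`, `auditallow system_server cache_recovery_file:fifo_file create_file_perms;`. `relabelfrom` in particular deserves confirmation, since it lets /cache/recovery content be moved out of the new type and so weakens the separation this patch introduces. The recovery.te hunk above is fine as is; recovery legitimately manages that directory.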
@@ -17,9 +17,9 @@ userdebug_or_eng(`
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
 # Write to pipe file /cache/recovery/uncrypt_status
-allow uncrypt cache_file:dir rw_dir_perms;
-allow uncrypt cache_file:file create_file_perms;
-allow uncrypt cache_file:fifo_file w_file_perms;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+allow uncrypt cache_recovery_file:fifo_file w_file_perms;
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)
diff --git a/untrusted_app.te b/untrusted_app.te
index 12a629de8..204335aae 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -147,5 +147,5 @@ neverallow untrusted_app file_type:file link;
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow untrusted_app access to /cache
-neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
-neverallow untrusted_app cache_file:file ~{ read getattr };
+neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
-- 
GitLab
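Review bot: With the three cache_file grants removed, uncrypt.te no longer contains anything that lets uncrypt traverse /cache (labeled cache_file) to reach /cache/recovery; the `-uncrypt` exclusion in the domain_deprecated audit suggests that search currently arrives via domain_deprecated's `cache_file:dir r_dir_perms`, which is a grant intended to shrink over time. Make the rule set self-contained by adding `allow uncrypt cache_file:dir search;` next to the new rules. The three comments above the rules (command, uncrypt_file, uncrypt_status) already document the intent well and need no change.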
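Review bot: The untrusted_app.te neverallow forbids everything except `r_dir_perms` on :dir and `{ read getattr }` on :file, so reading /cache/recovery content is not excluded for untrusted_app by the policy's own invariants; only the absence of an allow rule prevents it, and the directory holds the recovery files the commit message wants in bugreports as well as the command and uncrypt files named in uncrypt.te. A stricter `neverallow untrusted_app cache_recovery_file:{ dir file } *;` would encode the intent, but whether it builds depends on untrusted_app's domain_deprecated membership, since the domain_deprecated hunk grants `{ getattr read }` on cache_recovery_file to every member. If it cannot be added yet, a comment such as `# TODO: tighten to a full neverallow on cache_recovery_file once untrusted_app leaves domain_deprecated` would keep the follow-up visible.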