From 620dc7f814451ebba7efe0208677d1c0164b192a Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Thu, 12 Apr 2018 17:30:56 -0700
Subject: [PATCH] Allow vendor_init to access unencrypted_data_file

FBE needs to access these files to set up or verify encryption for directories during mkdir.

Bug: 77850279
Test: walleye + more restrictions continues to have FBE work
Change-Id: I84e201436ce4531d36d1257d932c3e2e772ea05e
(cherry picked from commit 18a284405f519ae49898031a4bea70e5e2d2fdac)
---
 public/domain.te | 40 +++++++++++++++++++++++++++++++++-------
 public/vendor_init.te | 4 ++++
 2 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 9458d796a..3a914d7b5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -841,13 +841,25 @@ full_treble_only(`
 -appdomain # TODO(b/34980020) remove exemption for appdomain
 -coredomain
 -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
 } {
 core_data_file_type
 # libc includes functions like mktime and localtime which attempt to access
 # files in /data/misc/zoneinfo/tzdata file. These functions are considered
 # vndk-stable and thus must be allowed for all processes.
 -zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
 ')
 full_treble_only(`
 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
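Review bot: The `-unencrypted_data_file` exemption in the new vendor_init neverallow lifts that type out of the restriction for every class in file_class_set, but the follow-up `neverallow vendor_init unencrypted_data_file:file ~r_file_perms;` only re-restricts the file class (the second hunk does the same for dir), so vendor_init access to lnk_file, sock_file, fifo_file, chr_file and blk_file objects labelled unencrypted_data_file is no longer bounded by this block at all. Unless another neverallow elsewhere in domain.te already covers those classes for vendor_init, I would add `neverallow vendor_init unencrypted_data_file:{ lnk_file sock_file fifo_file chr_file blk_file } *;` next to the file rule, so the carve-out is exactly as wide as the two allow rules added in public/vendor_init.te. The enclosing full_treble_only block and the `neverallow {` / `domain` lines of the first rule start before the hunk.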
@@ -856,12 +868,26 @@ full_treble_only(`
 -appdomain # TODO(b/34980020) remove exemption for appdomain
 -coredomain
 -data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -system_data_file # default label for files on /data. Covered below...
- -vendor_data_file
- -zoneinfo_data_file
- }:dir *;
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
 ')
 full_treble_only(`
 # vendor domains may only access dirs in /data/vendor, never core_data_file_types
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 362244ee7..135dfa859 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -34,6 +34,10 @@ allow vendor_init self:global_capability_class_set dac_override;
 # we just allow all file types except /system files here.
 allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
 allow vendor_init {
 file_type
 -core_data_file_type
-- 
GitLab
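Review bot: The new vendor_init-specific neverallow carries `-data_between_core_and_vendor_violators` over from the generic rule without the TODO(b/34980020) note that justifies that exemption, and because vendor_init is a single domain the subject set `{ vendor_init -data_between_core_and_vendor_violators }` becomes empty and the rule silently disappears if vendor_init is ever given that attribute; that deserves a comment such as `# Subject set is empty, and this rule void, if vendor_init is ever added to data_between_core_and_vendor_violators; see TODO(b/34980020) above.` The same applies to the matching rule in the first domain.te hunk. The six lines from `} {` through `}:dir *;` are removed and re-added and appear to differ only in whitespace, which buries the one substantive edit to that rule (`-vendor_init`) among noise; leaving the indentation alone, or moving the whitespace change to its own commit, would keep the policy change reviewable at a glance. The enclosing full_treble_only block and the `neverallow {` / `domain` lines start before the hunk.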
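Review bot: `r_file_perms` on the new `allow vendor_init unencrypted_data_file:file r_file_perms;` grants more than the comment's stated need of reading /data/unencrypted/{ref,mode}: the macro also carries ioctl and lock (and map where the policy defines it), so the least-privilege form is `allow vendor_init unencrypted_data_file:file { getattr open read };`. Narrowing here is only safe if the companion `neverallow vendor_init unencrypted_data_file:file ~r_file_perms;` added to public/domain.te is tightened to the same set, so the two rules must change together, and a comment on each pointing at the other would keep them from drifting apart. If the wider set is intentional, a one-line comment naming which of ioctl/lock the FBE setup path actually exercises would stop a later reader from trimming it. The `allow vendor_init {` statement at the end of the hunk continues past it.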