From 790f4c7e205139b36478406e13c3ccd7e1cb8ef1 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sun, 9 Jul 2017 16:43:55 -0700
Subject: [PATCH] domain_deprecated: remove cache access

Address the "granted" permissions observed in the logs including:

tcontext=uncrypt
avc: granted { search } for comm="uncrypt" name="/" dev="mmcblk0p40"
ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:cache_file:s0
tclass=dir

tcontext=install_recovery
avc: granted { search } for comm="applypatch" name="saved.file"
scontext=u:r:install_recovery:s0 tcontext=u:object_r:cache_file:s0
tclass=dir
avc: granted { read } for comm="applypatch" name="saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file
avc: granted { getattr } for comm="applypatch" path="/cache/saved.file"
dev="mmcblk0p6" ino=14 scontext=u:r:install_recovery:s0
tcontext=u:object_r:cache_file:s0 tclass=file

tcontext=update_engine
avc: granted { search } for comm="update_engine" name="cache"
dev="sda35" ino=1409025 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0 tclass=dir"
avc: granted { read } for comm="update_engine" name="update.zip"
dev="sda35" ino=1409037 scontext=u:r:update_engine:s0
tcontext=u:object_r:cache_file:s0:c512,c768 tclass=file
avc: granted { read } for comm="update_engine" name="cache" dev="dm-0"
ino=16 scontext=u:r:update_engine:s0 tcontext=u:object_r:cache_file:s0
tclass=lnk_file

Bug: 28760354
Test: build policy.
Merged-In: Ia13fe47268df904bd4f815c429a0acac961aed1e
Change-Id: Ia13fe47268df904bd4f815c429a0acac961aed1e
---
 public/domain_deprecated.te    | 31 -------------------------------
 public/uncrypt.te              |  1 +
 public/update_engine_common.te |  2 ++
 3 files changed, 3 insertions(+), 31 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 3c296ccfd..e6760c94f 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -119,37 +119,6 @@ auditallow {
 } apk_data_file:lnk_file r_file_perms;
 ')
 
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -recovery
-  -system_server
-  -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -recovery
-  -system_server
-  -vold
-} cache_file:dir getattr;
-auditallow {
-  domain_deprecated
-  -recovery
-  -system_server
-  -vold
-} cache_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -system_server
-  -vold
-} cache_file:lnk_file r_file_perms;
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index ef1289c32..6d3ee106d 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -14,6 +14,7 @@ userdebug_or_eng(`
 
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
 allow uncrypt cache_recovery_file:dir rw_dir_perms;
 allow uncrypt cache_recovery_file:file create_file_perms;
 
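Review bot: The new `allow uncrypt cache_file:dir search;` sits directly under comments naming /cache/recovery/command and /cache/recovery/uncrypt_file, but nothing says why a rule on cache_file (the /cache mount root) belongs there; the quoted log shows search on name="/" of the cache partition, i.e. traversing /cache to reach cache_recovery_file. A one-line comment such as `# search /cache itself to reach /cache/recovery` above the rule would keep the next reader from widening it to r_dir_perms. Separately, the description lists install_recovery (applypatch on /cache/saved.file) among the observed grants, yet the diffstat touches no install_recovery policy; unless that access is already granted elsewhere, dropping the domain_deprecated rule leaves it denied.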
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 8e454cc0e..fb0284f0e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,6 +24,8 @@ allow update_engine_common postinstall_file:file rx_file_perms;
 allow update_engine_common postinstall_file:lnk_file r_file_perms;
 allow update_engine_common postinstall_file:dir r_dir_perms;
 
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
 
 # A postinstall program is typically a shell script (with a #!), so we allow
 # to execute those.
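Review bot: `r_dir_file(update_engine_common, cache_file)` on the added line grants r_dir_perms on cache_file:dir and r_file_perms on cache_file:file and lnk_file, which is wider than both the accesses quoted in the description (search, read on the file and link) and the removed domain_deprecated rule, whose comment limited files to { getattr read } for already-opened files. If update_engine opens update.zip by path itself, `open` is required and the macro is the right choice; if the file arrives by descriptor, `allow update_engine_common cache_file:dir search;` plus `allow update_engine_common cache_file:file { getattr read };` would track the old grant more closely. If update_engine_common is carried by more than one domain, the grant extends to each of them, which is worth confirming. The update.zip log line also shows a categorized tcontext (`s0:c512,c768`), which a TE rule alone does not address; the MLS side should be confirmed separately.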
-- 
GitLab