From 89625c9a6488d01466e5b21856f8fdede047f128 Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Mon, 1 Feb 2016 19:28:39 +0000
Subject: [PATCH] Update permissions for the dedicated profile folders

Bug: 26719109
Bug: 26563023

Change-Id: Ie0ca764467c874c061752cbbc73e1bacead9b995
---
 app.te           | 4 ++++
 dex2oat.te       | 4 ++--
 domain.te        | 8 ++++++++
 file.te          | 2 ++
 file_contexts    | 5 +++++
 installd.te      | 7 +++++++
 profman.te       | 9 +++++++++
 untrusted_app.te | 1 +
 vold.te          | 3 +++
 9 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 profman.te

diff --git a/app.te b/app.te
index b89d4e15c..438e01f46 100644
--- a/app.te
+++ b/app.te
@@ -110,6 +110,10 @@ allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };
 
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
 # % adb shell dumpsys procstats --start-testing
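Review bot: The grant `allow appdomain user_profile_data_file:file create_file_perms;` applies to every file carrying that label, and file_contexts in this same patch labels both /data/misc/profiles/cur and /data/misc/profiles/ref as user_profile_data_file, so any app domain may create and rewrite files under ref as well as its own cur profile, with only DAC separating packages and users; the TODO in file_contexts acknowledges this but the rule here does not. Since dex2oat and profman consume these files as input, the trust boundary should be recorded next to the rule, e.g. `# Apps write their own profiles to /data/misc/profiles/cur. The same label currently covers /ref (see file_contexts TODO), so separation relies on DAC until ref is relabeled.` The dir grant `{ search write add_name }` lacks remove_name, so the unlink/rename inside create_file_perms cannot actually take effect on the directory; if that is intentional, say so, since the next maintainer chasing a denial will otherwise add it. The new exclusion in the untrusted_app.te hunk is what lets this grant pass the neverallow there.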
diff --git a/dex2oat.te b/dex2oat.te
index df3cc4245..58fcef8e4 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -1,5 +1,5 @@
 # dex2oat
-type dex2oat, domain, mlstrustedsubject, domain_deprecated;
+type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
 allow dex2oat dalvikcache_data_file:file write;
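Review bot: Dropping `mlstrustedsubject` from the `type dex2oat` line is explained neither in the hunk nor in the commit message; it presumably holds only because the new user_profile_data_file type in file.te is declared mlstrustedobject and this patch also removes dex2oat's app_data_file rule, so that reasoning belongs next to the type line, e.g. `# Not mlstrustedsubject: profiles are mlstrustedobject and dex2oat no longer accesses per-user app_data_file.` If dex2oat still reaches any other per-user-level object not visible here, this removal would surface as MLS denials that look like ordinary type denials, so a dexopt run on a multi-user device is worth doing before merge.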
@@ -15,7 +15,7 @@ allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
 allow dex2oat apk_tmp_file:file read;
-allow dex2oat app_data_file:file {read write lock};
+allow dex2oat user_profile_data_file:file {read lock};
 
 ##################
 # A/B OTA Dexopt #
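Review bot: The new rule `allow dex2oat user_profile_data_file:file {read lock};` carries no comment, and since profiles are now app-writable input (see app.te) the intent matters: dex2oat is given read only, not write, and — unless another rule outside this hunk grants it — not `open`, which means it can only use a descriptor opened by installd. If that is the design, record it: `# Read app-written profiles on fds passed in by installd; deliberately no open/write.` Otherwise the first denial report will tempt someone to add `open` without revisiting the containment.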
diff --git a/domain.te b/domain.te
index e24036b5e..9d377e50a 100644
--- a/domain.te
+++ b/domain.te
@@ -551,3 +551,11 @@ neverallow {
   -ueventd
   -vold
 } fuse_device:chr_file *;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+  domain
+  -installd
+  -profman
+} profman_exec:file no_x_file_perms;
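Review bot: The comment above the new neverallow, `We should only run in from installd forked processes.`, is hard to parse and does not name what the rule enforces; suggest `# Profiles contain untrusted data that profman parses, so profman_exec may only be executed by installd (which transitions into the profman domain) and by profman itself.` The rule constrains execute/execute_no_trans on profman_exec via no_x_file_perms only; it relies on profman_exec being the sole entrypoint of the profman domain, which is true in this patch (profman.te) but is worth a word in the comment so a later entrypoint does not silently widen it.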
diff --git a/file.te b/file.te
index 685cfe084..ff60c0435 100644
--- a/file.te
+++ b/file.te
@@ -85,6 +85,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
 type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell
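Review bot: The new type is declared `mlstrustedobject` with only `# /data/misc/profiles` as documentation, but that attribute exempts the files from MLS constraints, so per-user separation of profiles written by app domains no longer comes from MLS and rests on the type rules plus DAC. The reason — presumably that apps at different user levels write here while installd/dex2oat/profman read across users, which the hunk cannot confirm — should be stated on the line: `# /data/misc/profiles. mlstrustedobject: written by apps of any user level and read across users by installd/dex2oat/profman; isolation is DAC + type rules.`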
diff --git a/file_contexts b/file_contexts
index 9222324da..ed8e30e6c 100644
--- a/file_contexts
+++ b/file_contexts
@@ -203,6 +203,7 @@
 /system/bin/dex2oat     u:object_r:dex2oat_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat    u:object_r:dex2oat_exec:s0
+/system/bin/profman     u:object_r:profman_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -289,6 +290,10 @@
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 
 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
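Review bot: The two patterns `/data/misc/profiles/cur(/.*)?` and `/data/misc/profiles/ref(/.*)?` leave the parent `/data/misc/profiles` itself with whatever label the /data/misc default assigns (not shown here), so whichever process creates `cur` and `ref` needs dir permission on that parent label, and if it is not done by init's mkdir with the right context the subdirectories may come up mislabeled; the init.rc side is not in this patch and should be checked alongside it. Giving cur and ref one label also means every grant on user_profile_data_file in this patch, app.te's create_file_perms included, reaches ref, which the TODO acknowledges but which would be clearer if the TODO said so explicitly: `# TODO(calin): give /ref its own label; today apps can write to ref because it shares user_profile_data_file with cur.`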
diff --git a/installd.te b/installd.te
index f685a4883..688a7e6c0 100644
--- a/installd.te
+++ b/installd.te
@@ -66,6 +66,9 @@ allow installd resourcecache_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)
 
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)
 
@@ -109,6 +112,10 @@ allow installd {
     autoplay_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
 
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+
 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;
 
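Review bot: The comment `# Similar for the files under /data/misc/profiles/` points back to the rule above it, which grants `{ create_file_perms relabelfrom relabelto }`, but the new rules grant create_dir_perms/create_file_perms and no relabel permissions, so "similar" understates the difference. Say what installd may do instead, e.g. `# Create/manage per-user profile dirs and files under /data/misc/profiles; no relabel needed while the tree has a single label.` If installd is expected to fix labels after a restorecon or a future relabeling of /ref, relabelfrom/relabelto would be missing here — that cannot be decided from the hunk.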
diff --git a/profman.te b/profman.te
new file mode 100644
index 000000000..ac34e8923
--- /dev/null
+++ b/profman.te
@@ -0,0 +1,9 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { read write lock };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
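Review bot: `allow profman user_profile_data_file:file { read write lock };` omits `open` and there is no dir `search` rule, so profman can only act on descriptors handed over by installd via `allow profman installd:fd use;`; that is a sound containment choice but it is undocumented, and a maintainer seeing the first denial is likely to add `open`. Suggest recording it: `# profman only operates on fds opened by installd; deliberately no open/search so it cannot reach profiles or app data on its own.` The `neverallow profman app_data_file:notdevfile_class_set open;` pins only open; if the intent is that profman never touches app data at all, a later `read`/`write` allow on inherited fds would not violate it, so consider `*` (or `~{ getattr }`) there and a short comment stating which it is.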
diff --git a/untrusted_app.te b/untrusted_app.te
index 30364b035..189f3c509 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -171,6 +171,7 @@ neverallow untrusted_app {
   -app_data_file            # The apps sandbox itself
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
+  -user_profile_data_file   # Access to profile files
   userdebug_or_eng(`
     -method_trace_data_file # only on ro.debuggable=1
     -coredump_file          # userdebug/eng only
diff --git a/vold.te b/vold.te
index 9a1ccfe3a..fb3673c00 100644
--- a/vold.te
+++ b/vold.te
@@ -185,6 +185,9 @@ allow vold sysfs_zram_uevent:file rw_file_perms;
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
 
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
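Review bot: `allow vold user_profile_data_file:dir create_dir_perms;` covers vold only while the directory it creates sits under a parent already labeled user_profile_data_file (e.g. a per-user dir below /data/misc/profiles/cur); if vold is the one creating /data/misc/profiles/cur itself, the parent carries a different label per file_contexts and this rule does not reach it — which case applies cannot be seen here. create_dir_perms also includes rmdir/reparent/rename, so the comment should say whether vold both prepares and tears down per-user dirs: `# Create (and remove on user deletion) per-user profile dirs under /data/misc/profiles.`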
-- 
GitLab