From b6a05a93c1708e7db1443da13191036cdfa2794b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 22 Nov 2017 14:51:29 +0000
Subject: [PATCH] Revert "Clean up old file-based OTA SELinux rules"

Self sideload OTA installation is aborted in #PPR1.171122.001. Likely cause is the removal of the file-based OTA rules. Revert the change while I investigate.

This reverts commit 7388575591ff2f55afa887851f5d593963b4552f.

Bug: 35853185
Bug: 69664758
Bug: 15575013
Change-Id: I65ca3bad7251f06df33eae8b2d4bcfada93ae9b8
---
 public/domain.te | 30 ++++++++++++++----------------
 public/recovery.te | 22 +++++++++++++++++++++-
 2 files changed, 35 insertions(+), 17 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 0d50c38f9..91cf8ca6d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -238,8 +238,8 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
 # http://www.openwall.com/lists/oss-security/2016/09/26/14
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init } unlabeled:dir_file_class_set create;
+# Do not allow any domain other than init or recovery to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit device node creation to these whitelisted domains.
 neverallow {
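Review bot: The new comment on the `+` line says recovery is exempt from the unlabeled-create restriction but not why, and the only rationale is in recovery.te. Because this is a neverallow in public policy, the exemption applies to every policy that compiles this file, not only the recovery image, so a reader of domain.te should be told it exists solely to back the file-based OTA path. Suggest `# Do not allow any domain other than init to create unlabeled files. Recovery is exempt because a file-based OTA may install files whose label is not known to the currently loaded policy (see recovery.te).`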
@@ -269,10 +269,8 @@ neverallow * self:memprotect mmap_zero;
 # No domain needs mac_override as it is unused by SELinux.
 neverallow * self:global_capability2_class_set mac_override;
 
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
+# Only recovery needs mac_admin to set contexts not defined in current policy.
+neverallow { domain -recovery } self:global_capability2_class_set mac_admin;
 
 # Once the policy has been loaded there shall be none to modify the policy.
 # It is sealed.
@@ -378,7 +376,6 @@ neverallow {
   -bootanim # for oemfs
   -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
-
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
 
@@ -402,12 +399,10 @@ neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms
 neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
 neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
 
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
+# Only recovery should be doing writes to /system & /vendor
 neverallow {
   domain
+  -recovery
   with_asan(`-asan_extract')
 } {
   system_file
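Review bot: The restored comment `# Only recovery needs mac_admin to set contexts not defined in current policy.` drops the warning the removed lines carried, that permitting undefined contexts means unknown or dangerous labels can be set, and says nothing about when the carve-out should go away. The commit message describes this revert as a stopgap while the sideload failure is investigated, so the exemption should be marked as such rather than read as a permanent design decision. Suggest `# Only recovery needs mac_admin, to set contexts not defined in the current policy while applying a file-based OTA. TODO(b/69664758): remove once the sideload failure is understood.` (the bug id is taken from the commit trailers; use whichever one tracks the re-tightening).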
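Review bot: The replacement comment `# Only recovery should be doing writes to /system & /vendor` loses the rationale the removed lines gave: these partitions are read-only and writing them invalidates dm-verity signatures. That rationale is what makes the `-recovery` entry on the following line read as an exception rather than the norm, and it still holds for every other domain in the set. Suggest keeping it: `# /system and /vendor are read-only and covered by dm-verity; modifying them invalidates the verity signatures. Only recovery, when applying a file-based OTA, may write them.` The neverallow set continues past the end of the hunk.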
@@ -415,7 +410,7 @@ neverallow {
   exec_type
 }:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
 
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
 neverallow * exec_type:dir_file_class_set mounton;
@@ -431,7 +426,7 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
-neverallow * contextmount_type:dir_file_class_set
+neverallow { domain -recovery } contextmount_type:dir_file_class_set
   { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Do not allow service_manager add for default service labels.
@@ -1096,9 +1091,12 @@ neverallow {
 # vendor, and boot partitions.
 neverallow * ~{ system_file vendor_file rootfs }:system module_load;
 
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+  domain
+  -recovery
+} self:global_capability_class_set setfcap;
 
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
diff --git a/public/recovery.te b/public/recovery.te
index f6ad47fef..3e3c28e61 100644
--- a/public/recovery.te
+++ b/public/recovery.te
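Review bot: The `+neverallow { domain -recovery } contextmount_type:dir_file_class_set` line exempts recovery, but the three unchanged comment lines above it still state that context mount types must not be writable so the /system write restriction cannot be bypassed via a context= mount. With recovery now permitted both the /system writes and the contextmount_type writes, the comment and the rule disagree for that one domain. Suggest changing the last comment line to `# mount to another type. Recovery is exempt, matching its /system write carve-out above.`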
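Review bot: The new comment says file capabilities may be set `during upgrade by recovery`, but nothing in the rule scopes the exemption to upgrade time: recovery holds setfcap for its entire lifetime, and together with the system_file write carve-out elsewhere in this file it can place file capabilities on binaries under /system whenever it runs. SELinux cannot express the time bound, so the comment should not imply one exists. Suggest `# Only allow filesystem caps to be set at build time. Recovery is exempt so a file-based OTA can restore the capabilities of installed files; note this is not limited to upgrade time.`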
@@ -12,7 +12,10 @@ recovery_only(`
   # Recovery can only use HALs in passthrough mode
   passthrough_hal_client_domain(recovery, hal_bootctl)
 
-  allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
+  allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
+
+  # Set security contexts on files that are not known to the loaded policy.
+  allow recovery self:global_capability2_class_set mac_admin;
 
   # Run helpers from / or /system without changing domain.
   r_dir_file(recovery, rootfs)
@@ -26,9 +29,26 @@ recovery_only(`
   allow recovery unlabeled:filesystem ~relabelto;
   allow recovery contextmount_type:filesystem relabelto;
 
+  # Create and relabel files and directories under /system.
+  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
+
+  # We may be asked to set an SELinux label for a type not known to the
+  # currently loaded policy. Allow it.
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
   # Get file contexts
   allow recovery file_contexts_file:file r_file_perms;
 
+  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
+  # support to OTAs. However, that code has a bug. When an update occurs,
+  # some directories are inappropriately labeled as exec_type. This is
+  # only transient, and subsequent steps in the OTA script correct this
+  # mistake. New devices are moving to block based OTAs, so this is not
+  # worth fixing. b/15575013
+  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
+
   # Write to /proc/sys/vm/drop_caches
   allow recovery proc_drop_caches:file w_file_perms;
 
-- 
GitLab
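Review bot: The widened `+  allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap ... }` line mixes the capabilities recovery already had with the three this revert brings back (`chown`, `fsetid`, `setfcap`) in one undocumented list, so nothing marks which ones exist only for file-based OTA and can be dropped with it. Splitting them keeps that later cleanup to a single line: `allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };` followed by `# File-based OTA only: restore ownership, set-id bits and file capabilities of installed files.` and `allow recovery self:global_capability_class_set { chown fsetid setfcap };` (the purpose wording is my inference from the capability names; adjust to what the OTA script actually does). The mac_admin rule below already gets its own explanatory comment, and the same treatment here would be consistent. The recovery_only block continues outside the hunk.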
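Review bot: `allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };` wraps a single type in braces while the neighbouring rules (`exec_type:{ file lnk_file }`, `system_file:dir`) do not; write it as `allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };` for consistency. Separately, the restored exec_type:dir rule is justified by a comment calling the underlying labeling bug not worth fixing because devices are moving to block-based OTAs, yet nothing in this group says these rules were reinstated by a revert and are expected to leave again; a one-line pointer above the `# Create and relabel files and directories under /system.` comment, such as `# Restored by the revert of 7388575591ff; remove together with file-based OTA support.`, would tell the next reader they are not meant to stay. The recovery_only block continues outside the hunk.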