From 0c9708b2af4ea345277a47ae7bc1ce890e90d2bc Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 10 Jul 2013 14:46:05 -0700
Subject: [PATCH] domain.te: Add backwards compatibility for unlabeled files

For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future.

To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain.

Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
---
 app.te | 2 ++
 attributes | 3 +++
 domain.te | 15 +++++++++++++++
 init.te | 3 +++
 installd.te | 1 +
 kernel.te | 3 +++
 system.te | 6 ++++++
 te_macros | 7 +++++++
 unconfined.te | 4 ++--
 9 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index fb7683183..22168f891 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,8 @@ platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
 unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
 
 # Apps signed with the shared key.
 type shared_app, domain;
diff --git a/attributes b/attributes
index 7d491e2d4..6123d6c1b 100644
--- a/attributes
+++ b/attributes
@@ -64,3 +64,6 @@ attribute binderservicedomain;
 
 # Allow domains used for platform (signed by build key) apps.
 attribute platformappdomain;
+
+# All domains which are allowed the "relabelto" permission
+attribute relabeltodomain;
diff --git a/domain.te b/domain.te
index a4a06d554..9ca6dc4e6 100644
--- a/domain.te
+++ b/domain.te
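Review bot: `allow media_app download_file:dir relabelto;` carries no comment saying why media_app needs to relabel directories to download_file, and since the unconfined.te hunk removes relabelto from the unconfined wildcard this line is now the only relabelto media_app keeps. Because every relabelto grant is gated by the neverallow added in domain.te, each one is worth a one-line justification such as `# media_app relabels directories to download_file; relabelto is otherwise blocked by the neverallow in domain.te`. The grant covers only the dir class, so files inside such directories cannot be relabeled by media_app; if that is deliberate the comment should say so.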
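Review bot: The comment on `attribute relabeltodomain;` describes membership but not what the attribute does: it only exempts a domain from the `neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;` added in domain.te and grants no permission by itself, so a domain still needs explicit allow rules. Suggest `# Domains exempt from the relabelto neverallow in domain.te; each still needs its own allow rules for relabelto.` The te_macros hunk has the same gap, where `# Allows this domain to use the relabelto permission` reads as if the macro grants relabelto; `# Exempts the domain from the relabelto neverallow in domain.te; explicit allow rules are still required` would be accurate there.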
@@ -120,3 +120,18 @@ dontaudit domain debugfs:file rw_file_perms;
 # security files
 allow domain security_file:dir { search getattr };
 allow domain security_file:file getattr;
+
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
+# capability, it's essentially useless. This is needed to allow an app with
+# relabelto to relabel unlabeled files.
+#
+allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:dir { create_dir_perms relabelfrom };
+allow domain unlabeled:lnk_file { create_file_perms };
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
diff --git a/init.te b/init.te
index 5b7463e93..2cbf14d86 100644
--- a/init.te
+++ b/init.te
@@ -4,5 +4,8 @@ permissive init;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
+relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
+
+allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
diff --git a/installd.te b/installd.te
index 2b983db12..05e4d65cb 100644
--- a/installd.te
+++ b/installd.te
@@ -4,6 +4,7 @@ permissive installd;
 type installd_exec, exec_type, file_type;
 
 init_daemon_domain(installd)
+relabelto_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
 allow installd system_data_file:file create_file_perms;
diff --git a/kernel.te b/kernel.te
index 5502ed88d..023e45790 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,3 +3,6 @@ type kernel, domain;
 permissive kernel;
 # The kernel is unconfined.
 unconfined_domain(kernel)
+relabelto_domain(kernel)
+
+allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
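Review bot: `allow domain unlabeled:lnk_file { create_file_perms };` omits relabelfrom, although the comment just above says relabelfrom is granted so that a relabelto domain can fix unlabeled files; an unlabeled symlink therefore cannot be relabeled even by a relabeltodomain member. If that is intentional the comment should say so, otherwise the line should read `allow domain unlabeled:lnk_file { create_file_perms relabelfrom };`. Separately, `rwx_file_perms` on unlabeled:file presumably includes execute (if it follows the usual r/w/x macro layout), which is wider than the read/write DAC fallback the comment describes; a line such as `# NOTE: rwx_file_perms includes execute, so any domain may execute unlabeled files` next to the TODO keeps that visible until these rules are removed.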
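Review bot: `allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;` hands init back exactly the relabelto reach that the unconfined.te hunk takes away, so for init (and for kernel.te, which adds the same line) the new neverallow gates nothing; the blanket grant deserves a comment recording why it is needed and that it is meant to be narrowed, e.g. `# blanket relabelto: init is expected to relabel files of any type; TODO narrow to the types it actually relabels`. Note also that `permissive init;` in the context means none of these rules are enforced for init yet, so the grant only matters once permissive is dropped.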
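Review bot: `relabelto_domain(installd)` adds the exemption attribute, but this hunk contains no `allow installd ...:... relabelto;` rule and, unlike init and kernel, installd is not shown as an unconfined domain, so the attribute alone grants it nothing unless an allow exists elsewhere in the file outside this hunk. With `permissive installd;` in the context the gap would not surface as a denial during testing. Either add the specific `allow installd <type>:<class> relabelto;` rule next to the macro call or a comment stating where that permission is granted.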
diff --git a/system.te b/system.te
index e638039a9..24d4a676b 100644
--- a/system.te
+++ b/system.te
@@ -6,7 +6,13 @@ unconfined_domain(system_app)
 type system, domain;
 permissive system;
 unconfined_domain(system);
+relabelto_domain(system);
 
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };
+
+allow system backup_data_file:dir relabelto;
+allow system cache_backup_file:dir relabelto;
+allow system apk_data_file:file relabelto;
+allow system apk_tmp_file:file relabelto;
diff --git a/te_macros b/te_macros
index 1c78c96d0..310612cd9 100644
--- a/te_macros
+++ b/te_macros
@@ -108,6 +108,13 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 ')
 
+#####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+define(`relabelto_domain', `
+typeattribute $1 relabeltodomain;
+')
+
 #####################################
 # platform_app_domain(domain)
 # Allow permissions specific to platform apps.
diff --git a/unconfined.te b/unconfined.te
index 9f100a3e2..a3af7d771 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -11,8 +11,8 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
-- 
GitLab
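Review bot: `relabelto_domain(system);` carries a trailing semicolon while the same macro is invoked as `relabelto_domain(init)`, `relabelto_domain(kernel)` and `relabelto_domain(installd)` in the other hunks; the macro body already terminates its typeattribute statement, so the `;` only survives because the existing `unconfined_domain(system);` line on the context line above sets the same precedent. Prefer `relabelto_domain(system)` so the new calls are uniform across files. The four per-type relabelto grants below are the shape the neverallow is meant to encourage and need no change.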
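Review bot: The two rewritten unconfineddomain rules carve relabelto out of the wildcard without a comment, so a later editor of unconfined.te may not see why `~relabelto` and `~{entrypoint relabelto}` are there; the neverallow in domain.te would fail the build rather than silently widen if `*` were restored, but the intent should still be stated in place. Suggest `# relabelto is excluded so the neverallow in domain.te can gate it per domain` above the first rewritten rule. The untouched `allow unconfineddomain fs_type:filesystem *;` on the line above keeps filesystem-class permissions unrestricted; the filesystem class appears to be outside dir_file_class_set and so is not covered by the neverallow, which is worth noting in that comment if it is intended.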