From 274c1ded4d641f66fde3bda7e96a32d6b7c36125 Mon Sep 17 00:00:00 2001
From: Dario Freni <dariofreni@google.com>
Date: Wed, 2 Jan 2019 14:20:52 +0000
Subject: [PATCH] SEPolicy for Staged Installs.

Test: basic workflow between apexd and PackageManager tested with
changes being developed.
Bug: 118865310
Change-Id: I1ae866f33e9b22493585e108c4fd45400493c7ac
---
 private/apexd.te                    |  4 ++++
 private/compat/26.0/26.0.ignore.cil |  1 +
 private/compat/27.0/27.0.ignore.cil |  1 +
 private/compat/28.0/28.0.ignore.cil |  3 ++-
 private/domain.te                   | 11 +++++++++++
 private/file_contexts               |  1 +
 private/system_server.te            |  4 ++++
 public/file.te                      |  2 ++
 8 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/private/apexd.te b/private/apexd.te
index 7b1c04175..bed895306 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,6 +46,10 @@ allow apexd apex_mnt_dir:lnk_file create_file_perms;
 allow apexd apk_tmp_file:file relabelfrom;
 allow apexd apex_data_file:file relabelto;
 
+# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f40ca7768..de0cc7987 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -142,6 +142,7 @@
     secure_element_service
     server_configurable_flags_data_file
     slice_service
+    staging_data_file
     stats
     stats_data_file
     stats_exec
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 88cf5d621..429725c70 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -141,6 +141,7 @@
     statsdw_socket
     storaged_data_file
     super_block_device
+    staging_data_file
     system_boot_reason_prop
     system_lmk_prop
     system_suspend_hwservice
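Review bot: The added `staging_data_file` entry is out of alphabetical order here: it lands after `super_block_device`, whereas the 26.0 hunk places it correctly between `slice_service` and `stats`. The 28.0 hunk has the same problem, inserting it after `system_suspend_hwservice` even though that hunk re-sorts `server_configurable_flags_data_file` in the same change. Move the line so it precedes `statsdw_socket` in this file and `super_block_device` in 28.0.ignore.cil; only part of each list is visible in the hunk, so check the final position against the preceding entries.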
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 824761481..9133c4491 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -75,10 +75,11 @@
     rss_hwm_reset_exec
     runtime_service
     sensor_privacy_service
+    server_configurable_flags_data_file
     super_block_device
     system_lmk_prop
     system_suspend_hwservice
-    server_configurable_flags_data_file
+    staging_data_file
     time_prop
     timedetector_service
     timezonedetector_service
diff --git a/private/domain.te b/private/domain.te
index 15179e23b..bc1defb63 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -138,6 +138,17 @@ neverallow {
   -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
 
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server } staging_data_file:file
+  { append create unlink relabelfrom rename setattr write no_x_file_perms };
+
 neverallow {
     domain
     -appdomain # for oemfs
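Review bot: The two `*` neverallows added here cover only the `dir` and `file` classes, so a staging_data_file lnk_file, sock_file or fifo_file granted to some other domain would not be caught, while the existing neverallow directly above the insertion uses `dir_file_class_set` for the same purpose; collapsing them to `neverallow { domain -init -system_server -apexd } staging_data_file:dir_file_class_set *;` gives the guarantee the comment describes for every class the type can label. The comment also overstates that guarantee: init and system_server are exempt from every rule here, and system_server keeps create_file_perms on the type in private/system_server.te, so the files are unchanging only with respect to other domains, not while system_server holds write access. Suggest appending `# init and system_server are exempt; after staging, immutability relies on system_server itself not modifying the files.` The neverallow block that starts after the inserted lines continues outside the hunk.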
diff --git a/private/file_contexts b/private/file_contexts
index 13d87ff1f..da41ef74a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -429,6 +429,7 @@
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
 /data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/staging(/.*)?		u:object_r:staging_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index b8e051117..f3d2ffd99 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -471,6 +471,10 @@ allow system_server wifi_data_file:file create_file_perms;
 allow system_server zoneinfo_data_file:dir create_dir_perms;
 allow system_server zoneinfo_data_file:file create_file_perms;
 
+# Manage /data/staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
+
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
 allow system_server {
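Review bot: `# Manage /data/staging.` does not say what system_server does with the directory, which matters because these two allow lines are the write path that the staging_data_file neverallows in private/domain.te otherwise forbid. Suggest `# Manage /data/staging: system_server writes the staged APK/APEX files here for apexd to read and hardlink into /data/apex.`, which mirrors the description given in domain.te. The allow statement opened on the last hunk line continues outside the hunk.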
diff --git a/public/file.te b/public/file.te
index 2a5e6f429..86a85dc61 100644
--- a/public/file.te
+++ b/public/file.te
@@ -253,6 +253,8 @@ type preloads_media_file, file_type, data_file_type, core_data_file_type;
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/server_configurable_flags
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
 
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;
-- 
GitLab