fastboot: /mnt/scratch refined access on userdebug

Already has permissions to remove the scratch partition, but to allow more refined cleansing (eg: just remove vendor override), need the ability to mount and scrub overlay directories. Test: manual Bug: 117605276 Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f

fastboot: /mnt/scratch refined access on userdebug
Already has permissions to remove the scratch partition, but to allow more refined cleansing (eg: just remove vendor override), need the ability to mount and scrub overlay directories. Test: manual Bug: 117605276 Change-Id: Ibc272c0aa7ce207280023912f5f119ccf5079a7f
33442f57 · Mark Salyzyn · 96c6d14c · 33442f57 · 33442f57
Commit 33442f57 authored 6 years ago by Mark Salyzyn
--- a/public/domain.te
+++ b/public/domain.te
@@ -474,7 +474,18 @@ neverallow domain device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow {
+    domain
+    -apexd
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    -init
+    -kernel
+    -otapreopt_chroot
+    -recovery
+    -update_engine
+    -vold
+    -zygote
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 # Files from cache should never be executed
 neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
@@ -509,6 +520,7 @@ neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_p
 neverallow {
    domain
    with_asan(`-asan_extract')
+    recovery_only(`userdebug_or_eng(`-fastbootd')')
 } {
    system_file_type
    vendor_file_type
@@ -532,7 +544,8 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
 # the write to /system restriction above is not bypassed via context=
 # mount to another type.
 neverallow * contextmount_type:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
+    { create setattr relabelfrom relabelto append link rename };
+neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
 # Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as

--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -62,6 +62,27 @@ recovery_only(`
  allow fastbootd proc_cmdline:file r_file_perms;
  allow fastbootd rootfs:dir r_dir_perms;
  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+  userdebug_or_eng(`
+    # Refined manipulation of /mnt/scratch, without these perms resorts
+    # to deleting scratch partition when partition(s) are flashed.
+    allow fastbootd self:process setfscreate;
+    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+    allow fastbootd {
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:dir { remove_name rmdir search write };
+    allow fastbootd {
+      overlayfs_file
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:{ file lnk_file } unlink;
+    allow fastbootd tmpfs:dir rw_dir_perms;
+    allow fastbootd labeledfs:filesystem { mount unmount };
+    get_prop(fastbootd, persistent_properties_ready_prop)
+  ')
 ')
 ###