sepolicy: grant dac_read_search to domains with dac_override

kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4

sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
342362ae · Benjamin Gordon · 51dc7cb1 · 342362ae · 342362ae · 342362ae
Commit 342362ae authored 6 years ago by Benjamin Gordon
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -8,7 +8,7 @@ get_prop(llkd, llkd_prop)
 allow llkd self:global_capability_class_set kill;
 userdebug_or_eng(`
  allow llkd self:global_capability_class_set sys_ptrace;
-  allow llkd self:global_capability_class_set dac_override;
+  allow llkd self:global_capability_class_set { dac_override dac_read_search };
 ')

 # llkd optionally locks itself in memory, to prevent it from being

--- a/private/storaged.te
+++ b/private/storaged.te
@@ -48,7 +48,7 @@ allow storaged package_native_service:service_manager find;

 # Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
 # running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set dac_override;
+dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };

 # For collecting bugreports.
 allow storaged dumpstate:fifo_file write;

--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,7 +7,7 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
  system_data_file

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -7,7 +7,7 @@ init_daemon_domain(zygote)
 read_runtime_log_tags(zygote)

 # Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };

 # Drop capabilities from bounding set.
 allow zygote self:global_capability_class_set setpcap;

--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,7 +6,7 @@ net_domain(dnsmasq)
 allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;

 # TODO:  Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set dac_override;
+allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };

 allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };


--- a/public/domain.te
+++ b/public/domain.te
@@ -1377,29 +1377,36 @@ full_treble_only(`
 # Minimize dac_override and dac_read_search.
 # Instead of granting them it is usually better to add the domain to
 # a Unix group or change the permissions of a file.
-neverallow {
-  domain
-  -dnsmasq
-  -dumpstate
-  -init
-  -installd
-  -install_recovery
-  userdebug_or_eng(`-llkd')
-  -lmkd
-  -netd
-  -perfprofd
-  -postinstall_dexopt
-  -recovery
-  -sdcardd
-  -tee
-  -ueventd
-  -uncrypt
-  -vendor_init
-  -vold
-  -vold_prepare_subdirs
-  -zygote
-} self:global_capability_class_set dac_override;
-neverallow { domain -traced_probes } self:global_capability_class_set dac_read_search;
+define(`dac_override_allowed', `{
+  dnsmasq
+  dumpstate
+  init
+  installd
+  install_recovery
+  userdebug_or_eng(`llkd')
+  lmkd
+  netd
+  perfprofd
+  postinstall_dexopt
+  recovery
+  sdcardd
+  tee
+  ueventd
+  uncrypt
+  vendor_init
+  vold
+  vold_prepare_subdirs
+  zygote
+}')
+neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
+# Since the kernel checks dac_read_search before dac_override, domains that
+# have dac_override should also have dac_read_search to eliminate spurious
+# denials.  Some domains have dac_read_search without having dac_override, so
+# this list should be a superset of the one above.
+neverallow ~{
+  dac_override_allowed
+  traced_probes
+} self:global_capability_class_set dac_read_search;

 # If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -33,7 +33,7 @@ allow dumpstate toolbox_exec:file rx_file_perms;
 allow dumpstate system_file:dir r_dir_perms;

 # Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
 allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;


--- a/public/init.te
+++ b/public/init.te
@@ -105,7 +105,7 @@ allow init metadata_file:dir mounton;
 allow init tmpfs:dir relabelfrom;

 # Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set dac_override;
+allow init self:global_capability_class_set { dac_override dac_read_search };

 # Set system clock.
 allow init self:global_capability_class_set sys_time;

--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
 type install_recovery, domain;
 type install_recovery_exec, exec_type, file_type;

-allow install_recovery self:global_capability_class_set dac_override;
+allow install_recovery self:global_capability_class_set { dac_override dac_read_search };

 # /system/bin/install-recovery.sh is a shell script.
 # Needs to execute /system/bin/sh

--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
 type installd, domain;
 type installd_exec, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };

 # Allow labeling of files under /data/app/com.example/oat/
 allow installd dalvikcache_data_file:dir relabelto;

--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,7 +2,7 @@
 type lmkd, domain, mlstrustedsubject;
 type lmkd_exec, exec_type, file_type;

-allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };

 # lmkd locks itself in memory, to prevent it from being
 # swapped out and unable to kill other memory hogs.

--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@ allow netd fs_bpf:file create_file_perms;
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
-allow netd self:global_capability_class_set { dac_override chown };
+allow netd self:global_capability_class_set { dac_override dac_read_search chown };

 # Needed to update /data/misc/net/rt_tables
 allow netd net_data_file:file create_file_perms;

--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -23,7 +23,7 @@ userdebug_or_eng(`
  # perfprofd reads a config file from /data/data/com.google.android.gms/files
  allow perfprofd { privapp_data_file app_data_file }:file r_file_perms;
  allow perfprofd { privapp_data_file app_data_file }:dir search;
-  allow perfprofd self:global_capability_class_set { dac_override };
+  allow perfprofd self:global_capability_class_set { dac_override dac_read_search };

  # perfprofd opens a file for writing in /data/misc/perfprofd
  allow perfprofd perfprofd_data_file:file create_file_perms;

--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,7 +5,7 @@

 type postinstall_dexopt, domain;

-allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };

 allow postinstall_dexopt postinstall_file:filesystem getattr;
 allow postinstall_dexopt postinstall_file:dir { getattr search };

--- a/public/recovery.te
+++ b/public/recovery.te
@@ -15,6 +15,7 @@ recovery_only(`
  allow recovery self:global_capability_class_set {
    chown
    dac_override
+    dac_read_search
    fowner
    setuid
    setgid

--- a/public/runas.te
+++ b/public/runas.te
@@ -18,7 +18,7 @@ allow runas system_data_file:lnk_file getattr;
 allow runas system_data_file:lnk_file read;

 # run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set dac_override;
+dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
 allow runas app_data_file:dir { getattr search };

 # run-as switches to the app UID/GID.

--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@ allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
 allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };

 allow sdcardd sdcard_type:dir create_dir_perms;
 allow sdcardd sdcard_type:file create_file_perms;

--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@ type ueventd, domain;
 # Write to /dev/kmsg.
 allow ueventd kmsg_device:chr_file rw_file_perms;

-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner };
 allow ueventd device:file create_file_perms;

 r_dir_file(ueventd, rootfs)

--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
 type uncrypt, domain, mlstrustedsubject;
 type uncrypt_exec, exec_type, file_type;

-allow uncrypt self:global_capability_class_set dac_override;
+allow uncrypt self:global_capability_class_set { dac_override dac_read_search };

 userdebug_or_eng(`
  # For debugging, allow /data/local/tmp access

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -22,7 +22,7 @@ allow vendor_init configfs:dir create_dir_perms;
 allow vendor_init configfs:{ file lnk_file } create_file_perms;

 # Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set dac_override;
+allow vendor_init self:global_capability_class_set { dac_override dac_read_search };

 # mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
 # chown/chmod require open+read+setattr required for open()+fchown/fchmod().