Merge "SEPolicy for Staged Installs."

4d399f60 · Dario Freni · Gerrit Code Review · 58b2f2b8 · 274c1ded · 4d399f60
Commit 4d399f60 authored 6 years ago by Dario Freni Committed by Gerrit Code Review 6 years ago
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -46,6 +46,10 @@ allow apexd apex_mnt_dir:lnk_file create_file_perms;
 allow apexd apk_tmp_file:file relabelfrom;
 allow apexd apex_data_file:file relabelto;
+# allow apexd to read files from /data/staging and hardlink them to /data/apex.
+allow apexd staging_data_file:dir r_dir_perms;
+allow apexd staging_data_file:file { r_file_perms link };
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };

--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -142,6 +142,7 @@
    secure_element_service
    server_configurable_flags_data_file
    slice_service
+    staging_data_file
    stats
    stats_data_file
    stats_exec

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -141,6 +141,7 @@
    statsdw_socket
    storaged_data_file
    super_block_device
+    staging_data_file
    system_boot_reason_prop
    system_lmk_prop
    system_suspend_hwservice

--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -75,10 +75,11 @@
    rss_hwm_reset_exec
    runtime_service
    sensor_privacy_service
+    server_configurable_flags_data_file
    super_block_device
    system_lmk_prop
    system_suspend_hwservice
-    server_configurable_flags_data_file
+    staging_data_file
    time_prop
    timedetector_service
    timezonedetector_service

--- a/private/domain.te
+++ b/private/domain.te
@@ -138,6 +138,17 @@ neverallow {
  -installd
 } { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
+# The staging directory contains APEX and APK files. It is important to ensure
+# that these files cannot be accessed by other domains to ensure that the files
+# do not change between system_server staging the files and apexd processing
+# the files.
+neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
+neverallow { domain -init -system_server -apexd } staging_data_file:file *;
+neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
+# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
+neverallow { domain -init -system_server } staging_data_file:file
+  { append create unlink relabelfrom rename setattr write no_x_file_perms };
 neverallow {
    domain
    -appdomain # for oemfs

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -429,6 +429,7 @@
 /data/preloads/media(/.*)?	u:object_r:preloads_media_file:s0
 /data/preloads/demo(/.*)?	u:object_r:preloads_media_file:s0
 /data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
+/data/staging(/.*)?		u:object_r:staging_data_file:s0
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0

--- a/private/system_server.te
+++ b/private/system_server.te
@@ -471,6 +471,10 @@ allow system_server wifi_data_file:file create_file_perms;
 allow system_server zoneinfo_data_file:dir create_dir_perms;
 allow system_server zoneinfo_data_file:file create_file_perms;
+# Manage /data/staging.
+allow system_server staging_data_file:dir create_dir_perms;
+allow system_server staging_data_file:file create_file_perms;
 # Walk /data/data subdirectories.
 # Types extracted from seapp_contexts type= fields.
 allow system_server {

--- a/public/file.te
+++ b/public/file.te
@@ -253,6 +253,8 @@ type preloads_media_file, file_type, data_file_type, core_data_file_type;
 type dhcp_data_file, file_type, data_file_type, core_data_file_type;
 # /data/server_configurable_flags
 type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
+# /data/staging
+type staging_data_file, file_type, data_file_type, core_data_file_type;
 # Mount locations managed by vold
 type mnt_media_rw_file, file_type;