Merge "Update permissions for the dedicated profile folders" into nyc-dev

56baf61f · Calin Juravle · Android (Google) Code Review · 7a8b34a0 · 89625c9a · 56baf61f
Commit 56baf61f authored 9 years ago by Calin Juravle Committed by Android (Google) Code Review 9 years ago
--- a/app.te
+++ b/app.te
@@ -110,6 +110,10 @@ allow appdomain dumpstate:fd use;
 allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
 allow appdomain shell_data_file:file { write getattr };

+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
 # % adb shell dumpsys procstats --start-testing

--- a/dex2oat.te
+++ b/dex2oat.te
 # dex2oat
-type dex2oat, domain, mlstrustedsubject, domain_deprecated;
+type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;

 allow dex2oat dalvikcache_data_file:file write;
@@ -15,7 +15,7 @@ allow dex2oat asec_apk_file:file read;
 allow dex2oat unlabeled:file read;
 allow dex2oat oemfs:file read;
 allow dex2oat apk_tmp_file:file read;
-allow dex2oat app_data_file:file {read write lock};
+allow dex2oat user_profile_data_file:file {read lock};

 ##################
 # A/B OTA Dexopt #

--- a/domain.te
+++ b/domain.te
@@ -551,3 +551,11 @@ neverallow {
  -ueventd
  -vold
 } fuse_device:chr_file *;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+  domain
+  -installd
+  -profman
+} profman_exec:file no_x_file_perms;
--- a/file.te
+++ b/file.te
@@ -85,6 +85,8 @@ type apk_private_tmp_file, file_type, data_file_type, mlstrustedobject;
 type dalvikcache_data_file, file_type, data_file_type;
 # /data/ota
 type ota_data_file, file_type, data_file_type;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/resource-cache
 type resourcecache_data_file, file_type, data_file_type;
 # /data/local - writable by shell

--- a/file_contexts
+++ b/file_contexts
@@ -203,6 +203,7 @@
 /system/bin/dex2oat     u:object_r:dex2oat_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
 /system/bin/patchoat    u:object_r:dex2oat_exec:s0
+/system/bin/profman     u:object_r:profman_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -289,6 +290,10 @@
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 /data/misc/trace(/.*)?          u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0

 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0

--- a/installd.te
+++ b/installd.te
@@ -66,6 +66,9 @@ allow installd resourcecache_data_file:file create_file_perms;
 # Run dex2oat in its own sandbox.
 domain_auto_trans(installd, dex2oat_exec, dex2oat)

+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
 # Run idmap in its own sandbox.
 domain_auto_trans(installd, idmap_exec, idmap)

@@ -109,6 +112,10 @@ allow installd {
    autoplay_data_file
 }:notdevfile_class_set { create_file_perms relabelfrom relabelto };

+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+
 # Create and use pty created by android_fork_execvp().
 allow installd devpts:chr_file rw_file_perms;


--- a/profman.te
+++ b/profman.te
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { read write lock };
+
+allow profman installd:fd use;
+
+neverallow profman app_data_file:notdevfile_class_set open;
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -171,6 +171,7 @@ neverallow untrusted_app {
  -app_data_file            # The apps sandbox itself
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artfacts here after uninstall.
+  -user_profile_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only

--- a/vold.te
+++ b/vold.te
@@ -185,6 +185,9 @@ allow vold sysfs_zram_uevent:file rw_file_perms;
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;

+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;