Introduce system_file_type

system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5

Introduce system_file_type
5e37271d · Nick Kralevich · ff1c765f · 5e37271d · 5e37271d · 5e37271d
Commit 5e37271d authored 7 years ago by Nick Kralevich
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
 # hwservicemanager - the Binder context manager for HAL services
 type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, exec_type, file_type;
+type hwservicemanager_exec, system_file_type, exec_type, file_type;
 # Note that we do not use the binder_* macros here.
 # hwservicemanager provides name service (aka context manager)

--- a/public/idmap.te
+++ b/public/idmap.te
 # idmap, when executed by installd
 type idmap, domain;
-type idmap_exec, exec_type, file_type;
+type idmap_exec, system_file_type, exec_type, file_type;
 # Use open file to /data/resource-cache file inherited from installd.
 allow idmap installd:fd use;

--- a/public/init.te
+++ b/public/init.te
@@ -2,7 +2,7 @@
 type init, domain, mlstrustedsubject;
 # The init domain is entered by execing init.
-type init_exec, exec_type, file_type;
+type init_exec, system_file_type, exec_type, file_type;
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
@@ -147,7 +147,7 @@ allow init {
  -nativetest_data_file
  -privapp_data_file
  -system_app_data_file
-  -system_file
+  -system_file_type
  -vendor_file_type
 }:dir { create search getattr open read setattr ioctl };
@@ -161,7 +161,7 @@ allow init {
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
-  -system_file
+  -system_file_type
  -vendor_file_type
  -vold_data_file
 }:dir { write add_name remove_name rmdir relabelfrom };
@@ -177,7 +177,7 @@ allow init {
  -runtime_event_log_tags_file
  -shell_data_file
  -system_app_data_file
-  -system_file
+  -system_file_type
  -vendor_file_type
  -vold_data_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
@@ -192,7 +192,7 @@ allow init {
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
-  -system_file
+  -system_file_type
  -vendor_file_type
  -vold_data_file
 }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
@@ -207,14 +207,14 @@ allow init {
  -privapp_data_file
  -shell_data_file
  -system_app_data_file
-  -system_file
+  -system_file_type
  -vendor_file_type
  -vold_data_file
 }:lnk_file { create getattr setattr relabelfrom unlink };
 allow init cache_file:lnk_file r_file_perms;
-allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { file_type -system_file_type -vendor_file_type -exec_type }:dir_file_class_set relabelto;
 # does init really need to relabel app data?
 userdebug_or_eng(`auditallow init { app_data_file privapp_data_file }:dir_file_class_set relabelto;')
 allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };

--- a/public/inputflinger.te
+++ b/public/inputflinger.te
 # inputflinger
 type inputflinger, domain;
-type inputflinger_exec, exec_type, file_type;
+type inputflinger_exec, system_file_type, exec_type, file_type;
 binder_use(inputflinger)
 binder_service(inputflinger)

--- a/public/install_recovery.te
+++ b/public/install_recovery.te
 # service flash_recovery in init.rc
 type install_recovery, domain;
-type install_recovery_exec, exec_type, file_type;
+type install_recovery_exec, system_file_type, exec_type, file_type;
 allow install_recovery self:global_capability_class_set { dac_override dac_read_search };

--- a/public/installd.te
+++ b/public/installd.te
 # installer daemon
 type installd, domain;
-type installd_exec, exec_type, file_type;
+type installd_exec, system_file_type, exec_type, file_type;
 typeattribute installd mlstrustedsubject;
 allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };

--- a/public/keystore.te
+++ b/public/keystore.te
 type keystore, domain;
-type keystore_exec, exec_type, file_type;
+type keystore_exec, system_file_type, exec_type, file_type;
 # keystore daemon
 typeattribute keystore mlstrustedsubject;

--- a/public/llkd.te
+++ b/public/llkd.te
 # llkd Live LocK Daemon
 type llkd, domain, mlstrustedsubject;
-type llkd_exec, exec_type, file_type;
+type llkd_exec, system_file_type, exec_type, file_type;
--- a/public/lmkd.te
+++ b/public/lmkd.te
 # lmkd low memory killer daemon
 type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, exec_type, file_type;
+type lmkd_exec, system_file_type, exec_type, file_type;
 allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };

--- a/public/logd.te
+++ b/public/logd.te
 # android user-space log manager
 type logd, domain, mlstrustedsubject;
-type logd_exec, exec_type, file_type;
+type logd_exec, system_file_type, exec_type, file_type;
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)

--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
 # mediadrmserver - mediadrm daemon
 type mediadrmserver, domain;
-type mediadrmserver_exec, exec_type, file_type;
+type mediadrmserver_exec, system_file_type, exec_type, file_type;
 typeattribute mediadrmserver mlstrustedsubject;

--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
-type mediaextractor_exec, exec_type, file_type;
+type mediaextractor_exec, system_file_type, exec_type, file_type;
 typeattribute mediaextractor mlstrustedsubject;

--- a/public/mediametrics.te
+++ b/public/mediametrics.te
 # mediametrics - daemon for collecting media.metrics data
 type mediametrics, domain;
-type mediametrics_exec, exec_type, file_type;
+type mediametrics_exec, system_file_type, exec_type, file_type;
 binder_use(mediametrics)

--- a/public/mediaserver.te
+++ b/public/mediaserver.te
 # mediaserver - multimedia daemon
 type mediaserver, domain;
-type mediaserver_exec, exec_type, file_type;
+type mediaserver_exec, system_file_type, exec_type, file_type;
 typeattribute mediaserver mlstrustedsubject;

--- a/public/mtp.te
+++ b/public/mtp.te
 # vpn tunneling protocol manager
 type mtp, domain;
-type mtp_exec, exec_type, file_type;
+type mtp_exec, system_file_type, exec_type, file_type;
 net_domain(mtp)

--- a/public/netd.te
+++ b/public/netd.te
 # network manager
 type netd, domain, mlstrustedsubject;
-type netd_exec, exec_type, file_type;
+type netd_exec, system_file_type, exec_type, file_type;
 net_domain(netd)
 # in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.

--- a/public/netutils_wrapper.te
+++ b/public/netutils_wrapper.te
 type netutils_wrapper, domain;
-type netutils_wrapper_exec, exec_type, file_type;
+type netutils_wrapper_exec, system_file_type, exec_type, file_type;
 neverallow domain netutils_wrapper_exec:file execute_no_trans;
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
 # otapreopt_chroot executable
 type otapreopt_chroot, domain;
-type otapreopt_chroot_exec, exec_type, file_type;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
 # Chroot preparation and execution.
 # We need to create an unshared mount namespace, and then mount /data.

--- a/public/otapreopt_slot.te
+++ b/public/otapreopt_slot.te
@@ -4,7 +4,7 @@
 # from /data/ota to /data/dalvik-cache.
 type otapreopt_slot, domain, mlstrustedsubject;
-type otapreopt_slot_exec, exec_type, file_type;
+type otapreopt_slot_exec, system_file_type, exec_type, file_type;
 # The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up

--- a/public/performanced.te
+++ b/public/performanced.te
 # performanced
 type performanced, domain, mlstrustedsubject;
-type performanced_exec, exec_type, file_type;
+type performanced_exec, system_file_type, exec_type, file_type;
 # Needed to check for app permissions.
 binder_use(performanced)