From a12aad45b68da1d3da096659a2b22b5e95c1f6b9 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 10 Jul 2017 20:39:50 -0700
Subject: [PATCH] domain_deprecated: remove rootfs access

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420 path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0" ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo" dev="dm-0" ino=25 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
---
 private/platform_app.te | 3 +++
 private/system_app.te | 3 +++
 public/update_engine_common.te | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/private/platform_app.te b/private/platform_app.te
index 42534bd60..047cca45f 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -38,6 +38,9 @@ allow platform_app mnt_media_rw_file:dir r_dir_perms;
 allow platform_app vfat:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
 
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
diff --git a/private/system_app.te b/private/system_app.te
index 606c4a07d..80afcb946 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -11,6 +11,9 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
 
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index fb0284f0e..775bb1eda 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -13,6 +13,10 @@ allow update_engine_common system_block_device:blk_file rw_file_perms;
 # requires it.
 allow update_engine_common misc_block_device:blk_file rw_file_perms;
 
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
 allow update_engine_common postinstall_mnt_dir:dir mounton;
-- 
GitLab
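Review bot: The comment `# com.android.systemui` above the new `allow platform_app rootfs:dir getattr;` records a package name that the audit in the commit message does not actually contain: that line identifies the caller only by a hex-encoded comm (496E666C6174657254687265616420, which decodes to the thread name "InflaterThread ") and a platform_app context with categories, so the attribution to systemui is an inference and should be marked as one. The rule is the minimal permission for the observed access (getattr on "/", dev dm-0 ino 2), but because rootfs is a single type it applies to every rootfs-labelled directory, not only "/"; the same holds for the rootfs:dir rules added to system_app.te and update_engine_common.te in this patch. Suggest `# com.android.systemui (inferred from audit: getattr on "/" by a platform_app thread); applies to all rootfs:dir` so a later least-privilege pass can see both facts without re-deriving them.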
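Review bot: The comment `# android.ui and system.ui` above `allow system_app rootfs:dir getattr;` does not match the evidence in the commit message, which shows only comm="android:ui" (the same event logged twice): the comm is "android:ui" with a colon, a thread name, and no "system.ui" access appears in the collected logs. A comment that is traceable to the audit keeps the grant reviewable when domain_deprecated is finally removed; suggest `# android:ui thread of system_app: getattr on "/" (audited)`. If a system.ui access was seen elsewhere and not pasted into the message, it should be added to the commit message rather than left as an unsupported claim in the policy comment.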
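Review bot: `allow update_engine_common rootfs:file r_file_perms;` grants read of every rootfs-labelled file, while the audited need is one file, /fstab.foo (ino 25) under "/"; the comment `# read fstab` understates that scope. The rule is also placed in public/update_engine_common.te although only scontext=u:r:update_engine:s0 appears in the audit, so if update_engine_common is an attribute shared by more than the update_engine domain (as its name and location suggest; verify against the attribute definition) the other members inherit the rootfs file read as well. If the fstab files in the root directory can carry a narrower label than rootfs, that would let this rule target them alone; otherwise record the real scope so it is not mistaken for a narrow grant: `# read fstab: audited as update_engine reading /fstab.<hw>; this covers every rootfs:file, not only fstab`.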