From ac097ac4c7718f8593f2b6b96a93a776984ec7c4 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Fri, 17 Aug 2018 09:35:42 +0200
Subject: [PATCH] Add policy for apexd.

apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered, apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
---
private/apexd.te | 42 +++++++++++++++++++++++++++++
private/atrace.te | 1 +
private/compat/26.0/26.0.ignore.cil | 7 +++++
private/compat/27.0/27.0.ignore.cil | 7 +++++
private/compat/28.0/28.0.ignore.cil | 7 +++++
private/crash_dump.te | 1 +
private/file_contexts | 4 +++
private/llkd.te | 1 +
private/service_contexts | 1 +
private/system_app.te | 1 +
public/apexd.te | 11 ++++++++
public/domain.te | 2 +-
public/dumpstate.te | 1 +
public/file.te | 7 +++++
public/init.te | 15 +++++++++--
public/service.te | 1 +
public/shell.te | 1 +
public/traceur_app.te | 1 +
18 files changed, 108 insertions(+), 3 deletions(-)
create mode 100644 private/apexd.te
create mode 100644 public/apexd.te

diff --git a/private/apexd.te b/private/apexd.te
new file mode 100644
index 000000000..dcec2487b
--- /dev/null
+++ b/private/apexd.te
@@ -0,0 +1,42 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# Read /system/etc/security/apex_debug_key
+allow apexd apex_key_file:dir search;
+allow apexd apex_key_file:file r_file_perms;
+
+# Allow reading and writing of APEX files in the APEX data dir
+allow apexd apex_data_file:dir rw_dir_perms;
+allow apexd apex_data_file:file rw_file_perms;
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+# allow apexd to access /dev/block
+allow apexd block_device:dir r_dir_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow apexd self:global_capability_class_set sys_admin;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# Spawning a libbinder thread results in a dac_override deny,
+# /dev/cpuset/tasks is owned by system.
+#
+# See b/35323867#comment3
+dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
+
+neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
diff --git a/private/atrace.te b/private/atrace.te
index 2a7ccd0e5..37e9702a3 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,6 +31,7 @@ hal_client_domain(atrace, hal_atrace) allow atrace { service_manager_type + -apex_service -incident_service -netd_service -stats_service
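Review bot: In the private/apexd.te hunk the comment `# Read /system/etc/security/apex_debug_key` names a single file, but the apex_key_file label is applied in this same patch (private/file_contexts) to the whole directory `/system/etc/security/apex(/.*)?`, so the comment understates what the two apex_key_file rules grant. Suggest `# Read APEX verification keys from /system/etc/security/apex/`. The rule `allow apexd labeledfs:filesystem { mount unmount };` under `# Unmount and mount filesystems` is the broad one in this file: it is not limited to images under /apex by itself, and it appears that only the `mounton` rule on apex_mnt_dir keeps the mount target inside /apex. A comment such as `# APEX images are labeledfs; the mount target is still confined to /apex by the mounton rule above` would make that dependency explicit for future edits.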
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7e3fdbc9d..f985d958c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -9,6 +9,13 @@ adb_service adbd_exec app_binding_service + apex_data_file + apex_mnt_dir + apex_key_file + apex_service + apexd + apexd_exec + apexd_tmpfs atrace binder_calls_stats_service biometric_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 7d5017d1e..df3f95aed 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -8,6 +8,13 @@ activity_task_service adb_service app_binding_service + apex_data_file + apex_mnt_dir + apex_key_file + apex_service + apexd + apexd_exec + apexd_tmpfs atrace binder_calls_stats_service biometric_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 63cfcb809..c1b126b20 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -8,6 +8,13 @@ activity_task_service adb_service app_binding_service + apex_data_file + apex_mnt_dir + apex_key_file + apex_service + apexd + apexd_exec + apexd_tmpfs biometric_service ;; TODO(b/116344577): remove after the issue is resolved buffer_hub_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 831ff04a7..fe25bad60 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -2,6 +2,7 @@ typeattribute crash_dump coredomain; allow crash_dump { domain + -apexd -bpfloader -crash_dump -init
diff --git a/private/file_contexts b/private/file_contexts
index 991f75b1a..2e78b80ae 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -30,6 +30,7 @@
 /postinstall u:object_r:postinstall_mnt_dir:s0
 /proc u:object_r:rootfs:s0
 /sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
 # Symlinks
 /bin u:object_r:rootfs:s0
@@ -287,6 +288,7 @@
 /system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
 /system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
 /system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/security/apex(/.*)? u:object_r:apex_key_file:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
@@ -305,6 +307,7 @@
 /system/bin/bpfloader u:object_r:bpfloader_exec:s0
 /system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
 /system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
 #############################
 # Vendor files
@@ -387,6 +390,7 @@
 /data/ota_package(/.*)? u:object_r:ota_package_file:s0
 /data/adb(/.*)? u:object_r:adb_data_file:s0
 /data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/apex(/.*)? u:object_r:apex_data_file:s0
 /data/app(/.*)? u:object_r:apk_data_file:s0
 /data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
 /data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
diff --git a/private/llkd.te b/private/llkd.te
index 3f84eb6c1..385f93034 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -22,6 +22,7 @@ allow llkd domain:process sigkill; userdebug_or_eng(` allow llkd { domain + -apexd -kernel -keystore -init
diff --git a/private/service_contexts b/private/service_contexts
index e04227b55..b68ab8e26 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -8,6 +8,7 @@ android.os.UpdateEngineService u:object_r:update_engine_service:s0
 android.security.keystore u:object_r:keystore_service:s0
 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
 app_binding u:object_r:app_binding_service:s0
+apexservice u:object_r:apex_service:s0
 appops u:object_r:appops_service:s0
 appwidget u:object_r:appwidget_service:s0
 assetatlas u:object_r:assetatlas_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 4ed19824e..245496f8f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -70,6 +70,7 @@ allow system_app servicemanager:service_manager list; # TODO: scope this down? Too broad? allow system_app { service_manager_type + -apex_service -dumpstate_service -installd_service -netd_service
diff --git a/public/apexd.te b/public/apexd.te
new file mode 100644
index 000000000..73daf388b
--- /dev/null
+++ b/public/apexd.te
@@ -0,0 +1,11 @@
+# apexd -- manager for APEX packages
+type apexd, domain;
+type apexd_exec, exec_type, file_type, system_file_type;
+
+binder_use(apexd)
+add_service(apexd, apex_service)
+
+neverallow { domain -init -apexd } apex_service:service_manager find;
+neverallow { domain -init -apexd } apexd:binder call;
+
+neverallow domain apexd:process ptrace;
diff --git a/public/domain.te b/public/domain.te
index 5e8fb230b..176ab480d 100644
--- a/public/domain.te
+++ b/public/domain.te
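Review bot: The two neverallow rules in the new public/apexd.te exempt init with `{ domain -init -apexd }` without saying why, so the file on its own does not explain which non-apexd domain is expected to find apexservice or call into apexd. The matching grants are in the public/init.te hunk of this same patch (`allow init apex_service:service_manager find;` and `allow init apexd:binder call;`); suggest a comment above the two rules, e.g. `# Only init may find apexservice and call into apexd (see public/init.te)`. It would also help to note next to `neverallow domain apexd:process ptrace;` that the `-apexd` exclusions added to private/crash_dump.te and private/llkd.te appear to be what keeps that assertion satisfiable, so the three stay in step when either list is edited.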
@@ -434,7 +434,7 @@ neverallow domain device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
 # this capability, including device-specific domains.
-neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot -apexd } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
 #
 # Assert that, to the extent possible, we're not loading executable content from
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2d226afb3..5663e80ea 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -205,6 +205,7 @@ userdebug_or_eng(` allow dumpstate { service_manager_type + -apex_service -dumpstate_service -gatekeeper_service -incident_service
diff --git a/public/file.te b/public/file.te
index 755bb98e0..016807ee7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -140,6 +140,8 @@ type system_linker_exec, system_file_type, file_type;
 type system_linker_config_file, system_file_type, file_type;
 # Default type for linker config /system/etc/seccomp_policy/*.
 type system_seccomp_policy_file, system_file_type, file_type;
+# Default type for APEX keys in /system/etc/security/apex/*
+type apex_key_file, system_file_type, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
 type system_security_cacerts_file, system_file_type, file_type;
 # Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
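Review bot: In the public/domain.te hunk, adding `-apexd` exempts apexd from the whole `{ mount remount relabelfrom relabelto }` set on `{ fs_type -sdcard_type }`, while private/apexd.te only grants apexd `{ mount unmount }`. The exemption is wider than the grant, so a later allow rule giving apexd remount or relabel on an fs_type would no longer be caught by this assertion. If those permissions are not intended, a narrower assertion beside this rule would preserve the check, e.g. `neverallow apexd { fs_type -sdcard_type }:filesystem { remount relabelfrom relabelto };`; otherwise a comment on the exemption stating that apexd needs mount only would record the intent.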
@@ -197,6 +199,8 @@ type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedob
 type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 # /data/vendor/tombstones/wifi - vendor wifi dumps
 type tombstone_wifi_data_file, file_type, data_file_type;
+# /data/apex - APEX data files
+type apex_data_file, file_type, data_file_type, core_data_file_type;
 # /data/app - user-installed apps
 type apk_data_file, file_type, data_file_type, core_data_file_type;
 type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -252,6 +256,9 @@ type mnt_vendor_file, file_type;
 # Mount location for read-write product partitions.
 type mnt_product_file, file_type;
+# Mount point used for APEX images
+type apex_mnt_dir, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/init.te b/public/init.te
index 101c0c863..c337c82ae 100644
--- a/public/init.te
+++ b/public/init.te
@@ -80,6 +80,9 @@ allow init fs_bpf:dir mounton;
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
+# Mount tmpfs on /apex
+allow init apex_mnt_dir:dir mounton;
+
 # Create and remove symlinks in /.
 allow init rootfs:lnk_file { create unlink };
@@ -514,6 +517,11 @@ allow init vold_metadata_file:file getattr;
 # Allow init to use binder
 binder_use(init);
+allow init apex_service:service_manager find;
+# Allow servicemanager to pass it
+allow servicemanager init:binder transfer;
+# Allow calls from init to apexd
+allow init apexd:binder call;
 ###
 ### neverallow rules
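Review bot: In the public/init.te hunk at @@ -514, the comment `# Allow servicemanager to pass it` does not say what is being passed; from the surrounding rules it is the apexservice binder reference that init obtains through `allow init apex_service:service_manager find;`. Suggest `# Allow servicemanager to transfer the apexservice binder reference to init`. The rule `allow init apexd:binder call;` grants only the call direction, whereas the `binder_call(init, apexd)` macro would additionally grant `allow apexd init:binder transfer;`; that matters if apexd ever returns binder objects or file descriptors in a reply to init. Either use the macro, or state in a comment that apexd's replies to init are expected to carry plain data only.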
@@ -532,8 +540,11 @@ neverallow init { app_data_file privapp_data_file }:lnk_file read;
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
-# Init never adds or uses services via service_manager.
-neverallow init service_manager_type:service_manager { add find };
+# init can only find the APEX service
+neverallow init { service_manager_type -apex_service }:service_manager { find };
+# init can never add binder services
+neverallow init service_manager_type:service_manager { add };
+# init can never list binder services
 neverallow init servicemanager:service_manager list;
 # Init should not be creating subdirectories in /data/local/tmp
diff --git a/public/service.te b/public/service.te
index eaacabf72..5e7ca4d9a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,3 +1,4 @@
+type apex_service, service_manager_type;
 type audioserver_service, service_manager_type;
 type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
 type bluetooth_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 7a0eb4669..339b58632 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -104,6 +104,7 @@ allow shell servicemanager:service_manager list; # - dumpstate_service (so it can receive dumpstate progress updates) allow shell { service_manager_type + -apex_service -gatekeeper_service -incident_service -installd_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 355ae7779..c18984e2f 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -7,6 +7,7 @@ set_prop(traceur_app, debug_prop) allow traceur_app { service_manager_type + -apex_service -gatekeeper_service -incident_service -installd_service
--
GitLab