Merge "Properly Treble-ize tmpfs access"

private/audioserver.te

@@ -4,6 +4,7 @@ typeattribute audioserver coredomain;
 
 type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
 

private/compat/28.0/28.0.ignore.cil

@@ -18,6 +18,7 @@
     apexd_prop
     apexd_tmpfs
     app_zygote
+    app_zygote_tmpfs
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service
@@ -76,6 +77,7 @@
     mnt_product_file
     network_stack
     network_stack_service
+    network_stack_tmpfs
     overlayfs_file
     permissionmgr_service
     recovery_socket
@@ -85,11 +87,13 @@
     rss_hwm_reset
     rss_hwm_reset_exec
     runas_app
+    runas_app_tmpfs
     runtime_service
     sensor_privacy_service
     server_configurable_flags_data_file
     simpleperf_app_runner
     simpleperf_app_runner_exec
+    su_tmpfs
     super_block_device
     system_event_log_tags_file
     system_lmk_prop

private/dexoptanalyzer.te

 # dexoptanalyzer
 type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their

private/logd.te

@@ -4,10 +4,8 @@ init_daemon_domain(logd)
 
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
 neverallow logd {
   file_type
-  -logd_tmpfs
   -runtime_event_log_tags_file
   userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };

private/mediaextractor.te

 typeattribute mediaextractor coredomain;
 
 init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)

private/mediaserver.te

 typeattribute mediaserver coredomain;
 
 init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)
 
 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)

private/perfetto.te

@@ -4,6 +4,7 @@
 # daemon.
 
 type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;
 
 tmpfs_domain(perfetto);
 

private/recovery_persist.te

@@ -3,5 +3,4 @@ typeattribute recovery_persist coredomain;
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;

private/recovery_refresh.te

@@ -3,5 +3,4 @@ typeattribute recovery_refresh coredomain;
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;

private/system_server_startup.te

 type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;
 
 tmpfs_domain(system_server_startup)
 

private/traced.te

@@ -3,9 +3,11 @@
 # type traced is defined under /public (because iorapd rules
 # under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
 
 # Allow init to exec the daemon.
 init_daemon_domain(traced)
+tmpfs_domain(traced)
 
 # Allow apps in other MLS contexts (for multi-user) to access
 # share memory buffers created by traced.

private/viewcompiler.te

 # viewcompiler
 type viewcompiler, domain, coredomain, mlstrustedsubject;
 type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by viewcompiler their

public/app_zygote.te

@@ -3,3 +3,4 @@
 # spawned from the regular zygote process as a "child zygote".
 
 type app_zygote, domain;
+type app_zygote_tmpfs, file_type;

public/audioserver.te

 # audioserver - audio services daemon
 type audioserver, domain;
+type audioserver_tmpfs, file_type;

public/bluetooth.te

 # bluetooth subsystem
 type bluetooth, domain;
+type bluetooth_tmpfs, file_type;

public/domain.te

@@ -52,6 +52,7 @@ userdebug_or_eng(`
 ')
 
 # Root fs.
+allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
 allow domain rootfs:lnk_file { read getattr };
 

public/ephemeral_app.te

@@ -12,3 +12,4 @@
 ### PackageManager flags an app as ephemeral at install time.
 
 type ephemeral_app, domain;
+type ephemeral_app_tmpfs, file_type;

public/init.te

 # init is its own domain.
 type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
 type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;
 
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

public/isolated_app.te

@@ -7,3 +7,4 @@
 ###
 
 type isolated_app, domain;
+type isolated_app_tmpfs, file_type;

public/mediaextractor.te

 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
 type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;
 
 typeattribute mediaextractor mlstrustedsubject;