Properly Treble-ize tmpfs access

This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358

Properly Treble-ize tmpfs access
This is being done in preparation for the migration from ashmem to memfd. In order for tmpfs objects to be usable across the Treble boundary, they need to be declared in public policy whereas, they're currently all declared in private policy as part of the tmpfs_domain() macro. Remove the type declaration from the macro, and remove tmpfs_domain() from the init_daemon_domain() macro to avoid having to declare the *_tmpfs types for all init launched domains. tmpfs is mostly used by apps and the media frameworks. Bug: 122854450 Test: Boot Taimen and blueline. Watch videos, make phone calls, browse internet, send text, install angry birds...play angry birds, keep playing angry birds... Change-Id: I20a47d2bb22e61b16187015c7bc7ca10accf6358
e16fb910 · Jeff Vander Stoep · 0c742804 · e16fb910 · e16fb910 · e16fb910
Commit e16fb910 authored 6 years ago by Jeff Vander Stoep
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -4,6 +4,7 @@ typeattribute audioserver coredomain;

 type audioserver_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(audioserver)
+tmpfs_domain(audioserver)

 r_dir_file(audioserver, sdcard_type)


--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -18,6 +18,7 @@
    apexd_prop
    apexd_tmpfs
    app_zygote
+    app_zygote_tmpfs
    biometric_service
    bpf_progs_loaded_prop
    bugreport_service
@@ -75,6 +76,7 @@
    mnt_product_file
    network_stack
    network_stack_service
+    network_stack_tmpfs
    overlayfs_file
    permissionmgr_service
    recovery_socket
@@ -85,11 +87,13 @@
    rss_hwm_reset
    rss_hwm_reset_exec
    runas_app
+    runas_app_tmpfs
    runtime_service
    sensor_privacy_service
    server_configurable_flags_data_file
    simpleperf_app_runner
    simpleperf_app_runner_exec
+    su_tmpfs
    super_block_device
    system_event_log_tags_file
    system_lmk_prop

--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
 # dexoptanalyzer
 type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
+type dexoptanalyzer_tmpfs, file_type;

 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their

--- a/private/logd.te
+++ b/private/logd.te
@@ -4,10 +4,8 @@ init_daemon_domain(logd)

 # logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
-# TODO: deal with tmpfs_domain pub/priv split properly
 neverallow logd {
  file_type
-  -logd_tmpfs
  -runtime_event_log_tags_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };

--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
 typeattribute mediaextractor coredomain;

 init_daemon_domain(mediaextractor)
+tmpfs_domain(mediaextractor)
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
 typeattribute mediaserver coredomain;

 init_daemon_domain(mediaserver)
+tmpfs_domain(mediaserver)

 # allocate and use graphic buffers
 hal_client_domain(mediaserver, hal_graphics_allocator)

--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -4,6 +4,7 @@
 # daemon.

 type perfetto_exec, system_file_type, exec_type, file_type;
+type perfetto_tmpfs, file_type;

 tmpfs_domain(perfetto);


--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -3,5 +3,4 @@ typeattribute recovery_persist coredomain;
 init_daemon_domain(recovery_persist)

 # recovery_persist is not allowed to write anywhere other than recovery_data_file
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_persist { file_type -recovery_data_file userdebug_or_eng(`-coredump_file') }:file write;
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -3,5 +3,4 @@ typeattribute recovery_refresh coredomain;
 init_daemon_domain(recovery_refresh)

 # recovery_refresh is not allowed to write anywhere
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
+neverallow recovery_refresh { file_type userdebug_or_eng(`-coredump_file') }:file write;
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
 type system_server_startup, domain, coredomain;
+type system_server_startup_tmpfs, file_type;

 tmpfs_domain(system_server_startup)


--- a/private/traced.te
+++ b/private/traced.te
 # Perfetto user-space tracing daemon (unprivileged)
 type traced, domain, coredomain, mlstrustedsubject;
 type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;

 # Allow init to exec the daemon.
 init_daemon_domain(traced)
+tmpfs_domain(traced)

 # Allow apps in other MLS contexts (for multi-user) to access
 # share memory buffers created by traced.

--- a/private/viewcompiler.te
+++ b/private/viewcompiler.te
 # viewcompiler
 type viewcompiler, domain, coredomain, mlstrustedsubject;
 type viewcompiler_exec, system_file_type, exec_type, file_type;
+type viewcompiler_tmpfs, file_type;

 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 # Use tmpfs_domain() which will give tmpfs files created by viewcompiler their

--- a/public/app_zygote.te
+++ b/public/app_zygote.te
@@ -3,3 +3,4 @@
 # spawned from the regular zygote process as a "child zygote".

 type app_zygote, domain;
+type app_zygote_tmpfs, file_type;
--- a/public/audioserver.te
+++ b/public/audioserver.te
 # audioserver - audio services daemon
 type audioserver, domain;
+type audioserver_tmpfs, file_type;
--- a/public/bluetooth.te
+++ b/public/bluetooth.te
 # bluetooth subsystem
 type bluetooth, domain;
+type bluetooth_tmpfs, file_type;
--- a/public/domain.te
+++ b/public/domain.te
@@ -52,6 +52,7 @@ userdebug_or_eng(`
 ')

 # Root fs.
+allow domain tmpfs:dir { getattr search };
 allow domain rootfs:dir search;
 allow domain rootfs:lnk_file { read getattr };


--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -12,3 +12,4 @@
 ### PackageManager flags an app as ephemeral at install time.

 type ephemeral_app, domain;
+type ephemeral_app_tmpfs, file_type;
--- a/public/init.te
+++ b/public/init.te
 # init is its own domain.
 type init, domain, mlstrustedsubject;
-
-# The init domain is entered by execing init.
 type init_exec, system_file_type, exec_type, file_type;
+type init_tmpfs, file_type;

 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };

--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -7,3 +7,4 @@
 ###

 type isolated_app, domain;
+type isolated_app_tmpfs, file_type;
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
 # mediaextractor - multimedia daemon
 type mediaextractor, domain;
 type mediaextractor_exec, system_file_type, exec_type, file_type;
+type mediaextractor_tmpfs, file_type;

 typeattribute mediaextractor mlstrustedsubject;