Add use_bootstrap_libs macro
... to dedupe rules for allowing access to bootstrap bionic libraries.
Bug: N/A
Test: m
Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index cca95c2..275a455 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -81,8 +81,7 @@
allow apexd rootfs:dir mounton;
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to read file contexts when performing restorecon
allow apexd file_contexts_file:file r_file_perms;
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 84e1575..c56f05e 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -4,8 +4,7 @@
type apkdmverity_exec, exec_type, file_type, system_file_type;
# apkdmverity is using bootstrap bionic
-allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
-allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apkdmverity)
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
index 5cf06bd..9530794 100644
--- a/microdroid/system/private/diced.te
+++ b/microdroid/system/private/diced.te
@@ -17,5 +17,4 @@
selinux_check_access(diced)
# diced is using bootstrap bionic
-allow diced system_bootstrap_lib_file:dir r_dir_perms;
-allow diced system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff3f6f5..b8db74a 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -437,8 +437,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 442b091..55f03ba 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -38,8 +38,7 @@
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
# microdroid_manager is using bootstrap bionic
-allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
-allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(microdroid_manager)
# microdroid_manager can talk to diced over binder
binder_use(microdroid_manager)
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 8e0f13c..8ffedc1 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -27,5 +27,4 @@
set_prop(servicemanager, ctl_interface_start_prop)
# servicemanager is using bootstrap bionic
-allow servicemanager system_bootstrap_lib_file:dir r_dir_perms;
-allow servicemanager system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 8524c18..c7d9fd6 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -47,8 +47,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# TODO(b/193118220): find out why this happens.
dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index da0cd0f..6652e27 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -7,8 +7,7 @@
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
-allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
-allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 1a7aaa4..6db0d70 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -987,3 +987,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
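Review bot: The header comment for use_bootstrap_libs (the two lines above the define) says what the macro grants but not when it is appropriate, and because it hands out `execute` and `map` on `system_bootstrap_lib_file` it is a code-loading grant rather than a read grant. Suggest extending the comment so the macro is not reached for as a convenience, e.g. `# Only for domains that genuinely run on bootstrap bionic (presumably those up before the bionic APEX is usable);` followed by `# grants execute+map, so domains that only need to read the libs should use plain read rules instead (cf. profcollectd).` The identical definition is added to public/te_macros in this same commit, so any later tightening of one copy should be mirrored in the other.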
diff --git a/microdroid/system/public/vendor_init.te b/microdroid/system/public/vendor_init.te
index b66caa9..322abe3 100644
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@@ -133,8 +133,7 @@
allow vendor_init self:global_capability_class_set sys_admin;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te
index 1508427..3a30054 100644
--- a/microdroid/vendor/hal_dice_default.te
+++ b/microdroid/vendor/hal_dice_default.te
@@ -5,5 +5,4 @@
init_daemon_domain(hal_dice_default)
# hal_dice_default is using bootstrap bionic
-allow hal_dice_default system_bootstrap_lib_file:dir r_dir_perms;
-allow hal_dice_default system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(hal_dice_default)
diff --git a/private/apexd.te b/private/apexd.te
index 9dfe45f..791a4ff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -126,8 +126,7 @@
binder_call(apexd, vold)
# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(apexd)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
diff --git a/private/profcollectd.te b/private/profcollectd.te
index efde321..63f42cb 100644
--- a/private/profcollectd.te
+++ b/private/profcollectd.te
@@ -23,7 +23,7 @@
allow profcollectd vendor_file:dir r_dir_perms;
allow profcollectd vendor_kernel_modules:file r_file_perms;
- # Allow profcollectd to read system bootstrap libs.
+ # Allow profcollectd to read (but not execute) system bootstrap libs.
allow profcollectd system_bootstrap_lib_file:dir search;
allow profcollectd system_bootstrap_lib_file:file r_file_perms;
diff --git a/public/init.te b/public/init.te
index 5c3e4e7..54e3082 100644
--- a/public/init.te
+++ b/public/init.te
@@ -609,8 +609,7 @@
allow init proc_pressure_mem:file { rw_file_perms setattr };
# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(init)
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
diff --git a/public/te_macros b/public/te_macros
index c112cc1..032534f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1021,3 +1021,11 @@
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
')
+
+######################################
+# use_bootstrap_libs(domain)
+# Allow domain to use bootstrap bionic libraries in system/lib[64]/bootstrap
+define(`use_bootstrap_libs', `
+ allow $1 system_bootstrap_lib_file:dir r_dir_perms;
+ allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
+')
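Review bot: Placing use_bootstrap_libs in public/te_macros makes the execute+map grant on `system_bootstrap_lib_file` available to every policy author, including vendor policy, which widens who can load the bootstrap linker/libc copies instead of the APEX ones. Nothing in this hunk pins the set of domains allowed to do so; if public/domain.te (not in view) does not already carry a neverallow on `system_bootstrap_lib_file:file execute`, add one that enumerates the domains converted here, e.g. `neverallow { domain -init -ueventd -apexd -vendor_init } system_bootstrap_lib_file:file execute;` with the exclusion list adjusted to whatever set is actually intended. Without such a rule a future `use_bootstrap_libs(foo)` in any .te file compiles silently, and the dedupe makes that one line easy to add.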
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..4e3c7c2 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -60,8 +60,7 @@
allow ueventd kernel:key search;
# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(ueventd)
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index c6e5e82..f43ef78 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -191,8 +191,7 @@
allow vendor_init misc_block_device:blk_file w_file_perms;
# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+use_bootstrap_libs(vendor_init)
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;