Creates a new SELinux file type, cache_recovery_file, for /cache/recovery

This type was introduced mostly for dumpstate (so it can include
recovery files in bugreports when an OTA fails), but it is also granted
to uncrypt and recovery, since they had wider access to /cache before.

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
diff --git a/app.te b/app.te
index 94dcfc5..48aebbf 100644
--- a/app.te
+++ b/app.te
@@ -390,6 +390,7 @@
 neverallow appdomain {
   apk_data_file
   cache_file
+  cache_recovery_file
   dev_type
   rootfs
   system_file
diff --git a/domain.te b/domain.te
index 7b44fb5..98edece 100644
--- a/domain.te
+++ b/domain.te
@@ -258,7 +258,7 @@
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 7be9a3e..d9b8d6b 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -49,9 +49,14 @@
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
+allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
+
+# Likely not needed. auditallow to be sure
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
 
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
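Review bot: The lnk_file auditallow on the last added line carries no exclusion list, while the dir and file auditallows just above it exclude init, system_server, dumpstate, install_recovery, platform_app, priv_app and uncrypt; unless that asymmetry is intended, every symlink lookup those domains do under /cache/recovery will produce an audit record and bury the signal the rules are meant to collect. Mirror the set: `auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:lnk_file r_file_perms;`. Also, auditallow only observes: the allow lines above still give every domain_deprecated member read access to /cache/recovery (which, per the uncrypt hunk, holds the recovery command and uncrypt status files), so the comment should carry the exit criterion, e.g. `# Likely not needed. auditallow to be sure; remove the cache_recovery_file grants once the audit shows no users (b/25351711).` The exclusion list is now hand-maintained in two places and will drift unless kept together.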
diff --git a/dumpstate.te b/dumpstate.te
index c3f9192..633eabc 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -109,6 +109,10 @@
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
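Review bot: The new grant covers only `dir` and `file`, and `# Access /cache/recovery` says neither why nor what is deliberately left out; per the uncrypt hunk, /cache/recovery also holds a fifo (uncrypt_status), and a dumpstate that could open it would block on a pipe with no writer. If leaving fifo_file out is intentional, say so: `# Read /cache/recovery so recovery logs land in bugreports when an OTA fails (b/25351711); no fifo_file on purpose so dumpstate cannot block on /cache/recovery/uncrypt_status`. Any lnk_file read dumpstate needs would currently come from domain_deprecated (dumpstate is excluded from that domain's auditallow in this change, so it presumably belongs to it) — worth confirming rather than relying on the deprecated domain.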
 
diff --git a/file.te b/file.te
index 701d991..374ff6b 100644
--- a/file.te
+++ b/file.te
@@ -145,6 +145,8 @@
 # Type for /cache/.*\.{data|restore} and default
 # type for anything under /cache/backup
 type cache_backup_file, file_type, mlstrustedobject;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.
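Review bot: The new type carries mlstrustedobject without a comment saying why; as I understand the attribute, it exempts the files from MLS constraints so app domains running at a per-user level can still reach them. That may be exactly what platform_app and priv_app need here (both get create_file_perms on the type in this change), but inheriting it from the cache_backup_file line above by default widens what /cache/recovery is exposed to. Suggest documenting the reason, hedged until the auditallow results are in: `# Type for anything under /cache/recovery. mlstrustedobject because app domains (platform_app/priv_app) at per-user MLS levels access it — drop if the audit shows they don't.`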
diff --git a/file_contexts b/file_contexts
index 0201a6d..a1fa804 100644
--- a/file_contexts
+++ b/file_contexts
@@ -317,6 +317,7 @@
 /cache/.*\.restore	u:object_r:cache_backup_file:s0
 # LocalTransport (backup) uses this directory
 /cache/backup(/.*)?	u:object_r:cache_backup_file:s0
+/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
 #############################
 # sysfs files
 #
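Review bot: A new file_contexts entry only affects files labeled after it lands; /cache/recovery already exists on devices that take this as an OTA and stays cache_file unless something restorecons /cache at boot. That matters here because uncrypt loses all of its cache_file rules in this change, so a stale label would deny it reading /cache/recovery/command. Confirm that init relabels /cache (or that recovery recreates the directory) on upgrade, and record it next to the entry, e.g. `# relabel on upgrade relies on restorecon of /cache at boot`, if that is what it relies on.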
diff --git a/install_recovery.te b/install_recovery.te
index b11ff74..1c47236 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -21,8 +21,11 @@
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
+allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
+allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
+auditallow install_recovery cache_recovery_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;
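Review bot: The comment `# Create and delete /cache/saved.file` no longer matches the allow lines, which now also cover every file under /cache/recovery, and the auditallow pair has no comment explaining that it exists to find out whether that wider grant is used at all (the platform_app hunk labels its equivalent `# Likely not needed`). Suggested: `# Create and delete /cache/saved.file (and, until audit confirms it's unused, files under /cache/recovery)` above the allows and `# Likely not needed. auditallow to be sure` above the auditallows. Note the auditallow also covers rw_dir_perms on the directory, so every search or getattr of /cache/recovery by install_recovery will log, not just writes.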
diff --git a/platform_app.te b/platform_app.te
index 117b16f..0381288 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -25,8 +25,12 @@
 allow platform_app media_rw_data_file:file create_file_perms;
 
 # Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
+allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
+
+# Likely not needed
+auditallow platform_app cache_recovery_file:dir create_dir_perms;
+auditallow platform_app cache_recovery_file:file create_file_perms;
 
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer
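Review bot: This keeps platform_app able to create and write files under /cache/recovery, and per the uncrypt hunk that directory holds /cache/recovery/command, so whatever a platform app writes there can steer the next recovery boot; that makes it the grant in this change most worth retiring, and the audit comment should say what happens once it is confirmed unused. The `# Write to /cache.` comment is also now inaccurate. Suggested: `# Write to /cache and /cache/recovery.` above the allow lines and `# Likely not needed (command/uncrypt_file under /cache/recovery drive recovery); remove the cache_recovery_file grant once audit shows no users` above the auditallow.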
diff --git a/priv_app.te b/priv_app.te
index 59b4ea0..7099044 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -33,8 +33,11 @@
 allow priv_app mnt_media_rw_file:dir search;
 
 # Write to /cache.
-allow priv_app cache_file:dir create_dir_perms;
-allow priv_app cache_file:file create_file_perms;
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow priv_app cache_recovery_file:dir create_dir_perms;
+auditallow priv_app cache_recovery_file:file create_file_perms;
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
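Review bot: Unlike the platform_app hunk, this one has no comment on the auditallow lines saying that the cache_recovery_file grant is under evaluation, and `# Write to /cache.` no longer describes the allow lines, which now also cover /cache/recovery. Since the uncrypt hunk shows that directory carries /cache/recovery/command, a write grant to priv_app deserves the same explicit exit criterion. Suggested: `# Write to /cache and /cache/recovery.` and `# Likely not needed; remove the cache_recovery_file grant once audit shows no users`.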
diff --git a/recovery.te b/recovery.te
index b4eb285..d2cc90e 100644
--- a/recovery.te
+++ b/recovery.te
@@ -73,9 +73,9 @@
   allow recovery tmpfs:file { create_file_perms x_file_perms };
   allow recovery tmpfs:dir create_dir_perms;
 
-  # Manage files on /cache
-  allow recovery cache_file:dir create_dir_perms;
-  allow recovery cache_file:file create_file_perms;
+  # Manage files on /cache and /cache/recovery
+  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
   # Read files on /oem.
   r_dir_file(recovery, oemfs);
diff --git a/system_server.te b/system_server.te
index bc861e7..97eb415 100644
--- a/system_server.te
+++ b/system_server.te
@@ -308,9 +308,9 @@
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
-allow system_server cache_file:dir { relabelfrom create_dir_perms };
-allow system_server cache_file:file { relabelfrom create_file_perms };
-allow system_server cache_file:fifo_file create_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
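Review bot: system_server now gets `relabelfrom` on cache_recovery_file dirs and files in addition to full create, plus `fifo_file` create on the type, with only `# Manage cache files.` to explain it; the relabelto side is not in the hunk, so what system_server relabels these objects to, and why it needs to move files out of the recovery label, is not visible. The fifo grant plausibly pairs with uncrypt's write to the uncrypt_status pipe, i.e. system_server is the side that creates it — if so, say it. Suggested: `# Manage cache files, including /cache/recovery (fifo_file for the uncrypt_status pipe uncrypt writes to — confirm)`.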
diff --git a/uncrypt.te b/uncrypt.te
index 7608538..354bda0 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -17,9 +17,9 @@
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
 # Write to pipe file /cache/recovery/uncrypt_status
-allow uncrypt cache_file:dir rw_dir_perms;
-allow uncrypt cache_file:file create_file_perms;
-allow uncrypt cache_file:fifo_file w_file_perms;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+allow uncrypt cache_recovery_file:fifo_file w_file_perms;
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)
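Review bot: After this hunk uncrypt has no cache_file rule left, yet reaching /cache/recovery/command still needs `cache_file:dir search` on /cache itself. That permission must now come from somewhere else — most likely domain_deprecated, since uncrypt is explicitly excluded from that domain's auditallow in this change — which means a later cleanup that removes uncrypt from domain_deprecated would silently break uncrypt. Either keep an explicit `allow uncrypt cache_file:dir search;` here, or record the dependency in the comment: `# /cache traversal (cache_file:dir search) is inherited from domain_deprecated`.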
diff --git a/untrusted_app.te b/untrusted_app.te
index 12a629d..204335a 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -147,5 +147,5 @@
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow untrusted_app access to /cache
-neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
-neverallow untrusted_app cache_file:file ~{ read getattr };
+neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
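Review bot: The comment `# Do not allow untrusted_app access to /cache` overstates what the rules do: `~{ r_dir_perms }` and `~{ read getattr }` forbid everything except reading, so read of /cache/recovery stays permitted to untrusted apps (and is actually granted if they fall under domain_deprecated, whose allow rules in this change cover the new type). Recovery command and status files are nothing a third-party app needs to see, so once the domain_deprecated auditallow shows no legitimate untrusted readers, tighten the new type to `neverallow untrusted_app cache_recovery_file:{ dir file lnk_file fifo_file } *;`. Until then, fix the comment: `# Do not allow untrusted_app to write /cache or /cache/recovery (read is still permitted)`.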