prebuilts/api/30.0/private/apexd.te - platform/system/sepolicy - Git at Google

 typeattribute apexd coredomain;

 init_daemon_domain(apexd)

 # Allow creating, reading and writing of APEX files/dirs in the APEX data dir
 allow apexd apex_data_file:dir create_dir_perms;
 allow apexd apex_data_file:file create_file_perms;

 # Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
 allow apexd metadata_file:dir search;
 allow apexd apex_metadata_file:dir create_dir_perms;
 allow apexd apex_metadata_file:file create_file_perms;

 # Allow apexd to create files and directories for snapshots of apex data
 allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_permission_data_file:file { create_file_perms relabelto };
 allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
 allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
 allow apexd apex_rollback_data_file:dir create_dir_perms;
 allow apexd apex_rollback_data_file:file create_file_perms;
 allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
 allow apexd apex_wifi_data_file:file { create_file_perms relabelto };

 # Allow apexd to read directories under /data/misc_de in order to snapshot and
 # restore apex data for all users.
 allow apexd system_data_file:dir r_dir_perms;

 # allow apexd to create loop devices with /dev/loop-control
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
 allow apexd loop_device:blk_file rw_file_perms;
 allowxperm apexd loop_device:blk_file ioctl {
   LOOP_GET_STATUS64
   LOOP_SET_STATUS64
   LOOP_SET_FD
   LOOP_SET_BLOCK_SIZE
   LOOP_SET_DIRECT_IO
   LOOP_CLR_FD
   BLKFLSBUF
   LOOP_CONFIGURE
 };
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;

 # allow apexd to access /dev/block/dm-* (device-mapper entries)
 allow apexd dm_device:chr_file rw_file_perms;
 allow apexd dm_device:blk_file rw_file_perms;

 # sys_admin is required to access the device-mapper and mount
 # dac_override, chown, and fowner are needed for snapshot and restore
 allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };

 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
 # than one of the groups assigned to the current process to see if
 # the setgid bit should be cleared, regardless of whether the setgid
 # bit was even set.  We do not appear to truly need this capability
 # for apexd to operate.
 dontaudit apexd self:global_capability_class_set fsetid;

 # allow apexd to create a mount point in /apex
 allow apexd apex_mnt_dir:dir create_dir_perms;
 # allow apexd to mount in /apex
 allow apexd apex_mnt_dir:filesystem { mount unmount };
 allow apexd apex_mnt_dir:dir mounton;
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
 # because it doesn't have write permission for staging_data_file object.
 allow apexd staging_data_file:file unlink;

 # allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
 allow apexd staging_data_file:dir r_dir_perms;
 allow apexd staging_data_file:file { r_file_perms link };

 # allow apexd to read files from /vendor/apex
 allow apexd vendor_apex_file:dir r_dir_perms;
 allow apexd vendor_apex_file:file r_file_perms;

 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };

 # /sys directory tree traversal
 allow apexd sysfs_type:dir search;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
 allow apexd sysfs_dm:file rw_file_perms;
 # for loopX
 allow apexd sysfs_loop:dir r_dir_perms;
 allow apexd sysfs_loop:file rw_file_perms;

 # Allow apexd to log to the kernel.
 allow apexd kmsg_device:chr_file w_file_perms;

 # Allow apexd to reboot device. Required for rollbacks of apexes that are
 # not covered by rollback manager.
 set_prop(apexd, powerctl_prop)

 # Allow apexd to stop itself
 set_prop(apexd, ctl_apexd_prop)

 # Find the vold service, and call into vold to manage FS checkpoints
 allow apexd vold_service:service_manager find;
 binder_call(apexd, vold)

 # Apex pre- & post-install permission.

 # Allow self-execute for the fork mount helper.
 allow apexd apexd_exec:file execute_no_trans;

 # Unshare and make / private so that hooks cannot influence the
 # running system.
 allow apexd rootfs:dir mounton;

 # Allow to execute shell for pre- and postinstall scripts. A transition
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };

 # apexd is using bootstrap bionic
 allow apexd system_bootstrap_lib_file:dir r_dir_perms;
 allow apexd system_bootstrap_lib_file:file { execute read open getattr map };

 # Allow transition to ART APEX preinstall domain.
 domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
 # Allow transition to ART APEX postinstall domain.
 domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)

 # Allow transition to test APEX preinstall domain.
 userdebug_or_eng(`
   domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
 ')

 # Allow apexd to be invoked with logwrapper from init during userspace reboot.
 allow apexd devpts:chr_file { read write };

 # Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
 # other processes
 create_pty(apexd)

 # Allow apexd to read file contexts when performing restorecon of snapshots.
 allow apexd file_contexts_file:file r_file_perms;

 # Allow apexd to execute toybox for snapshot & restore
 allow apexd toolbox_exec:file rx_file_perms;

 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
 neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;

 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;

 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
	typeattribute apexd coredomain;

	init_daemon_domain(apexd)

	# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
	allow apexd apex_data_file:dir create_dir_perms;
	allow apexd apex_data_file:file create_file_perms;

	# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
	allow apexd metadata_file:dir search;
	allow apexd apex_metadata_file:dir create_dir_perms;
	allow apexd apex_metadata_file:file create_file_perms;

	# Allow apexd to create files and directories for snapshots of apex data
	allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
	allow apexd apex_permission_data_file:file { create_file_perms relabelto };
	allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
	allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
	allow apexd apex_rollback_data_file:dir create_dir_perms;
	allow apexd apex_rollback_data_file:file create_file_perms;
	allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
	allow apexd apex_wifi_data_file:file { create_file_perms relabelto };

	# Allow apexd to read directories under /data/misc_de in order to snapshot and
	# restore apex data for all users.
	allow apexd system_data_file:dir r_dir_perms;

	# allow apexd to create loop devices with /dev/loop-control
	allow apexd loop_control_device:chr_file rw_file_perms;
	# allow apexd to access loop devices
	allow apexd loop_device:blk_file rw_file_perms;
	allowxperm apexd loop_device:blk_file ioctl {
	LOOP_GET_STATUS64
	LOOP_SET_STATUS64
	LOOP_SET_FD
	LOOP_SET_BLOCK_SIZE
	LOOP_SET_DIRECT_IO
	LOOP_CLR_FD
	BLKFLSBUF
	LOOP_CONFIGURE
	};
	# allow apexd to access /dev/block
	allow apexd block_device:dir r_dir_perms;

	# allow apexd to access /dev/block/dm-* (device-mapper entries)
	allow apexd dm_device:chr_file rw_file_perms;
	allow apexd dm_device:blk_file rw_file_perms;

	# sys_admin is required to access the device-mapper and mount
	# dac_override, chown, and fowner are needed for snapshot and restore
	allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };

	# Note: fsetid is deliberately not included above. fsetid checks are
	# triggered by chmod on a directory or file owned by a group other
	# than one of the groups assigned to the current process to see if
	# the setgid bit should be cleared, regardless of whether the setgid
	# bit was even set. We do not appear to truly need this capability
	# for apexd to operate.
	dontaudit apexd self:global_capability_class_set fsetid;

	# allow apexd to create a mount point in /apex
	allow apexd apex_mnt_dir:dir create_dir_perms;
	# allow apexd to mount in /apex
	allow apexd apex_mnt_dir:filesystem { mount unmount };
	allow apexd apex_mnt_dir:dir mounton;
	# allow apexd to create symlinks in /apex
	allow apexd apex_mnt_dir:lnk_file create_file_perms;
	# allow apexd to unlink apex files in /data/apex/active
	# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
	# because it doesn't have write permission for staging_data_file object.
	allow apexd staging_data_file:file unlink;

	# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
	allow apexd staging_data_file:dir r_dir_perms;
	allow apexd staging_data_file:file { r_file_perms link };

	# allow apexd to read files from /vendor/apex
	allow apexd vendor_apex_file:dir r_dir_perms;
	allow apexd vendor_apex_file:file r_file_perms;

	# Unmount and mount filesystems
	allow apexd labeledfs:filesystem { mount unmount };

	# /sys directory tree traversal
	allow apexd sysfs_type:dir search;
	# Configure read-ahead of dm-verity and loop devices
	# for dm-X
	allow apexd sysfs_dm:dir r_dir_perms;
	allow apexd sysfs_dm:file rw_file_perms;
	# for loopX
	allow apexd sysfs_loop:dir r_dir_perms;
	allow apexd sysfs_loop:file rw_file_perms;

	# Allow apexd to log to the kernel.
	allow apexd kmsg_device:chr_file w_file_perms;

	# Allow apexd to reboot device. Required for rollbacks of apexes that are
	# not covered by rollback manager.
	set_prop(apexd, powerctl_prop)

	# Allow apexd to stop itself
	set_prop(apexd, ctl_apexd_prop)

	# Find the vold service, and call into vold to manage FS checkpoints
	allow apexd vold_service:service_manager find;
	binder_call(apexd, vold)

	# Apex pre- & post-install permission.

	# Allow self-execute for the fork mount helper.
	allow apexd apexd_exec:file execute_no_trans;

	# Unshare and make / private so that hooks cannot influence the
	# running system.
	allow apexd rootfs:dir mounton;

	# Allow to execute shell for pre- and postinstall scripts. A transition
	# rule is required, thus restricted to execute and not execute_no_trans.
	allow apexd shell_exec:file { r_file_perms execute };

	# apexd is using bootstrap bionic
	allow apexd system_bootstrap_lib_file:dir r_dir_perms;
	allow apexd system_bootstrap_lib_file:file { execute read open getattr map };

	# Allow transition to ART APEX preinstall domain.
	domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
	# Allow transition to ART APEX postinstall domain.
	domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)

	# Allow transition to test APEX preinstall domain.
	userdebug_or_eng(`
	domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
	')

	# Allow apexd to be invoked with logwrapper from init during userspace reboot.
	allow apexd devpts:chr_file { read write };

	# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
	# other processes
	create_pty(apexd)

	# Allow apexd to read file contexts when performing restorecon of snapshots.
	allow apexd file_contexts_file:file r_file_perms;

	# Allow apexd to execute toybox for snapshot & restore
	allow apexd toolbox_exec:file rx_file_perms;

	neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
	neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
	neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
	neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
	neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;

	neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
	neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;

	neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
	neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;