From c642ecc32f7778505db1b1eb352410a98e3cd8f8 Mon Sep 17 00:00:00 2001
From: Daniel Zhang <danielzhang130@gmail.com>
Date: Wed, 8 Feb 2023 17:36:52 -0500
Subject: [PATCH 1/3] Fix sdcard sepolicy
Change-Id: I3c173b9fec21c3f8918af5d5ac07da690e86940d
Signed-off-by: Daniel Zhang <danielzhang130@gmail.com>
---
private/bluetooth.te | 2 ++
private/file.te | 1 +
private/fsck_untrusted.te | 2 ++
private/gmscore_app.te | 2 ++
private/mediadrmserver.te | 1 +
private/mediaprovider_app.te | 6 ++++++
private/mls | 4 ++--
private/platform_app.te | 1 +
private/untrusted_app.te | 1 +
private/untrusted_app_30.te | 4 ++++
private/untrusted_app_32.te | 5 +++++
private/vold.te | 2 ++
12 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0b001e2..bda33e6 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -86,6 +86,8 @@ hal_client_domain(bluetooth, hal_audio)
read_runtime_log_tags(bluetooth)
+allow bluetooth unlabeled:file { getattr read };
+
###
### Neverallow rules
###
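Review bot: The rule added on L274 lets bluetooth read objects of type `unlabeled`, which is the catch-all for anything the kernel could not label, not a type that identifies sdcard content; the same pattern is repeated in the file.te, gmscore_app.te, mediadrmserver.te, mediaprovider_app.te, platform_app.te, untrusted_app.te, untrusted_app_30.te, untrusted_app_32.te and vold.te hunks of this patch. A domain that may read `unlabeled` can read any object that ends up without a label for any reason (a mislabelled partition, a filesystem mounted without a context), so each grant is far wider than the sdcard it is meant to cover. The tighter fix is to give the mount a real type — a `context=` option on the mount vold performs, or a `genfscon` entry for the filesystem — and to grant access to that type; the vold.te hunk is where the mount permission is being added, so that is the natural place to set it. Where the relabel cannot be done yet, each of these rules should carry a comment naming the path and denial it resolves, e.g. `# <PATH> is mounted without a label; TODO relabel instead of allowing unlabeled`.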
diff --git a/private/file.te b/private/file.te
index 189fb47..59a5d00 100644
--- a/private/file.te
+++ b/private/file.te
@@ -212,6 +212,7 @@ allow proc_net proc:filesystem associate;
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
+allow unlabeled self:filesystem associate;
# app directories of storage areas: /data/storage_area/userId/pkgName -- apps cannot write to it
type storage_area_app_dir, file_type, data_file_type, core_data_file_type, app_data_file_type;
# app storage areas: /data/storage_area/userId/pkgName/storageAreaName
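Review bot: The `allow unlabeled self:filesystem associate;` added on L287 sits directly under `neverallow fs_type file_type:filesystem associate;` and beneath a comment that is about `apk_data_file`, so a reader cannot tell which comment, if any, applies to it, and it has none of its own. It also only legalises the situation a proper label would remove (unlabeled files living on an unlabeled filesystem). Move it out of this neverallow/declaration block and document it, e.g. `# Files on a filesystem mounted without a context are unlabeled; needed until <MOUNT> is labeled`. If `unlabeled` is declared as an `fs_type` in this tree (its declaration is outside the hunk), this rule would contradict the neverallow directly above and fail the policy build.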
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 4b55a57..ab40ccc 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -26,6 +26,8 @@ allow fsck_untrusted proc_mounts:file r_file_perms;
# major/minor values.
allow fsck_untrusted dev_type:blk_file getattr;
+allow fsck_untrusted sysfs:file read;
+
###
### neverallow rules
###
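Review bot: `allow fsck_untrusted sysfs:file read;` on L298 grants read on the generic `sysfs` type with no comment saying which node fsck needs, and `fsck_untrusted` is the deliberately restricted domain for checking untrusted media, so a broad sysfs read should state its reason. AOSP relabels many block-device nodes under /sys to more specific types via genfscon, so if the file fsck opens is one of those this rule will not even cover it, and the specific type is the one to grant. Suggest `# fsck reads <SYSFS_PATH>; TODO narrow to that node's specific sysfs label` above the rule.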
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 148cb7e..ae96c7c 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -143,6 +143,8 @@ allow gmscore_app anr_data_file:file r_file_perms;
# b/148974132: com.android.vending needs this
allow gmscore_app priv_app:tcp_socket { read write };
+allow gmscore_app unlabeled:file { open read getattr };
+
# b/168059475 Allow GMSCore to read Virtual AB properties to determine
# if device supports VAB.
get_prop(gmscore_app, virtual_ab_prop)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index fdc7681..de67907 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -21,6 +21,7 @@ allow mediadrmserver mediametrics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;
allow mediadrmserver system_file:dir r_dir_perms;
+allow mediaserver unlabeled:file { read getattr };
# TODO(b/80317992): remove
binder_call(mediadrmserver, hal_omx_server)
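Review bot: The rule on L323 names `mediaserver` as the subject but is placed in `private/mediadrmserver.te`, where every other rule is for `mediadrmserver`; either the domain is a typo for `mediadrmserver` or the rule belongs in the mediaserver policy file. The policy compiler accepts a rule for an existing domain in any file, so the mismatch builds cleanly, silently grants `mediaserver` the access, and leaves `mediadrmserver` — presumably the domain whose denial motivated the change — unchanged. Use `allow mediadrmserver unlabeled:file { read getattr };` if that was the intent, or move the line to the mediaserver file with a comment naming the path it covers.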
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 064d0d9..f027b78 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -74,5 +74,11 @@ dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
allow mediaprovider_app fs_bpf:file read;
allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
+allow mediaprovider_app unlabeled:file { open create read getattr execute write setattr append unlink link rename };
+allow mediaprovider_app unlabeled:file create;
+allow mediaprovider_app unlabeled:dir { open create read getattr search write setattr rename add_name remove_name reparent rmdir };
+allow mediaprovider_app unlabeled:dir create;
+allow mediaprovider_app unlabeled:filesystem { getattr mount unmount };
+
# boot animations on oem are stored with specific label
allow mediaprovider_app bootanim_oem_file:file r_file_perms;
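Review bot: The file rule on L333 gives `mediaprovider_app` `execute` on `unlabeled:file`, and L337 gives it `mount` and `unmount` on `unlabeled:filesystem`; neither is needed to manage media content, and together they let an app domain execute and mount whatever ends up without a label. L334 and L336 are redundant, since `create` is already in the permission sets on L333 and L335. Drop `execute`, `mount` and `unmount` (or justify each in a comment), delete L334 and L336, and consider the `*_perms` macros this file already uses (`r_file_perms` on L340) instead of hand-written permission lists so the grant is reviewable against the standard sets.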
diff --git a/private/mls b/private/mls
index 955c27b..9a7e3f5 100644
--- a/private/mls
+++ b/private/mls
@@ -90,10 +90,10 @@ mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execut
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == unlabeled or t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == unlabeled or t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
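Review bot: Adding `t2 == unlabeled` to both write constraints on L350 and L353 exempts every unlabeled object from the MLS write check, which is the mechanism Android uses to keep one user's (and, via categories, one app's) data from being written by another; any domain that also holds a write permission on `unlabeled` can then write across those levels. The existing exemptions (`app_data_file_type`, `appdomain_tmpfs`) are narrow types with their own level handling, whereas `unlabeled` has none, so this exemption is open-ended. If sdcard writes are failing the constraint, labeling the mount so its objects get a real type and level keeps the isolation intact; if the exemption must stay, each line needs a comment naming the mount it covers and why its level cannot be set.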
diff --git a/private/platform_app.te b/private/platform_app.te
index e60dcdd..e1a85c7 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -152,3 +152,4 @@ neverallow { domain -init userdebug_or_eng(`-shell -platform_app') } persist_sys
# app domains which access /dev/fuse should not run as platform_app
neverallow platform_app fuse_device:chr_file *;
+allow platform_app unlabeled:file getattr;
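Review bot: L363 appends an `allow` rule after `neverallow platform_app fuse_device:chr_file *;`, so the file no longer ends with its neverallow block; the vold.te hunk (L409-L410) does the same after `neverallow vold *:rawip_socket *;`. The policy files in this tree keep neverallow rules last so the invariants can be read together, and an allow rule tucked beneath them is easy to miss in review. Move the new rule above the `# app domains which access /dev/fuse` comment and give it its own, e.g. `# getattr on unlabeled sdcard entries: <reason>`.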
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index d0f9b24..88ff081 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -19,5 +19,6 @@ bluetooth_domain(untrusted_app)
# TODO(b/229249719): Will not be supported in Android U
allow untrusted_app sdk_sandbox_data_file:fd use;
allow untrusted_app sdk_sandbox_data_file:file write;
+allow untrusted_app unlabeled:file { read write getattr };
neverallow untrusted_app sdk_sandbox_data_file:file { open create };
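Review bot: L372 grants `untrusted_app` `write` on `unlabeled:file`, while the companion rules for `untrusted_app_30` and `untrusted_app_32` in this patch grant only `getattr read`; if write is intentionally limited to the newest SDK bucket that should be stated, otherwise the difference looks accidental and is the broader of the two. The rule is also inserted between the `sdk_sandbox_data_file` allow rules and the `neverallow` that constrains them, splitting the block that the `TODO(b/229249719)` comment describes as one unit. Move it above that comment and document it, e.g. `# Entries on the unlabeled sdcard mount (<MOUNT>): read/write for <reason>`.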
diff --git a/private/untrusted_app_30.te b/private/untrusted_app_30.te
index c87548e..dc70dcd 100644
--- a/private/untrusted_app_30.te
+++ b/private/untrusted_app_30.te
@@ -28,6 +28,10 @@ userdebug_or_eng(`
auditallow untrusted_app_30 mdnsd:unix_stream_socket connectto;
')
+allow untrusted_app_30 unlabeled:file {getattr read};
+allow untrusted_app_30 unlabeled:dir getattr;
+allow untrusted_app_30 unlabeled:filesystem getattr;
+
# Allow calling inotify on APKs for backwards compatibility. This is disallowed
# for targetSdkVersion>=34 to remove a sidechannel.
allow untrusted_app_30 apk_data_file:dir { watch watch_reads };
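Review bot: L381 writes the permission set as `{getattr read}` without the spaces used everywhere else in this patch and in the surrounding file (`{ watch watch_reads }` on L387); the untrusted_app_32.te hunk (L397) has the same spacing. Use `allow untrusted_app_30 unlabeled:file { getattr read };`. The untrusted_app_32 hunk additionally leaves a trailing blank line at end of file (L400), which the rest of the file does not have.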
diff --git a/private/untrusted_app_32.te b/private/untrusted_app_32.te
index 6e95fd1..5edef5a 100644
--- a/private/untrusted_app_32.te
+++ b/private/untrusted_app_32.te
@@ -37,3 +37,8 @@ userdebug_or_eng(`
auditallow untrusted_app_32 apk_data_file:dir { watch watch_reads };
auditallow untrusted_app_32 apk_data_file:file { watch watch_reads };
')
+
+allow untrusted_app_32 unlabeled:file {getattr read};
+allow untrusted_app_32 unlabeled:dir getattr;
+allow untrusted_app_32 unlabeled:filesystem getattr;
+
diff --git a/private/vold.te b/private/vold.te
index c242040..df25390 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -478,3 +478,5 @@ neverallow vold fsck_exec:file execute_no_trans;
neverallow { domain -init } vold:process { transition dyntransition };
neverallow vold *:process ptrace;
neverallow vold *:rawip_socket *;
+allow vold unlabeled:dir { getattr write };
+allow vold unlabeled:filesystem { getattr mount unmount };
--
2.34.1
From 997808bc21d7d9f852c052807a8f89160d30e8f6 Mon Sep 17 00:00:00 2001
From: Daniel Zhang <danielzhang130@gmail.com>
Date: Mon, 12 Feb 2024 16:14:29 -0500
Subject: [PATCH 2/3] Update run-as sepolicy
Change-Id: I7a8334a0fcdea8574e2caf52c8b415f7582babd6
Signed-off-by: Daniel Zhang <danielzhang130@gmail.com>
---
private/runas.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/private/runas.te b/private/runas.te
index 1d9aed0..66708b5 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -36,6 +36,9 @@ allow runas non_system_app_set:process dyntransition; # setcon
# determine which domain to transition to.
allow runas seapp_contexts_file:file r_file_perms;
+allow runas system_app_data_file:dir getattr;
+allow runas privapp_data_file:dir getattr;
+
###
### neverallow rules
###
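Review bot: The two `getattr` rules on L429-L430 have no comment, while the grants around them in runas.te are each explained by the comment above them (`# determine which domain to transition to.`), so a reader cannot tell which run-as operation needs to stat system-app and priv-app data directories. run-as is the helper that lets a shell user act as a debuggable package, so every broadening of what it can observe should record its reason. Suggest a comment above the pair such as `# run-as stats the target package's data dir before switching into it` if that is what the denial showed, otherwise a `# TODO(<bug>): document why run-as needs this` placeholder.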
--
2.34.1
From b6fb1c1e8a4f77614b14c4ca3f21d44fe221e2c4 Mon Sep 17 00:00:00 2001
From: Daniel Zhang <danielzhang130@gmail.com>
Date: Sat, 5 Oct 2024 12:57:46 -0400
Subject: [PATCH 3/3] Add sepolicy for cpu usage
Change-Id: Iaa487e9e6439d79d04edb06ab828e75dc3d1925c
Signed-off-by: Daniel Zhang <danielzhang130@gmail.com>
---
private/system_app.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/private/system_app.te b/private/system_app.te
index 93be46f..b8ae863 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -178,6 +178,8 @@ get_prop(system_app, usb_uvc_enabled_prop)
allow system_app connectivityblob_data_file:dir rw_dir_perms;
allow system_app connectivityblob_data_file:file create_file_perms;
+allow system_app proc_stat:file { open read getattr };
+
###
### Neverallow rules
###
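Review bot: L453 grants `system_app` read access to `proc_stat` without a comment, whereas the neighbouring rules in this file are grouped under comments naming the feature that needs them; `/proc/stat` exposes system-wide CPU and interrupt counters, which is why its visibility to app domains was narrowed in recent AOSP releases, so the consumer should be recorded. Suggest `# Read /proc/stat for the CPU usage display (<component>)` above the rule. If the full read set is acceptable, `r_file_perms` would match the macro style of the lines above (`rw_dir_perms`, `create_file_perms`); if the explicit `{ open read getattr }` is a deliberate narrowing, say so in the same comment.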
--
2.34.1