diff options
author | Jeff Sharkey <jsharkey@android.com> | 2015-06-25 16:13:59 -0700 |
---|---|---|
committer | Jeff Sharkey <jsharkey@android.com> | 2015-06-25 22:26:30 -0700 |
commit | 6b75d099e17dad2cf691e0a31a084d4d15d5b5ab (patch) | |
tree | abfb82c97de7fffc7df51680dcda8897afa0c398 | |
parent | 6ef32753e7592cb39bab6e9329e54faa73629eea (diff) | |
download | sepolicy-6b75d099e17dad2cf691e0a31a084d4d15d5b5ab.tar.gz |
Let's reinvent storage, yet again!
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
avc: denied { sys_chroot } for capability=18 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
avc: denied { mounton } for path="/storage" dev="tmpfs" ino=4155 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir permissive=1
avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:tmpfs:s0 tclass=filesystem permissive=0
Bug: 21858077
Change-Id: Ie481d190c5e7a774fbf80fee6e39a980f382967e
-rw-r--r-- | file_contexts | 3 | ||||
-rw-r--r-- | vold.te | 4 | ||||
-rw-r--r-- | zygote.te | 2 |
3 files changed, 8 insertions, 1 deletions
diff --git a/file_contexts b/file_contexts index 406f6a8..8fc29eb 100644 --- a/file_contexts +++ b/file_contexts @@ -314,4 +314,7 @@ # external storage /mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0 /mnt/user(/.*)? u:object_r:mnt_user_file:s0 +/mnt/runtime_default(/.*)? u:object_r:storage_file:s0 +/mnt/runtime_read(/.*)? u:object_r:storage_file:s0 +/mnt/runtime_write(/.*)? u:object_r:storage_file:s0 /storage(/.*)? u:object_r:storage_file:s0 @@ -159,6 +159,10 @@ allow vold vold:key { write search setattr }; # vold temporarily changes its priority when running benchmarks allow vold self:capability sys_nice; +# vold needs to chroot into app namespaces to remount when runtime permissions change +allow vold self:capability sys_chroot; +allow vold storage_file:dir mounton; + neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -vold -init } vold_data_file:dir *; @@ -53,7 +53,7 @@ allow zygote rootfs:dir mounton; allow zygote sdcard_type:dir { write search setattr create add_name mounton }; # TODO: deprecated in M dontaudit zygote self:capability fsetid; # TODO: deprecated in M allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M -allow zygote tmpfs:filesystem mount; # TODO: deprecated in M +allow zygote tmpfs:filesystem { mount unmount }; allow zygote labeledfs:filesystem remount; # TODO: deprecated in M # Allowed to create user-specific storage source if started before vold |