1typeattribute apexd coredomain; 2 3init_daemon_domain(apexd) 4 5# Allow creating, reading and writing of APEX files/dirs in the APEX data dir 6allow apexd apex_data_file:dir create_dir_perms; 7allow apexd apex_data_file:file create_file_perms; 8# Allow relabeling file created in /data/apex/decompressed 9allow apexd apex_data_file:file relabelfrom; 10 11# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir 12allow apexd metadata_file:dir search; 13allow apexd apex_metadata_file:dir create_dir_perms; 14allow apexd apex_metadata_file:file create_file_perms; 15 16# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir 17allow apexd sepolicy_metadata_file:dir create_dir_perms; 18allow apexd sepolicy_metadata_file:file create_file_perms; 19# Allow apexd to setup fs-verity for SEPolicy files in metadata 20allowxperm apexd sepolicy_metadata_file:file ioctl { 21 FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY 22}; 23 24# Allow reserving space on /data/apex/ota_reserved for apex decompression 25allow apexd apex_ota_reserved_file:dir create_dir_perms; 26allow apexd apex_ota_reserved_file:file create_file_perms; 27 28# Allow apexd to create files and directories for snapshots of apex data 29allow apexd apex_data_file_type:dir { create_dir_perms relabelto }; 30allow apexd apex_data_file_type:file { create_file_perms relabelto }; 31allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom }; 32allow apexd apex_module_data_file:file { create_file_perms relabelfrom }; 33allow apexd apex_rollback_data_file:dir create_dir_perms; 34allow apexd apex_rollback_data_file:file create_file_perms; 35 36# Allow apexd to read directories under /data/misc_de in order to snapshot and 37# restore apex data for all users. 38allow apexd system_data_file:dir r_dir_perms; 39 40# allow apexd to create loop devices with /dev/loop-control 41allow apexd loop_control_device:chr_file rw_file_perms; 42# allow apexd to access loop devices 43allow apexd loop_device:blk_file rw_file_perms; 44allowxperm apexd loop_device:blk_file ioctl { 45 LOOP_GET_STATUS64 46 LOOP_SET_STATUS64 47 LOOP_SET_FD 48 LOOP_SET_BLOCK_SIZE 49 LOOP_SET_DIRECT_IO 50 LOOP_CLR_FD 51 BLKFLSBUF 52 LOOP_CONFIGURE 53}; 54# Allow apexd to access /dev/block 55allow apexd dev_type:dir r_dir_perms; 56allow apexd dev_type:blk_file getattr; 57 58#allow apexd to access virtual disks 59allow apexd vd_device:blk_file r_file_perms; 60 61# allow apexd to access /dev/block/dm-* (device-mapper entries) 62allow apexd dm_device:chr_file rw_file_perms; 63allow apexd dm_device:blk_file rw_file_perms; 64 65# sys_admin is required to access the device-mapper and mount 66# dac_override, chown, and fowner are needed for snapshot and restore 67allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner }; 68 69# Note: fsetid is deliberately not included above. fsetid checks are 70# triggered by chmod on a directory or file owned by a group other 71# than one of the groups assigned to the current process to see if 72# the setgid bit should be cleared, regardless of whether the setgid 73# bit was even set. We do not appear to truly need this capability 74# for apexd to operate. 75dontaudit apexd self:global_capability_class_set fsetid; 76 77# allow apexd to create a mount point in /apex 78allow apexd apex_mnt_dir:dir create_dir_perms; 79# allow apexd to mount in /apex 80allow apexd apex_mnt_dir:filesystem { mount unmount }; 81allow apexd apex_mnt_dir:dir mounton; 82# allow apexd to create symlinks in /apex 83allow apexd apex_mnt_dir:lnk_file create_file_perms; 84# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file 85allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton }; 86allow apexd apex_info_file:file relabelto; 87# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update. 88allow apexd apex_info_file:file rw_file_perms; 89allow apexd apex_info_file:file mounton; 90 91# allow apexd to unlink apex files in /data/apex/active 92# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX, 93# because it doesn't have write permission for staging_data_file object. 94allow apexd staging_data_file:file unlink; 95 96# allow apexd to read files from /data/app-staging and hardlink them to /data/apex. 97allow apexd staging_data_file:dir r_dir_perms; 98allow apexd staging_data_file:file { r_file_perms link }; 99# # Allow relabeling file created in /data/apex/decompressed 100allow apexd staging_data_file:file relabelto; 101 102# allow apexd to read files from /vendor/apex 103allow apexd vendor_apex_file:dir r_dir_perms; 104allow apexd vendor_apex_file:file r_file_perms; 105 106# Unmount and mount filesystems 107allow apexd labeledfs:filesystem { mount unmount }; 108 109# /sys directory tree traversal 110allow apexd sysfs_type:dir search; 111# Access to /sys/class/block 112allow apexd sysfs_type:dir r_dir_perms; 113allow apexd sysfs_type:file r_file_perms; 114# Configure read-ahead of dm-verity and loop devices 115# for dm-X 116allow apexd sysfs_dm:dir r_dir_perms; 117allow apexd sysfs_dm:file rw_file_perms; 118# for loopX 119allow apexd sysfs_loop:dir r_dir_perms; 120allow apexd sysfs_loop:file rw_file_perms; 121 122# Allow apexd to log to the kernel. 123allow apexd kmsg_device:chr_file w_file_perms; 124 125# Allow apexd to reboot device. Required for rollbacks of apexes that are 126# not covered by rollback manager. 127set_prop(apexd, powerctl_prop) 128 129# Allow apexd to stop itself 130set_prop(apexd, ctl_apexd_prop) 131 132# Find the vold service, and call into vold to manage FS checkpoints 133allow apexd vold_service:service_manager find; 134binder_call(apexd, vold) 135 136# apexd is using bootstrap bionic 137use_bootstrap_libs(apexd) 138 139# Allow apexd to be invoked with logwrapper from init during userspace reboot. 140allow apexd devpts:chr_file { read write }; 141 142# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to 143# other processes 144create_pty(apexd) 145 146# Allow apexd to read file contexts when performing restorecon of snapshots. 147allow apexd file_contexts_file:file r_file_perms; 148 149# Allow apexd to execute toybox for snapshot & restore 150allow apexd toolbox_exec:file rx_file_perms; 151 152# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs. 153allowxperm apexd staging_data_file:file ioctl { 154 FS_IOC_GETFLAGS 155 F2FS_IOC_RELEASE_COMPRESS_BLOCKS 156}; 157 158# Allow apexd to read ro.cold_boot_done prop. 159# apexd uses it to decide whether it needs to keep retrying polling for loop device. 160get_prop(apexd, cold_boot_done_prop) 161 162# Allow apexd to read per-device configuration properties. 163get_prop(apexd, apexd_config_prop) 164 165# Allow apexd to read apex selection properties. 166# These are used to choose between multi-installed APEXes at activation time. 167get_prop(apexd, apexd_select_prop) 168# 169# Allow apexd to read apexd_payload_metadata_prop 170get_prop(apexd, apexd_payload_metadata_prop) 171 172neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms; 173neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms; 174neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms; 175neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms; 176neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms; 177 178neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms; 179neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms; 180 181neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms; 182neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms; 183 184# only apexd can set apexd sysprop 185set_prop(apexd, apexd_prop) 186neverallow { domain -apexd -init } apexd_prop:property_service set; 187 188# only apexd can write apex-info-list.xml 189neverallow { domain -apexd } apex_info_file:file no_w_file_perms; 190 191# Only apexd and init should be allowed to manage /apex mounts 192# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs, 193# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies 194# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below. 195neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount }; 196neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton }; 197 198# Allow for use in postinstall 199allow apexd otapreopt_chroot:fd use; 200allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton }; 201allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom }; 202allow apexd postinstall_apex_mnt_dir:lnk_file create; 203allow apexd proc_filesystems:file r_file_perms; 204 205# Allow calling derive_classpath to gather BCP information for staged sessions 206domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath); 207