# A service that sets up the chroot environment for Pre-reboot Dexopt.
#
# This domain is deliberately powerful (mount/umount, chroot, relabelling of
# freshly mounted tmpfs), so the rules are grouped by purpose and the
# neverallow block at the end pins down who may enter the domain and what it
# may execute. Keep new allow rules next to the comment that justifies them.
type dexopt_chroot_setup, domain, coredomain;
type dexopt_chroot_setup_exec, system_file_type, exec_type, file_type;
# Label for the domain's own tmpfs-backed files; see tmpfs_domain() below.
type dexopt_chroot_setup_tmpfs, file_type;

# Allow dexopt_chroot_setup to publish a binder service and make binder calls.
binder_use(dexopt_chroot_setup)
add_service(dexopt_chroot_setup, dexopt_chroot_setup_service)
# Write-only access to a pipe handed over by dumpstate, plus use of the fd it
# passes in — presumably for collecting this service's dump output during a
# bugreport; verify against the caller. No read access to dumpstate is granted.
allow dexopt_chroot_setup dumpstate:fifo_file { getattr write };
allow dexopt_chroot_setup dumpstate:fd use;

# Started by init. The neverallow rules at the end rely on this: init is the
# only domain permitted to transition into dexopt_chroot_setup.
init_daemon_domain(dexopt_chroot_setup)

# Use tmpfs_domain() which will give tmpfs files created by dexopt_chroot_setup
# their own label, which differs from the labels given to tmpfs files created
# by other processes. This makes it possible to distinguish, in policy, files
# created by dexopt_chroot_setup from those created by other processes.
tmpfs_domain(dexopt_chroot_setup)

# libart (mark_compact.cc) has some initialization code that touches the cache
# info file and userfaultfd.
allow dexopt_chroot_setup apex_module_data_file:dir { getattr search };
r_dir_file(dexopt_chroot_setup, apex_art_data_file)
userfaultfd_use(dexopt_chroot_setup)

# Allow getting root capabilities to bypass permission checks.
# - "sys_admin" is for performing mount and umount.
# - "sys_chroot" is for performing chroot.
# Note that sys_admin is far broader than mount/umount at the kernel level; the
# neverallow rules below exist precisely because this capability set makes the
# domain unsuitable for reuse by anything else.
allow dexopt_chroot_setup self:global_capability_class_set { sys_admin sys_chroot };

# Allow managing its own files.
# The root of the temp dir that dexopt_chroot_setup uses is labeled
# pre_reboot_dexopt_file. Other domains are kept away from this label by the
# final neverallow rule in this file.
allow dexopt_chroot_setup pre_reboot_dexopt_file:dir create_dir_perms;
allow dexopt_chroot_setup pre_reboot_dexopt_file:file create_file_perms;

# Allow accessing /proc/filesystems.
allow dexopt_chroot_setup proc_filesystems:file r_file_perms;

# Allow accessing block devices (/dev/block/...).
# Only directory lookup is granted here; no blk_file permissions. Mapping and
# unmapping of block devices is delegated to snapshotctl via init (see
# snapshotctl_prop below).
allow dexopt_chroot_setup block_device:dir { getattr search };

# Allow mounting file systems, to create a chroot environment.
# We recursively bind-mount directories under /data, /mnt/expand, /proc, /sys,
# and /dev. We need some of them (e.g., incremental-fs directories for
# incremental apps in /data; /dev/cpuctl and /dev/blkio for task profiles), but
# not necessarily all of them. However, to avoid random crashes and silent
# fallbacks, we bind-mount all of them. Therefore, we need access to many of the
# fstypes.
#
# `userdebug_or_eng(debugfs)` only expands on userdebug/eng builds, so debugfs
# is not mountable from this domain on user builds.

allow dexopt_chroot_setup {
  apex_mnt_dir
  apk_data_file
  binderfs
  binfmt_miscfs
  cgroup
  cgroup_v2
  userdebug_or_eng(debugfs)
  debugfs_tracing_debug
  device
  devpts
  fs_bpf
  functionfs
  fusectlfs
  linkerconfig_file
  metadata_file
  mnt_expand_file
  pre_reboot_dexopt_file
  proc
  pstorefs
  rootfs
  selinuxfs
  sysfs
  system_data_file
  system_data_root_file
  system_file
  system_lib_file
  tmpfs
  vendor_file
}:dir mounton;

# New tmpfs instances for the chroot, plus labeledfs (xattr-labelled
# filesystems, e.g. ext4/f2fs) for the bind mounts.
allow dexopt_chroot_setup { tmpfs labeledfs }:filesystem mount;

# Unmount rights for the filesystem types mounted above. Keep this list in step
# with the `mounton` list when a new fstype is added, so teardown of the chroot
# does not fail half-way.
allow dexopt_chroot_setup {
  binderfs
  binfmt_miscfs
  cgroup
  cgroup_v2
  userdebug_or_eng(debugfs)
  debugfs_tracing_debug
  devpts
  fs_bpf
  functionfs
  fusectlfs
  labeledfs
  proc
  pstorefs
  selinuxfs
  sysfs
  tmpfs
}:filesystem unmount;

# Allow reading /apex in chroot.
r_dir_file(dexopt_chroot_setup, apex_mnt_dir)
allow dexopt_chroot_setup apex_info_file:file r_file_perms;

# Allow writing an empty linker config in chroot to suppress linker warnings.
# The empty linker config is used until linkerconfig has run.
# In chroot, we're reusing the type outside the chroot, to reuse all the rules
# for it for other domains, even though we're not changing the real linker
# config outside the chroot.
# Note: because the type is shared, these rules technically also permit
# creating files under the real /linkerconfig; the intended write target is the
# chroot copy only.
allow dexopt_chroot_setup linkerconfig_file:dir { write add_name };
allow dexopt_chroot_setup linkerconfig_file:file { create write };

# Allow using the `rootcontext=` option when mounting tmpfs, so we can give the
# right labels to /apex, /linkerconfig, /mnt/artd_tmp in chroot.
# Combined with `allow file_type tmpfs:filesystem associate;`, this allows
# giving any labels to any tmpfs filesystems as soon as they are mounted.
# Note that those tmpfs filesystems are known to be empty at the time where the
# labels are given, and this rule doesn't allow relabeling any existing tmpfs.
# Only the source side (relabelfrom) is granted here; it does not grant
# relabelto on any file_type.
allow dexopt_chroot_setup tmpfs:filesystem relabelfrom;

# Allow executing art_exec_exec without a domain transition because it is a thin
# wrapper that executes other binaries on behalf of dexopt_chroot_setup. Domain
# transition will take place as soon as art_exec_exec executes other binaries.
# This is the single exception carved out of the execute_no_trans neverallow
# below; do not add further no-transition executables.
allow dexopt_chroot_setup art_exec_exec:file rx_file_perms;

# Allow running other binaries in their own domains.
# Any additional helper binary must be added here (with a transition), never as
# a second execute_no_trans exception.
domain_auto_trans(dexopt_chroot_setup, apexd_exec, apexd)
domain_auto_trans(dexopt_chroot_setup, linkerconfig_exec, linkerconfig)

# Allow running snapshotctl through init, to map and unmap block devices.
set_prop(dexopt_chroot_setup, snapshotctl_prop)

# Allow accessing /data/app/..., to bind-mount dirs for incremental apps.
# (apk_data_file also appears in the `mounton` list above.)
allow dexopt_chroot_setup apk_data_file:dir { getattr search };

# Neverallow rules.

# Never allow running other binaries without a domain transition.
# The exception for art_exec_exec is explained above.
neverallow dexopt_chroot_setup ~{art_exec_exec}:file execute_no_trans;

# Given how powerful this domain is, it shouldn't be used for other purposes.
# Only init may transition into it (matching init_daemon_domain above), and no
# domain may setcon() into it.
neverallow { domain -init } dexopt_chroot_setup:process transition;
neverallow * dexopt_chroot_setup:process dyntransition;

# Never allow other processes to access the temp dirs for Pre-reboot Dexopt.
# `dir *` denies every dir permission including search, which (since path
# lookup requires dir search) also keeps the files underneath out of reach by
# path for every domain not listed here. Each exception below is a domain that
# participates in Pre-reboot Dexopt; review any addition to this list as an
# expansion of the trust boundary.
neverallow {
  domain
  -art_exec
  -artd
  -dexopt_chroot_setup
  -init
  -system_server
  -vendor_init
} pre_reboot_dexopt_file:dir *;