Address sepolicy denials of GceService

This commit moves GceService app out of system_app domain into its own
new gceservice domain. This is so that the privileged access granted
to the GceService app is not granted to other platform / system UID
apps.

denied { write } for comm=".gce.gceservice" name="kmsg" dev="tmpfs" scontext=u:r:system_app:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file
denied { open } for comm=".gce.gceservice" path="/dev/kmsg" dev="tmpfs" scontext=u:r:system_app:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file
denied { getattr } for comm=".gce.gceservice" path="/dev/kmsg" dev="tmpfs" scontext=u:r:system_app:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file
denied { connectto } for comm="pool-1-thread-8" path=006763655F6D65746164617461 scontext=u:r:system_app:s0 tcontext=u:r:kernel:s0 tclass=unix_stream_socket
denied { getattr } for comm="pool-1-thread-4" path="/ts_snap.txt" dev="rootfs" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { read } for comm="pool-1-thread-4" name="ts_snap.txt" dev="rootfs" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { open } for comm="pool-1-thread-4" path="/ts_snap.txt" dev="rootfs" scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { read } for comm="pool-1-thread-4" name="tombstones" dev="vdc" scontext=u:r:system_app:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
denied { open } for comm="pool-1-thread-4" path="/data/tombstones" dev="vdc" scontext=u:r:system_app:s0 tcontext=u:object_r:tombstone_data_file:s0 tclass=dir
denied { getattr } for comm="pool-1-thread-4" path="/data/tombstones/tombstone_00" dev="vdc" scontext=u:r:system_app:s0 tcontext=u:object_r:tombstone_data_file:s0
denied  { add } for service=gce scontext=u:r:system_app:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

Test: Device boots, VPN works, no denials to do with GceService
Test: adb shell dumpsys gce
      outputs sane JSON
Bug: 28053261

Change-Id: I292e94bebaaf6bbda8db41e0236a443bbe0e60cb
diff --git a/shared/config/init.vsoc.rc b/shared/config/init.vsoc.rc
index 7d1466c..b2448d5 100644
--- a/shared/config/init.vsoc.rc
+++ b/shared/config/init.vsoc.rc
@@ -20,6 +20,7 @@
     chmod 0660 /dev/framebuffer_control
     restorecon /dev/framebuffer_control
     restorecon /initial.metadata
+    restorecon /ts_snap.txt
 
     mount debugfs debugfs /sys/kernel/debug
     chmod 0755 /sys/kernel/debug
diff --git a/shared/sepolicy/file.te b/shared/sepolicy/file.te
index 40615c3..f79af7d 100644
--- a/shared/sepolicy/file.te
+++ b/shared/sepolicy/file.te
@@ -3,4 +3,5 @@
 type initial_metadata_file, file_type;
 # USB related portion of sysfs requiring privileged access, as opposed to sysfs_usb which is
 type sysfs_usb_priv, sysfs_type, file_type;
+type tombstone_snapshot_file, file_type;
 type userspace_fb_file, file_type;
diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts
index 1617847..069a548 100644
--- a/shared/sepolicy/file_contexts
+++ b/shared/sepolicy/file_contexts
@@ -12,6 +12,7 @@
 #############################
 # Root files
 /initial\.metadata                 u:object_r:initial_metadata_file:s0
+/ts_snap\.txt                      u:object_r:tombstone_snapshot_file:s0
 
 #############################
 # sysfs files
diff --git a/shared/sepolicy/gceservice.te b/shared/sepolicy/gceservice.te
new file mode 100644
index 0000000..a4b8db7
--- /dev/null
+++ b/shared/sepolicy/gceservice.te
@@ -0,0 +1,29 @@
+# GceService app
+type gceservice, domain;
+app_domain(gceservice)
+
+# Use system services exposed as part of Android framework public API
+allow gceservice app_api_service:service_manager find;
+
+# Export Binder service called "gce". Needed to make "dumpsys gce" work.
+add_service(gceservice, gce_service)
+
+# Read and write /data/data subdirectory (for its app-private persistent data).
+allow gceservice app_data_file:dir create_dir_perms;
+allow gceservice app_data_file:{ file lnk_file } create_file_perms;
+
+# Write to kernel log (/dev/kmsg)
+allow gceservice kmsg_device:chr_file w_file_perms;
+allow gceservice kmsg_device:chr_file getattr;
+
+# Read tombstone snapshot file
+allow gceservice tombstone_snapshot_file:file r_file_perms;
+# List tombstone files
+allow gceservice tombstone_data_file:dir r_dir_perms;
+allow gceservice tombstone_data_file:file getattr;
+
+# Communicate with GCE Metadata Proxy over Unix domain sockets
+# The proxy process uses the default label ("kernel") because it is
+# started before Android init and thus before SELinux rule are applied.
+# TODO(b/65049764): Update once GCE metadata proxy is moved outside of the emulator or gets labelled
+allow gceservice kernel:unix_stream_socket connectto;
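Review bot: The `allow gceservice kernel:unix_stream_socket connectto;` rule at the end of the file is wider than its comment suggests: it permits connecting to any unix stream socket owned by any process running in the `kernel` domain, not only the metadata proxy's abstract socket (the denied `path=006763655F6D65746164617461` decodes to `\0gce_metadata`). Abstract sockets cannot be narrowed by a file label, so this is probably the tightest rule available until the TODO is resolved, but the comment should state that scope so the next reader does not assume it is proxy-specific, e.g. `# NOTE: this also allows connecting to any other stream socket a kernel-domain process creates; tighten once the proxy is labelled.`. The preceding comment also has a typo: `before SELinux rule are applied` should read `before SELinux rules are applied`.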
diff --git a/shared/sepolicy/seapp_contexts b/shared/sepolicy/seapp_contexts
new file mode 100644
index 0000000..e325c99
--- /dev/null
+++ b/shared/sepolicy/seapp_contexts
@@ -0,0 +1,2 @@
+# GceService app
+user=system seinfo=platform name=com.android.google.gce.gceservice domain=gceservice type=app_data_file
diff --git a/shared/sepolicy/service.te b/shared/sepolicy/service.te
new file mode 100644
index 0000000..67d7939
--- /dev/null
+++ b/shared/sepolicy/service.te
@@ -0,0 +1,2 @@
+# Binder service types
+type gce_service,               service_manager_type;
diff --git a/shared/sepolicy/service_contexts b/shared/sepolicy/service_contexts
new file mode 100644
index 0000000..5a5ed00
--- /dev/null
+++ b/shared/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+# Binder service mappings
+gce                                       u:object_r:gce_service:s0