domain.te: Add backwards compatibility for unlabeled files
For unlabeled files, revert to DAC rules. This is for backwards
compatibility, as files created before SELinux was in place may
not be properly labeled.
Over time, the number of unlabeled files will decrease, and we can
(hopefully) remove this rule in the future.
To prevent inadvertently introducing the "relabelto" permission, add
a neverallow domain, and add apps which have a legitimate need to
relabel to this domain.
Bug: 9777552
Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88
diff --git a/app.te b/app.te
index fb76831..22168f8 100644
--- a/app.te
+++ b/app.te
@@ -24,6 +24,8 @@
# Access the network.
net_domain(media_app)
unconfined_domain(media_app)
+relabelto_domain(media_app)
+allow media_app download_file:dir relabelto;
# Apps signed with the shared key.
type shared_app, domain;
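Review bot: `allow media_app download_file:dir relabelto;` is the only relabelto grant media_app receives now that unconfineddomain no longer carries relabelto, and it names the dir class only, so files beneath a download_file directory stay outside what this domain may relabel. If that is deliberate, a comment should say so; if not, the rule needs `{ dir file }`. Either way the line should carry a short why-comment, e.g. `# media_app relabels download directories: <reason placeholder>`, since the purpose is not recoverable from the policy itself.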
diff --git a/attributes b/attributes
index 7d491e2..6123d6c 100644
--- a/attributes
+++ b/attributes
@@ -64,3 +64,6 @@
# Allow domains used for platform (signed by build key) apps.
attribute platformappdomain;
+
+# All domains which are allowed the "relabelto" permission
+attribute relabeltodomain;
diff --git a/domain.te b/domain.te
index a4a06d5..9ca6dc4 100644
--- a/domain.te
+++ b/domain.te
@@ -120,3 +120,18 @@
# security files
allow domain security_file:dir { search getattr };
allow domain security_file:file getattr;
+
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
+# capability, it's essentially useless. This is needed to allow an app with
+# relabelto to relabel unlabeled files.
+#
+allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:dir { create_dir_perms relabelfrom };
+allow domain unlabeled:lnk_file { create_file_perms };
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
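Review bot: The lnk_file rule grants only create_file_perms, while the file and dir rules also grant relabelfrom, so an unlabeled symlink cannot be relabeled even by a relabeltodomain member and the comment block's claim that this "allow[s] an app with relabelto to relabel unlabeled files" does not hold for symlinks. If that gap is unintended, `allow domain unlabeled:lnk_file { create_file_perms relabelfrom };` makes the three rules consistent. Separately, the file rule's rwx_file_perms presumably includes execute, which means every domain may execute unlabeled files; the header comment explains the DAC fallback but should state explicitly that execute is included on purpose, as it is the broadest part of the fallback and the first candidate to retire when the TODO is acted on.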
diff --git a/init.te b/init.te
index 5b7463e..2cbf14d 100644
--- a/init.te
+++ b/init.te
@@ -4,5 +4,8 @@
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
+relabelto_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;
+
+allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
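Review bot: The added `allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;` hands init relabelto on every filesystem, device and file type, which restores for init exactly what the unconfined.te hunk removes from unconfineddomain; kernel.te adds the identical rule. The grant may well be required for these two domains, but neither line records why the blanket form is used instead of an enumerated set of target types, which is what a later reader trying to tighten it will need. A one-line comment above each, e.g. `# relabelto on all file types is intentional: <reason placeholder>`, would close that gap; the reason should be confirmed against the boot-time use before it is written.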
diff --git a/installd.te b/installd.te
index 2b983db..05e4d65 100644
--- a/installd.te
+++ b/installd.te
@@ -4,6 +4,7 @@
type installd_exec, exec_type, file_type;
init_daemon_domain(installd)
+relabelto_domain(installd)
typeattribute installd mlstrustedsubject;
allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
allow installd system_data_file:file create_file_perms;
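Review bot: `relabelto_domain(installd)` on the added line only exempts installd from the new neverallow in domain.te; the hunk carries no `allow installd ...:... relabelto` rule, and installd is an init_daemon_domain rather than an unconfined one, so it does not inherit any relabelto from unconfineddomain either. Unless a matching allow rule exists elsewhere in installd.te, the attribute grants nothing on its own. If the target types are known, add the explicit allow beside the macro; otherwise add a comment naming where the rule that relies on this attribute lives.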
diff --git a/kernel.te b/kernel.te
index 5502ed8..023e457 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,3 +3,6 @@
permissive kernel;
# The kernel is unconfined.
unconfined_domain(kernel)
+relabelto_domain(kernel)
+
+allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
diff --git a/system.te b/system.te
index e638039..24d4a67 100644
--- a/system.te
+++ b/system.te
@@ -6,7 +6,13 @@
type system, domain;
permissive system;
unconfined_domain(system);
+relabelto_domain(system);
# Create a socket for receiving info from wpa.
type_transition system wifi_data_file:sock_file system_wpa_socket;
allow system self:zygote { specifyids specifyrlimits specifyseinfo };
+
+allow system backup_data_file:dir relabelto;
+allow system cache_backup_file:dir relabelto;
+allow system apk_data_file:file relabelto;
+allow system apk_tmp_file:file relabelto;
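Review bot: The four relabelto grants at the end of the hunk have no comment naming the operation that needs them, so a later reviewer cannot tell whether any of backup_data_file, cache_backup_file, apk_data_file or apk_tmp_file can be dropped. A single comment above the block, e.g. `# relabelto targets needed by system: <operation placeholder>`, would fix that. On style, `relabelto_domain(system);` ends with a semicolon while the same macro in app.te, init.te, installd.te and kernel.te is written without one; it matches the existing `unconfined_domain(system);` line above, so this is a per-file consistency point rather than a defect, but it is worth settling on one form.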
diff --git a/te_macros b/te_macros
index 1c78c96..310612c 100644
--- a/te_macros
+++ b/te_macros
@@ -109,6 +109,13 @@
')
#####################################
+# relabelto_domain(domain)
+# Allows this domain to use the relabelto permission
+define(`relabelto_domain', `
+typeattribute $1 relabeltodomain;
+')
+
+#####################################
# platform_app_domain(domain)
# Allow permissions specific to platform apps.
define(`platform_app_domain', `
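Review bot: The comment on the new macro, "Allows this domain to use the relabelto permission", overstates what it does: the body only adds the relabeltodomain attribute, which exempts the domain from the `neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;` rule in domain.te, and each domain still needs its own explicit allow rules (as init.te, system.te and app.te show). Suggest `# Exempts this domain from the relabelto neverallow in domain.te; explicit allow rules for relabelto are still required.` so that a reader does not expect the macro alone to grant anything.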
diff --git a/unconfined.te b/unconfined.te
index 9f100a3..a3af7d7 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -11,8 +11,8 @@
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain fs_type:filesystem *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~entrypoint;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;