iorapd: Add new binder service iorapd.
This daemon is very locked down. Only system_server can access it.
Bug: 72170747
Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
diff --git a/private/atrace.te b/private/atrace.te
index 37e9702..a60370d 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -33,6 +33,7 @@
service_manager_type
-apex_service
-incident_service
+ -iorapd_service
-netd_service
-stats_service
-dumpstate_service
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index f985d95..54edb40 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -89,6 +89,11 @@
hal_wifi_offload_hwservice
incident_helper
incident_helper_exec
+ iorapd
+ iorapd_data_file
+ iorapd_exec
+ iorapd_service
+ iorapd_tmpfs
kmsg_debug_device
last_boot_reason_prop
llkd
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index df3f95a..1df6a0e 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -80,6 +80,11 @@
hal_wifi_hostapd_hwservice
incident_helper
incident_helper_exec
+ iorapd
+ iorapd_data_file
+ iorapd_exec
+ iorapd_service
+ iorapd_tmpfs
last_boot_reason_prop
llkd
llkd_exec
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c1b126b..e02421d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -31,6 +31,11 @@
llkd_prop
llkd_tmpfs
looper_stats_service
+ iorapd
+ iorapd_exec
+ iorapd_data_file
+ iorapd_service
+ iorapd_tmpfs
mnt_product_file
overlayfs_file
recovery_socket
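Review bot: The five `iorapd*` entries in 28.0.ignore.cil break the list's alphabetical order: they are inserted after `looper_stats_service` (an `l` entry) and `iorapd_exec` precedes `iorapd_data_file`, whereas the 26.0 and 27.0 hunks add the same names in sorted order right after `incident_helper_exec`. The sorted position here is above `llkd_prop`, possibly further up in lines outside this hunk. Reorder the block as `iorapd`, `iorapd_data_file`, `iorapd_exec`, `iorapd_service`, `iorapd_tmpfs` so all three compat lists read the same way and future merges stay clean.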
diff --git a/private/file_contexts b/private/file_contexts
index 264735d..3b85213 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -273,6 +273,7 @@
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
/system/bin/profman(d)? u:object_r:profman_exec:s0
+/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -451,6 +452,7 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
@@ -516,6 +518,9 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+# iorapd per-user data
+/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
+
#############################
# efs files
#
diff --git a/private/iorapd.te b/private/iorapd.te
new file mode 100644
index 0000000..602da03
--- /dev/null
+++ b/private/iorapd.te
@@ -0,0 +1,3 @@
+typeattribute iorapd coredomain;
+
+init_daemon_domain(iorapd)
diff --git a/private/service_contexts b/private/service_contexts
index b68ab8e..1398b19 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -70,6 +70,7 @@
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
+iorapd u:object_r:iorapd_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 245496f..40fec6a 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -73,6 +73,7 @@
-apex_service
-dumpstate_service
-installd_service
+ -iorapd_service
-netd_service
-virtual_touchpad_service
-vold_service
@@ -82,6 +83,7 @@
dontaudit system_app {
dumpstate_service
installd_service
+ iorapd_service
netd_service
virtual_touchpad_service
vold_service
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 5663e80..79faafa 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -209,6 +209,7 @@
-dumpstate_service
-gatekeeper_service
-incident_service
+ -iorapd_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
@@ -218,6 +219,7 @@
dumpstate_service
gatekeeper_service
incident_service
+ iorapd_service
virtual_touchpad_service
vold_service
vr_hwc_service
diff --git a/public/file.te b/public/file.te
index 8e31f2c..48c2a69 100644
--- a/public/file.te
+++ b/public/file.te
@@ -296,6 +296,7 @@
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
+type iorapd_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index 42d364f..18d11b6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -158,6 +158,7 @@
file_type
-app_data_file
-exec_type
+ -iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -173,6 +174,7 @@
file_type
-app_data_file
-exec_type
+ -iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -189,6 +191,7 @@
file_type
-app_data_file
-exec_type
+ -iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
@@ -204,6 +207,7 @@
file_type
-app_data_file
-exec_type
+ -iorapd_data_file
-keystore_data_file
-misc_logd_file
-nativetest_data_file
diff --git a/public/iorapd.te b/public/iorapd.te
new file mode 100644
index 0000000..c056943
--- /dev/null
+++ b/public/iorapd.te
@@ -0,0 +1,75 @@
+# volume manager
+type iorapd, domain;
+type iorapd_exec, exec_type, file_type, system_file_type;
+
+r_dir_file(iorapd, rootfs)
+
+# Allow read/write /proc/sys/vm/drop/caches
+allow iorapd proc_drop_caches:file rw_file_perms;
+
+# Give iorapd a place where only iorapd can store files; everyone else is off limits
+allow iorapd iorapd_data_file:dir create_dir_perms;
+allow iorapd iorapd_data_file:file create_file_perms;
+
+# Allow iorapd to publish a binder service and make binder calls.
+binder_use(iorapd)
+add_service(iorapd, iorapd_service)
+
+# Allow iorapd to call into the system server so it can check permissions.
+binder_call(iorapd, system_server)
+allow iorapd permission_service:service_manager find;
+# IUserManager
+allow iorapd user_service:service_manager find;
+# IPackageManagerNative
+allow iorapd package_native_service:service_manager find;
+
+# talk to batteryservice
+binder_call(iorapd, healthd)
+
+# TODO: does each of the service_manager allow finds above need the binder_call?
+
+# iorapd temporarily changes its priority when running benchmarks
+allow iorapd self:global_capability_class_set sys_nice;
+
+
+###
+### neverallow rules
+###
+
+neverallow {
+ domain
+ -iorapd
+} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -iorapd
+} iorapd_data_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -iorapd
+} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vendor_init
+ -iorapd
+} { iorapd_data_file }:notdevfile_class_set *;
+
+# Only system_server can interact with iorapd over binder
+neverallow { domain -system_server -iorapd } iorapd_service:service_manager find;
+neverallow iorapd {
+ domain
+ -healthd
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow { domain -init } iorapd:process { transition dyntransition };
+neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
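Review bot: The per-user CE directory this commit labels `iorapd_data_file` in file_contexts (`/data/misc_ce/[0-9]+/iorapd(/.*)?`) looks unreachable under `neverallow { domain -init -iorapd } iorapd_data_file:dir *;`, which leaves only init and iorapd able to create or relabel directories of that type; if user provisioning creates that directory from another domain (vold, for instance), the policy will either fail to compile (if a matching allow exists) or deny the mkdir at runtime, so confirm which domain creates it and extend the exclusion set accordingly. Two comments in this file are also misleading: `# volume manager` on the first line is a leftover from vold.te and should read `# iorapd daemon; reachable over binder only from system_server (see neverallows below)`, and `# Allow read/write /proc/sys/vm/drop/caches` should name the real path, `/proc/sys/vm/drop_caches`. The `TODO` about whether each `service_manager find` needs a matching `binder_call` is better resolved before submit than left in policy, since the `:binder call` neverallow below already pins the callee set to healthd, servicemanager and system_server and any extra `binder_call` would have to fit inside it.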
diff --git a/public/service.te b/public/service.te
index 7a60ad4..dd80f92 100644
--- a/public/service.te
+++ b/public/service.te
@@ -10,6 +10,7 @@
type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
+type iorapd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 339b586..cef1b0a 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -108,6 +108,7 @@
-gatekeeper_service
-incident_service
-installd_service
+ -iorapd_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/traceur_app.te b/public/traceur_app.te
index c18984e..aea13ef 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -11,6 +11,7 @@
-gatekeeper_service
-incident_service
-installd_service
+ -iorapd_service
-netd_service
-virtual_touchpad_service
-vold_service
diff --git a/public/vold.te b/public/vold.te
index 8db19fc..cd2d4f7 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -272,6 +272,7 @@
-hal_bootctl
-healthd
-hwservicemanager
+ -iorapd_service
-servicemanager
-system_server
userdebug_or_eng(`-su')