commit ff1c765ff20ec9887e51933ed783c650013f1da4
author Nick Kralevich <nnk@google.com> Thu Sep 27 08:45:16 2018 -0700
committer Nick Kralevich <nnk@google.com> Thu Sep 27 10:18:40 2018 -0700
tree 396477722e45cbebf2c4507c5fb57e9f16ec9cb1
parent 0e0feac01bd567f71242f18701df71ae87c015b6

Label /system/usr/share/zoneinfo differently

/system/usr/share/zoneinfo is currently labeled zoneinfo_data_file,
a label shared with /data/misc/zoneinfo. However, each of these
directory locations has different security characteristics. In
particular, the files in /system/usr/share/zoneinfo must never be
writable, whereas /data/misc/zoneinfo may be written to by system_server.
Reusing the same label hides these different security characteristics.

Create a separate label for /system/usr/share/zoneinfo.

Test: Device boots and no obvious problems.
Change-Id: I8cf16ff038b06b38f77388e546d9b7a6865f7879

private/compat/26.0/26.0.cil

diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index c9f09b9..dd60596 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -658,7 +658,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
 (typeattributeset system_prop_26_0 (system_prop))

private/compat/27.0/27.0.cil

diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index c596d3f..155cf42 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1375,7 +1375,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))

private/compat/28.0/28.0.cil

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 2348b19..5d47d23 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1573,7 +1573,9 @@
     system_linker_config_file
     system_linker_exec
     system_seccomp_policy_file
-    system_security_cacerts_file))
+    system_security_cacerts_file
+    system_zoneinfo_file
+))
 (typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
 (typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 37af878..991f75b 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -296,6 +296,7 @@
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
 /system/bin/vr_hwc               u:object_r:vr_hwc_exec:s0
 /system/bin/adbd                 u:object_r:adbd_exec:s0
 /system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
@@ -445,7 +446,6 @@
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
-/system/usr/share/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 032c27c..669c3c2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -221,8 +221,8 @@
 # libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
 # timezone related information.
 # This directory is considered to be a VNDK-stable
-allow domain zoneinfo_data_file:file r_file_perms;
-allow domain zoneinfo_data_file:dir r_dir_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
+allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
 
 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)

public/file.te

diff --git a/public/file.te b/public/file.te
index bf0a0b4..4416227 100644
--- a/public/file.te
+++ b/public/file.te
@@ -142,6 +142,8 @@
 type system_seccomp_policy_file, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.
 type system_security_cacerts_file, file_type;
+# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
+type system_zoneinfo_file, file_type;
 
 # Default type for directories search for
 # HAL implementations