commit 1edab60bf52128aef2d0c3208e4f37798c213f12
author Puthikorn Voravootivat <puthik@google.com> Tue Dec 08 10:35:06 2020 -0800
committer Commit Bot <commit-bot@chromium.org> Mon Dec 28 12:41:32 2020 +0000
tree 0e6856b7673b11b8785beb79935e2ed8d3caba8c
parent 68bcf1d07da1e922dfd2e815465c3a2f64af1b94

sepolicy: Add domain for temp_logger

Instead of running the script directly,
we start sanboxing temp_logger with minijail.
So add selinux-policy for this.

BUG=b:174742099
TEST=tast.security.SELinuxProcesses
TEST=tast.security.SandboxedServices

Change-Id: Ie6f029b98685ab77bcbfd58dad2717efa95b3f06
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2581739
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Puthikorn Voravootivat <puthik@chromium.org>
Commit-Queue: Puthikorn Voravootivat <puthik@chromium.org>

sepolicy/file_contexts/chromeos_file_contexts

diff --git a/sepolicy/file_contexts/chromeos_file_contexts b/sepolicy/file_contexts/chromeos_file_contexts
index a9b855a..ea0ed4a 100644
--- a/sepolicy/file_contexts/chromeos_file_contexts
+++ b/sepolicy/file_contexts/chromeos_file_contexts
@@ -181,6 +181,7 @@
 /usr/share/cros/init/ui-respawn u:object_r:cros_init_ui_respawn_shell_script:s0
 /usr/share/cros/init/shill.sh   u:object_r:cros_init_shill_shell_script:s0
 /usr/share/cros/init/shill-pre-start.sh u:object_r:cros_init_shill_shell_script:s0
+/usr/share/cros/init/temp_logger.sh u:object_r:cros_init_temp_logger_shell_script:s0
 
 /var                            u:object_r:cros_var:s0
 /var/cache                      u:object_r:cros_var_cache:s0

sepolicy/policy/chromeos/file.te

diff --git a/sepolicy/policy/chromeos/file.te b/sepolicy/policy/chromeos/file.te
index 5c2981b..c56ba84 100644
--- a/sepolicy/policy/chromeos/file.te
+++ b/sepolicy/policy/chromeos/file.te
@@ -195,6 +195,7 @@
 type cros_init_start_bluetoothlog_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type;
 type cros_init_ui_pre_start_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type;
 type cros_init_ui_respawn_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type;
+type cros_init_temp_logger_shell_script, exec_type, file_type, cros_init_scripts_file_type, cros_file_type, cros_system_file_type;
 
 type cros_ionice_exec, exec_type, file_type, cros_file_type, cros_system_file_type;
 

sepolicy/policy/chromeos_base/init-scripts/cros_init_temp_logger.te

diff --git a/sepolicy/policy/chromeos_base/init-scripts/cros_init_temp_logger.te b/sepolicy/policy/chromeos_base/init-scripts/cros_init_temp_logger.te
new file mode 100644
index 0000000..5a88d05
--- /dev/null
+++ b/sepolicy/policy/chromeos_base/init-scripts/cros_init_temp_logger.te
@@ -0,0 +1,5 @@
+type cros_init_temp_logger, chromeos_domain, domain, cros_init_scripts_domain;
+
+permissive cros_init_temp_logger;
+
+domain_auto_trans(minijail, cros_init_temp_logger_shell_script, cros_init_temp_logger);