# SELinux policy for the cryptohome namespace mounter helper.
# Declare the domain type and attach the chromeos_domain and domain attributes.
type cros_cryptohome_namespace_mounter, chromeos_domain, domain;
# The domain is permissive: access that is not allowed below is logged as a
# denial but still granted. The rules in this file only confine the process
# once this statement is removed, so audit logs are the signal to watch until
# then.
permissive cros_cryptohome_namespace_mounter;
# Enter this domain automatically when cros_cryptohomed executes a file
# labeled cros_cryptohome_namespace_mounter_exec.
domain_auto_trans(cros_cryptohomed, cros_cryptohome_namespace_mounter_exec, cros_cryptohome_namespace_mounter);
# Executing a file labeled cros_unconfined_exec from this domain transitions
# to the chromeos domain.
# NOTE(review): chromeos is presumably the broad catch-all domain - confirm;
# if so this is a path out of the confined domain and should stay as narrow
# as the TODO on the matching execute rule further down intends.
domain_auto_trans(cros_cryptohome_namespace_mounter, cros_unconfined_exec, chromeos);
# Every type carrying the domain attribute may search keys labeled with this
# domain.
# NOTE(review): the source here is the whole domain attribute, not a specific
# caller - confirm which domains actually need it before going enforcing.
allow domain cros_cryptohome_namespace_mounter:key search;
# Allow the mounter to use file descriptors that belong to cros_cryptohomed.
allow cros_cryptohome_namespace_mounter cros_cryptohomed:fd use;
# Access rules for user cryptohome directories/files: .shadow/, chronos/, root/, user/
# TODO(betuls): Define a cryptohome domain and move these rules there.
# Read/write access to FIFOs labeled cros_cryptohomed.
allow cros_cryptohome_namespace_mounter cros_cryptohomed:fifo_file rw_file_perms;
# create_dir_file is a macro defined outside this file; presumably it grants
# create/manage permissions on directories and files of each listed type -
# confirm against the macro definition. The list covers the home tree, the
# shadow tree (including low_entropy_creds) and parts of /run.
create_dir_file(cros_cryptohome_namespace_mounter, {
cros_downloads_file
cros_home
cros_home_chronos
cros_home_root
cros_home_shadow
cros_home_shadow_low_entropy_creds
cros_home_shadow_uid
cros_home_shadow_uid_root
cros_home_shadow_uid_user
cros_home_user
cros_run
cros_run_daemon_store
cros_run_dbus
});
# Directories of these types may be used as mount points. This is a subset of
# the list above: cros_home, cros_home_shadow, the low_entropy_creds type,
# cros_home_shadow_uid_root and cros_run_dbus are not mountable-on.
allow cros_cryptohome_namespace_mounter {
cros_downloads_file
cros_home_user
cros_home_chronos
cros_home_root
cros_home_shadow_uid
cros_home_shadow_uid_user
cros_run
cros_run_daemon_store }:dir mounton;
# Relabeling is limited to one direction for directories: relabelfrom on
# cros_home_shadow_uid_root and relabelto on cros_home_shadow_uid. Together
# these allow changing a directory label from the former to the latter.
allow cros_cryptohome_namespace_mounter cros_home_shadow_uid:dir relabelto;
allow cros_cryptohome_namespace_mounter cros_home_shadow_uid_root:dir relabelfrom;
# cryptohome_namespace_mounter creates dirs/files in daemon-store directories
# and is granted relabelto on them, one pair of macro calls per daemon.
# Both macros are defined outside this file; the second argument is the daemon
# name and the third argument of cros_daemon_store_perms is the permission
# being granted.
# NOTE(review): session_manager and shill have entries here but no matching
# filetrans_pattern line at the end of this file, while the other twelve
# daemons do - confirm that this is intentional.
cros_daemon_store_create(cros_cryptohome_namespace_mounter, authpolicyd);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, authpolicyd, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, cdm-oemcrypto);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, cdm-oemcrypto, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, chaps);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, chaps, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, crash);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, crash, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, crosvm);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, crosvm, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, debugd);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, debugd, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, kerberosd);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, kerberosd, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, pvm);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, pvm, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, pvm-dispatcher);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, pvm-dispatcher, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, session_manager);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, session_manager, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, shill);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, shill, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, smbfs);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, smbfs, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, smbproviderd);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, smbproviderd, relabelto);
cros_daemon_store_create(cros_cryptohome_namespace_mounter, usb_bouncer);
cros_daemon_store_perms(cros_cryptohome_namespace_mounter, usb_bouncer, relabelto);
# Kernel and key related permissions.
# Keys labeled cros_init may be linked into a keyring by this domain.
allow cros_cryptohome_namespace_mounter cros_init:key link;
# Keys labeled kernel may be searched and linked.
allow cros_cryptohome_namespace_mounter kernel:key {
link
search
};
# module_request lets an action of this domain trigger kernel module
# autoloading.
# NOTE(review): presumably needed for filesystem or crypto modules used while
# mounting - confirm, since it lets this domain cause module loads.
allow cros_cryptohome_namespace_mounter kernel:system module_request;
# Permissions to create and bind-mount ephemeral cryptohome directory.
# create_mounton_dir_file is a macro defined outside this file.
create_mounton_dir_file(cros_cryptohome_namespace_mounter, cros_run_cryptohome);
# Read/write access to block device nodes carrying the generic device label.
# NOTE(review): the target is the generic device type rather than a label
# specific to loop devices, so any block node left with that label is covered -
# confirm that device nodes are labeled tightly enough for this to be narrow.
allow cros_cryptohome_namespace_mounter device:blk_file rw_file_perms;
# The extended-permission rule narrows ioctl on those nodes to the two loop
# device commands listed: attach a backing file and detach it.
allowxperm cros_cryptohome_namespace_mounter device:blk_file ioctl {
LOOP_SET_FD
LOOP_CLR_FD
};
# The TPM character device is granted the r_file_perms set only (no write
# permission is listed here).
allow cros_cryptohome_namespace_mounter tpm_device:chr_file r_file_perms;
# Rules wrapped in has_arc are emitted only when that build-time macro
# (defined outside this file) selects them; presumably for boards that ship
# ARC - confirm. They allow creating directories of type media_rw_data_file
# and using them as mount points.
has_arc(`
allow cros_cryptohome_namespace_mounter media_rw_data_file:dir {
create_dir_perms
mounton
};
')
# Read-only inspection of system state: the proc_swaps file, directories
# labeled rootfs and cgroup, and the sysfs ext4 feature entries.
allow cros_cryptohome_namespace_mounter proc_swaps:file r_file_perms;
allow cros_cryptohome_namespace_mounter {
rootfs
cgroup
}:dir r_dir_perms;
r_dir_file(cros_cryptohome_namespace_mounter, sysfs_fs_ext4_features);
# TODO(b/178237710) Label the directories and files with specific contexts.
# Until that is done the rules below target the unlabeled type, which applies
# to any object without a valid label, so they are wider than the paths the
# mounter is meant to touch: read access, plus mounton and relabelfrom on
# directories.
r_dir_file(cros_cryptohome_namespace_mounter, unlabeled);
allow cros_cryptohome_namespace_mounter unlabeled:dir {
mounton
relabelfrom
};
# TODO(b/178237004) Label the processes with specific contexts.
# Execute permission on cros_unconfined_exec files; this pairs with the
# domain_auto_trans rule near the top of the file that moves such an exec into
# the chromeos domain.
allow cros_cryptohome_namespace_mounter cros_unconfined_exec:file x_file_perms;
# cryptohome_namespace_mounter needs to enter the user session mount namespace
# at /run/namespaces/mnt_chrome.
# Only search is granted on the containing directory; the namespace file
# itself gets read permissions plus mounton.
allow cros_cryptohome_namespace_mounter cros_run_namespaces:dir search;
allow cros_cryptohome_namespace_mounter cros_run_namespaces_mnt_chrome:file {
r_file_perms
mounton
};
# cryptohome_namespace_mounter capabilities
# chown, fowner and fsetid cover changing ownership and mode bits on files the
# process does not own; sys_chroot covers chroot; sys_admin is the broad
# administrative capability that mount and namespace operations require.
# sys_admin is the most powerful entry here, so the type-enforcement rules in
# the rest of this file are what actually bound the mounter once the domain is
# enforcing.
allow cros_cryptohome_namespace_mounter self:capability {
chown
fowner
fsetid
sys_admin
sys_chroot
};
# Search and write on keys labeled with this domain itself.
allow cros_cryptohome_namespace_mounter self:key {
search
write
};
# Chrome OS with ARCVM does not undergo CTS tests. Thus drop the
# arc_cts_fails_release macro for ARCVM devices so that
# cros_cryptohome_namespace_mounter is not converted into a permissive domain
# after being flipped to enforcing.
#
# Both branches below carry the same rule set; the only difference is that the
# second (non-ARCVM) branch is wrapped in arc_cts_fails_release. Keep the two
# copies in sync when editing either one.
# The rules grant: the dac_override and dac_read_search capabilities (bypass of
# discretionary file permission checks), mount/remount/unmount of filesystems
# labeled unlabeled or labeledfs, read access to character devices carrying
# the generic device label, and create_dir_file on unlabeled objects.
# NOTE(review): the unlabeled and generic device targets are broad; the TODO
# inside the first branch tracks replacing them with specific contexts.
is_arc_vm(`
allow cros_cryptohome_namespace_mounter self:capability {
dac_override
dac_read_search
};
# TODO(b/178237710) Label with specific contexts.
allow cros_cryptohome_namespace_mounter unlabeled:filesystem {
mount
remount
unmount
};
allow cros_cryptohome_namespace_mounter labeledfs:filesystem {
mount
remount
unmount
};
allow cros_cryptohome_namespace_mounter device:chr_file r_file_perms;
create_dir_file(cros_cryptohome_namespace_mounter, unlabeled);
',`
arc_cts_fails_release(`
allow cros_cryptohome_namespace_mounter self:capability {
dac_override
dac_read_search
};
allow cros_cryptohome_namespace_mounter unlabeled:filesystem {
mount
remount
unmount
};
allow cros_cryptohome_namespace_mounter labeledfs:filesystem {
mount
remount
unmount
};
allow cros_cryptohome_namespace_mounter device:chr_file r_file_perms;
create_dir_file(cros_cryptohome_namespace_mounter, unlabeled);
', (cros_cryptohome_namespace_mounter));
')
# The kernel domain may use file descriptors that belong to the mounter.
allow kernel cros_cryptohome_namespace_mounter:fd use;
# NOTE(review): the source of this rule is cros_cryptohomed, not the mounter
# domain this file defines. It grants cryptohomed create_file_perms on
# cros_var_lib files; confirm it belongs here rather than in the cryptohomed
# policy.
allow cros_cryptohomed cros_var_lib:file create_file_perms;
# log_writer and uma_writer are macros defined outside this file; presumably
# they grant what is needed to emit logs and UMA metrics - confirm.
log_writer(cros_cryptohome_namespace_mounter);
uma_writer(cros_cryptohome_namespace_mounter);
# Label transitions for directories the mounter creates. Arguments are:
# creating domain, type of the parent directory, type given to the new object,
# object class, and an optional exact name the new object must have.
# filetrans_pattern is defined outside this file.
# A transition only applies when the object is created by this domain;
# directories that already exist keep their current label.
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home, cros_home_shadow, dir, ".shadow");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow, cros_home_shadow_low_entropy_creds, dir, "low_entropy_creds");
# No name given: any other directory created under a cros_home_shadow parent
# gets cros_home_shadow_uid.
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow, cros_home_shadow_uid, dir);
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid, cros_home_shadow_uid_root, dir, "root");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid, cros_home_shadow_uid_user, dir, "user");
# Downloads and MyFiles both receive the cros_downloads_file type.
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_user, cros_downloads_file, dir, "Downloads");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_user, cros_downloads_file, dir, "MyFiles");
# Per-daemon directories under the root part of a user shadow directory. Each
# gets its own type so that access can be granted per daemon.
# NOTE(review): there is no entry for session_manager or shill although both
# appear in the daemon-store rules earlier in this file - confirm.
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_authpolicyd, dir, "authpolicyd");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_cdm-oemcrypto, dir, "cdm-oemcrypto");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_chaps, dir, "chaps");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crash, dir, "crash");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crosvm, dir, "crosvm");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_debugd, dir, "debugd");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_kerberosd, dir, "kerberosd");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm, dir, "pvm");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm-dispatcher, dir, "pvm-dispatcher");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbfs, dir, "smbfs");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbproviderd, dir, "smbproviderd");
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_home_shadow_uid_root, cros_home_shadow_uid_root_usb_bouncer, dir, "usb_bouncer");
# The ephemeral mount should be treated as a home directory as well.
# Note that this transition is currently ineffective because the ephemeral
# mount is a new filesystem. For now cryptohome itself sets the label of the
# new ephemeral mount to cros_home_shadow_uid.
filetrans_pattern(cros_cryptohome_namespace_mounter, cros_ephemeral_mount, cros_home_shadow_uid, dir);