# SELinux policy for the cryptohomed daemon (domain cros_cryptohomed).
# cryptohomed is entered from cros_init_scripts via its executable and manages
# the per-user encrypted home directories under /home/.shadow and the
# daemon-store directories it creates and relabels for other services.
type cros_cryptohomed, chromeos_domain, domain;
# NOTE(review): while this line is present the domain is permissive: denials
# are audited but not enforced. Track the audit log for this domain before
# removing the line; the rules below are only as complete as those logs show.
permissive cros_cryptohomed;
domain_auto_trans(cros_init_scripts, cros_cryptohomed_exec, cros_cryptohomed);
# Executing an unconfined binary moves the process into the chromeos domain
# (see TODO(b/178237004) further down); this keeps the daemon from inheriting
# any narrowing that a dedicated target domain would provide.
domain_auto_trans(cros_cryptohomed, cros_unconfined_exec, chromeos);
# Source is the attribute domain: every domain may search keys owned by
# cryptohomed. Search only; link/write on keys are granted below per target.
allow domain cros_cryptohomed:key search;
allow cros_cryptohomed cros_coreutils_exec:file x_file_perms;
allow cros_cryptohomed cros_cryptohome_namespace_mounter:process signal;
# Access rules for user cryptohome directories/files .shadow/, chronos/, root/, user/
# TODO(betuls): Reevaluate after OOP flags are removed from the cryptohome code.
allow cros_cryptohomed cros_cryptohomed:fifo_file w_file_perms;
# mounton: the user home types cryptohomed uses as mount points.
allow cros_cryptohomed {
cros_downloads_file
cros_home_chronos
cros_home_root
cros_home_user
cros_home_shadow_uid_user
}:dir mounton;
allow cros_cryptohomed cros_home_shadow_uid_root:dir relabelfrom;
# Full dir/file create permissions on the home, shadow and run types below.
create_dir_file(cros_cryptohomed, {
cros_downloads_file
cros_home
cros_home_chronos
cros_home_root
cros_home_shadow
cros_home_shadow_low_entropy_creds
cros_home_shadow_uid
cros_home_shadow_uid_root
cros_home_shadow_uid_user
cros_home_user
cros_run
cros_run_daemon_store
cros_run_dbus
cros_run_arcvm
testharness_file
system_data_root_file
});
create_relabelto_dir_file(cros_cryptohomed, cros_home_shadow_uid);
# NOTE(review): unlabeled is the fallback type for objects with no label, so
# the read (here) and ioctl (below) grants on it are broader than the named
# types; TODO(b/178237710) below covers labeling these with specific contexts.
allow cros_cryptohomed {
cros_stateful_partition
cros_run_daemon_store
cros_var_db
unlabeled
}:dir r_dir_perms;
# ioctl is restricted for Chrome OS domains, see chrome_os.te. Give required
# permissions to cros_cryptohomed.
# Only the ioctls in the cryptohome_fscrypt_ioctls set are permitted on dirs.
allowxperm cros_cryptohomed {
cros_home_shadow
cros_home_shadow_uid
cros_home_shadow_uid_user
cros_stateful_partition
unlabeled
}:dir ioctl cryptohome_fscrypt_ioctls;
# cryptohomed creates and relabelto dirs/files in
# daemon-store directories.
# Each daemon listed here also gets a matching filetrans_pattern near the end
# of this file; keep the two lists in step when adding or removing a daemon.
cros_daemon_store_create(cros_cryptohomed, authpolicyd);
cros_daemon_store_perms(cros_cryptohomed, authpolicyd, relabelto);
cros_daemon_store_create(cros_cryptohomed, cdm-oemcrypto);
cros_daemon_store_perms(cros_cryptohomed, cdm-oemcrypto, relabelto);
cros_daemon_store_create(cros_cryptohomed, chaps);
cros_daemon_store_perms(cros_cryptohomed, chaps, relabelto);
cros_daemon_store_create(cros_cryptohomed, crash);
cros_daemon_store_perms(cros_cryptohomed, crash, relabelto);
cros_daemon_store_create(cros_cryptohomed, crosvm);
cros_daemon_store_perms(cros_cryptohomed, crosvm, relabelto);
cros_daemon_store_create(cros_cryptohomed, debugd);
cros_daemon_store_perms(cros_cryptohomed, debugd, relabelto);
cros_daemon_store_create(cros_cryptohomed, kerberosd);
cros_daemon_store_perms(cros_cryptohomed, kerberosd, relabelto);
cros_daemon_store_create(cros_cryptohomed, pvm);
cros_daemon_store_perms(cros_cryptohomed, pvm, relabelto);
cros_daemon_store_create(cros_cryptohomed, pvm-dispatcher);
cros_daemon_store_perms(cros_cryptohomed, pvm-dispatcher, relabelto);
cros_daemon_store_create(cros_cryptohomed, session_manager);
cros_daemon_store_perms(cros_cryptohomed, session_manager, relabelto);
cros_daemon_store_create(cros_cryptohomed, shill);
cros_daemon_store_perms(cros_cryptohomed, shill, relabelto);
cros_daemon_store_create(cros_cryptohomed, smbfs);
cros_daemon_store_perms(cros_cryptohomed, smbfs, relabelto);
cros_daemon_store_create(cros_cryptohomed, smbproviderd);
cros_daemon_store_perms(cros_cryptohomed, smbproviderd, relabelto);
cros_daemon_store_create(cros_cryptohomed, usb_bouncer);
cros_daemon_store_perms(cros_cryptohomed, usb_bouncer, relabelto);
allow cros_cryptohomed chromeos_startup_tmp_file:file mounton;
allow cros_cryptohomed cros_init_scripts:fd use;
# Keyring access: link and write to keys held by init and by the kernel
# (plus search on kernel keys); setattr/write on its own keys is granted below.
allow cros_cryptohomed cros_init:key {
link
write
};
allow cros_cryptohomed kernel:key {
link
search
write
};
# module_request lets the daemon trigger kernel module auto-loading; keep it
# to the domains that demonstrably need it.
allow cros_cryptohomed kernel:system module_request;
allow cros_cryptohomed cros_passwd_file:file r_file_perms;
allow cros_cryptohomed {
cros_init
cros_dbus_daemon
}:unix_stream_socket connectto;
allow cros_cryptohomed {
cros_run
cros_run_cryptohome
proc_drop_caches
}:file create_file_perms;
allow cros_cryptohomed cros_system_bus_socket:sock_file write;
# NOTE(review): this and the r_dir_file/create_dir_file calls below pass the
# two names separated by a space instead of a comma as the calls above do. It
# appears to expand to a valid rule only because the expansion is of the form
# allow $1 $2:class perms and tolerates the whitespace split; prefer the comma
# form used elsewhere in this file for consistency. TODO confirm against the
# macro definitions.
create_dir_file( cros_cryptohomed cros_var_lib_whitelist );
has_arc(`
create_dir_file(cros_cryptohomed media_rw_data_file);
# Only the two extended-attribute ioctls are permitted on ARC media files.
allowxperm cros_cryptohomed media_rw_data_file:{ file dir } ioctl {
FS_IOC_FSGETXATTR
FS_IOC_FSSETXATTR
};
')
r_dir_file(cros_cryptohomed {
sysfs_dm
sysfs_loop
sysfs_zram
rootfs
});
allow cros_cryptohomed tmpfs:file create_file_perms;
r_dir_file( cros_cryptohomed sysfs );
# cryptohomed capabilities
# sys_admin is the broadest of these (it covers mount-related operations among
# many others) and backs the mounton rules above; the DAC-bypass capabilities
# are granted separately in the ARC conditionals below.
allow cros_cryptohomed self:capability {
chown
fowner
ipc_lock
sys_admin
};
allow cros_cryptohomed self:key {
setattr
write
};
allow cros_cryptohomed {
cros_stateful_partition
cgroup
}:dir r_dir_perms;
# TODO(b/178237710) Label the directories and files with specific contexts.
allow cros_cryptohomed cros_run_namespaces:dir search;
allow cros_cryptohomed labeledfs:filesystem {
quotaget
unmount
};
# TODO(b/178237004) Label the processes with specific contexts.
allow cros_cryptohomed cros_unconfined_exec:file x_file_perms;
# Chrome OS with ARCVM doesn't undergo CTS tests. Thus remove the
# arc_cts_fails_release macro for ARCVM devices so that cros_cryptohomed is not
# converted into a permissive domain after being flipped to enforcing.
# Both branches grant the same rules. dac_override and dac_read_search bypass
# discretionary (owner/mode) checks and the filesystem rules cover mounting and
# unmounting filesystems that carry no label; on non-ARCVM builds they are
# wrapped in arc_cts_fails_release so a CTS failure is attributed to this domain.
is_arc_vm(`
allow cros_cryptohomed self:capability {
dac_override
dac_read_search
};
allow cros_cryptohomed unlabeled:filesystem {
mount
remount
unmount
};
',`
arc_cts_fails_release(`
allow cros_cryptohomed self:capability {
dac_override
dac_read_search
};
allow cros_cryptohomed unlabeled:filesystem {
mount
remount
unmount
};
', (`cros_cryptohomed'));
')
log_writer(cros_cryptohomed);
uma_writer(cros_cryptohomed);
allow cros_cryptohomed debugfs:dir r_dir_perms;
# Name-based type transitions for the directories cryptohomed creates under
# the home and shadow trees. Entries that give no name (the cros_home_shadow_uid
# ones) apply to any directory created under that parent type.
filetrans_pattern(cros_cryptohomed, cros_home, cros_home_shadow, dir, ".shadow");
filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_low_entropy_creds, dir, "low_entropy_creds");
filetrans_pattern(cros_cryptohomed, cros_home_shadow, cros_home_shadow_uid, dir);
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_root, dir, "root");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid, cros_home_shadow_uid_user, dir, "user");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "Downloads");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_user, cros_downloads_file, dir, "MyFiles");
# Per-daemon directories under root/; one entry per daemon listed in the
# cros_daemon_store_create calls above.
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_authpolicyd, dir, "authpolicyd");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_cdm-oemcrypto, dir, "cdm-oemcrypto");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_chaps, dir, "chaps");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crash, dir, "crash");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_crosvm, dir, "crosvm");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_debugd, dir, "debugd");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_kerberosd, dir, "kerberosd");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm, dir, "pvm");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_pvm-dispatcher, dir, "pvm-dispatcher");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbfs, dir, "smbfs");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_smbproviderd, dir, "smbproviderd");
filetrans_pattern(cros_cryptohomed, cros_home_shadow_uid_root, cros_home_shadow_uid_root_usb_bouncer, dir, "usb_bouncer");
# Ephemeral mount should have the same treatment as normal mount.
# Source set includes cros_init_scripts because the run directories may be
# created by init before cryptohomed starts.
filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run, cros_run_cryptohome, dir, "cryptohome");
filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_run_cryptohome, cros_ephemeral_mount, dir, "ephemeral_mount");
# Note that this transition is currently ineffective as the ephemeral mount is a new filesystem.
# Setting the new ephemeral mount to cros_home_shadow_uid is done by cryptohome at the moment.
filetrans_pattern({cros_init_scripts cros_cryptohomed}, cros_ephemeral_mount, cros_home_shadow_uid, dir);
# Dev builds only: auditallow logs (without granting) every domain that creates
# a directory in the per-user root/ and user/ trees. Use these audit records to
# find domains that should instead go through the filetrans rules above.
dev_only(
auditallow domain cros_home_shadow_uid_root:dir create;
auditallow domain cros_home_shadow_uid_user:dir create;
)