sepolicy/policy/chromeos/cros_chromeos_install.te - mirrors/cros/chromiumos/platform2 - Git at Google

 type cros_chromeos_install, domain, chromeos_domain;

 domain_auto_trans_nnp(cros_os_install_service, cros_chromeos_install_exec, cros_chromeos_install);

 # chromeos-install is currently a shell script (b/176492189) so it
 # needs to run lots of other programs.
 allow cros_chromeos_install sh_exec:file rx_file_perms;
 allow cros_chromeos_install cros_blockdev_exec:file rx_file_perms;
 allow cros_chromeos_install cros_cgpt_exec:file rx_file_perms;
 allow cros_chromeos_install cros_coreutils_exec:file rx_file_perms;
 allow cros_chromeos_install cros_crossystem_exec:file rx_file_perms;
 allow cros_chromeos_install cros_getopt_exec:file rx_file_perms;
 allow cros_chromeos_install cros_grep_exec:file rx_file_perms;
 allow cros_chromeos_install cros_initctl_exec:file rx_file_perms;
 allow cros_chromeos_install cros_losetup_exec:file rx_file_perms;
 allow cros_chromeos_install cros_mawk_exec:file rx_file_perms;
 allow cros_chromeos_install cros_mke2fs_exec:file rx_file_perms;
 allow cros_chromeos_install cros_mount_exec:file rx_file_perms;
 allow cros_chromeos_install cros_mountpoint_exec:file rx_file_perms;
 allow cros_chromeos_install cros_sed_exec:file rx_file_perms;
 allow cros_chromeos_install cros_system_file:file rx_file_perms;
 allow cros_chromeos_install cros_udevadm_exec:file rx_file_perms;
 allow cros_chromeos_install cros_umount_exec:file rx_file_perms;
 allow cros_chromeos_install cros_init:unix_stream_socket connectto;
 allow cros_chromeos_install cros_udevd:unix_stream_socket connectto;

 allow cros_chromeos_install cros_os_install_service:fd use;
 allow cros_chromeos_install cros_os_install_service:fifo_file rw_file_perms;

 allow cros_chromeos_install self:capability { chown fowner fsetid sys_admin };
 allow cros_chromeos_install self:process setfscreate;
 allow cros_chromeos_install kernel:process setsched;

 create_dir_file(cros_chromeos_install cros_var_db_pkg);
 create_dir_file(cros_chromeos_install cros_var_lib_portage);
 rw_dir_file(cros_chromeos_install cros_dev_image_files);
 rw_dir_file(cros_chromeos_install cros_stateful_partition_unencrypted);
 r_dir_file(cros_chromeos_install cros_init);
 r_dir_file(cros_chromeos_install sysfs);
 r_dir_file(cros_chromeos_install sysfs_dm);
 r_dir_file(cros_chromeos_install sysfs_fs_ext4_features);
 r_dir_file(cros_chromeos_install sysfs_loop);

 allow cros_chromeos_install cros_dev_image_files:dir create_dir_perms;
 allow cros_chromeos_install cros_dev_image_files:file create_file_perms;
 allow cros_chromeos_install cros_run:dir w_dir_perms;
 allow cros_chromeos_install cros_run_udev:dir { r_dir_perms watch };
 allow cros_chromeos_install cros_run_udev:sock_file write;
 allow cros_chromeos_install cros_stateful_partition:dir r_dir_perms;
 allow cros_chromeos_install cros_stateful_partition_unencrypted:file unlink;
 allow cros_chromeos_install cros_usr_dirs:dir create_dir_perms;
 allow cros_chromeos_install device:{blk_file lnk_file} rw_file_perms;
 allow cros_chromeos_install labeledfs:filesystem unmount;
 allow cros_chromeos_install proc_cmdline:file r_file_perms;
 allow cros_chromeos_install tmpfs:dir mounton;
 allow cros_chromeos_install tmpfs:file create_file_perms;

 # Special handling for permissions that conflict with CTS neverallow
 # rules. This makes the policy permissive when used with the ARC
 # container, but not when used with ARCVM. The two branches should be
 # kept in sync.
 is_arc_vm(`
   allow cros_chromeos_install labeledfs:filesystem mount;
   allow cros_chromeos_install device:chr_file rw_file_perms;
   # TODO(b/187204745): properly label these files.
   create_dir_file(cros_chromeos_install unlabeled);
   allow cros_chromeos_install unlabeled:file link;
   allow cros_chromeos_install self:capability { dac_override setfcap };
   allow cros_chromeos_install cros_dev_image_exec:{file lnk_file} { create_file_perms link };
 ',`arc_cts_fails_release(`
   allow cros_chromeos_install labeledfs:filesystem mount;
   allow cros_chromeos_install device:chr_file rw_file_perms;
   # TODO(b/187204745): properly label these files.
   create_dir_file(cros_chromeos_install unlabeled);
   allow cros_chromeos_install unlabeled:file link;
   allow cros_chromeos_install self:capability { dac_override setfcap };
   allow cros_chromeos_install cros_dev_image_exec:{file lnk_file} { create_file_perms link };
   ', (`cros_chromeos_install'));
 ')
	type cros_chromeos_install, domain, chromeos_domain;

	domain_auto_trans_nnp(cros_os_install_service, cros_chromeos_install_exec, cros_chromeos_install);

	# chromeos-install is currently a shell script (b/176492189) so it
	# needs to run lots of other programs.
	allow cros_chromeos_install sh_exec:file rx_file_perms;
	allow cros_chromeos_install cros_blockdev_exec:file rx_file_perms;
	allow cros_chromeos_install cros_cgpt_exec:file rx_file_perms;
	allow cros_chromeos_install cros_coreutils_exec:file rx_file_perms;
	allow cros_chromeos_install cros_crossystem_exec:file rx_file_perms;
	allow cros_chromeos_install cros_getopt_exec:file rx_file_perms;
	allow cros_chromeos_install cros_grep_exec:file rx_file_perms;
	allow cros_chromeos_install cros_initctl_exec:file rx_file_perms;
	allow cros_chromeos_install cros_losetup_exec:file rx_file_perms;
	allow cros_chromeos_install cros_mawk_exec:file rx_file_perms;
	allow cros_chromeos_install cros_mke2fs_exec:file rx_file_perms;
	allow cros_chromeos_install cros_mount_exec:file rx_file_perms;
	allow cros_chromeos_install cros_mountpoint_exec:file rx_file_perms;
	allow cros_chromeos_install cros_sed_exec:file rx_file_perms;
	allow cros_chromeos_install cros_system_file:file rx_file_perms;
	allow cros_chromeos_install cros_udevadm_exec:file rx_file_perms;
	allow cros_chromeos_install cros_umount_exec:file rx_file_perms;
	allow cros_chromeos_install cros_init:unix_stream_socket connectto;
	allow cros_chromeos_install cros_udevd:unix_stream_socket connectto;

	allow cros_chromeos_install cros_os_install_service:fd use;
	allow cros_chromeos_install cros_os_install_service:fifo_file rw_file_perms;

	allow cros_chromeos_install self:capability { chown fowner fsetid sys_admin };
	allow cros_chromeos_install self:process setfscreate;
	allow cros_chromeos_install kernel:process setsched;

	create_dir_file(cros_chromeos_install cros_var_db_pkg);
	create_dir_file(cros_chromeos_install cros_var_lib_portage);
	rw_dir_file(cros_chromeos_install cros_dev_image_files);
	rw_dir_file(cros_chromeos_install cros_stateful_partition_unencrypted);
	r_dir_file(cros_chromeos_install cros_init);
	r_dir_file(cros_chromeos_install sysfs);
	r_dir_file(cros_chromeos_install sysfs_dm);
	r_dir_file(cros_chromeos_install sysfs_fs_ext4_features);
	r_dir_file(cros_chromeos_install sysfs_loop);

	allow cros_chromeos_install cros_dev_image_files:dir create_dir_perms;
	allow cros_chromeos_install cros_dev_image_files:file create_file_perms;
	allow cros_chromeos_install cros_run:dir w_dir_perms;
	allow cros_chromeos_install cros_run_udev:dir { r_dir_perms watch };
	allow cros_chromeos_install cros_run_udev:sock_file write;
	allow cros_chromeos_install cros_stateful_partition:dir r_dir_perms;
	allow cros_chromeos_install cros_stateful_partition_unencrypted:file unlink;
	allow cros_chromeos_install cros_usr_dirs:dir create_dir_perms;
	allow cros_chromeos_install device:{blk_file lnk_file} rw_file_perms;
	allow cros_chromeos_install labeledfs:filesystem unmount;
	allow cros_chromeos_install proc_cmdline:file r_file_perms;
	allow cros_chromeos_install tmpfs:dir mounton;
	allow cros_chromeos_install tmpfs:file create_file_perms;

	# Special handling for permissions that conflict with CTS neverallow
	# rules. This makes the policy permissive when used with the ARC
	# container, but not when used with ARCVM. The two branches should be
	# kept in sync.
	is_arc_vm(`
	allow cros_chromeos_install labeledfs:filesystem mount;
	allow cros_chromeos_install device:chr_file rw_file_perms;
	# TODO(b/187204745): properly label these files.
	create_dir_file(cros_chromeos_install unlabeled);
	allow cros_chromeos_install unlabeled:file link;
	allow cros_chromeos_install self:capability { dac_override setfcap };
	allow cros_chromeos_install cros_dev_image_exec:{file lnk_file} { create_file_perms link };
	',`arc_cts_fails_release(`
	allow cros_chromeos_install labeledfs:filesystem mount;
	allow cros_chromeos_install device:chr_file rw_file_perms;
	# TODO(b/187204745): properly label these files.
	create_dir_file(cros_chromeos_install unlabeled);
	allow cros_chromeos_install unlabeled:file link;
	allow cros_chromeos_install self:capability { dac_override setfcap };
	allow cros_chromeos_install cros_dev_image_exec:{file lnk_file} { create_file_perms link };
	', (`cros_chromeos_install'));
	')