Allow /postinstall files to have custom contexts

allight · Treehugger Robot · commit 331e3bd90c35 · 2021-03-30T18:01:33.000Z
We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.

The sample_images were updated to manually add a selinux label for
testing FS contexts.

Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967
Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
Merged-In: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
diff --git a/aosp/hardware_android.cc b/aosp/hardware_android.cc
@@ -346,4 +346,30 @@ ErrorCode HardwareAndroid::IsPartitionUpdateValid(
   return error_code;
 }
 
+// Mount options for non-system partitions. This option causes selinux treat
+// every file in the mounted filesystem as having the 'postinstall_file'
+// context, regardless of what the filesystem itself records. See "SELinux
+// User's and Administrator's Guide" for more information on this option.
+constexpr const char* kDefaultPostinstallMountOptions =
+    "context=u:object_r:postinstall_file:s0";
+
+// Mount options for system partitions. This option causes selinux to use the
+// 'postinstall_file' context as a fallback if there are no other selinux
+// contexts associated with the file in the mounted partition. See "SELinux
+// User's and Administrator's Guide" for more information on this option.
+constexpr const char* kSystemPostinstallMountOptions =
+    "defcontext=u:object_r:postinstall_file:s0";
+
+// Name of the system-partition
+constexpr std::string_view kSystemPartitionName = "system";
+
+const char* HardwareAndroid::GetPartitionMountOptions(
+    const std::string& partition_name) const {
+  if (partition_name == kSystemPartitionName) {
+    return kSystemPostinstallMountOptions;
+  } else {
+    return kDefaultPostinstallMountOptions;
+  }
+}
+
 }  // namespace chromeos_update_engine
diff --git a/aosp/hardware_android.h b/aosp/hardware_android.h
@@ -64,6 +64,8 @@ class HardwareAndroid : public HardwareInterface {
   [[nodiscard]] ErrorCode IsPartitionUpdateValid(
       const std::string& partition_name,
       const std::string& new_version) const override;
+  [[nodiscard]] const char* GetPartitionMountOptions(
+      const std::string& partition_name) const override;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(HardwareAndroid);
diff --git a/aosp/platform_constants_android.cc b/aosp/platform_constants_android.cc
@@ -31,8 +31,6 @@ const char kCACertificatesPath[] = "/system/etc/security/cacerts_google";
 // No deadline file API support on Android.
 const char kOmahaResponseDeadlineFile[] = "";
 const char kNonVolatileDirectory[] = "/data/misc/update_engine";
-const char kPostinstallMountOptions[] =
-    "context=u:object_r:postinstall_file:s0";
 
 }  // namespace constants
 }  // namespace chromeos_update_engine
diff --git a/common/fake_hardware.h b/common/fake_hardware.h
@@ -216,6 +216,17 @@ class FakeHardware : public HardwareInterface {
     return utils::IsTimestampNewer(old_version, new_version);
   }
 
+  const char* GetPartitionMountOptions(
+      const std::string& partition_name) const override {
+#ifdef __ANDROID__
+    // TODO(b/181182967): This matches the declaration in hardware_android.cc
+    // but ideally shouldn't be duplicated.
+    return "defcontext=u:object_r:postinstall_file:s0";
+#else
+    return "";
+#endif
+  }
+
  private:
   bool is_official_build_{true};
   bool is_normal_boot_mode_{true};
diff --git a/common/hardware_interface.h b/common/hardware_interface.h
@@ -160,6 +160,9 @@ class HardwareInterface {
   virtual ErrorCode IsPartitionUpdateValid(
       const std::string& partition_name,
       const std::string& new_version) const = 0;
+
+  virtual const char* GetPartitionMountOptions(
+      const std::string& partition_name) const = 0;
 };
 
 }  // namespace chromeos_update_engine
diff --git a/common/platform_constants.h b/common/platform_constants.h
@@ -54,10 +54,6 @@ extern const char kOmahaResponseDeadlineFile[];
 // The stateful directory used by update_engine.
 extern const char kNonVolatileDirectory[];
 
-// Options passed to the filesystem when mounting the new partition during
-// postinstall.
-extern const char kPostinstallMountOptions[];
-
 #ifdef __ANDROID_RECOVERY__
 constexpr bool kIsRecovery = true;
 #else
diff --git a/cros/hardware_chromeos.cc b/cros/hardware_chromeos.cc
@@ -363,4 +363,9 @@ ErrorCode HardwareChromeOS::IsPartitionUpdateValid(
   return ErrorCode::kSuccess;
 }
 
+const char* HardwareChromeOS::GetPartitionMountOptions(
+    const std::string& partition_name) const {
+  return "";
+}
+
 }  // namespace chromeos_update_engine
diff --git a/cros/hardware_chromeos.h b/cros/hardware_chromeos.h
@@ -68,6 +68,8 @@ class HardwareChromeOS final : public HardwareInterface {
   ErrorCode IsPartitionUpdateValid(
       const std::string& partition_name,
       const std::string& new_version) const override;
+  const char* GetPartitionMountOptions(
+      const std::string& partition_name) const override;
 
  private:
   friend class HardwareChromeOSTest;
diff --git a/cros/platform_constants_chromeos.cc b/cros/platform_constants_chromeos.cc
@@ -32,7 +32,6 @@ const char kCACertificatesPath[] = "/usr/share/chromeos-ca-certificates";
 const char kOmahaResponseDeadlineFile[] = "/tmp/update-check-response-deadline";
 // This directory is wiped during powerwash.
 const char kNonVolatileDirectory[] = "/var/lib/update_engine";
-const char kPostinstallMountOptions[] = "";
 
 }  // namespace constants
 }  // namespace chromeos_update_engine
diff --git a/payload_consumer/postinstall_runner_action.cc b/payload_consumer/postinstall_runner_action.cc
@@ -191,11 +191,12 @@ void PostinstallRunnerAction::PerformPartitionPostinstall() {
   }
 #endif  // __ANDROID__
 
-  if (!utils::MountFilesystem(mountable_device,
-                              fs_mount_dir_,
-                              MS_RDONLY,
-                              partition.filesystem_type,
-                              constants::kPostinstallMountOptions)) {
+  if (!utils::MountFilesystem(
+          mountable_device,
+          fs_mount_dir_,
+          MS_RDONLY,
+          partition.filesystem_type,
+          hardware_->GetPartitionMountOptions(partition.name))) {
     return CompletePartitionPostinstall(
         1, "Error mounting the device " + mountable_device);
   }
diff --git a/payload_consumer/postinstall_runner_action_unittest.cc b/payload_consumer/postinstall_runner_action_unittest.cc
@@ -403,14 +403,23 @@ TEST_F(PostinstallRunnerActionTest, RunAsRootAbsolutePathNotAllowedTest) {
 }
 
 #ifdef __ANDROID__
-// Check that the postinstall file is relabeled to the postinstall label.
+// Check that the postinstall file is labeled to the postinstall_exec label.
 // SElinux labels are only set on Android.
 TEST_F(PostinstallRunnerActionTest, RunAsRootCheckFileContextsTest) {
   ScopedLoopbackDeviceBinder loop(postinstall_image_, false, nullptr);
   RunPostinstallAction(
       loop.dev(), "bin/self_check_context", false, false, false);
   EXPECT_EQ(ErrorCode::kSuccess, processor_delegate_.code_);
 }
+
+// Check that the postinstall file is relabeled to the default postinstall
+// label. SElinux labels are only set on Android.
+TEST_F(PostinstallRunnerActionTest, RunAsRootCheckDefaultFileContextsTest) {
+  ScopedLoopbackDeviceBinder loop(postinstall_image_, false, nullptr);
+  RunPostinstallAction(
+      loop.dev(), "bin/self_check_default_context", false, false, false);
+  EXPECT_EQ(ErrorCode::kSuccess, processor_delegate_.code_);
+}
 #endif  // __ANDROID__
 
 // Check that you can suspend/resume postinstall actions.
diff --git a/sample_images/generate_images.sh b/sample_images/generate_images.sh
@@ -184,16 +184,29 @@ echo global_progress 0.25 >&3
 echo global_progress 0.5 >&3
 echo global_progress 1.0 >&3
 exit 0
+EOF
+
+  # An unlabeled postinstall bash program.
+  sudo tee "${mntdir}"/bin/self_check_default_context >/dev/null <<EOF
+#!/etc/../bin/sh
+echo "This is my context:"
+ls -lZ "\$0"
+ls -lZ "\$0" | grep -F ' u:object_r:postinstall_file:s0 ' || exit 5
+exit 0
 EOF
 
   # A postinstall bash program.
   sudo tee "${mntdir}"/bin/self_check_context >/dev/null <<EOF
 #!/etc/../bin/sh
 echo "This is my context:"
-ls -lZ "\$0" | grep -F ' u:object_r:postinstall_file:s0 ' || exit 5
+ls -lZ "\$0"
+ls -lZ "\$0" | grep -F ' u:object_r:postinstall_exec:s0 ' || exit 5
 exit 0
 EOF
 
+  # Give the test function the context we expect the postinstall-executable to have.
+  sudo setfattr -n security.selinux -v u:object_r:postinstall_exec:s0 "${mntdir}"/bin/self_check_context
+
   sudo tee "${mntdir}"/postinst >/dev/null <<EOF
 #!/etc/../bin/sh
 echo "postinst"
diff --git a/sample_images/sample_images.tar.bz2 b/sample_images/sample_images.tar.bz2
diff --git a/sample_images/sample_payloads.tar.xz b/sample_images/sample_payloads.tar.xz

Original file line number	Diff line number	Diff line change
`@@ -363,4 +363,9 @@ ErrorCode HardwareChromeOS::IsPartitionUpdateValid(`
`363`	`363`	`return ErrorCode::kSuccess;`
`364`	`364`	`}`
`365`	`365`
	`366`	`+const char* HardwareChromeOS::GetPartitionMountOptions(`
	`367`	`+ const std::string& partition_name) const {`
	`368`	`+ return "";`
	`369`	`+}`
	`370`	`+`
`366`	`371`	`} // namespace chromeos_update_engine`