Creates a new permission for /cache/recovery

This permission was created mostly for dumpstate (so it can include
recovery files on bugreports when an OTA fails), but it was applied to
uncrypt and recovery as well (since it had a wider access before).

Grant access to cache_recovery_file where we previously granted access
to cache_file. Add auditallow rules to determine if this is really
needed.

BUG: 25351711
Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18

app.te

@@ -390,6 +390,7 @@ neverallow { appdomain -system_app -radio -shell -bluetooth -nfc }
 neverallow appdomain {
   apk_data_file
   cache_file
+  cache_recovery_file
   dev_type
   rootfs
   system_file

domain.te

@@ -258,7 +258,7 @@ neverallow {
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file }:file execute;
+neverallow domain { cache_file cache_backup_file cache_recovery_file }:file execute;
 
 # Protect most domains from executing arbitrary content from /data.
 neverallow {

domain_deprecated.te

@@ -49,9 +49,14 @@ allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:dir r_dir_perms;
+allow domain_deprecated { cache_file cache_recovery_file }:file { getattr read };
+allow domain_deprecated { cache_file cache_recovery_file }:lnk_file r_file_perms;
+
+# Likely not needed. auditallow to be sure
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:dir r_dir_perms;
+auditallow { domain_deprecated -init -system_server -dumpstate -install_recovery -platform_app -priv_app -uncrypt } cache_recovery_file:file { getattr read };
+auditallow domain_deprecated cache_recovery_file:lnk_file r_file_perms;
 
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };

dumpstate.te

@@ -109,6 +109,10 @@ allow dumpstate net_data_file:file r_file_perms;
 allow dumpstate tombstone_data_file:dir r_dir_perms;
 allow dumpstate tombstone_data_file:file r_file_perms;
 
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
 allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 

file.te

@@ -145,6 +145,8 @@ type cache_file, file_type, mlstrustedobject;
 # Type for /cache/.*\.{data|restore} and default
 # type for anything under /cache/backup
 type cache_backup_file, file_type, mlstrustedobject;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, mlstrustedobject;
 # Default type for anything under /efs
 type efs_file, file_type;
 # Type for wallpaper file.

file_contexts

@@ -317,6 +317,7 @@
 /cache/.*\.restore	u:object_r:cache_backup_file:s0
 # LocalTransport (backup) uses this directory
 /cache/backup(/.*)?	u:object_r:cache_backup_file:s0
+/cache/recovery(/.*)?	u:object_r:cache_recovery_file:s0
 #############################
 # sysfs files
 #

install_recovery.te

@@ -21,8 +21,11 @@ allow install_recovery boot_block_device:blk_file r_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-allow install_recovery cache_file:dir rw_dir_perms;
-allow install_recovery cache_file:file create_file_perms;
+allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
+allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
+auditallow install_recovery cache_recovery_file:file create_file_perms;
 
 # Write to /proc/sys/vm/drop_caches
 allow install_recovery proc_drop_caches:file w_file_perms;

platform_app.te

@@ -25,8 +25,12 @@ allow platform_app media_rw_data_file:dir create_dir_perms;
 allow platform_app media_rw_data_file:file create_file_perms;
 
 # Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
+allow platform_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow platform_app { cache_file cache_recovery_file }:file create_file_perms;
+
+# Likely not needed
+auditallow platform_app cache_recovery_file:dir create_dir_perms;
+auditallow platform_app cache_recovery_file:file create_file_perms;
 
 # Direct access to vold-mounted storage under /mnt/media_rw
 # This is a performance optimization that allows platform apps to bypass the FUSE layer

priv_app.te

@@ -33,8 +33,11 @@ allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app mnt_media_rw_file:dir search;
 
 # Write to /cache.
-allow priv_app cache_file:dir create_dir_perms;
-allow priv_app cache_file:file create_file_perms;
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+
+auditallow priv_app cache_recovery_file:dir create_dir_perms;
+auditallow priv_app cache_recovery_file:file create_file_perms;
 
 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;

recovery.te

@@ -73,9 +73,9 @@ recovery_only(`
   allow recovery tmpfs:file { create_file_perms x_file_perms };
   allow recovery tmpfs:dir create_dir_perms;
 
-  # Manage files on /cache
-  allow recovery cache_file:dir create_dir_perms;
-  allow recovery cache_file:file create_file_perms;
+  # Manage files on /cache and /cache/recovery
+  allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+  allow recovery { cache_file cache_recovery_file }:file create_file_perms;
 
   # Read files on /oem.
   r_dir_file(recovery, oemfs);

system_server.te

@@ -308,9 +308,9 @@ type_transition system_server system_data_file:sock_file system_ndebug_socket "n
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
 # Manage cache files.
-allow system_server cache_file:dir { relabelfrom create_dir_perms };
-allow system_server cache_file:file { relabelfrom create_file_perms };
-allow system_server cache_file:fifo_file create_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;

uncrypt.te

@@ -17,9 +17,9 @@ userdebug_or_eng(`
 # Read /cache/recovery/command
 # Read /cache/recovery/uncrypt_file
 # Write to pipe file /cache/recovery/uncrypt_status
-allow uncrypt cache_file:dir rw_dir_perms;
-allow uncrypt cache_file:file create_file_perms;
-allow uncrypt cache_file:fifo_file w_file_perms;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+allow uncrypt cache_recovery_file:fifo_file w_file_perms;
 
 # Set a property to reboot the device.
 set_prop(uncrypt, powerctl_prop)

untrusted_app.te

@@ -147,5 +147,5 @@ neverallow untrusted_app file_type:file link;
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow untrusted_app access to /cache
-neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
-neverallow untrusted_app cache_file:file ~{ read getattr };
+neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };