Commit 00252207 authored by Nick Kralevich's avatar Nick Kralevich

isolated_app: add mmaps

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory-mapped access (since it has different implications
for revocation). system/sepolicy commit
4397f082 introduced the permission to
Android and updated common macros. Since then, we've been adding more
mmap support where it was accidentally omitted.

Add the ability for isolated_apps to mmap() app data files. There's no
reason why this should be blocked. Also fix up sdcard access, which has
similar problems.

Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.
Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
parent caf42d61
...@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain; ...@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
app_domain(isolated_app) app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC. # Access already open app data files received over Binder or local socket IPC.
allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock }; allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
allow isolated_app activity_service:service_manager find; allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find; allow isolated_app display_service:service_manager find;
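Review bot: the comment above the changed allow rule ("Access already open app data files received over Binder or local socket IPC") still describes only read/write-style access, while this hunk adds `map` to the permission set; update the comment to say that file descriptors received this way may now also be mmap()ed, so a later reader can tie the extra permission to the kernel map check described in the commit message rather than wondering whether it was added by accident.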
...@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace; ...@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
# neverallow rules below. # neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem. # is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock }; allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote # For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the # in addition to the zygote. Allow access to resources inherited from the
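Review bot: the permission set `{ read write append getattr lock map }` on this allow rule has to stay identical to the complement used in the `neverallow isolated_app sdcard_type:file ~{ ... }` rule further down the file, and the two are now hand-maintained in two places; consider factoring the set into one definition so a future addition cannot update the allow without the neverallow (the compile step would catch a conflict, but only after the fact). Also note that `media_rw_data_file` gains `map` here with no matching neverallow, which follows the existing rule's treatment of the other permissions but is worth stating explicitly in the commit message.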
...@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr }; ...@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr; neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *; neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *; neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
neverallow isolated_app sdcard_type:file ~{ read write append getattr lock }; neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
# Do not allow USB access # Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *; neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
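Review bot: this neverallow update is what keeps the widened sdcard_type allow rule above from failing the policy build, and the commit message's `Test: policy compiles.` is the only evidence given; since the compile step only proves the allow and neverallow sets do not conflict, add a test line stating that the avc denial from the referenced crbug no longer appears when an isolated_app mmap()s an sdcard file, so the functional effect of the change is recorded too.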
......