From 1b5f81a2d2fd0a09de75b416c3e995c4b9728192 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Tue, 4 Apr 2017 09:30:41 -0700
Subject: [PATCH] sepolicy: restrict /vendor/app from most coredomains

The change makes 'vendor_app_file' accessible only to a few platform
domains, such as dex2oat, idmap, installd, system_server and appdomain.

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video

Change-Id: Ib8757fedbf2e19c8381c8cd0f8f2693b2345534b
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/app.te     |  4 ++++
 public/dex2oat.te  |  2 ++
 public/domain.te   | 31 ++++++++++++++++++++++++++-----
 public/idmap.te    |  3 +++
 public/installd.te |  2 ++
 5 files changed, 37 insertions(+), 5 deletions(-)

diff --git a/private/app.te b/private/app.te
index 81de403aa..a086b8664 100644
--- a/private/app.te
+++ b/private/app.te
@@ -94,6 +94,10 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
 
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
 
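Review bot: The comment above the new r_dir_file rule does not match the rule: it says privileged apps are excluded, but the domains actually subtracted are ephemeral_app and untrusted_v2_app, and priv_app remains inside appdomain and so receives the access. Either the comment or the exclusion set is wrong; if the rule is the intended one, reword it to `# Allow apps to read /vendor/app; ephemeral and untrusted_v2 apps` / `# are excluded, matching the toolbox_exec rule above.` Note also that the neverallow added in public/domain.te subtracts all of appdomain, so nothing in this patch prevents ephemeral_app or untrusted_v2_app from being granted vendor_app_file later; if those domains genuinely must not read /vendor/app, a neverallow naming them would pin that down.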
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 1d794e221..bbd3c72f9 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -3,6 +3,8 @@ type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
 r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
 
 allow dex2oat tmpfs:file { read getattr };
 
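Review bot: The added comment `# Access to /vendor/app` restates the rule rather than its purpose, whereas the sibling apk_data_file rule above it is self-explanatory only because of its type name. Presumably dex2oat needs to read vendor APKs to compile them; if so, say that: `# Read APKs in /vendor/app so dex2oat can compile them.`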
diff --git a/public/domain.te b/public/domain.te
index 4fc3bc03c..92ebde01d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -131,11 +131,6 @@ full_treble_only(`
     # through linker/loader.
     allow domain vendor_file:dir { getattr search };
 
-    # TODO: b/36681210, find out who needs access and only allow
-    # specific domains for Treble
-    allow domain vendor_app_file:dir r_dir_perms;
-    allow domain vendor_app_file:file { read open getattr };
-
     # Some apps (com.android.phone) need to be able to open
     # symlinked libraries
     # TODO: b/36806861
@@ -689,6 +684,31 @@ full_treble_only(`
   }:sock_file ~{ append getattr ioctl read write };
 ')
 
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+    # Limit access to /vendor/app except for whitelisted domains
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -system_server
+    } vendor_app_file:dir { open read getattr search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -dex2oat
+        -idmap
+        -init
+        -installd
+        -system_server
+    } vendor_app_file:{ file lnk_file } r_file_perms;
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain
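Review bot: The dir neverallow lists an explicit subset `{ open read getattr search }` while the rule it replaces (removed in the earlier hunk) granted the full `r_dir_perms` set, so a later allow of the remaining members of r_dir_perms, such as ioctl or lock, on vendor_app_file:dir would not trip this check; the file rule already uses the macro form, so the dir rule should too: `} vendor_app_file:dir r_dir_perms;`. The seven-entry exemption list is also written out twice, which invites the two rules drifting apart when a domain is added to one and not the other; if the surrounding policy permits it, define the exempt set once (an m4 define or an attribute) and reference it from both neverallows. The later hunk at `@@ -908,6 +928,7 @@` adds only a blank line and looks unintended.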
@@ -908,6 +928,7 @@ neverallow {
   userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 
+
 # servicemanager is the only process which handles list request
 neverallow * ~servicemanager:service_manager list;
 
diff --git a/public/idmap.te b/public/idmap.te
index 61f1e1cc1..437e0cc6d 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -9,3 +9,6 @@ allow idmap resourcecache_data_file:file { getattr read write };
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
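Review bot: The added comment `# Allow apps access to /vendor/app` describes appdomain, not idmap, and reads as a copy-paste from private/app.te. The line above it already documents the parallel apk_data_file access, so match that wording: `# Open and read target and overlay apk files located in /vendor/app.`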
diff --git a/public/installd.te b/public/installd.te
index a85edff9f..774ba49e1 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,8 @@ selinux_check_context(installd)
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
 # Get seapp_context
-- 
GitLab