From 535c5d2be06fe9c52bf14225883dbe68055c6df3 Mon Sep 17 00:00:00 2001
From: David Brazdil <dbrazdil@google.com>
Date: Mon, 19 Nov 2018 23:02:49 +0000
Subject: [PATCH] Remove 'dex2oat_exec' from untrusted_app

Remove the permission to execute dex2oat from apps targetSdkVersion>28.
This has been historically used by ART to compile secondary dex files
but that functionality has been removed in Q and the permission is
therefore not needed.

Some legacy apps do invoke dex2oat directly. Hence allow (with audit) for
targetSdkVersion<= 28.

Test: atest CtsSelinuxTargetSdk25TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Bug: 117606664
Change-Id: I2ea9cd56861fcf280cab388a251aa53e618160e5
---
 private/app_neverallows.te  | 9 +++++++++
 private/untrusted_app_25.te | 6 ++++++
 private/untrusted_app_27.te | 6 ++++++
 public/app.te               | 3 ---
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 30acf8729..793614734 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -51,6 +51,15 @@ neverallow {
   -runas_app
 } { app_data_file privapp_data_file }:file execute_no_trans;
 
+# Do not allow untrusted apps to invoke dex2oat. This was historically required
+# by ART for compiling secondary dex files but has been removed in Q.
+# Exempt legacy apps (targetApi<=28) for compatibility.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} dex2oat_exec:file no_x_file_perms;
+
 # Do not allow untrusted apps to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index d264aaf16..2db9c4b1a 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -49,3 +49,9 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 # for targetApi<=25. This is also allowed for targetAPIs 26, 27,
 # and 28 in untrusted_app_27.te.
 allow untrusted_app_25 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;
+
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7b9060d63..c828f6486 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -30,3 +30,9 @@ bluetooth_domain(untrusted_app_27)
 # The ability to call exec() on files in the apps home directories
 # for targetApi 26, 27, and 28.
 allow untrusted_app_27 app_data_file:file execute_no_trans;
+
+# The ability to invoke dex2oat. Historically required by ART, now only
+# allowed for targetApi<=28 for compat reasons.
+allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;
+
diff --git a/public/app.te b/public/app.te
index 8b62967af..40dee5dcd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -119,9 +119,6 @@ r_dir_file(appdomain, vendor_framework_file)
 allow appdomain vendor_public_lib_file:dir r_dir_perms;
 allow appdomain vendor_public_lib_file:file { execute read open getattr map };
 
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };
 
-- 
GitLab