From 561aa01ccbd570a8b92916d9970367b689bd2dc6 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 17 Jan 2019 14:44:29 -0800
Subject: [PATCH] rs: add tests to ensure rs cannot abuse app data

Test: build
Change-Id: I2ea39c767264339e300fceeb23c506883d23a14c
---
 private/rs.te        | 9 +++++++++
 public/global_macros | 1 +
 2 files changed, 10 insertions(+)

diff --git a/private/rs.te b/private/rs.te
index 5aa2d540e..7fbea8cd7 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -28,3 +28,12 @@ allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
 allow rs untrusted_app_all:fd use;
+
+# rs can access app data, so ensure it can only be entered via an app domain and cannot have
+# CAP_DAC_OVERRIDE.
+neverallow rs rs:capability_class_set *;
+neverallow { domain -appdomain } rs:process { dyntransition transition };
+neverallow rs { domain -crash_dump }:process { dyntransition transition };
+neverallow rs app_data_file:file_class_set ~r_file_perms;
+# rs should never use network sockets
+neverallow rs *:network_socket_class_set *;
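Review bot: The comment at the top of the added block understates what the first rule enforces: `neverallow rs rs:capability_class_set *;` denies rs every capability in the set, not only CAP_DAC_OVERRIDE, and the assertion in the comment should match the rule so a later reader does not relax it to a per-capability neverallow. I would change the comment to `# rs can access app data, so ensure it can only be entered via an app domain and cannot hold any capability (in particular CAP_DAC_OVERRIDE).` The `~r_file_perms` rule on `app_data_file:file_class_set` applies the file-perm set to every class in file_class_set, including directories, so it also asserts that rs never gains non-read directory permissions on app data; a short comment on that line, `# read-only on app data for every file class (dirs included)`, would make that scope explicit. These are all neverallow assertions checked at policy build time, which is consistent with the `Test: build` trailer.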
diff --git a/public/global_macros b/public/global_macros
index 962bca95e..1a1d593b3 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -14,6 +14,7 @@ define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
+define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
 
 define(`ipc_class_set', `{ sem msgq shm ipc }')
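Review bot: The new `network_socket_class_set` omits `sctp_socket` even though the neighbouring `stream_socket_class_set` and `unpriv_socket_class_set` on the lines above both include it, and the `socket_class_set` definition in the hunk header shows `netlink_` socket classes that are also left out; if the omission is deliberate (the rs neverallow is meant to cover only IP-carrying sockets), the macro should say so, since callers of `*:network_socket_class_set *` will read it as "all network sockets". I would either add `sctp_socket` to the set or precede the define with `# IP-carrying socket classes only; netlink and unix sockets are intentionally excluded`. The macro is consumed by the `neverallow rs *:network_socket_class_set *;` rule added to private/rs.te in this same patch, so the two should be reviewed together.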
 
-- 
GitLab