From 7256f369e93daf189fb1792c8277c647a08f6ea4 Mon Sep 17 00:00:00 2001
From: "Torne (Richard Coles)" <torne@google.com>
Date: Mon, 5 Dec 2016 17:32:56 +0000
Subject: [PATCH] Allow webview_zygote to read/execute installed APKs.

webview_zygote needs to preload the WebView implementation, which may be an installed APK, so must be able to read and execute code from inside the APK. Also add additional neverallow assertions to strengthen some restrictions on this domain.

Test: WebView apps work after installing a WebView APK.
Bug: 21643067
Change-Id: I58aedc5e0a25259e2e20c70d4260579a354b6789
---
 public/webview_zygote.te | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/public/webview_zygote.te b/public/webview_zygote.te
index 0bed08301..71f3f9a3c 100644
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -8,6 +8,11 @@ type webview_zygote_exec, exec_type, file_type;
 # Access to system files for SELinux contexts.
 allow webview_zygote rootfs:file r_file_perms;
 
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
 # Access to the WebView relro file.
 allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;
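Review bot: The comment on the new apk_data_file rules understates their scope: apk_data_file labels every installed APK, not only the WebView provider's package, so webview_zygote gains read access to all installed application code, and "installed binaries" does not say that. Since there is no narrower type for the WebView APK, I would document the breadth and the meaning of `execute` on file (mmap with PROT_EXEC, not exec()) so it is not mistaken for an exec() grant. Suggested replacement for the two comment lines: `# Allow reading and mapping code (mmap PROT_EXEC) from installed APKs so the installed WebView implementation can be preloaded. apk_data_file covers every installed APK, not just the WebView one; file execute here is not exec(), which the neverallow rules further down forbid.`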
@@ -48,6 +53,17 @@ selinux_check_access(webview_zygote)
 # Only permit transition to isolated_app.
 neverallow webview_zygote { domain -isolated_app }:process dyntransition;
 
+# Only setcon() transitions, no exec() based transitions
+neverallow webview_zygote *:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for init to exec() us.
+neverallow { domain -init } webview_zygote:process transition;
+neverallow * webview_zygote:process dyntransition;
+
 # Disallow write access to properties.
 neverallow webview_zygote property_socket:sock_file write;
 neverallow webview_zygote property_type:property_service set;
-- 
GitLab
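Review bot: The comment pair above the execute_no_trans neverallow reads as if it contradicts itself ("Must not exec() a program without changing domains" followed by "exec() above is not allowed"), which makes the intended invariant hard to verify at a glance. The two rules together mean webview_zygote cannot exec() anything at all, with or without a transition, while the file execute permission granted on apk_data_file earlier in this change still covers mmap PROT_EXEC; stating that explicitly avoids a later reader assuming one rule is redundant. Suggested wording: `# No exec() without a domain transition. Combined with the rule above, which forbids every exec() transition, webview_zygote can never exec(); file execute on apk_data_file only permits mapping code (mmap PROT_EXEC).`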