Merge "Audit access to libart" am: 6552138b am: 77346b45

am: 3e5a6bd2 Change-Id: I7503b3005abb57363ecfe2496fd6cb62523622a9

Merge "Audit access to libart" am: 6552138b am: 77346b45
am: 3e5a6bd2 Change-Id: I7503b3005abb57363ecfe2496fd6cb62523622a9
87036a35 · Jeff Vander Stoep · android-build-merger · 24940b8f · 3e5a6bd2 · 87036a35
Commit 87036a35 authored 8 years ago by Jeff Vander Stoep Committed by android-build-merger 8 years ago
--- a/app.te
+++ b/app.te
@@ -10,6 +10,9 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;

+# allow access to the interpreter
+allow appdomain libart_file:file { execute read open getattr };
+
 allow appdomain ashmem_device:chr_file execute;

 # Receive and use open file descriptors inherited from zygote.

--- a/dex2oat.te
+++ b/dex2oat.te
@@ -6,6 +6,9 @@ r_dir_file(dex2oat, apk_data_file)

 allow dex2oat tmpfs:file { read getattr };

+# allow access to the interpreter
+allow dex2oat libart_file:file { execute read open getattr };
+
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where

--- a/domain.te
+++ b/domain.te
@@ -101,6 +101,17 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;

+# Initially grant all domains access to libart.
+# TODO move to a whitelist. b/29795519
+allow domain libart_file:file { execute read open getattr };
+auditallow {
+  domain
+  -appdomain
+  -dex2oat
+  -recovery
+  -zygote
+} libart_file:file { execute read open getattr };
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;

@@ -294,7 +305,7 @@ neverallow {
    userdebug_or_eng(`-su')
    -system_server
    -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
    domain
    -appdomain # for oemfs

--- a/file.te
+++ b/file.te
@@ -68,6 +68,8 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 # Default type for anything under /system.
 type system_file, file_type;
+# Type for /system/*/libart*
+type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds

--- a/file_contexts
+++ b/file_contexts
@@ -216,7 +216,8 @@
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
-
+/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
+/system/lib(64)?/libart.*        u:object_r:libart_file:s0

 #############################
 # Vendor files

--- a/recovery.te
+++ b/recovery.te
@@ -28,7 +28,7 @@ recovery_only(`

  # Create and relabel files and directories under /system.
  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };

  # We may be asked to set an SELinux label for a type not known to the

--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
+allow zygote libart_file:file { execute read open getattr };
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?