From 88cef4dfef58c442d166f694cb35d8b93c259bba Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 19 Sep 2016 13:40:25 -0700
Subject: [PATCH] Audit access to libart

Grant access to all processes and audit access. The end goal is to
whitelist all access to the interpreter. Several processes including
dex2oat, apps, and zygote were observed using libart, so omit them
from auditing and explicitly grant them access.

Test: Angler builds and boots

Bug: 29795519
Change-Id: I9b93c7dbef5c49b95a18fd26307955d05a1c8e88
---
 app.te        |  3 +++
 dex2oat.te    |  3 +++
 domain.te     | 13 ++++++++++++-
 file.te       |  2 ++
 file_contexts |  3 ++-
 recovery.te   |  2 +-
 zygote.te     |  1 +
 7 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index 1afa4b5c0..2ac243a61 100644
--- a/app.te
+++ b/app.te
@@ -10,6 +10,9 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
+# allow access to the interpreter
+allow appdomain libart_file:file { execute read open getattr };
+
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.
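Review bot: The new `allow appdomain libart_file:file { execute read open getattr }` rule is, as of this patch, fully covered by the domain-wide grant added in domain.te, and its comment does not say that it is meant to outlive that grant, so a later cleanup could drop it as redundant. The identical rules added in dex2oat.te and zygote.te have the same gap. I would reword the comment to `# allow access to the interpreter; kept explicit so access survives removal of the domain-wide libart grant (b/29795519)` in all three places.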
diff --git a/dex2oat.te b/dex2oat.te
index 8c80a32a8..47aa2fba6 100644
--- a/dex2oat.te
+++ b/dex2oat.te
@@ -6,6 +6,9 @@ r_dir_file(dex2oat, apk_data_file)
 
 allow dex2oat tmpfs:file { read getattr };
 
+# allow access to the interpreter
+allow dex2oat libart_file:file { execute read open getattr };
+
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
diff --git a/domain.te b/domain.te
index 98d08986d..fcd33afea 100644
--- a/domain.te
+++ b/domain.te
@@ -101,6 +101,17 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
 
+# Initially grant all domains access to libart.
+# TODO move to a whitelist. b/29795519
+allow domain libart_file:file { execute read open getattr };
+auditallow {
+  domain
+  -appdomain
+  -dex2oat
+  -recovery
+  -zygote
+} libart_file:file { execute read open getattr };
+
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
@@ -294,7 +305,7 @@ neverallow {
     userdebug_or_eng(`-su')
     -system_server
     -zygote
-} { file_type -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
     domain
     -appdomain # for oemfs
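Review bot: The `-libart_file` carve-out added to the execute neverallow has no comment, so a reader cannot tell why a non-exec_type label is exempt; presumably it is needed because the libart files were previously labeled system_file (already exempt) and the new label would otherwise trip the neverallow. The neverallow block begins before this hunk. I would add `# libart_file is split out of system_file; execute is granted per domain, see b/29795519` on the line above the rule.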
diff --git a/file.te b/file.te
index f80e46f9d..7c6c5a84f 100644
--- a/file.te
+++ b/file.te
@@ -68,6 +68,8 @@ type app_fusefs, fs_type, contextmount_type;
 type unlabeled, file_type;
 # Default type for anything under /system.
 type system_file, file_type;
+# Type for /system/*/libart*
+type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
diff --git a/file_contexts b/file_contexts
index eeda6c73e..33b628a47 100644
--- a/file_contexts
+++ b/file_contexts
@@ -216,7 +216,8 @@
 /system/bin/update_engine        u:object_r:update_engine_exec:s0
 /system/bin/bspatch              u:object_r:update_engine_exec:s0
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
-
+/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
+/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 
 #############################
 # Vendor files
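Review bot: The entry `/system/fake-lib(64)?/libart.*` matches `/system/fake-lib/` and `/system/fake-lib64/`, but my recollection is that the AOSP directories are named `fake-libs` and `fake-libs64`; if so this line never matches, and nothing at build time flags it. Files it misses keep the default system_file label, so they fall outside both the auditallow and the eventual whitelist without any denial or audit record to reveal the gap. Please confirm the directory name against a built image (e.g. `ls -Z /system/fake-libs*/libart*`) and adjust the pattern to `/system/fake-libs(64)?/libart.*` if that is the actual path.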
diff --git a/recovery.te b/recovery.te
index 209a276ea..eeb8bf9c9 100644
--- a/recovery.te
+++ b/recovery.te
@@ -28,7 +28,7 @@ recovery_only(`
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the
diff --git a/zygote.te b/zygote.te
index 9ce5a4e9d..9f210ed3a 100644
--- a/zygote.te
+++ b/zygote.te
@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 # For art.
 allow zygote dalvikcache_data_file:file execute;
+allow zygote libart_file:file { execute read open getattr };
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO:  Should either of these be transitioned to the same domain
 # used by installd or stay in-domain for zygote?
-- 
GitLab