From 8f81dcad5bb322a75bc61c8b42f8287e2afeaddc Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Mon, 9 Mar 2015 10:13:13 -0700
Subject: [PATCH] Only allow system_server to send commands to zygote.

Add neverallow rules to ensure that zygote commands are only taken from
system_server.

Also remove the zygote policy class which was removed as an object manager in
commit: ccb3424639821b5ef85264bc5836451590e8ade7

Bug: 19624279

Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
---
 access_vectors   | 8 --------
 domain.te        | 4 ++++
 system_server.te | 3 ---
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/access_vectors b/access_vectors
index 320a1c897..43b81e9f4 100644
--- a/access_vectors
+++ b/access_vectors
@@ -876,14 +876,6 @@ class binder
 	transfer
 }
 
-class zygote
-{
-	specifyids
-	specifyrlimits
-	specifyinvokewith
-	specifyseinfo
-}
-
 class property_service
 {
 	set
diff --git a/domain.te b/domain.te
index d835ee940..b2eaa7905 100644
--- a/domain.te
+++ b/domain.te
@@ -344,6 +344,10 @@ neverallow {
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
 # Android does not support System V IPCs.
 #
 # The reason for this is due to the fact that, by design, they lead to global
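Review bot: The two new neverallow rules carve out different exception sets — the connectto rule excludes both zygote and system_server, while the sock_file write rule excludes only system_server — and the comment on the line above does not say why. A client of a named unix stream socket normally needs both write on the sock_file and connectto on the socket, so if zygote is meant to be allowed to connect to its own socket the second rule would already forbid that, and if it is not, the `-zygote` exclusion on the first rule is wider than necessary; which of these is intended cannot be told from the hunk. I would either tighten the first rule to `neverallow { domain -system_server } zygote:unix_stream_socket connectto;` if no zygote allow rule depends on it, or extend the comment to state the reason for the asymmetry, e.g. `# zygote is excluded from the connectto rule because <reason>; it never needs write on the sock_file.` with the reason filled in.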
diff --git a/system_server.te b/system_server.te
index 537876664..6b580f578 100644
--- a/system_server.te
+++ b/system_server.te
@@ -296,9 +296,6 @@ allow system_server wpa_socket:sock_file unlink;
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
-# Specify any arguments to zygote.
-allow system_server self:zygote { specifyids specifyrlimits specifyseinfo };
-
 # Manage cache files.
 allow system_server cache_file:dir { relabelfrom create_dir_perms };
 allow system_server cache_file:file { relabelfrom create_file_perms };
-- 
GitLab