From 9075699a28fe0f369427e0c7c07a1034e804ff41 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Wed, 5 Apr 2017 16:16:13 -0700
Subject: [PATCH] sepolicy: restrict /vendor/overlay from most coredomains

The change makes 'vendor_overlay_file' accessible only to a few platform
domains like idmap, system_server, zygote and appdomain.

The overlay files contain RROs (runtime resource overlays).

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video

Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/app.te           |  3 +++
 private/system_server.te |  3 +++
 private/zygote.te        |  4 ++++
 public/domain.te         | 26 ++++++++++++++++++++------
 public/idmap.te          |  3 +++
 5 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/private/app.te b/private/app.te
index a086b8664..73d772995 100644
--- a/private/app.te
+++ b/private/app.te
@@ -98,6 +98,9 @@ allow appdomain system_file:lnk_file { getattr open read };
 # apps which cannot be in /vendor.
 r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
 
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
 
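Review bot: The new `r_dir_file(appdomain, vendor_overlay_file)` grants read access to every app domain, while the vendor_app_file rule immediately above deliberately carves out `-ephemeral_app -untrusted_v2_app`. If those carve-outs exist to limit which apps may read /vendor, the overlay rule presumably wants the same source set, `r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_overlay_file)`; if all apps genuinely need the overlays (e.g. because they are resolved on the app's own asset path), a one-line comment saying so would keep the asymmetry from looking accidental. The matching neverallow in public/domain.te exempts appdomain as a whole, so either choice is consistent with it.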
diff --git a/private/system_server.te b/private/system_server.te
index 430234313..90e8b10ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,9 @@ allow system_server apk_tmp_file:file create_file_perms;
 # Access /vendor/app
 r_dir_file(system_server, vendor_app_file)
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;
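Review bot: The comment above the new `r_dir_file(system_server, vendor_overlay_file)` line still reads `# Access /vendor/app`, copied from the rule above it, so the file now has two rules with the same comment granting access to different types. It should read `# Access /vendor/overlay` to match the type being allowed.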
diff --git a/private/zygote.te b/private/zygote.te
index 15fd95195..52250f8f8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -51,6 +51,10 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
 allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 
+# /vendor/overlay existence is checked before
+# passing it on as an argument to idmap in AssetManager
+allow zygote vendor_overlay_file:dir { getattr open read search };
+
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 92ebde01d..ffa8d44a8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@ full_treble_only(`
     # TODO: b/36806861
     allow domain vendor_app_file:lnk_file { open read };
 
-    # TODO: b/36656392, find out who needs access and only allow
-    # specific domains.
-    allow domain vendor_overlay_file:dir r_dir_perms;
-    allow domain vendor_overlay_file:file { read open getattr };
-
     # TODO: b/36680116, find out who neeeds access and only allow
     # specific domains
     allow domain vendor_framework_file:dir r_dir_perms;
@@ -687,7 +682,7 @@ full_treble_only(`
 # On TREBLE devices, a limited set of files in /vendor are accessible to
 # only a few whitelisted coredomains to keep system/vendor separation.
 full_treble_only(`
-    # Limit access to /vendor/app except for whitelisted domains
+    # Limit access to /vendor/app
     neverallow {
         coredomain
         -appdomain
@@ -707,6 +702,25 @@ full_treble_only(`
         -installd
         -system_server
     } vendor_app_file:{ file lnk_file } r_file_perms;
+
+    # Limit access to /vendor/overlay
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+	-init
+        -system_server
+        -zygote
+    } vendor_overlay_file:dir { getattr open read search };
+
+    neverallow {
+        coredomain
+        -appdomain
+        -idmap
+	-init
+        -system_server
+        -zygote
+    } vendor_overlay_file:{ file lnk_file } r_file_perms;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
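Review bot: The two `-init` exclusions in the new neverallow blocks are indented with a tab while every other line in the hunk uses spaces; changing them to `        -init` keeps the block readable and consistent. Separately, init is exempted from both neverallows, but none of the hunks in this patch adds an allow rule for init on vendor_overlay_file, so either init already has that access elsewhere or the exemption is wider than needed — worth confirming before it lands. Also note that the dir neverallow lists only `{ getattr open read search }`, whereas the broad rule removed in the first domain.te hunk granted r_dir_perms; if r_dir_perms includes further permissions (such as ioctl or lock), those are not forbidden to other coredomains by this neverallow, and the set could be tightened to `vendor_overlay_file:dir r_dir_perms` to match the file-class rule's use of r_file_perms.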
diff --git a/public/idmap.te b/public/idmap.te
index 437e0cc6d..1c32f8fd5 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -12,3 +12,6 @@ allow idmap apk_data_file:dir search;
 
 # Allow apps access to /vendor/app
 r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
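Review bot: The comment added above `r_dir_file(idmap, vendor_overlay_file)` says `# Allow apps access to /vendor/overlay`, but the rule's source domain is idmap, not apps; it appears to have been copied from the existing vendor_app_file line, which has the same mismatch. Suggest `# Allow idmap access to /vendor/overlay` so the comment names the domain actually being granted access.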
-- 
GitLab